diff options
| author | Matt Caswell <matt@openssl.org> | 2015-01-22 03:40:55 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2015-01-22 09:20:09 +0000 |
| commit | 0f113f3ee4d629ef9a4a30911b22b224772085e5 (patch) | |
| tree | e014603da5aed1d0751f587a66d6e270b6bda3de /ssl/ssl_cert.c | |
| parent | 22b52164aaed31d6e93dbd2d397ace041360e6aa (diff) | |
Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'ssl/ssl_cert.c')
| -rw-r--r-- | ssl/ssl_cert.c | 2203 |
1 files changed, 1067 insertions, 1136 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 6dbf79a488..bfaf69aff7 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,25 +1,27 @@ -/*! \file ssl/ssl_cert.c */ +/* + * ! \file ssl/ssl_cert.c + */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +36,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +51,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -63,7 +65,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -110,7 +112,7 @@ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by + * ECC cipher suite support in OpenSSL originally developed by * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ @@ -127,780 +129,732 @@ #include <openssl/pem.h> #include <openssl/x509v3.h> #ifndef OPENSSL_NO_DH -#include <openssl/dh.h> +# include <openssl/dh.h> #endif #include <openssl/bn.h> #include "ssl_locl.h" -static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); +static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, + int bits, int nid, void *other, + void *ex); int SSL_get_ex_data_X509_STORE_CTX_idx(void) - { - static volatile int ssl_x509_store_ctx_idx= -1; - int got_write_lock = 0; - - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - - if (ssl_x509_store_ctx_idx < 0) - { - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - got_write_lock = 1; - - if (ssl_x509_store_ctx_idx < 0) - { - ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index( - 0,"SSL for verify callback",NULL,NULL,NULL); - } - } - - if (got_write_lock) - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); - else - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - - return ssl_x509_store_ctx_idx; - } +{ + static volatile int ssl_x509_store_ctx_idx = -1; + int got_write_lock = 0; + + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); + + if (ssl_x509_store_ctx_idx < 0) { + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + got_write_lock = 1; + + if (ssl_x509_store_ctx_idx < 0) { + ssl_x509_store_ctx_idx = + X509_STORE_CTX_get_ex_new_index(0, "SSL for verify callback", + NULL, NULL, NULL); + } + } + + if (got_write_lock) + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + else + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + + return ssl_x509_store_ctx_idx; +} void ssl_cert_set_default_md(CERT *cert) - { - /* Set digest values to defaults */ +{ + /* Set digest values to defaults */ #ifndef OPENSSL_NO_DSA - cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); + cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA - cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); + cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); + cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_ECDSA - cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); + cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif - } +} CERT *ssl_cert_new(void) - { - CERT *ret; - - ret=(CERT *)OPENSSL_malloc(sizeof(CERT)); - if (ret == NULL) - { - SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE); - return(NULL); - } - memset(ret,0,sizeof(CERT)); - - ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]); - ret->references=1; - ssl_cert_set_default_md(ret); - ret->sec_cb = ssl_security_default_callback; - ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL; - ret->sec_ex = NULL; - return(ret); - } +{ + CERT *ret; + + ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); + if (ret == NULL) { + SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE); + return (NULL); + } + memset(ret, 0, sizeof(CERT)); + + ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]); + ret->references = 1; + ssl_cert_set_default_md(ret); + ret->sec_cb = ssl_security_default_callback; + ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL; + ret->sec_ex = NULL; + return (ret); +} CERT *ssl_cert_dup(CERT *cert) - { - CERT *ret; - int i; - - ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); - if (ret == NULL) - { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); - return(NULL); - } - - memset(ret, 0, sizeof(CERT)); - - ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; - /* or ret->key = ret->pkeys + (cert->key - cert->pkeys), - * if you find that more readable */ - - ret->valid = cert->valid; - ret->mask_k = cert->mask_k; - ret->mask_a = cert->mask_a; - ret->export_mask_k = cert->export_mask_k; - ret->export_mask_a = cert->export_mask_a; +{ + CERT *ret; + int i; + + ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); + if (ret == NULL) { + SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); + return (NULL); + } + + memset(ret, 0, sizeof(CERT)); + + ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; + /* + * or ret->key = ret->pkeys + (cert->key - cert->pkeys), if you find that + * more readable + */ + + ret->valid = cert->valid; + ret->mask_k = cert->mask_k; + ret->mask_a = cert->mask_a; + ret->export_mask_k = cert->export_mask_k; + ret->export_mask_a = cert->export_mask_a; #ifndef OPENSSL_NO_RSA - if (cert->rsa_tmp != NULL) - { - RSA_up_ref(cert->rsa_tmp); - ret->rsa_tmp = cert->rsa_tmp; - } - ret->rsa_tmp_cb = cert->rsa_tmp_cb; + if (cert->rsa_tmp != NULL) { + RSA_up_ref(cert->rsa_tmp); + ret->rsa_tmp = cert->rsa_tmp; + } + ret->rsa_tmp_cb = cert->rsa_tmp_cb; #endif #ifndef OPENSSL_NO_DH - if (cert->dh_tmp != NULL) - { - ret->dh_tmp = DHparams_dup(cert->dh_tmp); - if (ret->dh_tmp == NULL) - { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); - goto err; - } - if (cert->dh_tmp->priv_key) - { - BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); - if (!b) - { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); - goto err; - } - ret->dh_tmp->priv_key = b; - } - if (cert->dh_tmp->pub_key) - { - BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); - if (!b) - { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); - goto err; - } - ret->dh_tmp->pub_key = b; - } - } - ret->dh_tmp_cb = cert->dh_tmp_cb; - ret->dh_tmp_auto = cert->dh_tmp_auto; + if (cert->dh_tmp != NULL) { + ret->dh_tmp = DHparams_dup(cert->dh_tmp); + if (ret->dh_tmp == NULL) { + SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); + goto err; + } + if (cert->dh_tmp->priv_key) { + BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); + if (!b) { + SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); + goto err; + } + ret->dh_tmp->priv_key = b; + } + if (cert->dh_tmp->pub_key) { + BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); + if (!b) { + SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); + goto err; + } + ret->dh_tmp->pub_key = b; + } + } + ret->dh_tmp_cb = cert->dh_tmp_cb; + ret->dh_tmp_auto = cert->dh_tmp_auto; #endif #ifndef OPENSSL_NO_ECDH - if (cert->ecdh_tmp) - { - ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); - if (ret->ecdh_tmp == NULL) - { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB); - goto err; - } - } - ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; - ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; + if (cert->ecdh_tmp) { + ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); + if (ret->ecdh_tmp == NULL) { + SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB); + goto err; + } + } + ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; + ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; #endif - for (i = 0; i < SSL_PKEY_NUM; i++) - { - CERT_PKEY *cpk = cert->pkeys + i; - CERT_PKEY *rpk = ret->pkeys + i; - if (cpk->x509 != NULL) - { - rpk->x509 = cpk->x509; - CRYPTO_add(&rpk->x509->references, 1, CRYPTO_LOCK_X509); - } - - if (cpk->privatekey != NULL) - { - rpk->privatekey = cpk->privatekey; - CRYPTO_add(&cpk->privatekey->references, 1, - CRYPTO_LOCK_EVP_PKEY); - } - - if (cpk->chain) - { - rpk->chain = X509_chain_up_ref(cpk->chain); - if (!rpk->chain) - { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); - goto err; - } - } - rpk->valid_flags = 0; + for (i = 0; i < SSL_PKEY_NUM; i++) { + CERT_PKEY *cpk = cert->pkeys + i; + CERT_PKEY *rpk = ret->pkeys + i; + if (cpk->x509 != NULL) { + rpk->x509 = cpk->x509; + CRYPTO_add(&rpk->x509->references, 1, CRYPTO_LOCK_X509); + } + + if (cpk->privatekey != NULL) { + rpk->privatekey = cpk->privatekey; + CRYPTO_add(&cpk->privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY); + } + + if (cpk->chain) { + rpk->chain = X509_chain_up_ref(cpk->chain); + if (!rpk->chain) { + SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); + goto err; + } + } + rpk->valid_flags = 0; #ifndef OPENSSL_NO_TLSEXT - if (cert->pkeys[i].serverinfo != NULL) - { - /* Just copy everything. */ - ret->pkeys[i].serverinfo = - OPENSSL_malloc(cert->pkeys[i].serverinfo_length); - if (ret->pkeys[i].serverinfo == NULL) - { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); - goto err; - } - ret->pkeys[i].serverinfo_length = - cert->pkeys[i].serverinfo_length; - memcpy(ret->pkeys[i].serverinfo, - cert->pkeys[i].serverinfo, - cert->pkeys[i].serverinfo_length); - } + if (cert->pkeys[i].serverinfo != NULL) { + /* Just copy everything. */ + ret->pkeys[i].serverinfo = + OPENSSL_malloc(cert->pkeys[i].serverinfo_length); + if (ret->pkeys[i].serverinfo == NULL) { + SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); + goto err; + } + ret->pkeys[i].serverinfo_length = + cert->pkeys[i].serverinfo_length; + memcpy(ret->pkeys[i].serverinfo, + cert->pkeys[i].serverinfo, + cert->pkeys[i].serverinfo_length); + } #endif - } - - ret->references=1; - /* Set digests to defaults. NB: we don't copy existing values as they - * will be set during handshake. - */ - ssl_cert_set_default_md(ret); - /* Peer sigalgs set to NULL as we get these from handshake too */ - ret->peer_sigalgs = NULL; - ret->peer_sigalgslen = 0; - /* Configured sigalgs however we copy across */ - - if (cert->conf_sigalgs) - { - ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen); - if (!ret->conf_sigalgs) - goto err; - memcpy(ret->conf_sigalgs, cert->conf_sigalgs, - cert->conf_sigalgslen); - ret->conf_sigalgslen = cert->conf_sigalgslen; - } - else - ret->conf_sigalgs = NULL; - - if (cert->client_sigalgs) - { - ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen); - if (!ret->client_sigalgs) - goto err; - memcpy(ret->client_sigalgs, cert->client_sigalgs, - cert->client_sigalgslen); - ret->client_sigalgslen = cert->client_sigalgslen; - } - else - ret->client_sigalgs = NULL; - /* Shared sigalgs also NULL */ - ret->shared_sigalgs = NULL; - /* Copy any custom client certificate types */ - if (cert->ctypes) - { - ret->ctypes = OPENSSL_malloc(cert->ctype_num); - if (!ret->ctypes) - goto err; - memcpy(ret->ctypes, cert->ctypes, cert->ctype_num); - ret->ctype_num = cert->ctype_num; - } - - ret->cert_flags = cert->cert_flags; - - ret->cert_cb = cert->cert_cb; - ret->cert_cb_arg = cert->cert_cb_arg; - - if (cert->verify_store) - { - CRYPTO_add(&cert->verify_store->references, 1, CRYPTO_LOCK_X509_STORE); - ret->verify_store = cert->verify_store; - } - - if (cert->chain_store) - { - CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE); - ret->chain_store = cert->chain_store; - } - - ret->ciphers_raw = NULL; - - ret->sec_cb = cert->sec_cb; - ret->sec_level = cert->sec_level; - ret->sec_ex = cert->sec_ex; + } + + ret->references = 1; + /* + * Set digests to defaults. NB: we don't copy existing values as they + * will be set during handshake. + */ + ssl_cert_set_default_md(ret); + /* Peer sigalgs set to NULL as we get these from handshake too */ + ret->peer_sigalgs = NULL; + ret->peer_sigalgslen = 0; + /* Configured sigalgs however we copy across */ + + if (cert->conf_sigalgs) { + ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen); + if (!ret->conf_sigalgs) + goto err; + memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen); + ret->conf_sigalgslen = cert->conf_sigalgslen; + } else + ret->conf_sigalgs = NULL; + + if (cert->client_sigalgs) { + ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen); + if (!ret->client_sigalgs) + goto err; + memcpy(ret->client_sigalgs, cert->client_sigalgs, + cert->client_sigalgslen); + ret->client_sigalgslen = cert->client_sigalgslen; + } else + ret->client_sigalgs = NULL; + /* Shared sigalgs also NULL */ + ret->shared_sigalgs = NULL; + /* Copy any custom client certificate types */ + if (cert->ctypes) { + ret->ctypes = OPENSSL_malloc(cert->ctype_num); + if (!ret->ctypes) + goto err; + memcpy(ret->ctypes, cert->ctypes, cert->ctype_num); + ret->ctype_num = cert->ctype_num; + } + + ret->cert_flags = cert->cert_flags; + + ret->cert_cb = cert->cert_cb; + ret->cert_cb_arg = cert->cert_cb_arg; + + if (cert->verify_store) { + CRYPTO_add(&cert->verify_store->references, 1, + CRYPTO_LOCK_X509_STORE); + ret->verify_store = cert->verify_store; + } + + if (cert->chain_store) { + CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE); + ret->chain_store = cert->chain_store; + } + + ret->ciphers_raw = NULL; + + ret->sec_cb = cert->sec_cb; + ret->sec_level = cert->sec_level; + ret->sec_ex = cert->sec_ex; #ifndef OPENSSL_NO_TLSEXT - if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext)) - goto err; - if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext)) - goto err; + if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext)) + goto err; + if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext)) + goto err; #endif - return(ret); - -err: - ssl_cert_free(ret); + return (ret); + + err: + ssl_cert_free(ret); - return NULL; - } + return NULL; +} /* Free up and clear all certificates and chains */ void ssl_cert_clear_certs(CERT *c) - { - int i; - if (c == NULL) - return; - for (i = 0; i<SSL_PKEY_NUM; i++) - { - CERT_PKEY *cpk = c->pkeys + i; - if (cpk->x509) - { - X509_free(cpk->x509); - cpk->x509 = NULL; - } - if (cpk->privatekey) - { - EVP_PKEY_free(cpk->privatekey); - cpk->privatekey = NULL; - } - if (cpk->chain) - { - sk_X509_pop_free(cpk->chain, X509_free); - cpk->chain = NULL; - } +{ + int i; + if (c == NULL) + return; + for (i = 0; i < SSL_PKEY_NUM; i++) { + CERT_PKEY *cpk = c->pkeys + i; + if (cpk->x509) { + X509_free(cpk->x509); + cpk->x509 = NULL; + } + if (cpk->privatekey) { + EVP_PKEY_free(cpk->privatekey); + cpk->privatekey = NULL; + } + if (cpk->chain) { + sk_X509_pop_free(cpk->chain, X509_free); + cpk->chain = NULL; + } #ifndef OPENSSL_NO_TLSEXT - if (cpk->serverinfo) - { - OPENSSL_free(cpk->serverinfo); - cpk->serverinfo = NULL; - cpk->serverinfo_length = 0; - } + if (cpk->serverinfo) { + OPENSSL_free(cpk->serverinfo); + cpk->serverinfo = NULL; + cpk->serverinfo_length = 0; + } #endif - /* Clear all flags apart from explicit sign */ - cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; - } - } + /* Clear all flags apart from explicit sign */ + cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; + } +} void ssl_cert_free(CERT *c) - { - int i; +{ + int i; - if(c == NULL) - return; + if (c == NULL) + return; - i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT); + i = CRYPTO_add(&c->references, -1, CRYPTO_LOCK_SSL_CERT); #ifdef REF_PRINT - REF_PRINT("CERT",c); + REF_PRINT("CERT", c); #endif - if (i > 0) return; + if (i > 0) + return; #ifdef REF_CHECK - if (i < 0) - { - fprintf(stderr,"ssl_cert_free, bad reference count\n"); - abort(); /* ok */ - } + if (i < 0) { + fprintf(stderr, "ssl_cert_free, bad reference count\n"); + abort(); /* ok */ + } #endif #ifndef OPENSSL_NO_RSA - if (c->rsa_tmp) RSA_free(c->rsa_tmp); + if (c->rsa_tmp) + RSA_free(c->rsa_tmp); #endif #ifndef OPENSSL_NO_DH - if (c->dh_tmp) DH_free(c->dh_tmp); + if (c->dh_tmp) + DH_free(c->dh_tmp); #endif #ifndef OPENSSL_NO_ECDH - if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp); + if (c->ecdh_tmp) + EC_KEY_free(c->ecdh_tmp); #endif - ssl_cert_clear_certs(c); - if (c->peer_sigalgs) - OPENSSL_free(c->peer_sigalgs); - if (c->conf_sigalgs) - OPENSSL_free(c->conf_sigalgs); - if (c->client_sigalgs) - OPENSSL_free(c->client_sigalgs); - if (c->shared_sigalgs) - OPENSSL_free(c->shared_sigalgs); - if (c->ctypes) - OPENSSL_free(c->ctypes); - if (c->verify_store) - X509_STORE_free(c->verify_store); - if (c->chain_store) - X509_STORE_free(c->chain_store); - if (c->ciphers_raw) - OPENSSL_free(c->ciphers_raw); + ssl_cert_clear_certs(c); + if (c->peer_sigalgs) + OPENSSL_free(c->peer_sigalgs); + if (c->conf_sigalgs) + OPENSSL_free(c->conf_sigalgs); + if (c->client_sigalgs) + OPENSSL_free(c->client_sigalgs); + if (c->shared_sigalgs) + OPENSSL_free(c->shared_sigalgs); + if (c->ctypes) + OPENSSL_free(c->ctypes); + if (c->verify_store) + X509_STORE_free(c->verify_store); + if (c->chain_store) + X509_STORE_free(c->chain_store); + if (c->ciphers_raw) + OPENSSL_free(c->ciphers_raw); #ifndef OPENSSL_NO_TLSEXT - custom_exts_free(&c->cli_ext); - custom_exts_free(&c->srv_ext); + custom_exts_free(&c->cli_ext); + custom_exts_free(&c->srv_ext); #endif - OPENSSL_free(c); - } + OPENSSL_free(c); +} int ssl_cert_inst(CERT **o) - { - /* Create a CERT if there isn't already one - * (which cannot really happen, as it is initially created in - * SSL_CTX_new; but the earlier code usually allows for that one - * being non-existant, so we follow that behaviour, as it might - * turn out that there actually is a reason for it -- but I'm - * not sure that *all* of the existing code could cope with - * s->cert being NULL, otherwise we could do without the - * initialization in SSL_CTX_new). - */ - - if (o == NULL) - { - SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER); - return(0); - } - if (*o == NULL) - { - if ((*o = ssl_cert_new()) == NULL) - { - SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE); - return(0); - } - } - return(1); - } +{ + /* + * Create a CERT if there isn't already one (which cannot really happen, + * as it is initially created in SSL_CTX_new; but the earlier code + * usually allows for that one being non-existant, so we follow that + * behaviour, as it might turn out that there actually is a reason for it + * -- but I'm not sure that *all* of the existing code could cope with + * s->cert being NULL, otherwise we could do without the initialization + * in SSL_CTX_new). + */ + + if (o == NULL) { + SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER); + return (0); + } + if (*o == NULL) { + if ((*o = ssl_cert_new()) == NULL) { + SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE); + return (0); + } + } + return (1); +} int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain) - { - int i, r; - CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; - if (!cpk) - return 0; - if (cpk->chain) - sk_X509_pop_free(cpk->chain, X509_free); - for (i = 0; i < sk_X509_num(chain); i++) - { - r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0); - if (r != 1) - { - SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r); - return 0; - } - } - cpk->chain = chain; - return 1; - } +{ + int i, r; + CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; + if (!cpk) + return 0; + if (cpk->chain) + sk_X509_pop_free(cpk->chain, X509_free); + for (i = 0; i < sk_X509_num(chain); i++) { + r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0); + if (r != 1) { + SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r); + return 0; + } + } + cpk->chain = chain; + return 1; +} int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain) - { - STACK_OF(X509) *dchain; - if (!chain) - return ssl_cert_set0_chain(s, ctx, NULL); - dchain = X509_chain_up_ref(chain); - if (!dchain) - return 0; - if (!ssl_cert_set0_chain(s, ctx, dchain)) - { - sk_X509_pop_free(dchain, X509_free); - return 0; - } - return 1; - } +{ + STACK_OF(X509) *dchain; + if (!chain) + return ssl_cert_set0_chain(s, ctx, NULL); + dchain = X509_chain_up_ref(chain); + if (!dchain) + return 0; + if (!ssl_cert_set0_chain(s, ctx, dchain)) { + sk_X509_pop_free(dchain, X509_free); + return 0; + } + return 1; +} int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x) - { - int r; - CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; - if (!cpk) - return 0; - r = ssl_security_cert(s, ctx, x, 0, 0); - if (r != 1) - { - SSLerr(SSL_F_SSL_CERT_ADD0_CHAIN_CERT, r); - return 0; - } - if (!cpk->chain) - cpk->chain = sk_X509_new_null(); - if (!cpk->chain || !sk_X509_push(cpk->chain, x)) - return 0; - return 1; - } +{ + int r; + CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; + if (!cpk) + return 0; + r = ssl_security_cert(s, ctx, x, 0, 0); + if (r != 1) { + SSLerr(SSL_F_SSL_CERT_ADD0_CHAIN_CERT, r); + return 0; + } + if (!cpk->chain) + cpk->chain = sk_X509_new_null(); + if (!cpk->chain || !sk_X509_push(cpk->chain, x)) + return 0; + return 1; +} int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x) - { - if (!ssl_cert_add0_chain_cert(s, ctx, x)) - return 0; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - return 1; - } +{ + if (!ssl_cert_add0_chain_cert(s, ctx, x)) + return 0; + CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + return 1; +} int ssl_cert_select_current(CERT *c, X509 *x) - { - int i; - if (x == NULL) - return 0; - for (i = 0; i < SSL_PKEY_NUM; i++) - { - CERT_PKEY *cpk = c->pkeys + i; - if (cpk->x509 == x && cpk->privatekey) - { - c->key = cpk; - return 1; - } - } - - for (i = 0; i < SSL_PKEY_NUM; i++) - { - CERT_PKEY *cpk = c->pkeys + i; - if (cpk->privatekey && cpk->x509 && !X509_cmp(cpk->x509, x)) - { - c->key = cpk; - return 1; - } - } - return 0; - } +{ + int i; + if (x == NULL) + return 0; + for (i = 0; i < SSL_PKEY_NUM; i++) { + CERT_PKEY *cpk = c->pkeys + i; + if (cpk->x509 == x && cpk->privatekey) { + c->key = cpk; + return 1; + } + } + + for (i = 0; i < SSL_PKEY_NUM; i++) { + CERT_PKEY *cpk = c->pkeys + i; + if (cpk->privatekey && cpk->x509 && !X509_cmp(cpk->x509, x)) { + c->key = cpk; + return 1; + } + } + return 0; +} int ssl_cert_set_current(CERT *c, long op) - { - int i, idx; - if (!c) - return 0; - if (op == SSL_CERT_SET_FIRST) - idx = 0; - else if (op == SSL_CERT_SET_NEXT) - { - idx = (int)(c->key - c->pkeys + 1); - if (idx >= SSL_PKEY_NUM) - return 0; - } - else - return 0; - for (i = idx; i < SSL_PKEY_NUM; i++) - { - CERT_PKEY *cpk = c->pkeys + i; - if (cpk->x509 && cpk->privatekey) - { - c->key = cpk; - return 1; - } - } - return 0; - } - -void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg) - { - c->cert_cb = cb; - c->cert_cb_arg = arg; - } +{ + int i, idx; + if (!c) + return 0; + if (op == SSL_CERT_SET_FIRST) + idx = 0; + else if (op == SSL_CERT_SET_NEXT) { + idx = (int)(c->key - c->pkeys + 1); + if (idx >= SSL_PKEY_NUM) + return 0; + } else + return 0; + for (i = idx; i < SSL_PKEY_NUM; i++) { + CERT_PKEY *cpk = c->pkeys + i; + if (cpk->x509 && cpk->privatekey) { + c->key = cpk; + return 1; + } + } + return 0; +} + +void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg) +{ + c->cert_cb = cb; + c->cert_cb_arg = arg; +} SESS_CERT *ssl_sess_cert_new(void) - { - SESS_CERT *ret; +{ + SESS_CERT *ret; - ret = OPENSSL_malloc(sizeof *ret); - if (ret == NULL) - { - SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE); - return NULL; - } + ret = OPENSSL_malloc(sizeof *ret); + if (ret == NULL) { + SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } - memset(ret, 0 ,sizeof *ret); - ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); - ret->references = 1; + memset(ret, 0, sizeof *ret); + ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); + ret->references = 1; - return ret; - } + return ret; +} void ssl_sess_cert_free(SESS_CERT *sc) - { - int i; +{ + int i; - if (sc == NULL) - return; + if (sc == NULL) + return; - i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT); + i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT); #ifdef REF_PRINT - REF_PRINT("SESS_CERT", sc); + REF_PRINT("SESS_CERT", sc); #endif - if (i > 0) - return; + if (i > 0) + return; #ifdef REF_CHECK - if (i < 0) - { - fprintf(stderr,"ssl_sess_cert_free, bad reference count\n"); - abort(); /* ok */ - } + if (i < 0) { + fprintf(stderr, "ssl_sess_cert_free, bad reference count\n"); + abort(); /* ok */ + } #endif - /* i == 0 */ - if (sc->cert_chain != NULL) - sk_X509_pop_free(sc->cert_chain, X509_free); - for (i = 0; i < SSL_PKEY_NUM; i++) - { - if (sc->peer_pkeys[i].x509 != NULL) - X509_free(sc->peer_pkeys[i].x509); -#if 0 /* We don't have the peer's private key. These lines are just - * here as a reminder that we're still using a not-quite-appropriate - * data structure. */ - if (sc->peer_pkeys[i].privatekey != NULL) - EVP_PKEY_free(sc->peer_pkeys[i].privatekey); + /* i == 0 */ + if (sc->cert_chain != NULL) + sk_X509_pop_free(sc->cert_chain, X509_free); + for (i = 0; i < SSL_PKEY_NUM; i++) { + if (sc->peer_pkeys[i].x509 != NULL) + X509_free(sc->peer_pkeys[i].x509); +#if 0 /* We don't have the peer's private key. + * These lines are just * here as a reminder + * that we're still using a + * not-quite-appropriate * data structure. */ + if (sc->peer_pkeys[i].privatekey != NULL) + EVP_PKEY_free(sc->peer_pkeys[i].privatekey); #endif - } + } #ifndef OPENSSL_NO_RSA - if (sc->peer_rsa_tmp != NULL) - RSA_free(sc->peer_rsa_tmp); + if (sc->peer_rsa_tmp != NULL) + RSA_free(sc->peer_rsa_tmp); #endif #ifndef OPENSSL_NO_DH - if (sc->peer_dh_tmp != NULL) - DH_free(sc->peer_d |