Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 2 | * All rights reserved. |
| 3 | * |
| 4 | * This package is an SSL implementation written |
| 5 | * by Eric Young (eay@cryptsoft.com). |
| 6 | * The implementation was written so as to conform with Netscapes SSL. |
| 7 | * |
| 8 | * This library is free for commercial and non-commercial use as long as |
| 9 | * the following conditions are aheared to. The following conditions |
| 10 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 12 | * included with this distribution is covered by the same copyright terms |
| 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 14 | * |
| 15 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 16 | * the code are not to be removed. |
| 17 | * If this package is used in a product, Eric Young should be given attribution |
| 18 | * as the author of the parts of the library used. |
| 19 | * This can be in the form of a textual message at program startup or |
| 20 | * in documentation (online or textual) provided with the package. |
| 21 | * |
| 22 | * Redistribution and use in source and binary forms, with or without |
| 23 | * modification, are permitted provided that the following conditions |
| 24 | * are met: |
| 25 | * 1. Redistributions of source code must retain the copyright |
| 26 | * notice, this list of conditions and the following disclaimer. |
| 27 | * 2. Redistributions in binary form must reproduce the above copyright |
| 28 | * notice, this list of conditions and the following disclaimer in the |
| 29 | * documentation and/or other materials provided with the distribution. |
| 30 | * 3. All advertising materials mentioning features or use of this software |
| 31 | * must display the following acknowledgement: |
| 32 | * "This product includes cryptographic software written by |
| 33 | * Eric Young (eay@cryptsoft.com)" |
| 34 | * The word 'cryptographic' can be left out if the rouines from the library |
| 35 | * being used are not cryptographic related :-). |
| 36 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 37 | * the apps directory (application code) you must include an acknowledgement: |
| 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 39 | * |
| 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 50 | * SUCH DAMAGE. |
| 51 | * |
| 52 | * The licence and distribution terms for any publically available version or |
| 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 54 | * copied and put under another distribution licence |
| 55 | * [including the GNU Public Licence.] |
| 56 | */ |
| 57 | /* ==================================================================== |
| 58 | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
| 59 | * |
| 60 | * Redistribution and use in source and binary forms, with or without |
| 61 | * modification, are permitted provided that the following conditions |
| 62 | * are met: |
| 63 | * |
| 64 | * 1. Redistributions of source code must retain the above copyright |
| 65 | * notice, this list of conditions and the following disclaimer. |
| 66 | * |
| 67 | * 2. Redistributions in binary form must reproduce the above copyright |
| 68 | * notice, this list of conditions and the following disclaimer in |
| 69 | * the documentation and/or other materials provided with the |
| 70 | * distribution. |
| 71 | * |
| 72 | * 3. All advertising materials mentioning features or use of this |
| 73 | * software must display the following acknowledgment: |
| 74 | * "This product includes software developed by the OpenSSL Project |
| 75 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 76 | * |
| 77 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 78 | * endorse or promote products derived from this software without |
| 79 | * prior written permission. For written permission, please contact |
| 80 | * openssl-core@openssl.org. |
| 81 | * |
| 82 | * 5. Products derived from this software may not be called "OpenSSL" |
| 83 | * nor may "OpenSSL" appear in their names without prior written |
| 84 | * permission of the OpenSSL Project. |
| 85 | * |
| 86 | * 6. Redistributions of any form whatsoever must retain the following |
| 87 | * acknowledgment: |
| 88 | * "This product includes software developed by the OpenSSL Project |
| 89 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 90 | * |
| 91 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 92 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 93 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 94 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 95 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 96 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 97 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 98 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 99 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 100 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 101 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 102 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 103 | * ==================================================================== |
| 104 | * |
| 105 | * This product includes cryptographic software written by Eric Young |
| 106 | * (eay@cryptsoft.com). This product includes software written by Tim |
| 107 | * Hudson (tjh@cryptsoft.com). |
| 108 | * |
| 109 | */ |
| 110 | /* ==================================================================== |
| 111 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
| 112 | * ECC cipher suite support in OpenSSL originally developed by |
| 113 | * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ |
| 114 | |
David Benjamin | f0ae170 | 2015-04-07 23:05:04 -0400 | [diff] [blame] | 115 | #include <errno.h> |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 116 | #include <stdio.h> |
David Benjamin | f0ae170 | 2015-04-07 23:05:04 -0400 | [diff] [blame] | 117 | #include <string.h> |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 118 | |
| 119 | #include <openssl/bio.h> |
| 120 | #include <openssl/bn.h> |
David Benjamin | 676d1e7 | 2014-07-08 14:34:10 -0400 | [diff] [blame] | 121 | #include <openssl/buf.h> |
David Benjamin | 680ca96 | 2015-06-18 12:37:23 -0400 | [diff] [blame] | 122 | #include <openssl/ec_key.h> |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 123 | #include <openssl/dh.h> |
| 124 | #include <openssl/err.h> |
| 125 | #include <openssl/mem.h> |
| 126 | #include <openssl/obj.h> |
| 127 | #include <openssl/pem.h> |
David Benjamin | 680ca96 | 2015-06-18 12:37:23 -0400 | [diff] [blame] | 128 | #include <openssl/x509.h> |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 129 | #include <openssl/x509v3.h> |
| 130 | |
| 131 | #include "../crypto/dh/internal.h" |
| 132 | #include "../crypto/directory.h" |
Adam Langley | 0da323a | 2015-05-15 12:49:30 -0700 | [diff] [blame] | 133 | #include "../crypto/internal.h" |
David Benjamin | 2ee94aa | 2015-04-07 22:38:30 -0400 | [diff] [blame] | 134 | #include "internal.h" |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 135 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 136 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 137 | int SSL_get_ex_data_X509_STORE_CTX_idx(void) { |
David Benjamin | aa58513 | 2015-06-29 23:36:17 -0400 | [diff] [blame] | 138 | /* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the |
| 139 | * reserved app_data slot. Before ex_data was introduced, app_data was used. |
| 140 | * Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data| |
| 141 | * works. */ |
| 142 | return 0; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 143 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 144 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 145 | CERT *ssl_cert_new(void) { |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 146 | CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 147 | if (ret == NULL) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 148 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 149 | return NULL; |
| 150 | } |
| 151 | memset(ret, 0, sizeof(CERT)); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 152 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 153 | return ret; |
| 154 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 155 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 156 | CERT *ssl_cert_dup(CERT *cert) { |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 157 | CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 158 | if (ret == NULL) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 159 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 160 | return NULL; |
| 161 | } |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 162 | memset(ret, 0, sizeof(CERT)); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 163 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 164 | ret->mask_k = cert->mask_k; |
| 165 | ret->mask_a = cert->mask_a; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 166 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 167 | if (cert->dh_tmp != NULL) { |
| 168 | ret->dh_tmp = DHparams_dup(cert->dh_tmp); |
| 169 | if (ret->dh_tmp == NULL) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 170 | OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 171 | goto err; |
| 172 | } |
| 173 | if (cert->dh_tmp->priv_key) { |
| 174 | BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); |
| 175 | if (!b) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 176 | OPENSSL_PUT_ERROR(SSL, ERR_R_BN_LIB); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 177 | goto err; |
| 178 | } |
| 179 | ret->dh_tmp->priv_key = b; |
| 180 | } |
| 181 | if (cert->dh_tmp->pub_key) { |
| 182 | BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); |
| 183 | if (!b) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 184 | OPENSSL_PUT_ERROR(SSL, ERR_R_BN_LIB); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 185 | goto err; |
| 186 | } |
| 187 | ret->dh_tmp->pub_key = b; |
| 188 | } |
| 189 | } |
| 190 | ret->dh_tmp_cb = cert->dh_tmp_cb; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 191 | |
David Benjamin | c0f763b | 2015-03-27 02:05:39 -0400 | [diff] [blame] | 192 | ret->ecdh_nid = cert->ecdh_nid; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 193 | ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 194 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 195 | if (cert->x509 != NULL) { |
| 196 | ret->x509 = X509_up_ref(cert->x509); |
| 197 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 198 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 199 | if (cert->privatekey != NULL) { |
| 200 | ret->privatekey = EVP_PKEY_up_ref(cert->privatekey); |
| 201 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 202 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 203 | if (cert->chain) { |
| 204 | ret->chain = X509_chain_up_ref(cert->chain); |
| 205 | if (!ret->chain) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 206 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 207 | goto err; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 208 | } |
| 209 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 210 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 211 | ret->cert_cb = cert->cert_cb; |
| 212 | ret->cert_cb_arg = cert->cert_cb_arg; |
| 213 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 214 | return ret; |
| 215 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 216 | err: |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 217 | ssl_cert_free(ret); |
| 218 | return NULL; |
| 219 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 220 | |
| 221 | /* Free up and clear all certificates and chains */ |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 222 | void ssl_cert_clear_certs(CERT *cert) { |
| 223 | if (cert == NULL) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 224 | return; |
| 225 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 226 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 227 | X509_free(cert->x509); |
| 228 | cert->x509 = NULL; |
| 229 | EVP_PKEY_free(cert->privatekey); |
| 230 | cert->privatekey = NULL; |
| 231 | sk_X509_pop_free(cert->chain, X509_free); |
| 232 | cert->chain = NULL; |
David Benjamin | 71d2e54 | 2015-07-06 00:30:25 -0400 | [diff] [blame] | 233 | cert->key_method = NULL; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 234 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 235 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 236 | void ssl_cert_free(CERT *c) { |
| 237 | if (c == NULL) { |
| 238 | return; |
| 239 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 240 | |
David Benjamin | 2755a3e | 2015-04-22 16:17:58 -0400 | [diff] [blame] | 241 | DH_free(c->dh_tmp); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 242 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 243 | ssl_cert_clear_certs(c); |
David Benjamin | 2755a3e | 2015-04-22 16:17:58 -0400 | [diff] [blame] | 244 | OPENSSL_free(c->peer_sigalgs); |
David Benjamin | 2755a3e | 2015-04-22 16:17:58 -0400 | [diff] [blame] | 245 | OPENSSL_free(c->shared_sigalgs); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 246 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 247 | OPENSSL_free(c); |
| 248 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 249 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 250 | int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) { |
| 251 | sk_X509_pop_free(cert->chain, X509_free); |
| 252 | cert->chain = chain; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 253 | return 1; |
| 254 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 255 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 256 | int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) { |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 257 | STACK_OF(X509) *dchain; |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 258 | if (chain == NULL) { |
| 259 | return ssl_cert_set0_chain(cert, NULL); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 260 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 261 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 262 | dchain = X509_chain_up_ref(chain); |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 263 | if (dchain == NULL) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 264 | return 0; |
| 265 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 266 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 267 | if (!ssl_cert_set0_chain(cert, dchain)) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 268 | sk_X509_pop_free(dchain, X509_free); |
| 269 | return 0; |
| 270 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 271 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 272 | return 1; |
| 273 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 274 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 275 | int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) { |
| 276 | if (cert->chain == NULL) { |
| 277 | cert->chain = sk_X509_new_null(); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 278 | } |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 279 | if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 280 | return 0; |
| 281 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 282 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 283 | return 1; |
| 284 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 285 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 286 | int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) { |
| 287 | if (!ssl_cert_add0_chain_cert(cert, x509)) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 288 | return 0; |
| 289 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 290 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 291 | X509_up_ref(x509); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 292 | return 1; |
| 293 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 294 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 295 | void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg) { |
| 296 | c->cert_cb = cb; |
| 297 | c->cert_cb_arg = arg; |
| 298 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 299 | |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 300 | int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 301 | X509 *x; |
| 302 | int i; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 303 | X509_STORE_CTX ctx; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 304 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 305 | if (sk == NULL || sk_X509_num(sk) == 0) { |
| 306 | return 0; |
| 307 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 308 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 309 | x = sk_X509_value(sk, 0); |
David Benjamin | d27441a | 2015-08-09 11:05:17 -0400 | [diff] [blame] | 310 | if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 311 | OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 312 | return 0; |
| 313 | } |
| 314 | X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 315 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 316 | /* We need to inherit the verify parameters. These can be determined by the |
| 317 | * context: if its a server it will verify SSL client certificates or vice |
| 318 | * versa. */ |
| 319 | X509_STORE_CTX_set_default(&ctx, s->server ? "ssl_client" : "ssl_server"); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 320 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 321 | /* Anything non-default in "param" should overwrite anything in the ctx. */ |
| 322 | X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 323 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 324 | if (s->verify_callback) { |
| 325 | X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); |
| 326 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 327 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 328 | if (s->ctx->app_verify_callback != NULL) { |
| 329 | i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); |
| 330 | } else { |
| 331 | i = X509_verify_cert(&ctx); |
| 332 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 333 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 334 | s->verify_result = ctx.error; |
| 335 | X509_STORE_CTX_cleanup(&ctx); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 336 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 337 | return i; |
| 338 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 339 | |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 340 | static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list, |
| 341 | STACK_OF(X509_NAME) *name_list) { |
David Benjamin | 2755a3e | 2015-04-22 16:17:58 -0400 | [diff] [blame] | 342 | sk_X509_NAME_pop_free(*ca_list, X509_NAME_free); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 343 | *ca_list = name_list; |
| 344 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 345 | |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 346 | STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 347 | size_t i; |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 348 | STACK_OF(X509_NAME) *ret; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 349 | X509_NAME *name; |
| 350 | |
| 351 | ret = sk_X509_NAME_new_null(); |
| 352 | for (i = 0; i < sk_X509_NAME_num(sk); i++) { |
| 353 | name = X509_NAME_dup(sk_X509_NAME_value(sk, i)); |
| 354 | if (name == NULL || !sk_X509_NAME_push(ret, name)) { |
| 355 | sk_X509_NAME_pop_free(ret, X509_NAME_free); |
| 356 | return NULL; |
| 357 | } |
| 358 | } |
| 359 | |
| 360 | return ret; |
| 361 | } |
| 362 | |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 363 | void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 364 | set_client_CA_list(&(s->client_CA), name_list); |
| 365 | } |
| 366 | |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 367 | void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 368 | set_client_CA_list(&(ctx->client_CA), name_list); |
| 369 | } |
| 370 | |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 371 | STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 372 | return ctx->client_CA; |
| 373 | } |
| 374 | |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 375 | STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 376 | if (s->server) { |
| 377 | if (s->client_CA != NULL) { |
| 378 | return s->client_CA; |
| 379 | } else { |
| 380 | return s->ctx->client_CA; |
| 381 | } |
| 382 | } else { |
| 383 | if ((s->version >> 8) == SSL3_VERSION_MAJOR && s->s3 != NULL) { |
| 384 | return s->s3->tmp.ca_names; |
| 385 | } else { |
| 386 | return NULL; |
| 387 | } |
| 388 | } |
| 389 | } |
| 390 | |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 391 | static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 392 | X509_NAME *name; |
| 393 | |
| 394 | if (x == NULL) { |
| 395 | return 0; |
| 396 | } |
| 397 | if (*sk == NULL) { |
| 398 | *sk = sk_X509_NAME_new_null(); |
| 399 | if (*sk == NULL) { |
| 400 | return 0; |
| 401 | } |
| 402 | } |
| 403 | |
| 404 | name = X509_NAME_dup(X509_get_subject_name(x)); |
| 405 | if (name == NULL) { |
| 406 | return 0; |
| 407 | } |
| 408 | |
| 409 | if (!sk_X509_NAME_push(*sk, name)) { |
| 410 | X509_NAME_free(name); |
| 411 | return 0; |
| 412 | } |
| 413 | |
| 414 | return 1; |
| 415 | } |
| 416 | |
| 417 | int SSL_add_client_CA(SSL *ssl, X509 *x) { |
| 418 | return add_client_CA(&(ssl->client_CA), x); |
| 419 | } |
| 420 | |
| 421 | int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) { |
| 422 | return add_client_CA(&(ctx->client_CA), x); |
| 423 | } |
| 424 | |
| 425 | static int xname_cmp(const X509_NAME **a, const X509_NAME **b) { |
| 426 | return X509_NAME_cmp(*a, *b); |
| 427 | } |
| 428 | |
| 429 | /* Load CA certs from a file into a STACK. Note that it is somewhat misnamed; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 430 | * it doesn't really have anything to do with clients (except that a common use |
| 431 | * for a stack of CAs is to send it to the client). Actually, it doesn't have |
| 432 | * much to do with CAs, either, since it will load any old cert. |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 433 | * |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 434 | * \param file the file containing one or more certs. |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 435 | * \return a ::STACK containing the certs. */ |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 436 | STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 437 | BIO *in; |
| 438 | X509 *x = NULL; |
| 439 | X509_NAME *xn = NULL; |
| 440 | STACK_OF(X509_NAME) *ret = NULL, *sk; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 441 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 442 | sk = sk_X509_NAME_new(xname_cmp); |
| 443 | in = BIO_new(BIO_s_file()); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 444 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 445 | if (sk == NULL || in == NULL) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 446 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 447 | goto err; |
| 448 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 449 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 450 | if (!BIO_read_filename(in, file)) { |
| 451 | goto err; |
| 452 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 453 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 454 | for (;;) { |
| 455 | if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) { |
| 456 | break; |
| 457 | } |
| 458 | if (ret == NULL) { |
| 459 | ret = sk_X509_NAME_new_null(); |
| 460 | if (ret == NULL) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 461 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 462 | goto err; |
| 463 | } |
| 464 | } |
| 465 | xn = X509_get_subject_name(x); |
| 466 | if (xn == NULL) { |
| 467 | goto err; |
| 468 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 469 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 470 | /* check for duplicates */ |
| 471 | xn = X509_NAME_dup(xn); |
| 472 | if (xn == NULL) { |
| 473 | goto err; |
| 474 | } |
| 475 | if (sk_X509_NAME_find(sk, NULL, xn)) { |
| 476 | X509_NAME_free(xn); |
| 477 | } else { |
| 478 | sk_X509_NAME_push(sk, xn); |
| 479 | sk_X509_NAME_push(ret, xn); |
| 480 | } |
| 481 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 482 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 483 | if (0) { |
| 484 | err: |
David Benjamin | 2755a3e | 2015-04-22 16:17:58 -0400 | [diff] [blame] | 485 | sk_X509_NAME_pop_free(ret, X509_NAME_free); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 486 | ret = NULL; |
| 487 | } |
| 488 | |
David Benjamin | 2755a3e | 2015-04-22 16:17:58 -0400 | [diff] [blame] | 489 | sk_X509_NAME_free(sk); |
| 490 | BIO_free(in); |
| 491 | X509_free(x); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 492 | if (ret != NULL) { |
| 493 | ERR_clear_error(); |
| 494 | } |
| 495 | return ret; |
| 496 | } |
| 497 | |
| 498 | /* Add a file of certs to a stack. |
| 499 | * |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 500 | * \param stack the stack to add to. |
| 501 | * \param file the file to add from. All certs in this file that are not |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 502 | * already in the stack will be added. |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 503 | * \return 1 for success, 0 for failure. Note that in the case of failure some |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 504 | * certs may have been added to \c stack. */ |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 505 | int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 506 | const char *file) { |
| 507 | BIO *in; |
| 508 | X509 *x = NULL; |
| 509 | X509_NAME *xn = NULL; |
| 510 | int ret = 1; |
| 511 | int (*oldcmp)(const X509_NAME **a, const X509_NAME **b); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 512 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 513 | oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp); |
| 514 | in = BIO_new(BIO_s_file()); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 515 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 516 | if (in == NULL) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 517 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 518 | goto err; |
| 519 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 520 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 521 | if (!BIO_read_filename(in, file)) { |
| 522 | goto err; |
| 523 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 524 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 525 | for (;;) { |
| 526 | if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) { |
| 527 | break; |
| 528 | } |
| 529 | xn = X509_get_subject_name(x); |
| 530 | if (xn == NULL) { |
| 531 | goto err; |
| 532 | } |
| 533 | xn = X509_NAME_dup(xn); |
| 534 | if (xn == NULL) { |
| 535 | goto err; |
| 536 | } |
| 537 | if (sk_X509_NAME_find(stack, NULL, xn)) { |
| 538 | X509_NAME_free(xn); |
| 539 | } else { |
| 540 | sk_X509_NAME_push(stack, xn); |
| 541 | } |
| 542 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 543 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 544 | ERR_clear_error(); |
| 545 | |
| 546 | if (0) { |
| 547 | err: |
| 548 | ret = 0; |
| 549 | } |
| 550 | |
David Benjamin | 2755a3e | 2015-04-22 16:17:58 -0400 | [diff] [blame] | 551 | BIO_free(in); |
| 552 | X509_free(x); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 553 | |
Adam Langley | a307dfd | 2015-01-09 15:42:58 -0800 | [diff] [blame] | 554 | (void) sk_X509_NAME_set_cmp_func(stack, oldcmp); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 555 | |
| 556 | return ret; |
| 557 | } |
| 558 | |
| 559 | /* Add a directory of certs to a stack. |
| 560 | * |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 561 | * \param stack the stack to append to. |
| 562 | * \param dir the directory to append from. All files in this directory will be |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 563 | * examined as potential certs. Any that are acceptable to |
| 564 | * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will |
| 565 | * be included. |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 566 | * \return 1 for success, 0 for failure. Note that in the case of failure some |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 567 | * certs may have been added to \c stack. */ |
David Benjamin | 60da0cd | 2015-05-03 15:21:28 -0400 | [diff] [blame] | 568 | int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 569 | const char *dir) { |
| 570 | OPENSSL_DIR_CTX *d = NULL; |
| 571 | const char *filename; |
| 572 | int ret = 0; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 573 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 574 | /* Note that a side effect is that the CAs will be sorted by name */ |
| 575 | while ((filename = OPENSSL_DIR_read(&d, dir))) { |
| 576 | char buf[1024]; |
| 577 | int r; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 578 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 579 | if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 580 | OPENSSL_PUT_ERROR(SSL, SSL_R_PATH_TOO_LONG); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 581 | goto err; |
| 582 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 583 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 584 | r = BIO_snprintf(buf, sizeof buf, "%s/%s", dir, filename); |
| 585 | if (r <= 0 || r >= (int)sizeof(buf) || |
| 586 | !SSL_add_file_cert_subjects_to_stack(stack, buf)) { |
| 587 | goto err; |
| 588 | } |
| 589 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 590 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 591 | if (errno) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 592 | OPENSSL_PUT_ERROR(SSL, ERR_R_SYS_LIB); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 593 | ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')"); |
| 594 | goto err; |
| 595 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 596 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 597 | ret = 1; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 598 | |
| 599 | err: |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 600 | if (d) { |
| 601 | OPENSSL_DIR_end(&d); |
| 602 | } |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 603 | return ret; |
| 604 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 605 | |
| 606 | /* Add a certificate to a BUF_MEM structure */ |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 607 | static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) { |
| 608 | int n; |
| 609 | uint8_t *p; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 610 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 611 | n = i2d_X509(x, NULL); |
| 612 | if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 613 | OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 614 | return 0; |
| 615 | } |
| 616 | p = (uint8_t *)&(buf->data[*l]); |
| 617 | l2n3(n, p); |
| 618 | i2d_X509(x, &p); |
| 619 | *l += n + 3; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 620 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 621 | return 1; |
| 622 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 623 | |
Adam Langley | 2481975 | 2014-12-15 18:42:07 -0800 | [diff] [blame] | 624 | /* Add certificate chain to internal SSL BUF_MEM structure. */ |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 625 | int ssl_add_cert_chain(SSL *ssl, unsigned long *l) { |
| 626 | CERT *cert = ssl->cert; |
| 627 | BUF_MEM *buf = ssl->init_buf; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 628 | int no_chain = 0; |
| 629 | size_t i; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 630 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 631 | X509 *x = cert->x509; |
| 632 | STACK_OF(X509) *chain = cert->chain; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 633 | |
David Benjamin | 605641e | 2015-05-03 15:14:04 -0400 | [diff] [blame] | 634 | if (x == NULL) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 635 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); |
David Benjamin | 605641e | 2015-05-03 15:14:04 -0400 | [diff] [blame] | 636 | return 0; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 637 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 638 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 639 | if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 640 | no_chain = 1; |
| 641 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 642 | |
David Benjamin | 605641e | 2015-05-03 15:14:04 -0400 | [diff] [blame] | 643 | if (no_chain) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 644 | if (!ssl_add_cert_to_buf(buf, l, x)) { |
| 645 | return 0; |
| 646 | } |
David Benjamin | 605641e | 2015-05-03 15:14:04 -0400 | [diff] [blame] | 647 | |
David Benjamin | d1d8078 | 2015-07-05 11:54:09 -0400 | [diff] [blame] | 648 | for (i = 0; i < sk_X509_num(chain); i++) { |
| 649 | x = sk_X509_value(chain, i); |
David Benjamin | 605641e | 2015-05-03 15:14:04 -0400 | [diff] [blame] | 650 | if (!ssl_add_cert_to_buf(buf, l, x)) { |
| 651 | return 0; |
| 652 | } |
| 653 | } |
| 654 | } else { |
| 655 | X509_STORE_CTX xs_ctx; |
| 656 | |
David Benjamin | d27441a | 2015-08-09 11:05:17 -0400 | [diff] [blame] | 657 | if (!X509_STORE_CTX_init(&xs_ctx, ssl->ctx->cert_store, x, NULL)) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 658 | OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB); |
David Benjamin | 605641e | 2015-05-03 15:14:04 -0400 | [diff] [blame] | 659 | return 0; |
| 660 | } |
| 661 | X509_verify_cert(&xs_ctx); |
| 662 | /* Don't leave errors in the queue */ |
| 663 | ERR_clear_error(); |
| 664 | for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) { |
| 665 | x = sk_X509_value(xs_ctx.chain, i); |
| 666 | |
| 667 | if (!ssl_add_cert_to_buf(buf, l, x)) { |
| 668 | X509_STORE_CTX_cleanup(&xs_ctx); |
| 669 | return 0; |
| 670 | } |
| 671 | } |
| 672 | X509_STORE_CTX_cleanup(&xs_ctx); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 673 | } |
| 674 | |
| 675 | return 1; |
| 676 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 677 | |
David Benjamin | 11c0f8e | 2015-07-06 00:18:15 -0400 | [diff] [blame] | 678 | int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { |
| 679 | return ssl_cert_set0_chain(ctx->cert, chain); |
| 680 | } |
| 681 | |
| 682 | int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { |
| 683 | return ssl_cert_set1_chain(ctx->cert, chain); |
| 684 | } |
| 685 | |
| 686 | int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) { |
| 687 | return ssl_cert_set0_chain(ssl->cert, chain); |
| 688 | } |
| 689 | |
| 690 | int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) { |
| 691 | return ssl_cert_set1_chain(ssl->cert, chain); |
| 692 | } |
| 693 | |
| 694 | int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) { |
| 695 | return ssl_cert_add0_chain_cert(ctx->cert, x509); |
| 696 | } |
| 697 | |
| 698 | int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) { |
| 699 | return ssl_cert_add1_chain_cert(ctx->cert, x509); |
| 700 | } |
| 701 | |
| 702 | int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) { |
| 703 | return SSL_CTX_add0_chain_cert(ctx, x509); |
| 704 | } |
| 705 | |
| 706 | int SSL_add0_chain_cert(SSL *ssl, X509 *x509) { |
| 707 | return ssl_cert_add0_chain_cert(ssl->cert, x509); |
| 708 | } |
| 709 | |
| 710 | int SSL_add1_chain_cert(SSL *ssl, X509 *x509) { |
| 711 | return ssl_cert_add1_chain_cert(ssl->cert, x509); |
| 712 | } |
| 713 | |
| 714 | int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) { |
| 715 | return SSL_CTX_set0_chain(ctx, NULL); |
| 716 | } |
| 717 | |
| 718 | int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) { |
| 719 | return SSL_CTX_clear_chain_certs(ctx); |
| 720 | } |
| 721 | |
| 722 | int SSL_clear_chain_certs(SSL *ssl) { |
| 723 | return SSL_set0_chain(ssl, NULL); |
| 724 | } |
| 725 | |
| 726 | int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) { |
| 727 | *out_chain = ctx->cert->chain; |
| 728 | return 1; |
| 729 | } |
| 730 | |
| 731 | int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx, |
| 732 | STACK_OF(X509) **out_chain) { |
| 733 | return SSL_CTX_get0_chain_certs(ctx, out_chain); |
| 734 | } |
| 735 | |
| 736 | int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) { |
| 737 | *out_chain = ssl->cert->chain; |
| 738 | return 1; |
| 739 | } |