Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 67454b6f76d90fe290da4650ee0fc97db3357e02 / . / ssl / ssl_cert.c
blob: 765efe4928b4853b00df1d0919f57ab86edfc24d [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
114
115#include <stdio.h>
116
117#include <openssl/bio.h>
118#include <openssl/bn.h>
David Benjamin676d1e72014-07-08 14:34:10 -0400[diff] [blame]119#include <openssl/buf.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]120#include <openssl/dh.h>
121#include <openssl/err.h>
122#include <openssl/mem.h>
123#include <openssl/obj.h>
124#include <openssl/pem.h>
125#include <openssl/x509v3.h>
126
127#include "../crypto/dh/internal.h"
128#include "../crypto/directory.h"
129#include "ssl_locl.h"
130
131int SSL_get_ex_data_X509_STORE_CTX_idx(void)
132 {
133 static volatile int ssl_x509_store_ctx_idx= -1;
134 int got_write_lock = 0;
135
136 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
137
138 if (ssl_x509_store_ctx_idx < 0)
139 {
140 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
141 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
142 got_write_lock = 1;
143
144 if (ssl_x509_store_ctx_idx < 0)
145 {
146 ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
147 0,"SSL for verify callback",NULL,NULL,NULL);
148 }
149 }
150
151 if (got_write_lock)
152 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
153 else
154 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
155
156 return ssl_x509_store_ctx_idx;
157 }
158
159void ssl_cert_set_default_md(CERT *cert)
160 {
161 /* Set digest values to defaults */
162#ifndef OPENSSL_NO_DSA
163 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
164#endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]165 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
166 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]167#ifndef OPENSSL_NO_ECDSA
168 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
169#endif
170 }
171
172CERT *ssl_cert_new(void)
173 {
174 CERT *ret;
175
176 ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
177 if (ret == NULL)
178 {
179 OPENSSL_PUT_ERROR(SSL, ssl_cert_new, ERR_R_MALLOC_FAILURE);
180 return(NULL);
181 }
182 memset(ret,0,sizeof(CERT));
183
184 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]185 ssl_cert_set_default_md(ret);
186 return(ret);
187 }
188
189CERT *ssl_cert_dup(CERT *cert)
190 {
191 CERT *ret;
192 int i;
193
194 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
195 if (ret == NULL)
196 {
197 OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE);
198 return(NULL);
199 }
200
201 memset(ret, 0, sizeof(CERT));
202
203 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
204 /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
205 * if you find that more readable */
206
207 ret->valid = cert->valid;
208 ret->mask_k = cert->mask_k;
209 ret->mask_a = cert->mask_a;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]210
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]211#ifndef OPENSSL_NO_DH
212 if (cert->dh_tmp != NULL)
213 {
214 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
215 if (ret->dh_tmp == NULL)
216 {
217 OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_DH_LIB);
218 goto err;
219 }
220 if (cert->dh_tmp->priv_key)
221 {
222 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
223 if (!b)
224 {
225 OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_BN_LIB);
226 goto err;
227 }
228 ret->dh_tmp->priv_key = b;
229 }
230 if (cert->dh_tmp->pub_key)
231 {
232 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
233 if (!b)
234 {
235 OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_BN_LIB);
236 goto err;
237 }
238 ret->dh_tmp->pub_key = b;
239 }
240 }
241 ret->dh_tmp_cb = cert->dh_tmp_cb;
242#endif
243
244#ifndef OPENSSL_NO_ECDH
245 if (cert->ecdh_tmp)
246 {
247 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
248 if (ret->ecdh_tmp == NULL)
249 {
250 OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_EC_LIB);
251 goto err;
252 }
253 }
254 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
255 ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;
256#endif
257
258 for (i = 0; i < SSL_PKEY_NUM; i++)
259 {
260 CERT_PKEY *cpk = cert->pkeys + i;
261 CERT_PKEY *rpk = ret->pkeys + i;
262 if (cpk->x509 != NULL)
263 {
David Benjamin150c6172014-08-05 22:22:49 -0400[diff] [blame]264 rpk->x509 = X509_up_ref(cpk->x509);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]265 }
266
267 if (cpk->privatekey != NULL)
268 {
269 rpk->privatekey = cpk->privatekey;
270 CRYPTO_add(&cpk->privatekey->references, 1,
271 CRYPTO_LOCK_EVP_PKEY);
272
273 switch(i)
274 {
275 /* If there was anything special to do for
276 * certain types of keys, we'd do it here.
277 * (Nothing at the moment, I think.) */
278
279 case SSL_PKEY_RSA_ENC:
280 case SSL_PKEY_RSA_SIGN:
281 /* We have an RSA key. */
282 break;
283
284 case SSL_PKEY_DSA_SIGN:
285 /* We have a DSA key. */
286 break;
287
288 case SSL_PKEY_DH_RSA:
289 case SSL_PKEY_DH_DSA:
290 /* We have a DH key. */
291 break;
292
293 case SSL_PKEY_ECC:
294 /* We have an ECC key */
295 break;
296
297 default:
298 /* Can't happen. */
299 OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, SSL_R_LIBRARY_BUG);
300 }
301 }
302
303 if (cpk->chain)
304 {
305 rpk->chain = X509_chain_up_ref(cpk->chain);
306 if (!rpk->chain)
307 {
308 OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE);
309 goto err;
310 }
311 }
312 rpk->valid_flags = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]313 }
314
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]315 /* Set digests to defaults. NB: we don't copy existing values as they
316 * will be set during handshake.
317 */
318 ssl_cert_set_default_md(ret);
319 /* Peer sigalgs set to NULL as we get these from handshake too */
320 ret->peer_sigalgs = NULL;
321 ret->peer_sigalgslen = 0;
322 /* Configured sigalgs however we copy across */
323
324 if (cert->conf_sigalgs)
325 {
326 ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
327 if (!ret->conf_sigalgs)
328 goto err;
329 memcpy(ret->conf_sigalgs, cert->conf_sigalgs,
330 cert->conf_sigalgslen);
331 ret->conf_sigalgslen = cert->conf_sigalgslen;
332 }
333 else
334 ret->conf_sigalgs = NULL;
335
336 if (cert->client_sigalgs)
337 {
338 ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);
339 if (!ret->client_sigalgs)
340 goto err;
341 memcpy(ret->client_sigalgs, cert->client_sigalgs,
342 cert->client_sigalgslen);
343 ret->client_sigalgslen = cert->client_sigalgslen;
344 }
345 else
346 ret->client_sigalgs = NULL;
347 /* Shared sigalgs also NULL */
348 ret->shared_sigalgs = NULL;
349 /* Copy any custom client certificate types */
David Benjamin676d1e72014-07-08 14:34:10 -0400[diff] [blame]350 if (cert->client_certificate_types)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]351 {
David Benjamin676d1e72014-07-08 14:34:10 -0400[diff] [blame]352 ret->client_certificate_types = BUF_memdup(
353 cert->client_certificate_types,
354 cert->num_client_certificate_types);
355 if (!ret->client_certificate_types)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]356 goto err;
David Benjamin676d1e72014-07-08 14:34:10 -0400[diff] [blame]357 ret->num_client_certificate_types = cert->num_client_certificate_types;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]358 }
359
360 ret->cert_flags = cert->cert_flags;
361
362 ret->cert_cb = cert->cert_cb;
363 ret->cert_cb_arg = cert->cert_cb_arg;
364
365 if (cert->verify_store)
366 {
David Benjamin67454b62014-08-06 22:15:46 -0400[diff] [blame^]367 CRYPTO_add(&cert->verify_store->references, 1, CRYPTO_LOCK_X509_STORE);
368 ret->verify_store = cert->verify_store;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]369 }
370
371 if (cert->chain_store)
372 {
David Benjamin67454b62014-08-06 22:15:46 -0400[diff] [blame^]373 CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE);
374 ret->chain_store = cert->chain_store;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]375 }
376
377 ret->ciphers_raw = NULL;
378
379 return(ret);
380
381#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
382err:
383#endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]384#ifndef OPENSSL_NO_DH
385 if (ret->dh_tmp != NULL)
386 DH_free(ret->dh_tmp);
387#endif
388#ifndef OPENSSL_NO_ECDH
389 if (ret->ecdh_tmp != NULL)
390 EC_KEY_free(ret->ecdh_tmp);
391#endif
392
393 ssl_cert_clear_certs(ret);
394
395 return NULL;
396 }
397
398/* Free up and clear all certificates and chains */
399
400void ssl_cert_clear_certs(CERT *c)
401 {
402 int i;
403 if (c == NULL)
404 return;
405 for (i = 0; i<SSL_PKEY_NUM; i++)
406 {
407 CERT_PKEY *cpk = c->pkeys + i;
408 if (cpk->x509)
409 {
410 X509_free(cpk->x509);
411 cpk->x509 = NULL;
412 }
413 if (cpk->privatekey)
414 {
415 EVP_PKEY_free(cpk->privatekey);
416 cpk->privatekey = NULL;
417 }
418 if (cpk->chain)
419 {
420 sk_X509_pop_free(cpk->chain, X509_free);
421 cpk->chain = NULL;
422 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]423 /* Clear all flags apart from explicit sign */
424 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
425 }
426 }
427
428void ssl_cert_free(CERT *c)
429 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]430 if(c == NULL)
431 return;
432
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]433#ifndef OPENSSL_NO_DH
434 if (c->dh_tmp) DH_free(c->dh_tmp);
435#endif
436#ifndef OPENSSL_NO_ECDH
437 if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
438#endif
439
440 ssl_cert_clear_certs(c);
441 if (c->peer_sigalgs)
442 OPENSSL_free(c->peer_sigalgs);
443 if (c->conf_sigalgs)
444 OPENSSL_free(c->conf_sigalgs);
445 if (c->client_sigalgs)
446 OPENSSL_free(c->client_sigalgs);
447 if (c->shared_sigalgs)
448 OPENSSL_free(c->shared_sigalgs);
David Benjamin676d1e72014-07-08 14:34:10 -0400[diff] [blame]449 if (c->client_certificate_types)
450 OPENSSL_free(c->client_certificate_types);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]451 if (c->verify_store)
452 X509_STORE_free(c->verify_store);
453 if (c->chain_store)
454 X509_STORE_free(c->chain_store);
455 if (c->ciphers_raw)
456 OPENSSL_free(c->ciphers_raw);
457 OPENSSL_free(c);
458 }
459
460int ssl_cert_inst(CERT **o)
461 {
462 /* Create a CERT if there isn't already one
463 * (which cannot really happen, as it is initially created in
464 * SSL_CTX_new; but the earlier code usually allows for that one
465 * being non-existant, so we follow that behaviour, as it might
466 * turn out that there actually is a reason for it -- but I'm
467 * not sure that *all* of the existing code could cope with
468 * s->cert being NULL, otherwise we could do without the
469 * initialization in SSL_CTX_new).
470 */
471
472 if (o == NULL)
473 {
474 OPENSSL_PUT_ERROR(SSL, ssl_cert_inst, ERR_R_PASSED_NULL_PARAMETER);
475 return(0);
476 }
477 if (*o == NULL)
478 {
479 if ((*o = ssl_cert_new()) == NULL)
480 {
481 OPENSSL_PUT_ERROR(SSL, ssl_cert_new, ERR_R_MALLOC_FAILURE);
482 return(0);
483 }
484 }
485 return(1);
486 }
487
488int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain)
489 {
490 CERT_PKEY *cpk = c->key;
491 if (!cpk)
492 return 0;
493 if (cpk->chain)
494 sk_X509_pop_free(cpk->chain, X509_free);
495 cpk->chain = chain;
496 return 1;
497 }
498
499int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain)
500 {
501 STACK_OF(X509) *dchain;
502 if (!chain)
503 return ssl_cert_set0_chain(c, NULL);
504 dchain = X509_chain_up_ref(chain);
505 if (!dchain)
506 return 0;
507 if (!ssl_cert_set0_chain(c, dchain))
508 {
509 sk_X509_pop_free(dchain, X509_free);
510 return 0;
511 }
512 return 1;
513 }
514
515int ssl_cert_add0_chain_cert(CERT *c, X509 *x)
516 {
517 CERT_PKEY *cpk = c->key;
518 if (!cpk)
519 return 0;
520 if (!cpk->chain)
521 cpk->chain = sk_X509_new_null();
522 if (!cpk->chain || !sk_X509_push(cpk->chain, x))
523 return 0;
524 return 1;
525 }
526
527int ssl_cert_add1_chain_cert(CERT *c, X509 *x)
528 {
529 if (!ssl_cert_add0_chain_cert(c, x))
530 return 0;
David Benjamin150c6172014-08-05 22:22:49 -0400[diff] [blame]531 X509_up_ref(x);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]532 return 1;
533 }
534
535int ssl_cert_select_current(CERT *c, X509 *x)
536 {
537 int i;
538 if (x == NULL)
539 return 0;
540 for (i = 0; i < SSL_PKEY_NUM; i++)
541 {
542 if (c->pkeys[i].x509 == x)
543 {
544 c->key = &c->pkeys[i];
545 return 1;
546 }
547 }
548
549 for (i = 0; i < SSL_PKEY_NUM; i++)
550 {
551 if (c->pkeys[i].x509 && !X509_cmp(c->pkeys[i].x509, x))
552 {
553 c->key = &c->pkeys[i];
554 return 1;
555 }
556 }
557 return 0;
558 }
559
560void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg)
561 {
562 c->cert_cb = cb;
563 c->cert_cb_arg = arg;
564 }
565
566SESS_CERT *ssl_sess_cert_new(void)
567 {
568 SESS_CERT *ret;
569
570 ret = OPENSSL_malloc(sizeof *ret);
571 if (ret == NULL)
572 {
573 OPENSSL_PUT_ERROR(SSL, ssl_sess_cert_new, ERR_R_MALLOC_FAILURE);
574 return NULL;
575 }
576
577 memset(ret, 0 ,sizeof *ret);
578 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
579 ret->references = 1;
580
581 return ret;
582 }
583
584void ssl_sess_cert_free(SESS_CERT *sc)
585 {
586 int i;
587
588 if (sc == NULL)
589 return;
590
591 i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
592#ifdef REF_PRINT
593 REF_PRINT("SESS_CERT", sc);
594#endif
595 if (i > 0)
596 return;
597#ifdef REF_CHECK
598 if (i < 0)
599 {
600 fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
601 abort(); /* ok */
602 }
603#endif
604
605 /* i == 0 */
606 if (sc->cert_chain != NULL)
607 sk_X509_pop_free(sc->cert_chain, X509_free);
608 for (i = 0; i < SSL_PKEY_NUM; i++)
609 {
610 if (sc->peer_pkeys[i].x509 != NULL)
611 X509_free(sc->peer_pkeys[i].x509);
612#if 0 /* We don't have the peer's private key. These lines are just
613 * here as a reminder that we're still using a not-quite-appropriate
614 * data structure. */
615 if (sc->peer_pkeys[i].privatekey != NULL)
616 EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
617#endif
618 }
619
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]620 if (sc->peer_rsa_tmp != NULL)
621 RSA_free(sc->peer_rsa_tmp);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]622#ifndef OPENSSL_NO_DH
623 if (sc->peer_dh_tmp != NULL)
624 DH_free(sc->peer_dh_tmp);
625#endif
626#ifndef OPENSSL_NO_ECDH
627 if (sc->peer_ecdh_tmp != NULL)
628 EC_KEY_free(sc->peer_ecdh_tmp);
629#endif
630
631 OPENSSL_free(sc);
632 }
633
634int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
635 {
636 sc->peer_cert_type = type;
637 return(1);
638 }
639
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]640int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
641 {
642 X509 *x;
643 int i;
644 X509_STORE *verify_store;
645 X509_STORE_CTX ctx;
646
647 if (s->cert->verify_store)
648 verify_store = s->cert->verify_store;
649 else
650 verify_store = s->ctx->cert_store;
651
652 if ((sk == NULL) || (sk_X509_num(sk) == 0))
653 return(0);
654
655 x=sk_X509_value(sk,0);
656 if(!X509_STORE_CTX_init(&ctx,verify_store,x,sk))
657 {
658 OPENSSL_PUT_ERROR(SSL, ssl_verify_cert_chain, ERR_R_X509_LIB);
659 return(0);
660 }
661 /* Set suite B flags if needed */
662 X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s));
663#if 0
664 if (SSL_get_verify_depth(s) >= 0)
665 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
666#endif
667 X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
668
669 /* We need to inherit the verify parameters. These can be determined by
670 * the context: if its a server it will verify SSL client certificates
671 * or vice versa.
672 */
673
674 X509_STORE_CTX_set_default(&ctx,
675 s->server ? "ssl_client" : "ssl_server");
676 /* Anything non-default in "param" should overwrite anything in the
677 * ctx.
678 */
679 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
680
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]681 if (s->verify_callback)
682 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]683
684 if (s->ctx->app_verify_callback != NULL)
685#if 1 /* new with OpenSSL 0.9.7 */
686 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
687#else
688 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
689#endif
690 else
691 {
692#ifndef OPENSSL_NO_X509_VERIFY
693 i=X509_verify_cert(&ctx);
694#else
695 i=0;
696 ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
697 OPENSSL_PUT_ERROR(SSL, ssl_verify_cert_chain, SSL_R_NO_VERIFY_CALLBACK);
698#endif
699 }
700
701 s->verify_result=ctx.error;
702 X509_STORE_CTX_cleanup(&ctx);
703
704 return(i);
705 }
706
707static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
708 {
709 if (*ca_list != NULL)
710 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
711
712 *ca_list=name_list;
713 }
714
715STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
716 {
717 int i;
718 STACK_OF(X509_NAME) *ret;
719 X509_NAME *name;
720
721 ret=sk_X509_NAME_new_null();
722 for (i=0; i<sk_X509_NAME_num(sk); i++)
723 {
724 name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
725 if ((name == NULL) || !sk_X509_NAME_push(ret,name))
726 {
727 sk_X509_NAME_pop_free(ret,X509_NAME_free);
728 return(NULL);
729 }
730 }
731 return(ret);
732 }
733
734void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
735 {
736 set_client_CA_list(&(s->client_CA),name_list);
737 }
738
739void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
740 {
741 set_client_CA_list(&(ctx->client_CA),name_list);
742 }
743
744STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
745 {
746 return(ctx->client_CA);
747 }
748
749STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
750 {
751 if (s->type == SSL_ST_CONNECT)
752 { /* we are in the client */
753 if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
754 (s->s3 != NULL))
755 return(s->s3->tmp.ca_names);
756 else
757 return(NULL);
758 }
759 else
760 {
761 if (s->client_CA != NULL)
762 return(s->client_CA);
763 else
764 return(s->ctx->client_CA);
765 }
766 }
767
768static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
769 {
770 X509_NAME *name;
771
772 if (x == NULL) return(0);
773 if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
774 return(0);
775
776 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
777 return(0);
778
779 if (!sk_X509_NAME_push(*sk,name))
780 {
781 X509_NAME_free(name);
782 return(0);
783 }
784 return(1);
785 }
786
787int SSL_add_client_CA(SSL *ssl,X509 *x)
788 {
789 return(add_client_CA(&(ssl->client_CA),x));
790 }
791
792int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
793 {
794 return(add_client_CA(&(ctx->client_CA),x));
795 }
796
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]797static int xname_cmp(const X509_NAME **a, const X509_NAME **b)
798 {
799 return(X509_NAME_cmp(*a,*b));
800 }
801
802#ifndef OPENSSL_NO_STDIO
803/*!
804 * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
805 * it doesn't really have anything to do with clients (except that a common use
806 * for a stack of CAs is to send it to the client). Actually, it doesn't have
807 * much to do with CAs, either, since it will load any old cert.
808 * \param file the file containing one or more certs.
809 * \return a ::STACK containing the certs.
810 */
811STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
812 {
813 BIO *in;
814 X509 *x=NULL;
815 X509_NAME *xn=NULL;
816 STACK_OF(X509_NAME) *ret = NULL,*sk;
817
818 sk=sk_X509_NAME_new(xname_cmp);
819
820 in=BIO_new(BIO_s_file());
821
822 if ((sk == NULL) || (in == NULL))
823 {
824 OPENSSL_PUT_ERROR(SSL, SSL_load_client_CA_file, ERR_R_MALLOC_FAILURE);
825 goto err;
826 }
827
828 if (!BIO_read_filename(in,file))
829 goto err;
830
831 for (;;)
832 {
833 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
834 break;
835 if (ret == NULL)
836 {
837 ret = sk_X509_NAME_new_null();
838 if (ret == NULL)
839 {
840 OPENSSL_PUT_ERROR(SSL, SSL_load_client_CA_file, ERR_R_MALLOC_FAILURE);
841 goto err;
842 }
843 }
844 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
845 /* check for duplicates */
846 xn=X509_NAME_dup(xn);
847 if (xn == NULL) goto err;
848 if (sk_X509_NAME_find(sk, NULL, xn))
849 X509_NAME_free(xn);
850 else
851 {
852 sk_X509_NAME_push(sk,xn);
853 sk_X509_NAME_push(ret,xn);
854 }
855 }
856
857 if (0)
858 {
859err:
860 if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
861 ret=NULL;
862 }
863 if (sk != NULL) sk_X509_NAME_free(sk);
864 if (in != NULL) BIO_free(in);
865 if (x != NULL) X509_free(x);
866 if (ret != NULL)
867 ERR_clear_error();
868 return(ret);
869 }
870#endif
871
872/*!
873 * Add a file of certs to a stack.
874 * \param stack the stack to add to.
875 * \param file the file to add from. All certs in this file that are not
876 * already in the stack will be added.
877 * \return 1 for success, 0 for failure. Note that in the case of failure some
878 * certs may have been added to \c stack.
879 */
880
881int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
882 const char *file)
883 {
884 BIO *in;
885 X509 *x=NULL;
886 X509_NAME *xn=NULL;
887 int ret=1;
888 int (*oldcmp)(const X509_NAME **a, const X509_NAME **b);
889
890 oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
891
892 in=BIO_new(BIO_s_file());
893
894 if (in == NULL)
895 {
896 OPENSSL_PUT_ERROR(SSL, SSL_add_file_cert_subjects_to_stack, ERR_R_MALLOC_FAILURE);
897 goto err;
898 }
899
900 if (!BIO_read_filename(in,file))
901 goto err;
902
903 for (;;)
904 {
905 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
906 break;
907 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
908 xn=X509_NAME_dup(xn);
909 if (xn == NULL) goto err;
910 if (sk_X509_NAME_find(stack, NULL, xn))
911 X509_NAME_free(xn);
912 else
913 sk_X509_NAME_push(stack,xn);
914 }
915
916 ERR_clear_error();
917
918 if (0)
919 {
920err:
921 ret=0;
922 }
923 if(in != NULL)
924 BIO_free(in);
925 if(x != NULL)
926 X509_free(x);
927
928 (void)sk_X509_NAME_set_cmp_func(stack,oldcmp);
929
930 return ret;
931 }
932
933/*!
934 * Add a directory of certs to a stack.
935 * \param stack the stack to append to.
936 * \param dir the directory to append from. All files in this directory will be
937 * examined as potential certs. Any that are acceptable to
938 * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
939 * included.
940 * \return 1 for success, 0 for failure. Note that in the case of failure some
941 * certs may have been added to \c stack.
942 */
943
944int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
945 const char *dir)
946 {
947 OPENSSL_DIR_CTX *d = NULL;
948 const char *filename;
949 int ret = 0;
950
951 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
952
953 /* Note that a side effect is that the CAs will be sorted by name */
954
955 while((filename = OPENSSL_DIR_read(&d, dir)))
956 {
957 char buf[1024];
958 int r;
959
960 if(strlen(dir)+strlen(filename)+2 > sizeof buf)
961 {
962 OPENSSL_PUT_ERROR(SSL, SSL_add_dir_cert_subjects_to_stack, SSL_R_PATH_TOO_LONG);
963 goto err;
964 }
965
966#ifdef OPENSSL_SYS_VMS
967 r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);
968#else
969 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
970#endif
971 if (r <= 0 || r >= (int)sizeof(buf))
972 goto err;
973 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
974 goto err;
975 }
976
977 if (errno)
978 {
979 OPENSSL_PUT_ERROR(SSL, SSL_add_file_cert_subjects_to_stack, ERR_R_SYS_LIB);
980 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
981 goto err;
982 }
983
984 ret = 1;
985
986err:
987 if (d) OPENSSL_DIR_end(&d);
988 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
989 return ret;
990 }
991
992/* Add a certificate to a BUF_MEM structure */
993
994static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
995 {
996 int n;
997 unsigned char *p;
998
999 n=i2d_X509(x,NULL);
1000 if (!BUF_MEM_grow_clean(buf,(int)(n+(*l)+3)))
1001 {
1002 OPENSSL_PUT_ERROR(SSL, ssl_add_cert_to_buf, ERR_R_BUF_LIB);
1003 return 0;
1004 }
1005 p=(unsigned char *)&(buf->data[*l]);
1006 l2n3(n,p);
1007 i2d_X509(x,&p);
1008 *l+=n+3;
1009
1010 return 1;
1011 }
1012
1013/* Add certificate chain to internal SSL BUF_MEM strcuture */
1014int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
1015 {
1016 BUF_MEM *buf = s->init_buf;
1017 int no_chain;
1018 int i;
1019
1020 X509 *x;
1021 STACK_OF(X509) *extra_certs;
1022 X509_STORE *chain_store;
1023
1024 if (cpk)
1025 x = cpk->x509;
1026 else
1027 x = NULL;
1028
1029 if (s->cert->chain_store)
1030 chain_store = s->cert->chain_store;
1031 else
1032 chain_store = s->ctx->cert_store;
1033
1034 /* If we have a certificate specific chain use it, else use
1035 * parent ctx.
1036 */
1037 if (cpk && cpk->chain)
1038 extra_certs = cpk->chain;
1039 else
1040 extra_certs = s->ctx->extra_certs;
1041
1042 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
1043 no_chain = 1;
1044 else
1045 no_chain = 0;
1046
1047 /* TLSv1 sends a chain with nothing in it, instead of an alert */
1048 if (!BUF_MEM_grow_clean(buf,10))
1049 {
1050 OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_BUF_LIB);
1051 return 0;
1052 }
1053 if (x != NULL)
1054 {
1055 if (no_chain)
1056 {
1057 if (!ssl_add_cert_to_buf(buf, l, x))
1058 return 0;
1059 }
1060 else
1061 {
1062 X509_STORE_CTX xs_ctx;
1063
1064 if (!X509_STORE_CTX_init(&xs_ctx,chain_store,x,NULL))
1065 {
1066 OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_X509_LIB);
1067 return(0);
1068 }
1069 X509_verify_cert(&xs_ctx);
1070 /* Don't leave errors in the queue */
1071 ERR_clear_error();
1072 for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
1073 {
1074 x = sk_X509_value(xs_ctx.chain, i);
1075
1076 if (!ssl_add_cert_to_buf(buf, l, x))
1077 {
1078 X509_STORE_CTX_cleanup(&xs_ctx);
1079 return 0;
1080 }
1081 }
1082 X509_STORE_CTX_cleanup(&xs_ctx);
1083 }
1084 }
1085 for (i=0; i<sk_X509_num(extra_certs); i++)
1086 {
1087 x=sk_X509_value(extra_certs,i);
1088 if (!ssl_add_cert_to_buf(buf, l, x))
1089 return 0;
1090 }
1091
1092 return 1;
1093 }
1094
1095/* Build a certificate chain for current certificate */
1096int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
1097 {
1098 CERT_PKEY *cpk = c->key;
1099 X509_STORE_CTX xs_ctx;
1100 STACK_OF(X509) *chain = NULL, *untrusted = NULL;
1101 X509 *x;
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1102 int i, rv = 0;
Adam Langleydff7b9e2014-06-20 12:00:00 -0700[diff] [blame]1103 unsigned long error;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1104
1105 if (!cpk->x509)
1106 {
1107 OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, SSL_R_NO_CERTIFICATE_SET);
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1108 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1109 }
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1110 /* Rearranging and check the chain: add everything to a store */
1111 if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)
1112 {
1113 chain_store = X509_STORE_new();
1114 if (!chain_store)
1115 goto err;
1116 for (i = 0; i < sk_X509_num(cpk->chain); i++)
1117 {
1118 x = sk_X509_value(cpk->chain, i);
1119 if (!X509_STORE_add_cert(chain_store, x))
Adam Langleydff7b9e2014-06-20 12:00:00 -0700[diff] [blame]1120 {
1121 error = ERR_peek_last_error();
1122 if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
1123 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
1124 goto err;
1125 ERR_clear_error();
1126 }
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1127 }
1128 /* Add EE cert too: it might be self signed */
1129 if (!X509_STORE_add_cert(chain_store, cpk->x509))
Adam Langleydff7b9e2014-06-20 12:00:00 -0700[diff] [blame]1130 {
1131 error = ERR_peek_last_error();
1132 if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
1133 ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
1134 goto err;
1135 ERR_clear_error();
1136 }
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1137 }
1138 else
1139 {
1140 if (c->chain_store)
1141 chain_store = c->chain_store;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1142
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1143 if (flags & SSL_BUILD_CHAIN_FLAG_UNTRUSTED)
1144 untrusted = cpk->chain;
1145 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1146
1147 if (!X509_STORE_CTX_init(&xs_ctx, chain_store, cpk->x509, untrusted))
1148 {
1149 OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, ERR_R_X509_LIB);
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1150 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1151 }
1152 /* Set suite B flags if needed */
1153 X509_STORE_CTX_set_flags(&xs_ctx, c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS);
1154
1155 i = X509_verify_cert(&xs_ctx);
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1156 if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)
1157 {
Adam Langley64c22232014-06-20 12:00:00 -0700[diff] [blame]1158 if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR)
1159 ERR_clear_error();
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1160 i = 1;
Adam Langley64c22232014-06-20 12:00:00 -0700[diff] [blame]1161 rv = 2;
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1162 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1163 if (i > 0)
1164 chain = X509_STORE_CTX_get1_chain(&xs_ctx);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1165 if (i <= 0)
1166 {
1167 OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, SSL_R_CERTIFICATE_VERIFY_FAILED);
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1168 i = X509_STORE_CTX_get_error(&xs_ctx);
1169 ERR_add_error_data(2, "Verify error:",
1170 X509_verify_cert_error_string(i));
1171
1172 X509_STORE_CTX_cleanup(&xs_ctx);
1173 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1174 }
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1175 X509_STORE_CTX_cleanup(&xs_ctx);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1176 if (cpk->chain)
1177 sk_X509_pop_free(cpk->chain, X509_free);
1178 /* Remove EE certificate from chain */
1179 x = sk_X509_shift(chain);
1180 X509_free(x);
1181 if (flags & SSL_BUILD_CHAIN_FLAG_NO_ROOT)
1182 {
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1183 if (sk_X509_num(chain) > 0)
1184 {
1185 /* See if last cert is self signed */
1186 x = sk_X509_value(chain, sk_X509_num(chain) - 1);
1187 X509_check_purpose(x, -1, 0);
1188 if (x->ex_flags & EXFLAG_SS)
1189 {
1190 x = sk_X509_pop(chain);
1191 X509_free(x);
1192 }
1193 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1194 }
1195 cpk->chain = chain;
Adam Langley64c22232014-06-20 12:00:00 -0700[diff] [blame]1196 if (rv == 0)
1197 rv = 1;
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1198 err:
1199 if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)
1200 X509_STORE_free(chain_store);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1201
Adam Langleyf669c2d2014-06-20 12:00:00 -0700[diff] [blame]1202 return rv;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1203 }
1204
1205int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
1206 {
1207 X509_STORE **pstore;
1208 if (chain)
1209 pstore = &c->chain_store;
1210 else
1211 pstore = &c->verify_store;
1212 if (*pstore)
1213 X509_STORE_free(*pstore);
1214 *pstore = store;
1215 if (ref && store)
David Benjamin67454b62014-08-06 22:15:46 -0400[diff] [blame^]1216 CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1217 return 1;
1218 }
1219