ssl_cert.c revision 1.1.1.2
1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include "internal/e_os.h" 12 13 #include <stdio.h> 14 #include <sys/types.h> 15 16 #include "internal/nelem.h" 17 #include "internal/o_dir.h" 18 #include <openssl/bio.h> 19 #include <openssl/pem.h> 20 #include <openssl/store.h> 21 #include <openssl/x509v3.h> 22 #include <openssl/dh.h> 23 #include <openssl/bn.h> 24 #include <openssl/crypto.h> 25 #include "internal/refcount.h" 26 #include "ssl_local.h" 27 #include "ssl_cert_table.h" 28 #include "internal/thread_once.h" 29 #include "internal/ssl_unwrap.h" 30 #ifndef OPENSSL_NO_POSIX_IO 31 #include <sys/stat.h> 32 #ifdef _WIN32 33 #define stat _stat 34 #endif 35 #ifndef S_ISDIR 36 #define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) 37 #endif 38 #endif 39 40 static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, 41 int op, int bits, int nid, void *other, 42 void *ex); 43 44 static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT; 45 static volatile int ssl_x509_store_ctx_idx = -1; 46 47 DEFINE_RUN_ONCE_STATIC(ssl_x509_store_ctx_init) 48 { 49 ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(0, 50 "SSL for verify callback", 51 NULL, NULL, NULL); 52 return ssl_x509_store_ctx_idx >= 0; 53 } 54 55 int SSL_get_ex_data_X509_STORE_CTX_idx(void) 56 { 57 58 if (!RUN_ONCE(&ssl_x509_store_ctx_once, ssl_x509_store_ctx_init)) 59 return -1; 60 return ssl_x509_store_ctx_idx; 61 } 62 63 CERT *ssl_cert_new(size_t ssl_pkey_num) 64 { 65 CERT *ret = NULL; 66 67 /* Should never happen */ 68 if (!ossl_assert(ssl_pkey_num >= SSL_PKEY_NUM)) 69 return NULL; 70 71 ret = OPENSSL_zalloc(sizeof(*ret)); 72 if (ret == NULL) 73 return NULL; 74 75 ret->ssl_pkey_num = ssl_pkey_num; 76 ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY)); 77 if (ret->pkeys == NULL) { 78 OPENSSL_free(ret); 79 return NULL; 80 } 81 82 ret->key = &(ret->pkeys[SSL_PKEY_RSA]); 83 ret->sec_cb = ssl_security_default_callback; 84 ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL; 85 ret->sec_ex = NULL; 86 if (!CRYPTO_NEW_REF(&ret->references, 1)) { 87 OPENSSL_free(ret->pkeys); 88 OPENSSL_free(ret); 89 return NULL; 90 } 91 92 return ret; 93 } 94 95 CERT *ssl_cert_dup(CERT *cert) 96 { 97 CERT *ret = OPENSSL_zalloc(sizeof(*ret)); 98 size_t i; 99 #ifndef OPENSSL_NO_COMP_ALG 100 int j; 101 #endif 102 103 if (ret == NULL) 104 return NULL; 105 106 ret->ssl_pkey_num = cert->ssl_pkey_num; 107 ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY)); 108 if (ret->pkeys == NULL) { 109 OPENSSL_free(ret); 110 return NULL; 111 } 112 113 ret->key = &ret->pkeys[cert->key - cert->pkeys]; 114 if (!CRYPTO_NEW_REF(&ret->references, 1)) { 115 OPENSSL_free(ret->pkeys); 116 OPENSSL_free(ret); 117 return NULL; 118 } 119 120 if (cert->dh_tmp != NULL) { 121 if (!EVP_PKEY_up_ref(cert->dh_tmp)) 122 goto err; 123 ret->dh_tmp = cert->dh_tmp; 124 } 125 126 ret->dh_tmp_cb = cert->dh_tmp_cb; 127 ret->dh_tmp_auto = cert->dh_tmp_auto; 128 129 for (i = 0; i < ret->ssl_pkey_num; i++) { 130 CERT_PKEY *cpk = cert->pkeys + i; 131 CERT_PKEY *rpk = ret->pkeys + i; 132 133 if (cpk->x509 != NULL) { 134 if (!X509_up_ref(cpk->x509)) 135 goto err; 136 rpk->x509 = cpk->x509; 137 } 138 139 if (cpk->privatekey != NULL) { 140 if (!EVP_PKEY_up_ref(cpk->privatekey)) 141 goto err; 142 rpk->privatekey = cpk->privatekey; 143 } 144 145 if (cpk->chain) { 146 rpk->chain = X509_chain_up_ref(cpk->chain); 147 if (!rpk->chain) { 148 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 149 goto err; 150 } 151 } 152 if (cpk->serverinfo != NULL) { 153 /* Just copy everything. */ 154 rpk->serverinfo = OPENSSL_memdup(cpk->serverinfo, cpk->serverinfo_length); 155 if (rpk->serverinfo == NULL) 156 goto err; 157 rpk->serverinfo_length = cpk->serverinfo_length; 158 } 159 #ifndef OPENSSL_NO_COMP_ALG 160 for (j = TLSEXT_comp_cert_none; j < TLSEXT_comp_cert_limit; j++) { 161 if (cpk->comp_cert[j] != NULL) { 162 if (!OSSL_COMP_CERT_up_ref(cpk->comp_cert[j])) 163 goto err; 164 rpk->comp_cert[j] = cpk->comp_cert[j]; 165 } 166 } 167 #endif 168 } 169 170 /* Configured sigalgs copied across */ 171 if (cert->conf_sigalgs) { 172 ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen 173 * sizeof(*cert->conf_sigalgs)); 174 if (ret->conf_sigalgs == NULL) 175 goto err; 176 memcpy(ret->conf_sigalgs, cert->conf_sigalgs, 177 cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs)); 178 ret->conf_sigalgslen = cert->conf_sigalgslen; 179 } else 180 ret->conf_sigalgs = NULL; 181 182 if (cert->client_sigalgs) { 183 ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen 184 * sizeof(*cert->client_sigalgs)); 185 if (ret->client_sigalgs == NULL) 186 goto err; 187 memcpy(ret->client_sigalgs, cert->client_sigalgs, 188 cert->client_sigalgslen * sizeof(*cert->client_sigalgs)); 189 ret->client_sigalgslen = cert->client_sigalgslen; 190 } else 191 ret->client_sigalgs = NULL; 192 /* Copy any custom client certificate types */ 193 if (cert->ctype) { 194 ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); 195 if (ret->ctype == NULL) 196 goto err; 197 ret->ctype_len = cert->ctype_len; 198 } 199 200 ret->cert_flags = cert->cert_flags; 201 202 ret->cert_cb = cert->cert_cb; 203 ret->cert_cb_arg = cert->cert_cb_arg; 204 205 if (cert->verify_store) { 206 if (!X509_STORE_up_ref(cert->verify_store)) 207 goto err; 208 ret->verify_store = cert->verify_store; 209 } 210 211 if (cert->chain_store) { 212 if (!X509_STORE_up_ref(cert->chain_store)) 213 goto err; 214 ret->chain_store = cert->chain_store; 215 } 216 217 ret->sec_cb = cert->sec_cb; 218 ret->sec_level = cert->sec_level; 219 ret->sec_ex = cert->sec_ex; 220 221 if (!custom_exts_copy(&ret->custext, &cert->custext)) 222 goto err; 223 #ifndef OPENSSL_NO_PSK 224 if (cert->psk_identity_hint) { 225 ret->psk_identity_hint = OPENSSL_strdup(cert->psk_identity_hint); 226 if (ret->psk_identity_hint == NULL) 227 goto err; 228 } 229 #endif 230 return ret; 231 232 err: 233 ssl_cert_free(ret); 234 235 return NULL; 236 } 237 238 /* Free up and clear all certificates and chains */ 239 240 void ssl_cert_clear_certs(CERT *c) 241 { 242 size_t i; 243 #ifndef OPENSSL_NO_COMP_ALG 244 int j; 245 #endif 246 247 if (c == NULL) 248 return; 249 for (i = 0; i < c->ssl_pkey_num; i++) { 250 CERT_PKEY *cpk = c->pkeys + i; 251 X509_free(cpk->x509); 252 cpk->x509 = NULL; 253 EVP_PKEY_free(cpk->privatekey); 254 cpk->privatekey = NULL; 255 OSSL_STACK_OF_X509_free(cpk->chain); 256 cpk->chain = NULL; 257 OPENSSL_free(cpk->serverinfo); 258 cpk->serverinfo = NULL; 259 cpk->serverinfo_length = 0; 260 #ifndef OPENSSL_NO_COMP_ALG 261 for (j = 0; j < TLSEXT_comp_cert_limit; j++) { 262 OSSL_COMP_CERT_free(cpk->comp_cert[j]); 263 cpk->comp_cert[j] = NULL; 264 cpk->cert_comp_used = 0; 265 } 266 #endif 267 } 268 } 269 270 void ssl_cert_free(CERT *c) 271 { 272 int i; 273 274 if (c == NULL) 275 return; 276 CRYPTO_DOWN_REF(&c->references, &i); 277 REF_PRINT_COUNT("CERT", i, c); 278 if (i > 0) 279 return; 280 REF_ASSERT_ISNT(i < 0); 281 282 EVP_PKEY_free(c->dh_tmp); 283 284 ssl_cert_clear_certs(c); 285 OPENSSL_free(c->conf_sigalgs); 286 OPENSSL_free(c->client_sigalgs); 287 OPENSSL_free(c->ctype); 288 X509_STORE_free(c->verify_store); 289 X509_STORE_free(c->chain_store); 290 custom_exts_free(&c->custext); 291 #ifndef OPENSSL_NO_PSK 292 OPENSSL_free(c->psk_identity_hint); 293 #endif 294 OPENSSL_free(c->pkeys); 295 CRYPTO_FREE_REF(&c->references); 296 OPENSSL_free(c); 297 } 298 299 int ssl_cert_set0_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain) 300 { 301 int i, r; 302 CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key; 303 304 if (!cpk) 305 return 0; 306 for (i = 0; i < sk_X509_num(chain); i++) { 307 X509 *x = sk_X509_value(chain, i); 308 309 r = ssl_security_cert(s, ctx, x, 0, 0); 310 if (r != 1) { 311 ERR_raise(ERR_LIB_SSL, r); 312 return 0; 313 } 314 } 315 OSSL_STACK_OF_X509_free(cpk->chain); 316 cpk->chain = chain; 317 return 1; 318 } 319 320 int ssl_cert_set1_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain) 321 { 322 STACK_OF(X509) *dchain; 323 324 if (!chain) 325 return ssl_cert_set0_chain(s, ctx, NULL); 326 dchain = X509_chain_up_ref(chain); 327 if (!dchain) 328 return 0; 329 if (!ssl_cert_set0_chain(s, ctx, dchain)) { 330 OSSL_STACK_OF_X509_free(dchain); 331 return 0; 332 } 333 return 1; 334 } 335 336 int ssl_cert_add0_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x) 337 { 338 int r; 339 CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; 340 341 if (!cpk) 342 return 0; 343 r = ssl_security_cert(s, ctx, x, 0, 0); 344 if (r != 1) { 345 ERR_raise(ERR_LIB_SSL, r); 346 return 0; 347 } 348 if (!cpk->chain) 349 cpk->chain = sk_X509_new_null(); 350 if (!cpk->chain || !sk_X509_push(cpk->chain, x)) 351 return 0; 352 return 1; 353 } 354 355 int ssl_cert_add1_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x) 356 { 357 if (!X509_up_ref(x)) 358 return 0; 359 if (!ssl_cert_add0_chain_cert(s, ctx, x)) { 360 X509_free(x); 361 return 0; 362 } 363 return 1; 364 } 365 366 int ssl_cert_select_current(CERT *c, X509 *x) 367 { 368 size_t i; 369 370 if (x == NULL) 371 return 0; 372 for (i = 0; i < c->ssl_pkey_num; i++) { 373 CERT_PKEY *cpk = c->pkeys + i; 374 if (cpk->x509 == x && cpk->privatekey) { 375 c->key = cpk; 376 return 1; 377 } 378 } 379 380 for (i = 0; i < c->ssl_pkey_num; i++) { 381 CERT_PKEY *cpk = c->pkeys + i; 382 if (cpk->privatekey && cpk->x509 && !X509_cmp(cpk->x509, x)) { 383 c->key = cpk; 384 return 1; 385 } 386 } 387 return 0; 388 } 389 390 int ssl_cert_set_current(CERT *c, long op) 391 { 392 size_t i, idx; 393 394 if (!c) 395 return 0; 396 if (op == SSL_CERT_SET_FIRST) 397 idx = 0; 398 else if (op == SSL_CERT_SET_NEXT) { 399 idx = (size_t)(c->key - c->pkeys + 1); 400 if (idx >= c->ssl_pkey_num) 401 return 0; 402 } else 403 return 0; 404 for (i = idx; i < c->ssl_pkey_num; i++) { 405 CERT_PKEY *cpk = c->pkeys + i; 406 if (cpk->x509 && cpk->privatekey) { 407 c->key = cpk; 408 return 1; 409 } 410 } 411 return 0; 412 } 413 414 void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg) 415 { 416 c->cert_cb = cb; 417 c->cert_cb_arg = arg; 418 } 419 420 /* 421 * Verify a certificate chain/raw public key 422 * Return codes: 423 * 1: Verify success 424 * 0: Verify failure or error 425 * -1: Retry required 426 */ 427 static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY *rpk) 428 { 429 X509 *x; 430 int i = 0; 431 X509_STORE *verify_store; 432 X509_STORE_CTX *ctx = NULL; 433 X509_VERIFY_PARAM *param; 434 SSL_CTX *sctx; 435 436 /* Something must be passed in */ 437 if ((sk == NULL || sk_X509_num(sk) == 0) && rpk == NULL) 438 return 0; 439 440 /* Only one can be set */ 441 if (sk != NULL && rpk != NULL) 442 return 0; 443 444 sctx = SSL_CONNECTION_GET_CTX(s); 445 if (s->cert->verify_store) 446 verify_store = s->cert->verify_store; 447 else 448 verify_store = sctx->cert_store; 449 450 ctx = X509_STORE_CTX_new_ex(sctx->libctx, sctx->propq); 451 if (ctx == NULL) { 452 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 453 return 0; 454 } 455 456 if (sk != NULL) { 457 x = sk_X509_value(sk, 0); 458 if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) { 459 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 460 goto end; 461 } 462 } else { 463 if (!X509_STORE_CTX_init_rpk(ctx, verify_store, rpk)) { 464 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 465 goto end; 466 } 467 } 468 param = X509_STORE_CTX_get0_param(ctx); 469 /* 470 * XXX: Separate @AUTHSECLEVEL and @TLSSECLEVEL would be useful at some 471 * point, for now a single @SECLEVEL sets the same policy for TLS crypto 472 * and PKI authentication. 473 */ 474 X509_VERIFY_PARAM_set_auth_level(param, 475 SSL_get_security_level(SSL_CONNECTION_GET_SSL(s))); 476 477 /* Set suite B flags if needed */ 478 X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s)); 479 if (!X509_STORE_CTX_set_ex_data(ctx, 480 SSL_get_ex_data_X509_STORE_CTX_idx(), 481 SSL_CONNECTION_GET_USER_SSL(s))) 482 goto end; 483 484 /* Verify via DANE if enabled */ 485 if (DANETLS_ENABLED(&s->dane)) 486 X509_STORE_CTX_set0_dane(ctx, &s->dane); 487 488 /* 489 * We need to inherit the verify parameters. These can be determined by 490 * the context: if its a server it will verify SSL client certificates or 491 * vice versa. 492 */ 493 494 X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server"); 495 /* 496 * Anything non-default in "s->param" should overwrite anything in the ctx. 497 */ 498 X509_VERIFY_PARAM_set1(param, s->param); 499 500 if (s->verify_callback) 501 X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback); 502 503 if (sctx->app_verify_callback != NULL) { 504 i = sctx->app_verify_callback(ctx, sctx->app_verify_arg); 505 } else { 506 i = X509_verify_cert(ctx); 507 /* We treat an error in the same way as a failure to verify */ 508 if (i < 0) 509 i = 0; 510 } 511 512 s->verify_result = X509_STORE_CTX_get_error(ctx); 513 OSSL_STACK_OF_X509_free(s->verified_chain); 514 s->verified_chain = NULL; 515 516 if (sk != NULL && X509_STORE_CTX_get0_chain(ctx) != NULL) { 517 s->verified_chain = X509_STORE_CTX_get1_chain(ctx); 518 if (s->verified_chain == NULL) { 519 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 520 i = 0; 521 } 522 } 523 524 /* Move peername from the store context params to the SSL handle's */ 525 X509_VERIFY_PARAM_move_peername(s->param, param); 526 527 end: 528 X509_STORE_CTX_free(ctx); 529 return i; 530 } 531 532 /* 533 * Verify a raw public key 534 * Return codes: 535 * 1: Verify success 536 * 0: Verify failure or error 537 * -1: Retry required 538 */ 539 int ssl_verify_rpk(SSL_CONNECTION *s, EVP_PKEY *rpk) 540 { 541 return ssl_verify_internal(s, NULL, rpk); 542 } 543 544 /* 545 * Verify a certificate chain 546 * Return codes: 547 * 1: Verify success 548 * 0: Verify failure or error 549 * -1: Retry required 550 */ 551 int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk) 552 { 553 return ssl_verify_internal(s, sk, NULL); 554 } 555 556 static void set0_CA_list(STACK_OF(X509_NAME) **ca_list, 557 STACK_OF(X509_NAME) *name_list) 558 { 559 sk_X509_NAME_pop_free(*ca_list, X509_NAME_free); 560 *ca_list = name_list; 561 } 562 563 STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk) 564 { 565 int i; 566 const int num = sk_X509_NAME_num(sk); 567 STACK_OF(X509_NAME) *ret; 568 X509_NAME *name; 569 570 ret = sk_X509_NAME_new_reserve(NULL, num); 571 if (ret == NULL) { 572 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 573 return NULL; 574 } 575 for (i = 0; i < num; i++) { 576 name = X509_NAME_dup(sk_X509_NAME_value(sk, i)); 577 if (name == NULL) { 578 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 579 sk_X509_NAME_pop_free(ret, X509_NAME_free); 580 return NULL; 581 } 582 sk_X509_NAME_push(ret, name); /* Cannot fail after reserve call */ 583 } 584 return ret; 585 } 586 587 void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) 588 { 589 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 590 591 if (sc == NULL) 592 return; 593 594 set0_CA_list(&sc->ca_names, name_list); 595 } 596 597 void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) 598 { 599 set0_CA_list(&ctx->ca_names, name_list); 600 } 601 602 const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx) 603 { 604 return ctx->ca_names; 605 } 606 607 const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s) 608 { 609 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 610 611 if (sc == NULL) 612 return NULL; 613 614 return sc->ca_names != NULL ? sc->ca_names : s->ctx->ca_names; 615 } 616 617 void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) 618 { 619 set0_CA_list(&ctx->client_ca_names, name_list); 620 } 621 622 STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) 623 { 624 return ctx->client_ca_names; 625 } 626 627 void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) 628 { 629 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 630 631 if (sc == NULL) 632 return; 633 634 set0_CA_list(&sc->client_ca_names, name_list); 635 } 636 637 const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s) 638 { 639 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 640 641 if (sc == NULL) 642 return NULL; 643 644 return sc->s3.tmp.peer_ca_names; 645 } 646 647 STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) 648 { 649 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 650 651 if (sc == NULL) 652 return NULL; 653 654 if (!sc->server) 655 return sc->s3.tmp.peer_ca_names; 656 return sc->client_ca_names != NULL ? sc->client_ca_names 657 : s->ctx->client_ca_names; 658 } 659 660 static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x) 661 { 662 X509_NAME *name; 663 664 if (x == NULL) 665 return 0; 666 if (*sk == NULL && ((*sk = sk_X509_NAME_new_null()) == NULL)) 667 return 0; 668 669 if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL) 670 return 0; 671 672 if (!sk_X509_NAME_push(*sk, name)) { 673 X509_NAME_free(name); 674 return 0; 675 } 676 return 1; 677 } 678 679 int SSL_add1_to_CA_list(SSL *ssl, const X509 *x) 680 { 681 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl); 682 683 if (sc == NULL) 684 return 0; 685 686 return add_ca_name(&sc->ca_names, x); 687 } 688 689 int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x) 690 { 691 return add_ca_name(&ctx->ca_names, x); 692 } 693 694 /* 695 * The following two are older names are to be replaced with 696 * SSL(_CTX)_add1_to_CA_list 697 */ 698 int SSL_add_client_CA(SSL *ssl, X509 *x) 699 { 700 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl); 701 702 if (sc == NULL) 703 return 0; 704 705 return add_ca_name(&sc->client_ca_names, x); 706 } 707 708 int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) 709 { 710 return add_ca_name(&ctx->client_ca_names, x); 711 } 712 713 static int xname_cmp(const X509_NAME *a, const X509_NAME *b) 714 { 715 unsigned char *abuf = NULL, *bbuf = NULL; 716 int alen, blen, ret; 717 718 /* X509_NAME_cmp() itself casts away constness in this way, so 719 * assume it's safe: 720 */ 721 alen = i2d_X509_NAME((X509_NAME *)a, &abuf); 722 blen = i2d_X509_NAME((X509_NAME *)b, &bbuf); 723 724 if (alen < 0 || blen < 0) 725 ret = -2; 726 else if (alen != blen) 727 ret = alen - blen; 728 else /* alen == blen */ 729 ret = memcmp(abuf, bbuf, alen); 730 731 OPENSSL_free(abuf); 732 OPENSSL_free(bbuf); 733 734 return ret; 735 } 736 737 static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b) 738 { 739 return xname_cmp(*a, *b); 740 } 741 742 static unsigned long xname_hash(const X509_NAME *a) 743 { 744 /* This returns 0 also if SHA1 is not available */ 745 return X509_NAME_hash_ex((X509_NAME *)a, NULL, NULL, NULL); 746 } 747 748 STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file, 749 OSSL_LIB_CTX *libctx, 750 const char *propq) 751 { 752 BIO *in = BIO_new(BIO_s_file()); 753 X509 *x = NULL; 754 X509_NAME *xn = NULL; 755 STACK_OF(X509_NAME) *ret = NULL; 756 LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp); 757 OSSL_LIB_CTX *prev_libctx = NULL; 758 759 if (file == NULL) { 760 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); 761 goto err; 762 } 763 if (name_hash == NULL) { 764 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 765 goto err; 766 } 767 if (in == NULL) { 768 ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB); 769 goto err; 770 } 771 772 x = X509_new_ex(libctx, propq); 773 if (x == NULL) { 774 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 775 goto err; 776 } 777 if (BIO_read_filename(in, file) <= 0) 778 goto err; 779 780 /* Internally lh_X509_NAME_retrieve() needs the libctx to retrieve SHA1 */ 781 prev_libctx = OSSL_LIB_CTX_set0_default(libctx); 782 for (;;) { 783 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) 784 break; 785 if (ret == NULL) { 786 ret = sk_X509_NAME_new_null(); 787 if (ret == NULL) { 788 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 789 goto err; 790 } 791 } 792 if ((xn = X509_get_subject_name(x)) == NULL) 793 goto err; 794 /* check for duplicates */ 795 xn = X509_NAME_dup(xn); 796 if (xn == NULL) 797 goto err; 798 if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) { 799 /* Duplicate. */ 800 X509_NAME_free(xn); 801 xn = NULL; 802 } else { 803 lh_X509_NAME_insert(name_hash, xn); 804 if (!sk_X509_NAME_push(ret, xn)) 805 goto err; 806 } 807 } 808 goto done; 809 810 err: 811 X509_NAME_free(xn); 812 sk_X509_NAME_pop_free(ret, X509_NAME_free); 813 ret = NULL; 814 done: 815 /* restore the old libctx */ 816 OSSL_LIB_CTX_set0_default(prev_libctx); 817 BIO_free(in); 818 X509_free(x); 819 lh_X509_NAME_free(name_hash); 820 if (ret != NULL) 821 ERR_clear_error(); 822 return ret; 823 } 824 825 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) 826 { 827 return SSL_load_client_CA_file_ex(file, NULL, NULL); 828 } 829 830 static int add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 831 const char *file, 832 LHASH_OF(X509_NAME) *name_hash) 833 { 834 BIO *in; 835 X509 *x = NULL; 836 X509_NAME *xn = NULL; 837 int ret = 1; 838 839 in = BIO_new(BIO_s_file()); 840 841 if (in == NULL) { 842 ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB); 843 goto err; 844 } 845 846 if (BIO_read_filename(in, file) <= 0) 847 goto err; 848 849 for (;;) { 850 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) 851 break; 852 if ((xn = X509_get_subject_name(x)) == NULL) 853 goto err; 854 xn = X509_NAME_dup(xn); 855 if (xn == NULL) 856 goto err; 857 if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) { 858 /* Duplicate. */ 859 X509_NAME_free(xn); 860 } else if (!sk_X509_NAME_push(stack, xn)) { 861 X509_NAME_free(xn); 862 goto err; 863 } else { 864 /* Successful insert, add to hash table */ 865 lh_X509_NAME_insert(name_hash, xn); 866 } 867 } 868 869 ERR_clear_error(); 870 goto done; 871 872 err: 873 ret = 0; 874 done: 875 BIO_free(in); 876 X509_free(x); 877 return ret; 878 } 879 880 int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 881 const char *file) 882 { 883 X509_NAME *xn = NULL; 884 int ret = 1; 885 int idx = 0; 886 int num = 0; 887 LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp); 888 889 if (file == NULL) { 890 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); 891 goto err; 892 } 893 894 if (name_hash == NULL) { 895 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 896 goto err; 897 } 898 899 /* 900 * Pre-populate the lhash with the existing entries of the stack, since 901 * using the LHASH_OF is much faster for duplicate checking. That's because 902 * xname_cmp converts the X509_NAMEs to DER involving a memory allocation 903 * for every single invocation of the comparison function. 904 */ 905 num = sk_X509_NAME_num(stack); 906 for (idx = 0; idx < num; idx++) { 907 xn = sk_X509_NAME_value(stack, idx); 908 lh_X509_NAME_insert(name_hash, xn); 909 } 910 911 ret = add_file_cert_subjects_to_stack(stack, file, name_hash); 912 goto done; 913 914 err: 915 ret = 0; 916 done: 917 lh_X509_NAME_free(name_hash); 918 return ret; 919 } 920 921 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 922 const char *dir) 923 { 924 OPENSSL_DIR_CTX *d = NULL; 925 const char *filename; 926 int ret = 0; 927 X509_NAME *xn = NULL; 928 int idx = 0; 929 int num = 0; 930 LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp); 931 932 if (name_hash == NULL) { 933 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 934 goto err; 935 } 936 937 /* 938 * Pre-populate the lhash with the existing entries of the stack, since 939 * using the LHASH_OF is much faster for duplicate checking. That's because 940 * xname_cmp converts the X509_NAMEs to DER involving a memory allocation 941 * for every single invocation of the comparison function. 942 */ 943 num = sk_X509_NAME_num(stack); 944 for (idx = 0; idx < num; idx++) { 945 xn = sk_X509_NAME_value(stack, idx); 946 lh_X509_NAME_insert(name_hash, xn); 947 } 948 949 while ((filename = OPENSSL_DIR_read(&d, dir))) { 950 char buf[1024]; 951 int r; 952 #ifndef OPENSSL_NO_POSIX_IO 953 struct stat st; 954 955 #else 956 /* Cannot use stat so just skip current and parent directories */ 957 if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0) 958 continue; 959 #endif 960 if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) { 961 ERR_raise(ERR_LIB_SSL, SSL_R_PATH_TOO_LONG); 962 goto err; 963 } 964 #ifdef OPENSSL_SYS_VMS 965 r = BIO_snprintf(buf, sizeof(buf), "%s%s", dir, filename); 966 #else 967 r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename); 968 #endif 969 #ifndef OPENSSL_NO_POSIX_IO 970 /* Skip subdirectories */ 971 if (!stat(buf, &st) && S_ISDIR(st.st_mode)) 972 continue; 973 #endif 974 if (r <= 0 || r >= (int)sizeof(buf)) 975 goto err; 976 if (!add_file_cert_subjects_to_stack(stack, buf, name_hash)) 977 goto err; 978 } 979 980 if (errno) { 981 ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(), 982 "calling OPENSSL_dir_read(%s)", dir); 983 ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB); 984 goto err; 985 } 986 987 ret = 1; 988 989 err: 990 if (d) 991 OPENSSL_DIR_end(&d); 992 lh_X509_NAME_free(name_hash); 993 994 return ret; 995 } 996 997 static int add_uris_recursive(STACK_OF(X509_NAME) *stack, 998 const char *uri, int depth) 999 { 1000 int ok = 1; 1001 OSSL_STORE_CTX *ctx = NULL; 1002 X509 *x = NULL; 1003 X509_NAME *xn = NULL; 1004 OSSL_STORE_INFO *info = NULL; 1005 1006 if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL) 1007 goto err; 1008 1009 while (!OSSL_STORE_eof(ctx) && !OSSL_STORE_error(ctx)) { 1010 int infotype; 1011 1012 if ((info = OSSL_STORE_load(ctx)) == NULL) 1013 continue; 1014 infotype = OSSL_STORE_INFO_get_type(info); 1015 1016 if (infotype == OSSL_STORE_INFO_NAME) { 1017 /* 1018 * This is an entry in the "directory" represented by the current 1019 * uri. if |depth| allows, dive into it. 1020 */ 1021 if (depth > 0) 1022 ok = add_uris_recursive(stack, OSSL_STORE_INFO_get0_NAME(info), 1023 depth - 1); 1024 } else if (infotype == OSSL_STORE_INFO_CERT) { 1025 if ((x = OSSL_STORE_INFO_get0_CERT(info)) == NULL 1026 || (xn = X509_get_subject_name(x)) == NULL 1027 || (xn = X509_NAME_dup(xn)) == NULL) 1028 goto err; 1029 if (sk_X509_NAME_find(stack, xn) >= 0) { 1030 /* Duplicate. */ 1031 X509_NAME_free(xn); 1032 } else if (!sk_X509_NAME_push(stack, xn)) { 1033 X509_NAME_free(xn); 1034 goto err; 1035 } 1036 } 1037 1038 OSSL_STORE_INFO_free(info); 1039 info = NULL; 1040 } 1041 1042 ERR_clear_error(); 1043 goto done; 1044 1045 err: 1046 ok = 0; 1047 OSSL_STORE_INFO_free(info); 1048 done: 1049 OSSL_STORE_close(ctx); 1050 1051 return ok; 1052 } 1053 1054 int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 1055 const char *store) 1056 { 1057 int (*oldcmp)(const X509_NAME *const *a, const X509_NAME *const *b) 1058 = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp); 1059 int ret = add_uris_recursive(stack, store, 1); 1060 1061 (void)sk_X509_NAME_set_cmp_func(stack, oldcmp); 1062 return ret; 1063 } 1064 1065 /* Build a certificate chain for current certificate */ 1066 int ssl_build_cert_chain(SSL_CONNECTION *s, SSL_CTX *ctx, int flags) 1067 { 1068 CERT *c = s != NULL ? s->cert : ctx->cert; 1069 CERT_PKEY *cpk = c->key; 1070 X509_STORE *chain_store = NULL; 1071 X509_STORE_CTX *xs_ctx = NULL; 1072 STACK_OF(X509) *chain = NULL, *untrusted = NULL; 1073 X509 *x; 1074 SSL_CTX *real_ctx = (s == NULL) ? ctx : SSL_CONNECTION_GET_CTX(s); 1075 int i, rv = 0; 1076 1077 if (cpk->x509 == NULL) { 1078 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_SET); 1079 goto err; 1080 } 1081 /* Rearranging and check the chain: add everything to a store */ 1082 if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) { 1083 chain_store = X509_STORE_new(); 1084 if (chain_store == NULL) 1085 goto err; 1086 for (i = 0; i < sk_X509_num(cpk->chain); i++) { 1087 x = sk_X509_value(cpk->chain, i); 1088 if (!X509_STORE_add_cert(chain_store, x)) 1089 goto err; 1090 } 1091 /* Add EE cert too: it might be self signed */ 1092 if (!X509_STORE_add_cert(chain_store, cpk->x509)) 1093 goto err; 1094 } else { 1095 if (c->chain_store != NULL) 1096 chain_store = c->chain_store; 1097 else 1098 chain_store = real_ctx->cert_store; 1099 1100 if (flags & SSL_BUILD_CHAIN_FLAG_UNTRUSTED) 1101 untrusted = cpk->chain; 1102 } 1103 1104 xs_ctx = X509_STORE_CTX_new_ex(real_ctx->libctx, real_ctx->propq); 1105 if (xs_ctx == NULL) { 1106 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 1107 goto err; 1108 } 1109 if (!X509_STORE_CTX_init(xs_ctx, chain_store, cpk->x509, untrusted)) { 1110 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 1111 goto err; 1112 } 1113 /* Set suite B flags if needed */ 1114 X509_STORE_CTX_set_flags(xs_ctx, 1115 c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS); 1116 1117 i = X509_verify_cert(xs_ctx); 1118 if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR) { 1119 if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR) 1120 ERR_clear_error(); 1121 i = 1; 1122 rv = 2; 1123 } 1124 if (i > 0) 1125 chain = X509_STORE_CTX_get1_chain(xs_ctx); 1126 if (i <= 0) { 1127 i = X509_STORE_CTX_get_error(xs_ctx); 1128 ERR_raise_data(ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED, 1129 "Verify error:%s", X509_verify_cert_error_string(i)); 1130 1131 goto err; 1132 } 1133 /* Remove EE certificate from chain */ 1134 x = sk_X509_shift(chain); 1135 X509_free(x); 1136 if (flags & SSL_BUILD_CHAIN_FLAG_NO_ROOT) { 1137 if (sk_X509_num(chain) > 0) { 1138 /* See if last cert is self signed */ 1139 x = sk_X509_value(chain, sk_X509_num(chain) - 1); 1140 if (X509_get_extension_flags(x) & EXFLAG_SS) { 1141 x = sk_X509_pop(chain); 1142 X509_free(x); 1143 } 1144 } 1145 } 1146 /* 1147 * Check security level of all CA certificates: EE will have been checked 1148 * already. 1149 */ 1150 for (i = 0; i < sk_X509_num(chain); i++) { 1151 x = sk_X509_value(chain, i); 1152 rv = ssl_security_cert(s, ctx, x, 0, 0); 1153 if (rv != 1) { 1154 ERR_raise(ERR_LIB_SSL, rv); 1155 OSSL_STACK_OF_X509_free(chain); 1156 rv = 0; 1157 goto err; 1158 } 1159 } 1160 OSSL_STACK_OF_X509_free(cpk->chain); 1161 cpk->chain = chain; 1162 if (rv == 0) 1163 rv = 1; 1164 err: 1165 if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) 1166 X509_STORE_free(chain_store); 1167 X509_STORE_CTX_free(xs_ctx); 1168 1169 return rv; 1170 } 1171 1172 int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) 1173 { 1174 X509_STORE **pstore; 1175 1176 if (ref && store && !X509_STORE_up_ref(store)) 1177 return 0; 1178 1179 if (chain) 1180 pstore = &c->chain_store; 1181 else 1182 pstore = &c->verify_store; 1183 X509_STORE_free(*pstore); 1184 *pstore = store; 1185 1186 return 1; 1187 } 1188 1189 int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain) 1190 { 1191 *pstore = (chain ? c->chain_store : c->verify_store); 1192 return 1; 1193 } 1194 1195 int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp) 1196 { 1197 int level; 1198 /* 1199 * note that there's a corresponding minbits_table 1200 * in crypto/x509/x509_vfy.c that's used for checking the security level 1201 * of RSA and DSA keys 1202 */ 1203 static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 }; 1204 1205 if (ctx != NULL) 1206 level = SSL_CTX_get_security_level(ctx); 1207 else 1208 level = SSL_get_security_level(s); 1209 1210 if (level > 5) 1211 level = 5; 1212 else if (level < 0) 1213 level = 0; 1214 1215 if (levelp != NULL) 1216 *levelp = level; 1217 1218 return minbits_table[level]; 1219 } 1220 1221 static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, 1222 int op, int bits, int nid, void *other, 1223 void *ex) 1224 { 1225 int level, minbits, pfs_mask; 1226 const SSL_CONNECTION *sc; 1227 1228 minbits = ssl_get_security_level_bits(s, ctx, &level); 1229 1230 if (level == 0) { 1231 /* 1232 * No EDH keys weaker than 1024-bits even at level 0, otherwise, 1233 * anything goes. 1234 */ 1235 if (op == SSL_SECOP_TMP_DH && bits < 80) 1236 return 0; 1237 return 1; 1238 } 1239 switch (op) { 1240 case SSL_SECOP_CIPHER_SUPPORTED: 1241 case SSL_SECOP_CIPHER_SHARED: 1242 case SSL_SECOP_CIPHER_CHECK: { 1243 const SSL_CIPHER *c = other; 1244 /* No ciphers below security level */ 1245 if (bits < minbits) 1246 return 0; 1247 /* No unauthenticated ciphersuites */ 1248 if (c->algorithm_auth & SSL_aNULL) 1249 return 0; 1250 /* No MD5 mac ciphersuites */ 1251 if (c->algorithm_mac & SSL_MD5) 1252 return 0; 1253 /* SHA1 HMAC is 160 bits of security */ 1254 if (minbits > 160 && c->algorithm_mac & SSL_SHA1) 1255 return 0; 1256 /* Level 3: forward secure ciphersuites only */ 1257 pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK; 1258 if (level >= 3 && c->min_tls != TLS1_3_VERSION && !(c->algorithm_mkey & pfs_mask)) 1259 return 0; 1260 break; 1261 } 1262 case SSL_SECOP_VERSION: 1263 if ((sc = SSL_CONNECTION_FROM_CONST_SSL(s)) == NULL) 1264 return 0; 1265 if (!SSL_CONNECTION_IS_DTLS(sc)) { 1266 /* SSLv3, TLS v1.0 and TLS v1.1 only allowed at level 0 */ 1267 if (nid <= TLS1_1_VERSION && level > 0) 1268 return 0; 1269 } else { 1270 /* DTLS v1.0 only allowed at level 0 */ 1271 if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level > 0) 1272 return 0; 1273 } 1274 break; 1275 1276 case SSL_SECOP_COMPRESSION: 1277 if (level >= 2) 1278 return 0; 1279 break; 1280 case SSL_SECOP_TICKET: 1281 if (level >= 3) 1282 return 0; 1283 break; 1284 default: 1285 if (bits < minbits) 1286 return 0; 1287 } 1288 return 1; 1289 } 1290 1291 int ssl_security(const SSL_CONNECTION *s, int op, int bits, int nid, void *other) 1292 { 1293 return s->cert->sec_cb(SSL_CONNECTION_GET_USER_SSL(s), NULL, op, bits, nid, 1294 other, s->cert->sec_ex); 1295 } 1296 1297 int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other) 1298 { 1299 return ctx->cert->sec_cb(NULL, ctx, op, bits, nid, other, 1300 ctx->cert->sec_ex); 1301 } 1302 1303 int ssl_cert_lookup_by_nid(int nid, size_t *pidx, SSL_CTX *ctx) 1304 { 1305 size_t i; 1306 1307 for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) { 1308 if (ssl_cert_info[i].pkey_nid == nid) { 1309 *pidx = i; 1310 return 1; 1311 } 1312 } 1313 for (i = 0; i < ctx->sigalg_list_len; i++) { 1314 if (ctx->ssl_cert_info[i].pkey_nid == nid) { 1315 *pidx = SSL_PKEY_NUM + i; 1316 return 1; 1317 } 1318 } 1319 return 0; 1320 } 1321 1322 const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_CTX *ctx) 1323 { 1324 size_t i; 1325 1326 /* check classic pk types */ 1327 for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) { 1328 const SSL_CERT_LOOKUP *tmp_lu = &ssl_cert_info[i]; 1329 1330 if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->pkey_nid)) 1331 || EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->pkey_nid))) { 1332 if (pidx != NULL) 1333 *pidx = i; 1334 return tmp_lu; 1335 } 1336 } 1337 /* check provider-loaded pk types */ 1338 for (i = 0; i < ctx->sigalg_list_len; i++) { 1339 SSL_CERT_LOOKUP *tmp_lu = &(ctx->ssl_cert_info[i]); 1340 1341 if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->pkey_nid)) 1342 || EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->pkey_nid))) { 1343 if (pidx != NULL) 1344 *pidx = SSL_PKEY_NUM + i; 1345 return &ctx->ssl_cert_info[i]; 1346 } 1347 } 1348 1349 return NULL; 1350 } 1351 1352 const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx, SSL_CTX *ctx) 1353 { 1354 if (idx >= (OSSL_NELEM(ssl_cert_info) + ctx->sigalg_list_len)) 1355 return NULL; 1356 else if (idx >= (OSSL_NELEM(ssl_cert_info))) 1357 return &(ctx->ssl_cert_info[idx - SSL_PKEY_NUM]); 1358 return &ssl_cert_info[idx]; 1359 } 1360
Indexes created Mon Mar 02 05:31:46 UTC 2026