1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include "internal/e_os.h" 12 13 #include <stdio.h> 14 #include <sys/types.h> 15 16 #include "internal/nelem.h" 17 #include "internal/o_dir.h" 18 #include <openssl/bio.h> 19 #include <openssl/pem.h> 20 #include <openssl/store.h> 21 #include <openssl/x509v3.h> 22 #include <openssl/dh.h> 23 #include <openssl/bn.h> 24 #include <openssl/crypto.h> 25 #include "internal/refcount.h" 26 #include "ssl_local.h" 27 #include "ssl_cert_table.h" 28 #include "internal/thread_once.h" 29 #include "internal/ssl_unwrap.h" 30 #ifndef OPENSSL_NO_POSIX_IO 31 # include <sys/stat.h> 32 # ifdef _WIN32 33 # define stat _stat 34 # endif 35 # ifndef S_ISDIR 36 # define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) 37 # endif 38 #endif 39 40 41 static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, 42 int op, int bits, int nid, void *other, 43 void *ex); 44 45 static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT; 46 static volatile int ssl_x509_store_ctx_idx = -1; 47 48 DEFINE_RUN_ONCE_STATIC(ssl_x509_store_ctx_init) 49 { 50 ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(0, 51 "SSL for verify callback", 52 NULL, NULL, NULL); 53 return ssl_x509_store_ctx_idx >= 0; 54 } 55 56 int SSL_get_ex_data_X509_STORE_CTX_idx(void) 57 { 58 59 if (!RUN_ONCE(&ssl_x509_store_ctx_once, ssl_x509_store_ctx_init)) 60 return -1; 61 return ssl_x509_store_ctx_idx; 62 } 63 64 CERT *ssl_cert_new(size_t ssl_pkey_num) 65 { 66 CERT *ret = NULL; 67 68 /* Should never happen */ 69 if (!ossl_assert(ssl_pkey_num >= SSL_PKEY_NUM)) 70 return NULL; 71 72 ret = OPENSSL_zalloc(sizeof(*ret)); 73 if (ret == NULL) 74 return NULL; 75 76 ret->ssl_pkey_num = ssl_pkey_num; 77 ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY)); 78 if (ret->pkeys == NULL) { 79 OPENSSL_free(ret); 80 return NULL; 81 } 82 83 ret->key = &(ret->pkeys[SSL_PKEY_RSA]); 84 ret->sec_cb = ssl_security_default_callback; 85 ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL; 86 ret->sec_ex = NULL; 87 if (!CRYPTO_NEW_REF(&ret->references, 1)) { 88 OPENSSL_free(ret->pkeys); 89 OPENSSL_free(ret); 90 return NULL; 91 } 92 93 return ret; 94 } 95 96 CERT *ssl_cert_dup(CERT *cert) 97 { 98 CERT *ret = OPENSSL_zalloc(sizeof(*ret)); 99 size_t i; 100 #ifndef OPENSSL_NO_COMP_ALG 101 int j; 102 #endif 103 104 if (ret == NULL) 105 return NULL; 106 107 ret->ssl_pkey_num = cert->ssl_pkey_num; 108 ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY)); 109 if (ret->pkeys == NULL) { 110 OPENSSL_free(ret); 111 return NULL; 112 } 113 114 ret->key = &ret->pkeys[cert->key - cert->pkeys]; 115 if (!CRYPTO_NEW_REF(&ret->references, 1)) { 116 OPENSSL_free(ret->pkeys); 117 OPENSSL_free(ret); 118 return NULL; 119 } 120 121 if (cert->dh_tmp != NULL) { 122 if (!EVP_PKEY_up_ref(cert->dh_tmp)) 123 goto err; 124 ret->dh_tmp = cert->dh_tmp; 125 } 126 127 ret->dh_tmp_cb = cert->dh_tmp_cb; 128 ret->dh_tmp_auto = cert->dh_tmp_auto; 129 130 for (i = 0; i < ret->ssl_pkey_num; i++) { 131 CERT_PKEY *cpk = cert->pkeys + i; 132 CERT_PKEY *rpk = ret->pkeys + i; 133 134 if (cpk->x509 != NULL) { 135 if (!X509_up_ref(cpk->x509)) 136 goto err; 137 rpk->x509 = cpk->x509; 138 } 139 140 if (cpk->privatekey != NULL) { 141 if (!EVP_PKEY_up_ref(cpk->privatekey)) 142 goto err; 143 rpk->privatekey = cpk->privatekey; 144 } 145 146 if (cpk->chain) { 147 rpk->chain = X509_chain_up_ref(cpk->chain); 148 if (!rpk->chain) { 149 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 150 goto err; 151 } 152 } 153 if (cpk->serverinfo != NULL) { 154 /* Just copy everything. */ 155 rpk->serverinfo = OPENSSL_memdup(cpk->serverinfo, cpk->serverinfo_length); 156 if (rpk->serverinfo == NULL) 157 goto err; 158 rpk->serverinfo_length = cpk->serverinfo_length; 159 } 160 #ifndef OPENSSL_NO_COMP_ALG 161 for (j = TLSEXT_comp_cert_none; j < TLSEXT_comp_cert_limit; j++) { 162 if (cpk->comp_cert[j] != NULL) { 163 if (!OSSL_COMP_CERT_up_ref(cpk->comp_cert[j])) 164 goto err; 165 rpk->comp_cert[j] = cpk->comp_cert[j]; 166 } 167 } 168 #endif 169 } 170 171 /* Configured sigalgs copied across */ 172 if (cert->conf_sigalgs) { 173 ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen 174 * sizeof(*cert->conf_sigalgs)); 175 if (ret->conf_sigalgs == NULL) 176 goto err; 177 memcpy(ret->conf_sigalgs, cert->conf_sigalgs, 178 cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs)); 179 ret->conf_sigalgslen = cert->conf_sigalgslen; 180 } else 181 ret->conf_sigalgs = NULL; 182 183 if (cert->client_sigalgs) { 184 ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen 185 * sizeof(*cert->client_sigalgs)); 186 if (ret->client_sigalgs == NULL) 187 goto err; 188 memcpy(ret->client_sigalgs, cert->client_sigalgs, 189 cert->client_sigalgslen * sizeof(*cert->client_sigalgs)); 190 ret->client_sigalgslen = cert->client_sigalgslen; 191 } else 192 ret->client_sigalgs = NULL; 193 /* Copy any custom client certificate types */ 194 if (cert->ctype) { 195 ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); 196 if (ret->ctype == NULL) 197 goto err; 198 ret->ctype_len = cert->ctype_len; 199 } 200 201 ret->cert_flags = cert->cert_flags; 202 203 ret->cert_cb = cert->cert_cb; 204 ret->cert_cb_arg = cert->cert_cb_arg; 205 206 if (cert->verify_store) { 207 if (!X509_STORE_up_ref(cert->verify_store)) 208 goto err; 209 ret->verify_store = cert->verify_store; 210 } 211 212 if (cert->chain_store) { 213 if (!X509_STORE_up_ref(cert->chain_store)) 214 goto err; 215 ret->chain_store = cert->chain_store; 216 } 217 218 ret->sec_cb = cert->sec_cb; 219 ret->sec_level = cert->sec_level; 220 ret->sec_ex = cert->sec_ex; 221 222 if (!custom_exts_copy(&ret->custext, &cert->custext)) 223 goto err; 224 #ifndef OPENSSL_NO_PSK 225 if (cert->psk_identity_hint) { 226 ret->psk_identity_hint = OPENSSL_strdup(cert->psk_identity_hint); 227 if (ret->psk_identity_hint == NULL) 228 goto err; 229 } 230 #endif 231 return ret; 232 233 err: 234 ssl_cert_free(ret); 235 236 return NULL; 237 } 238 239 /* Free up and clear all certificates and chains */ 240 241 void ssl_cert_clear_certs(CERT *c) 242 { 243 size_t i; 244 #ifndef OPENSSL_NO_COMP_ALG 245 int j; 246 #endif 247 248 if (c == NULL) 249 return; 250 for (i = 0; i < c->ssl_pkey_num; i++) { 251 CERT_PKEY *cpk = c->pkeys + i; 252 X509_free(cpk->x509); 253 cpk->x509 = NULL; 254 EVP_PKEY_free(cpk->privatekey); 255 cpk->privatekey = NULL; 256 OSSL_STACK_OF_X509_free(cpk->chain); 257 cpk->chain = NULL; 258 OPENSSL_free(cpk->serverinfo); 259 cpk->serverinfo = NULL; 260 cpk->serverinfo_length = 0; 261 #ifndef OPENSSL_NO_COMP_ALG 262 for (j = 0; j < TLSEXT_comp_cert_limit; j++) { 263 OSSL_COMP_CERT_free(cpk->comp_cert[j]); 264 cpk->comp_cert[j] = NULL; 265 cpk->cert_comp_used = 0; 266 } 267 #endif 268 } 269 } 270 271 void ssl_cert_free(CERT *c) 272 { 273 int i; 274 275 if (c == NULL) 276 return; 277 CRYPTO_DOWN_REF(&c->references, &i); 278 REF_PRINT_COUNT("CERT", i, c); 279 if (i > 0) 280 return; 281 REF_ASSERT_ISNT(i < 0); 282 283 EVP_PKEY_free(c->dh_tmp); 284 285 ssl_cert_clear_certs(c); 286 OPENSSL_free(c->conf_sigalgs); 287 OPENSSL_free(c->client_sigalgs); 288 OPENSSL_free(c->ctype); 289 X509_STORE_free(c->verify_store); 290 X509_STORE_free(c->chain_store); 291 custom_exts_free(&c->custext); 292 #ifndef OPENSSL_NO_PSK 293 OPENSSL_free(c->psk_identity_hint); 294 #endif 295 OPENSSL_free(c->pkeys); 296 CRYPTO_FREE_REF(&c->references); 297 OPENSSL_free(c); 298 } 299 300 int ssl_cert_set0_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain) 301 { 302 int i, r; 303 CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key; 304 305 if (!cpk) 306 return 0; 307 for (i = 0; i < sk_X509_num(chain); i++) { 308 X509 *x = sk_X509_value(chain, i); 309 310 r = ssl_security_cert(s, ctx, x, 0, 0); 311 if (r != 1) { 312 ERR_raise(ERR_LIB_SSL, r); 313 return 0; 314 } 315 } 316 OSSL_STACK_OF_X509_free(cpk->chain); 317 cpk->chain = chain; 318 return 1; 319 } 320 321 int ssl_cert_set1_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain) 322 { 323 STACK_OF(X509) *dchain; 324 325 if (!chain) 326 return ssl_cert_set0_chain(s, ctx, NULL); 327 dchain = X509_chain_up_ref(chain); 328 if (!dchain) 329 return 0; 330 if (!ssl_cert_set0_chain(s, ctx, dchain)) { 331 OSSL_STACK_OF_X509_free(dchain); 332 return 0; 333 } 334 return 1; 335 } 336 337 int ssl_cert_add0_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x) 338 { 339 int r; 340 CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; 341 342 if (!cpk) 343 return 0; 344 r = ssl_security_cert(s, ctx, x, 0, 0); 345 if (r != 1) { 346 ERR_raise(ERR_LIB_SSL, r); 347 return 0; 348 } 349 if (!cpk->chain) 350 cpk->chain = sk_X509_new_null(); 351 if (!cpk->chain || !sk_X509_push(cpk->chain, x)) 352 return 0; 353 return 1; 354 } 355 356 int ssl_cert_add1_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x) 357 { 358 if (!X509_up_ref(x)) 359 return 0; 360 if (!ssl_cert_add0_chain_cert(s, ctx, x)) { 361 X509_free(x); 362 return 0; 363 } 364 return 1; 365 } 366 367 int ssl_cert_select_current(CERT *c, X509 *x) 368 { 369 size_t i; 370 371 if (x == NULL) 372 return 0; 373 for (i = 0; i < c->ssl_pkey_num; i++) { 374 CERT_PKEY *cpk = c->pkeys + i; 375 if (cpk->x509 == x && cpk->privatekey) { 376 c->key = cpk; 377 return 1; 378 } 379 } 380 381 for (i = 0; i < c->ssl_pkey_num; i++) { 382 CERT_PKEY *cpk = c->pkeys + i; 383 if (cpk->privatekey && cpk->x509 && !X509_cmp(cpk->x509, x)) { 384 c->key = cpk; 385 return 1; 386 } 387 } 388 return 0; 389 } 390 391 int ssl_cert_set_current(CERT *c, long op) 392 { 393 size_t i, idx; 394 395 if (!c) 396 return 0; 397 if (op == SSL_CERT_SET_FIRST) 398 idx = 0; 399 else if (op == SSL_CERT_SET_NEXT) { 400 idx = (size_t)(c->key - c->pkeys + 1); 401 if (idx >= c->ssl_pkey_num) 402 return 0; 403 } else 404 return 0; 405 for (i = idx; i < c->ssl_pkey_num; i++) { 406 CERT_PKEY *cpk = c->pkeys + i; 407 if (cpk->x509 && cpk->privatekey) { 408 c->key = cpk; 409 return 1; 410 } 411 } 412 return 0; 413 } 414 415 void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg) 416 { 417 c->cert_cb = cb; 418 c->cert_cb_arg = arg; 419 } 420 421 /* 422 * Verify a certificate chain/raw public key 423 * Return codes: 424 * 1: Verify success 425 * 0: Verify failure or error 426 * -1: Retry required 427 */ 428 static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY *rpk) 429 { 430 X509 *x; 431 int i = 0; 432 X509_STORE *verify_store; 433 X509_STORE_CTX *ctx = NULL; 434 X509_VERIFY_PARAM *param; 435 SSL_CTX *sctx; 436 437 /* Something must be passed in */ 438 if ((sk == NULL || sk_X509_num(sk) == 0) && rpk == NULL) 439 return 0; 440 441 /* Only one can be set */ 442 if (sk != NULL && rpk != NULL) 443 return 0; 444 445 sctx = SSL_CONNECTION_GET_CTX(s); 446 if (s->cert->verify_store) 447 verify_store = s->cert->verify_store; 448 else 449 verify_store = sctx->cert_store; 450 451 ctx = X509_STORE_CTX_new_ex(sctx->libctx, sctx->propq); 452 if (ctx == NULL) { 453 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 454 return 0; 455 } 456 457 if (sk != NULL) { 458 x = sk_X509_value(sk, 0); 459 if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) { 460 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 461 goto end; 462 } 463 } else { 464 if (!X509_STORE_CTX_init_rpk(ctx, verify_store, rpk)) { 465 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 466 goto end; 467 } 468 } 469 param = X509_STORE_CTX_get0_param(ctx); 470 /* 471 * XXX: Separate @AUTHSECLEVEL and @TLSSECLEVEL would be useful at some 472 * point, for now a single @SECLEVEL sets the same policy for TLS crypto 473 * and PKI authentication. 474 */ 475 X509_VERIFY_PARAM_set_auth_level(param, 476 SSL_get_security_level(SSL_CONNECTION_GET_SSL(s))); 477 478 /* Set suite B flags if needed */ 479 X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s)); 480 if (!X509_STORE_CTX_set_ex_data(ctx, 481 SSL_get_ex_data_X509_STORE_CTX_idx(), 482 SSL_CONNECTION_GET_USER_SSL(s))) 483 goto end; 484 485 /* Verify via DANE if enabled */ 486 if (DANETLS_ENABLED(&s->dane)) 487 X509_STORE_CTX_set0_dane(ctx, &s->dane); 488 489 /* 490 * We need to inherit the verify parameters. These can be determined by 491 * the context: if its a server it will verify SSL client certificates or 492 * vice versa. 493 */ 494 495 X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server"); 496 /* 497 * Anything non-default in "s->param" should overwrite anything in the ctx. 498 */ 499 X509_VERIFY_PARAM_set1(param, s->param); 500 501 if (s->verify_callback) 502 X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback); 503 504 if (sctx->app_verify_callback != NULL) { 505 i = sctx->app_verify_callback(ctx, sctx->app_verify_arg); 506 } else { 507 i = X509_verify_cert(ctx); 508 /* We treat an error in the same way as a failure to verify */ 509 if (i < 0) 510 i = 0; 511 } 512 513 s->verify_result = X509_STORE_CTX_get_error(ctx); 514 OSSL_STACK_OF_X509_free(s->verified_chain); 515 s->verified_chain = NULL; 516 517 if (sk != NULL && X509_STORE_CTX_get0_chain(ctx) != NULL) { 518 s->verified_chain = X509_STORE_CTX_get1_chain(ctx); 519 if (s->verified_chain == NULL) { 520 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 521 i = 0; 522 } 523 } 524 525 /* Move peername from the store context params to the SSL handle's */ 526 X509_VERIFY_PARAM_move_peername(s->param, param); 527 528 end: 529 X509_STORE_CTX_free(ctx); 530 return i; 531 } 532 533 /* 534 * Verify a raw public key 535 * Return codes: 536 * 1: Verify success 537 * 0: Verify failure or error 538 * -1: Retry required 539 */ 540 int ssl_verify_rpk(SSL_CONNECTION *s, EVP_PKEY *rpk) 541 { 542 return ssl_verify_internal(s, NULL, rpk); 543 } 544 545 /* 546 * Verify a certificate chain 547 * Return codes: 548 * 1: Verify success 549 * 0: Verify failure or error 550 * -1: Retry required 551 */ 552 int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk) 553 { 554 return ssl_verify_internal(s, sk, NULL); 555 } 556 557 static void set0_CA_list(STACK_OF(X509_NAME) **ca_list, 558 STACK_OF(X509_NAME) *name_list) 559 { 560 sk_X509_NAME_pop_free(*ca_list, X509_NAME_free); 561 *ca_list = name_list; 562 } 563 564 STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk) 565 { 566 int i; 567 const int num = sk_X509_NAME_num(sk); 568 STACK_OF(X509_NAME) *ret; 569 X509_NAME *name; 570 571 ret = sk_X509_NAME_new_reserve(NULL, num); 572 if (ret == NULL) { 573 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 574 return NULL; 575 } 576 for (i = 0; i < num; i++) { 577 name = X509_NAME_dup(sk_X509_NAME_value(sk, i)); 578 if (name == NULL) { 579 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 580 sk_X509_NAME_pop_free(ret, X509_NAME_free); 581 return NULL; 582 } 583 sk_X509_NAME_push(ret, name); /* Cannot fail after reserve call */ 584 } 585 return ret; 586 } 587 588 void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) 589 { 590 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 591 592 if (sc == NULL) 593 return; 594 595 set0_CA_list(&sc->ca_names, name_list); 596 } 597 598 void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) 599 { 600 set0_CA_list(&ctx->ca_names, name_list); 601 } 602 603 const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx) 604 { 605 return ctx->ca_names; 606 } 607 608 const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s) 609 { 610 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 611 612 if (sc == NULL) 613 return NULL; 614 615 return sc->ca_names != NULL ? sc->ca_names : s->ctx->ca_names; 616 } 617 618 void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) 619 { 620 set0_CA_list(&ctx->client_ca_names, name_list); 621 } 622 623 STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) 624 { 625 return ctx->client_ca_names; 626 } 627 628 void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) 629 { 630 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 631 632 if (sc == NULL) 633 return; 634 635 set0_CA_list(&sc->client_ca_names, name_list); 636 } 637 638 const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s) 639 { 640 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 641 642 if (sc == NULL) 643 return NULL; 644 645 return sc->s3.tmp.peer_ca_names; 646 } 647 648 STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) 649 { 650 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 651 652 if (sc == NULL) 653 return NULL; 654 655 if (!sc->server) 656 return sc->s3.tmp.peer_ca_names; 657 return sc->client_ca_names != NULL ? sc->client_ca_names 658 : s->ctx->client_ca_names; 659 } 660 661 static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x) 662 { 663 X509_NAME *name; 664 665 if (x == NULL) 666 return 0; 667 if (*sk == NULL && ((*sk = sk_X509_NAME_new_null()) == NULL)) 668 return 0; 669 670 if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL) 671 return 0; 672 673 if (!sk_X509_NAME_push(*sk, name)) { 674 X509_NAME_free(name); 675 return 0; 676 } 677 return 1; 678 } 679 680 int SSL_add1_to_CA_list(SSL *ssl, const X509 *x) 681 { 682 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl); 683 684 if (sc == NULL) 685 return 0; 686 687 return add_ca_name(&sc->ca_names, x); 688 } 689 690 int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x) 691 { 692 return add_ca_name(&ctx->ca_names, x); 693 } 694 695 /* 696 * The following two are older names are to be replaced with 697 * SSL(_CTX)_add1_to_CA_list 698 */ 699 int SSL_add_client_CA(SSL *ssl, X509 *x) 700 { 701 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl); 702 703 if (sc == NULL) 704 return 0; 705 706 return add_ca_name(&sc->client_ca_names, x); 707 } 708 709 int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) 710 { 711 return add_ca_name(&ctx->client_ca_names, x); 712 } 713 714 static int xname_cmp(const X509_NAME *a, const X509_NAME *b) 715 { 716 unsigned char *abuf = NULL, *bbuf = NULL; 717 int alen, blen, ret; 718 719 /* X509_NAME_cmp() itself casts away constness in this way, so 720 * assume it's safe: 721 */ 722 alen = i2d_X509_NAME((X509_NAME *)a, &abuf); 723 blen = i2d_X509_NAME((X509_NAME *)b, &bbuf); 724 725 if (alen < 0 || blen < 0) 726 ret = -2; 727 else if (alen != blen) 728 ret = alen - blen; 729 else /* alen == blen */ 730 ret = memcmp(abuf, bbuf, alen); 731 732 OPENSSL_free(abuf); 733 OPENSSL_free(bbuf); 734 735 return ret; 736 } 737 738 static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b) 739 { 740 return xname_cmp(*a, *b); 741 } 742 743 static unsigned long xname_hash(const X509_NAME *a) 744 { 745 /* This returns 0 also if SHA1 is not available */ 746 return X509_NAME_hash_ex((X509_NAME *)a, NULL, NULL, NULL); 747 } 748 749 STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file, 750 OSSL_LIB_CTX *libctx, 751 const char *propq) 752 { 753 BIO *in = BIO_new(BIO_s_file()); 754 X509 *x = NULL; 755 X509_NAME *xn = NULL; 756 STACK_OF(X509_NAME) *ret = NULL; 757 LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp); 758 OSSL_LIB_CTX *prev_libctx = NULL; 759 760 if (file == NULL) { 761 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); 762 goto err; 763 } 764 if (name_hash == NULL) { 765 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 766 goto err; 767 } 768 if (in == NULL) { 769 ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB); 770 goto err; 771 } 772 773 x = X509_new_ex(libctx, propq); 774 if (x == NULL) { 775 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 776 goto err; 777 } 778 if (BIO_read_filename(in, file) <= 0) 779 goto err; 780 781 /* Internally lh_X509_NAME_retrieve() needs the libctx to retrieve SHA1 */ 782 prev_libctx = OSSL_LIB_CTX_set0_default(libctx); 783 for (;;) { 784 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) 785 break; 786 if (ret == NULL) { 787 ret = sk_X509_NAME_new_null(); 788 if (ret == NULL) { 789 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 790 goto err; 791 } 792 } 793 if ((xn = X509_get_subject_name(x)) == NULL) 794 goto err; 795 /* check for duplicates */ 796 xn = X509_NAME_dup(xn); 797 if (xn == NULL) 798 goto err; 799 if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) { 800 /* Duplicate. */ 801 X509_NAME_free(xn); 802 xn = NULL; 803 } else { 804 lh_X509_NAME_insert(name_hash, xn); 805 if (!sk_X509_NAME_push(ret, xn)) 806 goto err; 807 } 808 } 809 goto done; 810 811 err: 812 X509_NAME_free(xn); 813 sk_X509_NAME_pop_free(ret, X509_NAME_free); 814 ret = NULL; 815 done: 816 /* restore the old libctx */ 817 OSSL_LIB_CTX_set0_default(prev_libctx); 818 BIO_free(in); 819 X509_free(x); 820 lh_X509_NAME_free(name_hash); 821 if (ret != NULL) 822 ERR_clear_error(); 823 return ret; 824 } 825 826 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) 827 { 828 return SSL_load_client_CA_file_ex(file, NULL, NULL); 829 } 830 831 static int add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 832 const char *file, 833 LHASH_OF(X509_NAME) *name_hash) 834 { 835 BIO *in; 836 X509 *x = NULL; 837 X509_NAME *xn = NULL; 838 int ret = 1; 839 840 in = BIO_new(BIO_s_file()); 841 842 if (in == NULL) { 843 ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB); 844 goto err; 845 } 846 847 if (BIO_read_filename(in, file) <= 0) 848 goto err; 849 850 for (;;) { 851 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) 852 break; 853 if ((xn = X509_get_subject_name(x)) == NULL) 854 goto err; 855 xn = X509_NAME_dup(xn); 856 if (xn == NULL) 857 goto err; 858 if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) { 859 /* Duplicate. */ 860 X509_NAME_free(xn); 861 } else if (!sk_X509_NAME_push(stack, xn)) { 862 X509_NAME_free(xn); 863 goto err; 864 } else { 865 /* Successful insert, add to hash table */ 866 lh_X509_NAME_insert(name_hash, xn); 867 } 868 } 869 870 ERR_clear_error(); 871 goto done; 872 873 err: 874 ret = 0; 875 done: 876 BIO_free(in); 877 X509_free(x); 878 return ret; 879 } 880 881 int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 882 const char *file) 883 { 884 X509_NAME *xn = NULL; 885 int ret = 1; 886 int idx = 0; 887 int num = 0; 888 LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp); 889 890 if (file == NULL) { 891 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); 892 goto err; 893 } 894 895 if (name_hash == NULL) { 896 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 897 goto err; 898 } 899 900 /* 901 * Pre-populate the lhash with the existing entries of the stack, since 902 * using the LHASH_OF is much faster for duplicate checking. That's because 903 * xname_cmp converts the X509_NAMEs to DER involving a memory allocation 904 * for every single invocation of the comparison function. 905 */ 906 num = sk_X509_NAME_num(stack); 907 for (idx = 0; idx < num; idx++) { 908 xn = sk_X509_NAME_value(stack, idx); 909 lh_X509_NAME_insert(name_hash, xn); 910 } 911 912 ret = add_file_cert_subjects_to_stack(stack, file, name_hash); 913 goto done; 914 915 err: 916 ret = 0; 917 done: 918 lh_X509_NAME_free(name_hash); 919 return ret; 920 } 921 922 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 923 const char *dir) 924 { 925 OPENSSL_DIR_CTX *d = NULL; 926 const char *filename; 927 int ret = 0; 928 X509_NAME *xn = NULL; 929 int idx = 0; 930 int num = 0; 931 LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp); 932 933 if (name_hash == NULL) { 934 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 935 goto err; 936 } 937 938 /* 939 * Pre-populate the lhash with the existing entries of the stack, since 940 * using the LHASH_OF is much faster for duplicate checking. That's because 941 * xname_cmp converts the X509_NAMEs to DER involving a memory allocation 942 * for every single invocation of the comparison function. 943 */ 944 num = sk_X509_NAME_num(stack); 945 for (idx = 0; idx < num; idx++) { 946 xn = sk_X509_NAME_value(stack, idx); 947 lh_X509_NAME_insert(name_hash, xn); 948 } 949 950 while ((filename = OPENSSL_DIR_read(&d, dir))) { 951 char buf[1024]; 952 int r; 953 #ifndef OPENSSL_NO_POSIX_IO 954 struct stat st; 955 956 #else 957 /* Cannot use stat so just skip current and parent directories */ 958 if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0) 959 continue; 960 #endif 961 if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) { 962 ERR_raise(ERR_LIB_SSL, SSL_R_PATH_TOO_LONG); 963 goto err; 964 } 965 #ifdef OPENSSL_SYS_VMS 966 r = BIO_snprintf(buf, sizeof(buf), "%s%s", dir, filename); 967 #else 968 r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename); 969 #endif 970 #ifndef OPENSSL_NO_POSIX_IO 971 /* Skip subdirectories */ 972 if (!stat(buf, &st) && S_ISDIR(st.st_mode)) 973 continue; 974 #endif 975 if (r <= 0 || r >= (int)sizeof(buf)) 976 goto err; 977 if (!add_file_cert_subjects_to_stack(stack, buf, name_hash)) 978 goto err; 979 } 980 981 if (errno) { 982 ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(), 983 "calling OPENSSL_dir_read(%s)", dir); 984 ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB); 985 goto err; 986 } 987 988 ret = 1; 989 990 err: 991 if (d) 992 OPENSSL_DIR_end(&d); 993 lh_X509_NAME_free(name_hash); 994 995 return ret; 996 } 997 998 static int add_uris_recursive(STACK_OF(X509_NAME) *stack, 999 const char *uri, int depth) 1000 { 1001 int ok = 1; 1002 OSSL_STORE_CTX *ctx = NULL; 1003 X509 *x = NULL; 1004 X509_NAME *xn = NULL; 1005 OSSL_STORE_INFO *info = NULL; 1006 1007 if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL) 1008 goto err; 1009 1010 while (!OSSL_STORE_eof(ctx) && !OSSL_STORE_error(ctx)) { 1011 int infotype; 1012 1013 if ((info = OSSL_STORE_load(ctx)) == NULL) 1014 continue; 1015 infotype = OSSL_STORE_INFO_get_type(info); 1016 1017 if (infotype == OSSL_STORE_INFO_NAME) { 1018 /* 1019 * This is an entry in the "directory" represented by the current 1020 * uri. if |depth| allows, dive into it. 1021 */ 1022 if (depth > 0) 1023 ok = add_uris_recursive(stack, OSSL_STORE_INFO_get0_NAME(info), 1024 depth - 1); 1025 } else if (infotype == OSSL_STORE_INFO_CERT) { 1026 if ((x = OSSL_STORE_INFO_get0_CERT(info)) == NULL 1027 || (xn = X509_get_subject_name(x)) == NULL 1028 || (xn = X509_NAME_dup(xn)) == NULL) 1029 goto err; 1030 if (sk_X509_NAME_find(stack, xn) >= 0) { 1031 /* Duplicate. */ 1032 X509_NAME_free(xn); 1033 } else if (!sk_X509_NAME_push(stack, xn)) { 1034 X509_NAME_free(xn); 1035 goto err; 1036 } 1037 } 1038 1039 OSSL_STORE_INFO_free(info); 1040 info = NULL; 1041 } 1042 1043 ERR_clear_error(); 1044 goto done; 1045 1046 err: 1047 ok = 0; 1048 OSSL_STORE_INFO_free(info); 1049 done: 1050 OSSL_STORE_close(ctx); 1051 1052 return ok; 1053 } 1054 1055 int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 1056 const char *store) 1057 { 1058 int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b) 1059 = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp); 1060 int ret = add_uris_recursive(stack, store, 1); 1061 1062 (void)sk_X509_NAME_set_cmp_func(stack, oldcmp); 1063 return ret; 1064 } 1065 1066 /* Build a certificate chain for current certificate */ 1067 int ssl_build_cert_chain(SSL_CONNECTION *s, SSL_CTX *ctx, int flags) 1068 { 1069 CERT *c = s != NULL ? s->cert : ctx->cert; 1070 CERT_PKEY *cpk = c->key; 1071 X509_STORE *chain_store = NULL; 1072 X509_STORE_CTX *xs_ctx = NULL; 1073 STACK_OF(X509) *chain = NULL, *untrusted = NULL; 1074 X509 *x; 1075 SSL_CTX *real_ctx = (s == NULL) ? ctx : SSL_CONNECTION_GET_CTX(s); 1076 int i, rv = 0; 1077 1078 if (cpk->x509 == NULL) { 1079 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_SET); 1080 goto err; 1081 } 1082 /* Rearranging and check the chain: add everything to a store */ 1083 if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) { 1084 chain_store = X509_STORE_new(); 1085 if (chain_store == NULL) 1086 goto err; 1087 for (i = 0; i < sk_X509_num(cpk->chain); i++) { 1088 x = sk_X509_value(cpk->chain, i); 1089 if (!X509_STORE_add_cert(chain_store, x)) 1090 goto err; 1091 } 1092 /* Add EE cert too: it might be self signed */ 1093 if (!X509_STORE_add_cert(chain_store, cpk->x509)) 1094 goto err; 1095 } else { 1096 if (c->chain_store != NULL) 1097 chain_store = c->chain_store; 1098 else 1099 chain_store = real_ctx->cert_store; 1100 1101 if (flags & SSL_BUILD_CHAIN_FLAG_UNTRUSTED) 1102 untrusted = cpk->chain; 1103 } 1104 1105 xs_ctx = X509_STORE_CTX_new_ex(real_ctx->libctx, real_ctx->propq); 1106 if (xs_ctx == NULL) { 1107 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 1108 goto err; 1109 } 1110 if (!X509_STORE_CTX_init(xs_ctx, chain_store, cpk->x509, untrusted)) { 1111 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB); 1112 goto err; 1113 } 1114 /* Set suite B flags if needed */ 1115 X509_STORE_CTX_set_flags(xs_ctx, 1116 c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS); 1117 1118 i = X509_verify_cert(xs_ctx); 1119 if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR) { 1120 if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR) 1121 ERR_clear_error(); 1122 i = 1; 1123 rv = 2; 1124 } 1125 if (i > 0) 1126 chain = X509_STORE_CTX_get1_chain(xs_ctx); 1127 if (i <= 0) { 1128 i = X509_STORE_CTX_get_error(xs_ctx); 1129 ERR_raise_data(ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED, 1130 "Verify error:%s", X509_verify_cert_error_string(i)); 1131 1132 goto err; 1133 } 1134 /* Remove EE certificate from chain */ 1135 x = sk_X509_shift(chain); 1136 X509_free(x); 1137 if (flags & SSL_BUILD_CHAIN_FLAG_NO_ROOT) { 1138 if (sk_X509_num(chain) > 0) { 1139 /* See if last cert is self signed */ 1140 x = sk_X509_value(chain, sk_X509_num(chain) - 1); 1141 if (X509_get_extension_flags(x) & EXFLAG_SS) { 1142 x = sk_X509_pop(chain); 1143 X509_free(x); 1144 } 1145 } 1146 } 1147 /* 1148 * Check security level of all CA certificates: EE will have been checked 1149 * already. 1150 */ 1151 for (i = 0; i < sk_X509_num(chain); i++) { 1152 x = sk_X509_value(chain, i); 1153 rv = ssl_security_cert(s, ctx, x, 0, 0); 1154 if (rv != 1) { 1155 ERR_raise(ERR_LIB_SSL, rv); 1156 OSSL_STACK_OF_X509_free(chain); 1157 rv = 0; 1158 goto err; 1159 } 1160 } 1161 OSSL_STACK_OF_X509_free(cpk->chain); 1162 cpk->chain = chain; 1163 if (rv == 0) 1164 rv = 1; 1165 err: 1166 if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) 1167 X509_STORE_free(chain_store); 1168 X509_STORE_CTX_free(xs_ctx); 1169 1170 return rv; 1171 } 1172 1173 int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) 1174 { 1175 X509_STORE **pstore; 1176 1177 if (ref && store && !X509_STORE_up_ref(store)) 1178 return 0; 1179 1180 if (chain) 1181 pstore = &c->chain_store; 1182 else 1183 pstore = &c->verify_store; 1184 X509_STORE_free(*pstore); 1185 *pstore = store; 1186 1187 return 1; 1188 } 1189 1190 int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain) 1191 { 1192 *pstore = (chain ? c->chain_store : c->verify_store); 1193 return 1; 1194 } 1195 1196 int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp) 1197 { 1198 int level; 1199 /* 1200 * note that there's a corresponding minbits_table 1201 * in crypto/x509/x509_vfy.c that's used for checking the security level 1202 * of RSA and DSA keys 1203 */ 1204 static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 }; 1205 1206 if (ctx != NULL) 1207 level = SSL_CTX_get_security_level(ctx); 1208 else 1209 level = SSL_get_security_level(s); 1210 1211 if (level > 5) 1212 level = 5; 1213 else if (level < 0) 1214 level = 0; 1215 1216 if (levelp != NULL) 1217 *levelp = level; 1218 1219 return minbits_table[level]; 1220 } 1221 1222 static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, 1223 int op, int bits, int nid, void *other, 1224 void *ex) 1225 { 1226 int level, minbits, pfs_mask; 1227 const SSL_CONNECTION *sc; 1228 1229 minbits = ssl_get_security_level_bits(s, ctx, &level); 1230 1231 if (level == 0) { 1232 /* 1233 * No EDH keys weaker than 1024-bits even at level 0, otherwise, 1234 * anything goes. 1235 */ 1236 if (op == SSL_SECOP_TMP_DH && bits < 80) 1237 return 0; 1238 return 1; 1239 } 1240 switch (op) { 1241 case SSL_SECOP_CIPHER_SUPPORTED: 1242 case SSL_SECOP_CIPHER_SHARED: 1243 case SSL_SECOP_CIPHER_CHECK: 1244 { 1245 const SSL_CIPHER *c = other; 1246 /* No ciphers below security level */ 1247 if (bits < minbits) 1248 return 0; 1249 /* No unauthenticated ciphersuites */ 1250 if (c->algorithm_auth & SSL_aNULL) 1251 return 0; 1252 /* No MD5 mac ciphersuites */ 1253 if (c->algorithm_mac & SSL_MD5) 1254 return 0; 1255 /* SHA1 HMAC is 160 bits of security */ 1256 if (minbits > 160 && c->algorithm_mac & SSL_SHA1) 1257 return 0; 1258 /* Level 3: forward secure ciphersuites only */ 1259 pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK; 1260 if (level >= 3 && c->min_tls != TLS1_3_VERSION && 1261 !(c->algorithm_mkey & pfs_mask)) 1262 return 0; 1263 break; 1264 } 1265 case SSL_SECOP_VERSION: 1266 if ((sc = SSL_CONNECTION_FROM_CONST_SSL(s)) == NULL) 1267 return 0; 1268 if (!SSL_CONNECTION_IS_DTLS(sc)) { 1269 /* SSLv3, TLS v1.0 and TLS v1.1 only allowed at level 0 */ 1270 if (nid <= TLS1_1_VERSION && level > 0) 1271 return 0; 1272 } else { 1273 /* DTLS v1.0 only allowed at level 0 */ 1274 if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level > 0) 1275 return 0; 1276 } 1277 break; 1278 1279 case SSL_SECOP_COMPRESSION: 1280 if (level >= 2) 1281 return 0; 1282 break; 1283 case SSL_SECOP_TICKET: 1284 if (level >= 3) 1285 return 0; 1286 break; 1287 default: 1288 if (bits < minbits) 1289 return 0; 1290 } 1291 return 1; 1292 } 1293 1294 int ssl_security(const SSL_CONNECTION *s, int op, int bits, int nid, void *other) 1295 { 1296 return s->cert->sec_cb(SSL_CONNECTION_GET_USER_SSL(s), NULL, op, bits, nid, 1297 other, s->cert->sec_ex); 1298 } 1299 1300 int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other) 1301 { 1302 return ctx->cert->sec_cb(NULL, ctx, op, bits, nid, other, 1303 ctx->cert->sec_ex); 1304 } 1305 1306 int ssl_cert_lookup_by_nid(int nid, size_t *pidx, SSL_CTX *ctx) 1307 { 1308 size_t i; 1309 1310 for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) { 1311 if (ssl_cert_info[i].nid == nid) { 1312 *pidx = i; 1313 return 1; 1314 } 1315 } 1316 for (i = 0; i < ctx->sigalg_list_len; i++) { 1317 if (ctx->ssl_cert_info[i].nid == nid) { 1318 *pidx = SSL_PKEY_NUM + i; 1319 return 1; 1320 } 1321 } 1322 return 0; 1323 } 1324 1325 const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_CTX *ctx) 1326 { 1327 size_t i; 1328 1329 /* check classic pk types */ 1330 for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) { 1331 const SSL_CERT_LOOKUP *tmp_lu = &ssl_cert_info[i]; 1332 1333 if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid)) 1334 || EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->nid))) { 1335 if (pidx != NULL) 1336 *pidx = i; 1337 return tmp_lu; 1338 } 1339 } 1340 /* check provider-loaded pk types */ 1341 for (i = 0; i < ctx->sigalg_list_len; i++) { 1342 SSL_CERT_LOOKUP *tmp_lu = &(ctx->ssl_cert_info[i]); 1343 1344 if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid)) 1345 || EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->nid))) { 1346 if (pidx != NULL) 1347 *pidx = SSL_PKEY_NUM + i; 1348 return &ctx->ssl_cert_info[i]; 1349 } 1350 } 1351 1352 return NULL; 1353 } 1354 1355 const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx, SSL_CTX *ctx) 1356 { 1357 if (idx >= (OSSL_NELEM(ssl_cert_info) + ctx->sigalg_list_len)) 1358 return NULL; 1359 else if (idx >= (OSSL_NELEM(ssl_cert_info))) 1360 return &(ctx->ssl_cert_info[idx - SSL_PKEY_NUM]); 1361 return &ssl_cert_info[idx]; 1362 } 1363