summaryrefslogtreecommitdiff
path: root/ssl/ssl_cert.c
diff options
context:
space:
mode:
Diffstat (limited to 'ssl/ssl_cert.c')
-rw-r--r--ssl/ssl_cert.c35
1 files changed, 22 insertions, 13 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index e81542a89e..e6262bfaeb 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -257,18 +257,12 @@ int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
{
int i, r;
CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key;
- SSL_CTX *realctx = s != NULL ? s->ctx : ctx;
if (!cpk)
return 0;
for (i = 0; i < sk_X509_num(chain); i++) {
X509 *x = sk_X509_value(chain, i);
- if (!X509v3_cache_extensions(x, realctx->libctx, realctx->propq)) {
- SSLerr(0, ERR_LIB_X509);
- return 0;
- }
-
r = ssl_security_cert(s, ctx, x, 0, 0);
if (r != 1) {
SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);
@@ -614,29 +608,39 @@ static unsigned long xname_hash(const X509_NAME *a)
return X509_NAME_hash((X509_NAME *)a);
}
-STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
+STACK_OF(X509_NAME) *SSL_load_client_CA_file_with_libctx(const char *file,
+ OPENSSL_CTX *libctx,
+ const char *propq)
{
BIO *in = BIO_new(BIO_s_file());
X509 *x = NULL;
X509_NAME *xn = NULL;
STACK_OF(X509_NAME) *ret = NULL;
LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
+ OPENSSL_CTX *prev_libctx = NULL;
if ((name_hash == NULL) || (in == NULL)) {
- SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
+ SSLerr(0, ERR_R_MALLOC_FAILURE);
goto err;
}
+ x = X509_new_with_libctx(libctx, propq);
+ if (x == NULL) {
+ SSLerr(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
if (!BIO_read_filename(in, file))
goto err;
+ /* Internally lh_X509_NAME_retrieve() needs the libctx to retrieve SHA1 */
+ prev_libctx = OPENSSL_CTX_set0_default(libctx);
for (;;) {
if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
break;
if (ret == NULL) {
ret = sk_X509_NAME_new_null();
if (ret == NULL) {
- SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
+ SSLerr(0, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -663,6 +667,8 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
sk_X509_NAME_pop_free(ret, X509_NAME_free);
ret = NULL;
done:
+ /* restore the old libctx */
+ OPENSSL_CTX_set0_default(prev_libctx);
BIO_free(in);
X509_free(x);
lh_X509_NAME_free(name_hash);
@@ -671,6 +677,11 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
return ret;
}
+STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
+{
+ return SSL_load_client_CA_file_with_libctx(file, NULL, NULL);
+}
+
int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *file)
{
@@ -841,6 +852,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
X509_STORE_CTX *xs_ctx = NULL;
STACK_OF(X509) *chain = NULL, *untrusted = NULL;
X509 *x;
+ SSL_CTX *real_ctx = (s == NULL) ? ctx : s->ctx;
int i, rv = 0;
if (!cpk->x509) {
@@ -872,10 +884,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
untrusted = cpk->chain;
}
- if (s == NULL)
- xs_ctx = X509_STORE_CTX_new_with_libctx(ctx->libctx, ctx->propq);
- else
- xs_ctx = X509_STORE_CTX_new_with_libctx(s->ctx->libctx, s->ctx->propq);
+ xs_ctx = X509_STORE_CTX_new_with_libctx(real_ctx->libctx, ctx->propq);
if (xs_ctx == NULL) {
SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
goto err;
View Lorry Controller Status