authorjsing <jsing@openbsd.org>2014-04-14 13:10:35 +0000
committerjsing <jsing@openbsd.org>2014-04-14 13:10:35 +0000
commit35fb06776ce30f160c3ccd100d55f2fa3b81cb24 (patch)
tree618eded092453257d783393140615515887e0ab3 /lib/libssl/ssl_cert.c
parentAdapt relayd to use AgentX protocol to send traps (diff)
First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using tr and md5.
Diffstat (limited to 'lib/libssl/ssl_cert.c')
-rw-r--r--lib/libssl/ssl_cert.c649
1 files changed, 320 insertions, 329 deletions
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 1aaddc351f8..79eb4ee0313 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -132,36 +132,36 @@
#include <openssl/bn.h>
#include "ssl_locl.h"
-int SSL_get_ex_data_X509_STORE_CTX_idx(void)
- {
- static volatile int ssl_x509_store_ctx_idx= -1;
+int
+SSL_get_ex_data_X509_STORE_CTX_idx(void)
+{
+ static volatile int ssl_x509_store_ctx_idx = -1;
int got_write_lock = 0;
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
- if (ssl_x509_store_ctx_idx < 0)
- {
+ if (ssl_x509_store_ctx_idx < 0) {
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
got_write_lock = 1;
-
- if (ssl_x509_store_ctx_idx < 0)
- {
- ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
- 0,"SSL for verify callback",NULL,NULL,NULL);
- }
+
+ if (ssl_x509_store_ctx_idx < 0) {
+ ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(
+ 0, "SSL for verify callback", NULL, NULL, NULL);
}
+ }
if (got_write_lock)
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
else
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-
+
return ssl_x509_store_ctx_idx;
- }
+}
-static void ssl_cert_set_default_md(CERT *cert)
- {
+static void
+ssl_cert_set_default_md(CERT *cert)
+{
/* Set digest values to defaults */
#ifndef OPENSSL_NO_DSA
cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
@@ -173,37 +173,37 @@ static void ssl_cert_set_default_md(CERT *cert)
#ifndef OPENSSL_NO_ECDSA
cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
- }
+}
-CERT *ssl_cert_new(void)
- {
+CERT
+*ssl_cert_new(void)
+{
CERT *ret;
- ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
- if (ret == NULL)
- {
- SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
- return(NULL);
- }
- memset(ret,0,sizeof(CERT));
+ ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
+ if (ret == NULL) {
+ SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
+ return (NULL);
+ }
+ memset(ret, 0, sizeof(CERT));
- ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
- ret->references=1;
+ ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
+ ret->references = 1;
ssl_cert_set_default_md(ret);
- return(ret);
- }
+ return (ret);
+}
-CERT *ssl_cert_dup(CERT *cert)
- {
+CERT
+*ssl_cert_dup(CERT *cert)
+{
CERT *ret;
int i;
ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
- if (ret == NULL)
- {
+ if (ret == NULL) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
- return(NULL);
- }
+ return (NULL);
+ }
memset(ret, 0, sizeof(CERT));
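Review bot: The reformatted return types of ssl_cert_new and ssl_cert_dup split the declarator as `CERT` / `*ssl_cert_new(void)`, which reads as a function returning a `CERT` by value and detaches the `*` from the type it qualifies; KNF puts the pointer with the type on its own line, `CERT *` / `ssl_cert_new(void)`. The same split is introduced for ssl_sess_cert_new, SSL_dup_CA_list, SSL_CTX_get_client_CA_list, SSL_get_client_CA_list and SSL_load_client_CA_file in the later hunks, so one sweep would fix all of them. While here, ssl_cert_new keeps the cast-and-memset form `ret = (CERT *)OPENSSL_malloc(sizeof(CERT));` whereas ssl_sess_cert_new in this same file uses `sizeof *ret`; aligning on the latter would make the two allocators consistent. ssl_cert_dup's body continues past the end of this hunk.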
@@ -218,77 +218,64 @@ CERT *ssl_cert_dup(CERT *cert)
ret->export_mask_a = cert->export_mask_a;
#ifndef OPENSSL_NO_RSA
- if (cert->rsa_tmp != NULL)
- {
+ if (cert->rsa_tmp != NULL) {
RSA_up_ref(cert->rsa_tmp);
ret->rsa_tmp = cert->rsa_tmp;
- }
+ }
ret->rsa_tmp_cb = cert->rsa_tmp_cb;
#endif
#ifndef OPENSSL_NO_DH
- if (cert->dh_tmp != NULL)
- {
+ if (cert->dh_tmp != NULL) {
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
- if (ret->dh_tmp == NULL)
- {
+ if (ret->dh_tmp == NULL) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
goto err;
- }
- if (cert->dh_tmp->priv_key)
- {
+ }
+ if (cert->dh_tmp->priv_key) {
BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
- if (!b)
- {
+ if (!b) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
goto err;
- }
- ret->dh_tmp->priv_key = b;
}
- if (cert->dh_tmp->pub_key)
- {
+ ret->dh_tmp->priv_key = b;
+ }
+ if (cert->dh_tmp->pub_key) {
BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
- if (!b)
- {
+ if (!b) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
goto err;
- }
- ret->dh_tmp->pub_key = b;
}
+ ret->dh_tmp->pub_key = b;
}
+ }
ret->dh_tmp_cb = cert->dh_tmp_cb;
#endif
#ifndef OPENSSL_NO_ECDH
- if (cert->ecdh_tmp)
- {
+ if (cert->ecdh_tmp) {
ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
- if (ret->ecdh_tmp == NULL)
- {
+ if (ret->ecdh_tmp == NULL) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
goto err;
- }
}
+ }
ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
#endif
- for (i = 0; i < SSL_PKEY_NUM; i++)
- {
- if (cert->pkeys[i].x509 != NULL)
- {
+ for (i = 0; i < SSL_PKEY_NUM; i++) {
+ if (cert->pkeys[i].x509 != NULL) {
ret->pkeys[i].x509 = cert->pkeys[i].x509;
CRYPTO_add(&ret->pkeys[i].x509->references, 1,
- CRYPTO_LOCK_X509);
- }
-
- if (cert->pkeys[i].privatekey != NULL)
- {
+ CRYPTO_LOCK_X509);
+ }
+
+ if (cert->pkeys[i].privatekey != NULL) {
ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
- CRYPTO_LOCK_EVP_PKEY);
+ CRYPTO_LOCK_EVP_PKEY);
- switch(i)
- {
+ switch (i) {
/* If there was anything special to do for
* certain types of keys, we'd do it here.
* (Nothing at the moment, I think.) */
@@ -297,11 +284,11 @@ CERT *ssl_cert_dup(CERT *cert)
case SSL_PKEY_RSA_SIGN:
/* We have an RSA key. */
break;
-
+
case SSL_PKEY_DSA_SIGN:
/* We have a DSA key. */
break;
-
+
case SSL_PKEY_DH_RSA:
case SSL_PKEY_DH_DSA:
/* We have a DH key. */
@@ -314,21 +301,21 @@ CERT *ssl_cert_dup(CERT *cert)
default:
/* Can't happen. */
SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
- }
}
}
-
+ }
+
/* ret->extra_certs *should* exist, but currently the own certificate
* chain is held inside SSL_CTX */
- ret->references=1;
+ ret->references = 1;
/* Set digests to defaults. NB: we don't copy existing values as they
* will be set during handshake.
*/
ssl_cert_set_default_md(ret);
- return(ret);
-
+ return (ret);
+
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
err:
#endif
@@ -345,50 +332,52 @@ err:
EC_KEY_free(ret->ecdh_tmp);
#endif
- for (i = 0; i < SSL_PKEY_NUM; i++)
- {
+ for (i = 0; i < SSL_PKEY_NUM; i++) {
if (ret->pkeys[i].x509 != NULL)
X509_free(ret->pkeys[i].x509);
if (ret->pkeys[i].privatekey != NULL)
EVP_PKEY_free(ret->pkeys[i].privatekey);
- }
+ }
return NULL;
- }
+}
-void ssl_cert_free(CERT *c)
- {
+void
+ssl_cert_free(CERT *c)
+{
int i;
- if(c == NULL)
- return;
+ if (c == NULL)
+ return;
- i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
+ i = CRYPTO_add(&c->references, -1, CRYPTO_LOCK_SSL_CERT);
#ifdef REF_PRINT
- REF_PRINT("CERT",c);
+ REF_PRINT("CERT", c);
#endif
- if (i > 0) return;
+ if (i > 0)
+ return;
#ifdef REF_CHECK
- if (i < 0)
- {
- fprintf(stderr,"ssl_cert_free, bad reference count\n");
+ if (i < 0) {
+ fprintf(stderr, "ssl_cert_free, bad reference count\n");
abort(); /* ok */
- }
+ }
#endif
#ifndef OPENSSL_NO_RSA
- if (c->rsa_tmp) RSA_free(c->rsa_tmp);
+ if (c->rsa_tmp)
+ RSA_free(c->rsa_tmp);
#endif
#ifndef OPENSSL_NO_DH
- if (c->dh_tmp) DH_free(c->dh_tmp);
+ if (c->dh_tmp)
+ DH_free(c->dh_tmp);
#endif
#ifndef OPENSSL_NO_ECDH
- if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
+ if (c->ecdh_tmp)
+ EC_KEY_free(c->ecdh_tmp);
#endif
- for (i=0; i<SSL_PKEY_NUM; i++)
- {
+ for (i = 0; i < SSL_PKEY_NUM; i++) {
if (c->pkeys[i].x509 != NULL)
X509_free(c->pkeys[i].x509);
if (c->pkeys[i].privatekey != NULL)
@@ -397,12 +386,13 @@ void ssl_cert_free(CERT *c)
if (c->pkeys[i].publickey != NULL)
EVP_PKEY_free(c->pkeys[i].publickey);
#endif
- }
- OPENSSL_free(c);
}
+ OPENSSL_free(c);
+}
-int ssl_cert_inst(CERT **o)
- {
+int
+ssl_cert_inst(CERT **o)
+{
/* Create a CERT if there isn't already one
* (which cannot really happen, as it is initially created in
* SSL_CTX_new; but the earlier code usually allows for that one
@@ -412,44 +402,42 @@ int ssl_cert_inst(CERT **o)
* s->cert being NULL, otherwise we could do without the
* initialization in SSL_CTX_new).
*/
-
- if (o == NULL)
- {
+
+ if (o == NULL) {
SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
- return(0);
- }
- if (*o == NULL)
- {
- if ((*o = ssl_cert_new()) == NULL)
- {
+ return (0);
+ }
+ if (*o == NULL) {
+ if ((*o = ssl_cert_new()) == NULL) {
SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
- return(0);
- }
+ return (0);
}
- return(1);
}
+ return (1);
+}
-SESS_CERT *ssl_sess_cert_new(void)
- {
+SESS_CERT
+*ssl_sess_cert_new(void)
+{
SESS_CERT *ret;
ret = OPENSSL_malloc(sizeof *ret);
- if (ret == NULL)
- {
+ if (ret == NULL) {
SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
- }
+ }
- memset(ret, 0 ,sizeof *ret);
+ memset(ret, 0 , sizeof *ret);
ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
ret->references = 1;
return ret;
- }
+}
-void ssl_sess_cert_free(SESS_CERT *sc)
- {
+void
+ssl_sess_cert_free(SESS_CERT *sc)
+{
int i;
if (sc == NULL)
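Review bot: The reformat of ssl_sess_cert_new leaves a stray space before the comma in `memset(ret, 0 , sizeof *ret);`, which is the only argument list in the hunk that does not follow the `a, b` spacing applied everywhere else. Since the commit is meant to be verifiable as whitespace-only, this is still in scope for it: `memset(ret, 0, sizeof *ret);`. ssl_sess_cert_free's body continues beyond the hunk.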
@@ -462,27 +450,25 @@ void ssl_sess_cert_free(SESS_CERT *sc)
if (i > 0)
return;
#ifdef REF_CHECK
- if (i < 0)
- {
- fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
+ if (i < 0) {
+ fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
abort(); /* ok */
- }
+ }
#endif
/* i == 0 */
if (sc->cert_chain != NULL)
sk_X509_pop_free(sc->cert_chain, X509_free);
- for (i = 0; i < SSL_PKEY_NUM; i++)
- {
+ for (i = 0; i < SSL_PKEY_NUM; i++) {
if (sc->peer_pkeys[i].x509 != NULL)
X509_free(sc->peer_pkeys[i].x509);
#if 0 /* We don't have the peer's private key. These lines are just
- * here as a reminder that we're still using a not-quite-appropriate
- * data structure. */
+ * here as a reminder that we're still using a not-quite-appropriate
+ * data structure. */
if (sc->peer_pkeys[i].privatekey != NULL)
EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
#endif
- }
+ }
#ifndef OPENSSL_NO_RSA
if (sc->peer_rsa_tmp != NULL)
@@ -498,34 +484,35 @@ void ssl_sess_cert_free(SESS_CERT *sc)
#endif
OPENSSL_free(sc);
- }
+}
-int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
- {
+int
+ssl_set_peer_cert_type(SESS_CERT *sc, int type)
+{
sc->peer_cert_type = type;
- return(1);
- }
+ return (1);
+}
-int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
- {
+int
+ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
+{
X509 *x;
int i;
X509_STORE_CTX ctx;
if ((sk == NULL) || (sk_X509_num(sk) == 0))
- return(0);
+ return (0);
- x=sk_X509_value(sk,0);
- if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
- {
- SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
- return(0);
- }
+ x = sk_X509_value(sk, 0);
+ if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
+ return (0);
+ }
#if 0
if (SSL_get_verify_depth(s) >= 0)
X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
#endif
- X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+ X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
/* We need to inherit the verify parameters. These can be determined by
* the context: if its a server it will verify SSL client certificates
@@ -533,7 +520,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
*/
X509_STORE_CTX_set_default(&ctx,
- s->server ? "ssl_client" : "ssl_server");
+ s->server ? "ssl_client" : "ssl_server");
/* Anything non-default in "param" should overwrite anything in the
* ctx.
*/
@@ -544,121 +531,127 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
if (s->ctx->app_verify_callback != NULL)
#if 1 /* new with OpenSSL 0.9.7 */
- i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
+ i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
+
#else
- i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
+ i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
#endif
- else
- {
+ else {
#ifndef OPENSSL_NO_X509_VERIFY
- i=X509_verify_cert(&ctx);
+ i = X509_verify_cert(&ctx);
#else
- i=0;
- ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
- SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
+ i = 0;
+ ctx.error = X509_V_ERR_APPLICATION_VERIFICATION;
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, SSL_R_NO_VERIFY_CALLBACK);
#endif
- }
+ }
- s->verify_result=ctx.error;
+ s->verify_result = ctx.error;
X509_STORE_CTX_cleanup(&ctx);
- return(i);
- }
+ return (i);
+}
-static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
- {
+static void
+set_client_CA_list(STACK_OF(X509_NAME) **ca_list, STACK_OF(X509_NAME) *name_list)
+{
if (*ca_list != NULL)
- sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
+ sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
- *ca_list=name_list;
- }
+ *ca_list = name_list;
+}
-STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
- {
+STACK_OF(X509_NAME)
+*SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
+{
int i;
STACK_OF(X509_NAME) *ret;
X509_NAME *name;
- ret=sk_X509_NAME_new_null();
- for (i=0; i<sk_X509_NAME_num(sk); i++)
- {
- name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
- if ((name == NULL) || !sk_X509_NAME_push(ret,name))
- {
- sk_X509_NAME_pop_free(ret,X509_NAME_free);
- return(NULL);
- }
+ ret = sk_X509_NAME_new_null();
+ for (i = 0; i < sk_X509_NAME_num(sk); i++) {
+ name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
+ if ((name == NULL) || !sk_X509_NAME_push(ret, name)) {
+ sk_X509_NAME_pop_free(ret, X509_NAME_free);
+ return (NULL);
}
- return(ret);
}
-
-void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
- {
- set_client_CA_list(&(s->client_CA),name_list);
- }
-
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
- {
- set_client_CA_list(&(ctx->client_CA),name_list);
- }
-
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
- {
- return(ctx->client_CA);
- }
-
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
- {
+ return (ret);
+}
+
+void
+SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+{
+ set_client_CA_list(&(s->client_CA), name_list);
+}
+
+void
+SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
+{
+ set_client_CA_list(&(ctx->client_CA), name_list);
+}
+
+STACK_OF(X509_NAME)
+*SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
+{
+ return (ctx->client_CA);
+}
+
+STACK_OF(X509_NAME)
+*SSL_get_client_CA_list(const SSL *s)
+{
if (s->type == SSL_ST_CONNECT)
- { /* we are in the client */
- if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
+ { /* we are in the client */
+ if (((s->version >> 8) == SSL3_VERSION_MAJOR) &&
(s->s3 != NULL))
- return(s->s3->tmp.ca_names);
+ return (s->s3->tmp.ca_names);
else
- return(NULL);
- }
- else
- {
+ return (NULL);
+ } else {
if (s->client_CA != NULL)
- return(s->client_CA);
+ return (s->client_CA);
else
- return(s->ctx->client_CA);
- }
+ return (s->ctx->client_CA);
}
+}
-static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
- {
+static int
+add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x)
+{
X509_NAME *name;
- if (x == NULL) return(0);
- if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
- return(0);
-
- if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
- return(0);
-
- if (!sk_X509_NAME_push(*sk,name))
- {
- X509_NAME_free(name);
- return(0);
- }
- return(1);
- }
+ if (x == NULL)
+ return (0);
+ if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL))
+ return (0);
-int SSL_add_client_CA(SSL *ssl,X509 *x)
- {
- return(add_client_CA(&(ssl->client_CA),x));
- }
+ if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
+ return (0);
-int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
- {
- return(add_client_CA(&(ctx->client_CA),x));
- }
-
-static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
- {
- return(X509_NAME_cmp(*a,*b));
+ if (!sk_X509_NAME_push(*sk, name)) {
+ X509_NAME_free(name);
+ return (0);
}
+ return (1);
+}
+
+int
+SSL_add_client_CA(SSL *ssl, X509 *x)
+{
+ return (add_client_CA(&(ssl->client_CA), x));
+}
+
+int
+SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
+{
+ return (add_client_CA(&(ctx->client_CA), x));
+}
+
+static int
+xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
+{
+ return (X509_NAME_cmp(*a, *b));
+}
#ifndef OPENSSL_NO_STDIO
/*!
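Review bot: In SSL_dup_CA_list the failure branch `if ((name == NULL) || !sk_X509_NAME_push(ret, name))` frees the partial stack but not `name` itself, so when the push fails the freshly duplicated X509_NAME leaks; `ret = sk_X509_NAME_new_null();` is also never checked, and a NULL `ret` makes every push fail and take exactly that path. Adding `X509_NAME_free(name);` before the `sk_X509_NAME_pop_free(ret, X509_NAME_free);` call closes the leak in both cases, since the OpenSSL free routines accept NULL. On style, two spots in this hunk escaped the KNF pass: the brace-on-its-own-line `{ /* we are in the client */` in SSL_get_client_CA_list, and the untouched `i=s->ctx->app_verify_callback(&ctx);` inside the dead `#else` arm of ssl_verify_cert_chain, which the rest of the commit would have written as `i = ...`.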
@@ -669,65 +662,65 @@ static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
* \param file the file containing one or more certs.
* \return a ::STACK containing the certs.
*/
-STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
- {
+STACK_OF(X509_NAME)
+*SSL_load_client_CA_file(const char *file)
+{
BIO *in;
- X509 *x=NULL;
- X509_NAME *xn=NULL;
- STACK_OF(X509_NAME) *ret = NULL,*sk;
+ X509 *x = NULL;
+ X509_NAME *xn = NULL;
+ STACK_OF(X509_NAME) *ret = NULL, *sk;
- sk=sk_X509_NAME_new(xname_cmp);
+ sk = sk_X509_NAME_new(xname_cmp);
- in=BIO_new(BIO_s_file_internal());
+ in = BIO_new(BIO_s_file_internal());
- if ((sk == NULL) || (in == NULL))
- {
- SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+ if ((sk == NULL) || (in == NULL)) {
+ SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
goto err;
- }
-
- if (!BIO_read_filename(in,file))
+ }
+
+ if (!BIO_read_filename(in, file))
goto err;
- for (;;)
- {
- if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+ for (;;) {
+ if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
break;
- if (ret == NULL)
- {
+ if (ret == NULL) {
ret = sk_X509_NAME_new_null();
- if (ret == NULL)
- {
- SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+ if (ret == NULL) {
+ SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
goto err;
- }
}
- if ((xn=X509_get_subject_name(x)) == NULL) goto err;
- /* check for duplicates */
- xn=X509_NAME_dup(xn);
- if (xn == NULL) goto err;
- if (sk_X509_NAME_find(sk,xn) >= 0)
+ }
+ if ((xn = X509_get_subject_name(x)) == NULL) goto err;
+ /* check for duplicates */
+ xn = X509_NAME_dup(xn);
+ if (xn == NULL)
+ goto err;
+ if (sk_X509_NAME_find(sk, xn) >= 0)
X509_NAME_free(xn);
- else
- {
- sk_X509_NAME_push(sk,xn);
- sk_X509_NAME_push(ret,xn);
- }
+ else {
+ sk_X509_NAME_push(sk, xn);
+ sk_X509_NAME_push(ret, xn);
}
+ }
- if (0)
- {
+ if (0) {
err:
- if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
- ret=NULL;
- }
- if (sk != NULL) sk_X509_NAME_free(sk);
- if (in != NULL) BIO_free(in);
- if (x != NULL) X509_free(x);
+ if (ret != NULL)
+ sk_X509_NAME_pop_free(ret, X509_NAME_free);
+ ret = NULL;
+ }
+ if (sk != NULL)
+ sk_X509_NAME_free(sk);
+ if (in != NULL)
+ BIO_free(in);
+ if (x != NULL)
+ X509_free(x);
if (ret != NULL)
ERR_clear_error();
- return(ret);
- }
+ return (ret);
+}
#endif
/*!
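Review bot: In SSL_load_client_CA_file the line `if ((xn = X509_get_subject_name(x)) == NULL) goto err;` keeps the statement on the same line as the condition while every other single-statement body in the hunk was moved to its own line; the identical line survives in SSL_add_file_cert_subjects_to_stack in the next hunk. Separately, the two pushes `sk_X509_NAME_push(sk, xn);` and `sk_X509_NAME_push(ret, xn);` are unchecked: `sk` is freed non-owning at the end, so if the push onto `ret` fails `xn` is never freed, and the caller gets a list missing that name with no error. Pushing onto `ret` first and freeing `xn` before `goto err` when that push fails, then pushing onto `sk` and jumping to `err` on failure, would make the loop fail loudly instead; the same unchecked push onto `stack` exists in SSL_add_file_cert_subjects_to_stack.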
@@ -739,57 +732,56 @@ err:
* certs may have been added to \c stack.
*/
-int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
- const char *file)
- {
+int
+SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *file)
+{
BIO *in;
- X509 *x=NULL;
- X509_NAME *xn=NULL;
- int ret=1;
+ X509 *x = NULL;
+ X509_NAME *xn = NULL;
+ int ret = 1;
int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
-
- oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
-
- in=BIO_new(BIO_s_file_internal());
-
- if (in == NULL)
- {
- SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
+
+ oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp);
+
+ in = BIO_new(BIO_s_file_internal());
+
+ if (in == NULL) {
+ SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK, ERR_R_MALLOC_FAILURE);
goto err;
- }
-
- if (!BIO_read_filename(in,file))
+ }
+
+ if (!BIO_read_filename(in, file))
goto err;
-
- for (;;)
- {
- if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+
+ for (;;) {
+ if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
break;
- if ((xn=X509_get_subject_name(x)) == NULL) goto err;
- xn=X509_NAME_dup(xn);
- if (xn == NULL) goto err;
- if (sk_X509_NAME_find(stack,xn) >= 0)
+ if ((xn = X509_get_subject_name(x)) == NULL) goto err;
+ xn = X509_NAME_dup(xn);
+ if (xn == NULL)
+ goto err;
+ if (sk_X509_NAME_find(stack, xn) >= 0)
X509_NAME_free(xn);
else
- sk_X509_NAME_push(stack,xn);
- }
+ sk_X509_NAME_push(stack, xn);
+ }
ERR_clear_error();
- if (0)
- {
+ if (0) {
err:
- ret=0;
- }
- if(in != NULL)
+ ret = 0;
+ }
+ if (in != NULL)
BIO_free(in);
- if(x != NULL)
+ if (x != NULL)
X509_free(x);
-
- (void)sk_X509_NAME_set_cmp_func(stack,oldcmp);
+
+ (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
return ret;
- }
+}
/*!
* Add a directory of certs to a stack.
@@ -802,9 +794,10 @@ err:
* certs may have been added to \c stack.
*/
-int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
- const char *dir)
- {
+int
+SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *dir)
+{
OPENSSL_DIR_CTX *d = NULL;
const char *filename;
int ret = 0;
@@ -813,36 +806,34 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
/* Note that a side effect is that the CAs will be sorted by name */
- while((filename = OPENSSL_DIR_read(&d, dir)))
- {
+ while ((filename = OPENSSL_DIR_read(&d, dir))) {
char buf[1024];
int r;
- if(strlen(dir)+strlen(filename)+2 > sizeof buf)
- {
- SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+ if (strlen(dir) + strlen(filename) + 2 > sizeof buf) {
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, SSL_R_PATH_TOO_LONG);
goto err;
- }
- r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
+ }
+ r = BIO_snprintf(buf, sizeof buf, "%s/%s", dir, filename);
if (r <= 0 || r >= (int)sizeof(buf))
goto err;
- if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
+ if (!SSL_add_file_cert_subjects_to_stack(stack, buf))
goto err;
- }
+ }
- if (errno)
- {
+ if (errno) {
SYSerr(SYS_F_OPENDIR, errno);
ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
goto err;
- }
+ }
ret = 1;
err:
- if (d) OPENSSL_DIR_end(&d);
+ if (d)
+ OPENSSL_DIR_end(&d);
CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
return ret;
- }
+}
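Review bot: The `if (errno)` test after the directory loop in SSL_add_dir_cert_subjects_to_stack relies on errno being zero beforehand, but nothing in the hunk clears it and OPENSSL_DIR_read returns NULL at end-of-directory without touching it; unless the lines above the hunk do so, any stale errno left by an earlier, already-handled failure makes a fully successful scan report SYS_F_OPENDIR and return 0. Setting `errno = 0;` immediately before the `while ((filename = OPENSSL_DIR_read(&d, dir))) {` line pins the check to this loop. Calls inside the loop body may also leave errno set on their own success paths, so the real fix is to clear it right before the loop rather than once at function entry. The function's declarations and the CRYPTO_w_lock call lie above the start of this hunk.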