int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx)
{
/* See if any certificates are missing private keys */
size_t i;
CERT *c = NULL;
if (cctx->ctx)
c = cctx->ctx->cert;
else if (cctx->ssl)
c = cctx->ssl->cert;
if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
for (i = 0; i < SSL_PKEY_NUM; i++) {
const char *p = cctx->cert_filename[i];
/*
* If missing private key try to load one from certificate file
*/
if (p && !c->pkeys[i].privatekey) {
if (!cmd_PrivateKey(cctx, p))
return 0;
}
}
}
if (cctx->canames) {
if (cctx->ssl)
SSL_set_client_CA_list(cctx->ssl, cctx->canames);
else if (cctx->ctx)
SSL_CTX_set_client_CA_list(cctx->ctx, cctx->canames);
else
sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
cctx->canames = NULL;
}
return 1;
}
void ssl3_free(SSL *s) {
if (s == NULL || s->s3 == NULL) {
return;
}
ssl3_cleanup_key_block(s);
ssl_read_buffer_clear(s);
ssl_write_buffer_clear(s);
DH_free(s->s3->tmp.dh);
EC_KEY_free(s->s3->tmp.ecdh);
sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
OPENSSL_free(s->s3->tmp.certificate_types);
OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
DH_free(s->s3->tmp.peer_dh_tmp);
EC_KEY_free(s->s3->tmp.peer_ecdh_tmp);
ssl3_free_handshake_buffer(s);
ssl3_free_handshake_hash(s);
OPENSSL_free(s->s3->alpn_selected);
OPENSSL_cleanse(s->s3, sizeof *s->s3);
OPENSSL_free(s->s3);
s->s3 = NULL;
}
void ssl3_free(SSL *ssl) {
if (ssl == NULL || ssl->s3 == NULL) {
return;
}
ssl3_cleanup_key_block(ssl);
ssl_read_buffer_clear(ssl);
ssl_write_buffer_clear(ssl);
SSL_ECDH_CTX_cleanup(&ssl->s3->tmp.ecdh_ctx);
OPENSSL_free(ssl->s3->tmp.peer_key);
sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);
OPENSSL_free(ssl->s3->tmp.certificate_types);
OPENSSL_free(ssl->s3->tmp.peer_ellipticcurvelist);
OPENSSL_free(ssl->s3->tmp.peer_psk_identity_hint);
ssl3_free_handshake_buffer(ssl);
ssl3_free_handshake_hash(ssl);
OPENSSL_free(ssl->s3->next_proto_negotiated);
OPENSSL_free(ssl->s3->alpn_selected);
SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
OPENSSL_cleanse(ssl->s3, sizeof *ssl->s3);
OPENSSL_free(ssl->s3);
ssl->s3 = NULL;
}
void ssl3_free(SSL *ssl) {
if (ssl == NULL || ssl->s3 == NULL) {
return;
}
ssl3_cleanup_key_block(ssl);
ssl_read_buffer_clear(ssl);
ssl_write_buffer_clear(ssl);
SSL_ECDH_CTX_cleanup(&ssl->s3->tmp.ecdh_ctx);
OPENSSL_free(ssl->s3->tmp.peer_key);
OPENSSL_free(ssl->s3->tmp.server_params);
sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);
OPENSSL_free(ssl->s3->tmp.certificate_types);
OPENSSL_free(ssl->s3->tmp.peer_supported_group_list);
OPENSSL_free(ssl->s3->tmp.peer_psk_identity_hint);
SSL_SESSION_free(ssl->s3->new_session);
SSL_SESSION_free(ssl->s3->established_session);
ssl3_free_handshake_buffer(ssl);
ssl3_free_handshake_hash(ssl);
ssl_handshake_free(ssl->s3->hs);
OPENSSL_free(ssl->s3->next_proto_negotiated);
OPENSSL_free(ssl->s3->alpn_selected);
SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
OPENSSL_free(ssl->s3->pending_message);
OPENSSL_cleanse(ssl->s3, sizeof *ssl->s3);
OPENSSL_free(ssl->s3);
ssl->s3 = NULL;
}
static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl,
SSL_HANDSHAKE *hs) {
ssl->s3->tmp.cert_request = 0;
/* CertificateRequest may only be sent in certificate-based ciphers. */
if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
hs->state = state_process_server_finished;
return ssl_hs_ok;
}
/* CertificateRequest is optional. */
if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
hs->state = state_process_server_certificate;
return ssl_hs_ok;
}
CBS cbs, context, supported_signature_algorithms;
CBS_init(&cbs, ssl->init_msg, ssl->init_num);
if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
/* The request context is always empty during the handshake. */
CBS_len(&context) != 0 ||
!CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
CBS_len(&supported_signature_algorithms) == 0 ||
!tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return ssl_hs_error;
}
uint8_t alert;
STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);
if (ca_sk == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
/* Ignore extensions. */
CBS extensions;
if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
CBS_len(&cbs) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return ssl_hs_error;
}
ssl->s3->tmp.cert_request = 1;
sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);
ssl->s3->tmp.ca_names = ca_sk;
if (!ssl->method->hash_current_message(ssl)) {
return ssl_hs_error;
}
hs->state = state_process_server_certificate;
return ssl_hs_read_message;
}
void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
{
if (cctx) {
size_t i;
for (i = 0; i < SSL_PKEY_NUM; i++)
OPENSSL_free(cctx->cert_filename[i]);
OPENSSL_free(cctx->prefix);
sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
OPENSSL_free(cctx);
}
}
static STACK_OF(X509_NAME) *
use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
{
BIO *in = NULL;
X509 *x = NULL;
X509_NAME *xn = NULL;
STACK_OF(X509_NAME) *ret = NULL, *sk;
sk=sk_X509_NAME_new(xname_cmp);
in = BIO_new_mem_buf ((char *)ca_string, -1);
if (!in)
goto err;
if ((sk == NULL) || (in == NULL))
goto err;
for (;;)
{
if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
break;
if (ret == NULL)
{
ret = sk_X509_NAME_new_null();
if (ret == NULL)
goto err;
}
if ((xn=X509_get_subject_name(x)) == NULL) goto err;
/* check for duplicates */
xn=X509_NAME_dup(xn);
if (xn == NULL) goto err;
if (sk_X509_NAME_find(sk,xn) >= 0)
X509_NAME_free(xn);
else
{
sk_X509_NAME_push(sk,xn);
sk_X509_NAME_push(ret,xn);
}
}
if (0)
{
err:
if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
ret=NULL;
}
if (sk != NULL) sk_X509_NAME_free(sk);
if (in != NULL) BIO_free(in);
if (x != NULL) X509_free(x);
if (ret != NULL)
ERR_clear_error();
return(ret);
}
/* Load CA certs from a file into a STACK. Note that it is somewhat misnamed;
* it doesn't really have anything to do with clients (except that a common use
* for a stack of CAs is to send it to the client). Actually, it doesn't have
* much to do with CAs, either, since it will load any old cert.
*
* \param file the file containing one or more certs.
* \return a ::STACK containing the certs. */
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
BIO *in;
X509 *x = NULL;
X509_NAME *xn = NULL;
STACK_OF(X509_NAME) *ret = NULL, *sk;
sk = sk_X509_NAME_new(xname_cmp);
in = BIO_new(BIO_s_file());
if (sk == NULL || in == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!BIO_read_filename(in, file)) {
goto err;
}
for (;;) {
if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) {
break;
}
if (ret == NULL) {
ret = sk_X509_NAME_new_null();
if (ret == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
}
xn = X509_get_subject_name(x);
if (xn == NULL) {
goto err;
}
/* check for duplicates */
xn = X509_NAME_dup(xn);
if (xn == NULL) {
goto err;
}
if (sk_X509_NAME_find(sk, NULL, xn)) {
X509_NAME_free(xn);
} else {
sk_X509_NAME_push(sk, xn);
sk_X509_NAME_push(ret, xn);
}
}
if (0) {
err:
sk_X509_NAME_pop_free(ret, X509_NAME_free);
ret = NULL;
}
sk_X509_NAME_free(sk);
BIO_free(in);
X509_free(x);
if (ret != NULL) {
ERR_clear_error();
}
return ret;
}
static void server_free(server *srv) {
size_t i;
for (i = 0; i < FILE_CACHE_MAX; i++) {
buffer_free(srv->mtime_cache[i].str);
}
#define CLEAN(x) \
buffer_free(srv->x);
CLEAN(response_header);
CLEAN(parse_full_path);
CLEAN(ts_debug_str);
CLEAN(ts_date_str);
CLEAN(errorlog_buf);
CLEAN(response_range);
CLEAN(tmp_buf);
CLEAN(empty_string);
CLEAN(cond_check_buf);
CLEAN(srvconf.errorlog_file);
CLEAN(srvconf.breakagelog_file);
CLEAN(srvconf.groupname);
CLEAN(srvconf.username);
CLEAN(srvconf.changeroot);
CLEAN(srvconf.bindhost);
CLEAN(srvconf.event_handler);
CLEAN(srvconf.pid_file);
CLEAN(srvconf.modules_dir);
CLEAN(srvconf.network_backend);
//- Sungmin add 20111018
CLEAN(srvconf.arpping_interface);
CLEAN(srvconf.syslog_file);
CLEAN(srvconf.product_image);
CLEAN(srvconf.aicloud_version);
CLEAN(srvconf.app_installation_url);
CLEAN(syslog_buf);
CLEAN(cur_login_info);
CLEAN(last_login_info);
CLEAN(tmp_chunk_len);
#undef CLEAN
#if 0
fdevent_unregister(srv->ev, srv->fd);
#endif
fdevent_free(srv->ev);
free(srv->conns);
if (srv->config_storage) {
for (i = 0; i < srv->config_context->used; i++) {
specific_config *s = srv->config_storage[i];
if (!s) continue;
buffer_free(s->document_root);
buffer_free(s->server_name);
buffer_free(s->server_tag);
buffer_free(s->ssl_pemfile);
buffer_free(s->ssl_ca_file);
buffer_free(s->ssl_cipher_list);
buffer_free(s->ssl_dh_file);
buffer_free(s->ssl_ec_curve);
buffer_free(s->error_handler);
buffer_free(s->errorfile_prefix);
array_free(s->mimetypes);
buffer_free(s->ssl_verifyclient_username);
#ifdef USE_OPENSSL
SSL_CTX_free(s->ssl_ctx);
EVP_PKEY_free(s->ssl_pemfile_pkey);
X509_free(s->ssl_pemfile_x509);
if (NULL != s->ssl_ca_file_cert_names) sk_X509_NAME_pop_free(s->ssl_ca_file_cert_names, X509_NAME_free);
#endif
free(s);
}
free(srv->config_storage);
srv->config_storage = NULL;
}
#define CLEAN(x) \
array_free(srv->x);
CLEAN(config_context);
CLEAN(config_touched);
CLEAN(status);
CLEAN(srvconf.upload_tempdirs);
#undef CLEAN
joblist_free(srv, srv->joblist);
fdwaitqueue_free(srv, srv->fdwaitqueue);
if (srv->stat_cache) {
stat_cache_free(srv->stat_cache);
}
array_free(srv->srvconf.modules);
array_free(srv->split_vals);
#ifdef USE_OPENSSL
if (srv->ssl_is_init) {
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_state(0);
EVP_cleanup();
}
#endif
free(srv);
}