void crypto_cert_free(CRYPTO_CERT * cert) { #ifdef CRYPTO_OPENSSL X509_free(cert); #else /* built-in crypto */ ssl_cert_free(cert); #endif }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return NULL; } OPENSSL_memset(ret, 0, sizeof(CERT)); ret->chain = sk_CRYPTO_BUFFER_deep_copy(cert->chain, buffer_up_ref, CRYPTO_BUFFER_free); if (cert->privatekey != NULL) { EVP_PKEY_up_ref(cert->privatekey); ret->privatekey = cert->privatekey; } ret->key_method = cert->key_method; ret->x509_method = cert->x509_method; if (cert->sigalgs != NULL) { ret->sigalgs = BUF_memdup(cert->sigalgs, cert->num_sigalgs * sizeof(cert->sigalgs[0])); if (ret->sigalgs == NULL) { goto err; } } ret->num_sigalgs = cert->num_sigalgs; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; ret->x509_method->cert_dup(ret, cert); if (cert->signed_cert_timestamp_list != NULL) { CRYPTO_BUFFER_up_ref(cert->signed_cert_timestamp_list); ret->signed_cert_timestamp_list = cert->signed_cert_timestamp_list; } if (cert->ocsp_response != NULL) { CRYPTO_BUFFER_up_ref(cert->ocsp_response); ret->ocsp_response = cert->ocsp_response; } ret->sid_ctx_length = cert->sid_ctx_length; OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx)); ret->enable_early_data = cert->enable_early_data; return ret; err: ssl_cert_free(ret); return NULL; }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return NULL; } memset(ret, 0, sizeof(CERT)); ret->mask_k = cert->mask_k; ret->mask_a = cert->mask_a; if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB); goto err; } } ret->dh_tmp_cb = cert->dh_tmp_cb; if (cert->x509 != NULL) { ret->x509 = X509_up_ref(cert->x509); } if (cert->privatekey != NULL) { ret->privatekey = EVP_PKEY_up_ref(cert->privatekey); } if (cert->chain) { ret->chain = X509_chain_up_ref(cert->chain); if (!ret->chain) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } ret->key_method = cert->key_method; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store != NULL) { X509_STORE_up_ref(cert->verify_store); ret->verify_store = cert->verify_store; } return ret; err: ssl_cert_free(ret); return NULL; }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = OPENSSL_zalloc(sizeof(*ret)); int i; if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); return NULL; } ret->references = 1; ret->key = &ret->pkeys[cert->key - cert->pkeys]; ret->lock = CRYPTO_THREAD_lock_new(); if (ret->lock == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); OPENSSL_free(ret); return NULL; } #ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { ret->dh_tmp = cert->dh_tmp; EVP_PKEY_up_ref(ret->dh_tmp); } ret->dh_tmp_cb = cert->dh_tmp_cb; ret->dh_tmp_auto = cert->dh_tmp_auto; #endif for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; if (cpk->x509 != NULL) { rpk->x509 = cpk->x509; X509_up_ref(rpk->x509); } if (cpk->privatekey != NULL) { rpk->privatekey = cpk->privatekey; EVP_PKEY_up_ref(cpk->privatekey); } if (cpk->chain) { rpk->chain = X509_chain_up_ref(cpk->chain); if (!rpk->chain) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); goto err; } } if (cert->pkeys[i].serverinfo != NULL) { /* Just copy everything. */ ret->pkeys[i].serverinfo = OPENSSL_malloc(cert->pkeys[i].serverinfo_length); if (ret->pkeys[i].serverinfo == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); goto err; } ret->pkeys[i].serverinfo_length = cert->pkeys[i].serverinfo_length; memcpy(ret->pkeys[i].serverinfo, cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length); } } /* Configured sigalgs copied across */ if (cert->conf_sigalgs) { ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs)); if (ret->conf_sigalgs == NULL) goto err; memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs)); ret->conf_sigalgslen = cert->conf_sigalgslen; } else ret->conf_sigalgs = NULL; if (cert->client_sigalgs) { ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen * sizeof(*cert->client_sigalgs)); if (ret->client_sigalgs == NULL) goto err; memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen * sizeof(*cert->client_sigalgs)); ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; /* Shared sigalgs also NULL */ ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->ctype) { ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); if (ret->ctype == NULL) goto err; ret->ctype_len = cert->ctype_len; } ret->cert_flags = cert->cert_flags; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store) { X509_STORE_up_ref(cert->verify_store); ret->verify_store = cert->verify_store; } if (cert->chain_store) { X509_STORE_up_ref(cert->chain_store); ret->chain_store = cert->chain_store; } ret->sec_cb = cert->sec_cb; ret->sec_level = cert->sec_level; ret->sec_ex = cert->sec_ex; if (!custom_exts_copy(&ret->custext, &cert->custext)) goto err; #ifndef OPENSSL_NO_PSK if (cert->psk_identity_hint) { ret->psk_identity_hint = OPENSSL_strdup(cert->psk_identity_hint); if (ret->psk_identity_hint == NULL) goto err; } #endif return ret; err: ssl_cert_free(ret); return NULL; }
void crypto_cert_free(CryptoCert cert) { ssl_cert_free(cert->data); xfree(cert); }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret; int i; ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE); return NULL; } memset(ret, 0, sizeof(CERT)); ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; /* or ret->key = ret->pkeys + (cert->key - cert->pkeys), if you find that * more readable */ ret->mask_k = cert->mask_k; ret->mask_a = cert->mask_a; if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_DH_LIB); goto err; } if (cert->dh_tmp->priv_key) { BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); if (!b) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_BN_LIB); goto err; } ret->dh_tmp->priv_key = b; } if (cert->dh_tmp->pub_key) { BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); if (!b) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_BN_LIB); goto err; } ret->dh_tmp->pub_key = b; } } ret->dh_tmp_cb = cert->dh_tmp_cb; if (cert->ecdh_tmp) { ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); if (ret->ecdh_tmp == NULL) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_EC_LIB); goto err; } } ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; if (cpk->x509 != NULL) { rpk->x509 = X509_up_ref(cpk->x509); } if (cpk->privatekey != NULL) { rpk->privatekey = EVP_PKEY_dup(cpk->privatekey); } if (cpk->chain) { rpk->chain = X509_chain_up_ref(cpk->chain); if (!rpk->chain) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE); goto err; } } } /* Peer sigalgs set to NULL as we get these from handshake too */ ret->peer_sigalgs = NULL; ret->peer_sigalgslen = 0; /* Configured sigalgs however we copy across */ if (cert->conf_sigalgs) { ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen); if (!ret->conf_sigalgs) { goto err; } memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen); ret->conf_sigalgslen = cert->conf_sigalgslen; } else { ret->conf_sigalgs = NULL; } if (cert->client_sigalgs) { ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen); if (!ret->client_sigalgs) { goto err; } memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen); ret->client_sigalgslen = cert->client_sigalgslen; } else { ret->client_sigalgs = NULL; } /* Shared sigalgs also NULL */ ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->client_certificate_types) { ret->client_certificate_types = BUF_memdup( cert->client_certificate_types, cert->num_client_certificate_types); if (!ret->client_certificate_types) { goto err; } ret->num_client_certificate_types = cert->num_client_certificate_types; } ret->cert_flags = cert->cert_flags; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store) { CRYPTO_add(&cert->verify_store->references, 1, CRYPTO_LOCK_X509_STORE); ret->verify_store = cert->verify_store; } if (cert->chain_store) { CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE); ret->chain_store = cert->chain_store; } ret->ciphers_raw = NULL; return ret; err: ssl_cert_free(ret); return NULL; }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret; int i; ret = OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); return (NULL); } memset(ret, 0, sizeof(CERT)); ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; /* * or ret->key = ret->pkeys + (cert->key - cert->pkeys), if you find that * more readable */ ret->valid = cert->valid; ret->mask_k = cert->mask_k; ret->mask_a = cert->mask_a; ret->export_mask_k = cert->export_mask_k; ret->export_mask_a = cert->export_mask_a; #ifndef OPENSSL_NO_RSA if (cert->rsa_tmp != NULL) { RSA_up_ref(cert->rsa_tmp); ret->rsa_tmp = cert->rsa_tmp; } ret->rsa_tmp_cb = cert->rsa_tmp_cb; #endif #ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); goto err; } if (cert->dh_tmp->priv_key) { BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); if (!b) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); goto err; } ret->dh_tmp->priv_key = b; } if (cert->dh_tmp->pub_key) { BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); if (!b) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); goto err; } ret->dh_tmp->pub_key = b; } } ret->dh_tmp_cb = cert->dh_tmp_cb; ret->dh_tmp_auto = cert->dh_tmp_auto; #endif #ifndef OPENSSL_NO_EC if (cert->ecdh_tmp) { ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); if (ret->ecdh_tmp == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB); goto err; } } ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; #endif for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; if (cpk->x509 != NULL) { rpk->x509 = cpk->x509; CRYPTO_add(&rpk->x509->references, 1, CRYPTO_LOCK_X509); } if (cpk->privatekey != NULL) { rpk->privatekey = cpk->privatekey; CRYPTO_add(&cpk->privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY); } if (cpk->chain) { rpk->chain = X509_chain_up_ref(cpk->chain); if (!rpk->chain) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); goto err; } } rpk->valid_flags = 0; #ifndef OPENSSL_NO_TLSEXT if (cert->pkeys[i].serverinfo != NULL) { /* Just copy everything. */ ret->pkeys[i].serverinfo = OPENSSL_malloc(cert->pkeys[i].serverinfo_length); if (ret->pkeys[i].serverinfo == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); goto err; } ret->pkeys[i].serverinfo_length = cert->pkeys[i].serverinfo_length; memcpy(ret->pkeys[i].serverinfo, cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length); } #endif } ret->references = 1; /* * Set digests to defaults. NB: we don't copy existing values as they * will be set during handshake. */ ssl_cert_set_default_md(ret); /* Peer sigalgs set to NULL as we get these from handshake too */ ret->peer_sigalgs = NULL; ret->peer_sigalgslen = 0; /* Configured sigalgs however we copy across */ if (cert->conf_sigalgs) { ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen); if (!ret->conf_sigalgs) goto err; memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen); ret->conf_sigalgslen = cert->conf_sigalgslen; } else ret->conf_sigalgs = NULL; if (cert->client_sigalgs) { ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen); if (!ret->client_sigalgs) goto err; memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen); ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; /* Shared sigalgs also NULL */ ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->ctypes) { ret->ctypes = OPENSSL_malloc(cert->ctype_num); if (!ret->ctypes) goto err; memcpy(ret->ctypes, cert->ctypes, cert->ctype_num); ret->ctype_num = cert->ctype_num; } ret->cert_flags = cert->cert_flags; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store) { CRYPTO_add(&cert->verify_store->references, 1, CRYPTO_LOCK_X509_STORE); ret->verify_store = cert->verify_store; } if (cert->chain_store) { CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE); ret->chain_store = cert->chain_store; } ret->ciphers_raw = NULL; ret->sec_cb = cert->sec_cb; ret->sec_level = cert->sec_level; ret->sec_ex = cert->sec_ex; #ifndef OPENSSL_NO_TLSEXT if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext)) goto err; if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext)) goto err; #endif return (ret); err: ssl_cert_free(ret); return NULL; }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return NULL; } memset(ret, 0, sizeof(CERT)); ret->mask_k = cert->mask_k; ret->mask_a = cert->mask_a; if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB); goto err; } if (cert->dh_tmp->priv_key) { BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); if (!b) { OPENSSL_PUT_ERROR(SSL, ERR_R_BN_LIB); goto err; } ret->dh_tmp->priv_key = b; } if (cert->dh_tmp->pub_key) { BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); if (!b) { OPENSSL_PUT_ERROR(SSL, ERR_R_BN_LIB); goto err; } ret->dh_tmp->pub_key = b; } } ret->dh_tmp_cb = cert->dh_tmp_cb; ret->ecdh_nid = cert->ecdh_nid; ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; if (cert->x509 != NULL) { ret->x509 = X509_up_ref(cert->x509); } if (cert->privatekey != NULL) { ret->privatekey = EVP_PKEY_up_ref(cert->privatekey); } if (cert->chain) { ret->chain = X509_chain_up_ref(cert->chain); if (!ret->chain) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } /* Copy over signature algorithm configuration. */ if (cert->conf_sigalgs) { ret->conf_sigalgs = BUF_memdup(cert->conf_sigalgs, cert->conf_sigalgslen); if (!ret->conf_sigalgs) { goto err; } ret->conf_sigalgslen = cert->conf_sigalgslen; } if (cert->client_sigalgs) { ret->client_sigalgs = BUF_memdup(cert->client_sigalgs, cert->client_sigalgslen); if (!ret->client_sigalgs) { goto err; } ret->client_sigalgslen = cert->client_sigalgslen; } /* Copy any custom client certificate types */ if (cert->client_certificate_types) { ret->client_certificate_types = BUF_memdup( cert->client_certificate_types, cert->num_client_certificate_types); if (!ret->client_certificate_types) { goto err; } ret->num_client_certificate_types = cert->num_client_certificate_types; } ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store) { CRYPTO_refcount_inc(&cert->verify_store->references); ret->verify_store = cert->verify_store; } if (cert->chain_store) { CRYPTO_refcount_inc(&cert->chain_store->references); ret->chain_store = cert->chain_store; } return ret; err: ssl_cert_free(ret); return NULL; }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret = OPENSSL_zalloc(sizeof(*ret)); int i; if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); return (NULL); } ret->references = 1; ret->key = &ret->pkeys[cert->key - cert->pkeys]; #ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); goto err; } if (cert->dh_tmp->priv_key) { BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); if (!b) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); goto err; } ret->dh_tmp->priv_key = b; } if (cert->dh_tmp->pub_key) { BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); if (!b) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); goto err; } ret->dh_tmp->pub_key = b; } } ret->dh_tmp_cb = cert->dh_tmp_cb; ret->dh_tmp_auto = cert->dh_tmp_auto; #endif for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; if (cpk->x509 != NULL) { rpk->x509 = cpk->x509; X509_up_ref(rpk->x509); } if (cpk->privatekey != NULL) { rpk->privatekey = cpk->privatekey; CRYPTO_add(&cpk->privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY); } if (cpk->chain) { rpk->chain = X509_chain_up_ref(cpk->chain); if (!rpk->chain) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); goto err; } } if (cert->pkeys[i].serverinfo != NULL) { /* Just copy everything. */ ret->pkeys[i].serverinfo = OPENSSL_malloc(cert->pkeys[i].serverinfo_length); if (ret->pkeys[i].serverinfo == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); goto err; } ret->pkeys[i].serverinfo_length = cert->pkeys[i].serverinfo_length; memcpy(ret->pkeys[i].serverinfo, cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length); } } /* Configured sigalgs copied across */ if (cert->conf_sigalgs) { ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen); if (ret->conf_sigalgs == NULL) goto err; memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen); ret->conf_sigalgslen = cert->conf_sigalgslen; } else ret->conf_sigalgs = NULL; if (cert->client_sigalgs) { ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen); if (ret->client_sigalgs == NULL) goto err; memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen); ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; /* Shared sigalgs also NULL */ ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->ctypes) { ret->ctypes = OPENSSL_malloc(cert->ctype_num); if (ret->ctypes == NULL) goto err; memcpy(ret->ctypes, cert->ctypes, cert->ctype_num); ret->ctype_num = cert->ctype_num; } ret->cert_flags = cert->cert_flags; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store) { CRYPTO_add(&cert->verify_store->references, 1, CRYPTO_LOCK_X509_STORE); ret->verify_store = cert->verify_store; } if (cert->chain_store) { CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE); ret->chain_store = cert->chain_store; } ret->sec_cb = cert->sec_cb; ret->sec_level = cert->sec_level; ret->sec_ex = cert->sec_ex; if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext)) goto err; if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext)) goto err; #ifndef OPENSSL_NO_PSK if (cert->psk_identity_hint) { ret->psk_identity_hint = OPENSSL_strdup(cert->psk_identity_hint); if (ret->psk_identity_hint == NULL) goto err; } #endif return (ret); err: ssl_cert_free(ret); return NULL; }
static inline void parse_mcs_data_sc_security(Stream & cr_stream, CryptContext & encrypt, CryptContext & decrypt, uint32_t & server_public_key_len, uint8_t (& client_crypt_random)[512], int & encryptionLevel, Random * gen) { LOG(LOG_INFO, "SC_SECURITY"); uint32_t encryptionMethod = cr_stream.in_uint32_le(); /* 1 = 40-bit, 2 = 128-bit */ LOG(LOG_INFO, "encryptionMethod = %u", encryptionMethod); encryptionLevel = cr_stream.in_uint32_le(); /* 1 = low, 2 = medium, 3 = high */ LOG(LOG_INFO, "encryptionLevel = %u", encryptionLevel); if (encryptionLevel == 0 && encryptionMethod == 0) { /* no encryption */ LOG(LOG_INFO, "No encryption"); return; } uint8_t modulus[SEC_MAX_MODULUS_SIZE]; uint8_t exponent[SEC_EXPONENT_SIZE]; memset(modulus, 0, sizeof(modulus)); memset(exponent, 0, sizeof(exponent)); ssllib ssl; // serverRandomLen (4 bytes): A 32-bit, unsigned integer. The size in bytes of // the serverRandom field. If the encryptionMethod and encryptionLevel fields // are both set to 0 then the contents of this field MUST be ignored and the // serverRandom field MUST NOT be present. Otherwise, this field MUST be set to // 32 bytes. uint32_t serverRandomLen = cr_stream.in_uint32_le(); LOG(LOG_INFO, "serverRandomLen = %u", serverRandomLen); if (serverRandomLen != SEC_RANDOM_SIZE) { LOG(LOG_ERR, "parse_crypt_info_error: serverRandomLen %d, expected %d", serverRandomLen, SEC_RANDOM_SIZE); throw Error(ERR_SEC_PARSE_CRYPT_INFO_BAD_RANDOM_LEN); } // serverCertLen (4 bytes): A 32-bit, unsigned integer. The size in bytes of the // serverCertificate field. If the encryptionMethod and encryptionLevel fields // are both set to 0 then the contents of this field MUST be ignored and the // serverCertificate field MUST NOT be present. uint32_t serverCertLen = cr_stream.in_uint32_le(); LOG(LOG_INFO, "serverCertLen = %u", serverCertLen); // serverRandom (variable): The variable-length server random value used to // derive session keys (see sections 5.3.4 and 5.3.5). The length in bytes is // given by the serverRandomLen field. If the encryptionMethod and // encryptionLevel fields are both set to 0 then this field MUST NOT be present. uint8_t serverRandom[SEC_RANDOM_SIZE] = {}; cr_stream.in_copy_bytes(serverRandom, serverRandomLen); // serverCertificate (variable): The variable-length certificate containing the // server's public key information. The length in bytes is given by the // serverCertLen field. If the encryptionMethod and encryptionLevel fields are // both set to 0 then this field MUST NOT be present. /* RSA info */ uint8_t * end = cr_stream.p + serverCertLen; if (end > cr_stream.end) { LOG(LOG_ERR, "serverCertLen outside of buffer (%u bytes, remains: %u)", serverCertLen, cr_stream.end - cr_stream.p); throw Error(ERR_SEC_PARSE_CRYPT_INFO_BAD_RSA_LEN); } uint32_t dwVersion = cr_stream.in_uint32_le(); /* 1 = RDP4-style, 0x80000002 = X.509 */ LOG(LOG_INFO, "dwVersion = %x", dwVersion); if (dwVersion & SCSecurityGccUserData::CERT_CHAIN_VERSION_1) { LOG(LOG_DEBUG, "We're going for the RDP4-style encryption"); // dwSigAlgId (4 bytes): A 32-bit, unsigned integer. The signature algorithm // identifier. This field MUST be set to SIGNATURE_ALG_RSA (0x00000001). uint32_t dwSigAlgId = cr_stream.in_uint32_le(); LOG(LOG_DEBUG, "dwSigAlgId = %u", dwSigAlgId); // dwKeyAlgId (4 bytes): A 32-bit, unsigned integer. The key algorithm // identifier. This field MUST be set to KEY_EXCHANGE_ALG_RSA (0x00000001). uint32_t dwKeyAlgId = cr_stream.in_uint32_le(); LOG(LOG_DEBUG, "dwKeyAlgId = %u", dwKeyAlgId); LOG(LOG_DEBUG, "ReceivingPublic key, RDP4-style"); // wPublicKeyBlobType (2 bytes): A 16-bit, unsigned integer. The type of data // in the PublicKeyBlob field. This field MUST be set to BB_RSA_KEY_BLOB // (0x0006). TODO("put assertion to check type and throw and error if not as expected"); uint16_t wPublicKeyBlobType = cr_stream.in_uint16_le(); LOG(LOG_DEBUG, "wPublicKeyBlobType = %u", wPublicKeyBlobType); // wPublicKeyBlobLen (2 bytes): A 16-bit, unsigned integer. The size in bytes // of the PublicKeyBlob field. uint16_t wPublicKeyBlobLen = cr_stream.in_uint16_le(); LOG(LOG_DEBUG, "wPublicKeyBlobLen = %u", wPublicKeyBlobLen); uint8_t * next_tag = cr_stream.p + wPublicKeyBlobLen; // PublicKeyBlob (variable): Variable-length server public key bytes, formatted // using the Rivest-Shamir-Adleman (RSA) Public Key structure (section // 2.2.1.4.3.1.1.1). The length in bytes is given by the wPublicKeyBlobLen // field. uint32_t magic = cr_stream.in_uint32_le(); if (magic != SEC_RSA_MAGIC) { LOG(LOG_WARNING, "RSA magic 0x%x", magic); throw Error(ERR_SEC_PARSE_PUB_KEY_MAGIC_NOT_OK); } server_public_key_len = cr_stream.in_uint32_le() - SEC_PADDING_SIZE; if ((server_public_key_len < SEC_MODULUS_SIZE) || (server_public_key_len > SEC_MAX_MODULUS_SIZE)) { LOG(LOG_WARNING, "Bad server public key size (%u bits)", server_public_key_len * 8); throw Error(ERR_SEC_PARSE_PUB_KEY_MODUL_NOT_OK); } cr_stream.in_skip_bytes(8); /* modulus_bits, unknown */ cr_stream.in_copy_bytes(exponent, SEC_EXPONENT_SIZE); cr_stream.in_copy_bytes(modulus, server_public_key_len); cr_stream.in_skip_bytes(SEC_PADDING_SIZE); LOG(LOG_DEBUG, "Got Public key, RDP4-style"); // This should not be necessary as previous field if fully decoded cr_stream.p = next_tag; LOG(LOG_DEBUG, "Receiving key sig RDP4-style"); // wSignatureBlobType (2 bytes): A 16-bit, unsigned integer. The type of data // in the SignatureKeyBlob field. This field is set to BB_RSA_SIGNATURE_BLOB // (0x0008). TODO("put assertion to check type and throw and error if not as expected"); uint16_t wSignatureBlobType = cr_stream.in_uint16_le(); LOG(LOG_DEBUG, "wSignatureBlobType = %u", wSignatureBlobType); // wSignatureBlobLen (2 bytes): A 16-bit, unsigned integer. The size in bytes // of the SignatureKeyBlob field. uint16_t wSignatureBlobLen = cr_stream.in_uint16_le(); // SignatureBlob (variable): Variable-length signature of the certificate // created with the Terminal Services Signing Key (see sections 5.3.3.1.1 and // 5.3.3.1.2). The length in bytes is given by the wSignatureBlobLen field. cr_stream.in_skip_bytes(wSignatureBlobLen); LOG(LOG_DEBUG, "Got key sig RDP4-style"); } else { LOG(LOG_DEBUG, "We're going for the RDP5-style encryption"); uint32_t certcount = cr_stream.in_uint32_le(); LOG(LOG_DEBUG, "Certcount = %u", certcount); if (certcount < 2){ LOG(LOG_DEBUG, "Server didn't send enough X509 certificates"); throw Error(ERR_SEC_PARSE_CRYPT_INFO_CERT_NOK); } for (; certcount > 2; certcount--){ /* ignore all the certificates between the root and the signing CA */ LOG(LOG_WARNING, " Ignored certs left: %d", certcount); uint32_t ignorelen = cr_stream.in_uint32_le(); LOG(LOG_WARNING, "Ignored Certificate length is %d", ignorelen); SSL_CERT *ignorecert = ssl_cert_read(cr_stream.p, ignorelen); cr_stream.in_skip_bytes(ignorelen); if (ignorecert == NULL){ LOG(LOG_WARNING, "got a bad cert: this will probably screw up" " the rest of the communication"); } LOG(LOG_WARNING, "cert #%d (ignored)", certcount); } /* Do da funky X.509 stuffy "How did I find out about this? I looked up and saw a bright light and when I came to I had a scar on my forehead and knew about X.500" - Peter Gutman in a early version of http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt */ /* Loading CA_Certificate from server*/ uint32_t cacert_len = cr_stream.in_uint32_le(); LOG(LOG_DEBUG, "CA Certificate length is %d", cacert_len); SSL_CERT *cacert = ssl_cert_read(cr_stream.p, cacert_len); cr_stream.in_skip_bytes(cacert_len); if (NULL == cacert){ LOG(LOG_DEBUG, "Couldn't load CA Certificate from server"); throw Error(ERR_SEC_PARSE_CRYPT_INFO_CACERT_NULL); } /* Loading Certificate from server*/ uint32_t cert_len = cr_stream.in_uint32_le(); LOG(LOG_DEBUG, "Certificate length is %d", cert_len); SSL_CERT *server_cert = ssl_cert_read(cr_stream.p, cert_len); cr_stream.in_skip_bytes(cert_len); if (NULL == server_cert){ ssl_cert_free(cacert); LOG(LOG_DEBUG, "Couldn't load Certificate from server"); throw Error(ERR_SEC_PARSE_CRYPT_INFO_CACERT_NOT_LOADED); } /* Matching certificates */ if (!ssl_certs_ok(server_cert, cacert)){ ssl_cert_free(server_cert); ssl_cert_free(cacert); LOG(LOG_DEBUG, "Security error CA Certificate invalid"); throw Error(ERR_SEC_PARSE_CRYPT_INFO_CACERT_NOT_MATCH); } ssl_cert_free(cacert); cr_stream.in_skip_bytes(16); /* Padding */ SSL_RKEY *server_public_key = ssl_cert_to_rkey(server_cert, server_public_key_len); LOG(LOG_DEBUG, "Server public key length=%u", (unsigned)server_public_key_len); if (NULL == server_public_key){ LOG(LOG_DEBUG, "Didn't parse X509 correctly"); ssl_cert_free(server_cert); throw Error(ERR_SEC_PARSE_CRYPT_INFO_X509_NOT_PARSED); } ssl_cert_free(server_cert); LOG(LOG_INFO, "server_public_key_len=%d, MODULUS_SIZE=%d MAX_MODULUS_SIZE=%d", server_public_key_len, SEC_MODULUS_SIZE, SEC_MAX_MODULUS_SIZE); if ((server_public_key_len < SEC_MODULUS_SIZE) || (server_public_key_len > SEC_MAX_MODULUS_SIZE)){ LOG(LOG_DEBUG, "Bad server public key size (%u bits)", server_public_key_len * 8); ssl.rkey_free(server_public_key); throw Error(ERR_SEC_PARSE_CRYPT_INFO_MOD_SIZE_NOT_OK); } if (ssl_rkey_get_exp_mod(server_public_key, exponent, SEC_EXPONENT_SIZE, modulus, SEC_MAX_MODULUS_SIZE) != 0){ LOG(LOG_DEBUG, "Problem extracting RSA exponent, modulus"); ssl.rkey_free(server_public_key); throw Error(ERR_SEC_PARSE_CRYPT_INFO_RSA_EXP_NOT_OK); } ssl.rkey_free(server_public_key); TODO(" find a way to correctly dispose of garbage at end of buffer") /* There's some garbage here we don't care about */ } uint8_t client_random[SEC_RANDOM_SIZE]; memset(client_random, 0, sizeof(SEC_RANDOM_SIZE)); /* Generate a client random, and determine encryption keys */ gen->random(client_random, SEC_RANDOM_SIZE); ssl.rsa_encrypt(client_crypt_random, client_random, SEC_RANDOM_SIZE, server_public_key_len, modulus, exponent); rdp_sec_generate_keys(encrypt, decrypt, encrypt.sign_key, client_random, serverRandom, encryptionMethod); }
CERT *ssl_cert_dup(CERT *cert) { CERT *ret; int i; ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE); return(NULL); } memset(ret, 0, sizeof(CERT)); ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; /* or ret->key = ret->pkeys + (cert->key - cert->pkeys), * if you find that more readable */ ret->mask_k = cert->mask_k; ret->mask_a = cert->mask_a; if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_DH_LIB); goto err; } if (cert->dh_tmp->priv_key) { BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); if (!b) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_BN_LIB); goto err; } ret->dh_tmp->priv_key = b; } if (cert->dh_tmp->pub_key) { BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); if (!b) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_BN_LIB); goto err; } ret->dh_tmp->pub_key = b; } } ret->dh_tmp_cb = cert->dh_tmp_cb; if (cert->ecdh_tmp) { ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); if (ret->ecdh_tmp == NULL) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_EC_LIB); goto err; } } ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; if (cpk->x509 != NULL) { rpk->x509 = X509_up_ref(cpk->x509); } if (cpk->privatekey != NULL) { rpk->privatekey = cpk->privatekey; CRYPTO_add(&cpk->privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY); switch(i) { /* If there was anything special to do for * certain types of keys, we'd do it here. * (Nothing at the moment, I think.) */ case SSL_PKEY_RSA_ENC: case SSL_PKEY_RSA_SIGN: /* We have an RSA key. */ break; case SSL_PKEY_ECC: /* We have an ECC key */ break; default: /* Can't happen. */ OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, SSL_R_LIBRARY_BUG); } } if (cpk->chain) { rpk->chain = X509_chain_up_ref(cpk->chain); if (!rpk->chain) { OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE); goto err; } } } /* Peer sigalgs set to NULL as we get these from handshake too */ ret->peer_sigalgs = NULL; ret->peer_sigalgslen = 0; /* Configured sigalgs however we copy across */ if (cert->conf_sigalgs) { ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen); if (!ret->conf_sigalgs) goto err; memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen); ret->conf_sigalgslen = cert->conf_sigalgslen; } else ret->conf_sigalgs = NULL; if (cert->client_sigalgs) { ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen); if (!ret->client_sigalgs) goto err; memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen); ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; /* Shared sigalgs also NULL */ ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->client_certificate_types) { ret->client_certificate_types = BUF_memdup( cert->client_certificate_types, cert->num_client_certificate_types); if (!ret->client_certificate_types) goto err; ret->num_client_certificate_types = cert->num_client_certificate_types; } ret->cert_flags = cert->cert_flags; ret->cert_cb = cert->cert_cb; ret->cert_cb_arg = cert->cert_cb_arg; if (cert->verify_store) { CRYPTO_add(&cert->verify_store->references, 1, CRYPTO_LOCK_X509_STORE); ret->verify_store = cert->verify_store; } if (cert->chain_store) { CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE); ret->chain_store = cert->chain_store; } ret->ciphers_raw = NULL; return(ret); err: ssl_cert_free(ret); return NULL; }