diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index 994beb9b1..1614c8c66 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -61,6 +61,8 @@ #include #include +#include "internal.h" + #ifndef OPENSSL_NO_STDIO static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h index 2782f2386..ac687550a 100644 --- a/crypto/x509/internal.h +++ b/crypto/x509/internal.h @@ -81,6 +81,22 @@ struct X509_pubkey_st { EVP_PKEY *pkey; } /* X509_PUBKEY */; +struct X509_name_entry_st { + ASN1_OBJECT *object; + ASN1_STRING *value; + int set; +} /* X509_NAME_ENTRY */; + +// we always keep X509_NAMEs in 2 forms. +struct X509_name_st { + STACK_OF(X509_NAME_ENTRY) *entries; + int modified; // true if 'bytes' needs to be built + BUF_MEM *bytes; + // unsigned long hash; Keep the hash around for lookups + unsigned char *canon_enc; + int canon_enclen; +} /* X509_NAME */; + struct x509_attributes_st { ASN1_OBJECT *object; STACK_OF(ASN1_TYPE) *set; @@ -100,6 +116,47 @@ struct X509_extension_st { ASN1_OCTET_STRING *value; } /* X509_EXTENSION */; +typedef struct { + ASN1_INTEGER *version; // [ 0 ] default of v1 + ASN1_INTEGER *serialNumber; + X509_ALGOR *signature; + X509_NAME *issuer; + X509_VAL *validity; + X509_NAME *subject; + X509_PUBKEY *key; + ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2 + ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2 + STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3 + ASN1_ENCODING enc; +} X509_CINF; + +DECLARE_ASN1_FUNCTIONS(X509_CINF) + +struct x509_st { + X509_CINF *cert_info; + X509_ALGOR *sig_alg; + ASN1_BIT_STRING *signature; + CRYPTO_refcount_t references; + CRYPTO_EX_DATA ex_data; + // These contain copies of various extension values + long ex_pathlen; + long ex_pcpathlen; + unsigned long ex_flags; + unsigned long ex_kusage; + unsigned long ex_xkusage; + unsigned long ex_nscert; + ASN1_OCTET_STRING *skid; + AUTHORITY_KEYID *akid; + X509_POLICY_CACHE *policy_cache; + STACK_OF(DIST_POINT) *crldp; + STACK_OF(GENERAL_NAME) *altname; + NAME_CONSTRAINTS *nc; + unsigned char sha1_hash[SHA_DIGEST_LENGTH]; + X509_CERT_AUX *aux; + CRYPTO_BUFFER *buf; + CRYPTO_MUTEX lock; +} /* X509 */; + typedef struct { ASN1_ENCODING enc; ASN1_INTEGER *version; @@ -153,7 +210,6 @@ struct X509_crl_st { void *meth_data; } /* X509_CRL */; - struct X509_VERIFY_PARAM_st { char *name; time_t check_time; // Time to use @@ -174,6 +230,131 @@ struct X509_VERIFY_PARAM_st { unsigned char poison; // Fail all verifications at name checking } /* X509_VERIFY_PARAM */; +struct x509_object_st { + // one of the above types + int type; + union { + char *ptr; + X509 *x509; + X509_CRL *crl; + EVP_PKEY *pkey; + } data; +} /* X509_OBJECT */; + +// This is a static that defines the function interface +struct x509_lookup_method_st { + const char *name; + int (*new_item)(X509_LOOKUP *ctx); + void (*free)(X509_LOOKUP *ctx); + int (*init)(X509_LOOKUP *ctx); + int (*shutdown)(X509_LOOKUP *ctx); + int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, + char **ret); + int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret); + int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, + ASN1_INTEGER *serial, X509_OBJECT *ret); + int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, unsigned char *bytes, + int len, X509_OBJECT *ret); + int (*get_by_alias)(X509_LOOKUP *ctx, int type, char *str, int len, + X509_OBJECT *ret); +} /* X509_LOOKUP_METHOD */; + +// This is used to hold everything. It is used for all certificate +// validation. Once we have a certificate chain, the 'verify' +// function is then called to actually check the cert chain. +struct x509_store_st { + // The following is a cache of trusted certs + int cache; // if true, stash any hits + STACK_OF(X509_OBJECT) *objs; // Cache of all objects + CRYPTO_MUTEX objs_lock; + STACK_OF(X509) *additional_untrusted; + + // These are external lookup methods + STACK_OF(X509_LOOKUP) *get_cert_methods; + + X509_VERIFY_PARAM *param; + + // Callbacks for various operations + X509_STORE_CTX_verify_fn verify; // called to verify a certificate + X509_STORE_CTX_verify_cb verify_cb; // error callback + X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx + X509_STORE_CTX_check_issued_fn check_issued; // check issued + X509_STORE_CTX_check_revocation_fn + check_revocation; // Check revocation status of chain + X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL + X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity + X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL + X509_STORE_CTX_lookup_certs_fn lookup_certs; + X509_STORE_CTX_lookup_crls_fn lookup_crls; + X509_STORE_CTX_cleanup_fn cleanup; + + CRYPTO_refcount_t references; +} /* X509_STORE */; + + +// This is the functions plus an instance of the local variables. +struct x509_lookup_st { + int init; // have we been started + int skip; // don't use us. + X509_LOOKUP_METHOD *method; // the functions + char *method_data; // method data + + X509_STORE *store_ctx; // who owns us +} /* X509_LOOKUP */; + +// This is a used when verifying cert chains. Since the +// gathering of the cert chain can take some time (and have to be +// 'retried', this needs to be kept and passed around. +struct x509_store_ctx_st { + X509_STORE *ctx; + + // The following are set by the caller + X509 *cert; // The cert to check + STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in + STACK_OF(X509_CRL) *crls; // set of CRLs passed in + + X509_VERIFY_PARAM *param; + void *other_ctx; // Other info for use with get_issuer() + + // Callbacks for various operations + X509_STORE_CTX_verify_fn verify; // called to verify a certificate + X509_STORE_CTX_verify_cb verify_cb; // error callback + X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx + X509_STORE_CTX_check_issued_fn check_issued; // check issued + X509_STORE_CTX_check_revocation_fn + check_revocation; // Check revocation status of chain + X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL + X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity + X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL + X509_STORE_CTX_check_policy_fn check_policy; + X509_STORE_CTX_lookup_certs_fn lookup_certs; + X509_STORE_CTX_lookup_crls_fn lookup_crls; + X509_STORE_CTX_cleanup_fn cleanup; + + // The following is built up + int valid; // if 0, rebuild chain + int last_untrusted; // index of last untrusted cert + STACK_OF(X509) *chain; // chain of X509s - built up and trusted + X509_POLICY_TREE *tree; // Valid policy tree + + int explicit_policy; // Require explicit policy value + + // When something goes wrong, this is why + int error_depth; + int error; + X509 *current_cert; + X509 *current_issuer; // cert currently being tested as valid issuer + X509_CRL *current_crl; // current CRL + + int current_crl_score; // score of current CRL + unsigned int current_reasons; // Reason mask + + X509_STORE_CTX *parent; // For CRL path validation: parent context + + CRYPTO_EX_DATA ex_data; +} /* X509_STORE_CTX */; + /* RSA-PSS functions. */ diff --git a/crypto/x509/name_print.c b/crypto/x509/name_print.c index 115edde0b..b5523c0f1 100644 --- a/crypto/x509/name_print.c +++ b/crypto/x509/name_print.c @@ -155,7 +155,7 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent, else ent = X509_NAME_get_entry(n, i); if (prev != -1) { - if (prev == ent->set) { + if (prev == X509_NAME_ENTRY_set(ent)) { if (!maybe_write(out, sep_mv, sep_mv_len)) return -1; outlen += sep_mv_len; @@ -168,7 +168,7 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent, outlen += indent; } } - prev = ent->set; + prev = X509_NAME_ENTRY_set(ent); fn = X509_NAME_ENTRY_get_object(ent); val = X509_NAME_ENTRY_get_data(ent); fn_nid = OBJ_obj2nid(fn); diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c index 80d16c1a4..df54f779a 100644 --- a/crypto/x509/x509_obj.c +++ b/crypto/x509/x509_obj.c @@ -64,6 +64,7 @@ #include #include "../internal.h" +#include "internal.h" /* diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc index bd77778cb..848bd07c3 100644 --- a/crypto/x509/x509_test.cc +++ b/crypto/x509/x509_test.cc @@ -32,6 +32,7 @@ #include #include +#include "internal.h" #include "../internal.h" #include "../test/test_util.h" #include "../x509v3/internal.h" diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c index 23e75535e..6bc09521f 100644 --- a/crypto/x509/x509name.c +++ b/crypto/x509/x509name.c @@ -64,6 +64,7 @@ #include #include "../internal.h" +#include "internal.h" int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, char *buf, diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c index e56f2c371..e4b5835d7 100644 --- a/crypto/x509/x_name.c +++ b/crypto/x509/x_name.c @@ -68,6 +68,7 @@ #include "../asn1/internal.h" #include "../internal.h" +#include "internal.h" typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index 679acb129..38cceb14d 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -69,6 +69,7 @@ #include #include "../internal.h" +#include "internal.h" static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT; diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c index 755c07953..1caea76f5 100644 --- a/crypto/x509v3/pcy_cache.c +++ b/crypto/x509v3/pcy_cache.c @@ -62,6 +62,7 @@ #include "pcy_int.h" #include "../internal.h" +#include "../x509/internal.h" static int policy_data_cmp(const X509_POLICY_DATA **a, const X509_POLICY_DATA **b); diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c index 7263c6920..a4a360151 100644 --- a/crypto/x509v3/pcy_map.c +++ b/crypto/x509v3/pcy_map.c @@ -62,6 +62,7 @@ #include #include "pcy_int.h" +#include "../x509/internal.h" /* * Set policy mapping entries in cache. Note: this modifies the passed diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 292cd20e8..596266b38 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -67,6 +67,7 @@ #include "pcy_int.h" #include "../internal.h" +#include "../x509/internal.h" /* * Enable this to print out the complete policy tree at various point during diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c index 09d97365e..93e5b6dcc 100644 --- a/crypto/x509v3/v3_crld.c +++ b/crypto/x509v3/v3_crld.c @@ -67,6 +67,7 @@ #include #include "internal.h" +#include "../x509/internal.h" static void *v2i_crld(const X509V3_EXT_METHOD *method, diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index 35c826e05..739a59ec9 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509v3/v3_ncons.c @@ -66,6 +66,7 @@ #include #include "../internal.h" +#include "../x509/internal.h" static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 2d7a4db87..d1f56f08b 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -68,6 +68,7 @@ #include #include "../internal.h" +#include "../x509/internal.h" #include "internal.h" #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) diff --git a/include/openssl/base.h b/include/openssl/base.h index ea4366a21..dd6a14656 100644 --- a/include/openssl/base.h +++ b/include/openssl/base.h @@ -445,9 +445,10 @@ typedef struct trust_token_method_st TRUST_TOKEN_METHOD; typedef struct v3_ext_ctx X509V3_CTX; typedef struct x509_attributes_st X509_ATTRIBUTE; typedef struct x509_cert_aux_st X509_CERT_AUX; -typedef struct x509_cinf_st X509_CINF; typedef struct x509_crl_method_st X509_CRL_METHOD; typedef struct x509_lookup_st X509_LOOKUP; +typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; +typedef struct x509_object_st X509_OBJECT; typedef struct x509_revoked_st X509_REVOKED; typedef struct x509_st X509; typedef struct x509_store_ctx_st X509_STORE_CTX; diff --git a/include/openssl/x509.h b/include/openssl/x509.h index fa333ca05..f4444c9c5 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -121,24 +121,8 @@ DEFINE_STACK_OF(X509_ALGOR) typedef STACK_OF(X509_ALGOR) X509_ALGORS; -struct X509_name_entry_st { - ASN1_OBJECT *object; - ASN1_STRING *value; - int set; -} /* X509_NAME_ENTRY */; - DEFINE_STACK_OF(X509_NAME_ENTRY) -// we always keep X509_NAMEs in 2 forms. -struct X509_name_st { - STACK_OF(X509_NAME_ENTRY) *entries; - int modified; // true if 'bytes' needs to be built - BUF_MEM *bytes; - // unsigned long hash; Keep the hash around for lookups - unsigned char *canon_enc; - int canon_enclen; -} /* X509_NAME */; - DEFINE_STACK_OF(X509_NAME) typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; @@ -147,20 +131,6 @@ DEFINE_STACK_OF(X509_EXTENSION) DEFINE_STACK_OF(X509_ATTRIBUTE) -struct x509_cinf_st { - ASN1_INTEGER *version; // [ 0 ] default of v1 - ASN1_INTEGER *serialNumber; - X509_ALGOR *signature; - X509_NAME *issuer; - X509_VAL *validity; - X509_NAME *subject; - X509_PUBKEY *key; - ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2 - ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2 - STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3 - ASN1_ENCODING enc; -} /* X509_CINF */; - // This stuff is certificate "auxiliary info" // it contains details which are useful in certificate // stores and databases. When used this is tagged onto @@ -169,31 +139,6 @@ struct x509_cinf_st { DECLARE_STACK_OF(DIST_POINT) DECLARE_STACK_OF(GENERAL_NAME) -struct x509_st { - X509_CINF *cert_info; - X509_ALGOR *sig_alg; - ASN1_BIT_STRING *signature; - CRYPTO_refcount_t references; - CRYPTO_EX_DATA ex_data; - // These contain copies of various extension values - long ex_pathlen; - long ex_pcpathlen; - unsigned long ex_flags; - unsigned long ex_kusage; - unsigned long ex_xkusage; - unsigned long ex_nscert; - ASN1_OCTET_STRING *skid; - AUTHORITY_KEYID *akid; - X509_POLICY_CACHE *policy_cache; - STACK_OF(DIST_POINT) *crldp; - STACK_OF(GENERAL_NAME) *altname; - NAME_CONSTRAINTS *nc; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; - X509_CERT_AUX *aux; - CRYPTO_BUFFER *buf; - CRYPTO_MUTEX lock; -} /* X509 */; - DEFINE_STACK_OF(X509) // This is used for a table of trust checking functions @@ -939,8 +884,6 @@ DECLARE_ASN1_FUNCTIONS(X509_NAME) // to the copy, and returns one. Otherwise, it returns zero. OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name); -DECLARE_ASN1_FUNCTIONS(X509_CINF) - DECLARE_ASN1_FUNCTIONS(X509) DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) @@ -1989,10 +1932,6 @@ BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref) BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free) BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free) -using ScopedX509_STORE_CTX = - internal::StackAllocated; - BSSL_NAMESPACE_END } // extern C++ diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 9b99f4a9d..d8781afd8 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -99,39 +99,8 @@ certificate chain. #define X509_LU_CRL 2 #define X509_LU_PKEY 3 -typedef struct x509_object_st { - // one of the above types - int type; - union { - char *ptr; - X509 *x509; - X509_CRL *crl; - EVP_PKEY *pkey; - } data; -} X509_OBJECT; - DEFINE_STACK_OF(X509_LOOKUP) DEFINE_STACK_OF(X509_OBJECT) - -// This is a static that defines the function interface -typedef struct x509_lookup_method_st { - const char *name; - int (*new_item)(X509_LOOKUP *ctx); - void (*free)(X509_LOOKUP *ctx); - int (*init)(X509_LOOKUP *ctx); - int (*shutdown)(X509_LOOKUP *ctx); - int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, - char **ret); - int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, - X509_OBJECT *ret); - int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, - ASN1_INTEGER *serial, X509_OBJECT *ret); - int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, unsigned char *bytes, - int len, X509_OBJECT *ret); - int (*get_by_alias)(X509_LOOKUP *ctx, int type, char *str, int len, - X509_OBJECT *ret); -} X509_LOOKUP_METHOD; - DEFINE_STACK_OF(X509_VERIFY_PARAM) typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); @@ -153,103 +122,8 @@ typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)( X509_STORE_CTX *ctx, X509_NAME *nm); typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx); -// This is used to hold everything. It is used for all certificate -// validation. Once we have a certificate chain, the 'verify' -// function is then called to actually check the cert chain. -struct x509_store_st { - // The following is a cache of trusted certs - int cache; // if true, stash any hits - STACK_OF(X509_OBJECT) *objs; // Cache of all objects - CRYPTO_MUTEX objs_lock; - STACK_OF(X509) *additional_untrusted; - - // These are external lookup methods - STACK_OF(X509_LOOKUP) *get_cert_methods; - - X509_VERIFY_PARAM *param; - - // Callbacks for various operations - X509_STORE_CTX_verify_fn verify; // called to verify a certificate - X509_STORE_CTX_verify_cb verify_cb; // error callback - X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx - X509_STORE_CTX_check_issued_fn check_issued; // check issued - X509_STORE_CTX_check_revocation_fn - check_revocation; // Check revocation status of chain - X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL - X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity - X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL - X509_STORE_CTX_lookup_certs_fn lookup_certs; - X509_STORE_CTX_lookup_crls_fn lookup_crls; - X509_STORE_CTX_cleanup_fn cleanup; - - CRYPTO_refcount_t references; -} /* X509_STORE */; - OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); -// This is the functions plus an instance of the local variables. -struct x509_lookup_st { - int init; // have we been started - int skip; // don't use us. - X509_LOOKUP_METHOD *method; // the functions - char *method_data; // method data - - X509_STORE *store_ctx; // who owns us -} /* X509_LOOKUP */; - -// This is a used when verifying cert chains. Since the -// gathering of the cert chain can take some time (and have to be -// 'retried', this needs to be kept and passed around. -struct x509_store_ctx_st // X509_STORE_CTX -{ - X509_STORE *ctx; - - // The following are set by the caller - X509 *cert; // The cert to check - STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in - STACK_OF(X509_CRL) *crls; // set of CRLs passed in - - X509_VERIFY_PARAM *param; - void *other_ctx; // Other info for use with get_issuer() - - // Callbacks for various operations - X509_STORE_CTX_verify_fn verify; // called to verify a certificate - X509_STORE_CTX_verify_cb verify_cb; // error callback - X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx - X509_STORE_CTX_check_issued_fn check_issued; // check issued - X509_STORE_CTX_check_revocation_fn - check_revocation; // Check revocation status of chain - X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL - X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity - X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL - X509_STORE_CTX_check_policy_fn check_policy; - X509_STORE_CTX_lookup_certs_fn lookup_certs; - X509_STORE_CTX_lookup_crls_fn lookup_crls; - X509_STORE_CTX_cleanup_fn cleanup; - - // The following is built up - int valid; // if 0, rebuild chain - int last_untrusted; // index of last untrusted cert - STACK_OF(X509) *chain; // chain of X509s - built up and trusted - X509_POLICY_TREE *tree; // Valid policy tree - - int explicit_policy; // Require explicit policy value - - // When something goes wrong, this is why - int error_depth; - int error; - X509 *current_cert; - X509 *current_issuer; // cert currently being tested as valid issuer - X509_CRL *current_crl; // current CRL - - int current_crl_score; // score of current CRL - unsigned int current_reasons; // Reason mask - - X509_STORE_CTX *parent; // For CRL path validation: parent context - - CRYPTO_EX_DATA ex_data; -} /* X509_STORE_CTX */; - OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_STORE_CTX_set_app_data(ctx, data) \ diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc index 98f1f6a87..8d340d301 100644 --- a/ssl/ssl_x509.cc +++ b/ssl/ssl_x509.cc @@ -379,8 +379,9 @@ static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, const char *name; size_t name_len; SSL_get0_ech_name_override(ssl, &name, &name_len); - ScopedX509_STORE_CTX ctx; - if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) || + UniquePtr ctx(X509_STORE_CTX_new()); + if (!ctx || + !X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) || !X509_STORE_CTX_set_ex_data(ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), ssl) || // We need to inherit the verify parameters. These can be determined by @@ -411,11 +412,11 @@ static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, verify_ret = X509_verify_cert(ctx.get()); } - session->verify_result = ctx->error; + session->verify_result = X509_STORE_CTX_get_error(ctx.get()); // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. if (verify_ret <= 0 && hs->config->verify_mode != SSL_VERIFY_NONE) { - *out_alert = SSL_alert_from_verify_result(ctx->error); + *out_alert = SSL_alert_from_verify_result(session->verify_result); return false; } @@ -464,9 +465,9 @@ static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) { return false; } - ScopedX509_STORE_CTX ctx; - if (!X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store, leaf.get(), - NULL)) { + UniquePtr ctx(X509_STORE_CTX_new()); + if (!ctx || !X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store, + leaf.get(), nullptr)) { OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB); return false; } @@ -476,9 +477,13 @@ static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) { ERR_clear_error(); // Remove the leaf from the generated chain. - X509_free(sk_X509_shift(ctx->chain)); + UniquePtr chain(X509_STORE_CTX_get1_chain(ctx.get())); + if (!chain) { + return false; + } + X509_free(sk_X509_shift(chain.get())); - if (!ssl_cert_set_chain(hs->config->cert.get(), ctx->chain)) { + if (!ssl_cert_set_chain(hs->config->cert.get(), chain.get())) { return false; } diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc index 12a9f7abd..7d1cefa16 100644 --- a/ssl/test/test_config.cc +++ b/ssl/test/test_config.cc @@ -810,7 +810,7 @@ static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) { GetTestState(ssl)->cert_verified = true; if (config->verify_fail) { - store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION; + X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_APPLICATION_VERIFICATION); return 0; }