Chiebot-Mirror
/
boringssl
mirror of https://gitee.com/mirrors/boringssl.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Make most of crypto/x509 opaque.

Browse Source 
This unexports X509, X509_CINF, X509_NAME_ENTRY, X509_NAME, X509_OBJECT,
X509_LOOKUP_METHOD, X509_STORE, X509_LOOKUP, and X509_STORE_CTX.

Note this means X509_STORE_CTX can no longer be stack-allocated.

Update-Note: Patch cl/390055173 into the roll that includes this. This
unexports most of the X.509 structs, aligning with OpenSSL. Use the
accessor APIs instead.

Bug: 425
Change-Id: I53e915bfae3b8dc4b67642279d0e54dc606f2297
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48985
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
grpc-202302
David Benjamin 3 years ago committed by Boringssl LUCI CQ
parent 59aff62ca8
commit dddb60eb97
19 changed files with 214 additions and 201 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      crypto/x509/by_file.c
  2. 183
      crypto/x509/internal.h
  3. 4
      crypto/x509/name_print.c
  4. 1
      crypto/x509/x509_obj.c
  5. 1
      crypto/x509/x509_test.cc
  6. 1
      crypto/x509/x509name.c
  7. 1
      crypto/x509/x_name.c
  8. 1
      crypto/x509/x_x509.c
  9. 1
      crypto/x509v3/pcy_cache.c
  10. 1
      crypto/x509v3/pcy_map.c
  11. 1
      crypto/x509v3/pcy_tree.c
  12. 1
      crypto/x509v3/v3_crld.c
  13. 1
      crypto/x509v3/v3_ncons.c
  14. 1
      crypto/x509v3/v3_purp.c
  15. 3
      include/openssl/base.h
  16. 61
      include/openssl/x509.h
  17. 126
      include/openssl/x509_vfy.h
  18. 23
      ssl/ssl_x509.cc
  19. 2
      ssl/test/test_config.cc

2
crypto/x509/by_file.c
Unescape View File

@ -61,6 +61,8 @@
#include <openssl/pem.h>
#include <openssl/thread.h>
#include "internal.h"
#ifndef OPENSSL_NO_STDIO
static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,

183
crypto/x509/internal.h
Unescape View File

@ -81,6 +81,22 @@ struct X509_pubkey_st {
EVP_PKEY *pkey;
} /* X509_PUBKEY */;
struct X509_name_entry_st {
ASN1_OBJECT *object;
ASN1_STRING *value;
int set;
} /* X509_NAME_ENTRY */;
// we always keep X509_NAMEs in 2 forms.
struct X509_name_st {
STACK_OF(X509_NAME_ENTRY) *entries;
int modified; // true if 'bytes' needs to be built
BUF_MEM *bytes;
// unsigned long hash; Keep the hash around for lookups
unsigned char *canon_enc;
int canon_enclen;
} /* X509_NAME */;
struct x509_attributes_st {
ASN1_OBJECT *object;
STACK_OF(ASN1_TYPE) *set;
@ -100,6 +116,47 @@ struct X509_extension_st {
ASN1_OCTET_STRING *value;
} /* X509_EXTENSION */;
typedef struct {
ASN1_INTEGER *version; // [ 0 ] default of v1
ASN1_INTEGER *serialNumber;
X509_ALGOR *signature;
X509_NAME *issuer;
X509_VAL *validity;
X509_NAME *subject;
X509_PUBKEY *key;
ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2
ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2
STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3
ASN1_ENCODING enc;
} X509_CINF;
DECLARE_ASN1_FUNCTIONS(X509_CINF)
struct x509_st {
X509_CINF *cert_info;
X509_ALGOR *sig_alg;
ASN1_BIT_STRING *signature;
CRYPTO_refcount_t references;
CRYPTO_EX_DATA ex_data;
// These contain copies of various extension values
long ex_pathlen;
long ex_pcpathlen;
unsigned long ex_flags;
unsigned long ex_kusage;
unsigned long ex_xkusage;
unsigned long ex_nscert;
ASN1_OCTET_STRING *skid;
AUTHORITY_KEYID *akid;
X509_POLICY_CACHE *policy_cache;
STACK_OF(DIST_POINT) *crldp;
STACK_OF(GENERAL_NAME) *altname;
NAME_CONSTRAINTS *nc;
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
X509_CERT_AUX *aux;
CRYPTO_BUFFER *buf;
CRYPTO_MUTEX lock;
} /* X509 */;
typedef struct {
ASN1_ENCODING enc;
ASN1_INTEGER *version;
@ -153,7 +210,6 @@ struct X509_crl_st {
void *meth_data;
} /* X509_CRL */;
struct X509_VERIFY_PARAM_st {
char *name;
time_t check_time; // Time to use
@ -174,6 +230,131 @@ struct X509_VERIFY_PARAM_st {
unsigned char poison; // Fail all verifications at name checking
} /* X509_VERIFY_PARAM */;
struct x509_object_st {
// one of the above types
int type;
union {
char *ptr;
X509 *x509;
X509_CRL *crl;
EVP_PKEY *pkey;
} data;
} /* X509_OBJECT */;
// This is a static that defines the function interface
struct x509_lookup_method_st {
const char *name;
int (*new_item)(X509_LOOKUP *ctx);
void (*free)(X509_LOOKUP *ctx);
int (*init)(X509_LOOKUP *ctx);
int (*shutdown)(X509_LOOKUP *ctx);
int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
char **ret);
int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name,
X509_OBJECT *ret);
int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name,
ASN1_INTEGER *serial, X509_OBJECT *ret);
int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, unsigned char *bytes,
int len, X509_OBJECT *ret);
int (*get_by_alias)(X509_LOOKUP *ctx, int type, char *str, int len,
X509_OBJECT *ret);
} /* X509_LOOKUP_METHOD */;
// This is used to hold everything. It is used for all certificate
// validation. Once we have a certificate chain, the 'verify'
// function is then called to actually check the cert chain.
struct x509_store_st {
// The following is a cache of trusted certs
int cache; // if true, stash any hits
STACK_OF(X509_OBJECT) *objs; // Cache of all objects
CRYPTO_MUTEX objs_lock;
STACK_OF(X509) *additional_untrusted;
// These are external lookup methods
STACK_OF(X509_LOOKUP) *get_cert_methods;
X509_VERIFY_PARAM *param;
// Callbacks for various operations
X509_STORE_CTX_verify_fn verify; // called to verify a certificate
X509_STORE_CTX_verify_cb verify_cb; // error callback
X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx
X509_STORE_CTX_check_issued_fn check_issued; // check issued
X509_STORE_CTX_check_revocation_fn
check_revocation; // Check revocation status of chain
X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL
X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity
X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL
X509_STORE_CTX_lookup_certs_fn lookup_certs;
X509_STORE_CTX_lookup_crls_fn lookup_crls;
X509_STORE_CTX_cleanup_fn cleanup;
CRYPTO_refcount_t references;
} /* X509_STORE */;
// This is the functions plus an instance of the local variables.
struct x509_lookup_st {
int init; // have we been started
int skip; // don't use us.
X509_LOOKUP_METHOD *method; // the functions
char *method_data; // method data
X509_STORE *store_ctx; // who owns us
} /* X509_LOOKUP */;
// This is a used when verifying cert chains. Since the
// gathering of the cert chain can take some time (and have to be
// 'retried', this needs to be kept and passed around.
struct x509_store_ctx_st {
X509_STORE *ctx;
// The following are set by the caller
X509 *cert; // The cert to check
STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in
STACK_OF(X509_CRL) *crls; // set of CRLs passed in
X509_VERIFY_PARAM *param;
void *other_ctx; // Other info for use with get_issuer()
// Callbacks for various operations
X509_STORE_CTX_verify_fn verify; // called to verify a certificate
X509_STORE_CTX_verify_cb verify_cb; // error callback
X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx
X509_STORE_CTX_check_issued_fn check_issued; // check issued
X509_STORE_CTX_check_revocation_fn
check_revocation; // Check revocation status of chain
X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL
X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity
X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL
X509_STORE_CTX_check_policy_fn check_policy;
X509_STORE_CTX_lookup_certs_fn lookup_certs;
X509_STORE_CTX_lookup_crls_fn lookup_crls;
X509_STORE_CTX_cleanup_fn cleanup;
// The following is built up
int valid; // if 0, rebuild chain
int last_untrusted; // index of last untrusted cert
STACK_OF(X509) *chain; // chain of X509s - built up and trusted
X509_POLICY_TREE *tree; // Valid policy tree
int explicit_policy; // Require explicit policy value
// When something goes wrong, this is why
int error_depth;
int error;
X509 *current_cert;
X509 *current_issuer; // cert currently being tested as valid issuer
X509_CRL *current_crl; // current CRL
int current_crl_score; // score of current CRL
unsigned int current_reasons; // Reason mask
X509_STORE_CTX *parent; // For CRL path validation: parent context
CRYPTO_EX_DATA ex_data;
} /* X509_STORE_CTX */;
/* RSA-PSS functions. */

4
crypto/x509/name_print.c
Unescape View File

@ -155,7 +155,7 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent,
else
ent = X509_NAME_get_entry(n, i);
if (prev != -1) {
if (prev == ent->set) {
if (prev == X509_NAME_ENTRY_set(ent)) {
if (!maybe_write(out, sep_mv, sep_mv_len))
return -1;
outlen += sep_mv_len;
@ -168,7 +168,7 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent,
outlen += indent;
}
}
prev = ent->set;
prev = X509_NAME_ENTRY_set(ent);
fn = X509_NAME_ENTRY_get_object(ent);
val = X509_NAME_ENTRY_get_data(ent);
fn_nid = OBJ_obj2nid(fn);

1
crypto/x509/x509_obj.c
Unescape View File

@ -64,6 +64,7 @@
#include <openssl/x509.h>
#include "../internal.h"
#include "internal.h"
/*

1
crypto/x509/x509_test.cc
Unescape View File

@ -32,6 +32,7 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "internal.h"
#include "../internal.h"
#include "../test/test_util.h"
#include "../x509v3/internal.h"

1
crypto/x509/x509name.c
Unescape View File

@ -64,6 +64,7 @@
#include <openssl/x509.h>
#include "../internal.h"
#include "internal.h"
int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, char *buf,

1
crypto/x509/x_name.c
Unescape View File

@ -68,6 +68,7 @@
#include "../asn1/internal.h"
#include "../internal.h"
#include "internal.h"
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;

1
crypto/x509/x_x509.c
Unescape View File

@ -69,6 +69,7 @@
#include <openssl/x509v3.h>
#include "../internal.h"
#include "internal.h"
static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;

1
crypto/x509v3/pcy_cache.c
Unescape View File

@ -62,6 +62,7 @@
#include "pcy_int.h"
#include "../internal.h"
#include "../x509/internal.h"
static int policy_data_cmp(const X509_POLICY_DATA **a,
const X509_POLICY_DATA **b);

1
crypto/x509v3/pcy_map.c
Unescape View File

@ -62,6 +62,7 @@
#include <openssl/x509v3.h>
#include "pcy_int.h"
#include "../x509/internal.h"
/*
* Set policy mapping entries in cache. Note: this modifies the passed

1
crypto/x509v3/pcy_tree.c
Unescape View File

@ -67,6 +67,7 @@
#include "pcy_int.h"
#include "../internal.h"
#include "../x509/internal.h"
/*
* Enable this to print out the complete policy tree at various point during

1
crypto/x509v3/v3_crld.c
Unescape View File

@ -67,6 +67,7 @@
#include <openssl/x509v3.h>
#include "internal.h"
#include "../x509/internal.h"
static void *v2i_crld(const X509V3_EXT_METHOD *method,

1
crypto/x509v3/v3_ncons.c
Unescape View File

@ -66,6 +66,7 @@
#include <openssl/x509v3.h>
#include "../internal.h"
#include "../x509/internal.h"
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,

1
crypto/x509v3/v3_purp.c
Unescape View File

@ -68,6 +68,7 @@
#include <openssl/x509v3.h>
#include "../internal.h"
#include "../x509/internal.h"
#include "internal.h"
#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)

3
include/openssl/base.h
Unescape View File

@ -445,9 +445,10 @@ typedef struct trust_token_method_st TRUST_TOKEN_METHOD;
typedef struct v3_ext_ctx X509V3_CTX;
typedef struct x509_attributes_st X509_ATTRIBUTE;
typedef struct x509_cert_aux_st X509_CERT_AUX;
typedef struct x509_cinf_st X509_CINF;
typedef struct x509_crl_method_st X509_CRL_METHOD;
typedef struct x509_lookup_st X509_LOOKUP;
typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
typedef struct x509_object_st X509_OBJECT;
typedef struct x509_revoked_st X509_REVOKED;
typedef struct x509_st X509;
typedef struct x509_store_ctx_st X509_STORE_CTX;

61
include/openssl/x509.h
Unescape View File

@ -121,24 +121,8 @@ DEFINE_STACK_OF(X509_ALGOR)
typedef STACK_OF(X509_ALGOR) X509_ALGORS;
struct X509_name_entry_st {
ASN1_OBJECT *object;
ASN1_STRING *value;
int set;
} /* X509_NAME_ENTRY */;
DEFINE_STACK_OF(X509_NAME_ENTRY)
// we always keep X509_NAMEs in 2 forms.
struct X509_name_st {
STACK_OF(X509_NAME_ENTRY) *entries;
int modified; // true if 'bytes' needs to be built
BUF_MEM *bytes;
// unsigned long hash; Keep the hash around for lookups
unsigned char *canon_enc;
int canon_enclen;
} /* X509_NAME */;
DEFINE_STACK_OF(X509_NAME)
typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
@ -147,20 +131,6 @@ DEFINE_STACK_OF(X509_EXTENSION)
DEFINE_STACK_OF(X509_ATTRIBUTE)
struct x509_cinf_st {
ASN1_INTEGER *version; // [ 0 ] default of v1
ASN1_INTEGER *serialNumber;
X509_ALGOR *signature;
X509_NAME *issuer;
X509_VAL *validity;
X509_NAME *subject;
X509_PUBKEY *key;
ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2
ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2
STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3
ASN1_ENCODING enc;
} /* X509_CINF */;
// This stuff is certificate "auxiliary info"
// it contains details which are useful in certificate
// stores and databases. When used this is tagged onto
@ -169,31 +139,6 @@ struct x509_cinf_st {
DECLARE_STACK_OF(DIST_POINT)
DECLARE_STACK_OF(GENERAL_NAME)
struct x509_st {
X509_CINF *cert_info;
X509_ALGOR *sig_alg;
ASN1_BIT_STRING *signature;
CRYPTO_refcount_t references;
CRYPTO_EX_DATA ex_data;
// These contain copies of various extension values
long ex_pathlen;
long ex_pcpathlen;
unsigned long ex_flags;
unsigned long ex_kusage;
unsigned long ex_xkusage;
unsigned long ex_nscert;
ASN1_OCTET_STRING *skid;
AUTHORITY_KEYID *akid;
X509_POLICY_CACHE *policy_cache;
STACK_OF(DIST_POINT) *crldp;
STACK_OF(GENERAL_NAME) *altname;
NAME_CONSTRAINTS *nc;
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
X509_CERT_AUX *aux;
CRYPTO_BUFFER *buf;
CRYPTO_MUTEX lock;
} /* X509 */;
DEFINE_STACK_OF(X509)
// This is used for a table of trust checking functions
@ -939,8 +884,6 @@ DECLARE_ASN1_FUNCTIONS(X509_NAME)
// to the copy, and returns one. Otherwise, it returns zero.
OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
DECLARE_ASN1_FUNCTIONS(X509_CINF)
DECLARE_ASN1_FUNCTIONS(X509)
DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
@ -1989,10 +1932,6 @@ BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref)
BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free)
BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free)
using ScopedX509_STORE_CTX =
internal::StackAllocated<X509_STORE_CTX, void, X509_STORE_CTX_zero,
X509_STORE_CTX_cleanup>;
BSSL_NAMESPACE_END
} // extern C++

126
include/openssl/x509_vfy.h
Unescape View File

@ -99,39 +99,8 @@ certificate chain.
#define X509_LU_CRL 2
#define X509_LU_PKEY 3
typedef struct x509_object_st {
// one of the above types
int type;
union {
char *ptr;
X509 *x509;
X509_CRL *crl;
EVP_PKEY *pkey;
} data;
} X509_OBJECT;
DEFINE_STACK_OF(X509_LOOKUP)
DEFINE_STACK_OF(X509_OBJECT)
// This is a static that defines the function interface
typedef struct x509_lookup_method_st {
const char *name;
int (*new_item)(X509_LOOKUP *ctx);
void (*free)(X509_LOOKUP *ctx);
int (*init)(X509_LOOKUP *ctx);
int (*shutdown)(X509_LOOKUP *ctx);
int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
char **ret);
int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name,
X509_OBJECT *ret);
int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name,
ASN1_INTEGER *serial, X509_OBJECT *ret);
int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, unsigned char *bytes,
int len, X509_OBJECT *ret);
int (*get_by_alias)(X509_LOOKUP *ctx, int type, char *str, int len,
X509_OBJECT *ret);
} X509_LOOKUP_METHOD;
DEFINE_STACK_OF(X509_VERIFY_PARAM)
typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
@ -153,103 +122,8 @@ typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(
X509_STORE_CTX *ctx, X509_NAME *nm);
typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
// This is used to hold everything. It is used for all certificate
// validation. Once we have a certificate chain, the 'verify'
// function is then called to actually check the cert chain.
struct x509_store_st {
// The following is a cache of trusted certs
int cache; // if true, stash any hits
STACK_OF(X509_OBJECT) *objs; // Cache of all objects
CRYPTO_MUTEX objs_lock;
STACK_OF(X509) *additional_untrusted;
// These are external lookup methods
STACK_OF(X509_LOOKUP) *get_cert_methods;
X509_VERIFY_PARAM *param;
// Callbacks for various operations
X509_STORE_CTX_verify_fn verify; // called to verify a certificate
X509_STORE_CTX_verify_cb verify_cb; // error callback
X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx
X509_STORE_CTX_check_issued_fn check_issued; // check issued
X509_STORE_CTX_check_revocation_fn
check_revocation; // Check revocation status of chain
X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL
X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity
X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL
X509_STORE_CTX_lookup_certs_fn lookup_certs;
X509_STORE_CTX_lookup_crls_fn lookup_crls;
X509_STORE_CTX_cleanup_fn cleanup;
CRYPTO_refcount_t references;
} /* X509_STORE */;
OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth);
// This is the functions plus an instance of the local variables.
struct x509_lookup_st {
int init; // have we been started
int skip; // don't use us.
X509_LOOKUP_METHOD *method; // the functions
char *method_data; // method data
X509_STORE *store_ctx; // who owns us
} /* X509_LOOKUP */;
// This is a used when verifying cert chains. Since the
// gathering of the cert chain can take some time (and have to be
// 'retried', this needs to be kept and passed around.
struct x509_store_ctx_st // X509_STORE_CTX
{
X509_STORE *ctx;
// The following are set by the caller
X509 *cert; // The cert to check
STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in
STACK_OF(X509_CRL) *crls; // set of CRLs passed in
X509_VERIFY_PARAM *param;
void *other_ctx; // Other info for use with get_issuer()
// Callbacks for various operations
X509_STORE_CTX_verify_fn verify; // called to verify a certificate
X509_STORE_CTX_verify_cb verify_cb; // error callback
X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx
X509_STORE_CTX_check_issued_fn check_issued; // check issued
X509_STORE_CTX_check_revocation_fn
check_revocation; // Check revocation status of chain
X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL
X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity
X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL
X509_STORE_CTX_check_policy_fn check_policy;
X509_STORE_CTX_lookup_certs_fn lookup_certs;
X509_STORE_CTX_lookup_crls_fn lookup_crls;
X509_STORE_CTX_cleanup_fn cleanup;
// The following is built up
int valid; // if 0, rebuild chain
int last_untrusted; // index of last untrusted cert
STACK_OF(X509) *chain; // chain of X509s - built up and trusted
X509_POLICY_TREE *tree; // Valid policy tree
int explicit_policy; // Require explicit policy value
// When something goes wrong, this is why
int error_depth;
int error;
X509 *current_cert;
X509 *current_issuer; // cert currently being tested as valid issuer
X509_CRL *current_crl; // current CRL
int current_crl_score; // score of current CRL
unsigned int current_reasons; // Reason mask
X509_STORE_CTX *parent; // For CRL path validation: parent context
CRYPTO_EX_DATA ex_data;
} /* X509_STORE_CTX */;
OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_STORE_CTX_set_app_data(ctx, data) \

23
ssl/ssl_x509.cc
Unescape View File

@ -379,8 +379,9 @@ static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
const char *name;
size_t name_len;
SSL_get0_ech_name_override(ssl, &name, &name_len);
ScopedX509_STORE_CTX ctx;
if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) ||
UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());
if (!ctx ||
!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) ||
!X509_STORE_CTX_set_ex_data(ctx.get(),
SSL_get_ex_data_X509_STORE_CTX_idx(), ssl) ||
// We need to inherit the verify parameters. These can be determined by
@ -411,11 +412,11 @@ static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
verify_ret = X509_verify_cert(ctx.get());
}
session->verify_result = ctx->error;
session->verify_result = X509_STORE_CTX_get_error(ctx.get());
// If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
if (verify_ret <= 0 && hs->config->verify_mode != SSL_VERIFY_NONE) {
*out_alert = SSL_alert_from_verify_result(ctx->error);
*out_alert = SSL_alert_from_verify_result(session->verify_result);
return false;
}
@ -464,9 +465,9 @@ static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
return false;
}
ScopedX509_STORE_CTX ctx;
if (!X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store, leaf.get(),
NULL)) {
UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());
if (!ctx || !X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store,
leaf.get(), nullptr)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
return false;
}
@ -476,9 +477,13 @@ static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
ERR_clear_error();
// Remove the leaf from the generated chain.
X509_free(sk_X509_shift(ctx->chain));
UniquePtr<STACK_OF(X509)> chain(X509_STORE_CTX_get1_chain(ctx.get()));
if (!chain) {
return false;
}
X509_free(sk_X509_shift(chain.get()));
if (!ssl_cert_set_chain(hs->config->cert.get(), ctx->chain)) {
if (!ssl_cert_set_chain(hs->config->cert.get(), chain.get())) {
return false;
}

2
ssl/test/test_config.cc
Unescape View File

@ -810,7 +810,7 @@ static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
GetTestState(ssl)->cert_verified = true;
if (config->verify_fail) {
store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;
X509_STORE_CTX_set_error(store_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
return 0;
}

Write Preview
Loading…
Cancel
Save