Support verify_depth from the SSL API without need for user-defined
callbacks. Submitted by: Reviewed by: PR:
This commit is contained in:
parent
69bb35ed72
commit
7f89714e64
7 changed files with 45 additions and 5 deletions
7
CHANGES
7
CHANGES
|
@ -5,6 +5,13 @@
|
|||
|
||||
Changes between 0.9.2b and 0.9.3
|
||||
|
||||
*) Support verify_depth from the SSL API.
|
||||
x509_vfy.c had what can be considered an off-by-one-error:
|
||||
Its depth (which was not part of the external interface)
|
||||
was actually counting the number of certificates in a chain;
|
||||
now it really counts the depth.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) New function SSL_CTX_set_session_id_context that allows to set a default
|
||||
value (so that you don't need SSL_set_session_id_context for each
|
||||
connection using the SSL_CTX).
|
||||
|
|
|
@ -391,7 +391,7 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
|
|||
ctx->last_untrusted=0;
|
||||
ctx->valid=0;
|
||||
ctx->chain=NULL;
|
||||
ctx->depth=10;
|
||||
ctx->depth=9;
|
||||
ctx->error=0;
|
||||
ctx->current_cert=NULL;
|
||||
memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
|
||||
|
|
|
@ -143,7 +143,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
|||
for (;;)
|
||||
{
|
||||
/* If we have enough, we break */
|
||||
if (depth <= num) break;
|
||||
if (depth < num) break;
|
||||
|
||||
/* If we are self signed, we break */
|
||||
xn=X509_get_issuer_name(x);
|
||||
|
@ -206,7 +206,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
|||
for (;;)
|
||||
{
|
||||
/* If we have enough, we break */
|
||||
if (depth <= num) break;
|
||||
if (depth < num) break;
|
||||
|
||||
/* If we are self signed, we break */
|
||||
xn=X509_get_issuer_name(x);
|
||||
|
|
|
@ -169,7 +169,7 @@ typedef struct x509_store_st
|
|||
|
||||
CRYPTO_EX_DATA ex_data;
|
||||
int references;
|
||||
int depth; /* how deep to look (still unused) */
|
||||
int depth; /* how deep to look (still unused -- X509_STORE_CTX's depth is used) */
|
||||
} X509_STORE;
|
||||
|
||||
#define X509_STORE_set_depth(ctx,d) ((ctx)->depth=(d))
|
||||
|
@ -191,7 +191,7 @@ struct x509_lookup_st
|
|||
/* This is a temporary used when processing cert chains. Since the
|
||||
* gathering of the cert chain can take some time (and have to be
|
||||
* 'retried', this needs to be kept and passed around. */
|
||||
struct x509_store_state_st
|
||||
struct x509_store_state_st /* X509_STORE_CTX */
|
||||
{
|
||||
X509_STORE *ctx;
|
||||
int current_method; /* used when looking up certs */
|
||||
|
@ -214,6 +214,8 @@ struct x509_store_state_st
|
|||
CRYPTO_EX_DATA ex_data;
|
||||
};
|
||||
|
||||
#define X509_STORE_CTX_set_depth(ctx,d) ((ctx)->depth=(d))
|
||||
|
||||
#define X509_STORE_CTX_set_app_data(ctx,data) \
|
||||
X509_STORE_CTX_set_ex_data(ctx,0,data)
|
||||
#define X509_STORE_CTX_get_app_data(ctx) \
|
||||
|
|
|
@ -394,6 +394,7 @@ struct ssl_ctx_st
|
|||
/**/ struct cert_st /* CERT */ *default_cert;
|
||||
/**/ int read_ahead;
|
||||
/**/ int verify_mode;
|
||||
/**/ int verify_depth;
|
||||
/**/ unsigned int sid_ctx_length;
|
||||
/**/ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
|
||||
/**/ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
|
||||
|
@ -573,6 +574,7 @@ struct ssl_st
|
|||
/* Used in SSL2 and SSL3 */
|
||||
int verify_mode; /* 0 don't care about verify failure.
|
||||
* 1 fail if verify fails */
|
||||
int verify_depth;
|
||||
int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
|
||||
void (*info_callback)(); /* optional informational callback */
|
||||
|
||||
|
@ -851,9 +853,11 @@ BIO * SSL_get_wbio(SSL *s);
|
|||
int SSL_set_cipher_list(SSL *s, char *str);
|
||||
void SSL_set_read_ahead(SSL *s, int yes);
|
||||
int SSL_get_verify_mode(SSL *s);
|
||||
int SSL_get_verify_depth(SSL *s);
|
||||
int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
|
||||
void SSL_set_verify(SSL *s, int mode,
|
||||
int (*callback)(int ok,X509_STORE_CTX *ctx));
|
||||
void SSL_set_verify_depth(SSL *s, int depth);
|
||||
#ifndef NO_RSA
|
||||
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
|
||||
#endif
|
||||
|
@ -912,9 +916,11 @@ X509 * SSL_get_peer_certificate(SSL *s);
|
|||
STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
|
||||
|
||||
int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
|
||||
int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
|
||||
int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
|
||||
void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
|
||||
int (*callback)(int, X509_STORE_CTX *));
|
||||
void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
|
||||
void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg);
|
||||
#ifndef NO_RSA
|
||||
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
|
||||
|
|
|
@ -185,6 +185,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
|
|||
|
||||
x=sk_X509_value(sk,0);
|
||||
X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
|
||||
if (SSL_get_verify_depth(s) >= 0)
|
||||
X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
|
||||
X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
|
||||
(char *)s);
|
||||
|
||||
|
|
|
@ -189,6 +189,7 @@ SSL *SSL_new(SSL_CTX *ctx)
|
|||
s->sid_ctx_length=ctx->sid_ctx_length;
|
||||
memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
|
||||
s->verify_mode=ctx->verify_mode;
|
||||
s->verify_depth=ctx->verify_depth;
|
||||
s->verify_callback=ctx->default_verify_callback;
|
||||
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
|
||||
s->ctx=ctx;
|
||||
|
@ -422,6 +423,11 @@ int SSL_get_verify_mode(SSL *s)
|
|||
return(s->verify_mode);
|
||||
}
|
||||
|
||||
int SSL_get_verify_depth(SSL *s)
|
||||
{
|
||||
return(s->verify_depth);
|
||||
}
|
||||
|
||||
int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
|
||||
{
|
||||
return(s->verify_callback);
|
||||
|
@ -432,6 +438,11 @@ int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
|
|||
return(ctx->verify_mode);
|
||||
}
|
||||
|
||||
int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
|
||||
{
|
||||
return(ctx->verify_depth);
|
||||
}
|
||||
|
||||
int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
|
||||
{
|
||||
return(ctx->default_verify_callback);
|
||||
|
@ -445,6 +456,11 @@ void SSL_set_verify(SSL *s,int mode,
|
|||
s->verify_callback=callback;
|
||||
}
|
||||
|
||||
void SSL_set_verify_depth(SSL *s,int depth)
|
||||
{
|
||||
s->verify_depth=depth;
|
||||
}
|
||||
|
||||
void SSL_set_read_ahead(SSL *s,int yes)
|
||||
{
|
||||
s->read_ahead=yes;
|
||||
|
@ -961,6 +977,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
|
|||
|
||||
ret->read_ahead=0;
|
||||
ret->verify_mode=SSL_VERIFY_NONE;
|
||||
ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
|
||||
ret->default_verify_callback=NULL;
|
||||
if ((ret->default_cert=ssl_cert_new()) == NULL)
|
||||
goto err;
|
||||
|
@ -1079,6 +1096,11 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
|
|||
X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
|
||||
}
|
||||
|
||||
void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
|
||||
{
|
||||
ctx->verify_depth=depth;
|
||||
}
|
||||
|
||||
/* Need default_cert to check for callbacks, for now (see comment in CERT
|
||||
strucure)
|
||||
*/
|
||||
|
@ -1463,6 +1485,7 @@ SSL *SSL_dup(SSL *s)
|
|||
SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
|
||||
SSL_set_verify(ret,SSL_get_verify_mode(s),
|
||||
SSL_get_verify_callback(s));
|
||||
SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
|
||||
|
||||
SSL_set_info_callback(ret,SSL_get_info_callback(s));
|
||||
|
||||
|
|
Loading…
Reference in a new issue