Move ssl_verify_alarm_type into ssl_x509.c.

It's only called from within that file.

Change-Id: I281c9eb1ea25d9cfbec492ba8a4d007f45ae2635
Reviewed-on: https://boringssl-review.googlesource.com/14027
Reviewed-by: Adam Langley <agl@google.com>
David Benjamin 2017-02-28 20:07:22 -05:00 committed by Adam Langley
parent ab1d28e305
commit 54689ed91e
3 changed files with 60 additions and 77 deletions


@ -2027,8 +2027,6 @@ const struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(
void ssl_update_cache(SSL_HANDSHAKE *hs, int mode); void ssl_update_cache(SSL_HANDSHAKE *hs, int mode);
int ssl_verify_alarm_type(long type);
int ssl3_get_finished(SSL_HANDSHAKE *hs); int ssl3_get_finished(SSL_HANDSHAKE *hs);
int ssl3_send_alert(SSL *ssl, int level, int desc); int ssl3_send_alert(SSL *ssl, int level, int desc);
int ssl3_get_message(SSL *ssl); int ssl3_get_message(SSL *ssl);


@ -125,7 +125,6 @@
#include <openssl/nid.h> #include <openssl/nid.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#include <openssl/sha.h> #include <openssl/sha.h>
#include <openssl/x509.h>
#include "../crypto/internal.h" #include "../crypto/internal.h"
#include "internal.h" #include "internal.h"
@ -770,80 +769,6 @@ void ssl3_release_current_message(SSL *ssl, int free_buffer) {
} }
} }
int ssl_verify_alarm_type(long type) {
int al;
switch (type) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
case X509_V_ERR_UNABLE_TO_GET_CRL:
case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
al = SSL_AD_UNKNOWN_CA;
break;
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CRL_NOT_YET_VALID:
case X509_V_ERR_CERT_UNTRUSTED:
case X509_V_ERR_CERT_REJECTED:
case X509_V_ERR_HOSTNAME_MISMATCH:
case X509_V_ERR_EMAIL_MISMATCH:
case X509_V_ERR_IP_ADDRESS_MISMATCH:
al = SSL_AD_BAD_CERTIFICATE;
break;
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
al = SSL_AD_DECRYPT_ERROR;
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_CRL_HAS_EXPIRED:
al = SSL_AD_CERTIFICATE_EXPIRED;
break;
case X509_V_ERR_CERT_REVOKED:
al = SSL_AD_CERTIFICATE_REVOKED;
break;
case X509_V_ERR_UNSPECIFIED:
case X509_V_ERR_OUT_OF_MEM:
case X509_V_ERR_INVALID_CALL:
case X509_V_ERR_STORE_LOOKUP:
al = SSL_AD_INTERNAL_ERROR;
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
case X509_V_ERR_INVALID_CA:
al = SSL_AD_UNKNOWN_CA;
break;
case X509_V_ERR_APPLICATION_VERIFICATION:
al = SSL_AD_HANDSHAKE_FAILURE;
break;
case X509_V_ERR_INVALID_PURPOSE:
al = SSL_AD_UNSUPPORTED_CERTIFICATE;
break;
default:
al = SSL_AD_CERTIFICATE_UNKNOWN;
break;
}
return al;
}
int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
const SSL_EXTENSION_TYPE *ext_types, const SSL_EXTENSION_TYPE *ext_types,
size_t num_ext_types, int ignore_unknown) { size_t num_ext_types, int ignore_unknown) {


@ -565,6 +565,66 @@ static void ssl_crypto_x509_session_clear(SSL_SESSION *session) {
session->x509_chain_without_leaf = NULL; session->x509_chain_without_leaf = NULL;
} }
static int ssl_verify_alarm_type(long type) {
switch (type) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
case X509_V_ERR_UNABLE_TO_GET_CRL:
case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
return SSL_AD_UNKNOWN_CA;
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CRL_NOT_YET_VALID:
case X509_V_ERR_CERT_UNTRUSTED:
case X509_V_ERR_CERT_REJECTED:
case X509_V_ERR_HOSTNAME_MISMATCH:
case X509_V_ERR_EMAIL_MISMATCH:
case X509_V_ERR_IP_ADDRESS_MISMATCH:
return SSL_AD_BAD_CERTIFICATE;
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
return SSL_AD_DECRYPT_ERROR;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_CRL_HAS_EXPIRED:
return SSL_AD_CERTIFICATE_EXPIRED;
case X509_V_ERR_CERT_REVOKED:
return SSL_AD_CERTIFICATE_REVOKED;
case X509_V_ERR_UNSPECIFIED:
case X509_V_ERR_OUT_OF_MEM:
case X509_V_ERR_INVALID_CALL:
case X509_V_ERR_STORE_LOOKUP:
return SSL_AD_INTERNAL_ERROR;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
case X509_V_ERR_INVALID_CA:
return SSL_AD_UNKNOWN_CA;
case X509_V_ERR_APPLICATION_VERIFICATION:
return SSL_AD_HANDSHAKE_FAILURE;
case X509_V_ERR_INVALID_PURPOSE:
return SSL_AD_UNSUPPORTED_CERTIFICATE;
default:
return SSL_AD_CERTIFICATE_UNKNOWN;
}
}
static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
SSL *ssl) { SSL *ssl) {
STACK_OF(X509) *const cert_chain = session->x509_chain; STACK_OF(X509) *const cert_chain = session->x509_chain;
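Review bot: The new static ssl_verify_alarm_type at the top of this hunk carries no header comment, and because it turns an X509 verifier result into the alert description that is sent to the peer, the contract is worth stating in the file itself now that the declaration has left internal.h; suggest `// ssl_verify_alarm_type maps an X509_V_ERR_* verification result to the TLS alert description to send to the peer. Results not listed map to SSL_AD_CERTIFICATE_UNKNOWN.` placed directly above `static int ssl_verify_alarm_type(long type) {`. The switch-to-direct-return rewrite is a clean simplification: every case group ends in a return and the `default` arm covers the remainder, so the `al` temporary and the `break`s of the old version are no longer needed. The trailing context lines belong to ssl_crypto_x509_session_verify_cert_chain, whose body continues outside the hunk, so the call site is not visible here.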