Deprecate and no-op SSL_set_verify_result.

As documented by OpenSSL, it does not interact with session resumption correctly: https://www.openssl.org/docs/manmaster/ssl/SSL_set_verify_result.html Sadly, netty-tcnative calls it, but we should be able to get them to take it out because it doesn't do anything. Two of the three calls are immediately after SSL_new. In OpenSSL and BoringSSL as of the previous commit, this does nothing. The final call is in verify_callback (see SSL_set_verify). This callback is called in X509_verify_cert by way of X509_STORE_CTX_set_verify_cb. As soon as X509_verify_cert returns, ssl->verify_result is clobbered anyway, so it doesn't do anything. Within OpenSSL, it's used in testdane.c. As far as I can tell, it does not actually do a handshake and just uses this function to fake having done one. (Regardless, we don't need to build against that.) This is done in preparation for removing ssl->verify_result in favor of session->verify_result. Change-Id: I7e32d7f26c44f70136c72e58be05a3a43e62582b Reviewed-on: https://boringssl-review.googlesource.com/10485 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
2016-08-08 21:22:47 -04:00 · 2016-08-08 21:22:47 -04:00 · 93d9743def
commit 93d9743def
parent 46662482b8
2 changed files with 10 additions and 4 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -2163,9 +2163,6 @@ OPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
 * either |X509_V_OK| or a |X509_V_ERR_*| value. */
 OPENSSL_EXPORT long SSL_get_verify_result(const SSL *ssl);

-/* SSL_set_verify_result overrides the result of certificate verification. */
-OPENSSL_EXPORT void SSL_set_verify_result(SSL *ssl, long result);
-
 /* SSL_get_ex_data_X509_STORE_CTX_idx returns the ex_data index used to look up
 * the |SSL| associated with an |X509_STORE_CTX| in the verify callback. */
 OPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void);
@ -3593,6 +3590,12 @@ OPENSSL_EXPORT int SSL_set_private_key_digest_prefs(SSL *ssl,
                                                    const int *digest_nids,
                                                    size_t num_digests);

+/* SSL_set_verify_result calls |abort| unless |result| is |X509_V_OK|.
+ *
+ * TODO(davidben): Remove this function once it has been removed from
+ * netty-tcnative. */
+OPENSSL_EXPORT void SSL_set_verify_result(SSL *ssl, long result);
+

 /* Private structures.
 *
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -141,6 +141,7 @@
 #include <openssl/ssl.h>

 #include <assert.h>
+#include <stdlib.h>
 #include <string.h>

 #include <openssl/bytestring.h>
@ -2310,7 +2311,9 @@ char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {
 }

 void SSL_set_verify_result(SSL *ssl, long result) {
-  ssl->verify_result = result;
+  if (result != X509_V_OK) {
+    abort();
+  }
 }

 long SSL_get_verify_result(const SSL *ssl) { return ssl->verify_result; }