Remove SSL_build_cert_chain.
The function is unused. It appears to be distinct from the automatic chain building and was added in 1.0.2. It amounts to a lot of machinery for something that consumers ought to configure explicitly anyway. BUG=486295 Change-Id: If3d4a2761f61c5b2252b37d4692089112fc0ec21 Reviewed-on: https://boringssl-review.googlesource.com/5353 Reviewed-by: Adam Langley <agl@google.com>
parent
4462809623
commit
b2a9d6ab78
@ -813,18 +813,6 @@ struct ssl_session_st {
* enforcing certifcate chain algorithms. When this is set we enforce them. */
* enforcing certifcate chain algorithms. When this is set we enforce them. */
#define SSL_CERT_FLAG_TLS_STRICT 0x00000001L
#define SSL_CERT_FLAG_TLS_STRICT 0x00000001L
/* Flags for building certificate chains */
/* Treat any existing certificates as untrusted CAs */
#define SSL_BUILD_CHAIN_FLAG_UNTRUSTED 0x1
/* Don't include root CA in chain */
#define SSL_BUILD_CHAIN_FLAG_NO_ROOT 0x2
/* Just check certificates already there */
#define SSL_BUILD_CHAIN_FLAG_CHECK 0x4
/* Ignore verification errors */
#define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8
/* Clear verification errors from queue */
#define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
/* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
/* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
* and zero on failure. */
* and zero on failure. */
OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
@ -1755,7 +1743,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102
#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102
#define SSL_CTRL_GET_CLIENT_CERT_TYPES 103
#define SSL_CTRL_GET_CLIENT_CERT_TYPES 103
#define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
#define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
#define SSL_CTRL_BUILD_CERT_CHAIN 105
#define SSL_CTRL_SET_VERIFY_CERT_STORE 106
#define SSL_CTRL_SET_VERIFY_CERT_STORE 106
#define SSL_CTRL_SET_CHAIN_CERT_STORE 107
#define SSL_CTRL_SET_CHAIN_CERT_STORE 107
#define SSL_CTRL_GET_EC_POINT_FORMATS 111
#define SSL_CTRL_GET_EC_POINT_FORMATS 111
@ -1867,8 +1854,6 @@ OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
#define SSL_CTX_get0_chain_certs(ctx, px509) \
#define SSL_CTX_get0_chain_certs(ctx, px509) \
SSL_CTX_ctrl(ctx, SSL_CTRL_GET_CHAIN_CERTS, 0, px509)
SSL_CTX_ctrl(ctx, SSL_CTRL_GET_CHAIN_CERTS, 0, px509)
#define SSL_CTX_clear_chain_certs(ctx) SSL_CTX_set0_chain(ctx, NULL)
#define SSL_CTX_clear_chain_certs(ctx) SSL_CTX_set0_chain(ctx, NULL)
#define SSL_CTX_build_cert_chain(ctx, flags) \
SSL_CTX_ctrl(ctx, SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
#define SSL_CTX_set0_verify_cert_store(ctx, st) \
#define SSL_CTX_set0_verify_cert_store(ctx, st) \
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
@ -1888,8 +1873,6 @@ OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
#define SSL_get0_chain_certs(ctx, px509) \
#define SSL_get0_chain_certs(ctx, px509) \
SSL_ctrl(ctx, SSL_CTRL_GET_CHAIN_CERTS, 0, px509)
SSL_ctrl(ctx, SSL_CTRL_GET_CHAIN_CERTS, 0, px509)
#define SSL_clear_chain_certs(ctx) SSL_set0_chain(ctx, NULL)
#define SSL_clear_chain_certs(ctx) SSL_set0_chain(ctx, NULL)
#define SSL_build_cert_chain(s, flags) \
SSL_ctrl(s, SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
#define SSL_set0_verify_cert_store(s, st) \
#define SSL_set0_verify_cert_store(s, st) \
SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
@ -837,7 +837,6 @@ void ssl_cert_set_cert_cb(CERT *cert,
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
int ssl_add_cert_chain(SSL *s, unsigned long *l);
int ssl_add_cert_chain(SSL *s, unsigned long *l);
int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags);
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
void ssl_update_cache(SSL *s, int mode);
void ssl_update_cache(SSL *s, int mode);
@ -440,9 +440,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
}
}
return ssl3_set_req_cert_type(s->cert, parg, larg);
return ssl3_set_req_cert_type(s->cert, parg, larg);
case SSL_CTRL_BUILD_CERT_CHAIN:
return ssl_build_cert_chain(s->cert, s->ctx->cert_store, larg);
case SSL_CTRL_SET_VERIFY_CERT_STORE:
case SSL_CTRL_SET_VERIFY_CERT_STORE:
return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
@ -480,9 +477,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
case SSL_CTRL_BUILD_CERT_CHAIN:
return ssl_build_cert_chain(ctx->cert, ctx->cert_store, larg);
case SSL_CTRL_SET_VERIFY_CERT_STORE:
case SSL_CTRL_SET_VERIFY_CERT_STORE:
return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
112
ssl/ssl_cert.c
112
ssl/ssl_cert.c
@ -793,118 +793,6 @@ int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {
return 1;
return 1;
}
}
/* Build a certificate chain for current certificate */
int ssl_build_cert_chain(CERT *cert, X509_STORE *chain_store, int flags) {
X509_STORE_CTX xs_ctx;
STACK_OF(X509) *chain = NULL, *untrusted = NULL;
X509 *x;
int i, rv = 0;
uint32_t error;
if (cert->x509 == NULL) {
OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, SSL_R_NO_CERTIFICATE_SET);
goto err;
}
/* Rearranging and check the chain: add everything to a store */
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) {
size_t j;
chain_store = X509_STORE_new();
if (!chain_store) {
goto err;
}
for (j = 0; j < sk_X509_num(cert->chain); j++) {
x = sk_X509_value(cert->chain, j);
if (!X509_STORE_add_cert(chain_store, x)) {
error = ERR_peek_last_error();
if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
goto err;
}
ERR_clear_error();
}
}
/* Add EE cert too: it might be self signed */
if (!X509_STORE_add_cert(chain_store, cert->x509)) {
error = ERR_peek_last_error();
if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
goto err;
}
ERR_clear_error();
}
} else {
if (cert->chain_store) {
chain_store = cert->chain_store;
}
if (flags & SSL_BUILD_CHAIN_FLAG_UNTRUSTED) {
untrusted = cert->chain;
}
}
if (!X509_STORE_CTX_init(&xs_ctx, chain_store, cert->x509, untrusted)) {
OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, ERR_R_X509_LIB);
goto err;
}
i = X509_verify_cert(&xs_ctx);
if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR) {
if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR) {
ERR_clear_error();
}
i = 1;
rv = 2;
}
if (i > 0) {
chain = X509_STORE_CTX_get1_chain(&xs_ctx);
}
if (i <= 0) {
OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain,
SSL_R_CERTIFICATE_VERIFY_FAILED);
i = X509_STORE_CTX_get_error(&xs_ctx);
ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(i));
X509_STORE_CTX_cleanup(&xs_ctx);
goto err;
}
X509_STORE_CTX_cleanup(&xs_ctx);
if (cert->chain) {
sk_X509_pop_free(cert->chain, X509_free);
}
/* Remove EE certificate from chain */
x = sk_X509_shift(chain);
X509_free(x);
if (flags & SSL_BUILD_CHAIN_FLAG_NO_ROOT) {
if (sk_X509_num(chain) > 0) {
/* See if last cert is self signed */
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
X509_check_purpose(x, -1, 0);
if (x->ex_flags & EXFLAG_SS) {
x = sk_X509_pop(chain);
X509_free(x);
}
}
}
cert->chain = chain;
if (rv == 0) {
rv = 1;
}
err:
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) {
X509_STORE_free(chain_store);
}
return rv;
}
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) {
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) {
X509_STORE **pstore;
X509_STORE **pstore;
if (chain) {
if (chain) {