Remove separate APIs for configuring chain and verify stores.
These are unused (new as of 1.0.2). Although being able to separate the two stores is a reasonable thing to do, we hope to remove the auto-chaining feature eventually. Given that, SSL_CTX_set_cert_store should suffice. This gets rid of two more ctrl macros. BUG=404754,486295 Change-Id: Id84de95d7b2ad5a14fc68a62bb2394f01fa67bb4 Reviewed-on: https://boringssl-review.googlesource.com/5672 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
7591064546
commit
d27441a9cb
@ -1990,8 +1990,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
||||
#define SSL_CTRL_SET_SIGALGS 97
|
||||
#define SSL_CTRL_SET_CLIENT_SIGALGS 101
|
||||
#define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
|
||||
#define SSL_CTRL_SET_VERIFY_CERT_STORE 106
|
||||
#define SSL_CTRL_SET_CHAIN_CERT_STORE 107
|
||||
|
||||
/* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
|
||||
* timeout in progress, it sets |*out| to the time remaining and returns one.
|
||||
@ -2086,24 +2084,6 @@ OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
|
||||
OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl,
|
||||
const uint8_t **out_types);
|
||||
|
||||
#define SSL_CTX_set0_verify_cert_store(ctx, st) \
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
|
||||
#define SSL_CTX_set1_verify_cert_store(ctx, st) \
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 1, (char *)st)
|
||||
#define SSL_CTX_set0_chain_cert_store(ctx, st) \
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHAIN_CERT_STORE, 0, (char *)st)
|
||||
#define SSL_CTX_set1_chain_cert_store(ctx, st) \
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHAIN_CERT_STORE, 1, (char *)st)
|
||||
|
||||
#define SSL_set0_verify_cert_store(s, st) \
|
||||
SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
|
||||
#define SSL_set1_verify_cert_store(s, st) \
|
||||
SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 1, (char *)st)
|
||||
#define SSL_set0_chain_cert_store(s, st) \
|
||||
SSL_ctrl(s, SSL_CTRL_SET_CHAIN_CERT_STORE, 0, (char *)st)
|
||||
#define SSL_set1_chain_cert_store(s, st) \
|
||||
SSL_ctrl(s, SSL_CTRL_SET_CHAIN_CERT_STORE, 1, (char *)st)
|
||||
|
||||
#define SSL_get1_curves(ctx, s) SSL_ctrl(ctx, SSL_CTRL_GET_CURVES, 0, (char *)s)
|
||||
#define SSL_CTX_set1_curves(ctx, clist, clistlen) \
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CURVES, clistlen, (char *)clist)
|
||||
|
@ -647,11 +647,6 @@ typedef struct cert_st {
|
||||
* supported signature algorithms or curves. */
|
||||
int (*cert_cb)(SSL *ssl, void *arg);
|
||||
void *cert_cb_arg;
|
||||
|
||||
/* Optional X509_STORE for chain building or certificate validation
|
||||
* If NULL the parent SSL_CTX store is used instead. */
|
||||
X509_STORE *chain_store;
|
||||
X509_STORE *verify_store;
|
||||
} CERT;
|
||||
|
||||
typedef struct sess_cert_st {
|
||||
@ -889,7 +884,6 @@ void ssl_cert_set_cert_cb(CERT *cert,
|
||||
|
||||
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
|
||||
int ssl_add_cert_chain(SSL *s, unsigned long *l);
|
||||
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
|
||||
void ssl_update_cache(SSL *s, int mode);
|
||||
|
||||
/* ssl_get_compatible_server_ciphers determines the key exchange and
|
||||
|
12
ssl/s3_lib.c
12
ssl/s3_lib.c
@ -420,12 +420,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
|
||||
}
|
||||
return ssl3_set_req_cert_type(s->cert, parg, larg);
|
||||
|
||||
case SSL_CTRL_SET_VERIFY_CERT_STORE:
|
||||
return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
|
||||
|
||||
case SSL_CTRL_SET_CHAIN_CERT_STORE:
|
||||
return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@ -448,12 +442,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
|
||||
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
|
||||
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
|
||||
|
||||
case SSL_CTRL_SET_VERIFY_CERT_STORE:
|
||||
return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
|
||||
|
||||
case SSL_CTRL_SET_CHAIN_CERT_STORE:
|
||||
return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
|
||||
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
|
@ -239,16 +239,6 @@ CERT *ssl_cert_dup(CERT *cert) {
|
||||
ret->cert_cb = cert->cert_cb;
|
||||
ret->cert_cb_arg = cert->cert_cb_arg;
|
||||
|
||||
if (cert->verify_store) {
|
||||
CRYPTO_refcount_inc(&cert->verify_store->references);
|
||||
ret->verify_store = cert->verify_store;
|
||||
}
|
||||
|
||||
if (cert->chain_store) {
|
||||
CRYPTO_refcount_inc(&cert->chain_store->references);
|
||||
ret->chain_store = cert->chain_store;
|
||||
}
|
||||
|
||||
return ret;
|
||||
|
||||
err:
|
||||
@ -284,8 +274,6 @@ void ssl_cert_free(CERT *c) {
|
||||
OPENSSL_free(c->client_sigalgs);
|
||||
OPENSSL_free(c->shared_sigalgs);
|
||||
OPENSSL_free(c->client_certificate_types);
|
||||
X509_STORE_free(c->verify_store);
|
||||
X509_STORE_free(c->chain_store);
|
||||
|
||||
OPENSSL_free(c);
|
||||
}
|
||||
@ -397,21 +385,14 @@ void ssl_sess_cert_free(SESS_CERT *sess_cert) {
|
||||
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) {
|
||||
X509 *x;
|
||||
int i;
|
||||
X509_STORE *verify_store;
|
||||
X509_STORE_CTX ctx;
|
||||
|
||||
if (s->cert->verify_store) {
|
||||
verify_store = s->cert->verify_store;
|
||||
} else {
|
||||
verify_store = s->ctx->cert_store;
|
||||
}
|
||||
|
||||
if (sk == NULL || sk_X509_num(sk) == 0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
x = sk_X509_value(sk, 0);
|
||||
if (!X509_STORE_CTX_init(&ctx, verify_store, x, sk)) {
|
||||
if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
|
||||
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
|
||||
return 0;
|
||||
}
|
||||
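Review bot: The new line `if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk))` makes the SSL_CTX's cert_store the only source of trust anchors for peer verification, and the `@ -765,7 +739,7` hunk of ssl_add_cert_chain builds the local certificate's chain from that same store, so the two roles the removed per-CERT fields kept separable are now merged, and that deserves a comment at this call. I would add above it `/* Verification and auto-chaining (ssl_add_cert_chain) share ssl->ctx->cert_store; a certificate added there to make chain building work is also a trust anchor here. */`. For callers that never set the per-CERT stores this appears to be no behavioral change, since the removed internal.h comment says the parent SSL_CTX store was already the fallback, but the note makes the shared-store consequence explicit for whoever configures the store. ssl_verify_cert_chain continues past the end of this hunk, so the X509_STORE_CTX cleanup on the remaining paths is not visible here.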
@ -734,19 +715,12 @@ int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {
|
||||
|
||||
X509 *x = cert->x509;
|
||||
STACK_OF(X509) *chain = cert->chain;
|
||||
X509_STORE *chain_store;
|
||||
|
||||
if (x == NULL) {
|
||||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ssl->cert->chain_store) {
|
||||
chain_store = ssl->cert->chain_store;
|
||||
} else {
|
||||
chain_store = ssl->ctx->cert_store;
|
||||
}
|
||||
|
||||
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) {
|
||||
no_chain = 1;
|
||||
}
|
||||
@ -765,7 +739,7 @@ int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {
|
||||
} else {
|
||||
X509_STORE_CTX xs_ctx;
|
||||
|
||||
if (!X509_STORE_CTX_init(&xs_ctx, chain_store, x, NULL)) {
|
||||
if (!X509_STORE_CTX_init(&xs_ctx, ssl->ctx->cert_store, x, NULL)) {
|
||||
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
|
||||
return 0;
|
||||
}
|
||||
@ -786,23 +760,6 @@ int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) {
|
||||
X509_STORE **pstore;
|
||||
if (chain) {
|
||||
pstore = &c->chain_store;
|
||||
} else {
|
||||
pstore = &c->verify_store;
|
||||
}
|
||||
|
||||
X509_STORE_free(*pstore);
|
||||
*pstore = store;
|
||||
|
||||
if (ref && store) {
|
||||
CRYPTO_refcount_inc(&store->references);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
|
||||
return ssl_cert_set0_chain(ctx->cert, chain);
|
||||
}
|
||||
|