diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7a30d551..7d008d23 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1990,8 +1990,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_SET_SIGALGS 97
 #define SSL_CTRL_SET_CLIENT_SIGALGS 101
 #define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
-#define SSL_CTRL_SET_VERIFY_CERT_STORE 106
-#define SSL_CTRL_SET_CHAIN_CERT_STORE 107
 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
 * timeout in progress, it sets |*out| to the time remaining and returns one.
@@ -2086,24 +2084,6 @@ OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
 OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl,
 const uint8_t **out_types);
-#define SSL_CTX_set0_verify_cert_store(ctx, st) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
-#define SSL_CTX_set1_verify_cert_store(ctx, st) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 1, (char *)st)
-#define SSL_CTX_set0_chain_cert_store(ctx, st) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHAIN_CERT_STORE, 0, (char *)st)
-#define SSL_CTX_set1_chain_cert_store(ctx, st) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHAIN_CERT_STORE, 1, (char *)st)
-
-#define SSL_set0_verify_cert_store(s, st) \
- SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
-#define SSL_set1_verify_cert_store(s, st) \
- SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 1, (char *)st)
-#define SSL_set0_chain_cert_store(s, st) \
- SSL_ctrl(s, SSL_CTRL_SET_CHAIN_CERT_STORE, 0, (char *)st)
-#define SSL_set1_chain_cert_store(s, st) \
- SSL_ctrl(s, SSL_CTRL_SET_CHAIN_CERT_STORE, 1, (char *)st)
-
 #define SSL_get1_curves(ctx, s) SSL_ctrl(ctx, SSL_CTRL_GET_CURVES, 0, (char *)s)
 #define SSL_CTX_set1_curves(ctx, clist, clistlen) \
 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CURVES, clistlen, (char *)clist)
diff --git a/ssl/internal.h b/ssl/internal.h
index 4acd3018..ac58f792 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -647,11 +647,6 @@ typedef struct cert_st {
 * supported signature algorithms or curves. */
 int (*cert_cb)(SSL *ssl, void *arg);
 void *cert_cb_arg;
-
- /* Optional X509_STORE for chain building or certificate validation
- * If NULL the parent SSL_CTX store is used instead. */
- X509_STORE *chain_store;
- X509_STORE *verify_store;
 } CERT;
 typedef struct sess_cert_st {
@@ -889,7 +884,6 @@ void ssl_cert_set_cert_cb(CERT *cert,
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
 int ssl_add_cert_chain(SSL *s, unsigned long *l);
-int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
 void ssl_update_cache(SSL *s, int mode);
 /* ssl_get_compatible_server_ciphers determines the key exchange and
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 6baf6f12..55c291c5 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -420,12 +420,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
 }
 return ssl3_set_req_cert_type(s->cert, parg, larg);
- case SSL_CTRL_SET_VERIFY_CERT_STORE:
- return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
-
- case SSL_CTRL_SET_CHAIN_CERT_STORE:
- return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
-
 default:
 break;
 }
@@ -448,12 +442,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
 case SSL_CTRL_SET_CLIENT_CERT_TYPES:
 return ssl3_set_req_cert_type(ctx->cert, parg, larg);
- case SSL_CTRL_SET_VERIFY_CERT_STORE:
- return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
-
- case SSL_CTRL_SET_CHAIN_CERT_STORE:
- return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
-
 default:
 return 0;
 }
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 7b019682..553d4c95 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -239,16 +239,6 @@ CERT *ssl_cert_dup(CERT *cert) {
 ret->cert_cb = cert->cert_cb;
 ret->cert_cb_arg = cert->cert_cb_arg;
- if (cert->verify_store) {
- CRYPTO_refcount_inc(&cert->verify_store->references);
- ret->verify_store = cert->verify_store;
- }
-
- if (cert->chain_store) {
- CRYPTO_refcount_inc(&cert->chain_store->references);
- ret->chain_store = cert->chain_store;
- }
-
 return ret;
 err:
@@ -284,8 +274,6 @@ void ssl_cert_free(CERT *c) {
 OPENSSL_free(c->client_sigalgs);
 OPENSSL_free(c->shared_sigalgs);
 OPENSSL_free(c->client_certificate_types);
- X509_STORE_free(c->verify_store);
- X509_STORE_free(c->chain_store);
 OPENSSL_free(c);
 }
@@ -397,21 +385,14 @@ void ssl_sess_cert_free(SESS_CERT *sess_cert) {
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) {
 X509 *x;
 int i;
- X509_STORE *verify_store;
 X509_STORE_CTX ctx;
- if (s->cert->verify_store) {
- verify_store = s->cert->verify_store;
- } else {
- verify_store = s->ctx->cert_store;
- }
-
 if (sk == NULL || sk_X509_num(sk) == 0) {
 return 0;
 }
 x = sk_X509_value(sk, 0);
- if (!X509_STORE_CTX_init(&ctx, verify_store, x, sk)) {
+ if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
 return 0;
 }
@@ -734,19 +715,12 @@ int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {
 X509 *x = cert->x509;
 STACK_OF(X509) *chain = cert->chain;
- X509_STORE *chain_store;
 if (x == NULL) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
 return 0;
 }
- if (ssl->cert->chain_store) {
- chain_store = ssl->cert->chain_store;
- } else {
- chain_store = ssl->ctx->cert_store;
- }
-
 if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) {
 no_chain = 1;
 }
@@ -765,7 +739,7 @@ int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {
 } else {
 X509_STORE_CTX xs_ctx;
- if (!X509_STORE_CTX_init(&xs_ctx, chain_store, x, NULL)) {
+ if (!X509_STORE_CTX_init(&xs_ctx, ssl->ctx->cert_store, x, NULL)) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
 return 0;
 }
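Review bot: The new `X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)` call in ssl_verify_cert_chain makes the SSL_CTX's store the only source of trust anchors for peer verification, and nothing at the call site says so now that the per-CERT override is gone; a reader who still expects a per-connection store should see it stated, e.g. `/* Trust anchors come only from the SSL_CTX's cert_store; there is no per-SSL override. */` directly above the init. The empty-chain guard a few lines earlier returns 0 without queuing an error, so a caller that maps failure to the error queue sees nothing for that case; whether that is deliberate depends on the callers, which are not in this diff. ssl_verify_cert_chain continues past the end of the hunk, so the cleanup of the stack-allocated `ctx` and the actual verify call are outside what I can check here.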
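Review bot: In the auto-chain branch of ssl_add_cert_chain the issuer search is now rooted at `ssl->ctx->cert_store`, i.e. the same store used to verify peers, and the hunk does not document that coupling; intermediates must be loaded into that store for the sent chain to be complete, and anything in the trust store is eligible to be emitted as part of the server's chain. I would add above the init: `/* Auto-chain: issuers are looked up in the SSL_CTX's verification store; supply an explicit chain or set SSL_MODE_NO_AUTO_CHAIN to bypass this. */`. This is the else-branch of a condition that starts outside the hunk, and the function continues past it, so the `xs_ctx` cleanup is not visible from here.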
@@ -786,23 +760,6 @@ int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {
 return 1;
 }
-int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) {
- X509_STORE **pstore;
- if (chain) {
- pstore = &c->chain_store;
- } else {
- pstore = &c->verify_store;
- }
-
- X509_STORE_free(*pstore);
- *pstore = store;
-
- if (ref && store) {
- CRYPTO_refcount_inc(&store->references);
- }
- return 1;
-}
-
 int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
 return ssl_cert_set0_chain(ctx->cert, chain);
 }