OCSP stapling and SCT extensions go under certificate verification.

This mirrors how the server halves fall under configuring certificates.

Change-Id: I9bde85eecfaff6487eeb887c88cb8bb0c36b83d8
Reviewed-on: https://boringssl-review.googlesource.com/5961
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2015-09-20 00:00:28 -04:00 committed by Adam Langley
parent 0cfea3411a
commit d3a53c8fd9

View File

@ -1583,8 +1583,11 @@ OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,
* certificate verification externally. This may be done with
* |SSL_CTX_set_cert_verify_callback| or by extracting the chain with
* |SSL_get_peer_cert_chain| after the handshake. In the future, functions will
* be added to use the SSL stack without depending on any part of the legacy
* X.509 and ASN.1 stack. */
* be added to use the SSL stack without dependency on any part of the legacy
* X.509 and ASN.1 stack.
*
* To augment certificate verification, a client may also enable OCSP stapling
* (RFC 6066) and Certificate Transparency (RFC 6962) extensions. */
/* SSL_VERIFY_NONE, on a client, verifies the server certificate but does not
* make errors fatal. The result may be checked with |SSL_get_verify_result|. On
@ -1750,6 +1753,44 @@ OPENSSL_EXPORT void SSL_CTX_set_cert_verify_callback(
SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *store_ctx, void *arg),
void *arg);
/* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end
* of a connection) to request SCTs from the server. See
* https://tools.ietf.org/html/rfc6962. It returns one. */
OPENSSL_EXPORT int SSL_enable_signed_cert_timestamps(SSL *ssl);
/* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL
* objects created from |ctx|. */
OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx);
/* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to
* |*out_len| bytes of SCT information from the server. This is only valid if
* |ssl| is a client. The SCT information is a SignedCertificateTimestampList
* (including the two leading length bytes).
* See https://tools.ietf.org/html/rfc6962#section-3.3
* If no SCT was received then |*out_len| will be zero on return.
*
* WARNING: the returned data is not guaranteed to be well formed. */
OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl,
const uint8_t **out,
size_t *out_len);
/* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a
* connection) to request a stapled OCSP response from the server. It returns
* one. */
OPENSSL_EXPORT int SSL_enable_ocsp_stapling(SSL *ssl);
/* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects
* created from |ctx|. */
OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx);
/* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len|
* bytes of an OCSP response from the server. This is the DER encoding of an
* OCSPResponse type as defined in RFC 2560.
*
* WARNING: the returned data is not guaranteed to be well formed. */
OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
size_t *out_len);
/* Client certificate CA list.
*
@ -2348,43 +2389,6 @@ OPENSSL_EXPORT void SSL_CTX_set_client_cert_cb(
OPENSSL_EXPORT int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl,
X509 **x509,
EVP_PKEY **pkey);
/* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end
* of a connection) to request SCTs from the server. See
* https://tools.ietf.org/html/rfc6962. It returns one. */
OPENSSL_EXPORT int SSL_enable_signed_cert_timestamps(SSL *ssl);
/* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL
* objects created from |ctx|. */
OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx);
/* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a
* connection) to request a stapled OCSP response from the server. It returns
* one. */
OPENSSL_EXPORT int SSL_enable_ocsp_stapling(SSL *ssl);
/* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects
* created from |ctx|. */
OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx);
/* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to
* |*out_len| bytes of SCT information from the server. This is only valid if
* |ssl| is a client. The SCT information is a SignedCertificateTimestampList
* (including the two leading length bytes).
* See https://tools.ietf.org/html/rfc6962#section-3.3
* If no SCT was received then |*out_len| will be zero on return.
*
* WARNING: the returned data is not guaranteed to be well formed. */
OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl,
const uint8_t **out,
size_t *out_len);
/* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len|
* bytes of an OCSP response from the server. This is the DER encoding of an
* OCSPResponse type as defined in RFC 2560.
*
* WARNING: the returned data is not guaranteed to be well formed. */
OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
size_t *out_len);
#define SSL_NOTHING 1
#define SSL_WRITING 2