kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add |SSL_get0_server_requested_CAs|.

Browse Source 
This function is a |CRYPTO_BUFFER|-based method for getting the X.509
names from a CertificateRequest.

Change-Id: Ife26f726d3c1a055b332656678c2bc560b5a66ec
Reviewed-on: https://boringssl-review.googlesource.com/14013
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
Adam Langley 2017-03-02 12:56:32 -08:00 committed by CQ bot account: commit-bot@chromium.org
parent 919d8cf94e
commit d6c22ee938
3 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
include/openssl/ssl.h
View File

@ -2338,6 +2338,16 @@ OPENSSL_EXPORT void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,
* when the handshake is paused because of them. */ * when the handshake is paused because of them. */
OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl); OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl);
/* SSL_get0_server_requested_CAs returns the CAs sent by a server to guide a
* client in certificate selection. They are a series of DER-encoded X.509
* names. This function may only be called during a callback set by
* |SSL_CTX_set_cert_cb| or when the handshake is paused because of it.
*
* The returned stack is owned by |ssl|, as are its contents. It should not be
* used past the point where the handshake is restarted after the callback. */
OPENSSL_EXPORT STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(
const SSL *ssl);
/* SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list. */ /* SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list. */
OPENSSL_EXPORT STACK_OF(X509_NAME) * OPENSSL_EXPORT STACK_OF(X509_NAME) *
SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);

7
ssl/ssl_cert.c
View File

@ -705,6 +705,13 @@ void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {
ssl_cert_set_cert_cb(ssl->cert, cb, arg); ssl_cert_set_cert_cb(ssl->cert, cb, arg);
} }
STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {
if (ssl->s3->hs == NULL) {
return NULL;
}
return ssl->s3->hs->ca_names;
}
int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
const CRYPTO_BUFFER *leaf) { const CRYPTO_BUFFER *leaf) {
SSL *const ssl = hs->ssl; SSL *const ssl = hs->ssl;

8
ssl/test/bssl_shim.cc
View File

@ -626,6 +626,14 @@ static bool CheckCertificateRequest(SSL *ssl) {
return false; return false;
} }
} }
STACK_OF(CRYPTO_BUFFER) *buffers = SSL_get0_server_requested_CAs(ssl);
if (sk_CRYPTO_BUFFER_num(buffers) != num_received) {
fprintf(stderr,
"Mismatch between SSL_get_server_requested_CAs and "
"SSL_get_client_CA_list.\n");
return false;
}
} }
return true; return true;