Move SSL_get_peer_* to Connection information.

This is arguably more commonly queried connection information than the
tls-unique.

Change-Id: I1f080536153ba9f178af8e92cb43b03df37110b5
Reviewed-on: https://boringssl-review.googlesource.com/5874
Reviewed-by: Adam Langley <agl@google.com>
David Benjamin 2015-09-13 01:03:54 -04:00 committed by Adam Langley
parent 27bbae4682
commit ee0c82789a
2 changed files with 64 additions and 64 deletions


@ -941,6 +941,21 @@ OPENSSL_EXPORT void SSL_set_private_key_method(
/* Connection information. */
/* SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the
* peer did not use certificates. The caller must call |X509_free| on the
* result to release it. */
OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);
/* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
* unavailable or the peer did not use certificates. For historical reasons,
* this may not be available if resuming a serialized |SSL_SESSION|. The caller
* does not take ownership of the result.
*
* WARNING: This function behaves differently between client and server. If
* |ssl| is a server, the returned chain does not include the leaf certificate.
* If a client, it does. */
OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
/* SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value
* for |ssl| to |out| and sets |*out_len| to the number of bytes written. It
* returns one on success or zero on error. In general |max_out| should be at
@ -2380,21 +2395,6 @@ OPENSSL_EXPORT int SSL_SESSION_to_bytes_for_ticket(SSL_SESSION *in,
OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in,
size_t in_len);
/* SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the
* peer did not use certificates. The caller must call |X509_free| on the
* result to release it. */
OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);
/* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
* unavailable or the peer did not use certificates. For historical reasons,
* this may not be available if resuming a serialized |SSL_SESSION|. The caller
* does not take ownership of the result.
*
* WARNING: This function behaves differently between client and server. If
* |ssl| is a server, the returned chain does not include the leaf certificate.
* If a client, it does. */
OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
OPENSSL_EXPORT int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
OPENSSL_EXPORT int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
OPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
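Review bot: The relocated comment on SSL_get_peer_certificate (hunk at -941) says NULL means "the peer did not use certificates", but the implementation this commit moves in ssl_lib.c also returns NULL whenever |ssl->session| is NULL, i.e. before any handshake has produced a session, so a NULL result does not by itself tell a caller whether the peer declined to present a certificate or the handshake simply has not completed; the comment should say so. More important for callers that authorize on the peer identity, nothing in the moved code ties the returned certificate to the verification outcome — it is simply whatever was stored in the session — so I would add a caveat along the lines of `WARNING: the certificate is returned regardless of whether verification succeeded; consult the verify result (presumably |SSL_get_verify_result|, or a verify callback) before trusting it.` The same applies to SSL_get_peer_cert_chain, which already carries a client/server WARNING and would be a natural place for it. The two declarations are complete within this hunk; the SSL_get_tls_unique comment that follows is cut at the hunk edge.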


@ -868,6 +868,55 @@ uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {
uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
X509 *SSL_get_peer_certificate(const SSL *ssl) {
if (ssl == NULL || ssl->session == NULL || ssl->session->peer == NULL) {
return NULL;
}
return X509_up_ref(ssl->session->peer);
}
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
if (ssl == NULL || ssl->session == NULL) {
return NULL;
}
return ssl->session->cert_chain;
}
int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out) {
/* The tls-unique value is the first Finished message in the handshake, which
* is the client's in a full handshake and the server's for a resumption. See
* https://tools.ietf.org/html/rfc5929#section-3.1. */
const uint8_t *finished = ssl->s3->previous_client_finished;
size_t finished_len = ssl->s3->previous_client_finished_len;
if (ssl->hit) {
/* tls-unique is broken for resumed sessions unless EMS is used. */
if (!ssl->session->extended_master_secret) {
goto err;
}
finished = ssl->s3->previous_server_finished;
finished_len = ssl->s3->previous_server_finished_len;
}
if (!ssl->s3->initial_handshake_complete ||
ssl->version < TLS1_VERSION) {
goto err;
}
*out_len = finished_len;
if (finished_len > max_out) {
*out_len = max_out;
}
memcpy(out, finished, *out_len);
return 1;
err:
*out_len = 0;
memset(out, 0, max_out);
return 0;
}
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx,
unsigned int sid_ctx_len) {
if (sid_ctx_len > sizeof ctx->sid_ctx) {
@ -1187,20 +1236,6 @@ int SSL_pending(const SSL *s) {
: 0;
}
X509 *SSL_get_peer_certificate(const SSL *ssl) {
if (ssl == NULL || ssl->session == NULL || ssl->session->peer == NULL) {
return NULL;
}
return X509_up_ref(ssl->session->peer);
}
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
if (ssl == NULL || ssl->session == NULL) {
return NULL;
}
return ssl->session->cert_chain;
}
/* Fix this so it checks all the valid key/cert options */
int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
if (ctx->cert->x509 == NULL) {
@ -2745,41 +2780,6 @@ int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key,
EVP_AEAD_CTX_get_rc4_state(&ssl->aead_write_ctx->ctx, write_key);
}
int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out) {
/* The tls-unique value is the first Finished message in the handshake, which
* is the client's in a full handshake and the server's for a resumption. See
* https://tools.ietf.org/html/rfc5929#section-3.1. */
const uint8_t *finished = ssl->s3->previous_client_finished;
size_t finished_len = ssl->s3->previous_client_finished_len;
if (ssl->hit) {
/* tls-unique is broken for resumed sessions unless EMS is used. */
if (!ssl->session->extended_master_secret) {
goto err;
}
finished = ssl->s3->previous_server_finished;
finished_len = ssl->s3->previous_server_finished_len;
}
if (!ssl->s3->initial_handshake_complete ||
ssl->version < TLS1_VERSION) {
goto err;
}
*out_len = finished_len;
if (finished_len > max_out) {
*out_len = max_out;
}
memcpy(out, finished, *out_len);
return 1;
err:
*out_len = 0;
memset(out, 0, max_out);
return 0;
}
int SSL_clear(SSL *ssl) {
if (ssl->method == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_METHOD_SPECIFIED);