kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2548 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 3ed24f0502
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3ed24f0502'
${ noResults }
boringssl/ssl/ssl_cert.c

580 lines
17 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  112.  * ECC cipher suite support in OpenSSL originally developed by

  113.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  114. 

  115. #include <openssl/ssl.h>

  116. 

  117. #include <string.h>

  118. 

  119. #include <openssl/bn.h>

  120. #include <openssl/buf.h>

  121. #include <openssl/ec_key.h>

  122. #include <openssl/dh.h>

  123. #include <openssl/err.h>

  124. #include <openssl/mem.h>

  125. #include <openssl/x509.h>

  126. #include <openssl/x509v3.h>

  127. 

  128. #include "../crypto/dh/internal.h"

  129. #include "../crypto/internal.h"

  130. #include "internal.h"

  131. 

  132. 

  133. int SSL_get_ex_data_X509_STORE_CTX_idx(void) {

  134.   /* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the

  135.    * reserved app_data slot. Before ex_data was introduced, app_data was used.

  136.    * Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|

  137.    * works. */

  138.   return 0;

  139. }

  140. 

  141. CERT *ssl_cert_new(void) {

  142.   CERT *ret = OPENSSL_malloc(sizeof(CERT));

  143.   if (ret == NULL) {

  144.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  145.     return NULL;

  146.   }

  147.   memset(ret, 0, sizeof(CERT));

  148. 

  149.   return ret;

  150. }

  151. 

  152. CERT *ssl_cert_dup(CERT *cert) {

  153.   CERT *ret = OPENSSL_malloc(sizeof(CERT));

  154.   if (ret == NULL) {

  155.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  156.     return NULL;

  157.   }

  158.   memset(ret, 0, sizeof(CERT));

  159. 

  160.   ret->mask_k = cert->mask_k;

  161.   ret->mask_a = cert->mask_a;

  162. 

  163.   if (cert->dh_tmp != NULL) {

  164.     ret->dh_tmp = DHparams_dup(cert->dh_tmp);

  165.     if (ret->dh_tmp == NULL) {

  166.       OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);

  167.       goto err;

  168.     }

  169.   }

  170.   ret->dh_tmp_cb = cert->dh_tmp_cb;

  171. 

  172.   if (cert->x509 != NULL) {

  173.     ret->x509 = X509_up_ref(cert->x509);

  174.   }

  175. 

  176.   if (cert->privatekey != NULL) {

  177.     ret->privatekey = EVP_PKEY_up_ref(cert->privatekey);

  178.   }

  179. 

  180.   if (cert->chain) {

  181.     ret->chain = X509_chain_up_ref(cert->chain);

  182.     if (!ret->chain) {

  183.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  184.       goto err;

  185.     }

  186.   }

  187. 

  188.   ret->key_method = cert->key_method;

  189. 

  190.   ret->cert_cb = cert->cert_cb;

  191.   ret->cert_cb_arg = cert->cert_cb_arg;

  192. 

  193.   if (cert->verify_store != NULL) {

  194.     X509_STORE_up_ref(cert->verify_store);

  195.     ret->verify_store = cert->verify_store;

  196.   }

  197. 

  198.   return ret;

  199. 

  200. err:

  201.   ssl_cert_free(ret);

  202.   return NULL;

  203. }

  204. 

  205. /* Free up and clear all certificates and chains */

  206. void ssl_cert_clear_certs(CERT *cert) {

  207.   if (cert == NULL) {

  208.     return;

  209.   }

  210. 

  211.   X509_free(cert->x509);

  212.   cert->x509 = NULL;

  213.   EVP_PKEY_free(cert->privatekey);

  214.   cert->privatekey = NULL;

  215.   sk_X509_pop_free(cert->chain, X509_free);

  216.   cert->chain = NULL;

  217.   cert->key_method = NULL;

  218. }

  219. 

  220. void ssl_cert_free(CERT *c) {

  221.   if (c == NULL) {

  222.     return;

  223.   }

  224. 

  225.   DH_free(c->dh_tmp);

  226. 

  227.   ssl_cert_clear_certs(c);

  228.   OPENSSL_free(c->peer_sigalgs);

  229.   OPENSSL_free(c->digest_nids);

  230.   X509_STORE_free(c->verify_store);

  231. 

  232.   OPENSSL_free(c);

  233. }

  234. 

  235. int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) {

  236.   sk_X509_pop_free(cert->chain, X509_free);

  237.   cert->chain = chain;

  238.   return 1;

  239. }

  240. 

  241. int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {

  242.   STACK_OF(X509) *dchain;

  243.   if (chain == NULL) {

  244.     return ssl_cert_set0_chain(cert, NULL);

  245.   }

  246. 

  247.   dchain = X509_chain_up_ref(chain);

  248.   if (dchain == NULL) {

  249.     return 0;

  250.   }

  251. 

  252.   if (!ssl_cert_set0_chain(cert, dchain)) {

  253.     sk_X509_pop_free(dchain, X509_free);

  254.     return 0;

  255.   }

  256. 

  257.   return 1;

  258. }

  259. 

  260. int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) {

  261.   if (cert->chain == NULL) {

  262.     cert->chain = sk_X509_new_null();

  263.   }

  264.   if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) {

  265.     return 0;

  266.   }

  267. 

  268.   return 1;

  269. }

  270. 

  271. int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) {

  272.   if (!ssl_cert_add0_chain_cert(cert, x509)) {

  273.     return 0;

  274.   }

  275. 

  276.   X509_up_ref(x509);

  277.   return 1;

  278. }

  279. 

  280. void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg) {

  281.   c->cert_cb = cb;

  282.   c->cert_cb_arg = arg;

  283. }

  284. 

  285. int ssl_verify_cert_chain(SSL *ssl, STACK_OF(X509) *cert_chain) {

  286.   if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {

  287.     return 0;

  288.   }

  289. 

  290.   X509_STORE *verify_store = ssl->ctx->cert_store;

  291.   if (ssl->cert->verify_store != NULL) {

  292.     verify_store = ssl->cert->verify_store;

  293.   }

  294. 

  295.   X509 *leaf = sk_X509_value(cert_chain, 0);

  296.   int ret = 0;

  297.   X509_STORE_CTX ctx;

  298.   if (!X509_STORE_CTX_init(&ctx, verify_store, leaf, cert_chain)) {

  299.     OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);

  300.     return 0;

  301.   }

  302.   if (!X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(),

  303.                                   ssl)) {

  304.     goto err;

  305.   }

  306. 

  307.   /* We need to inherit the verify parameters. These can be determined by the

  308.    * context: if its a server it will verify SSL client certificates or vice

  309.    * versa. */

  310.   X509_STORE_CTX_set_default(&ctx, ssl->server ? "ssl_client" : "ssl_server");

  311. 

  312.   /* Anything non-default in "param" should overwrite anything in the ctx. */

  313.   X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), ssl->param);

  314. 

  315.   if (ssl->verify_callback) {

  316.     X509_STORE_CTX_set_verify_cb(&ctx, ssl->verify_callback);

  317.   }

  318. 

  319.   if (ssl->ctx->app_verify_callback != NULL) {

  320.     ret = ssl->ctx->app_verify_callback(&ctx, ssl->ctx->app_verify_arg);

  321.   } else {

  322.     ret = X509_verify_cert(&ctx);

  323.   }

  324. 

  325.   ssl->verify_result = ctx.error;

  326. 

  327. err:

  328.   X509_STORE_CTX_cleanup(&ctx);

  329.   return ret;

  330. }

  331. 

  332. static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,

  333.                                STACK_OF(X509_NAME) *name_list) {

  334.   sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);

  335.   *ca_list = name_list;

  336. }

  337. 

  338. STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {

  339.   STACK_OF(X509_NAME) *ret = sk_X509_NAME_new_null();

  340.   if (ret == NULL) {

  341.     return NULL;

  342.   }

  343. 

  344.   size_t i;

  345.   for (i = 0; i < sk_X509_NAME_num(list); i++) {

  346.       X509_NAME *name = X509_NAME_dup(sk_X509_NAME_value(list, i));

  347.     if (name == NULL || !sk_X509_NAME_push(ret, name)) {

  348.       X509_NAME_free(name);

  349.       sk_X509_NAME_pop_free(ret, X509_NAME_free);

  350.       return NULL;

  351.     }

  352.   }

  353. 

  354.   return ret;

  355. }

  356. 

  357. void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) {

  358.   set_client_CA_list(&ssl->client_CA, name_list);

  359. }

  360. 

  361. void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {

  362.   set_client_CA_list(&ctx->client_CA, name_list);

  363. }

  364. 

  365. STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {

  366.   return ctx->client_CA;

  367. }

  368. 

  369. STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {

  370.   /* For historical reasons, this function is used both to query configuration

  371.    * state on a server as well as handshake state on a client. However, whether

  372.    * |ssl| is a client or server is not known until explicitly configured with

  373.    * |SSL_set_connect_state|. If |handshake_func| is NULL, |ssl| is in an

  374.    * indeterminate mode and |ssl->server| is unset. */

  375.   if (ssl->handshake_func != NULL && !ssl->server) {

  376.     return ssl->s3->tmp.ca_names;

  377.   }

  378. 

  379.   if (ssl->client_CA != NULL) {

  380.     return ssl->client_CA;

  381.   }

  382.   return ssl->ctx->client_CA;

  383. }

  384. 

  385. static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x509) {

  386.   X509_NAME *name;

  387. 

  388.   if (x509 == NULL) {

  389.     return 0;

  390.   }

  391.   if (*sk == NULL) {

  392.     *sk = sk_X509_NAME_new_null();

  393.     if (*sk == NULL) {

  394.       return 0;

  395.     }

  396.   }

  397. 

  398.   name = X509_NAME_dup(X509_get_subject_name(x509));

  399.   if (name == NULL) {

  400.     return 0;

  401.   }

  402. 

  403.   if (!sk_X509_NAME_push(*sk, name)) {

  404.     X509_NAME_free(name);

  405.     return 0;

  406.   }

  407. 

  408.   return 1;

  409. }

  410. 

  411. int SSL_add_client_CA(SSL *ssl, X509 *x509) {

  412.   return add_client_CA(&ssl->client_CA, x509);

  413. }

  414. 

  415. int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {

  416.   return add_client_CA(&ctx->client_CA, x509);

  417. }

  418. 

  419. /* Add a certificate to a BUF_MEM structure */

  420. static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) {

  421.   int n;

  422.   uint8_t *p;

  423. 

  424.   n = i2d_X509(x, NULL);

  425.   if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) {

  426.     OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);

  427.     return 0;

  428.   }

  429.   p = (uint8_t *)&(buf->data[*l]);

  430.   l2n3(n, p);

  431.   i2d_X509(x, &p);

  432.   *l += n + 3;

  433. 

  434.   return 1;

  435. }

  436. 

  437. /* Add certificate chain to internal SSL BUF_MEM structure. */

  438. int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {

  439.   CERT *cert = ssl->cert;

  440.   BUF_MEM *buf = ssl->init_buf;

  441.   int no_chain = 0;

  442.   size_t i;

  443. 

  444.   X509 *x = cert->x509;

  445.   STACK_OF(X509) *chain = cert->chain;

  446. 

  447.   if (x == NULL) {

  448.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);

  449.     return 0;

  450.   }

  451. 

  452.   if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) {

  453.     no_chain = 1;

  454.   }

  455. 

  456.   if (no_chain) {

  457.     if (!ssl_add_cert_to_buf(buf, l, x)) {

  458.       return 0;

  459.     }

  460. 

  461.     for (i = 0; i < sk_X509_num(chain); i++) {

  462.       x = sk_X509_value(chain, i);

  463.       if (!ssl_add_cert_to_buf(buf, l, x)) {

  464.         return 0;

  465.       }

  466.     }

  467.   } else {

  468.     X509_STORE_CTX xs_ctx;

  469. 

  470.     if (!X509_STORE_CTX_init(&xs_ctx, ssl->ctx->cert_store, x, NULL)) {

  471.       OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);

  472.       return 0;

  473.     }

  474.     X509_verify_cert(&xs_ctx);

  475.     /* Don't leave errors in the queue */

  476.     ERR_clear_error();

  477.     for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {

  478.       x = sk_X509_value(xs_ctx.chain, i);

  479. 

  480.       if (!ssl_add_cert_to_buf(buf, l, x)) {

  481.         X509_STORE_CTX_cleanup(&xs_ctx);

  482.         return 0;

  483.       }

  484.     }

  485.     X509_STORE_CTX_cleanup(&xs_ctx);

  486.   }

  487. 

  488.   return 1;

  489. }

  490. 

  491. static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store, int take_ref) {

  492.   X509_STORE_free(*store_ptr);

  493.   *store_ptr = new_store;

  494. 

  495.   if (new_store != NULL && take_ref) {

  496.     X509_STORE_up_ref(new_store);

  497.   }

  498. 

  499.   return 1;

  500. }

  501. 

  502. int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {

  503.   return set_cert_store(&ctx->cert->verify_store, store, 0);

  504. }

  505. 

  506. int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {

  507.   return set_cert_store(&ctx->cert->verify_store, store, 1);

  508. }

  509. 

  510. int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store) {

  511.   return set_cert_store(&ssl->cert->verify_store, store, 0);

  512. }

  513. 

  514. int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {

  515.   return set_cert_store(&ssl->cert->verify_store, store, 1);

  516. }

  517. 

  518. int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {

  519.   return ssl_cert_set0_chain(ctx->cert, chain);

  520. }

  521. 

  522. int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {

  523.   return ssl_cert_set1_chain(ctx->cert, chain);

  524. }

  525. 

  526. int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) {

  527.   return ssl_cert_set0_chain(ssl->cert, chain);

  528. }

  529. 

  530. int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) {

  531.   return ssl_cert_set1_chain(ssl->cert, chain);

  532. }

  533. 

  534. int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) {

  535.   return ssl_cert_add0_chain_cert(ctx->cert, x509);

  536. }

  537. 

  538. int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) {

  539.   return ssl_cert_add1_chain_cert(ctx->cert, x509);

  540. }

  541. 

  542. int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) {

  543.   return SSL_CTX_add0_chain_cert(ctx, x509);

  544. }

  545. 

  546. int SSL_add0_chain_cert(SSL *ssl, X509 *x509) {

  547.   return ssl_cert_add0_chain_cert(ssl->cert, x509);

  548. }

  549. 

  550. int SSL_add1_chain_cert(SSL *ssl, X509 *x509) {

  551.   return ssl_cert_add1_chain_cert(ssl->cert, x509);

  552. }

  553. 

  554. int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) {

  555.   return SSL_CTX_set0_chain(ctx, NULL);

  556. }

  557. 

  558. int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) {

  559.   return SSL_CTX_clear_chain_certs(ctx);

  560. }

  561. 

  562. int SSL_clear_chain_certs(SSL *ssl) {

  563.   return SSL_set0_chain(ssl, NULL);

  564. }

  565. 

  566. int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {

  567.   *out_chain = ctx->cert->chain;

  568.   return 1;

  569. }

  570. 

  571. int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,

  572.                                   STACK_OF(X509) **out_chain) {

  573.   return SSL_CTX_get0_chain_certs(ctx, out_chain);

  574. }

  575. 

  576. int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {

  577.   *out_chain = ssl->cert->chain;

  578.   return 1;

  579. }