kris
/
boringssl
1
0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
2017 Revīzijas
12 Atzari
38 MiB
 
 
 
 
 
 
Koks: 7104cc96b7
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '7104cc96b7'
${ noResults }
boringssl/ssl/ssl_cert.c

559 rindas
16 KiB
Neapstrādāts Vainot Vēsture 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  112.  * ECC cipher suite support in OpenSSL originally developed by

  113.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  114. 

  115. #include <openssl/ssl.h>

  116. 

  117. #include <string.h>

  118. 

  119. #include <openssl/bn.h>

  120. #include <openssl/buf.h>

  121. #include <openssl/ec_key.h>

  122. #include <openssl/dh.h>

  123. #include <openssl/err.h>

  124. #include <openssl/mem.h>

  125. #include <openssl/x509.h>

  126. #include <openssl/x509v3.h>

  127. 

  128. #include "../crypto/dh/internal.h"

  129. #include "../crypto/internal.h"

  130. #include "internal.h"

  131. 

  132. 

  133. int SSL_get_ex_data_X509_STORE_CTX_idx(void) {

  134.   /* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the

  135.    * reserved app_data slot. Before ex_data was introduced, app_data was used.

  136.    * Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|

  137.    * works. */

  138.   return 0;

  139. }

  140. 

  141. CERT *ssl_cert_new(void) {

  142.   CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));

  143.   if (ret == NULL) {

  144.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  145.     return NULL;

  146.   }

  147.   memset(ret, 0, sizeof(CERT));

  148. 

  149.   return ret;

  150. }

  151. 

  152. CERT *ssl_cert_dup(CERT *cert) {

  153.   CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));

  154.   if (ret == NULL) {

  155.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  156.     return NULL;

  157.   }

  158.   memset(ret, 0, sizeof(CERT));

  159. 

  160.   ret->mask_k = cert->mask_k;

  161.   ret->mask_a = cert->mask_a;

  162. 

  163.   if (cert->dh_tmp != NULL) {

  164.     ret->dh_tmp = DHparams_dup(cert->dh_tmp);

  165.     if (ret->dh_tmp == NULL) {

  166.       OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);

  167.       goto err;

  168.     }

  169.     if (cert->dh_tmp->priv_key) {

  170.       BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);

  171.       if (!b) {

  172.         OPENSSL_PUT_ERROR(SSL, ERR_R_BN_LIB);

  173.         goto err;

  174.       }

  175.       ret->dh_tmp->priv_key = b;

  176.     }

  177.     if (cert->dh_tmp->pub_key) {

  178.       BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);

  179.       if (!b) {

  180.         OPENSSL_PUT_ERROR(SSL, ERR_R_BN_LIB);

  181.         goto err;

  182.       }

  183.       ret->dh_tmp->pub_key = b;

  184.     }

  185.   }

  186.   ret->dh_tmp_cb = cert->dh_tmp_cb;

  187. 

  188.   ret->ecdh_nid = cert->ecdh_nid;

  189.   ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;

  190. 

  191.   if (cert->x509 != NULL) {

  192.     ret->x509 = X509_up_ref(cert->x509);

  193.   }

  194. 

  195.   if (cert->privatekey != NULL) {

  196.     ret->privatekey = EVP_PKEY_up_ref(cert->privatekey);

  197.   }

  198. 

  199.   if (cert->chain) {

  200.     ret->chain = X509_chain_up_ref(cert->chain);

  201.     if (!ret->chain) {

  202.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  203.       goto err;

  204.     }

  205.   }

  206. 

  207.   ret->cert_cb = cert->cert_cb;

  208.   ret->cert_cb_arg = cert->cert_cb_arg;

  209. 

  210.   return ret;

  211. 

  212. err:

  213.   ssl_cert_free(ret);

  214.   return NULL;

  215. }

  216. 

  217. /* Free up and clear all certificates and chains */

  218. void ssl_cert_clear_certs(CERT *cert) {

  219.   if (cert == NULL) {

  220.     return;

  221.   }

  222. 

  223.   X509_free(cert->x509);

  224.   cert->x509 = NULL;

  225.   EVP_PKEY_free(cert->privatekey);

  226.   cert->privatekey = NULL;

  227.   sk_X509_pop_free(cert->chain, X509_free);

  228.   cert->chain = NULL;

  229.   cert->key_method = NULL;

  230. }

  231. 

  232. void ssl_cert_free(CERT *c) {

  233.   if (c == NULL) {

  234.     return;

  235.   }

  236. 

  237.   DH_free(c->dh_tmp);

  238. 

  239.   ssl_cert_clear_certs(c);

  240.   OPENSSL_free(c->peer_sigalgs);

  241.   OPENSSL_free(c->digest_nids);

  242. 

  243.   OPENSSL_free(c);

  244. }

  245. 

  246. int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) {

  247.   sk_X509_pop_free(cert->chain, X509_free);

  248.   cert->chain = chain;

  249.   return 1;

  250. }

  251. 

  252. int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {

  253.   STACK_OF(X509) *dchain;

  254.   if (chain == NULL) {

  255.     return ssl_cert_set0_chain(cert, NULL);

  256.   }

  257. 

  258.   dchain = X509_chain_up_ref(chain);

  259.   if (dchain == NULL) {

  260.     return 0;

  261.   }

  262. 

  263.   if (!ssl_cert_set0_chain(cert, dchain)) {

  264.     sk_X509_pop_free(dchain, X509_free);

  265.     return 0;

  266.   }

  267. 

  268.   return 1;

  269. }

  270. 

  271. int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) {

  272.   if (cert->chain == NULL) {

  273.     cert->chain = sk_X509_new_null();

  274.   }

  275.   if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) {

  276.     return 0;

  277.   }

  278. 

  279.   return 1;

  280. }

  281. 

  282. int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) {

  283.   if (!ssl_cert_add0_chain_cert(cert, x509)) {

  284.     return 0;

  285.   }

  286. 

  287.   X509_up_ref(x509);

  288.   return 1;

  289. }

  290. 

  291. void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg) {

  292.   c->cert_cb = cb;

  293.   c->cert_cb_arg = arg;

  294. }

  295. 

  296. int ssl_verify_cert_chain(SSL *ssl, STACK_OF(X509) *cert_chain) {

  297.   if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {

  298.     return 0;

  299.   }

  300. 

  301.   X509 *leaf = sk_X509_value(cert_chain, 0);

  302.   int ret = 0;

  303.   X509_STORE_CTX ctx;

  304.   if (!X509_STORE_CTX_init(&ctx, ssl->ctx->cert_store, leaf, cert_chain)) {

  305.     OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);

  306.     return 0;

  307.   }

  308.   if (!X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(),

  309.                                   ssl)) {

  310.     goto err;

  311.   }

  312. 

  313.   /* We need to inherit the verify parameters. These can be determined by the

  314.    * context: if its a server it will verify SSL client certificates or vice

  315.    * versa. */

  316.   X509_STORE_CTX_set_default(&ctx, ssl->server ? "ssl_client" : "ssl_server");

  317. 

  318.   /* Anything non-default in "param" should overwrite anything in the ctx. */

  319.   X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), ssl->param);

  320. 

  321.   if (ssl->verify_callback) {

  322.     X509_STORE_CTX_set_verify_cb(&ctx, ssl->verify_callback);

  323.   }

  324. 

  325.   if (ssl->ctx->app_verify_callback != NULL) {

  326.     ret = ssl->ctx->app_verify_callback(&ctx, ssl->ctx->app_verify_arg);

  327.   } else {

  328.     ret = X509_verify_cert(&ctx);

  329.   }

  330. 

  331.   ssl->verify_result = ctx.error;

  332. 

  333. err:

  334.   X509_STORE_CTX_cleanup(&ctx);

  335.   return ret;

  336. }

  337. 

  338. static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,

  339.                                STACK_OF(X509_NAME) *name_list) {

  340.   sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);

  341.   *ca_list = name_list;

  342. }

  343. 

  344. STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {

  345.   STACK_OF(X509_NAME) *ret = sk_X509_NAME_new_null();

  346.   if (ret == NULL) {

  347.     return NULL;

  348.   }

  349. 

  350.   size_t i;

  351.   for (i = 0; i < sk_X509_NAME_num(list); i++) {

  352.       X509_NAME *name = X509_NAME_dup(sk_X509_NAME_value(list, i));

  353.     if (name == NULL || !sk_X509_NAME_push(ret, name)) {

  354.       X509_NAME_free(name);

  355.       sk_X509_NAME_pop_free(ret, X509_NAME_free);

  356.       return NULL;

  357.     }

  358.   }

  359. 

  360.   return ret;

  361. }

  362. 

  363. void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) {

  364.   set_client_CA_list(&ssl->client_CA, name_list);

  365. }

  366. 

  367. void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {

  368.   set_client_CA_list(&ctx->client_CA, name_list);

  369. }

  370. 

  371. STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {

  372.   return ctx->client_CA;

  373. }

  374. 

  375. STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {

  376.   /* For historical reasons, this function is used both to query configuration

  377.    * state on a server as well as handshake state on a client. However, whether

  378.    * |ssl| is a client or server is not known until explicitly configured with

  379.    * |SSL_set_connect_state|. If |handshake_func| is NULL, |ssl| is in an

  380.    * indeterminate mode and |ssl->server| is unset. */

  381.   if (ssl->handshake_func != NULL && !ssl->server) {

  382.     return ssl->s3->tmp.ca_names;

  383.   }

  384. 

  385.   if (ssl->client_CA != NULL) {

  386.     return ssl->client_CA;

  387.   }

  388.   return ssl->ctx->client_CA;

  389. }

  390. 

  391. static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x509) {

  392.   X509_NAME *name;

  393. 

  394.   if (x509 == NULL) {

  395.     return 0;

  396.   }

  397.   if (*sk == NULL) {

  398.     *sk = sk_X509_NAME_new_null();

  399.     if (*sk == NULL) {

  400.       return 0;

  401.     }

  402.   }

  403. 

  404.   name = X509_NAME_dup(X509_get_subject_name(x509));

  405.   if (name == NULL) {

  406.     return 0;

  407.   }

  408. 

  409.   if (!sk_X509_NAME_push(*sk, name)) {

  410.     X509_NAME_free(name);

  411.     return 0;

  412.   }

  413. 

  414.   return 1;

  415. }

  416. 

  417. int SSL_add_client_CA(SSL *ssl, X509 *x509) {

  418.   return add_client_CA(&ssl->client_CA, x509);

  419. }

  420. 

  421. int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {

  422.   return add_client_CA(&ctx->client_CA, x509);

  423. }

  424. 

  425. /* Add a certificate to a BUF_MEM structure */

  426. static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) {

  427.   int n;

  428.   uint8_t *p;

  429. 

  430.   n = i2d_X509(x, NULL);

  431.   if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) {

  432.     OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);

  433.     return 0;

  434.   }

  435.   p = (uint8_t *)&(buf->data[*l]);

  436.   l2n3(n, p);

  437.   i2d_X509(x, &p);

  438.   *l += n + 3;

  439. 

  440.   return 1;

  441. }

  442. 

  443. /* Add certificate chain to internal SSL BUF_MEM structure. */

  444. int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {

  445.   CERT *cert = ssl->cert;

  446.   BUF_MEM *buf = ssl->init_buf;

  447.   int no_chain = 0;

  448.   size_t i;

  449. 

  450.   X509 *x = cert->x509;

  451.   STACK_OF(X509) *chain = cert->chain;

  452. 

  453.   if (x == NULL) {

  454.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);

  455.     return 0;

  456.   }

  457. 

  458.   if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) {

  459.     no_chain = 1;

  460.   }

  461. 

  462.   if (no_chain) {

  463.     if (!ssl_add_cert_to_buf(buf, l, x)) {

  464.       return 0;

  465.     }

  466. 

  467.     for (i = 0; i < sk_X509_num(chain); i++) {

  468.       x = sk_X509_value(chain, i);

  469.       if (!ssl_add_cert_to_buf(buf, l, x)) {

  470.         return 0;

  471.       }

  472.     }

  473.   } else {

  474.     X509_STORE_CTX xs_ctx;

  475. 

  476.     if (!X509_STORE_CTX_init(&xs_ctx, ssl->ctx->cert_store, x, NULL)) {

  477.       OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);

  478.       return 0;

  479.     }

  480.     X509_verify_cert(&xs_ctx);

  481.     /* Don't leave errors in the queue */

  482.     ERR_clear_error();

  483.     for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {

  484.       x = sk_X509_value(xs_ctx.chain, i);

  485. 

  486.       if (!ssl_add_cert_to_buf(buf, l, x)) {

  487.         X509_STORE_CTX_cleanup(&xs_ctx);

  488.         return 0;

  489.       }

  490.     }

  491.     X509_STORE_CTX_cleanup(&xs_ctx);

  492.   }

  493. 

  494.   return 1;

  495. }

  496. 

  497. int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {

  498.   return ssl_cert_set0_chain(ctx->cert, chain);

  499. }

  500. 

  501. int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {

  502.   return ssl_cert_set1_chain(ctx->cert, chain);

  503. }

  504. 

  505. int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) {

  506.   return ssl_cert_set0_chain(ssl->cert, chain);

  507. }

  508. 

  509. int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) {

  510.   return ssl_cert_set1_chain(ssl->cert, chain);

  511. }

  512. 

  513. int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) {

  514.   return ssl_cert_add0_chain_cert(ctx->cert, x509);

  515. }

  516. 

  517. int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) {

  518.   return ssl_cert_add1_chain_cert(ctx->cert, x509);

  519. }

  520. 

  521. int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) {

  522.   return SSL_CTX_add0_chain_cert(ctx, x509);

  523. }

  524. 

  525. int SSL_add0_chain_cert(SSL *ssl, X509 *x509) {

  526.   return ssl_cert_add0_chain_cert(ssl->cert, x509);

  527. }

  528. 

  529. int SSL_add1_chain_cert(SSL *ssl, X509 *x509) {

  530.   return ssl_cert_add1_chain_cert(ssl->cert, x509);

  531. }

  532. 

  533. int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) {

  534.   return SSL_CTX_set0_chain(ctx, NULL);

  535. }

  536. 

  537. int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) {

  538.   return SSL_CTX_clear_chain_certs(ctx);

  539. }

  540. 

  541. int SSL_clear_chain_certs(SSL *ssl) {

  542.   return SSL_set0_chain(ssl, NULL);

  543. }

  544. 

  545. int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {

  546.   *out_chain = ctx->cert->chain;

  547.   return 1;

  548. }

  549. 

  550. int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,

  551.                                   STACK_OF(X509) **out_chain) {

  552.   return SSL_CTX_get0_chain_certs(ctx, out_chain);

  553. }

  554. 

  555. int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {

  556.   *out_chain = ssl->cert->chain;

  557.   return 1;

  558. }