diff options
author | Matt Caswell <matt@openssl.org> | 2016-12-02 09:14:15 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-01-06 10:25:13 +0000 |
commit | e96e0f8e420c42f28b0e86c9cf757f152f696321 (patch) | |
tree | aa40a232274c0948c52af07df051ea75ecb37218 /ssl/ssl_cert.c | |
parent | f97d4c370844081e5e735711bd8b91979313ce7b (diff) |
Create Certificate messages in TLS1.3 format
Also updates TLSProxy to be able to understand the format and parse the
contained extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2020)
Diffstat (limited to 'ssl/ssl_cert.c')
-rw-r--r-- | ssl/ssl_cert.c | 110 |
1 files changed, 0 insertions, 110 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index f26e876014..9668976324 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -740,116 +740,6 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, return ret; } -/* Add a certificate to the WPACKET */ -static int ssl_add_cert_to_buf(WPACKET *pkt, X509 *x) -{ - int len; - unsigned char *outbytes; - - len = i2d_X509(x, NULL); - if (len < 0) { - SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); - return 0; - } - if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) - || i2d_X509(x, &outbytes) != len) { - SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_INTERNAL_ERROR); - return 0; - } - - return 1; -} - -/* Add certificate chain to internal SSL BUF_MEM structure */ -int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) -{ - int i, chain_count; - X509 *x; - STACK_OF(X509) *extra_certs; - STACK_OF(X509) *chain = NULL; - X509_STORE *chain_store; - - if (cpk == NULL || cpk->x509 == NULL) - return 1; - - x = cpk->x509; - - /* - * If we have a certificate specific chain use it, else use parent ctx. - */ - if (cpk->chain) - extra_certs = cpk->chain; - else - extra_certs = s->ctx->extra_certs; - - if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) - chain_store = NULL; - else if (s->cert->chain_store) - chain_store = s->cert->chain_store; - else - chain_store = s->ctx->cert_store; - - if (chain_store) { - X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new(); - - if (xs_ctx == NULL) { - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_MALLOC_FAILURE); - return (0); - } - if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { - X509_STORE_CTX_free(xs_ctx); - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB); - return (0); - } - /* - * It is valid for the chain not to be complete (because normally we - * don't include the root cert in the chain). Therefore we deliberately - * ignore the error return from this call. We're not actually verifying - * the cert - we're just building as much of the chain as we can - */ - (void)X509_verify_cert(xs_ctx); - /* Don't leave errors in the queue */ - ERR_clear_error(); - chain = X509_STORE_CTX_get0_chain(xs_ctx); - i = ssl_security_cert_chain(s, chain, NULL, 0); - if (i != 1) { -#if 0 - /* Dummy error calls so mkerr generates them */ - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL); - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL); - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); -#endif - X509_STORE_CTX_free(xs_ctx); - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); - return 0; - } - chain_count = sk_X509_num(chain); - for (i = 0; i < chain_count; i++) { - x = sk_X509_value(chain, i); - - if (!ssl_add_cert_to_buf(pkt, x)) { - X509_STORE_CTX_free(xs_ctx); - return 0; - } - } - X509_STORE_CTX_free(xs_ctx); - } else { - i = ssl_security_cert_chain(s, extra_certs, x, 0); - if (i != 1) { - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); - return 0; - } - if (!ssl_add_cert_to_buf(pkt, x)) - return 0; - for (i = 0; i < sk_X509_num(extra_certs); i++) { - x = sk_X509_value(extra_certs, i); - if (!ssl_add_cert_to_buf(pkt, x)) - return 0; - } - } - return 1; -} - /* Build a certificate chain for current certificate */ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) { |