author | Rich Salz <rsalz@openssl.org> | 2016-04-14 23:59:26 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-04-15 13:21:43 -0400 |
commit | f0e0fd51fd8307f6eae64862ad9aaea113f1177a (patch) | |
tree | b00de87cb2fd4dc437de5994d3c8028dd9262460 /ssl | |
parent | 34da11b39d2421f546ec568f355875eec353844c (diff) |
Make many X509_xxx types opaque.
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP,
and X509_LOOKUP_METHOD opaque.
Remove unused X509_CERT_FILE_CTX
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_cert.c | 95 |
1 files changed, 56 insertions, 39 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 24ac352d1d..04a4a36d77 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -475,25 +475,31 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 {
 X509 *x;
- int i;
+ int i = 0;
 X509_STORE *verify_store;
- X509_STORE_CTX ctx;
+ X509_STORE_CTX *ctx = NULL;
 X509_VERIFY_PARAM *param;
+ if ((sk == NULL) || (sk_X509_num(sk) == 0))
+ return 0;
+
 if (s->cert->verify_store)
 verify_store = s->cert->verify_store;
 else
 verify_store = s->ctx->cert_store;
- if ((sk == NULL) || (sk_X509_num(sk) == 0))
- return (0);
+ ctx = X509_STORE_CTX_new();
+ if (ctx == NULL) {
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
 x = sk_X509_value(sk, 0);
- if (!X509_STORE_CTX_init(&ctx, verify_store, x, sk)) {
+ if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) {
 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
- return (0);
+ goto end;
 }
- param = X509_STORE_CTX_get0_param(&ctx);
+ param = X509_STORE_CTX_get0_param(ctx);
 /*
 * XXX: Separate @AUTHSECLEVEL and @TLSSECLEVEL would be useful at some
 * point, for now a single @SECLEVEL sets the same policy for TLS crypto
@@ -502,12 +508,12 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
 /* Set suite B flags if needed */
- X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s));
- X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
+ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
+ X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
 /* Verify via DANE if enabled */
 if (DANETLS_ENABLED(&s->dane))
- X509_STORE_CTX_set0_dane(&ctx, &s->dane);
+ X509_STORE_CTX_set0_dane(ctx, &s->dane);
 /*
 * We need to inherit the verify parameters. These can be determined by
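Review bot: The two early failure exits in ssl_verify_cert_chain leave `s->verify_result` untouched: the new `X509_STORE_CTX_new()` NULL branch returns 0 directly, and the `X509_STORE_CTX_init` failure now does `goto end`, while the only assignment to `s->verify_result` sits after the verify call in a later hunk. If any caller tolerates a zero return in some verify modes (the callers are not shown here, so this needs confirming), an application that later reads the verify result could see a stale value for a chain that was never checked. Consider recording a failure code on both paths, e.g. `s->verify_result = X509_V_ERR_OUT_OF_MEM;` before the `return 0;` and `s->verify_result = X509_V_ERR_UNSPECIFIED;` before `goto end;`. The function body continues past this hunk; the `end:` label is added further down.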
@@ -515,25 +521,25 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 * vice versa.
 */
- X509_STORE_CTX_set_default(&ctx, s->server ? "ssl_client" : "ssl_server");
+ X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server");
 /*
 * Anything non-default in "s->param" should overwrite anything in the ctx.
 */
 X509_VERIFY_PARAM_set1(param, s->param);
 if (s->verify_callback)
- X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
+ X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback);
 if (s->ctx->app_verify_callback != NULL)
- i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
+ i = s->ctx->app_verify_callback(ctx, s->ctx->app_verify_arg);
 else
- i = X509_verify_cert(&ctx);
+ i = X509_verify_cert(ctx);
- s->verify_result = ctx.error;
+ s->verify_result = X509_STORE_CTX_get_error(ctx);
 sk_X509_pop_free(s->verified_chain, X509_free);
 s->verified_chain = NULL;
- if (X509_STORE_CTX_get_chain(&ctx) != NULL) {
- s->verified_chain = X509_STORE_CTX_get1_chain(&ctx);
+ if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
+ s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
 if (s->verified_chain == NULL) {
 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
 i = 0;
@@ -543,9 +549,9 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 /* Move peername from the store context params to the SSL handle's */
 X509_VERIFY_PARAM_move_peername(s->param, param);
- X509_STORE_CTX_cleanup(&ctx);
-
- return (i);
+end:
+ X509_STORE_CTX_free(ctx);
+ return i;
 }
 static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
@@ -846,10 +852,10 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
 int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
 {
 BUF_MEM *buf = s->init_buf;
- int i;
-
+ int i, chain_count;
 X509 *x;
 STACK_OF(X509) *extra_certs;
+ STACK_OF(X509) *chain = NULL;
 X509_STORE *chain_store;
 /* TLSv1 sends a chain with nothing in it, instead of an alert */
@@ -879,9 +885,14 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
 chain_store = s->ctx->cert_store;
 if (chain_store) {
- X509_STORE_CTX xs_ctx;
+ X509_STORE_CTX* xs_ctx = X509_STORE_CTX_new();
- if (!X509_STORE_CTX_init(&xs_ctx, chain_store, x, NULL)) {
+ if (xs_ctx == NULL) {
+ SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
+ return (0);
+ }
+ if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
+ X509_STORE_CTX_free(xs_ctx);
 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
 return (0);
 }
@@ -891,30 +902,32 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
 * ignore the error return from this call. We're not actually verifying
 * the cert - we're just building as much of the chain as we can
 */
- (void) X509_verify_cert(&xs_ctx);
+ (void) X509_verify_cert(xs_ctx);
 /* Don't leave errors in the queue */
 ERR_clear_error();
- i = ssl_security_cert_chain(s, xs_ctx.chain, NULL, 0);
+ chain = X509_STORE_CTX_get0_chain(xs_ctx);
+ i = ssl_security_cert_chain(s, chain, NULL, 0);
 if (i != 1) {
- X509_STORE_CTX_cleanup(&xs_ctx);
 #if 0
 /* Dummy error calls so mkerr generates them */
 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
 #endif
+ X509_STORE_CTX_free(xs_ctx);
 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i);
 return 0;
 }
- for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
- x = sk_X509_value(xs_ctx.chain, i);
+ chain_count = sk_X509_num(chain);
+ for (i = 0; i < chain_count; i++) {
+ x = sk_X509_value(chain, i);
 if (!ssl_add_cert_to_buf(buf, l, x)) {
- X509_STORE_CTX_cleanup(&xs_ctx);
+ X509_STORE_CTX_free(xs_ctx);
 return 0;
 }
 }
- X509_STORE_CTX_cleanup(&xs_ctx);
+ X509_STORE_CTX_free(xs_ctx);
 } else {
 i = ssl_security_cert_chain(s, extra_certs, x, 0);
 if (i != 1) {
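Review bot: The added declaration `X509_STORE_CTX* xs_ctx = X509_STORE_CTX_new();` binds the `*` to the type, while every other pointer declaration in this patch binds it to the name; write `X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();`. The new allocation-failure branch also uses `return (0);`, although the same commit rewrites that form to `return 0;` in ssl_verify_cert_chain. Separately, xs_ctx is now freed by hand on every exit of this block (here and in the following hunk), where the other two functions touched by the patch use a single cleanup label; one label would make a missed free on a later early return less likely. The enclosing function starts and ends outside this hunk.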
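Review bot: `chain = X509_STORE_CTX_get0_chain(xs_ctx);` is handed straight to `ssl_security_cert_chain(s, chain, NULL, 0)` even though the return of `X509_verify_cert` is deliberately ignored just above, so nothing here establishes that `chain` is non-NULL if chain building failed early (for example on allocation failure). ssl_security_cert_chain is not shown on this page, so whether it tolerates a NULL stack together with a NULL leaf argument should be confirmed. An explicit `if (chain == NULL)` branch after the get0 call that frees xs_ctx, raises an SSLerr and returns 0 would make that failure mode visible instead of leaving it to the callee. The function body starts and ends outside this hunk.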
@@ -938,7 +951,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
 CERT *c = s ? s->cert : ctx->cert;
 CERT_PKEY *cpk = c->key;
 X509_STORE *chain_store = NULL;
- X509_STORE_CTX xs_ctx;
+ X509_STORE_CTX *xs_ctx = NULL;
 STACK_OF(X509) *chain = NULL, *untrusted = NULL;
 X509 *x;
 int i, rv = 0;
@@ -984,15 +997,20 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
 untrusted = cpk->chain;
 }
- if (!X509_STORE_CTX_init(&xs_ctx, chain_store, cpk->x509, untrusted)) {
+ xs_ctx = X509_STORE_CTX_new();
+ if (xs_ctx == NULL) {
+ SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!X509_STORE_CTX_init(xs_ctx, chain_store, cpk->x509, untrusted)) {
 SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, ERR_R_X509_LIB);
 goto err;
 }
 /* Set suite B flags if needed */
- X509_STORE_CTX_set_flags(&xs_ctx,
+ X509_STORE_CTX_set_flags(xs_ctx,
 c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS);
- i = X509_verify_cert(&xs_ctx);
+ i = X509_verify_cert(xs_ctx);
 if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR) {
 if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR)
 ERR_clear_error();
@@ -1000,17 +1018,15 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
 rv = 2;
 }
 if (i > 0)
- chain = X509_STORE_CTX_get1_chain(&xs_ctx);
+ chain = X509_STORE_CTX_get1_chain(xs_ctx);
 if (i <= 0) {
 SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, SSL_R_CERTIFICATE_VERIFY_FAILED);
- i = X509_STORE_CTX_get_error(&xs_ctx);
+ i = X509_STORE_CTX_get_error(xs_ctx);
 ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(i));
- X509_STORE_CTX_cleanup(&xs_ctx);
 goto err;
 }
- X509_STORE_CTX_cleanup(&xs_ctx);
 /* Remove EE certificate from chain */
 x = sk_X509_shift(chain);
 X509_free(x);
@@ -1045,6 +1061,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
 err:
 if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)
 X509_STORE_free(chain_store);
+ X509_STORE_CTX_free(xs_ctx);
 return rv;
 } |
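Review bot: In the `@@ -1000,17 +1018,15 @@` hunk the result of `chain = X509_STORE_CTX_get1_chain(xs_ctx);` reaches `x = sk_X509_shift(chain);` without a NULL check, whereas ssl_verify_cert_chain in this same patch treats a NULL return from get1_chain as ERR_R_MALLOC_FAILURE. Now that xs_ctx is released at `err:`, a guard ahead of the shift is cheap: `if (chain == NULL) { SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, ERR_R_MALLOC_FAILURE); goto err; }`. What the rest of the function does with a NULL chain lies outside the hunk, so the practical effect should be confirmed against the full body.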