diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2004-09-06 18:43:01 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2004-09-06 18:43:01 +0000 |
| commit | 5d7c222db8f26a53c00646cc1dde2bdded38027e (patch) | |
| tree | 7ce0523e1f46b97b427eec9c348e79c3221a8ccc /ssl | |
| parent | d993addbed0a3502c3fa6ef2ae2bd9b7fd002d01 (diff) | |
New X509_VERIFY_PARAM structure and associated functionality.
This tidies up verify parameters and adds support for integrated policy
checking.
Add support for policy related command line options. Currently only in smime
application.
WARNING: experimental code subject to change.
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/ssl.h | 10 | ||||
| -rw-r--r-- | ssl/ssl_cert.c | 14 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 41 |
3 files changed, 47 insertions, 18 deletions
@@ -711,7 +711,6 @@ struct ssl_ctx_st void *msg_callback_arg; int verify_mode; - int verify_depth; unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ @@ -719,8 +718,12 @@ struct ssl_ctx_st /* Default generate session ID callback. */ GEN_SESSION_CB generate_session_id; + X509_VERIFY_PARAM *param; + +#if 0 int purpose; /* Purpose setting */ int trust; /* Trust setting */ +#endif int quiet_shutdown; }; @@ -861,8 +864,12 @@ struct ssl_st int hit; /* reusing a previous session */ + X509_VERIFY_PARAM *param; + +#if 0 int purpose; /* Purpose setting */ int trust; /* Trust setting */ +#endif /* crypto */ STACK_OF(SSL_CIPHER) *cipher_list; @@ -907,7 +914,6 @@ struct ssl_st /* Used in SSL2 and SSL3 */ int verify_mode; /* 0 don't care about verify failure. * 1 fail if verify fails */ - int verify_depth; int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 4cab28a200..b515c064a8 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -483,20 +483,22 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB); return(0); } + if (s->param) + X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx), + s->param); +#if 0 if (SSL_get_verify_depth(s) >= 0) X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s)); +#endif X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s); - /* We need to set the verify purpose. The purpose can be determined by + /* We need to inherit the verify parameters. These can be determined by * the context: if its a server it will verify SSL client certificates * or vice versa. */ - if (s->server) - i = X509_PURPOSE_SSL_CLIENT; - else - i = X509_PURPOSE_SSL_SERVER; - X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust); + X509_STORE_CTX_set_default(&ctx, + s->server ? "ssl_client" : "ssl_server"); if (s->verify_callback) X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 7da3dda900..fb092813e7 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -276,14 +276,23 @@ SSL *SSL_new(SSL_CTX *ctx) s->msg_callback=ctx->msg_callback; s->msg_callback_arg=ctx->msg_callback_arg; s->verify_mode=ctx->verify_mode; +#if 0 s->verify_depth=ctx->verify_depth; +#endif s->sid_ctx_length=ctx->sid_ctx_length; OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); s->verify_callback=ctx->default_verify_callback; s->generate_session_id=ctx->generate_session_id; + + s->param = X509_VERIFY_PARAM_new(); + if (!s->param) + goto err; + X509_VERIFY_PARAM_inherit(s->param, ctx->param); +#if 0 s->purpose = ctx->purpose; s->trust = ctx->trust; +#endif s->quiet_shutdown=ctx->quiet_shutdown; CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); @@ -397,22 +406,22 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) { - return X509_PURPOSE_set(&s->purpose, purpose); + return X509_VERIFY_PARAM_set_purpose(s->param, purpose); } int SSL_set_purpose(SSL *s, int purpose) { - return X509_PURPOSE_set(&s->purpose, purpose); + return X509_VERIFY_PARAM_set_purpose(s->param, purpose); } int SSL_CTX_set_trust(SSL_CTX *s, int trust) { - return X509_TRUST_set(&s->trust, trust); + return X509_VERIFY_PARAM_set_trust(s->param, trust); } int SSL_set_trust(SSL *s, int trust) { - return X509_TRUST_set(&s->trust, trust); + return X509_VERIFY_PARAM_set_trust(s->param, trust); } void SSL_free(SSL *s) @@ -435,6 +444,9 @@ void SSL_free(SSL *s) } #endif + if (s->param) + X509_VERIFY_PARAM_free(s->param); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); if (s->bbio != NULL) @@ -647,7 +659,7 @@ int SSL_get_verify_mode(SSL *s) int SSL_get_verify_depth(SSL *s) { - return(s->verify_depth); + return X509_VERIFY_PARAM_get_depth(s->param); } int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *) @@ -662,7 +674,7 @@ int SSL_CTX_get_verify_mode(SSL_CTX *ctx) int SSL_CTX_get_verify_depth(SSL_CTX *ctx) { - return(ctx->verify_depth); + return X509_VERIFY_PARAM_get_depth(ctx->param); } int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *) @@ -680,7 +692,7 @@ void SSL_set_verify(SSL *s,int mode, void SSL_set_verify_depth(SSL *s,int depth) { - s->verify_depth=depth; + X509_VERIFY_PARAM_set_depth(s->param, depth); } void SSL_set_read_ahead(SSL *s,int yes) @@ -1345,7 +1357,9 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) ret->msg_callback=0; ret->msg_callback_arg=NULL; ret->verify_mode=SSL_VERIFY_NONE; +#if 0 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ +#endif ret->sid_ctx_length=0; ret->default_verify_callback=NULL; if ((ret->cert=ssl_cert_new()) == NULL) @@ -1371,6 +1385,10 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) goto err2; } + ret->param = X509_VERIFY_PARAM_new(); + if (!ret->param) + goto err; + if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); @@ -1427,6 +1445,9 @@ void SSL_CTX_free(SSL_CTX *a) } #endif + if (a->param) + X509_VERIFY_PARAM_free(a->param); + /* * Free internal session cache. However: the remove_cb() may reference * the ex_data of SSL_CTX, thus the ex_data store can only be removed @@ -1489,7 +1510,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) { - ctx->verify_depth=depth; + X509_VERIFY_PARAM_set_depth(ctx->param, depth); } void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) @@ -2117,8 +2138,8 @@ SSL *SSL_dup(SSL *s) ret->rstate=s->rstate; ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ ret->hit=s->hit; - ret->purpose=s->purpose; - ret->trust=s->trust; + + X509_VERIFY_PARAM_inherit(ret->param, s->param); /* dup the cipher_list and cipher_list_by_id stacks */ if (s->cipher_list != NULL) |