callbacks.
Submitted by:
Reviewed by:
PR:
Changes between 0.9.2b and 0.9.3
+ *) Support verify_depth from the SSL API.
+ x509_vfy.c had what can be considered an off-by-one-error:
+ Its depth (which was not part of the external interface)
+ was actually counting the number of certificates in a chain;
+ now it really counts the depth.
+ [Bodo Moeller]
+
*) New function SSL_CTX_set_session_id_context that allows to set a default
value (so that you don't need SSL_set_session_id_context for each
connection using the SSL_CTX).
ctx->last_untrusted=0;
ctx->valid=0;
ctx->chain=NULL;
- ctx->depth=10;
+ ctx->depth=9;
ctx->error=0;
ctx->current_cert=NULL;
memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
for (;;)
{
/* If we have enough, we break */
- if (depth <= num) break;
+ if (depth < num) break;
/* If we are self signed, we break */
xn=X509_get_issuer_name(x);
for (;;)
{
/* If we have enough, we break */
- if (depth <= num) break;
+ if (depth < num) break;
/* If we are self signed, we break */
xn=X509_get_issuer_name(x);
CRYPTO_EX_DATA ex_data;
int references;
- int depth; /* how deep to look (still unused) */
+ int depth; /* how deep to look (still unused -- X509_STORE_CTX's depth is used) */
} X509_STORE;
#define X509_STORE_set_depth(ctx,d) ((ctx)->depth=(d))
/* This is a temporary used when processing cert chains. Since the
* gathering of the cert chain can take some time (and have to be
* 'retried', this needs to be kept and passed around. */
-struct x509_store_state_st
+struct x509_store_state_st /* X509_STORE_CTX */
{
X509_STORE *ctx;
int current_method; /* used when looking up certs */
CRYPTO_EX_DATA ex_data;
};
+#define X509_STORE_CTX_set_depth(ctx,d) ((ctx)->depth=(d))
+
#define X509_STORE_CTX_set_app_data(ctx,data) \
X509_STORE_CTX_set_ex_data(ctx,0,data)
#define X509_STORE_CTX_get_app_data(ctx) \
/**/ struct cert_st /* CERT */ *default_cert;
/**/ int read_ahead;
/**/ int verify_mode;
+/**/ int verify_depth;
/**/ unsigned int sid_ctx_length;
/**/ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
/**/ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
/* Used in SSL2 and SSL3 */
int verify_mode; /* 0 don't care about verify failure.
* 1 fail if verify fails */
+ int verify_depth;
int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
void (*info_callback)(); /* optional informational callback */
int SSL_set_cipher_list(SSL *s, char *str);
void SSL_set_read_ahead(SSL *s, int yes);
int SSL_get_verify_mode(SSL *s);
+int SSL_get_verify_depth(SSL *s);
int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
void SSL_set_verify(SSL *s, int mode,
int (*callback)(int ok,X509_STORE_CTX *ctx));
+void SSL_set_verify_depth(SSL *s, int depth);
#ifndef NO_RSA
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
#endif
STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
int (*callback)(int, X509_STORE_CTX *));
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg);
#ifndef NO_RSA
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
x=sk_X509_value(sk,0);
X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
+ if (SSL_get_verify_depth(s) >= 0)
+ X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
(char *)s);
s->sid_ctx_length=ctx->sid_ctx_length;
memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
s->verify_mode=ctx->verify_mode;
+ s->verify_depth=ctx->verify_depth;
s->verify_callback=ctx->default_verify_callback;
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->ctx=ctx;
return(s->verify_mode);
}
+int SSL_get_verify_depth(SSL *s)
+ {
+ return(s->verify_depth);
+ }
+
int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
{
return(s->verify_callback);
return(ctx->verify_mode);
}
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+ {
+ return(ctx->verify_depth);
+ }
+
int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
{
return(ctx->default_verify_callback);
s->verify_callback=callback;
}
+void SSL_set_verify_depth(SSL *s,int depth)
+ {
+ s->verify_depth=depth;
+ }
+
void SSL_set_read_ahead(SSL *s,int yes)
{
s->read_ahead=yes;
ret->read_ahead=0;
ret->verify_mode=SSL_VERIFY_NONE;
+ ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
ret->default_verify_callback=NULL;
if ((ret->default_cert=ssl_cert_new()) == NULL)
goto err;
X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
}
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
+ {
+ ctx->verify_depth=depth;
+ }
+
/* Need default_cert to check for callbacks, for now (see comment in CERT
strucure)
*/
SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
SSL_set_verify(ret,SSL_get_verify_mode(s),
SSL_get_verify_callback(s));
+ SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
SSL_set_info_callback(ret,SSL_get_info_callback(s));
projects / oweals / openssl.git / commitdiff