From 926a56bfe380e82ebd07c79ccc7d1d9524c0aca6 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 10 May 2001 00:13:59 +0000 Subject: [PATCH] Purpose and trust setting functions for X509_STORE. Tidy existing code. --- CHANGES | 5 +++++ crypto/x509/x509.h | 5 ++++- crypto/x509/x509_err.c | 2 ++ crypto/x509/x509_lu.c | 11 +++++++++++ crypto/x509/x509_trs.c | 10 ++++++++++ crypto/x509/x509_vfy.h | 2 ++ crypto/x509v3/v3_purp.c | 10 ++++++++++ crypto/x509v3/v3err.c | 2 ++ crypto/x509v3/x509v3.h | 5 ++++- ssl/ssl_lib.c | 30 +++++------------------------- 10 files changed, 55 insertions(+), 27 deletions(-) diff --git a/CHANGES b/CHANGES index e0b2838c29..dfbc0e764f 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,11 @@ *) applies to 0.9.6a (/0.9.6b) and 0.9.7 +) applies to 0.9.7 only + +) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle + setting of purpose and trust fields. New X509_STORE trust and + purpose functions and tidy up setting in other SSL functions. + [Steve Henson] + +) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE structure. These are inherited by X509_STORE_CTX when it is initialised. This allows various defaults to be set in the diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 2b9d1050b7..16a5653b1d 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -886,6 +886,7 @@ int X509_alias_set1(X509 *x, unsigned char *name, int len); int X509_keyid_set1(X509 *x, unsigned char *id, int len); unsigned char * X509_alias_get0(X509 *x, int *len); int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int); +int X509_TRUST_set(int *t, int trust); int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); void X509_trust_clear(X509 *x); 
@@ -1173,6 +1174,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp); /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ +void ERR_load_X509_strings(void); /* Error codes for the X509 functions. */ @@ -1214,6 +1216,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp); #define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 134 #define X509_F_X509_TO_X509_REQ 126 #define X509_F_X509_TRUST_ADD 133 +#define X509_F_X509_TRUST_SET 141 #define X509_F_X509_VERIFY_CERT 127 /* Reason codes. */ @@ -1224,6 +1227,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp); #define X509_R_ERR_ASN1_LIB 102 #define X509_R_INVALID_DIRECTORY 113 #define X509_R_INVALID_FIELD_NAME 119 +#define X509_R_INVALID_TRUST 123 #define X509_R_KEY_TYPE_MISMATCH 115 #define X509_R_KEY_VALUES_MISMATCH 116 #define X509_R_LOADING_CERT_DIR 103 @@ -1244,4 +1248,3 @@ int X509_TRUST_get_trust(X509_TRUST *xp); } #endif #endif - diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index 6dd3a9731f..fa72c162e9 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -103,6 +103,7 @@ static ERR_STRING_DATA X509_str_functs[]= {ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0), "X509_STORE_CTX_purpose_inherit"}, {ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"}, {ERR_PACK(0,X509_F_X509_TRUST_ADD,0), "X509_TRUST_add"}, +{ERR_PACK(0,X509_F_X509_TRUST_SET,0), "X509_TRUST_set"}, {ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"}, {0,NULL} }; @@ -116,6 +117,7 @@ static ERR_STRING_DATA X509_str_reasons[]= {X509_R_ERR_ASN1_LIB ,"err asn1 lib"}, {X509_R_INVALID_DIRECTORY ,"invalid directory"}, {X509_R_INVALID_FIELD_NAME ,"invalid field name"}, +{X509_R_INVALID_TRUST ,"invalid trust"}, {X509_R_KEY_TYPE_MISMATCH ,"key type mismatch"}, {X509_R_KEY_VALUES_MISMATCH ,"key values mismatch"}, {X509_R_LOADING_CERT_DIR ,"loading cert dir"}, 
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index fe9fbca315..a298343a4f 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -60,6 +60,7 @@ #include "cryptlib.h" #include #include +#include static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL; @@ -544,5 +545,15 @@ void X509_STORE_set_flags(X509_STORE *ctx, long flags) ctx->flags |= flags; } +int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) + { + return X509_PURPOSE_set(&ctx->purpose, purpose); + } + +int X509_STORE_set_trust(X509_STORE *ctx, int trust) + { + return X509_TRUST_set(&ctx->trust, trust); + } + IMPLEMENT_STACK_OF(X509_LOOKUP) IMPLEMENT_STACK_OF(X509_OBJECT) diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 4f48b55160..c164badbe4 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -144,6 +144,16 @@ int X509_TRUST_get_by_id(int id) return idx + X509_TRUST_COUNT; } +int X509_TRUST_set(int *t, int trust) +{ + if(X509_TRUST_get_by_id(trust) == -1) { + X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST); + return 0; + } + *t = trust; + return 1; +} + int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), char *name, int arg1, void *arg2) { diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index c308d26ab8..e08075e85a 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -326,6 +326,8 @@ X509_STORE *X509_STORE_new(void ); void X509_STORE_free(X509_STORE *v); void X509_STORE_set_flags(X509_STORE *ctx, long flags); +int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); +int X509_STORE_set_trust(X509_STORE *ctx, int trust); X509_STORE_CTX *X509_STORE_CTX_new(void); diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 39c20d48e8..ad55016236 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c 
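Review bot: X509_TRUST_set in x509_trs.c is a new public entry point with no comment stating its contract, and the same gap applies to X509_PURPOSE_set in v3_purp.c and to the X509_STORE_set_purpose / X509_STORE_set_trust wrappers in x509_lu.c, which pass the result straight through. The visible code validates the id with X509_TRUST_get_by_id before storing it, and on failure queues X509_R_INVALID_TRUST, returns 0 and leaves `*t` untouched; a header comment such as `/* Validate trust against the registered trust ids; on success store it in *t and return 1. On failure *t is unchanged, X509_R_INVALID_TRUST is queued and 0 is returned. */` would make that explicit for callers (the X509_PURPOSE_set comment would name X509V3_R_INVALID_PURPOSE). Style: the new function puts its braces at column 0, whereas the neighbouring X509_TRUST_add (context line ` {`) uses the file's indented-brace layout; the x509_lu.c additions do follow the file style, so matching it here keeps the file consistent. Whether X509_STORE already has purpose and trust fields is not visible in this patch (the CHANGES entry above suggests they were added separately), so that should be confirmed against the current struct.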
@@ -121,6 +121,16 @@ int X509_check_purpose(X509 *x, int id, int ca) return pt->check_purpose(pt, x, ca); } +int X509_PURPOSE_set(int *p, int purpose) +{ + if(X509_PURPOSE_get_by_id(purpose) == -1) { + X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE); + return 0; + } + *p = purpose; + return 1; +} + int X509_PURPOSE_get_count(void) { if(!xptable) return X509_PURPOSE_COUNT; diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c index db2ef8d9bf..6458e95bb9 100644 --- a/crypto/x509v3/v3err.c +++ b/crypto/x509v3/v3err.c @@ -107,6 +107,7 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0), "X509V3_get_value_bool"}, {ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0), "X509V3_parse_list"}, {ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0), "X509_PURPOSE_add"}, +{ERR_PACK(0,X509V3_F_X509_PURPOSE_SET,0), "X509_PURPOSE_set"}, {0,NULL} }; @@ -138,6 +139,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, {X509V3_R_INVALID_OPTION ,"invalid option"}, {X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, +{X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, {X509V3_R_INVALID_SECTION ,"invalid section"}, {X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, {X509V3_R_ISSUER_DECODE_ERROR ,"issuer decode error"}, diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 6b186de724..65ef776d7e 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -518,6 +518,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); int X509_check_purpose(X509 *x, int id, int ca); +int X509_PURPOSE_set(int *p, int purpose); int X509_check_issued(X509 *issuer, X509 *subject); int X509_PURPOSE_get_count(void); X509_PURPOSE * X509_PURPOSE_get0(int idx); 
@@ -541,6 +542,7 @@ void X509_email_free(STACK *sk); /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ +void ERR_load_X509V3_strings(void); /* Error codes for the X509V3 functions. */ @@ -586,6 +588,7 @@ void X509_email_free(STACK *sk); #define X509V3_F_X509V3_GET_VALUE_BOOL 110 #define X509V3_F_X509V3_PARSE_LIST 109 #define X509V3_F_X509_PURPOSE_ADD 137 +#define X509V3_F_X509_PURPOSE_SET 141 /* Reason codes. */ #define X509V3_R_BAD_IP_ADDRESS 118 @@ -614,6 +617,7 @@ void X509_email_free(STACK *sk); #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 #define X509V3_R_INVALID_OPTION 138 #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 +#define X509V3_R_INVALID_PURPOSE 146 #define X509V3_R_INVALID_SECTION 135 #define X509V3_R_INVALID_SYNTAX 143 #define X509V3_R_ISSUER_DECODE_ERROR 126 @@ -639,4 +643,3 @@ void X509_email_free(STACK *sk); } #endif #endif - diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c1a545a5ff..ab9deafd7d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -333,42 +333,22 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
 {
- if(X509_PURPOSE_get_by_id(purpose) == -1) {
- SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
- return 0;
- }
- s->purpose = purpose;
- return 1;
+ return X509_PURPOSE_set(&s->purpose, purpose);
 }
 int SSL_set_purpose(SSL *s, int purpose)
 {
- if(X509_PURPOSE_get_by_id(purpose) == -1) {
- SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
- return 0;
- }
- s->purpose = purpose;
- return 1;
+ return X509_PURPOSE_set(&s->purpose, purpose);
 }
- 
+
 int SSL_CTX_set_trust(SSL_CTX *s, int trust)
 {
- if(X509_TRUST_get_by_id(trust) == -1) {
- SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST);
- return 0;
- }
- s->trust = trust;
- return 1;
+ return X509_TRUST_set(&s->trust, trust);
 }
 int SSL_set_trust(SSL *s, int trust)
 {
- if(X509_TRUST_get_by_id(trust) == -1) {
- SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST);
- return 0;
- }
- s->trust = trust;
- return 1;
+ return X509_TRUST_set(&s->trust, trust);
 }
 void SSL_free(SSL *s)
-- 
2.25.1
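Review bot: The four rewritten setters no longer queue SSL_R_INVALID_PURPOSE / SSL_R_INVALID_TRUST under the SSL library on an invalid id: the removed lines raised those with the SSL_F_SSL_*_SET_PURPOSE / _SET_TRUST function codes, while the new one-line bodies will surface X509V3_R_INVALID_PURPOSE (queued in v3_purp.c) and X509_R_INVALID_TRUST (queued in x509_trs.c) instead. Any caller that inspects the error queue for the SSL-library reason codes will stop matching, and the CHANGES entry in this patch does not say so; either state it there or add a comment on each function such as `/* On failure the error is queued by the X509V3/X509 library, not as SSL_R_INVALID_* */`. The SSL_F_* and SSL_R_INVALID_* codes presumably stay defined in ssl.h but now have no user in this file; if so, marking them as retained only for compatibility would stop them being silently orphaned.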