From b5a6f0a92d89ac586fc007ebe69ebc985551f366 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Lutz=20J=C3=A4nicke?= Date: Sat, 20 Jan 2001 16:22:43 +0000 Subject: [PATCH] Documentation about SSL_get_ex_data_X509_STORE_CTX_idx and SSL_get_ex_new_index() functionality. Extended verify_callback() example to show the usage. --- doc/ssl/SSL_CTX_set_verify.pod | 47 +++++++++++--- .../SSL_get_ex_data_X509_STORE_CTX_idx.pod | 61 +++++++++++++++++++ doc/ssl/SSL_get_ex_new_index.pod | 59 ++++++++++++++++++ 3 files changed, 160 insertions(+), 7 deletions(-) create mode 100644 doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod create mode 100644 doc/ssl/SSL_get_ex_new_index.pod diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod index 9d7b7a9070..fc0b76118f 100644 --- a/doc/ssl/SSL_CTX_set_verify.pod +++ b/doc/ssl/SSL_CTX_set_verify.pod @@ -165,21 +165,38 @@ are printed on request. The example is realized for a server that does allow but not require client certificates. +The example makes use of the ex_data technique to store application data +into/retrieve application data from the SSL structure +(see L, +L). + ... - int verbose_mode; - int verify_depth; - int always_continue; + typedef struct { + int verbose_mode; + int verify_depth; + int always_continue; + } mydata_t; + int mydata_index; ... static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { char buf[256]; X509 *err_cert; int err, depth; + SSL *ssl; + mydata_t *mydata; err_cert = X509_STORE_CTX_get_current_cert(ctx); err = X509_STORE_CTX_get_error(ctx); depth = X509_STORE_CTX_get_error_depth(ctx); + /* + * Retrieve the pointer to the SSL of the connection currently treated + * and the application specific data stored into the SSL object. + */ + ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + mydata = SSL_get_ex_data(ssl, mydata_index); + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); /* 
@@ -191,7 +208,7 @@ certificates. * be found explicitly; only errors introduced by cutting off the * additional certificates would be logged. */ - if (depth > verify_depth) { + if (depth > mydata->verify_depth) { preverify_ok = 0; err = X509_V_ERR_CERT_CHAIN_TOO_LONG; X509_STORE_CTX_set_error(ctx, err); @@ -200,7 +217,7 @@ certificates. printf("verify error:num=%d:%s:depth=%d:%s\n", err, X509_verify_cert_error_string(err), depth, buf); } - else if (verbose_mode) + else if (mydata->verbose_mode) { printf("depth=%d:%s\n", depth, buf); } @@ -215,11 +232,18 @@ certificates. printf("issuer= %s\n", buf); } - if (always_continue) + if (mydata->always_continue) return 1; else return preverify_ok; } + ... + + mydata_t mydata; + + ... + mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); + ... SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_callback); @@ -229,6 +253,13 @@ certificates. * an appropriate error in the logfile. */ SSL_CTX_set_verify_depth(verify_depth + 1); + + /* + * Set up the SSL specific data into "mydata" and store it into th SSL + * structure. + */ + mydata.verify_depth = verify_depth; ... + SSL_set_ex_data(ssl, mydata_index, &mydata); ... SSL_accept(ssl); /* check of success left out for clarity */ @@ -246,6 +277,8 @@ L, L, L, L, L, -L +L, +L, +L =cut diff --git a/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod b/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod new file mode 100644 index 0000000000..165c6a5b2c --- /dev/null +++ b/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod 
@@ -0,0 +1,61 @@
+=pod
+
+=head1 NAME
+
+SSL_get_ex_data_X509_STORE_CTX_idx - get ex_data index to access SSL structure
+from X509_STORE_CTX
+
+=head1 SYNOPSIS
+
+ #include
+
+ int SSL_get_ex_data_X509_STORE_CTX_idx(void);
+
+=head1 DESCRIPTION
+
+SSL_get_ex_data_X509_STORE_CTX_idx() returns the index number under which
+the pointer to the SSL object is stored into the X509_STORE_CTX object.
+
+=head1 NOTES
+
+Whenever a X509_STORE_CTX object is created for the verification of the
+peers certificate during a handshake, a pointer to the SSL object is
+stored into the X509_STORE_CTX object to identify the connection affected.
+To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can
+be used with the correct index. This index is globally the same for all
+X509_STORE_CTX objects and can be retrieved using
+SSL_get_ex_data_X509_STORE_CTX_idx(). The index value is set when
+SSL_get_ex_data_X509_STORE_CTX_idx() is first called either by the application
+program directly or indirectly during other SSL setup functions or during
+the handshake.
+
+The value depends on other index values defined for X509_STORE_CTX objects
+before the SSL index is created.
+
+=head1 RETURN VALUES
+
+=over 4
+
+=item E=0
+
+The index value to access the pointer.
+
+=item E0
+
+An error occurred, check the error stack for a detailed error message.
+
+=back
+
+=head1 EXAMPLES
+
+The index returned from SSL_get_ex_data_X509_STORE_CTX_idx() allows to
+access the SSL object for the connection to be accessed during the
+verify_callback() when checking the peers certificate. Please check
+the example in L,
+
+=head1 SEE ALSO
+
+L, L,
+L
+
+=cut
diff --git a/doc/ssl/SSL_get_ex_new_index.pod b/doc/ssl/SSL_get_ex_new_index.pod
new file mode 100644
index 0000000000..2b69bb1050
--- /dev/null
+++ b/doc/ssl/SSL_get_ex_new_index.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ #include
+
+ int SSL_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,
+ CRYPTO_EX_free *free_func);
+
+ int SSL_set_ex_data(SSL *ssl, int idx, void *arg);
+
+ void *SSL_get_ex_data(SSL *ssl, int idx);
+
+ typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
+ int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+SSL_get_ex_new_index() is used to register a new index for application
+specific data.
+
+SSL_set_ex_data() is used to store application data at B for B into
+the B object.
+
+SSL_get_ex_data() is used to retrieve the information for B from
+B.
+
+A detailed description for the B<*_get_ex_new_index()> functionality
+can be found in L.
+The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
+L.
+
+=head1 EXAMPLES
+
+An example on how to use the functionality is included in the example
+verify_callback() in L.
+
+=head1 SEE ALSO
+
+L,
+L,
+L,
+L
+
+=cut
--
2.25.1