From 3a7c85d931b2023a54a02c316fd13e9c48298d91 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 4 Apr 2019 15:03:21 +0000
Subject: Provide SSL chain/cert chain APIs.
These allow for chains to be managed on a per-certificate basis rather than as a single "extra certificates" list. Note that "chain" in this context does not actually include the leaf certificate however, unlike SSL_CTX_use_certificate_chain_{file,mem}().
Thanks to sthen@ for running this through a bulk ports build.
ok beck@ tb@
---
 src/lib/libssl/s3_lib.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 113 insertions(+), 1 deletion(-)
(limited to 'src/lib/libssl/s3_lib.c')
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 49f402d065..0357a70ca3 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.185 2019/03/25 17:21:18 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.186 2019/04/04 15:03:21 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1875,6 +1875,47 @@ _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
 return 1;
 }
 
+int
+SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
+{
+ return ssl_cert_set0_chain(ssl->cert, chain);
+}
+
+int
+SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
+{
+ return ssl_cert_set1_chain(ssl->cert, chain);
+}
+
+int
+SSL_add0_chain_cert(SSL *ssl, X509 *x509)
+{
+ return ssl_cert_add0_chain_cert(ssl->cert, x509);
+}
+
+int
+SSL_add1_chain_cert(SSL *ssl, X509 *x509)
+{
+ return ssl_cert_add1_chain_cert(ssl->cert, x509);
+}
+
+int
+SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
+{
+ *out_chain = NULL;
+
+ if (ssl->cert->key != NULL)
+ *out_chain = ssl->cert->key->chain;
+
+ return 1;
+}
+
+int
+SSL_clear_chain_certs(SSL *ssl)
+{
+ return ssl_cert_set0_chain(ssl->cert, NULL);
+}
+
 int
 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
 {
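Review bot: SSL_get0_chain_certs writes through out_chain before checking it, so a caller that passes NULL — including the SSL_CTRL_GET_CHAIN_CERTS case in ssl3_ctrl, which forwards parg unchecked — dereferences a null pointer; SSL_CTX_get0_chain_certs and the matching case in ssl3_ctx_ctrl in the later hunks have the same gap. A guard at the top of the function, `if (out_chain == NULL) return 0;`, turns that into a failure return that ctrl callers already handle. Whether ssl->cert can be NULL at this point is not visible in the hunk; the existing wrappers in this file presumably rely on it being set, but since all six new functions dereference it unconditionally, that is worth confirming.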
@@ -1956,6 +1997,21 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
 
+ case SSL_CTRL_CHAIN:
+ if (larg == 0)
+ return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
+ else
+ return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
+
+ case SSL_CTRL_CHAIN_CERT:
+ if (larg == 0)
+ return SSL_add0_chain_cert(s, (X509 *)parg);
+ else
+ return SSL_add1_chain_cert(s, (X509 *)parg);
+
+ case SSL_CTRL_GET_CHAIN_CERTS:
+ return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
+
 case SSL_CTRL_SET_GROUPS:
 return SSL_set1_groups(s, parg, larg);
 
@@ -2127,6 +2183,47 @@ _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
 return 1;
 }
 
+int
+SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
+{
+ return ssl_cert_set0_chain(ctx->internal->cert, chain);
+}
+
+int
+SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
+{
+ return ssl_cert_set1_chain(ctx->internal->cert, chain);
+}
+
+int
+SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
+{
+ return ssl_cert_add0_chain_cert(ctx->internal->cert, x509);
+}
+
+int
+SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
+{
+ return ssl_cert_add1_chain_cert(ctx->internal->cert, x509);
+}
+
+int
+SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
+{
+ *out_chain = NULL;
+
+ if (ctx->internal->cert->key != NULL)
+ *out_chain = ctx->internal->cert->key->chain;
+
+ return 1;
+}
+
+int
+SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
+{
+ return ssl_cert_set0_chain(ctx->internal->cert, NULL);
+}
+
 static int
 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
 {
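Review bot: The meaning of larg in the new SSL_CTRL_CHAIN and SSL_CTRL_CHAIN_CERT cases is stated nowhere in the hunk; the code only shows that zero selects the set0/add0 variant and every other value the set1/add1 variant. Assuming the 0/1 suffixes follow the usual ownership convention (0 transfers ownership of the passed object, 1 takes a reference), a comment above the first new case, `/* larg: 0 = take ownership (set0/add0), non-zero = take a reference (set1/add1) */`, would make the dispatch self-explanatory; the same applies to the ssl3_ctx_ctrl hunk. The `else` after each `return` is redundant and could be dropped to match the flat style of the surrounding cases. ssl3_ctrl starts and ends outside this hunk.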
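Review bot: SSL_CTX_get0_chain_certs returns 1 unconditionally, so a NULL *out_chain means either that no certificate/key is currently selected (ctx->internal->cert->key == NULL) or that the selected key has no chain, and the caller cannot tell which; nothing in the code states that the returned stack presumably remains owned by ctx, as the get0 naming suggests. A short comment above the function, e.g. `/* Returns the current key's chain without transferring ownership; *out_chain is NULL when no key is selected or the key has no chain. */`, would pin both points down. SSL_get0_chain_certs in the earlier hunk has the same contract and would benefit from the same comment.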
@@ -2208,6 +2305,21 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
 
+ case SSL_CTRL_CHAIN:
+ if (larg == 0)
+ return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
+ else
+ return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
+
+ case SSL_CTRL_CHAIN_CERT:
+ if (larg == 0)
+ return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
+ else
+ return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
+
+ case SSL_CTRL_GET_CHAIN_CERTS:
+ return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
+
 case SSL_CTRL_EXTRA_CHAIN_CERT:
 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
 
--
cgit v1.2.3-55-g6feb