From ef18f5fcfa9cf3eeefcc89685bead61b8239028f Mon Sep 17 00:00:00 2001 From: jsing <> Date: Thu, 4 Apr 2019 15:03:21 +0000 Subject: Provide SSL chain/cert chain APIs. These allow for chains to be managed on a per-certificate basis rather than as a single "extra certificates" list. Note that "chain" in this context does not actually include the leaf certificate however, unlike SSL_CTX_use_certificate_chain_{file,mem}(). Thanks to sthen@ for running this through a bulk ports build. ok beck@ tb@ --- src/lib/libssl/ssl.h | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) (limited to 'src/lib/libssl/ssl.h') diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 58b1be6d0d..fc89b0ef6e 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.165 2019/03/17 17:28:08 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.166 2019/04/04 15:03:21 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1118,6 +1118,9 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 +#define SSL_CTRL_CHAIN 88 +#define SSL_CTRL_CHAIN_CERT 89 + #define SSL_CTRL_SET_GROUPS 91 #define SSL_CTRL_SET_GROUPS_LIST 92 @@ -1125,6 +1128,8 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_GET_SERVER_TMP_KEY 109 +#define SSL_CTRL_GET_CHAIN_CERTS 115 + #define SSL_CTRL_SET_DH_AUTO 118 #define SSL_CTRL_SET_MIN_PROTO_VERSION 123 @@ -1174,6 +1179,20 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_set_ecdh_auto(s, onoff) \ SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) +int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain); +int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain); +int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509); +int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509); +int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain); +int SSL_CTX_clear_chain_certs(SSL_CTX *ctx); + +int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain); +int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain); +int SSL_add0_chain_cert(SSL *ssl, X509 *x509); +int SSL_add1_chain_cert(SSL *ssl, X509 *x509); +int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain); +int SSL_clear_chain_certs(SSL *ssl); + int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len); int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups); @@ -1215,14 +1234,30 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version); * Also provide those functions as macros for compatibility with * existing users. */ +#define SSL_CTX_set0_chain SSL_CTX_set0_chain +#define SSL_CTX_set1_chain SSL_CTX_set1_chain +#define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert +#define SSL_CTX_add1_chain_cert SSL_CTX_add1_chain_cert +#define SSL_CTX_get0_chain_certs SSL_CTX_get0_chain_certs +#define SSL_CTX_clear_chain_certs SSL_CTX_clear_chain_certs + +#define SSL_add0_chain_cert SSL_add0_chain_cert +#define SSL_add1_chain_cert SSL_add1_chain_cert +#define SSL_set0_chain SSL_set0_chain +#define SSL_set1_chain SSL_set1_chain +#define SSL_get0_chain_certs SSL_get0_chain_certs +#define SSL_clear_chain_certs SSL_clear_chain_certs + #define SSL_CTX_set1_groups SSL_CTX_set1_groups #define SSL_CTX_set1_groups_list SSL_CTX_set1_groups_list #define SSL_set1_groups SSL_set1_groups #define SSL_set1_groups_list SSL_set1_groups_list + #define SSL_CTX_get_min_proto_version SSL_CTX_get_min_proto_version #define SSL_CTX_get_max_proto_version SSL_CTX_get_max_proto_version #define SSL_CTX_set_min_proto_version SSL_CTX_set_min_proto_version #define SSL_CTX_set_max_proto_version SSL_CTX_set_max_proto_version + #define SSL_get_min_proto_version SSL_get_min_proto_version #define SSL_get_max_proto_version SSL_get_max_proto_version #define SSL_set_min_proto_version SSL_set_min_proto_version -- cgit v1.2.3-55-g6feb