From 1060a50b6d70cf801e08c6b97835397d1c222af9 Mon Sep 17 00:00:00 2001
From: Richard Levitte
Date: Thu, 7 Jul 2016 23:22:45 +0200
Subject: [PATCH] Add getters / setters for the X509_STORE_CTX and X509_STORE functions

We only add setters for X509_STORE function pointers except for the verify callback function. The thought is that the function pointers in X509_STORE_CTX are a cache for the X509_STORE functions. Therefore, it's preferable if the user makes the changes in X509_STORE before X509_STORE_CTX_init is called, and otherwise use the verify callback to override any results from OpenSSL's internal calculations.

Reviewed-by: Rich Salz
---
 crypto/x509/x509_lu.c | 117 ++++++++++++++++++++++++++++++++++---
 crypto/x509/x509_vfy.c | 72 ++++++++++++++++++-----
 include/openssl/x509_vfy.h | 80 ++++++++++++++++++++-----
 util/libcrypto.num | 2 +-
 4 files changed, 233 insertions(+), 38 deletions(-)

diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 843f3519dc..26902d765b 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -714,23 +714,124 @@ X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx)
 return ctx->param;
 }
+void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify)
+{
+ ctx->verify = verify;
+}
+
+X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx)
+{
+ return ctx->verify;
+}
+
 void X509_STORE_set_verify_cb(X509_STORE *ctx,
- int (*verify_cb) (int, X509_STORE_CTX *))
+ X509_STORE_CTX_verify_cb verify_cb)
 {
 ctx->verify_cb = verify_cb;
 }
-void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify verify)
+X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx)
 {
- ctx->verify = verify;
+ return ctx->verify_cb;
+}
+
+void X509_STORE_set_get_issuer(X509_STORE *ctx,
+ X509_STORE_CTX_get_issuer_fn get_issuer)
+{
+ ctx->get_issuer = get_issuer;
+}
+
+X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx)
+{
+ return ctx->get_issuer;
+}
+
+void X509_STORE_set_check_issued(X509_STORE *ctx,
+ X509_STORE_CTX_check_issued_fn check_issued)
+{
+ ctx->check_issued = check_issued;
+}
+
+X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx)
+{
+ return ctx->check_issued;
+}
+
+void X509_STORE_set_check_revocation(X509_STORE *ctx,
+ X509_STORE_CTX_check_revocation_fn check_revocation)
+{
+ ctx->check_revocation = check_revocation;
+}
+
+X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx)
+{
+ return ctx->check_revocation;
+}
+
+void X509_STORE_set_get_crl(X509_STORE *ctx,
+ X509_STORE_CTX_get_crl_fn get_crl)
+{
+ ctx->get_crl = get_crl;
+}
+
+X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx)
+{
+ return ctx->get_crl;
+}
+
+void X509_STORE_set_check_crl(X509_STORE *ctx,
+ X509_STORE_CTX_check_crl_fn check_crl)
+{
+ ctx->check_crl = check_crl;
+}
+
+X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx)
+{
+ return ctx->check_crl;
+}
+
+void X509_STORE_set_cert_crl(X509_STORE *ctx,
+ X509_STORE_CTX_cert_crl_fn cert_crl)
+{
+ ctx->cert_crl = cert_crl;
+}
+
+X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx)
+{
+ return ctx->cert_crl;
+}
+
+void X509_STORE_set_lookup_certs(X509_STORE *ctx,
+ X509_STORE_CTX_lookup_certs_fn lookup_certs)
+{
+ ctx->lookup_certs = lookup_certs;
+}
+
+X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx)
+{
+ return ctx->lookup_certs;
+}
+
+void X509_STORE_set_lookup_crls(X509_STORE *ctx,
+ X509_STORE_CTX_lookup_crls_fn lookup_crls)
+{
+ ctx->lookup_crls = lookup_crls;
+}
+
+X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx)
+{
+ return ctx->lookup_crls;
+}
+
+void X509_STORE_set_cleanup(X509_STORE *ctx,
+ X509_STORE_CTX_cleanup_fn ctx_cleanup)
+{
+ ctx->cleanup = ctx_cleanup;
 }
-void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
- STACK_OF(X509_CRL) *(*cb) (X509_STORE_CTX
- *ctx,
- X509_NAME *nm))
+X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx)
 {
- ctx->lookup_crls = cb;
+ return ctx->cleanup;
 }
 int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 2a157021dd..649390c647 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2399,6 +2399,27 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
 X509_VERIFY_PARAM_set_time(ctx->param, t);
 }
+X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+ return ctx->cert;
+}
+
+STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
+{
+ return ctx->untrusted;
+}
+
+void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+{
+ ctx->untrusted = sk;
+}
+
+void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+{
+ sk_X509_pop_free(ctx->chain, X509_free);
+ ctx->chain = sk;
+}
+
 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
 X509_STORE_CTX_verify_cb verify_cb)
 {
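Review bot: None of the new X509_STORE_set_* setters in this hunk says that the pointer they store only reaches a verification context when a later X509_STORE_CTX_init copies it, which is the caveat the commit message gives but the code does not. A comment above `X509_STORE_set_verify` along the lines of `/* These function pointers are copied into an X509_STORE_CTX by X509_STORE_CTX_init; changing them afterwards does not affect contexts already initialised. A replacement check_revocation/check_crl/cert_crl replaces the built-in check entirely, so one that unconditionally returns 1 silently disables revocation checking. */` would make that visible to API users. The setters are plain unsynchronised stores; if an X509_STORE may be shared between threads (I cannot see its locking from this hunk), the requirement to configure it before it is shared should be stated as a caller obligation. Also the parameter is named `ctx_cleanup` in `X509_STORE_set_cleanup` here but `cleanup` in the header prototype; one spelling is enough.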
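Review bot: `X509_STORE_CTX_set0_verified_chain` frees the current chain with `sk_X509_pop_free` before storing `sk`, so a caller that passes back the stack it obtained from the context (`sk == ctx->chain`) ends up with a dangling pointer; this is relocated rather than new code, but a comment `/* Takes ownership of sk; the previously verified chain, if any, is freed. */` above it would pin the contract down, and a guard `if (sk != ctx->chain)` around the free would make the aliasing case harmless. `X509_STORE_CTX_set0_untrusted` likewise stores the pointer without taking a reference, which the `set0` name implies but nothing documents.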
@@ -2410,36 +2431,59 @@ X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx)
 return ctx->verify_cb;
 }
-X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx)
 {
- return ctx->cert;
+ return ctx->verify;
 }
-STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
+X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx)
 {
- return ctx->untrusted;
+ return ctx->get_issuer;
 }
-void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx)
 {
- ctx->untrusted = sk;
+ return ctx->check_issued;
 }
-void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx)
 {
- sk_X509_pop_free(ctx->chain, X509_free);
- ctx->chain = sk;
+ return ctx->check_revocation;
 }
-void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
- X509_STORE_CTX_verify verify)
+X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx)
 {
- ctx->verify = verify;
+ return ctx->get_crl;
 }
-X509_STORE_CTX_verify X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx)
+X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx)
 {
- return ctx->verify;
+ return ctx->check_crl;
+}
+
+X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx)
+{
+ return ctx->cert_crl;
+}
+
+X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx)
+{
+ return ctx->check_policy;
+}
+
+X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx)
+{
+ return ctx->lookup_certs;
+}
+
+X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx)
+{
+ return ctx->lookup_crls;
+}
+
+X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx)
+{
+ return ctx->cleanup;
 }
 X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 19895bf9d4..13ec740b42 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -56,15 +56,25 @@ DEFINE_STACK_OF(X509_VERIFY_PARAM)
 int X509_STORE_set_depth(X509_STORE *store, int depth);
-# define X509_STORE_set_verify_cb_func(ctx,func) \
- X509_STORE_set_verify_cb((ctx),(func))
-
 typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
-typedef int (*X509_STORE_CTX_verify)(X509_STORE_CTX *);
+typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
+typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer,
+ X509_STORE_CTX *ctx, X509 *x);
+typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx,
+ X509 *x, X509 *issuer);
+typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
+typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx,
+ X509_CRL **crl, X509 *x);
+typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
+typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx,
+ X509_CRL *crl, X509 *x);
+typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
+typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
+ X509_NAME *nm);
+typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(X509_STORE_CTX *ctx,
+ X509_NAME *nm);
+typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
-void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify verify);
-#define X509_STORE_set_verify_func(ctx, func) \
- X509_STORE_set_verify((ctx),(func))
 void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
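Review bot: The new X509_STORE_CTX_get_* accessors return the context's own copies of the store's function pointers, which can differ from what the matching `X509_STORE_get_*` returns once the store has been changed after `X509_STORE_CTX_init`, and nothing in the hunk says so. A comment above `X509_STORE_CTX_get_verify` such as `/* Accessors for the per-context function pointers: the values captured at X509_STORE_CTX_init time (or the defaults), not the live X509_STORE values. */` would stop callers from expecting a store-side setter to change an already-initialised context. `X509_STORE_CTX_get_check_policy` has no X509_STORE counterpart anywhere in this patch; if that is deliberate because the store has no check_policy slot (not visible here), a one-line comment saying so would preempt the question.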
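Review bot: The new callback typedefs state no contract, and for several of them ownership is the whole question: `X509_STORE_CTX_get_issuer_fn` hands back an `X509 *` through `issuer` without saying whether the callee must take a reference, `X509_STORE_CTX_get_crl_fn` does the same through `crl`, and `X509_STORE_CTX_lookup_certs_fn`/`X509_STORE_CTX_lookup_crls_fn` return stacks whose freeing responsibility is unstated (presumably the caller's, but I cannot confirm that from the diff). A comment block above `typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);` describing, per callback, the return convention (1 success / 0 failure, and -1 where an error is distinguished) and who owns each returned object would let a replacement be written without reading x509_vfy.c; a wrong guess on `*issuer` is a leak or a double free, both in the chain-building path.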
@@ -256,13 +266,45 @@ int X509_STORE_set_trust(X509_STORE *ctx, int trust);
 int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
 X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);
+void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
+#define X509_STORE_set_verify_func(ctx, func) \
+ X509_STORE_set_verify((ctx),(func))
+X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx);
 void X509_STORE_set_verify_cb(X509_STORE *ctx,
- int (*verify_cb) (int, X509_STORE_CTX *));
+ X509_STORE_CTX_verify_cb verify_cb);
+# define X509_STORE_set_verify_cb_func(ctx,func) \
+ X509_STORE_set_verify_cb((ctx),(func))
+X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx);
+void X509_STORE_set_get_issuer(X509_STORE *ctx,
+ X509_STORE_CTX_get_issuer_fn get_issuer);
+X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx);
+void X509_STORE_set_check_issued(X509_STORE *ctx,
+ X509_STORE_CTX_check_issued_fn check_issued);
+X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx);
+void X509_STORE_set_check_revocation(X509_STORE *ctx,
+ X509_STORE_CTX_check_revocation_fn check_revocation);
+X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx);
+void X509_STORE_set_get_crl(X509_STORE *ctx,
+ X509_STORE_CTX_get_crl_fn get_crl);
+X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx);
+void X509_STORE_set_check_crl(X509_STORE *ctx,
+ X509_STORE_CTX_check_crl_fn check_crl);
+X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx);
+void X509_STORE_set_cert_crl(X509_STORE *ctx,
+ X509_STORE_CTX_cert_crl_fn cert_crl);
+X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx);
+void X509_STORE_set_lookup_certs(X509_STORE *ctx,
+ X509_STORE_CTX_lookup_certs_fn lookup_certs);
+X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx);
+void X509_STORE_set_lookup_crls(X509_STORE *ctx,
+ X509_STORE_CTX_lookup_crls_fn lookup_crls);
+#define X509_STORE_set_lookup_crls_cb(ctx, func) \
+ X509_STORE_set_lookup_crls((ctx), (func))
+X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx);
+void X509_STORE_set_cleanup(X509_STORE *ctx,
+ X509_STORE_CTX_cleanup_fn cleanup);
+X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx);
-void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
- STACK_OF(X509_CRL) *(*cb) (X509_STORE_CTX
- *ctx,
- X509_NAME *nm));
 #define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
 CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, l, p, newf, dupf, freef)
 int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data);
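Review bot: This hunk declares around twenty new public functions (`X509_STORE_get_verify`, `X509_STORE_set_get_issuer`, … `X509_STORE_get_cleanup`), yet the diffstat at the top shows `util/libcrypto.num` changing by a single line, the rename of `X509_STORE_set_lookup_crls_cb` to `X509_STORE_set_lookup_crls`; unless `make update` is run as a follow-up, the new symbols are absent from the export list that the linker scripts and .def files are generated from, so they would link on some platforms and not others. The three compatibility macros added here also use two spellings, `+#define X509_STORE_set_verify_func` and `+#define X509_STORE_set_lookup_crls_cb` versus `+# define X509_STORE_set_verify_cb_func`; picking one, e.g. `# define X509_STORE_set_verify_func(ctx, func) \`, keeps the block consistent. A short comment on the `_func`/`_cb` macros saying they exist only for source compatibility with the old names would tell readers not to use them in new code.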
@@ -285,9 +327,17 @@ void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
 X509_STORE_CTX_verify_cb verify);
 X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
- X509_STORE_CTX_verify verify);
-X509_STORE_CTX_verify X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
+X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
+X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
+X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
+X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
+X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
+X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
+X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
+X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
+X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
+X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
+X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
 #if OPENSSL_API_COMPAT < 0x10100000L
 # define X509_STORE_CTX_get_chain X509_STORE_CTX_get0_chain
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 0f2d82f03a..6cca35cdb5 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
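Review bot: `X509_STORE_CTX_set_verify` is removed from the public header here (and from x509_vfy.c in the earlier hunk) with no deprecation path, so any caller stops compiling; the `#if OPENSSL_API_COMPAT < 0x10100000L` block immediately below is where a compatibility macro would belong if the function ever shipped in a release, which I cannot tell from the diff. Since `X509_STORE_CTX_set_verify_cb` is now the only per-context override left, a comment above the new getters, e.g. `/* The X509_STORE_CTX function pointers are set from the X509_STORE by X509_STORE_CTX_init and are read-only here; change them with X509_STORE_set_*() before the context is initialised. */`, would make the intended usage visible exactly where the old setter used to be.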
@@ -3454,7 +3454,7 @@ OCSP_REQUEST_get_ext 3401 1_1_0 EXIST::FUNCTION:OCSP
 NETSCAPE_SPKAC_new 3402 1_1_0 EXIST::FUNCTION:
 EVP_PKEY_meth_get_verify 3403 1_1_0 EXIST::FUNCTION:
 CRYPTO_128_wrap 3404 1_1_0 EXIST::FUNCTION:
-X509_STORE_set_lookup_crls_cb 3405 1_1_0 EXIST::FUNCTION:
+X509_STORE_set_lookup_crls 3405 1_1_0 EXIST::FUNCTION:
 EVP_CIPHER_meth_get_ctrl 3406 1_1_0 EXIST::FUNCTION:
 OCSP_REQ_CTX_set1_req 3407 1_1_0 EXIST::FUNCTION:OCSP
 CONF_imodule_get_usr_data 3408 1_1_0 EXIST::FUNCTION:
-- 
GitLab