diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 10fbeeff6d41735f2df537429f2e53a4939149ea..2c3efdd4b01a6fd1b896e71a3c9be792c82b4da2 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -298,7 +298,7 @@ static int verify_chain(X509_STORE_CTX *ctx) int X509_verify_cert(X509_STORE_CTX *ctx) { - struct dane_st *dane = (struct dane_st *)ctx->dane; + SSL_DANE *dane = ctx->dane; if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); @@ -665,7 +665,7 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) int i; X509 *x = NULL; X509 *mx; - struct dane_st *dane = (struct dane_st *)ctx->dane; + SSL_DANE *dane = ctx->dane; int num = sk_X509_num(ctx->chain); int trust; @@ -2369,7 +2369,7 @@ void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) ctx->param = param; } -void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, struct dane_st *dane) +void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane) { ctx->dane = dane; } @@ -2410,7 +2410,7 @@ static unsigned char *dane_i2d( static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) { - struct dane_st *dane = (struct dane_st *)ctx->dane; + SSL_DANE *dane = ctx->dane; unsigned usage = DANETLS_NONE; unsigned selector = DANETLS_NONE; unsigned ordinal = DANETLS_NONE; @@ -2553,7 +2553,7 @@ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) { - struct dane_st *dane = (struct dane_st *)ctx->dane; + SSL_DANE *dane = ctx->dane; int matched = 0; X509 *cert; @@ -2578,7 +2578,7 @@ static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) static int check_dane_pkeys(X509_STORE_CTX *ctx) { - struct dane_st *dane = (struct dane_st *)ctx->dane; + SSL_DANE *dane = ctx->dane; danetls_record *t; int num = ctx->num_untrusted; X509 *cert = sk_X509_value(ctx->chain, num - 1); @@ -2613,7 +2613,7 @@ static int check_dane_pkeys(X509_STORE_CTX *ctx) return X509_TRUST_UNTRUSTED; } -static void dane_reset(struct dane_st *dane) +static void dane_reset(SSL_DANE *dane) { /* * Reset state to verify another chain, or clear after failure. @@ -2637,7 +2637,7 @@ static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert) static int dane_verify(X509_STORE_CTX *ctx) { X509 *cert = ctx->cert; - struct dane_st *dane = (struct dane_st *)ctx->dane; + SSL_DANE *dane = ctx->dane; int matched; int done; @@ -2707,7 +2707,7 @@ static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert) static int build_chain(X509_STORE_CTX *ctx) { - struct dane_st *dane = (struct dane_st *)ctx->dane; + SSL_DANE *dane = ctx->dane; int num = sk_X509_num(ctx->chain); X509 *cert = sk_X509_value(ctx->chain, num - 1); int ss = cert_self_signed(cert); diff --git a/include/internal/dane.h b/include/internal/dane.h index 42581104fd7a08acef798bc1ccbcab880c0d5c1b..1672849c8328cdfc3b7597478ecfbaf48f2845cf 100644 --- a/include/internal/dane.h +++ b/include/internal/dane.h @@ -110,7 +110,7 @@ struct dane_ctx_st { /* * Per connection DANE state */ -struct dane_st { +struct ssl_dane_st { struct dane_ctx_st *dctx; STACK_OF(danetls_record) *trecs; STACK_OF(X509) *certs; /* DANE-TA(2) Cert(0) Full(0) certs */ diff --git a/include/openssl/ossl_typ.h b/include/openssl/ossl_typ.h index 7a8d319989e6269db09ae6760afee1bebe2ae9b5..ee6ebcfb677dfc18448b9773bf26616b619e38e3 100644 --- a/include/openssl/ossl_typ.h +++ b/include/openssl/ossl_typ.h @@ -158,6 +158,7 @@ typedef struct ec_key_method_st EC_KEY_METHOD; typedef struct rand_meth_st RAND_METHOD; +typedef struct ssl_dane_st SSL_DANE; typedef struct x509_st X509; typedef struct X509_algor_st X509_ALGOR; typedef struct X509_crl_st X509_CRL; diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index ae9d8f27eb3b5dd9db3e47c341d2266949e5c9b2..8459c93e0547e17a32eb6ae43854ea3a306ced40 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1578,7 +1578,7 @@ __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, * Bridge opacity barrier between libcrypt and libssl, also needed to support * offline testing in test/danetest.c */ -struct dane_st *SSL_get0_dane(SSL *ssl); +SSL_DANE *SSL_get0_dane(SSL *ssl); __owur int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm); __owur int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm); diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 093b0f3d0ae5b4bddc606390bff86b1e2ee766d0..2d0cbc0ddf0fb1c767bad4bd0a9b4c3277a458e9 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -262,7 +262,7 @@ struct x509_store_ctx_st { /* X509_STORE_CTX */ /* For CRL path validation: parent context */ X509_STORE_CTX *parent; CRYPTO_EX_DATA ex_data; - struct dane_st *dane; + SSL_DANE *dane; /* signed via bare TA public key, rather than CA certificate */ int bare_ta_signed; } /* X509_STORE_CTX */ ; @@ -536,7 +536,7 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name); * Bridge opacity barrier between libcrypt and libssl, also needed to support * offline testing in test/danetest.c */ -void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, struct dane_st *dane); +void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane); /* X509_VERIFY_PARAM functions */ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e7f90ec7f0a9dfd78a445ee50d1266d516f0a86f..68fe4965cff59627efe48731302b7fe006091d47 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -257,7 +257,7 @@ static void tlsa_free(danetls_record *t) OPENSSL_free(t); } -static void dane_final(struct dane_st *dane) +static void dane_final(SSL_DANE *dane) { sk_danetls_record_pop_free(dane->trecs, tlsa_free); dane->trecs = NULL; @@ -344,7 +344,7 @@ static int dane_mtype_set( return 1; } -static const EVP_MD *tlsa_md_get(struct dane_st *dane, uint8_t mtype) +static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype) { if (mtype > dane->dctx->mdmax) return NULL; @@ -352,7 +352,7 @@ static const EVP_MD *tlsa_md_get(struct dane_st *dane, uint8_t mtype) } static int dane_tlsa_add( - struct dane_st *dane, + SSL_DANE *dane, uint8_t usage, uint8_t selector, uint8_t mtype, @@ -883,7 +883,7 @@ int SSL_CTX_dane_enable(SSL_CTX *ctx) int SSL_dane_enable(SSL *s, const char *basedomain) { - struct dane_st *dane = &s->dane; + SSL_DANE *dane = &s->dane; if (s->ctx->dane.mdmax == 0) { SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_CONTEXT_NOT_DANE_ENABLED); @@ -926,7 +926,7 @@ int SSL_dane_enable(SSL *s, const char *basedomain) int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki) { - struct dane_st *dane = &s->dane; + SSL_DANE *dane = &s->dane; if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK) return -1; @@ -942,7 +942,7 @@ int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki) int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, uint8_t *mtype, unsigned const char **data, size_t *dlen) { - struct dane_st *dane = &s->dane; + SSL_DANE *dane = &s->dane; if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK) return -1; @@ -961,7 +961,7 @@ int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, return dane->mdpth; } -struct dane_st *SSL_get0_dane(SSL *s) +SSL_DANE *SSL_get0_dane(SSL *s) { return &s->dane; } @@ -4115,7 +4115,7 @@ int ssl_validate_ct(SSL *s) int ret = 0; X509 *cert = s->session != NULL ? s->session->peer : NULL; X509 *issuer; - struct dane_st *dane = &s->dane; + SSL_DANE *dane = &s->dane; CT_POLICY_EVAL_CTX *ctx = NULL; const STACK_OF(SCT) *scts; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 8c8876c88e0a26c1119c78392c2db1bf138a5fc5..c03c12b20c428cca2b52ab9c8f34a20dce7ee47b 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1015,7 +1015,7 @@ struct ssl_st { X509_VERIFY_PARAM *param; /* Per connection DANE state */ - struct dane_st dane; + SSL_DANE dane; /* crypto */ STACK_OF(SSL_CIPHER) *cipher_list;