Move X509-related verification code into ssl_x509.c.
Change-Id: I9f94033036550ae85c98cd4e09584972b4441b5d
Reviewed-on: https://boringssl-review.googlesource.com/13971
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_x509.c b/ssl/ssl_x509.c
index 9865292..0393714 100644
--- a/ssl/ssl_x509.c
+++ b/ssl/ssl_x509.c
@@ -402,6 +402,18 @@
cert->x509_stash = NULL;
}
+static void ssl_crypto_x509_free(CERT *cert) {
+ ssl_crypto_x509_clear(cert);
+ X509_STORE_free(cert->verify_store);
+}
+
+static void ssl_crypto_x509_dup(CERT *new_cert, const CERT *cert) {
+ if (cert->verify_store != NULL) {
+ X509_STORE_up_ref(cert->verify_store);
+ new_cert->verify_store = cert->verify_store;
+ }
+}
+
static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
STACK_OF(X509) *chain = NULL;
const size_t num_certs = sk_CRYPTO_BUFFER_num(sess->certs);
@@ -474,31 +486,124 @@
session->x509_chain_without_leaf = NULL;
}
+static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
+ SSL *ssl) {
+ STACK_OF(X509) *const cert_chain = session->x509_chain;
+ if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {
+ return 0;
+ }
+
+ X509_STORE *verify_store = ssl->ctx->cert_store;
+ if (ssl->cert->verify_store != NULL) {
+ verify_store = ssl->cert->verify_store;
+ }
+
+ X509 *leaf = sk_X509_value(cert_chain, 0);
+ int ret = 0;
+ X509_STORE_CTX ctx;
+ if (!X509_STORE_CTX_init(&ctx, verify_store, leaf, cert_chain)) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
+ return 0;
+ }
+ if (!X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(),
+ ssl)) {
+ goto err;
+ }
+
+ /* We need to inherit the verify parameters. These can be determined by the
+ * context: if its a server it will verify SSL client certificates or vice
+ * versa. */
+ X509_STORE_CTX_set_default(&ctx, ssl->server ? "ssl_client" : "ssl_server");
+
+ /* Anything non-default in "param" should overwrite anything in the ctx. */
+ X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), ssl->param);
+
+ if (ssl->verify_callback) {
+ X509_STORE_CTX_set_verify_cb(&ctx, ssl->verify_callback);
+ }
+
+ int verify_ret;
+ if (ssl->ctx->app_verify_callback != NULL) {
+ verify_ret = ssl->ctx->app_verify_callback(&ctx, ssl->ctx->app_verify_arg);
+ } else {
+ verify_ret = X509_verify_cert(&ctx);
+ }
+
+ session->verify_result = ctx.error;
+
+ /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
+ if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, ssl_verify_alarm_type(ctx.error));
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
+ goto err;
+ }
+
+ ERR_clear_error();
+ ret = 1;
+
+err:
+ X509_STORE_CTX_cleanup(&ctx);
+ return ret;
+}
+
static void ssl_crypto_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {
sk_X509_NAME_pop_free(hs->cached_x509_ca_names, X509_NAME_free);
hs->cached_x509_ca_names = NULL;
}
+static int ssl_crypto_x509_ssl_new(SSL *ssl) {
+ ssl->param = X509_VERIFY_PARAM_new();
+ if (ssl->param == NULL) {
+ return 0;
+ }
+ X509_VERIFY_PARAM_inherit(ssl->param, ssl->ctx->param);
+ return 1;
+}
+
static void ssl_crypto_x509_ssl_flush_cached_client_CA(SSL *ssl) {
sk_X509_NAME_pop_free(ssl->cached_x509_client_CA, X509_NAME_free);
ssl->cached_x509_client_CA = NULL;
}
+static void ssl_crypto_x509_ssl_free(SSL *ssl) {
+ ssl_crypto_x509_ssl_flush_cached_client_CA(ssl);
+ X509_VERIFY_PARAM_free(ssl->param);
+}
+
static void ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {
sk_X509_NAME_pop_free(ctx->cached_x509_client_CA, X509_NAME_free);
ctx->cached_x509_client_CA = NULL;
}
+static int ssl_crypto_x509_ssl_ctx_new(SSL_CTX *ctx) {
+ ctx->cert_store = X509_STORE_new();
+ ctx->param = X509_VERIFY_PARAM_new();
+ return (ctx->cert_store != NULL && ctx->param != NULL);
+}
+
+static void ssl_crypto_x509_ssl_ctx_free(SSL_CTX *ctx) {
+ ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(ctx);
+ X509_VERIFY_PARAM_free(ctx->param);
+ X509_STORE_free(ctx->cert_store);
+}
+
const SSL_X509_METHOD ssl_crypto_x509_method = {
ssl_crypto_x509_check_client_CA_list,
ssl_crypto_x509_clear,
+ ssl_crypto_x509_free,
+ ssl_crypto_x509_dup,
ssl_crypto_x509_flush_cached_chain,
ssl_crypto_x509_flush_cached_leaf,
ssl_crypto_x509_session_cache_objects,
ssl_crypto_x509_session_dup,
ssl_crypto_x509_session_clear,
+ ssl_crypto_x509_session_verify_cert_chain,
ssl_crypto_x509_hs_flush_cached_ca_names,
+ ssl_crypto_x509_ssl_new,
+ ssl_crypto_x509_ssl_free,
ssl_crypto_x509_ssl_flush_cached_client_CA,
+ ssl_crypto_x509_ssl_ctx_new,
+ ssl_crypto_x509_ssl_ctx_free,
ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
};
@@ -1103,3 +1208,76 @@
ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(ctx);
return 1;
}
+
+static int do_client_cert_cb(SSL *ssl, void *arg) {
+ if (ssl_has_certificate(ssl) || ssl->ctx->client_cert_cb == NULL) {
+ return 1;
+ }
+
+ X509 *x509 = NULL;
+ EVP_PKEY *pkey = NULL;
+ int ret = ssl->ctx->client_cert_cb(ssl, &x509, &pkey);
+ if (ret < 0) {
+ return -1;
+ }
+
+ if (ret != 0) {
+ if (!SSL_use_certificate(ssl, x509) ||
+ !SSL_use_PrivateKey(ssl, pkey)) {
+ return 0;
+ }
+ }
+
+ X509_free(x509);
+ EVP_PKEY_free(pkey);
+ return 1;
+}
+
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl,
+ X509 **out_x509,
+ EVP_PKEY **out_pkey)) {
+ check_ssl_ctx_x509_method(ctx);
+ /* Emulate the old client certificate callback with the new one. */
+ SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);
+ ctx->client_cert_cb = cb;
+}
+
+static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store,
+ int take_ref) {
+ X509_STORE_free(*store_ptr);
+ *store_ptr = new_store;
+
+ if (new_store != NULL && take_ref) {
+ X509_STORE_up_ref(new_store);
+ }
+
+ return 1;
+}
+
+int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
+ /* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
+ * reserved app_data slot. Before ex_data was introduced, app_data was used.
+ * Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
+ * works. */
+ return 0;
+}
+
+int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
+ check_ssl_ctx_x509_method(ctx);
+ return set_cert_store(&ctx->cert->verify_store, store, 0);
+}
+
+int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
+ check_ssl_ctx_x509_method(ctx);
+ return set_cert_store(&ctx->cert->verify_store, store, 1);
+}
+
+int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store) {
+ check_ssl_x509_method(ssl);
+ return set_cert_store(&ssl->cert->verify_store, store, 0);
+}
+
+int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {
+ check_ssl_x509_method(ssl);
+ return set_cert_store(&ssl->cert->verify_store, store, 1);
+}