List: openssl-dev
Subject: [openssl-dev] [openssl.org #3874] [PATCH] Add certificate verify data to SSL struct
From: "Short, Todd via RT" <rt () openssl ! org>
Date: 2015-05-27 20:32:34
Message-ID: rt-4.0.4-1888-1432758754-1080.3874-21-0 () openssl ! org
Hello OpenSSL Org:
This is a change that Akamai has made to its implementation of OpenSSL.
Version: master branch
Description: Add certificate verify data to SSL struct
Add app_verify_callback and app_verify_arg to the SSL structure, add an
SSL_set_cert_verify_callback() API to set them per connection, and add an
SSL_SESSION_set_verify_result() API. The values are copied from the SSL_CTX
into the SSL when the SSL is created.
Github link:
https://github.com/akamai/openssl/commit/a7d729491c2dacd4dae01eb49e1ca3ff797133ff
And attachment.
Thank you.
--
-Todd Short
// tshort@akamai.com
// "One if by land, two if by sea, three if by the Internet."
["0017-Add-certificate-verify-data-to-SSL-struct.patch" (application/octet-stream)]
From a7d729491c2dacd4dae01eb49e1ca3ff797133ff Mon Sep 17 00:00:00 2001
From: Laszlo Kovacs <lkovacs@akamai.com>
Date: Tue, 31 Mar 2015 16:01:17 -0400
Subject: [PATCH 17/26] Add certificate verify data to SSL struct
Add app_verify_callback and app_verify_arg to the SSL structure and add
SSL_SESSION_set_verify_result() API. The values are copied from the
SSL_CTX into the SSL.
(cherry picked from commit 80b9e96d4f624b146daeeb135acb6ee299a8e3df)
Conflicts:
include/openssl/ssl.h
ssl/ssl_cert.c
---
include/openssl/ssl.h | 4 ++++
ssl/ssl_cert.c | 4 +++-
ssl/ssl_lib.c | 17 +++++++++++++++++
ssl/ssl_locl.h | 3 +++
4 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index d14460c..9523a43 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1553,6 +1553,7 @@ int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
# endif
int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
+void SSL_SESSION_set_verify_result(SSL *ssl, long arg);
void SSL_SESSION_free(SSL_SESSION *ses);
__owur int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
__owur int SSL_set_session(SSL *to, SSL_SESSION *session);
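Review bot: The new prototype is named in the SSL_SESSION_* family but takes an `SSL *`, unlike every neighbouring SSL_SESSION_* function here, which takes an `SSL_SESSION *`; a caller holding only a session cannot use it, and the name suggests it can. Either take the session directly, `void SSL_SESSION_set_verify_result(SSL_SESSION *ses, long arg);`, or name it after what it actually operates on, e.g. `SSL_set_session_verify_result`. Whichever is chosen, a one-line comment stating that this sets the verify result stored in the session rather than the connection's own `verify_result` (which `SSL_set_verify_result` sets) would keep the two from being confused.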
@@ -1582,6 +1583,9 @@ void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
int (*cb) (X509_STORE_CTX *, void *),
void *arg);
+void SSL_set_cert_verify_callback(SSL *s,
+ int (*cb) (X509_STORE_CTX *, void *),
+ void *arg);
void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg),
void *arg);
# ifndef OPENSSL_NO_RSA
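Review bot: The new per-SSL setter has no comment explaining how it relates to the SSL_CTX-level one declared just above, and the semantics are not obvious: per the ssl_cert.c hunk of this patch a non-NULL per-SSL callback is used instead of the context's, and a NULL one falls back to it. I would add above the prototype: `/* Per-connection variant of SSL_CTX_set_cert_verify_callback(): a non-NULL cb replaces the SSL_CTX's callback for this SSL; cb == NULL falls back to the SSL_CTX's callback. */`. As with the SSL_CTX variant, a non-NULL callback replaces X509_verify_cert() entirely, so that caveat belongs in the comment too.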
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 987b2b7..063c06a 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -636,7 +636,9 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
- if (s->ctx->app_verify_callback != NULL)
+ if (s->app_verify_callback != NULL)
+ i = s->app_verify_callback(&ctx, s->app_verify_arg);
+ else if (s->ctx->app_verify_callback != NULL)
i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
else {
i = X509_verify_cert(&ctx);
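Review bot: The two new arms are unbraced single statements while the existing `else` arm is braced; in a certificate-verification path this is exactly the shape where a later one-line edit silently changes what runs (the goto-fail pattern), so brace all three arms. Note also that a per-SSL callback entirely replaces the context callback rather than being chained with it, and like the context callback it bypasses X509_verify_cert() altogether, which is worth a one-line comment above the `if`: `/* A per-SSL callback, if set, supersedes the SSL_CTX one; either replaces X509_verify_cert() */`. The rest of ssl_verify_cert_chain(), including what is done with `i`, is outside the hunk.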
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b834c00..cf1276b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -315,6 +315,9 @@ SSL *SSL_new(SSL_CTX *ctx)
s->quiet_shutdown = ctx->quiet_shutdown;
s->max_send_fragment = ctx->max_send_fragment;
+ s->app_verify_callback = ctx->app_verify_callback;
+ s->app_verify_arg = ctx->app_verify_arg;
+
CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
s->ctx = ctx;
#ifndef OPENSSL_NO_TLSEXT
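Review bot: Copying the context's callback into the new SSL turns the per-SSL slot into a snapshot rather than an override, and because ssl_verify_cert_chain() in this patch consults `s->app_verify_callback` first, the SSL_CTX's callback is consulted only when that snapshot is NULL. Concretely, an SSL_CTX_set_cert_verify_callback() call made after SSL_new() is honoured only if the context had no callback at SSL_new() time, and if the connection's context is later replaced (e.g. by SSL_set_SSL_CTX() from an SNI callback, not visible here) the connection keeps verifying with the original context's callback and argument. Unless the snapshot is intended, I would drop these two assignments and leave the fields at their initial value (assuming SSL_new() zero-fills the struct, which is outside the hunk), so that the fallback in ssl_verify_cert_chain() preserves today's behaviour and the per-SSL slot only changes it when SSL_set_cert_verify_callback() is called explicitly.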
@@ -1983,6 +1986,14 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
ctx->app_verify_arg = arg;
}
+void SSL_set_cert_verify_callback(SSL *s,
+ int (*cb) (X509_STORE_CTX *, void *),
+ void *arg)
+{
+ s->app_verify_callback = cb;
+ s->app_verify_arg = arg;
+}
+
void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
int (*cb) (int, X509_STORE_CTX *))
{
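Review bot: Because ssl_verify_cert_chain() in this patch falls back to the SSL_CTX's callback whenever the per-SSL one is NULL, `SSL_set_cert_verify_callback(s, NULL, NULL)` cannot be used to opt a single connection out of a context-level callback and back into plain X509_verify_cert(); that should be stated on this setter, e.g. `/* cb == NULL reverts this SSL to the SSL_CTX's callback (if any); it does not disable the verify callback for this SSL. */`. If opting out is wanted, the slot needs a third state (an explicit flag) rather than overloading NULL. `s` is dereferenced unchecked, which matches SSL_CTX_set_cert_verify_callback() directly above.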
@@ -2967,6 +2978,12 @@ void SSL_set_state(SSL *ssl, int state)
ssl->state = state;
}
+void SSL_SESSION_set_verify_result(SSL *ssl, long arg)
+{
+ if (ssl->session)
+ ssl->session->verify_result = arg;
+}
+
void SSL_set_verify_result(SSL *ssl, long arg)
{
ssl->verify_result = arg;
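Review bot: The new function silently does nothing when `ssl->session` is NULL, so a caller cannot tell whether the value was stored; either return an int (0 when there is no session) or document the no-op explicitly, e.g. `/* No-op if the SSL has no session yet; callers must ensure a session exists. */`. It also differs from SSL_set_verify_result() directly below by writing the session's `verify_result` rather than the connection's; if the session copy is what a resumed connection later reports (not visible here), then stamping a session with a more favourable result affects every later resumption of that session, which deserves a warning in the comment. The enclosing SSL_set_verify_result() continues outside the hunk.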
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 2e83fa5..88f9866 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1240,6 +1240,9 @@ struct ssl_st {
} ctx; /* context/closure handed out to task */
} task;
+ int (*app_verify_callback) (X509_STORE_CTX *, void *);
+ void *app_verify_arg;
+
/* Keep track of bytes passed through SSL */
size_t bytes_written;
size_t bytes_read;
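Review bot: The two new struct fields carry no comment, while their interaction with the identically named SSL_CTX fields is the non-obvious part of this patch. I would annotate them: `/* per-SSL certificate verify callback and argument; NULL means use the SSL_CTX's */`. Reusing the SSL_CTX field names is fine, but the comment is what tells a reader that `s->app_verify_callback` and `s->ctx->app_verify_callback` are not kept in sync after SSL_new().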
--
2.3.2 (Apple Git-55)
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev