diff options
author | Bodo Möller <bodo@openssl.org> | 1999-05-01 03:20:40 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 1999-05-01 03:20:40 +0000 |
commit | 7f89714e64d1dc64b50554a92e2a12596b9934ba (patch) | |
tree | 940620d173d8a4c7cbea392ba4c9760b7a6efa23 /ssl | |
parent | 69bb35ed726102975259808dcf7c279f85afef4f (diff) | |
download | openssl-7f89714e64d1dc64b50554a92e2a12596b9934ba.zip openssl-7f89714e64d1dc64b50554a92e2a12596b9934ba.tar.gz openssl-7f89714e64d1dc64b50554a92e2a12596b9934ba.tar.bz2 |
Support verify_depth from the SSL API without need for user-defined
callbacks.
Submitted by:
Reviewed by:
PR:
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl.h | 6 | ||||
-rw-r--r-- | ssl/ssl_cert.c | 2 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 23 |
3 files changed, 31 insertions, 0 deletions
@@ -394,6 +394,7 @@ struct ssl_ctx_st /**/ struct cert_st /* CERT */ *default_cert; /**/ int read_ahead; /**/ int verify_mode; +/**/ int verify_depth; /**/ unsigned int sid_ctx_length; /**/ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; /**/ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); @@ -573,6 +574,7 @@ struct ssl_st /* Used in SSL2 and SSL3 */ int verify_mode; /* 0 don't care about verify failure. * 1 fail if verify fails */ + int verify_depth; int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ void (*info_callback)(); /* optional informational callback */ @@ -851,9 +853,11 @@ BIO * SSL_get_wbio(SSL *s); int SSL_set_cipher_list(SSL *s, char *str); void SSL_set_read_ahead(SSL *s, int yes); int SSL_get_verify_mode(SSL *s); +int SSL_get_verify_depth(SSL *s); int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *); void SSL_set_verify(SSL *s, int mode, int (*callback)(int ok,X509_STORE_CTX *ctx)); +void SSL_set_verify_depth(SSL *s, int depth); #ifndef NO_RSA int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); #endif @@ -912,9 +916,11 @@ X509 * SSL_get_peer_certificate(SSL *s); STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s); int SSL_CTX_get_verify_mode(SSL_CTX *ctx); +int SSL_CTX_get_verify_depth(SSL_CTX *ctx); int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *); void SSL_CTX_set_verify(SSL_CTX *ctx,int mode, int (*callback)(int, X509_STORE_CTX *)); +void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg); #ifndef NO_RSA int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 88cc5fc..91494df 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -185,6 +185,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) x=sk_X509_value(sk,0); X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk); + if (SSL_get_verify_depth(s) >= 0) + X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s)); X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)s); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 8317683..945dab1 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -189,6 +189,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->sid_ctx_length=ctx->sid_ctx_length; memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); s->verify_mode=ctx->verify_mode; + s->verify_depth=ctx->verify_depth; s->verify_callback=ctx->default_verify_callback; CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); s->ctx=ctx; @@ -422,6 +423,11 @@ int SSL_get_verify_mode(SSL *s) return(s->verify_mode); } +int SSL_get_verify_depth(SSL *s) + { + return(s->verify_depth); + } + int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *) { return(s->verify_callback); @@ -432,6 +438,11 @@ int SSL_CTX_get_verify_mode(SSL_CTX *ctx) return(ctx->verify_mode); } +int SSL_CTX_get_verify_depth(SSL_CTX *ctx) + { + return(ctx->verify_depth); + } + int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *) { return(ctx->default_verify_callback); @@ -445,6 +456,11 @@ void SSL_set_verify(SSL *s,int mode, s->verify_callback=callback; } +void SSL_set_verify_depth(SSL *s,int depth) + { + s->verify_depth=depth; + } + void SSL_set_read_ahead(SSL *s,int yes) { s->read_ahead=yes; @@ -961,6 +977,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) ret->read_ahead=0; ret->verify_mode=SSL_VERIFY_NONE; + ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ ret->default_verify_callback=NULL; if ((ret->default_cert=ssl_cert_new()) == NULL) goto err; @@ -1079,6 +1096,11 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) X509_STORE_set_verify_cb_func(ctx->cert_store,cb); } +void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) + { + ctx->verify_depth=depth; + } + /* Need default_cert to check for callbacks, for now (see comment in CERT strucure) */ @@ -1463,6 +1485,7 @@ SSL *SSL_dup(SSL *s) SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); SSL_set_verify(ret,SSL_get_verify_mode(s), SSL_get_verify_callback(s)); + SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); SSL_set_info_callback(ret,SSL_get_info_callback(s)); |