root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

x509_lu.c and x509_vfy.c: improve coding style, comments, and related doc 

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18840)
This commit is contained in:
Dr. David von Oheimb 2022-07-20 15:33:51 +02:00 committed by Dr. David von Oheimb
parent affc070aab
commit c34e78766f
8 changed files with 226 additions and 219 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

214
crypto/x509/x509_lu.c
View File

@ -41,14 +41,14 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
OPENSSL_free(ctx);
}
int X509_STORE_lock(X509_STORE *s)
int X509_STORE_lock(X509_STORE *xs)
{
return CRYPTO_THREAD_write_lock(s->lock);
return CRYPTO_THREAD_write_lock(xs->lock);
}
int X509_STORE_unlock(X509_STORE *s)
int X509_STORE_unlock(X509_STORE *xs)
{
return CRYPTO_THREAD_unlock(s->lock);
return CRYPTO_THREAD_unlock(xs->lock);
}
int X509_LOOKUP_init(X509_LOOKUP *ctx)
@ -154,7 +154,6 @@ X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx)
return ctx->store_ctx;
}
static int x509_object_cmp(const X509_OBJECT *const *a,
const X509_OBJECT *const *b)
{
@ -220,54 +219,54 @@ err:
return NULL;
}
void X509_STORE_free(X509_STORE *vfy)
void X509_STORE_free(X509_STORE *xs)
{
int i;
STACK_OF(X509_LOOKUP) *sk;
X509_LOOKUP *lu;
if (vfy == NULL)
if (xs == NULL)
return;
CRYPTO_DOWN_REF(&vfy->references, &i, vfy->lock);
REF_PRINT_COUNT("X509_STORE", vfy);
CRYPTO_DOWN_REF(&xs->references, &i, xs->lock);
REF_PRINT_COUNT("X509_STORE", xs);
if (i > 0)
return;
REF_ASSERT_ISNT(i < 0);
sk = vfy->get_cert_methods;
sk = xs->get_cert_methods;
for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
lu = sk_X509_LOOKUP_value(sk, i);
X509_LOOKUP_shutdown(lu);
X509_LOOKUP_free(lu);
}
sk_X509_LOOKUP_free(sk);
sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free);
sk_X509_OBJECT_pop_free(xs->objs, X509_OBJECT_free);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
X509_VERIFY_PARAM_free(vfy->param);
CRYPTO_THREAD_lock_free(vfy->lock);
OPENSSL_free(vfy);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, xs, &xs->ex_data);
X509_VERIFY_PARAM_free(xs->param);
CRYPTO_THREAD_lock_free(xs->lock);
OPENSSL_free(xs);
}
int X509_STORE_up_ref(X509_STORE *vfy)
int X509_STORE_up_ref(X509_STORE *xs)
{
int i;
if (CRYPTO_UP_REF(&vfy->references, &i, vfy->lock) <= 0)
if (CRYPTO_UP_REF(&xs->references, &i, xs->lock) <= 0)
return 0;
REF_PRINT_COUNT("X509_STORE", vfy);
REF_PRINT_COUNT("X509_STORE", xs);
REF_ASSERT_ISNT(i < 2);
return ((i > 1) ? 1 : 0);
return i > 1 ? 1 : 0;
}
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *xs, X509_LOOKUP_METHOD *m)
{
int i;
STACK_OF(X509_LOOKUP) *sk;
X509_LOOKUP *lu;
sk = v->get_cert_methods;
sk = xs->get_cert_methods;
for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
lu = sk_X509_LOOKUP_value(sk, i);
if (m == lu->method) {
@ -281,8 +280,8 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
return NULL;
}
lu->store_ctx = v;
if (sk_X509_LOOKUP_push(v->get_cert_methods, lu))
lu->store_ctx = xs;
if (sk_X509_LOOKUP_push(xs->get_cert_methods, lu))
return lu;
/* malloc failed */
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
@ -290,7 +289,8 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
return NULL;
}
X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
/* Also fill the cache (ctx->store->objs) with all matching certificates. */
X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *ctx,
X509_LOOKUP_TYPE type,
const X509_NAME *name)
{
@ -298,7 +298,7 @@ X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
if (ret == NULL)
return NULL;
if (!X509_STORE_CTX_get_by_subject(vs, type, name, ret)) {
if (!X509_STORE_CTX_get_by_subject(ctx, type, name, ret)) {
X509_OBJECT_free(ret);
return NULL;
}
@ -306,16 +306,18 @@ X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
}
/*
* May be called with |ret| == NULL just for the side effect of
* caching all certs matching the given subject DN in |ctx->store->objs|.
* Returns 1 if successful,
* 0 if not found or X509_LOOKUP_by_subject_ex() returns an error,
* -1 on failure
*/
static int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *vs,
static int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *ctx,
X509_LOOKUP_TYPE type,
const X509_NAME *name,
X509_OBJECT *ret)
{
X509_STORE *store = vs->store;
X509_STORE *store = ctx->store;
X509_LOOKUP *lu;
X509_OBJECT stmp, *tmp;
int i, j;
@ -339,7 +341,7 @@ static int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *vs,
if (lu->method == NULL)
return -1;
j = X509_LOOKUP_by_subject_ex(lu, type, name, &stmp,
vs->libctx, vs->propq);
ctx->libctx, ctx->propq);
if (j != 0) { /* non-zero value is considered success here */
tmp = &stmp;
break;
@ -356,15 +358,16 @@ static int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *vs,
return 1;
}
/* Also fill the cache with all matching certificates */
int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs,
/* Also fill the cache |ctx->store->objs| with all matching certificates. */
int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *ctx,
X509_LOOKUP_TYPE type,
const X509_NAME *name, X509_OBJECT *ret)
{
return ossl_x509_store_ctx_get_by_subject(vs, type, name, ret) > 0;
return ossl_x509_store_ctx_get_by_subject(ctx, type, name, ret) > 0;
}
static int x509_store_add(X509_STORE *store, void *x, int crl) {
static int x509_store_add(X509_STORE *store, void *x, int crl)
{
X509_OBJECT *obj;
int ret = 0, added = 0;
@ -407,18 +410,18 @@ static int x509_store_add(X509_STORE *store, void *x, int crl) {
return ret;
}
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
int X509_STORE_add_cert(X509_STORE *xs, X509 *x)
{
if (!x509_store_add(ctx, x, 0)) {
if (!x509_store_add(xs, x, 0)) {
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return 0;
}
return 1;
}
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
int X509_STORE_add_crl(X509_STORE *xs, X509_CRL *x)
{
if (!x509_store_add(ctx, x, 1)) {
if (!x509_store_add(xs, x, 1)) {
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return 0;
}
@ -557,9 +560,9 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
return sk_X509_OBJECT_value(h, idx);
}
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *v)
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *xs)
{
return v->objs;
return xs->objs;
}
STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store)
@ -727,8 +730,9 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
} else if (x->type == X509_LU_CRL) {
if (X509_CRL_match(obj->data.crl, x->data.crl) == 0)
return obj;
} else
} else {
return obj;
}
}
return NULL;
}
@ -817,176 +821,176 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
return ret;
}
int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
int X509_STORE_set_flags(X509_STORE *xs, unsigned long flags)
{
return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
return X509_VERIFY_PARAM_set_flags(xs->param, flags);
}
int X509_STORE_set_depth(X509_STORE *ctx, int depth)
int X509_STORE_set_depth(X509_STORE *xs, int depth)
{
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
X509_VERIFY_PARAM_set_depth(xs->param, depth);
return 1;
}
int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
int X509_STORE_set_purpose(X509_STORE *xs, int purpose)
{
return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
return X509_VERIFY_PARAM_set_purpose(xs->param, purpose);
}
int X509_STORE_set_trust(X509_STORE *ctx, int trust)
int X509_STORE_set_trust(X509_STORE *xs, int trust)
{
return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
return X509_VERIFY_PARAM_set_trust(xs->param, trust);
}
int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *param)
int X509_STORE_set1_param(X509_STORE *xs, const X509_VERIFY_PARAM *param)
{
return X509_VERIFY_PARAM_set1(ctx->param, param);
return X509_VERIFY_PARAM_set1(xs->param, param);
}
X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx)
X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *xs)
{
return ctx->param;
return xs->param;
}
void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify)
void X509_STORE_set_verify(X509_STORE *xs, X509_STORE_CTX_verify_fn verify)
{
ctx->verify = verify;
xs->verify = verify;
}
X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *ctx)
X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *xs)
{
return ctx->verify;
return xs->verify;
}
void X509_STORE_set_verify_cb(X509_STORE *ctx,
void X509_STORE_set_verify_cb(X509_STORE *xs,
X509_STORE_CTX_verify_cb verify_cb)
{
ctx->verify_cb = verify_cb;
xs->verify_cb = verify_cb;
}
X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *ctx)
X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *xs)
{
return ctx->verify_cb;
return xs->verify_cb;
}
void X509_STORE_set_get_issuer(X509_STORE *ctx,
void X509_STORE_set_get_issuer(X509_STORE *xs,
X509_STORE_CTX_get_issuer_fn get_issuer)
{
ctx->get_issuer = get_issuer;
xs->get_issuer = get_issuer;
}
X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *ctx)
X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *xs)
{
return ctx->get_issuer;
return xs->get_issuer;
}
void X509_STORE_set_check_issued(X509_STORE *ctx,
void X509_STORE_set_check_issued(X509_STORE *xs,
X509_STORE_CTX_check_issued_fn check_issued)
{
ctx->check_issued = check_issued;
xs->check_issued = check_issued;
}
X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *ctx)
X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *xs)
{
return ctx->check_issued;
return xs->check_issued;
}
void X509_STORE_set_check_revocation(X509_STORE *ctx,
X509_STORE_CTX_check_revocation_fn check_revocation)
void X509_STORE_set_check_revocation(X509_STORE *xs,
X509_STORE_CTX_check_revocation_fn cb)
{
ctx->check_revocation = check_revocation;
xs->check_revocation = cb;
}
X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(const X509_STORE *ctx)
X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(const X509_STORE *xs)
{
return ctx->check_revocation;
return xs->check_revocation;
}
void X509_STORE_set_get_crl(X509_STORE *ctx,
void X509_STORE_set_get_crl(X509_STORE *xs,
X509_STORE_CTX_get_crl_fn get_crl)
{
ctx->get_crl = get_crl;
xs->get_crl = get_crl;
}
X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *ctx)
X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *xs)
{
return ctx->get_crl;
return xs->get_crl;
}
void X509_STORE_set_check_crl(X509_STORE *ctx,
void X509_STORE_set_check_crl(X509_STORE *xs,
X509_STORE_CTX_check_crl_fn check_crl)
{
ctx->check_crl = check_crl;
xs->check_crl = check_crl;
}
X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *ctx)
X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *xs)
{
return ctx->check_crl;
return xs->check_crl;
}
void X509_STORE_set_cert_crl(X509_STORE *ctx,
void X509_STORE_set_cert_crl(X509_STORE *xs,
X509_STORE_CTX_cert_crl_fn cert_crl)
{
ctx->cert_crl = cert_crl;
xs->cert_crl = cert_crl;
}
X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *ctx)
X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *xs)
{
return ctx->cert_crl;
return xs->cert_crl;
}
void X509_STORE_set_check_policy(X509_STORE *ctx,
void X509_STORE_set_check_policy(X509_STORE *xs,
X509_STORE_CTX_check_policy_fn check_policy)
{
ctx->check_policy = check_policy;
xs->check_policy = check_policy;
}
X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *ctx)
X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *xs)
{
return ctx->check_policy;
return xs->check_policy;
}
void X509_STORE_set_lookup_certs(X509_STORE *ctx,
void X509_STORE_set_lookup_certs(X509_STORE *xs,
X509_STORE_CTX_lookup_certs_fn lookup_certs)
{
ctx->lookup_certs = lookup_certs;
xs->lookup_certs = lookup_certs;
}
X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *ctx)
X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *xs)
{
return ctx->lookup_certs;
return xs->lookup_certs;
}
void X509_STORE_set_lookup_crls(X509_STORE *ctx,
void X509_STORE_set_lookup_crls(X509_STORE *xs,
X509_STORE_CTX_lookup_crls_fn lookup_crls)
{
ctx->lookup_crls = lookup_crls;
xs->lookup_crls = lookup_crls;
}
X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *ctx)
X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *xs)
{
return ctx->lookup_crls;
return xs->lookup_crls;
}
void X509_STORE_set_cleanup(X509_STORE *ctx,
X509_STORE_CTX_cleanup_fn ctx_cleanup)
void X509_STORE_set_cleanup(X509_STORE *xs,
X509_STORE_CTX_cleanup_fn cleanup)
{
ctx->cleanup = ctx_cleanup;
xs->cleanup = cleanup;
}
X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *ctx)
X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *xs)
{
return ctx->cleanup;
return xs->cleanup;
}
int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data)
int X509_STORE_set_ex_data(X509_STORE *xs, int idx, void *data)
{
return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
return CRYPTO_set_ex_data(&xs->ex_data, idx, data);
}
void *X509_STORE_get_ex_data(const X509_STORE *ctx, int idx)
void *X509_STORE_get_ex_data(const X509_STORE *xs, int idx)
{
return CRYPTO_get_ex_data(&ctx->ex_data, idx);
return CRYPTO_get_ex_data(&xs->ex_data, idx);
}
X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx)

31
crypto/x509/x509_vfy.c
View File

@ -124,6 +124,7 @@ static int lookup_cert_match(X509 **result, X509_STORE_CTX *ctx, X509 *x)
ERR_pop_to_mark();
if (certs == NULL)
return -1;
/* Look for exact match */
for (i = 0; i < sk_X509_num(certs); i++) {
xtmp = sk_X509_value(certs, i);
@ -348,7 +349,7 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
return rv;
}
/* Check that the given certificate 'x' is issued by the certificate 'issuer' */
/* Check that the given certificate |x| is issued by the certificate |issuer| */
static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
int err = ossl_x509_likely_issued(issuer, x);
@ -369,17 +370,16 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
if (*issuer != NULL)
return X509_up_ref(*issuer) ? 1 : -1;
return 0;
if (*issuer == NULL)
return 0;
return X509_up_ref(*issuer) ? 1 : -1;
}
/*-
* Alternative lookup method: look from a STACK stored in other_ctx.
* Returns NULL on internal/fatal error, empty stack if not found.
*/
static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx,
const X509_NAME *nm)
static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, const X509_NAME *nm)
{
STACK_OF(X509) *sk = sk_X509_new_null();
X509 *x;
@ -874,7 +874,7 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
res = lookup_cert_match(&mx, ctx, x);
if (res < 0)
return res;
if (mx == NULL)
if (res == 0)
return X509_TRUST_UNTRUSTED;
/*
@ -1858,6 +1858,7 @@ int X509_cmp_current_time(const ASN1_TIME *ctm)
return X509_cmp_time(ctm, NULL);
}
/* returns 0 on error, otherwise 1 if ctm > cmp_time, else -1 */
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
{
static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
@ -3164,11 +3165,8 @@ static int build_chain(X509_STORE_CTX *ctx)
dane->pdpth = -1;
}
/*
* Self-signed untrusted certificates get replaced by their
* trusted matching issuer. Otherwise, grow the chain.
*/
if (!self_signed) {
if (!self_signed) { /* untrusted not self-signed certificate */
/* Grow the chain by trusted issuer */
if (!sk_X509_push(ctx->chain, issuer)) {
X509_free(issuer);
goto memerr;
@ -3177,7 +3175,7 @@ static int build_chain(X509_STORE_CTX *ctx)
goto int_err;
} else {
/*
* We have a self-signed certificate that has the same
* We have a self-signed untrusted cert that has the same
* subject name (and perhaps keyid and/or serial number) as
* a trust anchor. We must have an exact match to avoid
* possible impersonation via key substitution etc.
@ -3187,6 +3185,10 @@ static int build_chain(X509_STORE_CTX *ctx)
X509_free(issuer);
ok = 0;
} else { /* curr "==" issuer */
/*
* Replace self-signed untrusted certificate
* by its trusted matching issuer.
*/
X509_free(curr);
ctx->num_untrusted = --num;
(void)sk_X509_set(ctx->chain, num, issuer);
@ -3239,7 +3241,7 @@ static int build_chain(X509_STORE_CTX *ctx)
}
/*
* Extend chain with peer-provided untrusted certificates
* Try to extend chain with peer-provided untrusted certificate
*/
if ((search & S_DOUNTRUSTED) != 0) {
num = sk_X509_num(ctx->chain);
@ -3263,6 +3265,7 @@ static int build_chain(X509_STORE_CTX *ctx)
/* Drop this issuer from future consideration */
(void)sk_X509_delete_ptr(sk_untrusted, issuer);
/* Grow the chain by untrusted issuer */
if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF))
goto int_err;

1
doc/man3/X509_STORE_CTX_new.pod
View File

@ -74,6 +74,7 @@ X509_STORE_CTX_free() completely frees up I<ctx>. After this call I<ctx>
is no longer valid.
If I<ctx> is NULL nothing is done.
X509_STORE_CTX_init() sets up I<ctx> for a subsequent verification operation.
It must be called before each call to L<X509_verify_cert(3)> or
L<X509_STORE_CTX_verify(3)>, i.e., a context is only good for one verification.
If you want to verify a further certificate or chain with the same I<ctx>

28
doc/man3/X509_STORE_add_cert.pod
View File

@ -18,30 +18,30 @@ X509_STORE_load_locations_ex, X509_STORE_load_locations
typedef x509_store_st X509_STORE;
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
int X509_STORE_add_cert(X509_STORE *xs, X509 *x);
int X509_STORE_add_crl(X509_STORE *xs, X509_CRL *x);
int X509_STORE_set_depth(X509_STORE *store, int depth);
int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
int X509_STORE_set_trust(X509_STORE *ctx, int trust);
int X509_STORE_set_flags(X509_STORE *xs, unsigned long flags);
int X509_STORE_set_purpose(X509_STORE *xs, int purpose);
int X509_STORE_set_trust(X509_STORE *xs, int trust);
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store,
X509_LOOKUP_METHOD *meth);
int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
int X509_STORE_set_default_paths_ex(X509_STORE *xs, OSSL_LIB_CTX *libctx,
const char *propq);
int X509_STORE_set_default_paths(X509_STORE *ctx);
int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
int X509_STORE_set_default_paths(X509_STORE *xs);
int X509_STORE_load_file_ex(X509_STORE *xs, const char *file,
OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_load_file(X509_STORE *ctx, const char *file);
int X509_STORE_load_path(X509_STORE *ctx, const char *dir);
int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
int X509_STORE_load_file(X509_STORE *xs, const char *file);
int X509_STORE_load_path(X509_STORE *xs, const char *dir);
int X509_STORE_load_store_ex(X509_STORE *xs, const char *uri,
OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_load_store(X509_STORE *ctx, const char *uri);
int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
int X509_STORE_load_store(X509_STORE *xs, const char *uri);
int X509_STORE_load_locations_ex(X509_STORE *xs, const char *file,
const char *dir, OSSL_LIB_CTX *libctx,
const char *propq);
int X509_STORE_load_locations(X509_STORE *ctx,
int X509_STORE_load_locations(X509_STORE *xs,
const char *file, const char *dir);
=head1 DESCRIPTION

13
doc/man3/X509_STORE_get0_param.pod
View File

@ -10,18 +10,17 @@ X509_STORE_get0_objects, X509_STORE_get1_all_certs
#include <openssl/x509_vfy.h>
X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx);
int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *pm);
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *ctx);
STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *st);
X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *xs);
int X509_STORE_set1_param(X509_STORE *xs, const X509_VERIFY_PARAM *pm);
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *xs);
STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *xs);
=head1 DESCRIPTION
X509_STORE_set1_param() sets the verification parameters
to B<pm> for B<ctx>.
X509_STORE_set1_param() sets the verification parameters to I<pm> for I<xs>.
X509_STORE_get0_param() retrieves an internal pointer to the verification
parameters for B<ctx>. The returned pointer must not be freed by the
parameters for I<xs>. The returned pointer must not be freed by the
calling application
X509_STORE_get0_objects() retrieves an internal pointer to the store's

8
doc/man3/X509_STORE_new.pod
View File

@ -11,10 +11,10 @@ X509_STORE_lock,X509_STORE_unlock
#include <openssl/x509_vfy.h>
X509_STORE *X509_STORE_new(void);
void X509_STORE_free(X509_STORE *v);
int X509_STORE_lock(X509_STORE *v);
int X509_STORE_unlock(X509_STORE *v);
int X509_STORE_up_ref(X509_STORE *v);
void X509_STORE_free(X509_STORE *xs);
int X509_STORE_lock(X509_STORE *xs);
int X509_STORE_unlock(X509_STORE *xs);
int X509_STORE_up_ref(X509_STORE *xs);
=head1 DESCRIPTION

42
doc/man3/X509_STORE_set_verify_cb_func.pod
View File

@ -58,78 +58,78 @@ X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn
const X509_NAME *nm);
typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
void X509_STORE_set_verify_cb(X509_STORE *ctx,
void X509_STORE_set_verify_cb(X509_STORE *xs,
X509_STORE_CTX_verify_cb verify_cb);
X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE_CTX *ctx);
void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
void X509_STORE_set_verify(X509_STORE *xs, X509_STORE_CTX_verify_fn verify);
X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx);
int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE_CTX *ctx);
void X509_STORE_set_get_issuer(X509_STORE *ctx,
void X509_STORE_set_get_issuer(X509_STORE *xs,
X509_STORE_CTX_get_issuer_fn get_issuer);
void X509_STORE_set_check_issued(X509_STORE *ctx,
void X509_STORE_set_check_issued(X509_STORE *xs,
X509_STORE_CTX_check_issued_fn check_issued);
X509_STORE_CTX_check_issued_fn
X509_STORE_get_check_issued(const X509_STORE_CTX *ctx);
void X509_STORE_set_check_revocation(X509_STORE *ctx,
void X509_STORE_set_check_revocation(X509_STORE *xs,
X509_STORE_CTX_check_revocation_fn check_revocation);
X509_STORE_CTX_check_revocation_fn
X509_STORE_get_check_revocation(const X509_STORE_CTX *ctx);
void X509_STORE_set_get_crl(X509_STORE *ctx,
void X509_STORE_set_get_crl(X509_STORE *xs,
X509_STORE_CTX_get_crl_fn get_crl);
X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE_CTX *ctx);
void X509_STORE_set_check_crl(X509_STORE *ctx,
void X509_STORE_set_check_crl(X509_STORE *xs,
X509_STORE_CTX_check_crl_fn check_crl);
X509_STORE_CTX_check_crl_fn
X509_STORE_get_check_crl(const X509_STORE_CTX *ctx);
void X509_STORE_set_cert_crl(X509_STORE *ctx,
void X509_STORE_set_cert_crl(X509_STORE *xs,
X509_STORE_CTX_cert_crl_fn cert_crl);
X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE_CTX *ctx);
void X509_STORE_set_check_policy(X509_STORE *ctx,
void X509_STORE_set_check_policy(X509_STORE *xs,
X509_STORE_CTX_check_policy_fn check_policy);
X509_STORE_CTX_check_policy_fn
X509_STORE_get_check_policy(const X509_STORE_CTX *ctx);
void X509_STORE_set_lookup_certs(X509_STORE *ctx,
void X509_STORE_set_lookup_certs(X509_STORE *xs,
X509_STORE_CTX_lookup_certs_fn lookup_certs);
X509_STORE_CTX_lookup_certs_fn
X509_STORE_get_lookup_certs(const X509_STORE_CTX *ctx);
void X509_STORE_set_lookup_crls(X509_STORE *ctx,
void X509_STORE_set_lookup_crls(X509_STORE *xs,
X509_STORE_CTX_lookup_crls_fn lookup_crls);
X509_STORE_CTX_lookup_crls_fn
X509_STORE_get_lookup_crls(const X509_STORE_CTX *ctx);
void X509_STORE_set_cleanup(X509_STORE *ctx,
void X509_STORE_set_cleanup(X509_STORE *xs,
X509_STORE_CTX_cleanup_fn cleanup);
X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE_CTX *ctx);
/* Aliases */
void X509_STORE_set_verify_cb_func(X509_STORE *st,
X509_STORE_CTX_verify_cb verify_cb);
void X509_STORE_set_verify_func(X509_STORE *ctx,
void X509_STORE_set_verify_func(X509_STORE *xs,
X509_STORE_CTX_verify_fn verify);
void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
void X509_STORE_set_lookup_crls_cb(X509_STORE *xs,
X509_STORE_CTX_lookup_crls_fn lookup_crls);
=head1 DESCRIPTION
X509_STORE_set_verify_cb() sets the verification callback of I<ctx> to
X509_STORE_set_verify_cb() sets the verification callback of I<xs> to
I<verify_cb> overwriting the previous callback.
The callback assigned with this function becomes a default for the one
that can be assigned directly to the corresponding B<X509_STORE_CTX>,
please see L<X509_STORE_CTX_set_verify_cb(3)> for further information.
X509_STORE_set_verify() sets the final chain verification function for
I<ctx> to I<verify>.
I<xs> to I<verify>.
Its purpose is to go through the chain of certificates and check that
all signatures are valid and that the current time is within the
limits of each certificate's first and last validity time.
@ -139,12 +139,14 @@ I<If no chain verification function is provided, the internal default
function will be used instead.>
X509_STORE_CTX_get1_issuer() tries to find a certificate from the I<store>
component of I<ctx> with a subject name matching the issuer name of I<x>.
On success it assigns to I<*issuer> the first match that is currently valid,
or at least the most recently expired match if there is no currently valid one.
component of I<ctx> that has a subject name matching the issuer name of I<x>
and is accepted by the I<check_issued> function in I<ctx>.
On success it assigns to I<*issuer> the first match that has a suitable validity
period or otherwise has the latest expiration date of all matching certificates.
If the function returns 1 the caller is responsible for freeing I<*issuer>.
Note that this search does not support backtracking.
X509_STORE_set_get_issuer() sets the function I<get_issuer>
X509_STORE_set_get_issuer() sets the function I<get_issuer> that is used
to get the "best" candidate issuer certificate of the given certificate I<x>.
When such a certificate is found, I<get_issuer> must up-ref and assign it
to I<*issuer> and then return 1.

108
include/openssl/x509_vfy.h.in
View File

@ -394,71 +394,71 @@ int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj);
X509_CRL *X509_OBJECT_get0_X509_CRL(const X509_OBJECT *a);
int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj);
X509_STORE *X509_STORE_new(void);
void X509_STORE_free(X509_STORE *v);
int X509_STORE_lock(X509_STORE *ctx);
int X509_STORE_unlock(X509_STORE *ctx);
int X509_STORE_up_ref(X509_STORE *v);
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *v);
STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *st);
STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *st,
void X509_STORE_free(X509_STORE *xs);
int X509_STORE_lock(X509_STORE *xs);
int X509_STORE_unlock(X509_STORE *xs);
int X509_STORE_up_ref(X509_STORE *xs);
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *xs);
STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *xs);
STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *xs,
const X509_NAME *nm);
STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *st,
const X509_NAME *nm);
int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
int X509_STORE_set_trust(X509_STORE *ctx, int trust);
int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *pm);
X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx);
int X509_STORE_set_flags(X509_STORE *xs, unsigned long flags);
int X509_STORE_set_purpose(X509_STORE *xs, int purpose);
int X509_STORE_set_trust(X509_STORE *xs, int trust);
int X509_STORE_set1_param(X509_STORE *xs, const X509_VERIFY_PARAM *pm);
X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *xs);
void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
void X509_STORE_set_verify(X509_STORE *xs, X509_STORE_CTX_verify_fn verify);
#define X509_STORE_set_verify_func(ctx, func) \
X509_STORE_set_verify((ctx),(func))
void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
X509_STORE_CTX_verify_fn verify);
X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *ctx);
void X509_STORE_set_verify_cb(X509_STORE *ctx,
X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *xs);
void X509_STORE_set_verify_cb(X509_STORE *xs,
X509_STORE_CTX_verify_cb verify_cb);
# define X509_STORE_set_verify_cb_func(ctx,func) \
X509_STORE_set_verify_cb((ctx),(func))
X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *ctx);
void X509_STORE_set_get_issuer(X509_STORE *ctx,
X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *xs);
void X509_STORE_set_get_issuer(X509_STORE *xs,
X509_STORE_CTX_get_issuer_fn get_issuer);
X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *ctx);
void X509_STORE_set_check_issued(X509_STORE *ctx,
X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *xs);
void X509_STORE_set_check_issued(X509_STORE *xs,
X509_STORE_CTX_check_issued_fn check_issued);
X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *ctx);
void X509_STORE_set_check_revocation(X509_STORE *ctx,
X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *s);
void X509_STORE_set_check_revocation(X509_STORE *xs,
X509_STORE_CTX_check_revocation_fn check_revocation);
X509_STORE_CTX_check_revocation_fn
X509_STORE_get_check_revocation(const X509_STORE *ctx);
void X509_STORE_set_get_crl(X509_STORE *ctx,
X509_STORE_get_check_revocation(const X509_STORE *xs);
void X509_STORE_set_get_crl(X509_STORE *xs,
X509_STORE_CTX_get_crl_fn get_crl);
X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *ctx);
void X509_STORE_set_check_crl(X509_STORE *ctx,
X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *xs);
void X509_STORE_set_check_crl(X509_STORE *xs,
X509_STORE_CTX_check_crl_fn check_crl);
X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *ctx);
void X509_STORE_set_cert_crl(X509_STORE *ctx,
X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *xs);
void X509_STORE_set_cert_crl(X509_STORE *xs,
X509_STORE_CTX_cert_crl_fn cert_crl);
X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *ctx);
void X509_STORE_set_check_policy(X509_STORE *ctx,
X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *xs);
void X509_STORE_set_check_policy(X509_STORE *xs,
X509_STORE_CTX_check_policy_fn check_policy);
X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *ctx);
void X509_STORE_set_lookup_certs(X509_STORE *ctx,
X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *s);
void X509_STORE_set_lookup_certs(X509_STORE *xs,
X509_STORE_CTX_lookup_certs_fn lookup_certs);
X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *ctx);
void X509_STORE_set_lookup_crls(X509_STORE *ctx,
X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *s);
void X509_STORE_set_lookup_crls(X509_STORE *xs,
X509_STORE_CTX_lookup_crls_fn lookup_crls);
#define X509_STORE_set_lookup_crls_cb(ctx, func) \
X509_STORE_set_lookup_crls((ctx), (func))
X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *ctx);
void X509_STORE_set_cleanup(X509_STORE *ctx,
X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *xs);
void X509_STORE_set_cleanup(X509_STORE *xs,
X509_STORE_CTX_cleanup_fn cleanup);
X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *ctx);
X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *xs);
#define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, l, p, newf, dupf, freef)
int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data);
void *X509_STORE_get_ex_data(const X509_STORE *ctx, int idx);
int X509_STORE_set_ex_data(X509_STORE *xs, int idx, void *data);
void *X509_STORE_get_ex_data(const X509_STORE *xs, int idx);
X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
X509_STORE_CTX *X509_STORE_CTX_new(void);
@ -503,7 +503,7 @@ X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(const X509_STORE_CTX *ctx);
# define X509_STORE_get1_crl X509_STORE_CTX_get1_crls
#endif
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *xs, X509_LOOKUP_METHOD *m);
X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
X509_LOOKUP_METHOD *X509_LOOKUP_store(void);
@ -588,8 +588,8 @@ X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias(
const X509_LOOKUP_METHOD *method);
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
int X509_STORE_add_cert(X509_STORE *xs, X509 *x);
int X509_STORE_add_crl(X509_STORE *xs, X509_CRL *x);
int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs,
X509_LOOKUP_TYPE type,
@ -633,23 +633,21 @@ void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx);
X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx);
int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
int X509_STORE_load_file(X509_STORE *ctx, const char *file);
int X509_STORE_load_path(X509_STORE *ctx, const char *path);
int X509_STORE_load_store(X509_STORE *ctx, const char *store);
int X509_STORE_load_locations(X509_STORE *ctx,
const char *file,
const char *dir);
int X509_STORE_set_default_paths(X509_STORE *ctx);
int X509_STORE_load_file(X509_STORE *xs, const char *file);
int X509_STORE_load_path(X509_STORE *xs, const char *path);
int X509_STORE_load_store(X509_STORE *xs, const char *store);
int X509_STORE_load_locations(X509_STORE *s, const char *file, const char *dir);
int X509_STORE_set_default_paths(X509_STORE *xs);
int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
int X509_STORE_load_file_ex(X509_STORE *xs, const char *file,
OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_load_store_ex(X509_STORE *ctx, const char *store,
int X509_STORE_load_store_ex(X509_STORE *xs, const char *store,
OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
const char *dir, OSSL_LIB_CTX *libctx,
const char *propq);
int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
const char *propq);
int X509_STORE_load_locations_ex(X509_STORE *xs,
const char *file, const char *dir,
OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_set_default_paths_ex(X509_STORE *xs,
OSSL_LIB_CTX *libctx, const char *propq);
#define X509_STORE_CTX_get_ex_new_index(l, p, newf, dupf, freef) \
CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, l, p, newf, dupf, freef)