summaryrefslogtreecommitdiff
path: root/src/ssl/ssl_x509.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/ssl/ssl_x509.cc')
-rw-r--r--src/ssl/ssl_x509.cc134
1 files changed, 65 insertions, 69 deletions
diff --git a/src/ssl/ssl_x509.cc b/src/ssl/ssl_x509.cc
index 841482f8..cda76117 100644
--- a/src/ssl/ssl_x509.cc
+++ b/src/ssl/ssl_x509.cc
@@ -200,19 +200,19 @@ static UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_leafless_chain(void) {
// forms of elements of |chain|. It returns one on success or zero on error, in
// which case no change to |cert->chain| is made. It preverses the existing
// leaf from |cert->chain|, if any.
-static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
+static bool ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_chain;
if (cert->chain != nullptr) {
new_chain.reset(sk_CRYPTO_BUFFER_new_null());
if (!new_chain) {
- return 0;
+ return false;
}
// |leaf| might be NULL if it's a “leafless” chain.
CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cert->chain.get(), 0);
if (!PushToStack(new_chain.get(), UpRef(leaf))) {
- return 0;
+ return false;
}
}
@@ -220,32 +220,32 @@ static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
if (!new_chain) {
new_chain = new_leafless_chain();
if (!new_chain) {
- return 0;
+ return false;
}
}
UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
if (!buffer ||
!PushToStack(new_chain.get(), std::move(buffer))) {
- return 0;
+ return false;
}
}
cert->chain = std::move(new_chain);
- return 1;
+ return true;
}
static void ssl_crypto_x509_cert_flush_cached_leaf(CERT *cert) {
X509_free(cert->x509_leaf);
- cert->x509_leaf = NULL;
+ cert->x509_leaf = nullptr;
}
static void ssl_crypto_x509_cert_flush_cached_chain(CERT *cert) {
sk_X509_pop_free(cert->x509_chain, X509_free);
- cert->x509_chain = NULL;
+ cert->x509_chain = nullptr;
}
-static int ssl_crypto_x509_check_client_CA_list(
+static bool ssl_crypto_x509_check_client_CA_list(
STACK_OF(CRYPTO_BUFFER) *names) {
for (const CRYPTO_BUFFER *buffer : names) {
const uint8_t *inp = CRYPTO_BUFFER_data(buffer);
@@ -253,11 +253,11 @@ static int ssl_crypto_x509_check_client_CA_list(
d2i_X509_NAME(nullptr, &inp, CRYPTO_BUFFER_len(buffer)));
if (name == nullptr ||
inp != CRYPTO_BUFFER_data(buffer) + CRYPTO_BUFFER_len(buffer)) {
- return 0;
+ return false;
}
}
- return 1;
+ return true;
}
static void ssl_crypto_x509_cert_clear(CERT *cert) {
@@ -265,7 +265,7 @@ static void ssl_crypto_x509_cert_clear(CERT *cert) {
ssl_crypto_x509_cert_flush_cached_chain(cert);
X509_free(cert->x509_stash);
- cert->x509_stash = NULL;
+ cert->x509_stash = nullptr;
}
static void ssl_crypto_x509_cert_free(CERT *cert) {
@@ -274,19 +274,19 @@ static void ssl_crypto_x509_cert_free(CERT *cert) {
}
static void ssl_crypto_x509_cert_dup(CERT *new_cert, const CERT *cert) {
- if (cert->verify_store != NULL) {
+ if (cert->verify_store != nullptr) {
X509_STORE_up_ref(cert->verify_store);
new_cert->verify_store = cert->verify_store;
}
}
-static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
+static bool ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
bssl::UniquePtr<STACK_OF(X509)> chain, chain_without_leaf;
if (sk_CRYPTO_BUFFER_num(sess->certs.get()) > 0) {
chain.reset(sk_X509_new_null());
if (!chain) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
+ return false;
}
if (sess->is_server) {
// chain_without_leaf is only needed for server sessions. See
@@ -294,7 +294,7 @@ static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
chain_without_leaf.reset(sk_X509_new_null());
if (!chain_without_leaf) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
+ return false;
}
}
}
@@ -304,18 +304,18 @@ static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
UniquePtr<X509> x509(X509_parse_from_buffer(cert));
if (!x509) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return 0;
+ return false;
}
if (leaf == nullptr) {
leaf = UpRef(x509);
} else if (chain_without_leaf &&
!PushToStack(chain_without_leaf.get(), UpRef(x509))) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
+ return false;
}
if (!PushToStack(chain.get(), std::move(x509))) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
+ return false;
}
}
@@ -327,80 +327,76 @@ static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
X509_free(sess->x509_peer);
sess->x509_peer = leaf.release();
- return 1;
+ return true;
}
-static int ssl_crypto_x509_session_dup(SSL_SESSION *new_session,
- const SSL_SESSION *session) {
+static bool ssl_crypto_x509_session_dup(SSL_SESSION *new_session,
+ const SSL_SESSION *session) {
new_session->x509_peer = UpRef(session->x509_peer).release();
if (session->x509_chain != nullptr) {
new_session->x509_chain = X509_chain_up_ref(session->x509_chain);
if (new_session->x509_chain == nullptr) {
- return 0;
+ return false;
}
}
if (session->x509_chain_without_leaf != nullptr) {
new_session->x509_chain_without_leaf =
X509_chain_up_ref(session->x509_chain_without_leaf);
if (new_session->x509_chain_without_leaf == nullptr) {
- return 0;
+ return false;
}
}
- return 1;
+ return true;
}
static void ssl_crypto_x509_session_clear(SSL_SESSION *session) {
X509_free(session->x509_peer);
- session->x509_peer = NULL;
+ session->x509_peer = nullptr;
sk_X509_pop_free(session->x509_chain, X509_free);
- session->x509_chain = NULL;
+ session->x509_chain = nullptr;
sk_X509_pop_free(session->x509_chain_without_leaf, X509_free);
- session->x509_chain_without_leaf = NULL;
+ session->x509_chain_without_leaf = nullptr;
}
-static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
- SSL_HANDSHAKE *hs,
- uint8_t *out_alert) {
+static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
+ SSL_HANDSHAKE *hs,
+ uint8_t *out_alert) {
*out_alert = SSL_AD_INTERNAL_ERROR;
STACK_OF(X509) *const cert_chain = session->x509_chain;
- if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {
- return 0;
+ if (cert_chain == nullptr || sk_X509_num(cert_chain) == 0) {
+ return false;
}
SSL_CTX *ssl_ctx = hs->ssl->ctx.get();
X509_STORE *verify_store = ssl_ctx->cert_store;
- if (hs->config->cert->verify_store != NULL) {
+ if (hs->config->cert->verify_store != nullptr) {
verify_store = hs->config->cert->verify_store;
}
X509 *leaf = sk_X509_value(cert_chain, 0);
ScopedX509_STORE_CTX ctx;
- if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain)) {
+ if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) ||
+ !X509_STORE_CTX_set_ex_data(
+ ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), hs->ssl) ||
+ // We need to inherit the verify parameters. These can be determined by
+ // the context: if its a server it will verify SSL client certificates or
+ // vice versa.
+ !X509_STORE_CTX_set_default(
+ ctx.get(), hs->ssl->server ? "ssl_client" : "ssl_server") ||
+ // Anything non-default in "param" should overwrite anything in the ctx.
+ !X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()),
+ hs->config->param)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
- return 0;
- }
- if (!X509_STORE_CTX_set_ex_data(
- ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), hs->ssl)) {
- return 0;
+ return false;
}
- // We need to inherit the verify parameters. These can be determined by the
- // context: if its a server it will verify SSL client certificates or vice
- // versa.
- X509_STORE_CTX_set_default(ctx.get(),
- hs->ssl->server ? "ssl_client" : "ssl_server");
-
- // Anything non-default in "param" should overwrite anything in the ctx.
- X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()),
- hs->config->param);
-
if (hs->config->verify_callback) {
X509_STORE_CTX_set_verify_cb(ctx.get(), hs->config->verify_callback);
}
int verify_ret;
- if (ssl_ctx->app_verify_callback != NULL) {
+ if (ssl_ctx->app_verify_callback != nullptr) {
verify_ret =
ssl_ctx->app_verify_callback(ctx.get(), ssl_ctx->app_verify_arg);
} else {
@@ -412,59 +408,59 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
// If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
if (verify_ret <= 0 && hs->config->verify_mode != SSL_VERIFY_NONE) {
*out_alert = SSL_alert_from_verify_result(ctx->error);
- return 0;
+ return false;
}
ERR_clear_error();
- return 1;
+ return true;
}
static void ssl_crypto_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {
sk_X509_NAME_pop_free(hs->cached_x509_ca_names, X509_NAME_free);
- hs->cached_x509_ca_names = NULL;
+ hs->cached_x509_ca_names = nullptr;
}
-static int ssl_crypto_x509_ssl_new(SSL_HANDSHAKE *hs) {
+static bool ssl_crypto_x509_ssl_new(SSL_HANDSHAKE *hs) {
hs->config->param = X509_VERIFY_PARAM_new();
- if (hs->config->param == NULL) {
- return 0;
+ if (hs->config->param == nullptr) {
+ return false;
}
X509_VERIFY_PARAM_inherit(hs->config->param, hs->ssl->ctx->param);
- return 1;
+ return true;
}
static void ssl_crypto_x509_ssl_flush_cached_client_CA(SSL_CONFIG *cfg) {
sk_X509_NAME_pop_free(cfg->cached_x509_client_CA, X509_NAME_free);
- cfg->cached_x509_client_CA = NULL;
+ cfg->cached_x509_client_CA = nullptr;
}
static void ssl_crypto_x509_ssl_config_free(SSL_CONFIG *cfg) {
sk_X509_NAME_pop_free(cfg->cached_x509_client_CA, X509_NAME_free);
- cfg->cached_x509_client_CA = NULL;
+ cfg->cached_x509_client_CA = nullptr;
X509_VERIFY_PARAM_free(cfg->param);
}
-static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
+static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
// Only build a chain if there are no intermediates configured and the feature
// isn't disabled.
if ((hs->ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
!ssl_has_certificate(hs) || hs->config->cert->chain == NULL ||
sk_CRYPTO_BUFFER_num(hs->config->cert->chain.get()) > 1) {
- return 1;
+ return true;
}
UniquePtr<X509> leaf(X509_parse_from_buffer(
sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0)));
if (!leaf) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
- return 0;
+ return false;
}
ScopedX509_STORE_CTX ctx;
if (!X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store, leaf.get(),
NULL)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
- return 0;
+ return false;
}
// Attempt to build a chain, ignoring the result.
@@ -475,23 +471,23 @@ static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
X509_free(sk_X509_shift(ctx->chain));
if (!ssl_cert_set_chain(hs->config->cert.get(), ctx->chain)) {
- return 0;
+ return false;
}
ssl_crypto_x509_cert_flush_cached_chain(hs->config->cert.get());
- return 1;
+ return true;
}
static void ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {
sk_X509_NAME_pop_free(ctx->cached_x509_client_CA, X509_NAME_free);
- ctx->cached_x509_client_CA = NULL;
+ ctx->cached_x509_client_CA = nullptr;
}
-static int ssl_crypto_x509_ssl_ctx_new(SSL_CTX *ctx) {
+static bool ssl_crypto_x509_ssl_ctx_new(SSL_CTX *ctx) {
ctx->cert_store = X509_STORE_new();
ctx->param = X509_VERIFY_PARAM_new();
- return (ctx->cert_store != NULL && ctx->param != NULL);
+ return (ctx->cert_store != nullptr && ctx->param != nullptr);
}
static void ssl_crypto_x509_ssl_ctx_free(SSL_CTX *ctx) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-26 08:54:43 +0000