Diffstat (limited to 'deps/boringssl/src/ssl/ssl_x509.cc')
-rw-r--r-- | deps/boringssl/src/ssl/ssl_x509.cc | 50 |
1 files changed, 28 insertions, 22 deletions
diff --git a/deps/boringssl/src/ssl/ssl_x509.cc b/deps/boringssl/src/ssl/ssl_x509.cc index cda7611..680f253 100644 --- a/deps/boringssl/src/ssl/ssl_x509.cc +++ b/deps/boringssl/src/ssl/ssl_x509.cc @@ -368,25 +368,34 @@ static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, return false; } - SSL_CTX *ssl_ctx = hs->ssl->ctx.get(); + SSL *const ssl = hs->ssl; + SSL_CTX *ssl_ctx = ssl->ctx.get(); X509_STORE *verify_store = ssl_ctx->cert_store; if (hs->config->cert->verify_store != nullptr) { verify_store = hs->config->cert->verify_store; } X509 *leaf = sk_X509_value(cert_chain, 0); - ScopedX509_STORE_CTX ctx; - if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) || - !X509_STORE_CTX_set_ex_data( - ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), hs->ssl) || + const char *name; + size_t name_len; + SSL_get0_ech_name_override(ssl, &name, &name_len); + UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new()); + if (!ctx || + !X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) || + !X509_STORE_CTX_set_ex_data(ctx.get(), + SSL_get_ex_data_X509_STORE_CTX_idx(), ssl) || // We need to inherit the verify parameters. These can be determined by // the context: if its a server it will verify SSL client certificates or // vice versa. - !X509_STORE_CTX_set_default( - ctx.get(), hs->ssl->server ? "ssl_client" : "ssl_server") || + !X509_STORE_CTX_set_default(ctx.get(), + ssl->server ? "ssl_client" : "ssl_server") || // Anything non-default in "param" should overwrite anything in the ctx. !X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), - hs->config->param)) { + hs->config->param) || + // ClientHelloOuter connections use a different name. + (name_len != 0 && + !X509_VERIFY_PARAM_set1_host(X509_STORE_CTX_get0_param(ctx.get()), name, + name_len))) { OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB); return false; } 
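Review bot: `name` and `name_len` are declared without initializers and `name_len != 0` is then tested in the condition chain, so the check relies on `SSL_get0_ech_name_override` writing both outputs on every path, which is not visible in this hunk. Initializing them, `const char *name = nullptr;` and `size_t name_len = 0;`, keeps the host override from ever being driven by indeterminate stack values if that contract changes. The comment `// ClientHelloOuter connections use a different name.` could also state that `X509_VERIFY_PARAM_set1_host` replaces the host inherited from `hs->config->param`, since this is the step that decides which identity the peer certificate is checked against. The body of `ssl_crypto_x509_session_verify_cert_chain` starts and ends outside the hunk.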
@@ -403,11 +412,11 @@ static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, verify_ret = X509_verify_cert(ctx.get()); } - session->verify_result = ctx->error; + session->verify_result = X509_STORE_CTX_get_error(ctx.get()); // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. if (verify_ret <= 0 && hs->config->verify_mode != SSL_VERIFY_NONE) { - *out_alert = SSL_alert_from_verify_result(ctx->error); + *out_alert = SSL_alert_from_verify_result(session->verify_result); return false; } @@ -456,9 +465,9 @@ static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) { return false; } - ScopedX509_STORE_CTX ctx; - if (!X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store, leaf.get(), - NULL)) { + UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new()); + if (!ctx || !X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store, + leaf.get(), nullptr)) { OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB); return false; } @@ -468,9 +477,13 @@ static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) { ERR_clear_error(); // Remove the leaf from the generated chain. - X509_free(sk_X509_shift(ctx->chain)); + UniquePtr<STACK_OF(X509)> chain(X509_STORE_CTX_get1_chain(ctx.get())); + if (!chain) { + return false; + } + X509_free(sk_X509_shift(chain.get())); - if (!ssl_cert_set_chain(hs->config->cert.get(), ctx->chain)) { + if (!ssl_cert_set_chain(hs->config->cert.get(), chain.get())) { return false; } @@ -698,13 +711,6 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *ca_file, return X509_STORE_load_locations(ctx->cert_store, ca_file, ca_dir); } -void SSL_set_verify_result(SSL *ssl, long result) { - check_ssl_x509_method(ssl); - if (result != X509_V_OK) { - abort(); - } -} - long SSL_get_verify_result(const SSL *ssl) { check_ssl_x509_method(ssl); SSL_SESSION *session = SSL_get_session(ssl); |
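Review bot: In the `@@ -403` hunk, `session->verify_result` is taken from `X509_STORE_CTX_get_error(ctx.get())` regardless of `verify_ret`, so a verifier that returns failure while leaving the error at `X509_V_OK` would store a clean result. Whether that can happen depends on the verification call above, which is only partly visible here. Under `SSL_VERIFY_NONE` the stored value is kept, and is presumably what `SSL_get_verify_result` later reports; otherwise the alert is derived from it. A guard before the mode check would close that gap: `if (verify_ret <= 0 && session->verify_result == X509_V_OK) { session->verify_result = X509_V_ERR_UNSPECIFIED; }`. The enclosing function starts and ends outside the hunk.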
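Review bot: In the `@@ -468` hunk of `ssl_crypto_x509_ssl_auto_chain_if_needed`, the new `if (!chain) { return false; }` fails without queuing an error, and it runs right after the `ERR_clear_error();` context line. Unless `X509_STORE_CTX_get1_chain` queues an error itself, the caller sees a failure with an empty error queue. The `X509_STORE_CTX_init` failure path in the same function reports `OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);`, and adding the same line before this `return false;` would keep the two paths consistent and the failure diagnosable. The function continues outside the hunk.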