Document certificate verification functions in SSL.
Or at least group them together and make a passing attempt to document
them. The legacy X.509 stack itself remains largely untouched and most
of the parameters have to do with it.
Change-Id: I9e11e2ad1bbeef53478c787344398c0d8d1b3876
Reviewed-on: https://boringssl-review.googlesource.com/5942
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index a9e8d77..4094b27 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -341,15 +341,17 @@
*ca_list = name_list;
}
-STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) {
- size_t i;
- STACK_OF(X509_NAME) *ret;
- X509_NAME *name;
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {
+ STACK_OF(X509_NAME) *ret = sk_X509_NAME_new_null();
+ if (ret == NULL) {
+ return NULL;
+ }
- ret = sk_X509_NAME_new_null();
- for (i = 0; i < sk_X509_NAME_num(sk); i++) {
- name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
+ size_t i;
+ for (i = 0; i < sk_X509_NAME_num(list); i++) {
+ X509_NAME *name = X509_NAME_dup(sk_X509_NAME_value(list, i));
if (name == NULL || !sk_X509_NAME_push(ret, name)) {
+ X509_NAME_free(name);
sk_X509_NAME_pop_free(ret, X509_NAME_free);
return NULL;
}
@@ -358,12 +360,12 @@
return ret;
}
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) {
- set_client_CA_list(&(s->client_CA), name_list);
+void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) {
+ set_client_CA_list(&ssl->client_CA, name_list);
}
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {
- set_client_CA_list(&(ctx->client_CA), name_list);
+ set_client_CA_list(&ctx->client_CA, name_list);
}
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
@@ -386,10 +388,10 @@
return ssl->ctx->client_CA;
}
-static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x) {
+static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x509) {
X509_NAME *name;
- if (x == NULL) {
+ if (x509 == NULL) {
return 0;
}
if (*sk == NULL) {
@@ -399,7 +401,7 @@
}
}
- name = X509_NAME_dup(X509_get_subject_name(x));
+ name = X509_NAME_dup(X509_get_subject_name(x509));
if (name == NULL) {
return 0;
}
@@ -412,12 +414,12 @@
return 1;
}
-int SSL_add_client_CA(SSL *ssl, X509 *x) {
- return add_client_CA(&(ssl->client_CA), x);
+int SSL_add_client_CA(SSL *ssl, X509 *x509) {
+ return add_client_CA(&ssl->client_CA, x509);
}
-int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) {
- return add_client_CA(&(ctx->client_CA), x);
+int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {
+ return add_client_CA(&ctx->client_CA, x509);
}
/* Add a certificate to a BUF_MEM structure */
diff --git a/ssl/ssl_file.c b/ssl/ssl_file.c
index 25e1cc1..88ad5b7 100644
--- a/ssl/ssl_file.c
+++ b/ssl/ssl_file.c
@@ -128,13 +128,8 @@
return X509_NAME_cmp(*a, *b);
}
-/* Load CA certs from a file into a STACK. Note that it is somewhat misnamed;
- * it doesn't really have anything to do with clients (except that a common use
- * for a stack of CAs is to send it to the client). Actually, it doesn't have
- * much to do with CAs, either, since it will load any old cert.
- *
- * \param file the file containing one or more certs.
- * \return a ::STACK containing the certs. */
+/* TODO(davidben): Is there any reason this doesn't call
+ * |SSL_add_file_cert_subjects_to_stack|? */
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
BIO *in;
X509 *x = NULL;
@@ -197,13 +192,6 @@
return ret;
}
-/* Add a file of certs to a stack.
- *
- * \param stack the stack to add to.
- * \param file the file to add from. All certs in this file that are not
- * already in the stack will be added.
- * \return 1 for success, 0 for failure. Note that in the case of failure some
- * certs may have been added to \c stack. */
int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *file) {
BIO *in;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 572fdde..74bd633 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -976,28 +976,28 @@
return p != NULL;
}
-int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) {
- return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
+int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose) {
+ return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
}
-int SSL_set_purpose(SSL *s, int purpose) {
- return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
+int SSL_set_purpose(SSL *ssl, int purpose) {
+ return X509_VERIFY_PARAM_set_purpose(ssl->param, purpose);
}
-int SSL_CTX_set_trust(SSL_CTX *s, int trust) {
- return X509_VERIFY_PARAM_set_trust(s->param, trust);
+int SSL_CTX_set_trust(SSL_CTX *ctx, int trust) {
+ return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
}
-int SSL_set_trust(SSL *s, int trust) {
- return X509_VERIFY_PARAM_set_trust(s->param, trust);
+int SSL_set_trust(SSL *ssl, int trust) {
+ return X509_VERIFY_PARAM_set_trust(ssl->param, trust);
}
-int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) {
- return X509_VERIFY_PARAM_set1(ctx->param, vpm);
+int SSL_CTX_set1_param(SSL_CTX *ctx, const X509_VERIFY_PARAM *param) {
+ return X509_VERIFY_PARAM_set1(ctx->param, param);
}
-int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) {
- return X509_VERIFY_PARAM_set1(ssl->param, vpm);
+int SSL_set1_param(SSL *ssl, const X509_VERIFY_PARAM *param) {
+ return X509_VERIFY_PARAM_set1(ssl->param, param);
}
void ssl_cipher_preference_list_free(
@@ -1193,18 +1193,18 @@
return ret;
}
-int SSL_get_verify_mode(const SSL *s) { return s->verify_mode; }
+int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; }
-int SSL_get_verify_depth(const SSL *s) {
- return X509_VERIFY_PARAM_get_depth(s->param);
+int SSL_get_verify_depth(const SSL *ssl) {
+ return X509_VERIFY_PARAM_get_depth(ssl->param);
}
int SSL_get_extms_support(const SSL *ssl) {
return ssl->s3->tmp.extended_master_secret == 1;
}
-int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) {
- return s->verify_callback;
+int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *) {
+ return ssl->verify_callback;
}
int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { return ctx->verify_mode; }
@@ -1213,20 +1213,21 @@
return X509_VERIFY_PARAM_get_depth(ctx->param);
}
-int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) {
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
+ int ok, X509_STORE_CTX *store_ctx) {
return ctx->default_verify_callback;
}
-void SSL_set_verify(SSL *s, int mode,
- int (*callback)(int ok, X509_STORE_CTX *ctx)) {
- s->verify_mode = mode;
+void SSL_set_verify(SSL *ssl, int mode,
+ int (*callback)(int ok, X509_STORE_CTX *store_ctx)) {
+ ssl->verify_mode = mode;
if (callback != NULL) {
- s->verify_callback = callback;
+ ssl->verify_callback = callback;
}
}
-void SSL_set_verify_depth(SSL *s, int depth) {
- X509_VERIFY_PARAM_set_depth(s->param, depth);
+void SSL_set_verify_depth(SSL *ssl, int depth) {
+ X509_VERIFY_PARAM_set_depth(ssl->param, depth);
}
int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; }
@@ -1824,7 +1825,8 @@
}
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
- int (*cb)(X509_STORE_CTX *, void *),
+ int (*cb)(X509_STORE_CTX *store_ctx,
+ void *arg),
void *arg) {
ctx->app_verify_callback = cb;
ctx->app_verify_arg = arg;
@@ -2139,9 +2141,9 @@
return X509_STORE_set_default_paths(ctx->cert_store);
}
-int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
- const char *CApath) {
- return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath);
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *ca_file,
+ const char *ca_dir) {
+ return X509_STORE_load_locations(ctx->cert_store, ca_file, ca_dir);
}
void SSL_set_info_callback(SSL *ssl,
@@ -2158,7 +2160,9 @@
void SSL_set_state(SSL *ssl, int state) { }
-void SSL_set_verify_result(SSL *ssl, long arg) { ssl->verify_result = arg; }
+void SSL_set_verify_result(SSL *ssl, long result) {
+ ssl->verify_result = result;
+}
long SSL_get_verify_result(const SSL *ssl) { return ssl->verify_result; }
