Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
See also upstream's 9689a6aeed4ef7a2357cb95191b4313175440e4c.
X509_VERIFY_PARAM_ID made sense as a separate structure when
X509_VERIFY_PARAM was public, but now the struct is unexported.
Change-Id: I93bac64d33b76aa020fae07bba71b04f1505fdc4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48128
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index d984805..32a6a9f 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -112,20 +112,6 @@
CRYPTO_refcount_t references;
} /* X509_REQ */;
-// TODO(davidben): This was historically a separate struct because
-// |X509_VERIFY_PARAM| used to be exported. Now that it is also opaque, embed it
-// directly.
-typedef struct {
- STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */
- unsigned int hostflags; /* Flags to control matching features */
- char *peername; /* Matching hostname in peer certificate */
- char *email; /* If not NULL email address to match */
- size_t emaillen;
- unsigned char *ip; /* If not NULL IP address to match */
- size_t iplen; /* Length of IP address */
- unsigned char poison; /* Fail all verifications */
-} X509_VERIFY_PARAM_ID;
-
struct X509_VERIFY_PARAM_st {
char *name;
time_t check_time; // Time to use
@@ -135,7 +121,15 @@
int trust; // trust setting to check
int depth; // Verify depth
STACK_OF(ASN1_OBJECT) *policies; // Permissible policies
- X509_VERIFY_PARAM_ID *id; // opaque ID data
+ // The following fields specify acceptable peer identities.
+ STACK_OF(OPENSSL_STRING) *hosts; // Set of acceptable names
+ unsigned int hostflags; // Flags to control matching features
+ char *peername; // Matching hostname in peer certificate
+ char *email; // If not NULL email address to match
+ size_t emaillen;
+ unsigned char *ip; // If not NULL IP address to match
+ size_t iplen; // Length of IP address
+ unsigned char poison; // Fail all verifications at name checking
} /* X509_VERIFY_PARAM */;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f7785c6..2387de3 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -835,20 +835,20 @@
return ctx->verify_cb(0, ctx);
}
-static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
+static int check_hosts(X509 *x, X509_VERIFY_PARAM *param)
{
size_t i;
- size_t n = sk_OPENSSL_STRING_num(id->hosts);
+ size_t n = sk_OPENSSL_STRING_num(param->hosts);
char *name;
- if (id->peername != NULL) {
- OPENSSL_free(id->peername);
- id->peername = NULL;
+ if (param->peername != NULL) {
+ OPENSSL_free(param->peername);
+ param->peername = NULL;
}
for (i = 0; i < n; ++i) {
- name = sk_OPENSSL_STRING_value(id->hosts, i);
- if (X509_check_host(x, name, strlen(name), id->hostflags,
- &id->peername) > 0)
+ name = sk_OPENSSL_STRING_value(param->hosts, i);
+ if (X509_check_host(x, name, strlen(name), param->hostflags,
+ ¶m->peername) > 0)
return 1;
}
return n == 0;
@@ -857,21 +857,20 @@
static int check_id(X509_STORE_CTX *ctx)
{
X509_VERIFY_PARAM *vpm = ctx->param;
- X509_VERIFY_PARAM_ID *id = vpm->id;
X509 *x = ctx->cert;
- if (id->poison) {
+ if (vpm->poison) {
if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
return 0;
}
- if (id->hosts && check_hosts(x, id) <= 0) {
+ if (vpm->hosts && check_hosts(x, vpm) <= 0) {
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
return 0;
}
- if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0) {
+ if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
return 0;
}
- if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) {
+ if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
return 0;
}
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index c3c2426..ae3a7e8 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -83,7 +83,7 @@
#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free)
-static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
+static int int_x509_param_set_hosts(X509_VERIFY_PARAM *param, int mode,
const char *name, size_t namelen)
{
char *copy;
@@ -100,26 +100,26 @@
if (name && OPENSSL_memchr(name, '\0', namelen))
return 0;
- if (mode == SET_HOST && id->hosts) {
- string_stack_free(id->hosts);
- id->hosts = NULL;
+ if (mode == SET_HOST && param->hosts) {
+ string_stack_free(param->hosts);
+ param->hosts = NULL;
}
copy = OPENSSL_strndup(name, namelen);
if (copy == NULL)
return 0;
- if (id->hosts == NULL &&
- (id->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
+ if (param->hosts == NULL &&
+ (param->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
OPENSSL_free(copy);
return 0;
}
- if (!sk_OPENSSL_STRING_push(id->hosts, copy)) {
+ if (!sk_OPENSSL_STRING_push(param->hosts, copy)) {
OPENSSL_free(copy);
- if (sk_OPENSSL_STRING_num(id->hosts) == 0) {
- sk_OPENSSL_STRING_free(id->hosts);
- id->hosts = NULL;
+ if (sk_OPENSSL_STRING_num(param->hosts) == 0) {
+ sk_OPENSSL_STRING_free(param->hosts);
+ param->hosts = NULL;
}
return 0;
}
@@ -129,7 +129,6 @@
static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
{
- X509_VERIFY_PARAM_ID *paramid;
if (!param)
return;
param->name = NULL;
@@ -145,43 +144,34 @@
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
param->policies = NULL;
}
- paramid = param->id;
- if (paramid->hosts) {
- string_stack_free(paramid->hosts);
- paramid->hosts = NULL;
+ if (param->hosts) {
+ string_stack_free(param->hosts);
+ param->hosts = NULL;
}
- if (paramid->peername) {
- OPENSSL_free(paramid->peername);
- paramid->peername = NULL;
+ if (param->peername) {
+ OPENSSL_free(param->peername);
+ param->peername = NULL;
}
- if (paramid->email) {
- OPENSSL_free(paramid->email);
- paramid->email = NULL;
- paramid->emaillen = 0;
+ if (param->email) {
+ OPENSSL_free(param->email);
+ param->email = NULL;
+ param->emaillen = 0;
}
- if (paramid->ip) {
- OPENSSL_free(paramid->ip);
- paramid->ip = NULL;
- paramid->iplen = 0;
+ if (param->ip) {
+ OPENSSL_free(param->ip);
+ param->ip = NULL;
+ param->iplen = 0;
}
- paramid->poison = 0;
+ param->poison = 0;
}
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
{
X509_VERIFY_PARAM *param;
- X509_VERIFY_PARAM_ID *paramid;
param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
if (!param)
return NULL;
- paramid = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM_ID));
- if (!paramid) {
- OPENSSL_free(param);
- return NULL;
- }
OPENSSL_memset(param, 0, sizeof(X509_VERIFY_PARAM));
- OPENSSL_memset(paramid, 0, sizeof(X509_VERIFY_PARAM_ID));
- param->id = paramid;
x509_verify_param_zero(param);
return param;
}
@@ -191,7 +181,6 @@
if (param == NULL)
return;
x509_verify_param_zero(param);
- OPENSSL_free(param->id);
OPENSSL_free(param);
}
@@ -233,11 +222,6 @@
(to_overwrite || \
((src->field != (def)) && (to_default || (dest->field == (def)))))
-/* As above but for ID fields */
-
-#define test_x509_verify_param_copy_id(idf, def) \
- test_x509_verify_param_copy(id->idf, def)
-
/* Macro to test and copy a field if necessary */
#define x509_verify_param_copy(field, def) \
@@ -249,10 +233,8 @@
{
unsigned long inh_flags;
int to_default, to_overwrite;
- X509_VERIFY_PARAM_ID *id;
if (!src)
return 1;
- id = src->id;
inh_flags = dest->inh_flags | src->inh_flags;
if (inh_flags & X509_VP_FLAG_ONCE)
@@ -294,31 +276,31 @@
}
/* Copy the host flags if and only if we're copying the host list */
- if (test_x509_verify_param_copy_id(hosts, NULL)) {
- if (dest->id->hosts) {
- string_stack_free(dest->id->hosts);
- dest->id->hosts = NULL;
+ if (test_x509_verify_param_copy(hosts, NULL)) {
+ if (dest->hosts) {
+ string_stack_free(dest->hosts);
+ dest->hosts = NULL;
}
- if (id->hosts) {
- dest->id->hosts =
- sk_OPENSSL_STRING_deep_copy(id->hosts, str_copy, str_free);
- if (dest->id->hosts == NULL)
+ if (src->hosts) {
+ dest->hosts =
+ sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
+ if (dest->hosts == NULL)
return 0;
- dest->id->hostflags = id->hostflags;
+ dest->hostflags = src->hostflags;
}
}
- if (test_x509_verify_param_copy_id(email, NULL)) {
- if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen))
+ if (test_x509_verify_param_copy(email, NULL)) {
+ if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
return 0;
}
- if (test_x509_verify_param_copy_id(ip, NULL)) {
- if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
+ if (test_x509_verify_param_copy(ip, NULL)) {
+ if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
return 0;
}
- dest->id->poison = src->id->poison;
+ dest->poison = src->poison;
return 1;
}
@@ -457,8 +439,8 @@
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
const char *name, size_t namelen)
{
- if (!int_x509_param_set_hosts(param->id, SET_HOST, name, namelen)) {
- param->id->poison = 1;
+ if (!int_x509_param_set_hosts(param, SET_HOST, name, namelen)) {
+ param->poison = 1;
return 0;
}
return 1;
@@ -467,8 +449,8 @@
int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
const char *name, size_t namelen)
{
- if (!int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen)) {
- param->id->poison = 1;
+ if (!int_x509_param_set_hosts(param, ADD_HOST, name, namelen)) {
+ param->poison = 1;
return 0;
}
return 1;
@@ -477,21 +459,21 @@
void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
unsigned int flags)
{
- param->id->hostflags = flags;
+ param->hostflags = flags;
}
char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
{
- return param->id->peername;
+ return param->peername;
}
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
const char *email, size_t emaillen)
{
if (OPENSSL_memchr(email, '\0', emaillen) != NULL ||
- !int_x509_param_set1(¶m->id->email, ¶m->id->emaillen,
+ !int_x509_param_set1(¶m->email, ¶m->emaillen,
email, emaillen)) {
- param->id->poison = 1;
+ param->poison = 1;
return 0;
}
@@ -502,9 +484,9 @@
const unsigned char *ip, size_t iplen)
{
if ((iplen != 4 && iplen != 16) ||
- !int_x509_param_set1((char **)¶m->id->ip, ¶m->id->iplen,
+ !int_x509_param_set1((char **)¶m->ip, ¶m->iplen,
(char *)ip, iplen)) {
- param->id->poison = 1;
+ param->poison = 1;
return 0;
}
@@ -532,10 +514,7 @@
return param->name;
}
-static const X509_VERIFY_PARAM_ID _empty_id =
- { NULL, 0U, NULL, NULL, 0, NULL, 0, 0 };
-
-#define vpm_empty_id ((X509_VERIFY_PARAM_ID *)&_empty_id)
+#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0, 0
/*
* Default verify parameters: these are used for various applications and can