Google Git
Sign in
boringssl/boringssl/4bc2b6654271ec95863d77c27685f3f78f3c13e7^!/.
commit
4bc2b6654271ec95863d77c27685f3f78f3c13e7
[log]
author
Bob Beck <bbe@google.com>
Tue Sep 17 20:21:09 2024 +0000
committer
Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Fri Oct 11 00:37:04 2024 +0000
tree
48f48c6655495d52a3dcf7600e47dc4f49ef0764
parent
e543bbd442af4c42f26cdc0fe8ce09b01e039c0e [diff]
Change around some "client CA" things

re-use code for parsing CA name lists.

Change-Id: I55027999862912cedad062ab4ea2e97e407ae01f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/71608
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Bob Beck <bbe@google.com>

diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 44ef210..f87e000 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc

@@ -1301,7 +1301,7 @@
 
   uint8_t alert = SSL_AD_DECODE_ERROR;
   UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names =
-      ssl_parse_client_CA_list(ssl, &alert, &body);
+      SSL_parse_CA_list(ssl, &alert, &body);
   if (!ca_names) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return ssl_hs_error;

diff --git a/ssl/internal.h b/ssl/internal.h
index fac6260..ccb66e0 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h

@@ -1620,13 +1620,14 @@
 // nullptr and pushes to the error queue.
 UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in);
 
-// ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a
-// TLS CertificateRequest message. On success, it returns a newly-allocated
-// |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns nullptr and
-// sets |*out_alert| to an alert to send to the peer.
-UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
-                                                            uint8_t *out_alert,
-                                                            CBS *cbs);
+// SSL_parse_CA_list parses a CA list from |cbs| in the format used by a TLS
+// CertificateRequest message and Certificate Authorities extension. On success,
+// it returns a newly-allocated |CRYPTO_BUFFER| list and advances
+// |cbs|. Otherwise, it returns nullptr and sets |*out_alert| to an alert to
+// send to the peer.
+UniquePtr<STACK_OF(CRYPTO_BUFFER)> SSL_parse_CA_list(SSL *ssl,
+                                                     uint8_t *out_alert,
+                                                     CBS *cbs);
 
 // ssl_has_client_CAs returns there are configured CAs.
 bool ssl_has_client_CAs(const SSL_CONFIG *cfg);
@@ -2851,10 +2852,10 @@
                                     Span<uint8_t> in);
 
 struct SSL_X509_METHOD {
-  // check_client_CA_list returns one if |names| is a good list of X.509
-  // distinguished names and zero otherwise. This is used to ensure that we can
-  // reject unparsable values at handshake time when using crypto/x509.
-  bool (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
+  // check_CA_list returns one if |names| is a good list of X.509 distinguished
+  // names and zero otherwise. This is used to ensure that we can reject
+  // unparsable values at handshake time when using crypto/x509.
+  bool (*check_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
 
   // cert_clear frees and NULLs all X509 certificate-related state.
   void (*cert_clear)(CERT *cert);
@@ -3378,6 +3379,13 @@
   // |client_CA|.
   STACK_OF(X509_NAME) *cached_x509_client_CA = nullptr;
 
+  // For client side, keep the list of CA distinguished names we can use
+  // for the Certificate Authorities extension.
+  // TODO(bbe) having this separate from the client side (above) is mildly
+  // silly, but OpenSSL has *_client_CA API's for this exposed, and for the
+  // moment we are not crossing those streams.
+  UniquePtr<STACK_OF(CRYPTO_BUFFER)> CA_names;
+
   Array<uint16_t> supported_group_list;  // our list
 
   // channel_id_private is the client's Channel ID private key, or null if
@@ -3887,6 +3895,8 @@
   // |client_CA|.
   STACK_OF(X509_NAME) *cached_x509_client_CA = nullptr;
 
+  // What we put in client hello in the CA extension.
+  bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> CA_names;
 
   // Default values to use in SSL structures follow (these are copied by
   // SSL_new)

diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index b6d2cb7..68e155c 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc

@@ -469,9 +469,9 @@
   return true;
 }
 
-UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
-                                                            uint8_t *out_alert,
-                                                            CBS *cbs) {
+UniquePtr<STACK_OF(CRYPTO_BUFFER)> SSL_parse_CA_list(SSL *ssl,
+                                                     uint8_t *out_alert,
+                                                     CBS *cbs) {
   CRYPTO_BUFFER_POOL *const pool = ssl->ctx->pool;
 
   UniquePtr<STACK_OF(CRYPTO_BUFFER)> ret(sk_CRYPTO_BUFFER_new_null());
@@ -504,7 +504,7 @@
     }
   }
 
-  if (!ssl->ctx->x509_method->check_client_CA_list(ret.get())) {
+  if (!ssl->ctx->x509_method->check_CA_list(ret.get())) {
     *out_alert = SSL_AD_DECODE_ERROR;
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     return nullptr;

diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index c386241..fbe94ad 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc

@@ -672,7 +672,7 @@
   }
 
   if (ca.present) {
-    hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca.data);
+    hs->ca_names = SSL_parse_CA_list(ssl, &alert, &ca.data);
     if (!hs->ca_names) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
       return ssl_hs_error;