Remove SSL_build_cert_chain.

This is unused. It seems to be distinct from the automatic chain
building and was added in 1.0.2. It seems to be an awful lot of
machinery for something that consumers ought to configure anyway.

BUG=486295

Change-Id: If3d4a2761f61c5b2252b37d4692089112fc0ec21
Reviewed-on: https://boringssl-review.googlesource.com/5353
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 2a48ed2..7071acc 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -813,18 +813,6 @@
  * enforcing certifcate chain algorithms. When this is set we enforce them. */
 #define SSL_CERT_FLAG_TLS_STRICT 0x00000001L
 
-/* Flags for building certificate chains */
-/* Treat any existing certificates as untrusted CAs */
-#define SSL_BUILD_CHAIN_FLAG_UNTRUSTED 0x1
-/* Don't include root CA in chain */
-#define SSL_BUILD_CHAIN_FLAG_NO_ROOT 0x2
-/* Just check certificates already there */
-#define SSL_BUILD_CHAIN_FLAG_CHECK 0x4
-/* Ignore verification errors */
-#define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8
-/* Clear verification errors from queue */
-#define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
-
 /* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
  * and zero on failure. */
 OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
@@ -1755,7 +1743,6 @@
 #define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102
 #define SSL_CTRL_GET_CLIENT_CERT_TYPES 103
 #define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
-#define SSL_CTRL_BUILD_CERT_CHAIN 105
 #define SSL_CTRL_SET_VERIFY_CERT_STORE 106
 #define SSL_CTRL_SET_CHAIN_CERT_STORE 107
 #define SSL_CTRL_GET_EC_POINT_FORMATS 111
@@ -1867,8 +1854,6 @@
 #define SSL_CTX_get0_chain_certs(ctx, px509) \
   SSL_CTX_ctrl(ctx, SSL_CTRL_GET_CHAIN_CERTS, 0, px509)
 #define SSL_CTX_clear_chain_certs(ctx) SSL_CTX_set0_chain(ctx, NULL)
-#define SSL_CTX_build_cert_chain(ctx, flags) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
 
 #define SSL_CTX_set0_verify_cert_store(ctx, st) \
   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
@@ -1888,8 +1873,6 @@
 #define SSL_get0_chain_certs(ctx, px509) \
   SSL_ctrl(ctx, SSL_CTRL_GET_CHAIN_CERTS, 0, px509)
 #define SSL_clear_chain_certs(ctx) SSL_set0_chain(ctx, NULL)
-#define SSL_build_cert_chain(s, flags) \
-  SSL_ctrl(s, SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
 
 #define SSL_set0_verify_cert_store(s, st) \
   SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
diff --git a/ssl/internal.h b/ssl/internal.h
index 327f52b..f107452 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -837,7 +837,6 @@
 
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
 int ssl_add_cert_chain(SSL *s, unsigned long *l);
-int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags);
 int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
 void ssl_update_cache(SSL *s, int mode);
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0272d6c..dc8d2e0 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -440,9 +440,6 @@
       }
       return ssl3_set_req_cert_type(s->cert, parg, larg);
 
-    case SSL_CTRL_BUILD_CERT_CHAIN:
-      return ssl_build_cert_chain(s->cert, s->ctx->cert_store, larg);
-
     case SSL_CTRL_SET_VERIFY_CERT_STORE:
       return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
 
@@ -480,9 +477,6 @@
     case SSL_CTRL_SET_CLIENT_CERT_TYPES:
       return ssl3_set_req_cert_type(ctx->cert, parg, larg);
 
-    case SSL_CTRL_BUILD_CERT_CHAIN:
-      return ssl_build_cert_chain(ctx->cert, ctx->cert_store, larg);
-
     case SSL_CTRL_SET_VERIFY_CERT_STORE:
       return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
 
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index a389cc4..3e22582 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -793,118 +793,6 @@
   return 1;
 }
 
-/* Build a certificate chain for current certificate */
-int ssl_build_cert_chain(CERT *cert, X509_STORE *chain_store, int flags) {
-  X509_STORE_CTX xs_ctx;
-  STACK_OF(X509) *chain = NULL, *untrusted = NULL;
-  X509 *x;
-  int i, rv = 0;
-  uint32_t error;
-
-  if (cert->x509 == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, SSL_R_NO_CERTIFICATE_SET);
-    goto err;
-  }
-
-  /* Rearranging and check the chain: add everything to a store */
-  if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) {
-    size_t j;
-    chain_store = X509_STORE_new();
-    if (!chain_store) {
-      goto err;
-    }
-
-    for (j = 0; j < sk_X509_num(cert->chain); j++) {
-      x = sk_X509_value(cert->chain, j);
-      if (!X509_STORE_add_cert(chain_store, x)) {
-        error = ERR_peek_last_error();
-        if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
-            ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
-          goto err;
-        }
-        ERR_clear_error();
-      }
-    }
-
-    /* Add EE cert too: it might be self signed */
-    if (!X509_STORE_add_cert(chain_store, cert->x509)) {
-      error = ERR_peek_last_error();
-      if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
-          ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
-        goto err;
-      }
-      ERR_clear_error();
-    }
-  } else {
-    if (cert->chain_store) {
-      chain_store = cert->chain_store;
-    }
-
-    if (flags & SSL_BUILD_CHAIN_FLAG_UNTRUSTED) {
-      untrusted = cert->chain;
-    }
-  }
-
-  if (!X509_STORE_CTX_init(&xs_ctx, chain_store, cert->x509, untrusted)) {
-    OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, ERR_R_X509_LIB);
-    goto err;
-  }
-
-  i = X509_verify_cert(&xs_ctx);
-  if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR) {
-    if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR) {
-      ERR_clear_error();
-    }
-    i = 1;
-    rv = 2;
-  }
-
-  if (i > 0) {
-    chain = X509_STORE_CTX_get1_chain(&xs_ctx);
-  }
-  if (i <= 0) {
-    OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain,
-                      SSL_R_CERTIFICATE_VERIFY_FAILED);
-    i = X509_STORE_CTX_get_error(&xs_ctx);
-    ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(i));
-
-    X509_STORE_CTX_cleanup(&xs_ctx);
-    goto err;
-  }
-
-  X509_STORE_CTX_cleanup(&xs_ctx);
-  if (cert->chain) {
-    sk_X509_pop_free(cert->chain, X509_free);
-  }
-
-  /* Remove EE certificate from chain */
-  x = sk_X509_shift(chain);
-  X509_free(x);
-  if (flags & SSL_BUILD_CHAIN_FLAG_NO_ROOT) {
-    if (sk_X509_num(chain) > 0) {
-      /* See if last cert is self signed */
-      x = sk_X509_value(chain, sk_X509_num(chain) - 1);
-      X509_check_purpose(x, -1, 0);
-      if (x->ex_flags & EXFLAG_SS) {
-        x = sk_X509_pop(chain);
-        X509_free(x);
-      }
-    }
-  }
-
-  cert->chain = chain;
-  if (rv == 0) {
-    rv = 1;
-  }
-
-err:
-  if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) {
-    X509_STORE_free(chain_store);
-  }
-
-  return rv;
-}
-
 int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) {
   X509_STORE **pstore;
   if (chain) {