Remove separate APIs for configuring chain and verify stores.

These are unused (new as of 1.0.2). Although being able to separate the
two stores is a reasonable thing to do, we hope to remove the
auto-chaining feature eventually. Given that, SSL_CTX_set_cert_store
should suffice. This gets rid of two more ctrl macros.

BUG=404754,486295

Change-Id: Id84de95d7b2ad5a14fc68a62bb2394f01fa67bb4
Reviewed-on: https://boringssl-review.googlesource.com/5672
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7a30d55..7d008d2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1990,8 +1990,6 @@
 #define SSL_CTRL_SET_SIGALGS 97
 #define SSL_CTRL_SET_CLIENT_SIGALGS 101
 #define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
-#define SSL_CTRL_SET_VERIFY_CERT_STORE 106
-#define SSL_CTRL_SET_CHAIN_CERT_STORE 107
 
 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
  * timeout in progress, it sets |*out| to the time remaining and returns one.
@@ -2086,24 +2084,6 @@
 OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl,
                                                  const uint8_t **out_types);
 
-#define SSL_CTX_set0_verify_cert_store(ctx, st) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
-#define SSL_CTX_set1_verify_cert_store(ctx, st) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 1, (char *)st)
-#define SSL_CTX_set0_chain_cert_store(ctx, st) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHAIN_CERT_STORE, 0, (char *)st)
-#define SSL_CTX_set1_chain_cert_store(ctx, st) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHAIN_CERT_STORE, 1, (char *)st)
-
-#define SSL_set0_verify_cert_store(s, st) \
-  SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)st)
-#define SSL_set1_verify_cert_store(s, st) \
-  SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 1, (char *)st)
-#define SSL_set0_chain_cert_store(s, st) \
-  SSL_ctrl(s, SSL_CTRL_SET_CHAIN_CERT_STORE, 0, (char *)st)
-#define SSL_set1_chain_cert_store(s, st) \
-  SSL_ctrl(s, SSL_CTRL_SET_CHAIN_CERT_STORE, 1, (char *)st)
-
 #define SSL_get1_curves(ctx, s) SSL_ctrl(ctx, SSL_CTRL_GET_CURVES, 0, (char *)s)
 #define SSL_CTX_set1_curves(ctx, clist, clistlen) \
   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CURVES, clistlen, (char *)clist)
diff --git a/ssl/internal.h b/ssl/internal.h
index 4acd301..ac58f79 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -647,11 +647,6 @@
    * supported signature algorithms or curves. */
   int (*cert_cb)(SSL *ssl, void *arg);
   void *cert_cb_arg;
-
-  /* Optional X509_STORE for chain building or certificate validation
-   * If NULL the parent SSL_CTX store is used instead. */
-  X509_STORE *chain_store;
-  X509_STORE *verify_store;
 } CERT;
 
 typedef struct sess_cert_st {
@@ -889,7 +884,6 @@
 
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
 int ssl_add_cert_chain(SSL *s, unsigned long *l);
-int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
 void ssl_update_cache(SSL *s, int mode);
 
 /* ssl_get_compatible_server_ciphers determines the key exchange and
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 6baf6f1..55c291c 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -420,12 +420,6 @@
       }
       return ssl3_set_req_cert_type(s->cert, parg, larg);
 
-    case SSL_CTRL_SET_VERIFY_CERT_STORE:
-      return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
-
-    case SSL_CTRL_SET_CHAIN_CERT_STORE:
-      return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
-
     default:
       break;
   }
@@ -448,12 +442,6 @@
     case SSL_CTRL_SET_CLIENT_CERT_TYPES:
       return ssl3_set_req_cert_type(ctx->cert, parg, larg);
 
-    case SSL_CTRL_SET_VERIFY_CERT_STORE:
-      return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
-
-    case SSL_CTRL_SET_CHAIN_CERT_STORE:
-      return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
-
     default:
       return 0;
   }
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 7b01968..553d4c9 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -239,16 +239,6 @@
   ret->cert_cb = cert->cert_cb;
   ret->cert_cb_arg = cert->cert_cb_arg;
 
-  if (cert->verify_store) {
-    CRYPTO_refcount_inc(&cert->verify_store->references);
-    ret->verify_store = cert->verify_store;
-  }
-
-  if (cert->chain_store) {
-    CRYPTO_refcount_inc(&cert->chain_store->references);
-    ret->chain_store = cert->chain_store;
-  }
-
   return ret;
 
 err:
@@ -284,8 +274,6 @@
   OPENSSL_free(c->client_sigalgs);
   OPENSSL_free(c->shared_sigalgs);
   OPENSSL_free(c->client_certificate_types);
-  X509_STORE_free(c->verify_store);
-  X509_STORE_free(c->chain_store);
 
   OPENSSL_free(c);
 }
@@ -397,21 +385,14 @@
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) {
   X509 *x;
   int i;
-  X509_STORE *verify_store;
   X509_STORE_CTX ctx;
 
-  if (s->cert->verify_store) {
-    verify_store = s->cert->verify_store;
-  } else {
-    verify_store = s->ctx->cert_store;
-  }
-
   if (sk == NULL || sk_X509_num(sk) == 0) {
     return 0;
   }
 
   x = sk_X509_value(sk, 0);
-  if (!X509_STORE_CTX_init(&ctx, verify_store, x, sk)) {
+  if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
     return 0;
   }
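Review bot: Nothing on the new side of `ssl_verify_cert_chain` records that peer verification now always uses `s->ctx->cert_store`, and the auto-chain hunk at `@@ -765,7 +739,7 @@` passes the same `ssl->ctx->cert_store` when building the outgoing chain. With the per-CERT overrides removed, a certificate that an application adds to that store only to complete its own chain is presumably also available to path building when verifying a peer, and callers should be able to see that coupling. I would add a comment above the `X509_STORE_CTX_init` call, for example `/* The SSL_CTX cert_store is the only store used for peer verification and is shared with auto-chaining; certificates added for chain building are visible here too. */`, and say the same in the documentation for `SSL_CTX_set_cert_store`. The function body continues past the end of this hunk.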
@@ -734,19 +715,12 @@
 
   X509 *x = cert->x509;
   STACK_OF(X509) *chain = cert->chain;
-  X509_STORE *chain_store;
 
   if (x == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
     return 0;
   }
 
-  if (ssl->cert->chain_store) {
-    chain_store = ssl->cert->chain_store;
-  } else {
-    chain_store = ssl->ctx->cert_store;
-  }
-
   if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) {
     no_chain = 1;
   }
@@ -765,7 +739,7 @@
   } else {
     X509_STORE_CTX xs_ctx;
 
-    if (!X509_STORE_CTX_init(&xs_ctx, chain_store, x, NULL)) {
+    if (!X509_STORE_CTX_init(&xs_ctx, ssl->ctx->cert_store, x, NULL)) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
       return 0;
     }
@@ -786,23 +760,6 @@
   return 1;
 }
 
-int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) {
-  X509_STORE **pstore;
-  if (chain) {
-    pstore = &c->chain_store;
-  } else {
-    pstore = &c->verify_store;
-  }
-
-  X509_STORE_free(*pstore);
-  *pstore = store;
-
-  if (ref && store) {
-    CRYPTO_refcount_inc(&store->references);
-  }
-  return 1;
-}
-
 int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
   return ssl_cert_set0_chain(ctx->cert, chain);
 }