Support verify_depth from the SSL API without need for user-defined

callbacks. Submitted by: Reviewed by: PR:

Support verify_depth from the SSL API without need for user-defined
callbacks. Submitted by: Reviewed by: PR:
7f89714e · Bodo Möller · 69bb35ed · 7f89714e · 7f89714e · 7f89714e
7 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,13 @@

 Changes between 0.9.2b and 0.9.3

+  *) Support verify_depth from the SSL API.
+     x509_vfy.c had what can be considered an off-by-one-error:
+     Its depth (which was not part of the external interface)
+     was actually counting the number of certificates in a chain;
+     now it really counts the depth.
+     [Bodo Moeller]
+
  *) New function SSL_CTX_set_session_id_context that allows to set a default
     value (so that you don't need SSL_set_session_id_context for each
     connection using the SSL_CTX).

--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -391,7 +391,7 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	ctx->last_untrusted=0;
 	ctx->valid=0;
 	ctx->chain=NULL;
-	ctx->depth=10;
+	ctx->depth=9;
 	ctx->error=0;
 	ctx->current_cert=NULL;
 	memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));

--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -143,7 +143,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	for (;;)
 		{
 		/* If we have enough, we break */
-		if (depth <= num) break;
+		if (depth < num) break;

 		/* If we are self signed, we break */
 		xn=X509_get_issuer_name(x);
@@ -206,7 +206,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	for (;;)
 		{
 		/* If we have enough, we break */
-		if (depth <= num) break;
+		if (depth < num) break;

 		/* If we are self signed, we break */
 		xn=X509_get_issuer_name(x);

--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -169,7 +169,7 @@ typedef struct x509_store_st

 	CRYPTO_EX_DATA ex_data;
 	int references;
-	int depth;		/* how deep to look (still unused) */
+	int depth;		/* how deep to look (still unused -- X509_STORE_CTX's depth is used) */
 	}  X509_STORE;

 #define X509_STORE_set_depth(ctx,d)       ((ctx)->depth=(d))
@@ -191,7 +191,7 @@ struct x509_lookup_st
 /* This is a temporary used when processing cert chains.  Since the
 * gathering of the cert chain can take some time (and have to be
 * 'retried', this needs to be kept and passed around. */
-struct x509_store_state_st
+struct x509_store_state_st      /* X509_STORE_CTX */
 	{
 	X509_STORE *ctx;
 	int current_method;	/* used when looking up certs */
@@ -214,6 +214,8 @@ struct x509_store_state_st
 	CRYPTO_EX_DATA ex_data;
 	};

+#define X509_STORE_CTX_set_depth(ctx,d)       ((ctx)->depth=(d))
+
 #define X509_STORE_CTX_set_app_data(ctx,data) \
 	X509_STORE_CTX_set_ex_data(ctx,0,data)
 #define X509_STORE_CTX_get_app_data(ctx) \

--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -394,6 +394,7 @@ struct ssl_ctx_st
 /**/	struct cert_st /* CERT */ *default_cert;
 /**/	int read_ahead;
 /**/	int verify_mode;
+/**/	int verify_depth;
 /**/	unsigned int sid_ctx_length;
 /**/	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 /**/	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
@@ -573,6 +574,7 @@ struct ssl_st
 	/* Used in SSL2 and SSL3 */
 	int verify_mode;	/* 0 don't care about verify failure.
 				 * 1 fail if verify fails */
+	int verify_depth;
 	int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
 	void (*info_callback)(); /* optional informational callback */

@@ -851,9 +853,11 @@ BIO *	SSL_get_wbio(SSL *s);
 int	SSL_set_cipher_list(SSL *s, char *str);
 void	SSL_set_read_ahead(SSL *s, int yes);
 int	SSL_get_verify_mode(SSL *s);
+int	SSL_get_verify_depth(SSL *s);
 int	(*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
 void	SSL_set_verify(SSL *s, int mode,
 		       int (*callback)(int ok,X509_STORE_CTX *ctx));
+void	SSL_set_verify_depth(SSL *s, int depth);
 #ifndef NO_RSA
 int	SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
 #endif
@@ -912,9 +916,11 @@ X509 *	SSL_get_peer_certificate(SSL *s);
 STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);

 int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
 int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
 void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
 			int (*callback)(int, X509_STORE_CTX *));
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
 void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg);
 #ifndef NO_RSA
 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);

--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -185,6 +185,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)

 	x=sk_X509_value(sk,0);
 	X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
+	if (SSL_get_verify_depth(s) >= 0)
+		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
 	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
 		(char *)s);


--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -189,6 +189,7 @@ SSL *SSL_new(SSL_CTX *ctx)
 	s->sid_ctx_length=ctx->sid_ctx_length;
 	memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
 	s->verify_mode=ctx->verify_mode;
+	s->verify_depth=ctx->verify_depth;
 	s->verify_callback=ctx->default_verify_callback;
 	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
 	s->ctx=ctx;
@@ -422,6 +423,11 @@ int SSL_get_verify_mode(SSL *s)
 	return(s->verify_mode);
 	}

+int SSL_get_verify_depth(SSL *s)
+	{
+	return(s->verify_depth);
+	}
+
 int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
 	{
 	return(s->verify_callback);
@@ -432,6 +438,11 @@ int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
 	return(ctx->verify_mode);
 	}

+int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+	{
+	return(ctx->verify_depth);
+	}
+
 int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
 	{
 	return(ctx->default_verify_callback);
@@ -445,6 +456,11 @@ void SSL_set_verify(SSL *s,int mode,
 		s->verify_callback=callback;
 	}

+void SSL_set_verify_depth(SSL *s,int depth)
+	{
+	s->verify_depth=depth;
+	}
+
 void SSL_set_read_ahead(SSL *s,int yes)
 	{
 	s->read_ahead=yes;
@@ -961,6 +977,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)

 	ret->read_ahead=0;
 	ret->verify_mode=SSL_VERIFY_NONE;
+	ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
 	ret->default_verify_callback=NULL;
 	if ((ret->default_cert=ssl_cert_new()) == NULL)
 		goto err;
@@ -1079,6 +1096,11 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
 	X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
 	}

+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
+	{
+	ctx->verify_depth=depth;
+	}
+
 /* Need default_cert to check for callbacks, for now (see comment in CERT
   strucure)
 */
@@ -1463,6 +1485,7 @@ SSL *SSL_dup(SSL *s)
 	SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
 	SSL_set_verify(ret,SSL_get_verify_mode(s),
 		SSL_get_verify_callback(s));
+	SSL_set_verify_depth(ret,SSL_get_verify_depth(s));

 	SSL_set_info_callback(ret,SSL_get_info_callback(s));