Purpose and trust setting functions for X509_STORE. Tidy existing code.

926a56bf · Dr. Stephen Henson · d6f188be · 926a56bf · 926a56bf · 926a56bf
10 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -11,6 +11,11 @@
         *) applies to 0.9.6a (/0.9.6b) and 0.9.7
         +) applies to 0.9.7 only

+  +) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
+     setting of purpose and trust fields. New X509_STORE trust and
+     purpose functions and tidy up setting in other SSL functions.
+     [Steve Henson]
+
  +) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
     structure. These are inherited by X509_STORE_CTX when it is 
     initialised. This allows various defaults to be set in the

--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -886,6 +886,7 @@ int X509_alias_set1(X509 *x, unsigned char *name, int len);
 int X509_keyid_set1(X509 *x, unsigned char *id, int len);
 unsigned char * X509_alias_get0(X509 *x, int *len);
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
+int X509_TRUST_set(int *t, int trust);
 int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
 int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
 void X509_trust_clear(X509 *x);
@@ -1173,6 +1174,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
 */
+void ERR_load_X509_strings(void);

 /* Error codes for the X509 functions. */

@@ -1214,6 +1216,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 #define X509_F_X509_STORE_CTX_PURPOSE_INHERIT		 134
 #define X509_F_X509_TO_X509_REQ				 126
 #define X509_F_X509_TRUST_ADD				 133
+#define X509_F_X509_TRUST_SET				 141
 #define X509_F_X509_VERIFY_CERT				 127

 /* Reason codes. */
@@ -1224,6 +1227,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 #define X509_R_ERR_ASN1_LIB				 102
 #define X509_R_INVALID_DIRECTORY			 113
 #define X509_R_INVALID_FIELD_NAME			 119
+#define X509_R_INVALID_TRUST				 123
 #define X509_R_KEY_TYPE_MISMATCH			 115
 #define X509_R_KEY_VALUES_MISMATCH			 116
 #define X509_R_LOADING_CERT_DIR				 103
@@ -1244,4 +1248,3 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 }
 #endif
 #endif
-
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -103,6 +103,7 @@ static ERR_STRING_DATA X509_str_functs[]=
 {ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),	"X509_STORE_CTX_purpose_inherit"},
 {ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
 {ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
+{ERR_PACK(0,X509_F_X509_TRUST_SET,0),	"X509_TRUST_set"},
 {ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
 {0,NULL}
 	};
@@ -116,6 +117,7 @@ static ERR_STRING_DATA X509_str_reasons[]=
 {X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
 {X509_R_INVALID_DIRECTORY                ,"invalid directory"},
 {X509_R_INVALID_FIELD_NAME               ,"invalid field name"},
+{X509_R_INVALID_TRUST                    ,"invalid trust"},
 {X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
 {X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
 {X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},

--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -60,6 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>

 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL;

@@ -544,5 +545,15 @@ void X509_STORE_set_flags(X509_STORE *ctx, long flags)
 	ctx->flags |= flags;
 	}

+int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
+	{
+	return X509_PURPOSE_set(&ctx->purpose, purpose);
+	}
+
+int X509_STORE_set_trust(X509_STORE *ctx, int trust)
+	{
+	return X509_TRUST_set(&ctx->trust, trust);
+	}
+
 IMPLEMENT_STACK_OF(X509_LOOKUP)
 IMPLEMENT_STACK_OF(X509_OBJECT)
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -144,6 +144,16 @@ int X509_TRUST_get_by_id(int id)
 	return idx + X509_TRUST_COUNT;
 }

+int X509_TRUST_set(int *t, int trust)
+{
+	if(X509_TRUST_get_by_id(trust) == -1) {
+		X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
+		return 0;
+	}
+	*t = trust;
+	return 1;
+}
+
 int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
 					char *name, int arg1, void *arg2)
 {

--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -326,6 +326,8 @@ X509_STORE *X509_STORE_new(void );
 void X509_STORE_free(X509_STORE *v);

 void X509_STORE_set_flags(X509_STORE *ctx, long flags);
+int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
+int X509_STORE_set_trust(X509_STORE *ctx, int trust);

 X509_STORE_CTX *X509_STORE_CTX_new(void);


--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -121,6 +121,16 @@ int X509_check_purpose(X509 *x, int id, int ca)
 	return pt->check_purpose(pt, x, ca);
 }

+int X509_PURPOSE_set(int *p, int purpose)
+{
+	if(X509_PURPOSE_get_by_id(purpose) == -1) {
+		X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
+		return 0;
+	}
+	*p = purpose;
+	return 1;
+}
+
 int X509_PURPOSE_get_count(void)
 {
 	if(!xptable) return X509_PURPOSE_COUNT;

--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -107,6 +107,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),	"X509V3_get_value_bool"},
 {ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),	"X509V3_parse_list"},
 {ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0),	"X509_PURPOSE_add"},
+{ERR_PACK(0,X509V3_F_X509_PURPOSE_SET,0),	"X509_PURPOSE_set"},
 {0,NULL}
 	};

@@ -138,6 +139,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
 {X509V3_R_INVALID_OPTION                 ,"invalid option"},
 {X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
 {X509V3_R_INVALID_SECTION                ,"invalid section"},
 {X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
 {X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},

--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -518,6 +518,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);

 int X509_check_purpose(X509 *x, int id, int ca);
+int X509_PURPOSE_set(int *p, int purpose);
 int X509_check_issued(X509 *issuer, X509 *subject);
 int X509_PURPOSE_get_count(void);
 X509_PURPOSE * X509_PURPOSE_get0(int idx);
@@ -541,6 +542,7 @@ void X509_email_free(STACK *sk);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
 */
+void ERR_load_X509V3_strings(void);

 /* Error codes for the X509V3 functions. */

@@ -586,6 +588,7 @@ void X509_email_free(STACK *sk);
 #define X509V3_F_X509V3_GET_VALUE_BOOL			 110
 #define X509V3_F_X509V3_PARSE_LIST			 109
 #define X509V3_F_X509_PURPOSE_ADD			 137
+#define X509V3_F_X509_PURPOSE_SET			 141

 /* Reason codes. */
 #define X509V3_R_BAD_IP_ADDRESS				 118
@@ -614,6 +617,7 @@ void X509_email_free(STACK *sk);
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
 #define X509V3_R_INVALID_OPTION				 138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
+#define X509V3_R_INVALID_PURPOSE			 146
 #define X509V3_R_INVALID_SECTION			 135
 #define X509V3_R_INVALID_SYNTAX				 143
 #define X509V3_R_ISSUER_DECODE_ERROR			 126
@@ -639,4 +643,3 @@ void X509_email_free(STACK *sk);
 }
 #endif
 #endif
-
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -333,42 +333,22 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,

 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
 {
-	if(X509_PURPOSE_get_by_id(purpose) == -1) {
-		SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
-		return 0;
-	}
-	s->purpose = purpose;
-	return 1;
+	return X509_PURPOSE_set(&s->purpose, purpose);
 }

 int SSL_set_purpose(SSL *s, int purpose)
 {
-	if(X509_PURPOSE_get_by_id(purpose) == -1) {
-		SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
-		return 0;
-	}
-	s->purpose = purpose;
-	return 1;
+	return X509_PURPOSE_set(&s->purpose, purpose);
 }
-	
+
 int SSL_CTX_set_trust(SSL_CTX *s, int trust)
 {
-	if(X509_TRUST_get_by_id(trust) == -1) {
-		SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST);
-		return 0;
-	}
-	s->trust = trust;
-	return 1;
+	return X509_TRUST_set(&s->trust, trust);
 }

 int SSL_set_trust(SSL *s, int trust)
 {
-	if(X509_TRUST_get_by_id(trust) == -1) {
-		SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST);
-		return 0;
-	}
-	s->trust = trust;
-	return 1;
+	return X509_TRUST_set(&s->trust, trust);
 }

 void SSL_free(SSL *s)