RT3874 Add certificate verify data to SSL struct

Add app_verify_callback and app_verify_arg to the SSL structure and add SSL_SESSION_set_verify_result() API. The values are copied from the SSL_CTX into the SSL. (cherry picked from commit 80b9e96) Conflicts: include/openssl/ssl.h ssl/ssl_cert.c
akamai · Jun 18, 2015 · e431afa · e431afa
1 parent 956053b
commit e431afa
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 5 deletions.
diff --git a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
@@ -9,21 +9,44 @@ SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
  #include <openssl/ssl.h>
 
  void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);
+ void SSL_set_cert_verify_callback(SSL *ssl, int (*callback)(X509_STORE_CTX *,void *), void *arg);
 
 =head1 DESCRIPTION
 
 SSL_CTX_set_cert_verify_callback() sets the verification callback function for
 I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
 the time when L<SSL_new(3)|SSL_new(3)> is called.
 
+SSL_set_cert_verify_callback() sets the verification callback function for
+I<ssl>. This overrides any setting in the SSL_CTX set bye
+SSL_CTX_set_cert_verify_callback().
+
 =head1 NOTES
 
 Whenever a certificate is verified during a SSL/TLS handshake, a verification
 function is called. If the application does not explicitly specify a
 verification callback function, the built-in verification function is used.
 If a verification callback I<callback> is specified via
+SSL_set_cert_verify_callback(), the supplied call back function is called
+instead. Otherwise, if a verification callback I<callback> is specified via
 SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
-instead. By setting I<callback> to NULL, the default behaviour is restored.
+instead. By setting both I<callback>s to NULL, the default behaviour is restored.
+
+The priorty order is:
+
+=item 1
+
+I<callback> set via SSL_set_cert_verify_callback()
+
+=item 1
+
+I<callback> set via SSL_CTX_set_cert_verify_callback()
+
+=item 1
+
+Built in verification function
+
+=back 
 
 When the verification must be performed, I<callback> will be called with
 the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The 

diff --git a/doc/ssl/SSL_set_verify_result.pod b/doc/ssl/SSL_set_verify_result.pod
@@ -2,32 +2,37 @@
 
 =head1 NAME
 
-SSL_set_verify_result - override result of peer certificate verification
+SSL_set_verify_result, SSL_SESSION_set_verify_result - override result of peer certificate verification
 
 =head1 SYNOPSIS
 
  #include <openssl/ssl.h>
 
  void SSL_set_verify_result(SSL *ssl, long verify_result);
+ void SSL_SESSION_set_verify_result(SSL *ssl, long verify_result);
 
 =head1 DESCRIPTION
 
 SSL_set_verify_result() sets B<verify_result> of the object B<ssl> to be the
 result of the verification of the X509 certificate presented by the peer,
 if any.
 
+SSL_SESSION_set_verify_result() sets B<verify_result> of the SSL_SESSION object 
+referenced by the B<ssl> to be the result of the verification of the X509
+certificate presented by the peer, if any.
+
 =head1 NOTES
 
 SSL_set_verify_result() overrides the verification result. It only changes
 the verification result of the B<ssl> object. It does not become part of the
 established session, so if the session is to be reused later, the original
-value will reappear.
+value will reappear. To update the session value use SSL_SESSION_set_verify_result().
 
 The valid codes for B<verify_result> are documented in L<verify(1)|verify(1)>.
 
 =head1 RETURN VALUES
 
-SSL_set_verify_result() does not provide a return value.
+SSL_set_verify_result() and SSL_SESSION_set_verify_result() do not provide a return value.
 
 =head1 SEE ALSO
 

diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
@@ -419,6 +419,8 @@ sessions defined in the B<SSL_SESSION> structures.
 
 =item long B<SSL_SESSION_set_timeout>(SSL_SESSION *s, long t);
 
+=item void B<SSL_SESSION_set_verify_result>(SSL *ssl, long arg);
+
 =back
 
 =head2 DEALING WITH CONNECTIONS
@@ -611,6 +613,8 @@ success or 0 on failure.
 
 =item void B<SSL_set_timeout>(SSL *ssl, long t);
 
+=item void B<SSL_set_cert_verify_cb>(SSL *ssl, int (*cb)(), char *arg)
+
 =item void B<SSL_set_verify>(SSL *ssl, int mode, int (*callback);(void))
 
 =item void B<SSL_set_verify_result>(SSL *ssl, long arg);

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -1541,6 +1541,7 @@ int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
 # endif
 int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
 int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
+void SSL_SESSION_set_verify_result(SSL *ssl, long arg);
 void SSL_SESSION_free(SSL_SESSION *ses);
 __owur int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
 __owur int SSL_set_session(SSL *to, SSL_SESSION *session);
@@ -1570,6 +1571,9 @@ void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
                                       int (*cb) (X509_STORE_CTX *, void *),
                                       void *arg);
+void SSL_set_cert_verify_callback(SSL *s,
+                                  int (*cb) (X509_STORE_CTX *, void *),
+                                  void *arg);
 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg),
                          void *arg);
 # ifndef OPENSSL_NO_RSA

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
@@ -628,7 +628,9 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
     if (s->verify_callback)
         X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
 
-    if (s->ctx->app_verify_callback != NULL)
+    if (s->app_verify_callback != NULL)
+        i = s->app_verify_callback(&ctx, s->app_verify_arg);
+    else if (s->ctx->app_verify_callback != NULL)
         i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
     else {
         i = X509_verify_cert(&ctx);

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
@@ -321,6 +321,9 @@ SSL *SSL_new(SSL_CTX *ctx)
     s->quiet_shutdown = ctx->quiet_shutdown;
     s->max_send_fragment = ctx->max_send_fragment;
 
+    s->app_verify_callback = ctx->app_verify_callback;
+    s->app_verify_arg = ctx->app_verify_arg;
+
     CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
     s->ctx = ctx;
     s->tlsext_debug_cb = 0;
@@ -1984,6 +1987,14 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
     ctx->app_verify_arg = arg;
 }
 
+void SSL_set_cert_verify_callback(SSL *s,
+                                  int (*cb) (X509_STORE_CTX *, void *),
+                                  void *arg)
+{
+    s->app_verify_callback = cb;
+    s->app_verify_arg = arg;
+}
+
 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
                         int (*cb) (int, X509_STORE_CTX *))
 {
@@ -2954,6 +2965,12 @@ void SSL_set_state(SSL *ssl, int state)
     ssl->state = state;
 }
 
+void SSL_SESSION_set_verify_result(SSL *ssl, long arg)
+{
+    if (ssl->session)
+        ssl->session->verify_result = arg;
+}
+
 void SSL_set_verify_result(SSL *ssl, long arg)
 {
     ssl->verify_result = arg;

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
@@ -1230,6 +1230,9 @@ struct ssl_st {
         } ctx;                 /* context/closure handed out to task */
     } task;
 
+    int (*app_verify_callback) (X509_STORE_CTX *, void *);
+    void *app_verify_arg;
+
     /* Keep track of bytes passed through SSL */
     size_t bytes_written;
     size_t bytes_read;