__owur const char *SSL_alert_desc_string_long(int value);
__owur const char *SSL_alert_desc_string(int value);
+void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
+void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
+__owur const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s);
+__owur const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx);
+__owur int SSL_add1_CA_list(SSL *ssl, const X509 *x);
+__owur int SSL_CTX_add1_CA_list(SSL_CTX *ctx, const X509 *x);
+__owur const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s);
+
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
__owur STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
#endif
OPENSSL_free(s->s3->tmp.ctype);
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+ sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
OPENSSL_free(s->s3->tmp.ciphers_raw);
OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
OPENSSL_free(s->s3->tmp.peer_sigalgs);
{
ssl3_cleanup_key_block(s);
OPENSSL_free(s->s3->tmp.ctype);
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+ sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
OPENSSL_free(s->s3->tmp.ciphers_raw);
OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
OPENSSL_free(s->s3->tmp.peer_sigalgs);
return i;
}
-static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
- STACK_OF(X509_NAME) *name_list)
+static void set0_CA_list(STACK_OF(X509_NAME) **ca_list,
+ STACK_OF(X509_NAME) *name_list)
{
sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
*ca_list = name_list;
return (ret);
}
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
{
- set_client_CA_list(&(s->client_CA), name_list);
+ set0_CA_list(&s->ca_names, name_list);
+}
+
+void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
+{
+ set0_CA_list(&ctx->ca_names, name_list);
+}
+
+const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx)
+{
+ return ctx->ca_names;
+}
+
+const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s)
+{
+ return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names;
}
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
{
- set_client_CA_list(&(ctx->client_CA), name_list);
+ SSL_CTX_set0_CA_list(ctx, name_list);
}
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
{
- return (ctx->client_CA);
+ return ctx->ca_names;
+}
+
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+{
+ SSL_set0_CA_list(s, name_list);
+}
+
+const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s)
+{
+ return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL;
}
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
- if (!s->server) { /* we are in the client */
- if (s->s3 != NULL)
- return s->s3->tmp.ca_names;
- else
- return NULL;
- } else {
- if (s->client_CA != NULL)
- return s->client_CA;
- else
- return s->ctx->client_CA;
- }
+ if (!s->server)
+ return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL;
+ return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names;
}
-static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x)
+static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x)
{
X509_NAME *name;
if (x == NULL)
- return (0);
- if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL))
- return (0);
+ return 0;
+ if (*sk == NULL && ((*sk = sk_X509_NAME_new_null()) == NULL))
+ return 0;
if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
- return (0);
+ return 0;
if (!sk_X509_NAME_push(*sk, name)) {
X509_NAME_free(name);
- return (0);
+ return 0;
}
- return (1);
+ return 1;
+}
+
+int SSL_add1_CA_list(SSL *ssl, const X509 *x)
+{
+ return add_ca_name(&ssl->ca_names, x);
+}
+
+int SSL_CTX_add1_CA_list(SSL_CTX *ctx, const X509 *x)
+{
+ return add_ca_name(&ctx->ca_names, x);
}
int SSL_add_client_CA(SSL *ssl, X509 *x)
{
- return (add_client_CA(&(ssl->client_CA), x));
+ return add_ca_name(&ssl->ca_names, x);
}
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
{
- return (add_client_CA(&(ctx->client_CA), x));
+ return add_ca_name(&ctx->ca_names, x);
}
static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
OPENSSL_free(s->ext.tls13_cookie);
OPENSSL_free(s->clienthello);
- sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
+ sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free);
sk_X509_pop_free(s->verified_chain, X509_free);
goto err2;
}
- if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL)
+ if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
goto err;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data))
sk_SSL_CIPHER_free(a->cipher_list);
sk_SSL_CIPHER_free(a->cipher_list_by_id);
ssl_cert_free(a->cert);
- sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
+ sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free);
sk_X509_pop_free(a->extra_certs, X509_free);
a->comp_methods = NULL;
#ifndef OPENSSL_NO_SRTP
goto err;
/* Dup the client_CA list */
- if (s->client_CA != NULL) {
- if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL)
+ if (s->ca_names != NULL) {
+ if ((sk = sk_X509_NAME_dup(s->ca_names)) == NULL)
goto err;
- ret->client_CA = sk;
+ ret->ca_names = sk;
for (i = 0; i < sk_X509_NAME_num(sk); i++) {
xn = sk_X509_NAME_value(sk, i);
if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) {
/* This is the cert and type for the other end. */
X509 *peer;
int peer_type;
- /* Certificate chain peer sent */
+ /* Certificate chain peer sent. */
STACK_OF(X509) *peer_chain;
/*
* when app_verify_callback accepts a session where the peer's
/* used if SSL's info_callback is NULL */
void (*info_callback) (const SSL *ssl, int type, int val);
- /* what we put in client cert requests */
- STACK_OF(X509_NAME) *client_CA;
+ /*
+ * What we put in certificate_authorities extension for TLS 1.3
+ * (ClientHello and CertificateRequest) or just client cert requests for
+ * earlier versions.
+ */
+ STACK_OF(X509_NAME) *ca_names;
/*
* Default values to use in SSL structures follow (these are copied by
/* extra application data */
CRYPTO_EX_DATA ex_data;
/* for server side, keep the list of CA_dn we can use */
- STACK_OF(X509_NAME) *client_CA;
+ STACK_OF(X509_NAME) *ca_names;
CRYPTO_REF_COUNT references;
/* protocol behaviour */
uint32_t options;
/* Certificate types in certificate request message. */
uint8_t *ctype;
size_t ctype_len;
- STACK_OF(X509_NAME) *ca_names;
+ /* Certificate authorities list peer sent */
+ STACK_OF(X509_NAME) *peer_ca_names;
size_t key_block_length;
unsigned char *key_block;
const EVP_CIPHER *new_sym_enc;
static int init_certificate_authorities(SSL *s, unsigned int context)
{
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
- s->s3->tmp.ca_names = NULL;
+ sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
+ s->s3->tmp.peer_ca_names = NULL;
return 1;
}
xn = NULL;
}
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
- s->s3->tmp.ca_names = ca_sk;
+ sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
+ s->s3->tmp.peer_ca_names = ca_sk;
return 1;
rv |= CERT_PKEY_CERT_TYPE;
}
- ca_dn = s->s3->tmp.ca_names;
+ ca_dn = s->s3->tmp.peer_ca_names;
if (!sk_X509_NAME_num(ca_dn))
rv |= CERT_PKEY_ISSUER_NAME;