generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add 'void *' argument to app_verify_callback.

Browse Source 
Submitted by: D. K. Smetters <smetters@parc.xerox.com>
Reviewed by: Bodo Moeller
This commit is contained in:
Bodo Möller 2002-02-28 10:55:52 +00:00
parent 6d1a837df7
commit 48781ef7f7
8 changed files with 89 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
CHANGES
View File

@ -13,6 +13,22 @@
*) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
+) applies to 0.9.7 only +) applies to 0.9.7 only
+) Fix the 'app_verify_callback' interface so that the user-defined
argument is actually passed to the callback: In the
SSL_CTX_set_cert_verify_callback() prototype, the callback
declaration has been changed from
int (*cb)()
into
int (*cb)(X509_STORE_CTX *,void *);
in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
i=s->ctx->app_verify_callback(&ctx)
has been changed into
i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
To update applications using SSL_CTX_set_cert_verify_callback(),
a dummy argument can be added to their callback functions.
[D. K. Smetters <smetters@parc.xerox.com>]
+) Added the '4758cca' ENGINE to support IBM 4758 cards. +) Added the '4758cca' ENGINE to support IBM 4758 cards.
[Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe] [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]

6
demos/easy_tls/easy-tls.c
View File

@ -1,7 +1,7 @@
/* -*- Mode: C; c-file-style: "bsd" -*- */ /* -*- Mode: C; c-file-style: "bsd" -*- */
/* /*
* easy-tls.c -- generic TLS proxy. * easy-tls.c -- generic TLS proxy.
* $Id: easy-tls.c,v 1.2 2001/09/24 07:54:09 bodo Exp $ * $Id: easy-tls.c,v 1.2.2.1 2002/02/28 10:55:00 bodo Exp $
*/ */
/* /*
(c) Copyright 1999 Bodo Moeller. All rights reserved. (c) Copyright 1999 Bodo Moeller. All rights reserved.
@ -73,7 +73,7 @@
*/ */
static char const rcsid[] = static char const rcsid[] =
"$Id: easy-tls.c,v 1.2 2001/09/24 07:54:09 bodo Exp $"; "$Id: easy-tls.c,v 1.2.2.1 2002/02/28 10:55:00 bodo Exp $";
#include <assert.h> #include <assert.h>
#include <errno.h> #include <errno.h>
@ -568,7 +568,7 @@ no_passphrase_callback(char *buf, int num, int w, void *arg)
} }
static int static int
verify_dont_fail_cb(X509_STORE_CTX *c) verify_dont_fail_cb(X509_STORE_CTX *c, void *unused_arg)
{ {
int i; int i;

40
doc/ssl/SSL_CTX_set_cert_verify_callback.pod
View File

@ -8,38 +8,36 @@ SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
#include <openssl/ssl.h> #include <openssl/ssl.h>
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(), void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);
char *arg);
int (*callback)();
=head1 DESCRIPTION =head1 DESCRIPTION
SSL_CTX_set_cert_verify_callback() sets the verification callback function for SSL_CTX_set_cert_verify_callback() sets the verification callback function for
B<ctx>. SSL objects, that are created from B<ctx> inherit the setting valid at I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
the time, L<SSL_new(3)|SSL_new(3)> is called. B<arg> is currently ignored. the time when L<SSL_new(3)|SSL_new(3)> is called.
=head1 NOTES =head1 NOTES
Whenever a certificate is verified during a SSL/TLS handshake, a verification Whenever a certificate is verified during a SSL/TLS handshake, a verification
function is called. If the application does not explicitly specify a function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used. verification callback function, the built-in verification function is used.
If a verification callback B<callback> is specified via If a verification callback I<callback> is specified via
SSL_CTX_set_cert_verify_callback(), the supplied callback function is called SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
instead. By setting B<callback> to NULL, the default behaviour is restored. instead. By setting I<callback> to NULL, the default behaviour is restored.
When the verification must be performed, B<callback> will be called with When the verification must be performed, I<callback> will be called with
the argument callback(X509_STORE_CTX *x509_store_ctx). The arguments B<arg> the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
that can be specified when setting B<callback> are currently ignored. argument I<arg> is specified by the application when setting I<callback>.
B<callback> should return 1 to indicate verification success and 0 to I<callback> should return 1 to indicate verification success and 0 to
indicate verification failure. If SSL_VERIFY_PEER is set and B<callback> indicate verification failure. If SSL_VERIFY_PEER is set and I<callback>
returns 0, the handshake will fail. As the verification procedure may returns 0, the handshake will fail. As the verification procedure may
allow to continue the connection in case of failure (by always returning 1) allow to continue the connection in case of failure (by always returning 1)
the verification result must be set in any case using the B<error> the verification result must be set in any case using the B<error>
member of B<x509_store_ctx>, so that the calling application will be informed member of I<x509_store_ctx> so that the calling application will be informed
about the detailed result of the verification procedure! about the detailed result of the verification procedure!
Within B<x509_store_ctx>, B<callback> has access to the B<verify_callback> Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>. function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
=head1 WARNINGS =head1 WARNINGS
@ -56,12 +54,6 @@ the B<verify_callback> function.
=head1 BUGS =head1 BUGS
It is possible to specify arguments to be passed to the verification callback.
Currently they are however not passed but ignored.
The B<callback> function is not specified via a prototype, so that no
type checking takes place.
=head1 RETURN VALUES =head1 RETURN VALUES
SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
@ -72,4 +64,12 @@ L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
=head1 HISTORY
Previous to OpenSSL 0.9.7, the I<arg> argument to B<SSL_CTX_set_cert_verify_callback>
was ignored, and I<callback> was called simply as
int (*callback)(X509_STORE_CTX *)
To compile software written for previous versions of OpenSSL, a dummy
argument will have to be added to I<callback>.
=cut =cut

8
ssl/ssl.h
View File

@ -607,8 +607,10 @@ struct ssl_ctx_st
int references; int references;
/* if defined, these override the X509_verify_cert() calls */ /* if defined, these override the X509_verify_cert() calls */
int (*app_verify_callback)(); int (*app_verify_callback)(X509_STORE_CTX *, void *);
char *app_verify_arg; /* never used; should be void * */ void *app_verify_arg;
/* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
* ('app_verify_callback' was called with just one argument) */
/* Default password callback. */ /* Default password callback. */
pem_password_cb *default_passwd_callback; pem_password_cb *default_passwd_callback;
@ -1232,7 +1234,7 @@ int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
void SSL_CTX_set_verify(SSL_CTX *ctx,int mode, void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
int (*callback)(int, X509_STORE_CTX *)); int (*callback)(int, X509_STORE_CTX *));
void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(),char *arg); void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
#ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_RSA
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
#endif #endif

4
ssl/ssl_cert.c
View File

@ -483,7 +483,11 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
if (s->ctx->app_verify_callback != NULL) if (s->ctx->app_verify_callback != NULL)
#if 1 /* new with OpenSSL 0.9.7 */
i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
#else
i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
#endif
else else
{ {
#ifndef OPENSSL_NO_X509_VERIFY #ifndef OPENSSL_NO_X509_VERIFY

9
ssl/ssl_lib.c
View File

@ -1443,15 +1443,10 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
ctx->default_passwd_callback_userdata=u; ctx->default_passwd_callback_userdata=u;
} }
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg) void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
{ {
/* now
* int (*cb)(X509_STORE_CTX *),
* but should be
* int (*cb)(X509_STORE_CTX *, void *arg)
*/
ctx->app_verify_callback=cb; ctx->app_verify_callback=cb;
ctx->app_verify_arg=arg; /* never used */ ctx->app_verify_arg=arg;
} }
void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))

36
ssl/ssltest.c
View File

@ -158,6 +158,10 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
static void free_tmp_rsa(void); static void free_tmp_rsa(void);
#endif #endif
static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
#define APP_CALLBACK "Test Callback Argument"
static char *app_verify_arg = APP_CALLBACK;
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
static DH *get_dh512(void); static DH *get_dh512(void);
static DH *get_dh1024(void); static DH *get_dh1024(void);
@ -336,6 +340,7 @@ int main(int argc, char *argv[])
int tls1=0,ssl2=0,ssl3=0,ret=1; int tls1=0,ssl2=0,ssl3=0,ret=1;
int client_auth=0; int client_auth=0;
int server_auth=0,i; int server_auth=0,i;
int app_verify=0;
char *server_cert=TEST_SERVER_CERT; char *server_cert=TEST_SERVER_CERT;
char *server_key=NULL; char *server_key=NULL;
char *client_cert=TEST_CLIENT_CERT; char *client_cert=TEST_CLIENT_CERT;
@ -489,6 +494,10 @@ int main(int argc, char *argv[])
{ {
comp = COMP_RLE; comp = COMP_RLE;
} }
else if (strcmp(*argv,"-app_verify") == 0)
{
app_verify = 1;
}
else else
{ {
fprintf(stderr,"unknown option %s\n",*argv); fprintf(stderr,"unknown option %s\n",*argv);
@ -640,12 +649,20 @@ bad:
SSL_CTX_set_verify(s_ctx, SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback); verify_callback);
if (app_verify)
{
SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
}
} }
if (server_auth) if (server_auth)
{ {
BIO_printf(bio_err,"server authentication\n"); BIO_printf(bio_err,"server authentication\n");
SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
verify_callback); verify_callback);
if (app_verify)
{
SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
}
} }
{ {
@ -1433,6 +1450,25 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
return(ok); return(ok);
} }
static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
{
char *s = NULL,buf[256];
int ok=1;
fprintf(stderr, "In app_verify_callback, allowing cert. ");
fprintf(stderr, "Arg is: %s\n", (char *)arg);
fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
(unsigned int)ctx, (unsigned int)ctx->cert);
if (ctx->cert)
s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
if (s != NULL)
{
fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
}
return(ok);
}
#ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_RSA
static RSA *rsa_tmp=NULL; static RSA *rsa_tmp=NULL;

3
test/testssl
View File

@ -116,6 +116,9 @@ $ssltest -bio_pair -client_auth $CA $extra || exit 1
echo test sslv2/sslv3 with both client and server authentication via BIO pair echo test sslv2/sslv3 with both client and server authentication via BIO pair
$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1 $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
############################################################################# #############################################################################
echo test tls1 with 1024bit anonymous DH, multiple handshakes echo test tls1 with 1024bit anonymous DH, multiple handshakes