DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

OpenSSL: Use library wrapper functions to access cert store

Browse source 
OpenSSL 0.9.8 and newer includes SSL_CTX_get_cert_store() and
SSL_CTX_set_cert_store() helper functions, so there is no need to
dereference the SSL_CTX pointer to cert ssl_ctx->cert_store. This helps
in working with the future OpenSSL 1.1.0 release that makes the SSL_CTX
structure opaque.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-02-04 01:58:37 +02:00
parent c4f34de90d
commit 68ae4773a4
1 changed files with 15 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
src/crypto/tls_openssl.c
View file

@ -84,6 +84,7 @@ static struct tls_context *tls_global = NULL;
struct tls_connection { struct tls_connection {
struct tls_context *context; struct tls_context *context;
SSL_CTX *ssl_ctx;
SSL *ssl; SSL *ssl;
BIO *ssl_in, *ssl_out; BIO *ssl_in, *ssl_out;
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
@ -1041,6 +1042,7 @@ struct tls_connection * tls_connection_init(void *ssl_ctx)
conn = os_zalloc(sizeof(*conn)); conn = os_zalloc(sizeof(*conn));
if (conn == NULL) if (conn == NULL)
return NULL; return NULL;
conn->ssl_ctx = ssl_ctx;
conn->ssl = SSL_new(ssl); conn->ssl = SSL_new(ssl);
if (conn->ssl == NULL) { if (conn->ssl == NULL) {
tls_show_errors(MSG_INFO, __func__, tls_show_errors(MSG_INFO, __func__,
@ -1609,7 +1611,7 @@ static int tls_load_ca_der(void *_ssl_ctx, const char *ca_cert)
X509_LOOKUP *lookup; X509_LOOKUP *lookup;
int ret = 0; int ret = 0;
lookup = X509_STORE_add_lookup(ssl_ctx->cert_store, lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx),
X509_LOOKUP_file()); X509_LOOKUP_file());
if (lookup == NULL) { if (lookup == NULL) {
tls_show_errors(MSG_WARNING, __func__, tls_show_errors(MSG_WARNING, __func__,
@ -1640,18 +1642,19 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
size_t ca_cert_blob_len, const char *ca_path) size_t ca_cert_blob_len, const char *ca_path)
{ {
SSL_CTX *ssl_ctx = _ssl_ctx; SSL_CTX *ssl_ctx = _ssl_ctx;
X509_STORE *store;
/* /*
* Remove previously configured trusted CA certificates before adding * Remove previously configured trusted CA certificates before adding
* new ones. * new ones.
*/ */
X509_STORE_free(ssl_ctx->cert_store); store = X509_STORE_new();
ssl_ctx->cert_store = X509_STORE_new(); if (store == NULL) {
if (ssl_ctx->cert_store == NULL) {
wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new " wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
"certificate store", __func__); "certificate store", __func__);
return -1; return -1;
} }
SSL_CTX_set_cert_store(ssl_ctx, store);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
conn->ca_cert_verify = 1; conn->ca_cert_verify = 1;
@ -1704,7 +1707,8 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
return -1; return -1;
} }
if (!X509_STORE_add_cert(ssl_ctx->cert_store, cert)) { if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
cert)) {
unsigned long err = ERR_peek_error(); unsigned long err = ERR_peek_error();
tls_show_errors(MSG_WARNING, __func__, tls_show_errors(MSG_WARNING, __func__,
"Failed to add ca_cert_blob to " "Failed to add ca_cert_blob to "
@ -2216,20 +2220,21 @@ static int tls_connection_engine_ca_cert(void *_ssl_ctx,
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
X509 *cert; X509 *cert;
SSL_CTX *ssl_ctx = _ssl_ctx; SSL_CTX *ssl_ctx = _ssl_ctx;
X509_STORE *store;
if (tls_engine_get_cert(conn, ca_cert_id, &cert)) if (tls_engine_get_cert(conn, ca_cert_id, &cert))
return -1; return -1;
/* start off the same as tls_connection_ca_cert */ /* start off the same as tls_connection_ca_cert */
X509_STORE_free(ssl_ctx->cert_store); store = X509_STORE_new();
ssl_ctx->cert_store = X509_STORE_new(); if (store == NULL) {
if (ssl_ctx->cert_store == NULL) {
wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new " wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
"certificate store", __func__); "certificate store", __func__);
X509_free(cert); X509_free(cert);
return -1; return -1;
} }
if (!X509_STORE_add_cert(ssl_ctx->cert_store, cert)) { SSL_CTX_set_cert_store(ssl_ctx, store);
if (!X509_STORE_add_cert(store, cert)) {
unsigned long err = ERR_peek_error(); unsigned long err = ERR_peek_error();
tls_show_errors(MSG_WARNING, __func__, tls_show_errors(MSG_WARNING, __func__,
"Failed to add CA certificate from engine " "Failed to add CA certificate from engine "
@ -3138,7 +3143,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
return 0; return 0;
} }
store = SSL_CTX_get_cert_store(s->ctx); store = SSL_CTX_get_cert_store(conn->ssl_ctx);
if (conn->peer_issuer) { if (conn->peer_issuer) {
debug_print_cert(conn->peer_issuer, "Add OCSP issuer"); debug_print_cert(conn->peer_issuer, "Add OCSP issuer");