authorRich Salz <rsalz@openssl.org>2016-04-14 23:59:26 -0400
committerRich Salz <rsalz@openssl.org>2016-04-15 13:21:43 -0400
commitf0e0fd51fd8307f6eae64862ad9aaea113f1177a (patch)
treeb00de87cb2fd4dc437de5994d3c8028dd9262460 /doc
parent34da11b39d2421f546ec568f355875eec353844c (diff)
downloadopenssl-f0e0fd51fd8307f6eae64862ad9aaea113f1177a.tar.gz
Make many X509_xxx types opaque.
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD opaque. Remove the unused X509_CERT_FILE_CTX. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r--doc/crypto/X509_STORE_CTX_get_error.pod8
-rw-r--r--doc/crypto/X509_STORE_CTX_new.pod69
-rw-r--r--doc/crypto/X509_STORE_CTX_set_verify_cb.pod12
3 files changed, 61 insertions, 28 deletions
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
index 75be45374e..1cc6bb5e8f 100644
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
@@ -2,7 +2,10 @@
=head1 NAME
-X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
+X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
+X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert,
+X509_STORE_CTX_get0_cert,
+X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
=head1 SYNOPSIS
@@ -13,6 +16,7 @@ X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_dep
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+ X509 * X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
@@ -35,6 +39,8 @@ non-negative integer representing where in the certificate chain the error
occurred. If it is zero it occurred in the end entity certificate, one if
it is the certificate which signed the end entity certificate and so on.
+X509_STORE_CTX_get0_cert() returns the leaf certificate being verified.
+
X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
caused the error or B<NULL> if no certificate is relevant.
diff --git a/doc/crypto/X509_STORE_CTX_new.pod b/doc/crypto/X509_STORE_CTX_new.pod
index 1f3ded6d29..69ff7c4538 100644
--- a/doc/crypto/X509_STORE_CTX_new.pod
+++ b/doc/crypto/X509_STORE_CTX_new.pod
@@ -2,7 +2,18 @@
=head1 NAME
-X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX initialisation
+X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free,
+X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_set_cert,
+X509_STORE_CTX_set0_crls,
+X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain,
+X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param,
+X509_STORE_CTX_get0_cert,
+X509_STORE_CTX_get0_untrusted,
+X509_STORE_CTX_get_num_untrusted,
+X509_STORE_CTX_set_default,
+X509_STORE_CTX_get_verify_cb,
+X509_STORE_CTX_set_verify,
+X509_STORE_CTX_get_verify - X509_STORE_CTX initialisation
=head1 SYNOPSIS
@@ -15,18 +26,27 @@ X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
X509 *x509, STACK_OF(X509) *chain);
- void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
+ void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
- void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx,X509 *x);
- void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,STACK_OF(X509) *sk);
- void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
+ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx,X509 *x);
+ STACK_OF(X509) *X509_STORE_CTX_get0_chain(X609_STORE_CTX *ctx);
+ void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *chain);
+ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
+ X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
+ STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);
+
int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
+ typedef int (*X509_STORE_CTX_verify)(X509_STORE_CTX *);
+ X509_STORE_CTX_verify X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
+ void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify verify);
+
+
=head1 DESCRIPTION
These functions initialise an B<X509_STORE_CTX> structure for subsequent use
@@ -52,15 +72,19 @@ certificates (which will be untrusted but may be used to build the chain) in
B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
B<NULL>.
-X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
-to B<sk>. This is an alternative way of specifying trusted certificates
+X509_STORE_CTX_set0_trusted_stack() sets the set of trusted certificates of
+B<ctx> to B<sk>. This is an alternative way of specifying trusted certificates
instead of using an B<X509_STORE>.
X509_STORE_CTX_set_cert() sets the certificate to be verified in B<ctx> to
B<x>.
-X509_STORE_CTX_set_chain() sets the additional certificate chain used by B<ctx>
-to B<sk>.
+X509_STORE_CTX_set0_verified_chain() sets the validated chain used
+by B<ctx> to be B<chain>.
+Ownership of the chain is transferred to B<ctx> and should not be
+free'd by the caller.
+X509_STORE_CTX_get0_chain() returns a the internal pointer used by the
+B<ctx> that contains the validated chain.
X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
verification to B<sk>. These CRLs will only be used if CRL verification is
@@ -68,9 +92,15 @@ enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
used where additional "useful" CRLs are supplied as part of a protocol,
for example in a PKCS#7 structure.
-X509_VERIFY_PARAM *X509_STORE_CTX_get0_param() retrieves an internal pointer
+X509_STORE_CTX_get0_param() retrieves an internal pointer
to the verification parameters associated with B<ctx>.
+X509_STORE_CTX_get0_cert() retrieves an internal pointer to the
+certificate being verified by the B<ctx>.
+
+X509_STORE_CTX_get0_untrusted() retrieves an internal pointer to the
+stack of untrusted certifieds associated with B<ctx>.
+
X509_STORE_CTX_set0_param() sets the internal verification parameter pointer
to B<param>. After this call B<param> should not be used.
@@ -84,19 +114,7 @@ that were used in building the chain following a call to X509_verify_cert().
=head1 NOTES
The certificates and CRLs in a store are used internally and should B<not>
-be freed up until after the associated B<X509_STORE_CTX> is freed. Legacy
-applications might implicitly use an B<X509_STORE_CTX> like this:
-
- X509_STORE_CTX ctx;
- X509_STORE_CTX_init(&ctx, store, cert, chain);
-
-this is B<not> recommended in new applications they should instead do:
-
- X509_STORE_CTX *ctx;
- ctx = X509_STORE_CTX_new();
- if (ctx == NULL)
- /* Bad error */
- X509_STORE_CTX_init(ctx, store, cert, chain);
+be freed up until after the associated B<X509_STORE_CTX> is freed.
=head1 BUGS
@@ -114,8 +132,9 @@ X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.
X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM>
structure or B<NULL> if an error occurred.
-X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(), X509_STORE_CTX_trusted_stack(),
-X509_STORE_CTX_set_cert(), X509_STORE_CTX_set_chain(),
+X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(),
+X509_STORE_CTX_set0_trusted_stack(),
+X509_STORE_CTX_set_cert(),
X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return
values.
diff --git a/doc/crypto/X509_STORE_CTX_set_verify_cb.pod b/doc/crypto/X509_STORE_CTX_set_verify_cb.pod
index ba35a38474..e89b8060f7 100644
--- a/doc/crypto/X509_STORE_CTX_set_verify_cb.pod
+++ b/doc/crypto/X509_STORE_CTX_set_verify_cb.pod
@@ -2,14 +2,19 @@
=head1 NAME
-X509_STORE_CTX_set_verify_cb - set verification callback
+X509_STORE_CTX_get_verify_cb,
+X509_STORE_CTX_set_verify_cb - get and set verification callback
=head1 SYNOPSIS
#include <openssl/x509_vfy.h>
+ typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
+
+ X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
+
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
- int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
+ X509_STORE_CTX_verify_cb verify_cb);
=head1 DESCRIPTION
@@ -35,6 +40,9 @@ structure and receive additional information about the error, for example
by calling X509_STORE_CTX_get_current_cert(). Additional application data can
be passed to the callback via the B<ex_data> mechanism.
+X509_STORE_CTX_get_verify_cb() returns the value of the current callback
+for the specific B<ctx>.
+
=head1 WARNING
In general a verification callback should B<NOT> unconditionally return 1 in