[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Sat Feb 6 18:21:01 UTC 2016

The branch master has been updated
       via  8a07e27cd83adc4779a92e447b44a5a65c51c34d (commit)
       via  cf4462daaf5360483bec601f4dfb2fd1630db0c0 (commit)
       via  696178edff89f8df0382af0edbd0f723790a86cc (commit)
      from  f3ac50038df0e0739d3bc3da11fdce0dc2939e22 (commit)

- Log -----------------------------------------------------------------
commit 8a07e27cd83adc4779a92e447b44a5a65c51c34d
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Feb 6 17:53:35 2016 +0000

    make update
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>

commit cf4462daaf5360483bec601f4dfb2fd1630db0c0
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Feb 6 16:42:22 2016 +0000

    Add documenation for X509_chain_up_ref()
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>

commit 696178edff89f8df0382af0edbd0f723790a86cc
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Feb 6 03:17:23 2016 +0000

    Add SSL_get0_verified_chain() to return verified chain of peer
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>


Summary of changes:
 doc/crypto/X509_new.pod             | 12 ++++++++++++
 doc/ssl/SSL_get_peer_cert_chain.pod | 27 +++++++++++++++++++++------
 include/openssl/ssl.h               |  1 +
 ssl/ssl_cert.c                      |  9 +++++++++
 ssl/ssl_lib.c                       |  8 ++++++++
 ssl/ssl_locl.h                      |  6 ++++--
 util/ssleay.num                     |  1 +
 7 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/doc/crypto/X509_new.pod b/doc/crypto/X509_new.pod
index d6c365f..8db6cdb 100644
--- a/doc/crypto/X509_new.pod
+++ b/doc/crypto/X509_new.pod
@@ -11,6 +11,7 @@ X509_new, X509_free, X509_up_ref - X509 certificate ASN1 allocation functions
  X509 *X509_new(void);
  void X509_free(X509 *a);
  void X509_up_ref(X509 *a);
+ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *x);
@@ -25,12 +26,20 @@ frees it up if the reference count is zero. If B<a> is NULL nothing is done.
 X509_up_ref() increments the reference count of B<a>.
+X509_chain_up_ref() increases the reference count of all certificates in
+chain B<x> and returns a copy of the stack.
 =head1 NOTES
 The function X509_up_ref() if useful if a certificate structure is being
 used by several different operations each of which will free it up after
 use: this avoids the need to duplicate the entire certificate structure.
+The function X509_chain_up_ref() doesn't just up the reference count of
+each certificate it also returns a copy of the stack, using sk_X509_dup(),
+but it serves a similar purpose: the returned chain persists after the
+original has been freed.
 If the allocation fails, X509_new() returns B<NULL> and sets an error
@@ -39,6 +48,9 @@ Otherwise it returns a pointer to the newly allocated structure.
 X509_free() and X509_up_ref() do not return a value.
+X509_chain_up_ref() returns a copy of the stack or B<NULL> if an error
 =head1 SEE ALSO
diff --git a/doc/ssl/SSL_get_peer_cert_chain.pod b/doc/ssl/SSL_get_peer_cert_chain.pod
index 4d3e6d5..649de14 100644
--- a/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -2,31 +2,45 @@
 =head1 NAME
-SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
+SSL_get_peer_cert_chain, SSL_get0_verified_chain - get the X509 certificate
+chain of the peer
 =head1 SYNOPSIS
  #include <openssl/ssl.h>
  STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
+ STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl);
 SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates
-forming the certificate chain of the peer. If called on the client side,
+forming the certificate chain sent by the peer. If called on the client side,
 the stack also contains the peer's certificate; if called on the server
 side, the peer's certificate must be obtained separately using
 If the peer did not present a certificate, NULL is returned.
+NB: SSL_get_peer_chain() returns the peer chain as sent by the peer: it
+only consists of certificates the peer has sent (in the order the peer
+has sent them) it is B<not> a verified chain.
+SSL_get0_verified_chain() returns the B<verified> certificate chain
+of the peer including the peer's end entity certificate. It must be called
+after a session has been successfully established. If peer verification was
+not successful (as indicated by SSL_get_verify_result() not returning
+X509_V_OK) the chain may be incomplete or invalid.
 =head1 NOTES
 The peer certificate chain is not necessarily available after reusing
 a session, in which case a NULL pointer is returned.
-The reference count of the STACK_OF(X509) object is not incremented.
-If the corresponding session is freed, the pointer must not be used
-any longer.
+The reference count of each certificate in the returned STACK_OF(X509) object
+is not incremented and the returned stack may be invalidated by renegotiation.
+If applications wish to use any certificates in the returned chain
+indefinitely they must increase the reference counts using X509_up_ref() or
+obtain a copy of the whole chain with X509_chain_up_ref().
@@ -47,6 +61,7 @@ The return value points to the certificate chain presented by the peer.
 =head1 SEE ALSO
-L<ssl(3)>, L<SSL_get_peer_certificate(3)>
+L<ssl(3)>, L<SSL_get_peer_certificate(3)>, L<X509_up_ref(3)>,
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 8c80c91..659ab96 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1716,6 +1716,7 @@ __owur OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
 void SSL_set_verify_result(SSL *ssl, long v);
 __owur long SSL_get_verify_result(const SSL *ssl);
+__owur STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s);
 __owur size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
                                     size_t outlen);
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 2aaf99c..68c8924 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -541,6 +541,15 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
     s->verify_result = ctx.error;
+    sk_X509_pop_free(s->verified_chain, X509_free);
+    s->verified_chain = NULL;
+    if (X509_STORE_CTX_get_chain(&ctx) != NULL) {
+        s->verified_chain = X509_STORE_CTX_get1_chain(&ctx);
+        if (s->verified_chain == NULL) {
+            i = 0;
+        }
+    }
     /* Move peername from the store context params to the SSL handle's */
     X509_VERIFY_PARAM_move_peername(s->param, param);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 1154b71..197a37c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -715,6 +715,7 @@ SSL *SSL_new(SSL_CTX *ctx)
         s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
+    s->verified_chain = NULL;
     s->verify_result = X509_V_OK;
     s->default_passwd_callback = ctx->default_passwd_callback;
@@ -1052,6 +1053,8 @@ void SSL_free(SSL *s)
     sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
+    sk_X509_pop_free(s->verified_chain, X509_free);
     if (s->method != NULL)
@@ -3822,4 +3825,9 @@ unsigned long SSL_clear_options(SSL *s, unsigned long op)
     return s->options &= ~op;
+STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
+    return s->verified_chain;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 9a30598..b505309 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -614,7 +614,7 @@ struct ssl_session_st {
     /* This is the cert and type for the other end. */
     X509 *peer;
     int peer_type;
-    /* Certificate chain of peer */
+    /* Certificate chain peer sent */
     STACK_OF(X509) *peer_chain;
      * when app_verify_callback accepts a session where the peer's
@@ -1058,8 +1058,10 @@ struct ssl_st {
                                          unsigned int max_psk_len);
 #  endif
     SSL_CTX *ctx;
-    /* extra application data */
+    /* Verified chain of peer */
+    STACK_OF(X509) *verified_chain;
     long verify_result;
+    /* extra application data */
     CRYPTO_EX_DATA ex_data;
     /* for server side, keep the list of CA_dn we can use */
     STACK_OF(X509_NAME) *client_CA;
diff --git a/util/ssleay.num b/util/ssleay.num
index f1bf0ce..67fd4ab 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -436,3 +436,4 @@ SSL_get_options                         470	1_1_0	EXIST::FUNCTION:
 SSL_up_ref                              471	1_1_0	EXIST::FUNCTION:
 SSL_CTX_up_ref                          472	1_1_0	EXIST::FUNCTION:
 DTLSv1_listen                           473	1_1_0	EXIST::FUNCTION:
+SSL_get0_verified_chain                 474	1_1_0	EXIST::FUNCTION:

More information about the openssl-commits mailing list