[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Wed Jun 8 15:37:54 UTC 2016


The branch master has been updated
       via  e417070c9f2162594e8289aed93bd5801e70e60d (commit)
      from  01d0e241dc4184a5a1f222f8eccdad11da12305a (commit)


- Log -----------------------------------------------------------------
commit e417070c9f2162594e8289aed93bd5801e70e60d
Author: Rich Salz <rsalz at openssl.org>
Date:   Wed Jun 8 11:37:06 2016 -0400

    Add some accessor API's
    
    GH1098: Add X509_get_pathlen() (and a test)
    GH1097:  Add SSL_is_dtls() function.
    
    Documented.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                              |  1 +
 crypto/x509v3/v3_purp.c                 |  9 +++++++
 doc/crypto/X509_get_extension_flags.pod | 17 +++++++++++--
 doc/ssl/SSL_get_version.pod             | 12 ++++++++--
 doc/ssl/ssl.pod                         |  2 ++
 include/openssl/ssl.h                   |  1 +
 include/openssl/x509.h                  |  1 +
 ssl/ssl_lib.c                           |  5 ++++
 test/build.info                         |  6 ++++-
 test/certs/pathlen.pem                  | 22 +++++++++++++++++
 test/recipes/25-test_x509.t             |  6 ++++-
 test/v3ext.c                            | 42 +++++++++++++++++++++++++++++++++
 util/libcrypto.num                      |  1 +
 util/libssl.num                         |  1 +
 14 files changed, 120 insertions(+), 6 deletions(-)
 create mode 100644 test/certs/pathlen.pem
 create mode 100644 test/v3ext.c

diff --git a/.gitignore b/.gitignore
index f572413..b47a348 100644
--- a/.gitignore
+++ b/.gitignore
@@ -84,6 +84,7 @@ Makefile
 /test/fips_test_suite
 /test/ssltest_old
 /test/x509aux
+/test/v3ext
 *.so*
 *.dylib*
 *.dll*
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index b0d40ed..92a8b1d 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -838,3 +838,12 @@ const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x)
     X509_check_purpose(x, -1, -1);
     return x->skid;
 }
+
+long X509_get_pathlen(X509 *x)
+{
+    /* Called for side effect of caching extensions */
+    if (X509_check_purpose(x, -1, -1) != 1
+            || (x->ex_flags & EXFLAG_BCONS) == 0)
+        return -1;
+    return x->ex_pathlen;
+}
diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod
index a2a8a8c..1452cc8 100644
--- a/doc/crypto/X509_get_extension_flags.pod
+++ b/doc/crypto/X509_get_extension_flags.pod
@@ -2,13 +2,15 @@
 
 =head1 NAME
 
+X509_get_pathlen,
 X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage -
-retrieve certificate extension flags
+retrieve certificate extension data
 
 =head1 SYNOPSIS
 
    #include <openssl/x509v3.h>
 
+   long X509_get_pathlen(X509 *x);
    uint32_t X509_get_extension_flags(X509 *x);
    uint32_t X509_get_key_usage(X509 *x);
    uint32_t X509_get_extended_key_usage(X509 *x);
@@ -16,7 +18,11 @@ retrieve certificate extension flags
 
 =head1 DESCRIPTION
 
-These functions retrieve flags related to commonly used certificate extensions.
+These functions retrieve information related to commonly used certificate extensions.
+
+X509_get_pathlen() retrieves the path length extension from a certificate.
+This extension is used to limit the length of a cert chain that may be
+issued from that CA.
 
 X509_get_extension_flags() retrieves general information about a certificate,
 it will return one or more of the following flags ored together.
@@ -115,6 +121,9 @@ X509_get_ext_d2i().
 
 =head1 RETURN VALUE
 
+X509_get_pathlen() returns the path length value, or -1 if the extension
+is not present.
+
 X509_get_extension_flags(), X509_get_key_usage() and
 X509_get_extended_key_usage() return sets of flags corresponding to the
 certificate extension values.
@@ -127,6 +136,10 @@ is absent or an error occurred during parsing.
 
 L<X509_check_purpose(3)>
 
+=head1 HISTORY
+
+X509_get_pathlen() was added in OpenSSL 1.1.0.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/ssl/SSL_get_version.pod b/doc/ssl/SSL_get_version.pod
index 45e2f1d..8e26d43 100644
--- a/doc/ssl/SSL_get_version.pod
+++ b/doc/ssl/SSL_get_version.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-SSL_get_version - get the protocol version of a connection
+SSL_get_version, SSL_is_dtls - get the protocol information of a connection
 
 =head1 SYNOPSIS
 
@@ -10,14 +10,18 @@ SSL_get_version - get the protocol version of a connection
 
  const char *SSL_get_version(const SSL *ssl);
 
+ int SSL_is_dtls(const SSL *ssl);
+
 =head1 DESCRIPTION
 
 SSL_get_version() returns the name of the protocol used for the
 connection B<ssl>.
 
+SSL_is_dtls() returns one if the connection is using DTLS, zero if not.
+
 =head1 RETURN VALUES
 
-The following strings can be returned:
+SSL_get_verison() returns one of the following strings:
 
 =over 4
 
@@ -47,6 +51,10 @@ This indicates that no version has been set (no connection established).
 
 L<ssl(3)>
 
+=head1 HISTORY
+
+SSL_is_dtls() was added in OpenSSL 1.1.0.
+
 =head1 COPYRIGHT
 
 Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 9a95019..bc62489 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -520,6 +520,8 @@ fresh handle for each connection.
 
 =item const char *B<SSL_get_cipher>(const SSL *ssl);
 
+=item int B<SSL_is_dtls>(const SSL *ssl);
+
 =item int B<SSL_get_cipher_bits>(const SSL *ssl, int *alg_bits);
 
 =item char *B<SSL_get_cipher_list>(const SSL *ssl, int n);
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 2c897c4..881c6bb 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1457,6 +1457,7 @@ __owur int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid
 
 SSL *SSL_new(SSL_CTX *ctx);
 int SSL_up_ref(SSL *s);
+int SSL_is_dtls(const SSL *s);
 __owur int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
                                unsigned int sid_ctx_len);
 
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 93ded51..906184a 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -504,6 +504,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
 EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key);
 EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key);
 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain);
+long X509_get_pathlen(X509 *x);
 int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp);
 EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length);
 # ifndef OPENSSL_NO_RSA
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a6957b3..d4b8335 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -671,6 +671,11 @@ SSL *SSL_new(SSL_CTX *ctx)
     return NULL;
 }
 
+int SSL_is_dtls(const SSL *s)
+{
+    return SSL_IS_DTLS(s) ? 1 : 0;
+}
+
 int SSL_up_ref(SSL *s)
 {
     int i;
diff --git a/test/build.info b/test/build.info
index c74d717..e9228d0 100644
--- a/test/build.info
+++ b/test/build.info
@@ -11,7 +11,7 @@ IF[{- !$disabled{tests} -}]
           mdc2test rmdtest \
           randtest dhtest enginetest casttest \
           bftest ssltest_old dsatest exptest rsa_test \
-          evp_test evp_extra_test igetest v3nametest \
+          evp_test evp_extra_test igetest v3nametest v3ext \
           danetest heartbeat_test p5_crpt2_test \
           constant_time_test verify_extra_test clienthellotest \
           packettest asynctest secmemtest srptest memleaktest \
@@ -163,6 +163,10 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[v3nametest]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
   DEPEND[v3nametest]=../libcrypto
 
+  SOURCE[v3ext]=v3ext.c
+  INCLUDE[v3ext]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+  DEPEND[v3ext]=../libcrypto
+
   SOURCE[danetest]=danetest.c
   INCLUDE[danetest]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
   DEPEND[danetest]=../libcrypto ../libssl
diff --git a/test/certs/pathlen.pem b/test/certs/pathlen.pem
new file mode 100644
index 0000000..c0ef75e
--- /dev/null
+++ b/test/certs/pathlen.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIBGzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf
+MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg
+QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowTjELMAkGA1UE
+BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExHjAcBgNVBAMT
+FXBhdGhMZW5Db25zdHJhaW50NiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMhrG5ilLNK2JnW0V+GiT392lCKM4vUjPjAOxrg0mdIfK2AI1D9pgYUN
+h5jXFarP18NT65fkskd/NPPSbEePcEzi0ZjOBqnaUFS+tA425QiWkqdld/q+r4H/
+1ZF/f6Cz6CrguSUDNPT1a0cmv1t7dlLnae1UTP9HiVBLNCTfabBaTN95vzM3dyVR
+mcGYkT+ahiEgXDLYXuoWjqHjkz5Y8yd3+3TQ2IsyrmSN0NJCj4P/fC5sdpzFRDoB
+FYCXsCL0gXVUsvfzn/ds1BUqxcHw6O4UUadhBj+Khuleq0forX+77bxFhUnZkGo5
+iO+EZhvr6t32d7IG/MKfXt5nb25jypMCAwEAAaN/MH0wHwYDVR0jBBgwFoAU5H1f
+0VyVhggsBa6+dbZlp9ldqGYwHQYDVR0OBBYEFK+8ha7+TK7hjZcjiMilsWALuk7Y
+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwEgYDVR0T
+AQH/BAgwBgEB/wIBBjANBgkqhkiG9w0BAQsFAAOCAQEAMJCr70MBeik9uEqE4f27
+dR2O/kNaoqIOtzn+Y4PIzJGRspeGRjhkl4E+wafiPgHeyYCWIlO/R2E4BmI/ZNeD
+xQCHbIVzPDHeSI7DD6F9N/atZ/b3L3J4VnfU8gFdNq1wsGqf1hxHcvdpLXLTU0LX
+2j+th4jY/ogHv4kz3SHT7un1ktxQk2Rhb1u4PSBbQ6lI9oP4Jnda0jtakb1ZqhdZ
+8N/sJvsfEQuqxss/jp+j70dmIGH/bDJfxU1oG0xdyi1xP2qjqdrWHI/mEVlygfXi
+oxJ8JTfEcEHVsTffYR9fDUn0NylqCLdqFaDwLKqWl+C2inODNMpNusqleDAViw6B
+CA==
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 3ff187d..98a8d32 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_x509");
 
-plan tests => 4;
+plan tests => 5;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
@@ -28,3 +28,7 @@ subtest 'x509 -- first x.509 v3 certificate' => sub {
 subtest 'x509 -- second x.509 v3 certificate' => sub {
     tconversion("x509", srctop_file("test","v3-cert2.pem"));
 };
+
+subtest 'x509 -- pathlen' => sub {
+    ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])));
+}
diff --git a/test/v3ext.c b/test/v3ext.c
new file mode 100644
index 0000000..1c1f788
--- /dev/null
+++ b/test/v3ext.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+int main(int ac, char **av)
+{
+    X509 *x = NULL;
+    BIO *b = NULL;
+    long pathlen;
+    int ret = 1;
+
+    if (ac != 2) {
+        fprintf(stderr, "Usage error\n");
+        goto end;
+    }
+    b = BIO_new_file(av[1], "r");
+    if (b == NULL)
+        goto end;
+    x = PEM_read_bio_X509(b, NULL, NULL, NULL);
+    if (x == NULL)
+        goto end;
+    pathlen = X509_get_pathlen(x);
+    if (pathlen == 6)
+        ret = 0;
+
+end:
+    ERR_print_errors_fp(stderr);
+    BIO_free(b);
+    X509_free(x);
+    return ret;
+}
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 8c659c5..a87fc25 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4147,3 +4147,4 @@ X509_STORE_set_verify                   4088	1_1_0	EXIST::FUNCTION:
 X509_OBJECT_new                         4089	1_1_0	EXIST::FUNCTION:
 X509_STORE_get0_param                   4090	1_1_0	EXIST::FUNCTION:
 PEM_write_bio_PrivateKey_traditional    4091	1_1_0	EXIST::FUNCTION:
+X509_get_pathlen                        4092	1_1_0	EXIST::FUNCTION:
diff --git a/util/libssl.num b/util/libssl.num
index 9ea918c..d023293 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -395,3 +395,4 @@ SSL_CTX_get_ciphers                     395	1_1_0	EXIST::FUNCTION:
 SSL_SESSION_get0_hostname               396	1_1_0	EXIST::FUNCTION:
 SSL_client_version                      397	1_1_0	EXIST::FUNCTION:
 SSL_SESSION_get_protocol_version        398	1_1_0	EXIST::FUNCTION:
+SSL_is_dtls                             399	1_1_0	EXIST::FUNCTION:


More information about the openssl-commits mailing list