[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Tue Nov 1 19:44:01 UTC 2016

The branch master has been updated
       via  b50052dbe822271c9d7b2559a38a127fca87e4ab (commit)
      from  ba7407002d899b614d4728da9004594f947ff3da (commit)

- Log -----------------------------------------------------------------
commit b50052dbe822271c9d7b2559a38a127fca87e4ab
Author: Todd Short <tshort at akamai.com>
Date:   Tue Mar 31 16:20:03 2015 -0400

    Add SSL_CTX_set1_cert_store()
    For convenience, combine getting a new ref for the new SSL_CTX
    with assigning the store and freeing the old one.
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1755)


Summary of changes:
 doc/man3/SSL_CTX_set_cert_store.pod | 18 +++++++++++++++++-
 doc/man7/ssl.pod                    |  2 ++
 include/openssl/ssl.h               |  1 +
 ssl/ssl_lib.c                       |  7 +++++++
 util/libssl.num                     |  1 +
 5 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/doc/man3/SSL_CTX_set_cert_store.pod b/doc/man3/SSL_CTX_set_cert_store.pod
index 7f7a794..28e855f 100644
--- a/doc/man3/SSL_CTX_set_cert_store.pod
+++ b/doc/man3/SSL_CTX_set_cert_store.pod
@@ -2,13 +2,14 @@
 =head1 NAME
-SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage
+SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage
 =head1 SYNOPSIS
  #include <openssl/ssl.h>
  void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
+ void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
  X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
@@ -17,6 +18,10 @@ SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
 of B<ctx> to/with B<store>. If another X509_STORE object is currently
 set in B<ctx>, it will be X509_STORE_free()ed.
+SSL_CTX_set1_cert_store() sets/replaces the certificate verification storage
+of B<ctx> to/with B<store>. The B<store>'s reference count is incremented.
+If another X509_STORE object is currently set in B<ctx>, it will be X509_STORE_free()ed.
 SSL_CTX_get_cert_store() returns a pointer to the current certificate
 verification storage.
@@ -42,6 +47,15 @@ L<SSL_CTX_set_verify(3)> family of functions.
 This document must therefore be updated when documentation about the
 X509_STORE object and its handling becomes available.
+SSL_CTX_set_cert_store() does not increment the B<store>'s reference
+count, so it should not be used to assign an X509_STORE that is owned
+by another SSL_CTX.
+To share X509_STOREs between two SSL_CTXs, use SSL_CTX_get_cert_store()
+to get the X509_STORE from the first SSL_CTX, and then use
+SSL_CTX_set1_cert_store() to assign to the second SSL_CTX and
+increment the reference count of the X509_STORE.
 The X509_STORE structure used by an SSL_CTX is used for verifying peer
@@ -53,6 +67,8 @@ functions such as SSL_CTX_set1_verify_cert_store() instead.
 SSL_CTX_set_cert_store() does not return diagnostic output.
+SSL_CTX_set1_cert_store() does not return diagnostic output.
 SSL_CTX_get_cert_store() returns the current setting.
 =head1 SEE ALSO
diff --git a/doc/man7/ssl.pod b/doc/man7/ssl.pod
index b67edbc..ce163f4 100644
--- a/doc/man7/ssl.pod
+++ b/doc/man7/ssl.pod
@@ -320,6 +320,8 @@ protocol context defined in the B<SSL_CTX> structure.
 =item void B<SSL_CTX_set_cert_store>(SSL_CTX *ctx, X509_STORE *cs);
+=item void B<SSL_CTX_set1_cert_store>(SSL_CTX *ctx, X509_STORE *cs);
 =item void B<SSL_CTX_set_cert_verify_cb>(SSL_CTX *ctx, int (*cb)(), char *arg)
 =item int B<SSL_CTX_set_cipher_list>(SSL_CTX *ctx, char *str);
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7e626e0..20013db 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1308,6 +1308,7 @@ __owur long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
 __owur long SSL_CTX_get_timeout(const SSL_CTX *ctx);
 __owur X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
+void SSL_CTX_set1_cert_store(SSL_CTX *, X509_STORE *);
 __owur int SSL_want(const SSL *s);
 __owur int SSL_clear(SSL *s);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index bd0fbf8..8bf872b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3553,6 +3553,13 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
     ctx->cert_store = store;
+void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
+    if (store != NULL)
+        X509_STORE_up_ref(store);
+    SSL_CTX_set_cert_store(ctx, store);
 int SSL_want(const SSL *s)
     return (s->rwstate);
diff --git a/util/libssl.num b/util/libssl.num
index 200629f..7e00479 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -403,3 +403,4 @@ SSL_dane_clear_flags                    403	1_1_0	EXIST::FUNCTION:
 SSL_SESSION_get0_cipher                 404	1_1_0	EXIST::FUNCTION:
 SSL_SESSION_get0_id_context             405	1_1_0	EXIST::FUNCTION:
 SSL_SESSION_set1_id                     406	1_1_0	EXIST::FUNCTION:
+SSL_CTX_set1_cert_store                 407	1_1_1	EXIST::FUNCTION:

More information about the openssl-commits mailing list