static int Verify(X509 *leaf, const std::vector<X509 *> &roots,
const std::vector<X509 *> &intermediates,
const std::vector<X509_CRL *> &crls,
unsigned long flags,
bool use_additional_untrusted) {
bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots));
bssl::UniquePtr<STACK_OF(X509)> intermediates_stack(
CertsToStack(intermediates));
bssl::UniquePtr<STACK_OF(X509_CRL)> crls_stack(CRLsToStack(crls));
if (!roots_stack ||
!intermediates_stack ||
!crls_stack) {
return X509_V_ERR_UNSPECIFIED;
}
bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());
bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
if (!ctx ||
!store) {
return X509_V_ERR_UNSPECIFIED;
}
if (use_additional_untrusted) {
X509_STORE_set0_additional_untrusted(store.get(),
intermediates_stack.get());
}
if (!X509_STORE_CTX_init(
ctx.get(), store.get(), leaf,
use_additional_untrusted ? nullptr : intermediates_stack.get())) {
return X509_V_ERR_UNSPECIFIED;
}
X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get());
X509_STORE_CTX_set0_crls(ctx.get(), crls_stack.get());
X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
if (param == nullptr) {
return X509_V_ERR_UNSPECIFIED;
}
X509_VERIFY_PARAM_set_time(param, 1474934400 /* Sep 27th, 2016 */);
X509_VERIFY_PARAM_set_depth(param, 16);
if (flags) {
X509_VERIFY_PARAM_set_flags(param, flags);
}
X509_STORE_CTX_set0_param(ctx.get(), param);
ERR_clear_error();
if (X509_verify_cert(ctx.get()) != 1) {
return X509_STORE_CTX_get_error(ctx.get());
}
return X509_V_OK;
ssl_x509.cc
static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
SSL *ssl,
uint8_t *out_alert) {
*out_alert = SSL_AD_INTERNAL_ERROR;
STACK_OF(X509) *const cert_chain = session->x509_chain;
if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {
return 0;
}
X509_STORE *verify_store = ssl->ctx->cert_store;
if (ssl->cert->verify_store != NULL) {
verify_store = ssl->cert->verify_store;
}
X509 *leaf = sk_X509_value(cert_chain, 0);
ScopedX509_STORE_CTX ctx;
if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
return 0;
}
if (!X509_STORE_CTX_set_ex_data(ctx.get(),
SSL_get_ex_data_X509_STORE_CTX_idx(), ssl)) {
return 0;
}
// We need to inherit the verify parameters. These can be determined by the
// context: if its a server it will verify SSL client certificates or vice
// versa.
X509_STORE_CTX_set_default(ctx.get(),
ssl->server ? "ssl_client" : "ssl_server");
// Anything non-default in "param" should overwrite anything in the ctx.
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param);
if (ssl->verify_callback) {
X509_STORE_CTX_set_verify_cb(ctx.get(), ssl->verify_callback);
}
int verify_ret;
if (ssl->ctx->app_verify_callback != NULL) {
verify_ret =
ssl->ctx->app_verify_callback(ctx.get(), ssl->ctx->app_verify_arg);
} else {
verify_ret = X509_verify_cert(ctx.get());
}
session->verify_result = ctx->error;
// If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
*out_alert = ssl_verify_alarm_type(ctx->error);
return 0;
}
ERR_clear_error();
return 1;
}
#ifndef OPENSSL_ZHI_CUST
SSLInfo ssl_info;
bool has_ssl_info = ssl_socket_->GetSSLInfo(&ssl_info);
DCHECK(has_ssl_info);
uint16_t cipher_suite =
SSLConnectionStatusToCipherSuite(ssl_info.connection_status);
LOAD_IGNORE_ALL_CERT_ERRORS
SSLInfo ssl_info1;
bool has_ssl_info1 = ssl_socket_->GetSSLInfo(&ssl_info1);
DCHECK(has_ssl_info1);
uint16_t cipher_suite1 =
SSLConnectionStatusToCipherSuite(ssl_info1.connection_status);
if ( cipher_suite1 == 0xe013 ||