> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Jens Maus
> Sent: Wednesday, 25 June, 2014 11:05
> 
> On 2014-06-25 at 16:28, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> 
> > On Wed, Jun 25, 2014 at 03:23:27PM +0200, Jens Maus wrote:
> >
> >> Ok, but then please allow the question how I should deal with
> >>
> >> SSL_CTX_set_cert_verify_callback(sslCtx, func, conn);
> >
> > Set this callback once, with a "conn" value of 0.  Use
> >
> >    ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
> >    conn = X509_STORE_CTX_get_ex_data(store_ctx, ssl_idx);
> >
> > to retrieve the connection handle.
> 
> Ok, thank you for that hint. But I still have problems understanding it
> completely or I haven't made myself clear enough.
> 
> How exactly can I set the 'conn' pointer so that within my verify callback I
> can use your suggested solution?

You don't. As Viktor wrote, you set the "conn" parameter to 0, and you don't 
use it for anything.

Viktor gave you the solution, but it probably wasn't clear if you're not 
familiar with this particular corner of the OpenSSL API.

OpenSSL *already passes the SSL* connection "handle" to the verify callback*. 
You don't have to do anything to tell OpenSSL to do that. It's just not passed 
as one of the parameters; instead it's tucked down inside the X.509 container 
(X509_STORE_CTX).

To retrieve it in the callback, you use the code Viktor provided. First you get 
the index of the SSL* object in the X509_STORE_CTX's "external data" collection:

        int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();

Then you use that index to get the SSL* itself:

        SSL *conn = X509_STORE_CTX_get_ex_data(store_ctx, ssl_idx);

(Where "store_ctx" is the second parameter passed to the verify callback).

Of course you can do this in a single line:

        SSL *conn = X509_STORE_CTX_get_ex_data(store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());

That's it.


Now, if you need additional application-specific information in the callback, 
the best thing is to add it as external data in the SSL object:

        /* Create an index for our data in the SSL object */
        int get_index(void) {
                /* Serialize as necessary */
                static int index = -1;
                if (index < 0) index = SSL_get_ex_new_index(...);
                return index;
        }

        /* After creating the SSL object */
        SSL_set_ex_data(conn, get_index(), my_data_ptr);

        ...

        /* In the verify callback, or wherever */
        my_data_ptr = SSL_get_ex_data(conn, get_index());

But if all you need in the callback is the SSL object, you needn't worry about 
all that.

-- 
Michael Wojcik
Technology Specialist, Micro Focus



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
