Commit c25e1c4b78 for openssl.org
commit c25e1c4b78a8c3186eb2df52232a1995fee7814e
Author: Bob Beck <beck@openssl.org>
Date: Fri May 22 06:37:24 2026 -0600
SSL_OP_SECOP is dead code
Nothing set the "vfy" parameters in any of these functions to anything but 0.
Remove the parameter and stage things related to SSL_OP_SECOP to go away in the
future.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Jun 30 10:47:07 2026
(Merged from https://github.com/openssl/openssl/pull/31271)
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index c556e961fd..4f2503502b 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -1524,10 +1524,7 @@ static STRINT_PAIR callback_types[] = {
{ "Signature Algorithm mask", SSL_SECOP_SIGALG_MASK },
{ "Certificate chain EE key", SSL_SECOP_EE_KEY },
{ "Certificate chain CA key", SSL_SECOP_CA_KEY },
- { "Peer Chain EE key", SSL_SECOP_PEER_EE_KEY },
- { "Peer Chain CA key", SSL_SECOP_PEER_CA_KEY },
{ "Certificate chain CA digest", SSL_SECOP_CA_MD },
- { "Peer chain CA digest", SSL_SECOP_PEER_CA_MD },
{ "SSL compression", SSL_SECOP_COMPRESSION },
{ "Session ticket", SSL_SECOP_TICKET },
{ NULL }
@@ -1561,7 +1558,6 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
show_nm = 0;
break;
case SSL_SECOP_CA_MD:
- case SSL_SECOP_PEER_CA_MD:
cert_md = 1;
break;
case SSL_SECOP_SIGALG_SUPPORTED:
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index f92937e951..fb044db957 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -2695,8 +2695,18 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx);
#define SSL_SECOP_OTHER_SIGALG (5 << 16)
#define SSL_SECOP_OTHER_CERT (6 << 16)
-/* Indicated operation refers to peer key or certificate */
+/*
+ * Unused values - these do nothing and are never set.
+ * They are retained because of API. They should
+ * be removed next major
+ */
#define SSL_SECOP_PEER 0x1000
+/* Peer EE key in certificate */
+#define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY | SSL_SECOP_PEER)
+/* Peer CA key in certificate */
+#define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY | SSL_SECOP_PEER)
+/* Peer CA digest algorithm in certificate */
+#define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD | SSL_SECOP_PEER)
/* Values for "op" parameter in security callback */
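Review bot: The new comment above `SSL_SECOP_PEER` should tell a security-callback implementer what they can rely on rather than that the values are "never set" (they are op values the library passes, not settings); something like `/* Deprecated: retained for API compatibility only. libssl does not pass op values with SSL_SECOP_PEER set to the security callback. To be removed in the next major release. */` would cover it, and "next major" should read "in the next major release". A style point: the three moved defines now expand to `SSL_SECOP_EE_KEY`, `SSL_SECOP_CA_KEY` and `SSL_SECOP_CA_MD`, which are only defined some forty lines further down in the next hunk; this compiles because macro expansion happens at use, but it reads as a forward reference, and leaving the three defines next to their base definitions with the deprecation comment attached would avoid that. The claim that libssl never passes these values rests on the t1_lib.c hunk removing the only visible site that ORed in `SSL_SECOP_PEER`; any other producer would be outside this diff.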
@@ -2735,12 +2745,6 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx);
#define SSL_SECOP_CA_KEY (17 | SSL_SECOP_OTHER_CERT)
/* CA digest algorithm in certificate */
#define SSL_SECOP_CA_MD (18 | SSL_SECOP_OTHER_CERT)
-/* Peer EE key in certificate */
-#define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY | SSL_SECOP_PEER)
-/* Peer CA key in certificate */
-#define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY | SSL_SECOP_PEER)
-/* Peer CA digest algorithm in certificate */
-#define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD | SSL_SECOP_PEER)
void SSL_set_security_level(SSL *s, int level);
__owur int SSL_get_security_level(const SSL *s);
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index c3479b08aa..2a51ada2a1 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -306,7 +306,7 @@ int ssl_cert_set0_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
for (i = 0; i < sk_X509_num(chain); i++) {
X509 *x = sk_X509_value(chain, i);
- r = ssl_security_cert(s, ctx, x, 0, 0);
+ r = ssl_security_cert(s, ctx, x, 0);
if (r != 1) {
ERR_raise(ERR_LIB_SSL, r);
return 0;
@@ -340,7 +340,7 @@ int ssl_cert_add0_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x)
if (!cpk)
return 0;
- r = ssl_security_cert(s, ctx, x, 0, 0);
+ r = ssl_security_cert(s, ctx, x, 0);
if (r != 1) {
ERR_raise(ERR_LIB_SSL, r);
return 0;
@@ -1175,7 +1175,7 @@ int ssl_build_cert_chain(SSL_CONNECTION *s, SSL_CTX *ctx, int flags)
*/
for (i = 0; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
- rv = ssl_security_cert(s, ctx, x, 0, 0);
+ rv = ssl_security_cert(s, ctx, x, 0);
if (rv != 1) {
ERR_raise(ERR_LIB_SSL, rv);
OSSL_STACK_OF_X509_free(chain);
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 62b0017b9c..a8171c30fa 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2821,10 +2821,9 @@ __owur int ssl_validate_ct(SSL_CONNECTION *s);
__owur EVP_PKEY *ssl_get_auto_dh(SSL_CONNECTION *s);
-__owur int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int vfy,
- int is_ee);
+__owur int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int is_ee);
__owur int ssl_security_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk,
- X509 *ex, int vfy);
+ X509 *ex);
int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs);
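Review bot: With `vfy` gone, `is_ee` is the only non-obvious parameter of `ssl_security_cert` and neither prototype documents it; a comment above the declaration would help, e.g. `/* is_ee != 0: x is the end-entity certificate (checked against SSL_SECOP_EE_KEY), else a chain certificate (SSL_SECOP_CA_KEY); the signature digest is checked against SSL_SECOP_CA_MD either way. Returns 1, or an SSL_R_*_TOO_SMALL / _TOO_WEAK reason code. */`. For `ssl_security_cert_chain` it is worth stating that `ex` is checked as the end-entity certificate first and the entries of `sk` as chain certificates, which is what the t1_lib.c hunk shows. The prototype names the parameter `ex` while the definition in t1_lib.c calls it `x`; aligning the names would make the comment easier to follow.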
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 0e2b1fe9bd..7cfd59d6d0 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -42,7 +42,7 @@ int SSL_use_certificate(SSL *ssl, X509 *x)
return 0;
}
- rv = ssl_security_cert(sc, NULL, x, 0, 1);
+ rv = ssl_security_cert(sc, NULL, x, 1);
if (rv != 1) {
ERR_raise(ERR_LIB_SSL, rv);
return 0;
@@ -247,7 +247,7 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
return 0;
}
- rv = ssl_security_cert(NULL, ctx, x, 0, 1);
+ rv = ssl_security_cert(NULL, ctx, x, 1);
if (rv != 1) {
ERR_raise(ERR_LIB_SSL, rv);
return 0;
@@ -993,13 +993,13 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr
c = sc != NULL ? sc->cert : ctx->cert;
/* Do all security checks before anything else */
- rv = ssl_security_cert(sc, ctx, x509, 0, 1);
+ rv = ssl_security_cert(sc, ctx, x509, 1);
if (rv != 1) {
ERR_raise(ERR_LIB_SSL, rv);
goto out;
}
for (j = 0; j < sk_X509_num(chain); j++) {
- rv = ssl_security_cert(sc, ctx, sk_X509_value(chain, j), 0, 0);
+ rv = ssl_security_cert(sc, ctx, sk_X509_value(chain, j), 0);
if (rv != 1) {
ERR_raise(ERR_LIB_SSL, rv);
goto out;
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c9d76fe8a7..465d2eff33 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1056,7 +1056,7 @@ static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk, i
/* Don't leave errors in the queue */
ERR_clear_error();
chain = X509_STORE_CTX_get0_chain(xs_ctx);
- i = ssl_security_cert_chain(s, chain, NULL, 0);
+ i = ssl_security_cert_chain(s, chain, NULL);
if (i != 1) {
#if 0
/* Dummy error calls so mkerr generates them */
@@ -1081,7 +1081,7 @@ static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk, i
}
X509_STORE_CTX_free(xs_ctx);
} else {
- i = ssl_security_cert_chain(s, extra_certs, x, 0);
+ i = ssl_security_cert_chain(s, extra_certs, x);
if (i != 1) {
if (!for_comp)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b6e487a1ab..01fcdefe1e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -4605,19 +4605,16 @@ static int ssl_security_cert_sig(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x,
return ssl_ctx_security(ctx, op, secbits, nid, x);
}
-int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int vfy,
- int is_ee)
+int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int is_ee)
{
- if (vfy)
- vfy = SSL_SECOP_PEER;
if (is_ee) {
- if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
+ if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY))
return SSL_R_EE_KEY_TOO_SMALL;
} else {
- if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
+ if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY))
return SSL_R_CA_KEY_TOO_SMALL;
}
- if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
+ if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD))
return SSL_R_CA_MD_TOO_WEAK;
return 1;
}
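Review bot: `ssl_security_cert` still has no header comment, and now that it can no longer set `SSL_SECOP_PEER` this is the place to state its contract: key size is checked against `SSL_SECOP_EE_KEY` or `SSL_SECOP_CA_KEY` depending on `is_ee`, then the signature digest against `SSL_SECOP_CA_MD`, returning 1 on success or `SSL_R_EE_KEY_TOO_SMALL`, `SSL_R_CA_KEY_TOO_SMALL` or `SSL_R_CA_MD_TOO_WEAK`; every caller in this diff applies it to certificates the local side configures or sends, so the comment should presumably say it is not a peer-certificate check, to be confirmed against callers outside the diff. The block comment that ends at the `*/` just before `ssl_security_cert_chain` in the next hunk should also be checked: if it still describes a `vfy` argument it is stale now that the parameter is removed. The function is complete within this hunk; `ssl_security_cert_chain` continues past it.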
@@ -4629,7 +4626,7 @@ int ssl_security_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x, int vfy,
*/
int ssl_security_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk,
- X509 *x, int vfy)
+ X509 *x)
{
int rv, start_idx, i;
@@ -4641,13 +4638,13 @@ int ssl_security_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk,
} else
start_idx = 0;
- rv = ssl_security_cert(s, NULL, x, vfy, 1);
+ rv = ssl_security_cert(s, NULL, x, 1);
if (rv != 1)
return rv;
for (i = start_idx; i < sk_X509_num(sk); i++) {
x = sk_X509_value(sk, i);
- rv = ssl_security_cert(s, NULL, x, vfy, 0);
+ rv = ssl_security_cert(s, NULL, x, 0);
if (rv != 1)
return rv;
}