diff options
| author | tb <> | 2022-12-01 05:20:30 +0000 |
|---|---|---|
| committer | tb <> | 2022-12-01 05:20:30 +0000 |
| commit | 99d4fe4fe3b15c7dc0c3bc9008276df96cc0a3d2 (patch) | |
| tree | c7b43369d947c965a89353332f4773cedf9c5270 /src | |
| parent | 28ef9c3d0b11cd813f139ffe30994a5008042bf8 (diff) | |
| download | openbsd-99d4fe4fe3b15c7dc0c3bc9008276df96cc0a3d2.tar.gz openbsd-99d4fe4fe3b15c7dc0c3bc9008276df96cc0a3d2.tar.bz2 openbsd-99d4fe4fe3b15c7dc0c3bc9008276df96cc0a3d2.zip | |
Retire X509_V_FLAG_CB_ISSUER_CHECK
This flag has been deprecated in OpenSSL 1.1 and has not had an effect
since. This way we can simplify the default check_issued() callback,
which helpfully has its arguments reversed compared to the public API
X509_check_issued().
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 24 |
1 files changed, 8 insertions, 16 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 675aba4322..9392b1f41e 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vfy.c,v 1.108 2022/12/01 05:16:08 tb Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.109 2022/12/01 05:20:30 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -116,7 +116,7 @@ | |||
| 116 | #define CRL_SCORE_TIME_DELTA 0x002 | 116 | #define CRL_SCORE_TIME_DELTA 0x002 |
| 117 | 117 | ||
| 118 | static int null_callback(int ok, X509_STORE_CTX *e); | 118 | static int null_callback(int ok, X509_STORE_CTX *e); |
| 119 | static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); | 119 | static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer); |
| 120 | static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, | 120 | static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, |
| 121 | int allow_expired); | 121 | int allow_expired); |
| 122 | static int check_chain_extensions(X509_STORE_CTX *ctx); | 122 | static int check_chain_extensions(X509_STORE_CTX *ctx); |
| @@ -695,21 +695,13 @@ find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, | |||
| 695 | /* Given a possible certificate and issuer check them */ | 695 | /* Given a possible certificate and issuer check them */ |
| 696 | 696 | ||
| 697 | static int | 697 | static int |
| 698 | check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) | 698 | check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer) |
| 699 | { | 699 | { |
| 700 | int ret; | 700 | /* |
| 701 | 701 | * Yes, the arguments of X509_STORE_CTX_check_issued_fn were exposed in | |
| 702 | ret = X509_check_issued(issuer, x); | 702 | * reverse order compared to the already public X509_check_issued()... |
| 703 | if (ret == X509_V_OK) | 703 | */ |
| 704 | return 1; | 704 | return X509_check_issued(issuer, subject) == X509_V_OK; |
| 705 | /* If we haven't asked for issuer errors don't set ctx */ | ||
| 706 | if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) | ||
| 707 | return 0; | ||
| 708 | |||
| 709 | ctx->error = ret; | ||
| 710 | ctx->current_cert = x; | ||
| 711 | ctx->current_issuer = issuer; | ||
| 712 | return ctx->verify_cb(0, ctx); | ||
| 713 | } | 705 | } |
| 714 | 706 | ||
| 715 | /* Alternative lookup method: look from a STACK stored in other_ctx */ | 707 | /* Alternative lookup method: look from a STACK stored in other_ctx */ |