author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-01-28 00:28:25 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-02-06 18:53:51 +0100 |
commit | 11ddbf84597d26c937ecb8f266424dea7f72cbdf (patch) | |
tree | cb23d927c8c8b85f6ca4947a313b0fe7fb36a07c /crypto/x509 | |
parent | 2bb05a9668323ac2719f84cf8e9ccffc2bc99916 (diff) | |
download | openssl-new-11ddbf84597d26c937ecb8f266424dea7f72cbdf.tar.gz |
Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14021)
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_vfy.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ec7df5caa6..d55808e524 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -237,11 +237,25 @@ static int verify_chain(X509_STORE_CTX *ctx)
     return ok;
 }
 
+int X509_STORE_CTX_verify(X509_STORE_CTX *ctx)
+{
+    if (ctx == NULL) {
+        ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+        return -1;
+    }
+    if (ctx->cert == NULL && sk_X509_num(ctx->untrusted) >= 1)
+        ctx->cert = sk_X509_value(ctx->untrusted, 0);
+    return X509_verify_cert(ctx);
+}
+
 int X509_verify_cert(X509_STORE_CTX *ctx)
 {
-    SSL_DANE *dane = ctx->dane;
     int ret;
 
+    if (ctx == NULL) {
+        ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+        return -1;
+    }
     if (ctx->cert == NULL) {
         ERR_raise(ERR_LIB_X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
         ctx->error = X509_V_ERR_INVALID_CALL;
@@ -268,7 +282,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
     CB_FAIL_IF(!check_key_level(ctx, ctx->cert),
                ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL);
 
-    ret = DANETLS_ENABLED(dane) ? dane_verify(ctx) : verify_chain(ctx);
+    ret = DANETLS_ENABLED(ctx->dane) ? dane_verify(ctx) : verify_chain(ctx);
 
     /*
      * Safety-net. If we are returning an error, we must also set ctx->error, |
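Review bot: The new X509_STORE_CTX_verify() has no header comment, and its two non-obvious properties deserve one: the fallback silently writes to ctx->cert, so the choice persists in the context after the call (visible through X509_STORE_CTX_get0_cert() and to any later reuse of the ctx), and the target is selected purely by position, so whoever assembled the untrusted stack decides which certificate gets verified — callers that build that stack from peer-supplied certificates must make sure the end-entity certificate really is first, as the TLS certificate message ordering presumably guarantees but an arbitrary caller-built stack does not. I would add above the function: `/* Like X509_verify_cert(), but if no target cert is set, default to the first untrusted cert; this assignment to ctx->cert persists. Returns -1 on NULL ctx, matching the other error returns. */`. The `sk_X509_num(ctx->untrusted) >= 1` guard appears to rely on sk_*_num() returning -1 for a NULL stack, which is worth stating in the comment so the NULL-untrusted case is not "fixed" later into a dereference. The NULL-ctx check added to X509_verify_cert() duplicates the one in the wrapper; that is harmless, but the wrapper's own check is what makes the `ctx->cert` access safe, so keep it even if the inner one is ever removed.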