author | Tomas Mraz <tomas@openssl.org> | 2022-03-07 15:46:58 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-03-14 09:39:03 +0100 |
commit | dfb39f73132edf56daaad189e6791d1bdb57c4db (patch) | |
tree | 0b6e37d9fa5a263906d4ca4b6ceef0a14632ff18 /test/helpers | |
parent | 7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa (diff) | |
download | openssl-new-dfb39f73132edf56daaad189e6791d1bdb57c4db.tar.gz |
Replace handling of negative verification result with SSL_set_retry_verify()
Provide a different mechanism to indicate that the application wants
to retry the verification. The negative result of the callback function
now indicates an error again.
Instead, SSL_set_retry_verify() can be called from the callback
to indicate that the handshake should be suspended.
Fixes #17568
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17825)
Diffstat (limited to 'test/helpers')
-rw-r--r-- | test/helpers/handshake.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
index cee11bbc18..0e503017aa 100644
--- a/test/helpers/handshake.c
+++ b/test/helpers/handshake.c
@@ -305,10 +305,18 @@ static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) {
 
 static int n_retries = 0;
 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) {
+    int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
+    SSL *ssl;
+
+    /* this should not happen but check anyway */
+    if (idx < 0
+        || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
+        return 0;
+
     if (--n_retries < 0)
         return 1;
-    X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
-    return -1;
+
+    return SSL_set_retry_verify(ssl);
 }
 
 static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) {
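Review bot: The new early-exit in verify_retry_cb returns 0 without recording an error on the store context, so if the SSL pointer lookup ever does fail the handshake is rejected with whatever error code the context happened to hold, which in a test helper makes the failure hard to attribute. The sibling verify_reject_cb visible in the hunk header sets X509_V_ERR_APPLICATION_VERIFICATION before returning 0, and the same line, `X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);`, placed before the `return 0;` would keep the two callbacks consistent. The comment on the guard could also say what is being defended against, e.g. `/* The SSL object should always be attached to ctx by libssl; bail out rather than dereference NULL if it is not */`. verify_retry_cb is complete within the hunk; verify_accept_cb starts on its last line and continues outside it.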