From: tb
Date: Thu, 1 Dec 2022 05:20:30 +0000 (+0000)
Subject: Retire X509_V_FLAG_CB_ISSUER_CHECK
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=89e62afd4a7af3b695cd9d3e08102a6987e4c420;p=openbsd
Retire X509_V_FLAG_CB_ISSUER_CHECK
This flag has been deprecated in OpenSSL 1.1 and has not had an effect since. This way we can simplify the default check_issued() callback, which helpfully has its arguments reversed compared to the public API X509_check_issued().
ok jsing
---
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 675aba43225..9392b1f41e6 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.108 2022/12/01 05:16:08 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.109 2022/12/01 05:20:30 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,7 +116,7 @@
 #define CRL_SCORE_TIME_DELTA 0x002
 static int null_callback(int ok, X509_STORE_CTX *e);
-static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, int allow_expired);
 static int check_chain_extensions(X509_STORE_CTX *ctx);
@@ -695,21 +695,13 @@ find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
 /* Given a possible certificate and issuer check them */
 static int
-check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
+check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer)
 {
- int ret;
-
- ret = X509_check_issued(issuer, x);
- if (ret == X509_V_OK)
- return 1;
- /* If we haven't asked for issuer errors don't set ctx */
- if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
- return 0;
-
- ctx->error = ret;
- ctx->current_cert = x;
- ctx->current_issuer = issuer;
- return ctx->verify_cb(0, ctx);
+ /*
+ * Yes, the arguments of X509_STORE_CTX_check_issued_fn were exposed in
+ * reverse order compared to the already public X509_check_issued()...
+ */
+ return X509_check_issued(issuer, subject) == X509_V_OK;
 }
 /* Alternative lookup method: look from a STACK stored in other_ctx */
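Review bot: The rewritten check_issued() no longer reads or writes `ctx`, but neither the one-line comment above the function nor the new comment in its body says so or states the return contract. Because the signature is fixed by X509_STORE_CTX_check_issued_fn, I would replace the header comment with something like `/* Returns 1 if issuer plausibly issued subject per X509_check_issued(), else 0; ctx is unused and ctx->error is never set here. */`. It is worth adding that a return of 1 is only a name, key-identifier and key-usage match, since X509_check_issued() is documented not to verify the signature, so the chain builder must still do that separately. Whether X509_V_FLAG_CB_ISSUER_CHECK stays defined in the public header for applications that still set it is not visible in this hunk; if it does, a note that it is now ignored would help those callers.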