author | Matt Caswell <matt@openssl.org> | 2020-04-03 18:01:04 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-04-16 14:19:51 +0100 |
commit | 0820217441b68724d91b7644f3560e15149a1848 (patch) | |
tree | 7a100589baf22f51c1c28d3041848875248a5cc7 /crypto/x509/x509_vfy.c | |
parent | b27ed819431fb7f50ded6fcddfd25de079d7e808 (diff) |
Create a libctx aware X509_verify_ex()
This is the same as X509_verify() except that it takes a libctx and propq
parameter and signature verification is done using those.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11507)
Diffstat (limited to 'crypto/x509/x509_vfy.c')
-rw-r--r-- | crypto/x509/x509_vfy.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 84a4bb2c60..c3eb261b94 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1763,7 +1763,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
 if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
 return 0;
- } else if (X509_verify(xs, pkey) <= 0) {
+ } else if (X509_verify_ex(xs, pkey, ctx->libctx, ctx->propq) <= 0) {
 if (!verify_cb_cert(ctx, xs, n,
 X509_V_ERR_CERT_SIGNATURE_FAILURE))
 return 0;
@@ -2809,7 +2809,7 @@ static int check_dane_pkeys(X509_STORE_CTX *ctx)
 if (t->usage != DANETLS_USAGE_DANE_TA ||
 t->selector != DANETLS_SELECTOR_SPKI ||
 t->mtype != DANETLS_MATCHING_FULL ||
- X509_verify(cert, t->spki) <= 0)
+ X509_verify_ex(cert, t->spki, ctx->libctx, ctx->propq) <= 0)
 continue;
 /* Clear any PKIX-?? matches that failed to extend to a full chain */ |
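Review bot: Both call sites keep the `<= 0` test, so a negative return from X509_verify_ex() is handled exactly like a bad signature; now that the algorithms are resolved through `ctx->libctx` and `ctx->propq`, that presumably includes the case where the property query leaves no usable implementation. In internal_verify() this reaches the callback as X509_V_ERR_CERT_SIGNATURE_FAILURE, and in the check_dane_pkeys() hunk the TLSA record is skipped by `continue` with no diagnostic at all. Both outcomes fail closed, but someone triaging a verification failure is pointed at the certificate rather than at the provider configuration. A comment at each site would help, for example `/* <= 0 also covers errors, e.g. algorithm not available in ctx->libctx under ctx->propq */`. Both functions start and end outside the hunks, so whether other signature checks in this file (CRL signatures, for instance) also pass the context's libctx and propq cannot be seen here and is worth confirming.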