diff options
author | Tomas Mraz <tomas@openssl.org> | 2022-03-07 15:46:58 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-03-14 09:42:54 +0100 |
commit | 38514791b6b8459a98aac4f39e196183cd6332d8 (patch) | |
tree | 61fdae210a31d3dd878ed83dc8e1c353f73f22b0 /include | |
parent | 2722d7482feef2033d27e7ce25394fa4abb8558c (diff) |
Replace handling of negative verification result with SSL_set_retry_verify()
Provide a different mechanism to indicate that the application wants
to retry the verification. The negative result of the callback function
now indicates an error again.
Instead the SSL_set_retry_verify() can be called from the callback
to indicate that the handshake should be suspended.
Fixes #17568
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17825)
(cherry picked from commit dfb39f73132edf56daaad189e6791d1bdb57c4db)
Diffstat (limited to 'include')
-rw-r--r-- | include/openssl/ssl.h.in | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 9c00eb3d13..7202717391 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -1308,6 +1308,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_GET_SIGNATURE_NID 132 # define SSL_CTRL_GET_TMP_KEY 133 # define SSL_CTRL_GET_NEGOTIATED_GROUP 134 +# define SSL_CTRL_SET_RETRY_VERIFY 136 # define SSL_CERT_SET_FIRST 1 # define SSL_CERT_SET_NEXT 2 # define SSL_CERT_SET_SERVER 3 @@ -2130,6 +2131,8 @@ __owur int SSL_get_ex_data_X509_STORE_CTX_idx(void); SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_PIPELINES,m,NULL) # define SSL_set_max_pipelines(ssl,m) \ SSL_ctrl(ssl,SSL_CTRL_SET_MAX_PIPELINES,m,NULL) +# define SSL_set_retry_verify(ssl) \ + (SSL_ctrl(ssl,SSL_CTRL_SET_RETRY_VERIFY,0,NULL) > 0) void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len); void SSL_set_default_read_buffer_len(SSL *s, size_t len); |