Replace handling of negative verification result with SSL_set_retry_verify()

Provide a different mechanism to indicate that the application wants to retry the verification. The negative result of the callback function now indicates an error again. Instead the SSL_set_retry_verify() can be called from the callback to indicate that the handshake should be suspended. Fixes #17568 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17825) (cherry picked from commit dfb39f73132edf56daaad189e6791d1bdb57c4db)
author: Tomas Mraz <tomas@openssl.org> 2022-03-07 15:46:58 +0100
committer: Tomas Mraz <tomas@openssl.org> 2022-03-14 09:42:54 +0100
commit: 38514791b6b8459a98aac4f39e196183cd6332d8 (patch)
tree: 61fdae210a31d3dd878ed83dc8e1c353f73f22b0 /ssl/ssl_lib.c
parent: 2722d7482feef2033d27e7ce25394fa4abb8558c (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 14030f8ebc..50254ad5af 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2393,6 +2393,9 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
         return 1;
     case SSL_CTRL_GET_RI_SUPPORT:
         return s->s3.send_connection_binding;
+    case SSL_CTRL_SET_RETRY_VERIFY:
+        s->rwstate = SSL_RETRY_VERIFY;
+        return 1;
     case SSL_CTRL_CERT_FLAGS:
         return (s->cert->cert_flags |= larg);
     case SSL_CTRL_CLEAR_CERT_FLAGS:
author	Tomas Mraz <tomas@openssl.org>	2022-03-07 15:46:58 +0100
committer	Tomas Mraz <tomas@openssl.org>	2022-03-14 09:42:54 +0100
commit	38514791b6b8459a98aac4f39e196183cd6332d8 (patch)
tree	61fdae210a31d3dd878ed83dc8e1c353f73f22b0 /ssl/ssl_lib.c
parent	2722d7482feef2033d27e7ce25394fa4abb8558c (diff)