diff options
author | Tomas Mraz <tomas@openssl.org> | 2022-03-07 15:46:58 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-03-14 09:39:03 +0100 |
commit | dfb39f73132edf56daaad189e6791d1bdb57c4db (patch) | |
tree | 0b6e37d9fa5a263906d4ca4b6ceef0a14632ff18 /ssl/ssl_lib.c | |
parent | 7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa (diff) |
Replace handling of negative verification result with SSL_set_retry_verify()
Provide a different mechanism to indicate that the application wants
to retry the verification. The negative result of the callback function
now indicates an error again.
Instead the SSL_set_retry_verify() can be called from the callback
to indicate that the handshake should be suspended.
Fixes #17568
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17825)
Diffstat (limited to 'ssl/ssl_lib.c')
-rw-r--r-- | ssl/ssl_lib.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9138cd659b..ab56e66e3a 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2393,6 +2393,9 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) return 1; case SSL_CTRL_GET_RI_SUPPORT: return s->s3.send_connection_binding; + case SSL_CTRL_SET_RETRY_VERIFY: + s->rwstate = SSL_RETRY_VERIFY; + return 1; case SSL_CTRL_CERT_FLAGS: return (s->cert->cert_flags |= larg); case SSL_CTRL_CLEAR_CERT_FLAGS: |