author | Tomas Mraz <tomas@openssl.org> | 2022-03-07 15:46:58 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-03-14 09:42:54 +0100 |
commit | 38514791b6b8459a98aac4f39e196183cd6332d8 (patch) | |
tree | 61fdae210a31d3dd878ed83dc8e1c353f73f22b0 /test/helpers/handshake.c | |
parent | 2722d7482feef2033d27e7ce25394fa4abb8558c (diff) |
Replace handling of negative verification result with SSL_set_retry_verify()
Provide a different mechanism to indicate that the application wants
to retry the verification. The negative result of the callback function
now indicates an error again.
Instead, SSL_set_retry_verify() can be called from the callback
to indicate that the handshake should be suspended.
Fixes #17568
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17825)
(cherry picked from commit dfb39f73132edf56daaad189e6791d1bdb57c4db)
Diffstat (limited to 'test/helpers/handshake.c')
-rw-r--r-- | test/helpers/handshake.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
index d44aa4baaf..f05782220d 100644
--- a/test/helpers/handshake.c
+++ b/test/helpers/handshake.c
@@ -305,10 +305,18 @@ static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) {
 static int n_retries = 0;
 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) {
+ int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
+ SSL *ssl;
+
+ /* this should not happen but check anyway */
+ if (idx < 0
+ || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
+ return 0;
+
 if (--n_retries < 0)
 return 1;
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
- return -1;
+
+ return SSL_set_retry_verify(ssl);
 }
 static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) {
 |
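Review bot: The new guard in verify_retry_cb rejects verification with `return 0;` but leaves the X509_STORE_CTX error untouched, whereas the removed failure path (and verify_reject_cb in the hunk header context) set X509_V_ERR_APPLICATION_VERIFICATION before failing, so a "should not happen" failure here would surface with whatever error was already in ctx rather than a recognisable application error. Adding `X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);` immediately before that `return 0;` keeps the test helper's failure reporting consistent and makes an unexpected missing SSL pointer diagnosable. The same consideration applies to `return SSL_set_retry_verify(ssl);` if that call can report failure, which is not visible in this hunk. The comment `/* this should not happen but check anyway */` would read better as `/* the verify callback is always invoked with an SSL in ex_data; fail closed if not */`.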