Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) If a candidate issuer certificate is already part of the constructed
+ path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
+ [Steve Henson]
+
*) Improve forward-security support: add functions
void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
return("unsupported or invalid name syntax");
case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
return("CRL path validation error");
+ case X509_V_ERR_PATH_LOOP:
+ return("Path Loop");
default:
BIO_snprintf(buf,sizeof buf,"error number %ld",n);
{
int ret;
ret = X509_check_issued(issuer, x);
+ if (ret == X509_V_OK)
+ {
+ int i;
+ X509 *ch;
+ for (i = 0; i < sk_X509_num(ctx->chain); i++)
+ {
+ ch = sk_X509_value(ctx->chain, i);
+ if (ch == issuer || !X509_cmp(ch, issuer))
+ {
+ ret = X509_V_ERR_PATH_LOOP;
+ break;
+ }
+ }
+ }
+
if (ret == X509_V_OK)
return 1;
/* If we haven't asked for issuer errors don't set ctx */
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
+/* Another issuer check debug option */
+#define X509_V_ERR_PATH_LOOP 55
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
projects / oweals / openssl.git / commitdiff