tidy verify code. xn not used any more and check for self signed more efficiently

author Dr. Stephen Henson <steve@openssl.org>

Thu, 25 Feb 2010 11:18:26 +0000 (11:18 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Thu, 25 Feb 2010 11:18:26 +0000 (11:18 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Thu, 25 Feb 2010 11:18:26 +0000 (11:18 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Thu, 25 Feb 2010 11:18:26 +0000 (11:18 +0000)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

index 14e29f2782b85705fcc4752e3f241b58196d08cd..70011fd73316cce7e79591b97919a0b055aae962 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -149,11 +149,19 @@ static int x509_subject_cmp(X509 **a, X509 **b)
         return X509_subject_name_cmp(*a,*b);
         }
  #endif
+/* Return 1 is a certificate is self signed */
+static int cert_self_signed(X509 *x)
+       {
+       X509_check_purpose(x, -1, 0);
+       if (x->ex_flags & EXFLAG_SS)
+               return 1;
+       else
+               return 0;
+       }
  
  int X509_verify_cert(X509_STORE_CTX *ctx)
         {
         X509 *x,*xtmp,*chain_ss=NULL;
-       X509_NAME *xn;
         int bad_chain = 0;
         X509_VERIFY_PARAM *param = ctx->param;
         int depth,i,ok=0;
@@ -205,8 +213,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                                          */
  
                 /* If we are self signed, we break */
-               xn=X509_get_issuer_name(x);
-               if (ctx->check_issued(ctx, x,x)) break;
+               if (cert_self_signed(x))
+                       break;
  
                 /* If we were passed a cert chain, use it first */
                 if (ctx->untrusted != NULL)
@@ -242,8 +250,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
  
         i=sk_X509_num(ctx->chain);
         x=sk_X509_value(ctx->chain,i-1);
-       xn = X509_get_subject_name(x);
-       if (ctx->check_issued(ctx, x, x))
+       if (cert_self_signed(x))
                 {
                 /* we have a self signed certificate */
                 if (sk_X509_num(ctx->chain) == 1)
@@ -291,8 +298,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                 if (depth < num) break;
  
                 /* If we are self signed, we break */
-               xn=X509_get_issuer_name(x);
-               if (ctx->check_issued(ctx,x,x)) break;
+               if (cert_self_signed(x))
+                       break;
  
                 ok = ctx->get_issuer(&xtmp, ctx, x);
  
@@ -310,7 +317,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                 }
  
         /* we now have our chain, lets check it... */
-       xn=X509_get_issuer_name(x);
  
         i = check_trust(ctx);
author	Dr. Stephen Henson <steve@openssl.org>
	Thu, 25 Feb 2010 11:18:26 +0000 (11:18 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Thu, 25 Feb 2010 11:18:26 +0000 (11:18 +0000)