From: Richard Levitte Date: Tue, 30 Nov 2004 12:18:55 +0000 (+0000) Subject: Split X509_check_ca() into a small self and an internal function X-Git-Tag: BEN_FIPS_TEST_6~14^2~16 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5073ff03463a3e21f4acfcdcfa0c1eda64145007;p=oweals%2Fopenssl.git Split X509_check_ca() into a small self and an internal function check_ca(), to resolve constness issue. check_ca() is called from the purpose checkers instead of X509_check_ca(), since the stuff done by the latter (except for calling check_ca()) is also done by X509_check_purpose(). --- diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index d37e79481a..8d0ebbeaef 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -425,14 +425,8 @@ static void x509v3_cache_extensions(X509 *x) #define ns_reject(x, usage) \ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) -int X509_check_ca(X509 *x) +static int check_ca(const X509 *x) { - if(!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } - /* keyUsage if present should allow cert signing */ if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; if(x->ex_flags & EXFLAG_BCONS) { @@ -454,11 +448,22 @@ int X509_check_ca(X509 *x) } } +int X509_check_ca(X509 *x) +{ + if(!(x->ex_flags & EXFLAG_SET)) { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + x509v3_cache_extensions(x); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + } + + return check_ca(x); +} + /* Check SSL CA: common checks for SSL client and server */ static int check_ssl_ca(const X509 *x) { int ca_ret; - ca_ret = X509_check_ca(x); + ca_ret = check_ca(x); if(!ca_ret) return 0; /* check nsCertType if present */ if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; @@ -506,7 +511,7 @@ static int purpose_smime(const X509 *x, int ca) if(xku_reject(x,XKU_SMIME)) return 0; if(ca) { int ca_ret; - ca_ret = X509_check_ca(x); + ca_ret = check_ca(x); if(!ca_ret) return 0; /* check nsCertType if present */ if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; @@ -543,7 +548,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { if(ca) { int ca_ret; - if((ca_ret = X509_check_ca(x)) != 2) return ca_ret; + if((ca_ret = check_ca(x)) != 2) return ca_ret; else return 0; } if(ku_reject(x, KU_CRL_SIGN)) return 0; @@ -558,7 +563,7 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) { /* Must be a valid CA. Should we really support the "I don't know" value (2)? */ - if(ca) return X509_check_ca(x); + if(ca) return check_ca(x); /* leaf certificate is checked in OCSP_verify() */ return 1; }