From: Dr. Stephen Henson <steve@openssl.org>
Date: Tue, 30 Jun 2009 11:24:57 +0000 (+0000)
Subject: Update from 1.0.0-stable
X-Git-Tag: OpenSSL-fips-2_0-rc1~1620
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=508c53522145ccd59b330e789a07470c79e87770;p=oweals%2Fopenssl.git

Update from 1.0.0-stable
---

diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index acc50f97d5..dfd89d89fa 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -199,8 +199,12 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
 						const X509_VERIFY_PARAM *from)
 	{
+	unsigned long save_flags = to->inh_flags;
+	int ret;
 	to->inh_flags |= X509_VP_FLAG_DEFAULT;
-	return X509_VERIFY_PARAM_inherit(to, from);
+	ret = X509_VERIFY_PARAM_inherit(to, from);
+	to->inh_flags = save_flags;
+	return ret;
 	}
 
 int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index ccb30e0760..2f47eaf510 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -502,9 +502,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 		SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
 		return(0);
 		}
-	if (s->param)
-		X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
-						s->param);
 #if 0
 	if (SSL_get_verify_depth(s) >= 0)
 		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
@@ -518,6 +515,12 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 
 	X509_STORE_CTX_set_default(&ctx,
 				s->server ? "ssl_client" : "ssl_server");
+	/* Anything non-default in "param" should overwrite anything in the
+	 * ctx.
+	 */
+	if (s->param)
+		X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx),
+						s->param);
 
 	if (s->verify_callback)
 		X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);