From: Dr. Stephen Henson
Date: Fri, 14 Feb 2014 13:38:26 +0000 (+0000)
Subject: Add cert_self_signed function to simplify verify
X-Git-Tag: OpenSSL_1_0_2-beta1~31
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ced6dc5cefca57b08e077951a9710c33b709e99e;p=oweals%2Fopenssl.git
Add cert_self_signed function to simplify verify (from master)
---
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 990be83da3..07cd09f69d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -151,6 +151,15 @@ static int x509_subject_cmp(X509 **a, X509 **b)
 return X509_subject_name_cmp(*a,*b);
 }
 #endif
+/* Return 1 is a certificate is self signed */
+static int cert_self_signed(X509 *x)
+ {
+ X509_check_purpose(x, -1, 0);
+ if (x->ex_flags & EXFLAG_SS)
+ return 1;
+ else
+ return 0;
+ }
 /* Given a certificate try and find an exact match in the store */
@@ -232,8 +241,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 */
 /* If we are self signed, we break */
- if (ctx->check_issued(ctx, x,x)) break;
-
+ if (cert_self_signed(x))
+ break;
 /* If asked see if we can find issuer in trusted store first */
 if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
 {
@@ -284,7 +293,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 i=sk_X509_num(ctx->chain);
 x=sk_X509_value(ctx->chain,i-1);
- if (ctx->check_issued(ctx, x, x))
+ if (cert_self_signed(x))
 {
 /* we have a self signed certificate */
 if (sk_X509_num(ctx->chain) == 1)
@@ -332,7 +341,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 if (depth < num) break;
 /* If we are self signed, we break */
- if (ctx->check_issued(ctx,x,x)) break;
+ if (cert_self_signed(x))
+ break;
 ok = ctx->get_issuer(&xtmp, ctx, x);
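Review bot: The comment on the new `cert_self_signed()` helper (first hunk) has a typo ("is a certificate" for "if a certificate") and does not say what the test actually establishes. The function only populates the cached flags through `X509_check_purpose(x, -1, 0)` and then reads `EXFLAG_SS`; no signature is verified here, and how the flag is derived is outside this hunk (presumably a subject/issuer name match, possibly with key-identifier agreement, to be confirmed in the extension-caching code). I would replace the comment with `/* Return 1 if x is flagged self signed (EXFLAG_SS); this reads a cached flag, the signature is NOT verified here */` and add `/* called only to populate x->ex_flags; return value deliberately ignored */` above the `X509_check_purpose` call. The if/else could then collapse to `return (x->ex_flags & EXFLAG_SS) ? 1 : 0;`.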
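Review bot: Replacing `ctx->check_issued(ctx, x, x)` with `cert_self_signed(x)` in `X509_verify_cert` (second hunk; the third and fourth hunks make the same substitution) takes the per-context `check_issued` function pointer out of the self-signed decision, and neither the commit message nor the code says this narrowing is intended. Anything that overrides that pointer is no longer consulted at these three points, and any checks the default implementation performs beyond what `EXFLAG_SS` records (as far as I recall, a key-usage test on the issuer) are skipped as well. Because these tests decide where chain building stops and which certificate is treated as the root candidate, the difference should be stated at the first site, e.g. `/* self-signed test reads cached EXFLAG_SS, not ctx->check_issued: overrides of that hook are not consulted here */`. `X509_verify_cert` starts and ends outside all three hunks, so what happens to the certificate after each `break` could not be reviewed from here.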