From 465f34ed27d54b36b47f98b8ce4b5ec9e33c4f02 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Mon, 6 Apr 2020 12:14:30 +0100
Subject: [PATCH] Introduce an internal version of X509_check_issued()

The internal version is library context aware.

Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/11507)
---
 crypto/x509/v3_purp.c | 12 +++++++++---
 crypto/x509/x509_vfy.c | 2 +-
 include/crypto/x509.h | 4 ++++
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index bee8210bfc..687d065303 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -811,14 +811,15 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
 * codes for X509_verify_cert()
 */
-int X509_check_issued(X509 *issuer, X509 *subject)
+int x509_check_issued_int(X509 *issuer, X509 *subject, OPENSSL_CTX *libctx,
+ const char *propq)
 {
 if (X509_NAME_cmp(X509_get_subject_name(issuer),
 X509_get_issuer_name(subject)))
 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
- if (!X509v3_cache_extensions(issuer, NULL, NULL)
- || !X509v3_cache_extensions(subject, NULL, NULL))
+ if (!X509v3_cache_extensions(issuer, libctx, propq)
+ || !X509v3_cache_extensions(subject, libctx, propq))
 return X509_V_ERR_UNSPECIFIED;
 if (subject->akid) {
@@ -853,6 +854,11 @@ int X509_check_issued(X509 *issuer, X509 *subject)
 return X509_V_OK;
 }
+int X509_check_issued(X509 *issuer, X509 *subject)
+{
+ return x509_check_issued_int(issuer, subject, NULL, NULL);
+}
+
 int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
 {
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index c3eb261b94..99479444e6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -334,7 +334,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 return ss;
 }
- ret = X509_check_issued(issuer, x);
+ ret = x509_check_issued_int(issuer, x, ctx->libctx, ctx->propq);
 if (ret == X509_V_OK) {
 int i;
 X509 *ch;
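Review bot: The comment block ending at ` */` directly above the renamed function still describes only the return codes, while the two new parameters `libctx` and `propq` are documented neither here nor at the prototype added in include/crypto/x509.h. I would extend that block with ` * libctx and propq select the library context and property query used when caching the extensions of both certificates; NULL for both keeps the previous behaviour, which is what the public X509_check_issued() wrapper relies on.` Since X509v3_cache_extensions() stores its results on the X509 object, it presumably computes them only on the first call, so a certificate already cached under another context would not be re-cached with the caller's `libctx`; worth confirming and, if so, stating in the same comment. The body of x509_check_issued_int() continues past the end of the hunk.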
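Review bot: The public X509_check_issued() added in this hunk carries no comment, while the block that documented its contract now sits above x509_check_issued_int() instead. A one-line comment on the wrapper, `/* Public entry point: delegates to x509_check_issued_int() with NULL libctx and propq. */`, keeps the public API's documentation discoverable where the function is now defined.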
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 560f3abb76..1d2ec3ee52 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -297,3 +297,7 @@ int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
 int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags);
 void x509_init_sig_info(X509 *x);
+
+
+int x509_check_issued_int(X509 *issuer, X509 *subject, OPENSSL_CTX *libctx,
+ const char *propq);
-- 
2.25.1
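Review bot: Two consecutive blank lines are inserted before the new prototype (the two bare `+` lines), where a single blank line is the usual separation between declarations; I would drop one of them. This is a spacing nit only and does not affect the declaration itself.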