From 508c53522145ccd59b330e789a07470c79e87770 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 30 Jun 2009 11:24:57 +0000 Subject: [PATCH] Update from 1.0.0-stable --- crypto/x509/x509_vpm.c | 6 +++++- ssl/ssl_cert.c | 9 ++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index acc50f97d5..dfd89d89fa 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -199,8 +199,12 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) { + unsigned long save_flags = to->inh_flags; + int ret; to->inh_flags |= X509_VP_FLAG_DEFAULT; - return X509_VERIFY_PARAM_inherit(to, from); + ret = X509_VERIFY_PARAM_inherit(to, from); + to->inh_flags = save_flags; + return ret; } int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index ccb30e0760..2f47eaf510 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -502,9 +502,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB); return(0); } - if (s->param) - X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx), - s->param); #if 0 if (SSL_get_verify_depth(s) >= 0) X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s)); @@ -518,6 +515,12 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) X509_STORE_CTX_set_default(&ctx, s->server ? "ssl_client" : "ssl_server"); + /* Anything non-default in "param" should overwrite anything in the + * ctx. + */ + if (s->param) + X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), + s->param); if (s->verify_callback) X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); -- 2.25.1