Update from 1.0.0-stable
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index acc50f9..dfd89d8 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -199,8 +199,12 @@
int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
const X509_VERIFY_PARAM *from)
{
+ unsigned long save_flags = to->inh_flags;
+ int ret;
to->inh_flags |= X509_VP_FLAG_DEFAULT;
- return X509_VERIFY_PARAM_inherit(to, from);
+ ret = X509_VERIFY_PARAM_inherit(to, from);
+ to->inh_flags = save_flags;
+ return ret;
}
int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index ccb30e0..2f47eaf 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -502,9 +502,6 @@
SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
return(0);
}
- if (s->param)
- X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
- s->param);
#if 0
if (SSL_get_verify_depth(s) >= 0)
X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
@@ -518,6 +515,12 @@
X509_STORE_CTX_set_default(&ctx,
s->server ? "ssl_client" : "ssl_server");
+ /* Anything non-default in "param" should overwrite anything in the
+ * ctx.
+ */
+ if (s->param)
+ X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx),
+ s->param);
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
