New X509_VERIFY_PARAM structure and associated functionality. This tidies up verify parameters and adds support for integrated policy checking. Add support for policy related command line options. Currently only in smime application. WARNING: experimental code subject to change.

commit: 5d7c222db8f26a53c00646cc1dde2bdded38027e [log] [tgz]
author: Dr. Stephen Henson <steve@openssl.org> Mon Sep 06 18:43:01 2004 +0000
committer: Dr. Stephen Henson <steve@openssl.org> Mon Sep 06 18:43:01 2004 +0000
tree: 7ce0523e1f46b97b427eec9c348e79c3221a8ccc
parent: d993addbed0a3502c3fa6ef2ae2bd9b7fd002d01 [diff] [blame]
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 4cab28a..b515c06 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c

@@ -483,20 +483,22 @@
 		SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
 		return(0);
 		}
+	if (s->param)
+		X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
+						s->param);
+#if 0
 	if (SSL_get_verify_depth(s) >= 0)
 		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
+#endif
 	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
 
-	/* We need to set the verify purpose. The purpose can be determined by
+	/* We need to inherit the verify parameters. These can be determined by
 	 * the context: if its a server it will verify SSL client certificates
 	 * or vice versa.
 	 */
-	if (s->server)
-		i = X509_PURPOSE_SSL_CLIENT;
-	else
-		i = X509_PURPOSE_SSL_SERVER;
 
-	X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
+	X509_STORE_CTX_set_default(&ctx,
+				s->server ? "ssl_client" : "ssl_server");
 
 	if (s->verify_callback)
 		X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
commit	5d7c222db8f26a53c00646cc1dde2bdded38027e	[log] [tgz]
author	Dr. Stephen Henson <steve@openssl.org>	Mon Sep 06 18:43:01 2004 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	Mon Sep 06 18:43:01 2004 +0000
tree	7ce0523e1f46b97b427eec9c348e79c3221a8ccc
parent	d993addbed0a3502c3fa6ef2ae2bd9b7fd002d01 [diff] [blame]