Support verify_depth from the SSL API without need for user-defined
callbacks.

Submitted by:
Reviewed by:
PR:
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8317683..945dab1 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -189,6 +189,7 @@
 	s->sid_ctx_length=ctx->sid_ctx_length;
 	memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
 	s->verify_mode=ctx->verify_mode;
+	s->verify_depth=ctx->verify_depth;
 	s->verify_callback=ctx->default_verify_callback;
 	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
 	s->ctx=ctx;
@@ -422,6 +423,11 @@
 	return(s->verify_mode);
 	}
 
+int SSL_get_verify_depth(SSL *s)
+	{
+	return(s->verify_depth);
+	}
+
 int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
 	{
 	return(s->verify_callback);
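Review bot: SSL_get_verify_depth returns the raw field, which can be the -1 sentinel that the @@ -961 hunk installs as the "no limit" default, and nothing at the function says so. A caller that treats the result as a chain length, for logging or for comparison against an observed depth, would mishandle the negative value. I would add a header comment such as `/* Returns the configured maximum chain depth, or -1 if no limit has been set at the SSL level */`. The same applies to SSL_CTX_get_verify_depth in the @@ -432 hunk.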
@@ -432,6 +438,11 @@
 	return(ctx->verify_mode);
 	}
 
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+	{
+	return(ctx->verify_depth);
+	}
+
 int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
 	{
 	return(ctx->default_verify_callback);
@@ -445,6 +456,11 @@
 		s->verify_callback=callback;
 	}
 
+void SSL_set_verify_depth(SSL *s,int depth)
+	{
+	s->verify_depth=depth;
+	}
+
 void SSL_set_read_ahead(SSL *s,int yes)
 	{
 	s->read_ahead=yes;
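Review bot: SSL_set_verify_depth stores `depth` with no range check, so any negative value, not only the -1 default, ends up in s->verify_depth. How the consumer treats values below -1 is not visible in this file; if it simply tests for a negative number, an accidentally negative depth would silently mean "no limit", which is a fail-open result for a setting meant to bound chain length. Either reject or normalise such input here, or state the contract in a comment like `/* depth: maximum chain depth to accept; -1 = no SSL-level limit, other negative values are not meaningful */`. SSL_CTX_set_verify_depth in the @@ -1079 hunk has the same gap.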
@@ -961,6 +977,7 @@
 
 	ret->read_ahead=0;
 	ret->verify_mode=SSL_VERIFY_NONE;
+	ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
 	ret->default_verify_callback=NULL;
 	if ((ret->default_cert=ssl_cert_new()) == NULL)
 		goto err;
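Review bot: The `-1` default on the added line is a bare sentinel, and its comment points at x509_lu.c without saying what limit applies there, so anyone auditing chain-length limits has to go to another file to learn the effective default. I would spell it out, e.g. `/* -1: no limit from the SSL layer; the X509 store's own depth limit (x509_lu.c) still applies */`, and consider a named constant for the sentinel. Since verify_mode defaults to SSL_VERIFY_NONE on the line above, the depth presumably has no effect until verification is enabled, which is worth stating in the API documentation. The enclosing function starts and ends outside the hunk.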
@@ -1079,6 +1096,11 @@
 	X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
 	}
 
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
+	{
+	ctx->verify_depth=depth;
+	}
+
 /* Need default_cert to check for callbacks, for now (see comment in CERT
    strucure)
 */
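Review bot: SSL_CTX_set_verify_depth only updates the context field, while the @@ -189 hunk copies ctx->verify_depth into each SSL by value at creation time, so a later change to the context does not reach SSL objects that already exist. That is easy to miss when an application tightens the depth after connections have been set up. A comment on the function would make it explicit, e.g. `/* Affects only SSL objects created after this call; existing ones keep the depth copied at creation */`.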
@@ -1463,6 +1485,7 @@
 	SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
 	SSL_set_verify(ret,SSL_get_verify_mode(s),
 		SSL_get_verify_callback(s));
+	SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
 
 	SSL_set_info_callback(ret,SSL_get_info_callback(s));