generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Split X509_check_ca() into a small self and an internal function

Browse Source 
check_ca(), to resolve constness issue.  check_ca() is called from the
purpose checkers instead of X509_check_ca(), since the stuff done by
the latter (except for calling check_ca()) is also done by
X509_check_purpose().
This commit is contained in:
Richard Levitte 2004-11-30 12:18:55 +00:00
parent fc7fc5678f
commit 5073ff0346
1 changed files with 16 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
crypto/x509v3/v3_purp.c
View File

@ -425,14 +425,8 @@ static void x509v3_cache_extensions(X509 *x)
#define ns_reject(x, usage) \ #define ns_reject(x, usage) \
(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
int X509_check_ca(X509 *x) static int check_ca(const X509 *x)
{ {
if(!(x->ex_flags & EXFLAG_SET)) {
CRYPTO_w_lock(CRYPTO_LOCK_X509);
x509v3_cache_extensions(x);
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
}
/* keyUsage if present should allow cert signing */ /* keyUsage if present should allow cert signing */
if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
if(x->ex_flags & EXFLAG_BCONS) { if(x->ex_flags & EXFLAG_BCONS) {
@ -454,11 +448,22 @@ int X509_check_ca(X509 *x)
} }
} }
int X509_check_ca(X509 *x)
{
if(!(x->ex_flags & EXFLAG_SET)) {
CRYPTO_w_lock(CRYPTO_LOCK_X509);
x509v3_cache_extensions(x);
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
}
return check_ca(x);
}
/* Check SSL CA: common checks for SSL client and server */ /* Check SSL CA: common checks for SSL client and server */
static int check_ssl_ca(const X509 *x) static int check_ssl_ca(const X509 *x)
{ {
int ca_ret; int ca_ret;
ca_ret = X509_check_ca(x); ca_ret = check_ca(x);
if(!ca_ret) return 0; if(!ca_ret) return 0;
/* check nsCertType if present */ /* check nsCertType if present */
if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
@ -506,7 +511,7 @@ static int purpose_smime(const X509 *x, int ca)
if(xku_reject(x,XKU_SMIME)) return 0; if(xku_reject(x,XKU_SMIME)) return 0;
if(ca) { if(ca) {
int ca_ret; int ca_ret;
ca_ret = X509_check_ca(x); ca_ret = check_ca(x);
if(!ca_ret) return 0; if(!ca_ret) return 0;
/* check nsCertType if present */ /* check nsCertType if present */
if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
@ -543,7 +548,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
{ {
if(ca) { if(ca) {
int ca_ret; int ca_ret;
if((ca_ret = X509_check_ca(x)) != 2) return ca_ret; if((ca_ret = check_ca(x)) != 2) return ca_ret;
else return 0; else return 0;
} }
if(ku_reject(x, KU_CRL_SIGN)) return 0; if(ku_reject(x, KU_CRL_SIGN)) return 0;
@ -558,7 +563,7 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
{ {
/* Must be a valid CA. Should we really support the "I don't know" /* Must be a valid CA. Should we really support the "I don't know"
value (2)? */ value (2)? */
if(ca) return X509_check_ca(x); if(ca) return check_ca(x);
/* leaf certificate is checked in OCSP_verify() */ /* leaf certificate is checked in OCSP_verify() */
return 1; return 1;
} }