Fix typo in ssl/d1_pkt.c.

[openssl.git] / ssl / ssl_cert.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 4cab28a200fa803c225df55ff89e0df61d5df73e..0c9bd073784c44f10403c9164162e3f29ae73c14 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -483,20 +483,22 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
                return(0);
                }
+       if (s->param)
+               X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
+                                               s->param);
+#if 0
        if (SSL_get_verify_depth(s) >= 0)
                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
+#endif
        X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
 
-       /* We need to set the verify purpose. The purpose can be determined by
+       /* We need to inherit the verify parameters. These can be determined by
         * the context: if its a server it will verify SSL client certificates
         * or vice versa.
         */
-       if (s->server)
-               i = X509_PURPOSE_SSL_CLIENT;
-       else
-               i = X509_PURPOSE_SSL_SERVER;
 
-       X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
+       X509_STORE_CTX_set_default(&ctx,
+                               s->server ? "ssl_client" : "ssl_server");
 
        if (s->verify_callback)
                X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
@@ -561,12 +563,12 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
        set_client_CA_list(&(ctx->client_CA),name_list);
        }
 
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
        {
        return(ctx->client_CA);
        }
 
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
        {
        if (s->type == SSL_ST_CONNECT)
                { /* we are in the client */
@@ -633,14 +635,13 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
        BIO *in;
        X509 *x=NULL;
        X509_NAME *xn=NULL;
-       STACK_OF(X509_NAME) *ret,*sk;
+       STACK_OF(X509_NAME) *ret = NULL,*sk;
 
-       ret=sk_X509_NAME_new_null();
        sk=sk_X509_NAME_new(xname_cmp);
 
        in=BIO_new(BIO_s_file_internal());
 
-       if ((ret == NULL) || (sk == NULL) || (in == NULL))
+       if ((sk == NULL) || (in == NULL))
                {
                SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
                goto err;
@@ -653,6 +654,15 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
                {
                if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
                        break;
+               if (ret == NULL)
+                       {
+                       ret = sk_X509_NAME_new_null();
+                       if (ret == NULL)
+                               {
+                               SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+                               goto err;
+                               }
+                       }
                if ((xn=X509_get_subject_name(x)) == NULL) goto err;
                /* check for duplicates */
                xn=X509_NAME_dup(xn);
@@ -675,6 +685,8 @@ err:
        if (sk != NULL) sk_X509_NAME_free(sk);
        if (in != NULL) BIO_free(in);
        if (x != NULL) X509_free(x);
+       if (ret != NULL)
+               ERR_clear_error();
        return(ret);
        }
 #endif