for (i = 0; i < ctx->last_untrusted; i++)
{
x = sk_X509_value(ctx->chain, i);
+ if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+ && (x->ex_flags & EXFLAG_CRITICAL))
+ {
+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
if (!X509_check_purpose(x, ctx->purpose, i))
{
if (i)
if (!(ctx->flags & X509_V_FLAG_CRL_CHECK))
return 1;
if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
- last = 0;
- else
last = sk_X509_num(ctx->chain) - 1;
+ else
+ last = 0;
for(i = 0; i <= last; i++)
{
ctx->error_depth = i;
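Review bot: The new assignment `last = sk_X509_num(ctx->chain) - 1` on the CRL_CHECK_ALL branch needs a comment, because it silently widens revocation checking from the leaf to every certificate in the chain, presumably including the self-signed anchor, so a CRL has to be obtainable for each issuer or the per-certificate check (not visible here) will report an error through `ok=(*cb)(0,ctx)`. I would add above the `if`: `/* CRL_CHECK_ALL: revocation-check every cert in the chain, anchor included; otherwise only depth 0, the end-entity cert */`. On an empty chain `last` becomes -1 and the `i <= last` loop is skipped, which is only correct if `last` is a signed type; its declaration is outside the hunk and worth confirming. The enclosing function starts and ends outside this hunk.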
ok=(*cb)(0,ctx);
if (!ok) goto end;
}
- if (X509_verify(xs,pkey) <= 0)
+ else if (X509_verify(xs,pkey) <= 0)
/* XXX For the final trusted self-signed cert,
* this is a waste of time. That check should
* optional so that e.g. 'openssl x509' can be
if (!ok) goto end;
}
- /* CRL CHECK */
-
/* The last error (if any) is still in the error value */
ctx->current_cert=xs;
ok=(*cb)(1,ctx);
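Review bot: Changing the signature check to `else if (X509_verify(xs,pkey) <= 0)` makes it conditional on a branch whose condition begins outside this hunk, so a reader now sees a path on which the certificate signature is not verified without any statement of why that is safe. A one-line comment on the `else if`, naming the case the preceding branch handles and why X509_verify is redundant there, would keep this from being read as a missing check; the existing `/* XXX ... */` note below it discusses a different concern (the trusted self-signed cert) and does not cover it. The removed `/* CRL CHECK */` marker is history and needs no replacement. internal_verify begins and ends outside this hunk.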
{
char *str;
ASN1_TIME atm;
- time_t offset;
+ long offset;
char buff1[24],buff2[24],*p;
int i,j;
ctx->cert=x509;
ctx->untrusted=chain;
ctx->last_untrusted=0;
- ctx->purpose=store->purpose;
- ctx->trust=store->trust;
ctx->check_time=0;
- ctx->flags=0;
ctx->other_ctx=NULL;
ctx->valid=0;
ctx->chain=NULL;
* use defaults.
*/
- ctx->flags = store->flags;
- if (store->check_issued)
+ if (store)
+ {
+ ctx->purpose=store->purpose;
+ ctx->trust=store->trust;
+ ctx->flags = store->flags;
+ ctx->cleanup = store->cleanup;
+ }
+ else
+ {
+ ctx->purpose = 0;
+ ctx->trust = 0;
+ ctx->flags = 0;
+ ctx->cleanup = 0;
+ }
+
+ if (store && store->check_issued)
ctx->check_issued = store->check_issued;
else
ctx->check_issued = check_issued;
- if (store->get_issuer)
+ if (store && store->get_issuer)
ctx->get_issuer = store->get_issuer;
else
ctx->get_issuer = X509_STORE_CTX_get1_issuer;
- if (store->verify_cb)
+ if (store && store->verify_cb)
ctx->verify_cb = store->verify_cb;
else
ctx->verify_cb = null_callback;
- if (store->verify)
+ if (store && store->verify)
ctx->verify = store->verify;
else
ctx->verify = internal_verify;
- if (store->check_revocation)
+ if (store && store->check_revocation)
ctx->check_revocation = store->check_revocation;
else
ctx->check_revocation = check_revocation;
- if (store->get_crl)
+ if (store && store->get_crl)
ctx->get_crl = store->get_crl;
else
ctx->get_crl = get_crl;
- if (store->check_crl)
+ if (store && store->check_crl)
ctx->check_crl = store->check_crl;
else
ctx->check_crl = check_crl;
- if (store->cert_crl)
+ if (store && store->cert_crl)
ctx->cert_crl = store->cert_crl;
else
ctx->cert_crl = cert_crl;
- ctx->cleanup = store->cleanup;
/* This memset() can't make any sense anyway, so it's removed. As
* X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a