Add setter and getter for X509_STORE's check_policy

Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index c5472e14d03ec510a1240c21a81bea93d69fcbb5..545f90990fe5fc215d43b9845bf110bccc8ff97e 100644 (file)
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -204,6 +204,7 @@ struct x509_store_ctx_st {      /* X509_STORE_CTX */
     int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl);
     /* Check certificate against CRL */
     int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
+    /* Check policy status of the chain */
     int (*check_policy) (X509_STORE_CTX *ctx);
     STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
     STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);

diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h
index 340bb60b98416b3b83237820ca5e6c881635823b..2120b7e6f2f98ae77beda3f9b755f8df8180243d 100644 (file)
--- a/crypto/x509/x509_lcl.h
+++ b/crypto/x509/x509_lcl.h
@@ -123,6 +123,8 @@ struct x509_store_st {
     int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl);
     /* Check certificate against CRL */
     int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
+    /* Check policy status of the chain */
+    int (*check_policy) (X509_STORE_CTX *ctx);
     STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
     STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);
     int (*cleanup) (X509_STORE_CTX *ctx);

diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 26902d765b568aeadcd8de3fac26167fccfa409b..337482dee3dfe4cd9027fad9121d9e746cef5753 100644 (file)
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -801,6 +801,17 @@ X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx)
     return ctx->cert_crl;
 }
 
+void X509_STORE_set_check_policy(X509_STORE *ctx,
+                                 X509_STORE_CTX_check_policy_fn check_policy)
+{
+    ctx->check_policy = check_policy;
+}
+
+X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx)
+{
+    return ctx->check_policy;
+}
+
 void X509_STORE_set_lookup_certs(X509_STORE *ctx,
                                  X509_STORE_CTX_lookup_certs_fn lookup_certs)
 {

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 649390c647ab7784e17f8d07d5d54d67a37cf8d0..a290a5e6b3f408a8b19dd155602d9dd3a0f6a64b 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2285,6 +2285,11 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
     else
         ctx->cert_crl = cert_crl;
 
+    if (store && store->check_policy)
+        ctx->check_policy = store->check_policy;
+    else
+        ctx->check_policy = check_policy;
+
     if (store && store->lookup_certs)
         ctx->lookup_certs = store->lookup_certs;
     else
@@ -2295,8 +2300,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
     else
         ctx->lookup_crls = X509_STORE_CTX_get1_crls;
 
-    ctx->check_policy = check_policy;
-
     ctx->param = X509_VERIFY_PARAM_new();
     if (ctx->param == NULL) {
         X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);

diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 13ec740b42163eb40ddb4c2eb98a45d6a74a131d..dc726524751ca685e536cc9d5dac1405114dc33f 100644 (file)
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -293,6 +293,9 @@ X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx);
 void X509_STORE_set_cert_crl(X509_STORE *ctx,
                              X509_STORE_CTX_cert_crl_fn cert_crl);
 X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx);
+void X509_STORE_set_check_policy(X509_STORE *ctx,
+                                 X509_STORE_CTX_check_policy_fn check_policy);
+X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx);
 void X509_STORE_set_lookup_certs(X509_STORE *ctx,
                                  X509_STORE_CTX_lookup_certs_fn lookup_certs);
 X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx);