Update from 1.0.0-stable
authorDr. Stephen Henson <steve@openssl.org>
Tue, 30 Jun 2009 11:24:57 +0000 (11:24 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 30 Jun 2009 11:24:57 +0000 (11:24 +0000)
crypto/x509/x509_vpm.c
ssl/ssl_cert.c

index acc50f9..dfd89d8 100644 (file)
@@ -199,8 +199,12 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
                                                const X509_VERIFY_PARAM *from)
        {
+       unsigned long save_flags = to->inh_flags;
+       int ret;
        to->inh_flags |= X509_VP_FLAG_DEFAULT;
-       return X509_VERIFY_PARAM_inherit(to, from);
+       ret = X509_VERIFY_PARAM_inherit(to, from);
+       to->inh_flags = save_flags;
+       return ret;
        }
 
 int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
index ccb30e0..2f47eaf 100644 (file)
@@ -502,9 +502,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
                return(0);
                }
-       if (s->param)
-               X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
-                                               s->param);
 #if 0
        if (SSL_get_verify_depth(s) >= 0)
                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
@@ -518,6 +515,12 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 
        X509_STORE_CTX_set_default(&ctx,
                                s->server ? "ssl_client" : "ssl_server");
+       /* Anything non-default in "param" should overwrite anything in the
+        * ctx.
+        */
+       if (s->param)
+               X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx),
+                                               s->param);
 
        if (s->verify_callback)
                X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);