diff --git a/CHANGES b/CHANGES index fd23e1a262..5e6d2204a3 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,14 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + *) Modified SSL library such that the verify_callback that has been set + specificly for an SSL object with SSL_set_verify() is actually being + used. Before the change, a verify_callback set with this function was + ignored and the verify_callback() set in the SSL_CTX at the time of + the call was used. New function X509_STORE_CTX_set_verify_cb() introduced + to allow the necessary settings. + [Lutz Jaenicke] + +) Initial reduction of linker bloat: the use of some functions, such as PEM causes large amounts of unused functions to be linked in due to poor organisation. For example pem_all.c contains every PEM function diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index e08075e85a..b7e58b407e 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -397,6 +397,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust); void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags); void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t); +void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, + int (*verify_cb)(int, X509_STORE_CTX *)); #ifdef __cplusplus } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 605e97e966..8a53b9fa4b 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -471,6 +471,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust); + X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); + if (s->ctx->app_verify_callback != NULL) i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ else diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 34510963dc..f4dfdbf250 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1361,8 +1361,6 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) { ctx->verify_mode=mode; ctx->default_verify_callback=cb; - /* This needs cleaning up EAY EAY EAY */ - X509_STORE_set_verify_cb_func(ctx->cert_store,cb); } void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)