mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
Split X509_check_ca() into a small self and an internal function
check_ca(), to resolve constness issue. check_ca() is called from the purpose checkers instead of X509_check_ca(), since the stuff done by the latter (except for calling check_ca()) is also done by X509_check_purpose().
This commit is contained in:
parent
fc7fc5678f
commit
5073ff0346
@ -425,14 +425,8 @@ static void x509v3_cache_extensions(X509 *x)
|
||||
#define ns_reject(x, usage) \
|
||||
(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
|
||||
|
||||
int X509_check_ca(X509 *x)
|
||||
static int check_ca(const X509 *x)
|
||||
{
|
||||
if(!(x->ex_flags & EXFLAG_SET)) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509);
|
||||
x509v3_cache_extensions(x);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
}
|
||||
|
||||
/* keyUsage if present should allow cert signing */
|
||||
if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
|
||||
if(x->ex_flags & EXFLAG_BCONS) {
|
||||
@ -454,11 +448,22 @@ int X509_check_ca(X509 *x)
|
||||
}
|
||||
}
|
||||
|
||||
int X509_check_ca(X509 *x)
|
||||
{
|
||||
if(!(x->ex_flags & EXFLAG_SET)) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509);
|
||||
x509v3_cache_extensions(x);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
}
|
||||
|
||||
return check_ca(x);
|
||||
}
|
||||
|
||||
/* Check SSL CA: common checks for SSL client and server */
|
||||
static int check_ssl_ca(const X509 *x)
|
||||
{
|
||||
int ca_ret;
|
||||
ca_ret = X509_check_ca(x);
|
||||
ca_ret = check_ca(x);
|
||||
if(!ca_ret) return 0;
|
||||
/* check nsCertType if present */
|
||||
if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
|
||||
@ -506,7 +511,7 @@ static int purpose_smime(const X509 *x, int ca)
|
||||
if(xku_reject(x,XKU_SMIME)) return 0;
|
||||
if(ca) {
|
||||
int ca_ret;
|
||||
ca_ret = X509_check_ca(x);
|
||||
ca_ret = check_ca(x);
|
||||
if(!ca_ret) return 0;
|
||||
/* check nsCertType if present */
|
||||
if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
|
||||
@ -543,7 +548,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
|
||||
{
|
||||
if(ca) {
|
||||
int ca_ret;
|
||||
if((ca_ret = X509_check_ca(x)) != 2) return ca_ret;
|
||||
if((ca_ret = check_ca(x)) != 2) return ca_ret;
|
||||
else return 0;
|
||||
}
|
||||
if(ku_reject(x, KU_CRL_SIGN)) return 0;
|
||||
@ -558,7 +563,7 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
|
||||
{
|
||||
/* Must be a valid CA. Should we really support the "I don't know"
|
||||
value (2)? */
|
||||
if(ca) return X509_check_ca(x);
|
||||
if(ca) return check_ca(x);
|
||||
/* leaf certificate is checked in OCSP_verify() */
|
||||
return 1;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user