authorRichard Levitte <levitte@openssl.org>2004-11-30 12:18:55 +0000
committerRichard Levitte <levitte@openssl.org>2004-11-30 12:18:55 +0000
commit5073ff03463a3e21f4acfcdcfa0c1eda64145007 (patch)
tree0991debe18db7e4bdb777e4af848a43ec850b5d9
parentfc7fc5678f69a4f9bb0b155d9d45f70fc545f626 (diff)
downloadopenssl-5073ff03463a3e21f4acfcdcfa0c1eda64145007.tar.gz
Split X509_check_ca() into a small self and an internal function
check_ca(), to resolve constness issue. check_ca() is called from the purpose checkers instead of X509_check_ca(), since the stuff done by the latter (except for calling check_ca()) is also done by X509_check_purpose().
-rw-r--r--crypto/x509v3/v3_purp.c27
1 files changed, 16 insertions, 11 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index d37e79481a..8d0ebbeaef 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -425,14 +425,8 @@ static void x509v3_cache_extensions(X509 *x)
#define ns_reject(x, usage) \
(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-int X509_check_ca(X509 *x)
+static int check_ca(const X509 *x)
{
- if(!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- x509v3_cache_extensions(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
-
/* keyUsage if present should allow cert signing */
if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
if(x->ex_flags & EXFLAG_BCONS) {
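Review bot: The new static `check_ca()` reads `x->ex_flags` without ensuring the extension cache has been filled, and nothing at its definition records that precondition. If it were reached with `EXFLAG_SET` still clear, `ns_reject` (and presumably `ku_reject`, whose definition is outside the hunk) would evaluate false and the `EXFLAG_BCONS` branch would be skipped, so the CA decision would be made from empty flags rather than from the certificate. The commit message says `X509_check_purpose()` already does the caching for the purpose checkers, but that is not visible at the call sites changed in the later hunks (`check_ssl_ca`, `purpose_smime`, `check_purpose_crl_sign`, `ocsp_helper`). I would add above the definition: `/* Caller must already have cached the extensions (EXFLAG_SET set), e.g. via X509_check_purpose() or X509_check_ca(); this function does not do it. */`. The body of `check_ca()` continues past the end of this hunk.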
@@ -454,11 +448,22 @@ int X509_check_ca(X509 *x)
}
}
+int X509_check_ca(X509 *x)
+{
+ if(!(x->ex_flags & EXFLAG_SET)) {
+ CRYPTO_w_lock(CRYPTO_LOCK_X509);
+ x509v3_cache_extensions(x);
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+ }
+
+ return check_ca(x);
+}
+
/* Check SSL CA: common checks for SSL client and server */
static int check_ssl_ca(const X509 *x)
{
int ca_ret;
- ca_ret = X509_check_ca(x);
+ ca_ret = check_ca(x);
if(!ca_ret) return 0;
/* check nsCertType if present */
if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
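Review bot: In the added `X509_check_ca()`, the test `if(!(x->ex_flags & EXFLAG_SET))` reads `ex_flags` before `CRYPTO_w_lock(CRYPTO_LOCK_X509)` is taken, so two threads can both see the flag clear and both enter the locked region. That is harmless only if `x509v3_cache_extensions()` re-tests `EXFLAG_SET` itself once the lock is held, and its body is not visible in this diff. The pattern is carried over unchanged from the removed lines, but since this wrapper is now the single public entry point it is worth stating the assumption, for example `/* unlocked fast-path test; x509v3_cache_extensions() must re-check EXFLAG_SET under the lock */` above the `if`.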
@@ -506,7 +511,7 @@ static int purpose_smime(const X509 *x, int ca)
if(xku_reject(x,XKU_SMIME)) return 0;
if(ca) {
int ca_ret;
- ca_ret = X509_check_ca(x);
+ ca_ret = check_ca(x);
if(!ca_ret) return 0;
/* check nsCertType if present */
if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
@@ -543,7 +548,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
{
if(ca) {
int ca_ret;
- if((ca_ret = X509_check_ca(x)) != 2) return ca_ret;
+ if((ca_ret = check_ca(x)) != 2) return ca_ret;
else return 0;
}
if(ku_reject(x, KU_CRL_SIGN)) return 0;
@@ -558,7 +563,7 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
{
/* Must be a valid CA. Should we really support the "I don't know"
value (2)? */
- if(ca) return X509_check_ca(x);
+ if(ca) return check_ca(x);
/* leaf certificate is checked in OCSP_verify() */
return 1;
}