authorDr. Stephen Henson <steve@openssl.org>1999-11-26 00:27:07 +0000
committerDr. Stephen Henson <steve@openssl.org>1999-11-26 00:27:07 +0000
commitd4cec6a13dfb2c1d1ddf66dff499aaf21bbbf002 (patch)
tree4ee543a5413ad1df09e71f97cb69dfe2b48c12da /crypto/x509
parent1126239111a89c52d301c3439d20dc0fd61649c2 (diff)
downloadopenssl-d4cec6a13dfb2c1d1ddf66dff499aaf21bbbf002.tar.gz
New options to the -verify program which can be used for chain verification.
Extend the X509_PURPOSE structure to include shortnames for purposes and default trust ids. Still need some extendable trust checking code and integration with the SSL and S/MIME code.
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/Makefile.ssl18
-rw-r--r--crypto/x509/x509.h29
-rw-r--r--crypto/x509/x509_lu.c5
3 files changed, 37 insertions, 15 deletions
diff --git a/crypto/x509/Makefile.ssl b/crypto/x509/Makefile.ssl
index 4fd06af15f..f29efbaf9a 100644
--- a/crypto/x509/Makefile.ssl
+++ b/crypto/x509/Makefile.ssl
@@ -332,21 +332,21 @@ x509_v3.o: ../cryptlib.h
x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_vfy.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_vfy.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_vfy.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_vfy.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_vfy.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509_vfy.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-x509_vfy.o: ../../include/openssl/opensslconf.h
+x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_vfy.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
x509_vfy.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
x509_vfy.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
x509_vfy.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_vfy.o: ../cryptlib.h
+x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h
x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index f35a61476f..ed08dfb74a 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -238,11 +238,12 @@ typedef struct x509_cinf_st
/* Bit values for trust/notrust */
-#define X509_TRUST_ALL 0
-#define X509_TRUST_SSL_CLIENT 1
-#define X509_TRUST_SSL_SERVER 2
-#define X509_TRUST_EMAIL 3
-#define X509_TRUST_OBJECT_SIGN 4
+#define X509_TRUST_BIT_ALL 0
+#define X509_TRUST_BIT_SSL_CLIENT 1
+#define X509_TRUST_BIT_SSL_SERVER 2
+#define X509_TRUST_BIT_EMAIL 3
+#define X509_TRUST_BIT_OBJECT_SIGN 4
+
typedef struct x509_cert_aux_st
{
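Review bot: The names `X509_TRUST_SSL_CLIENT`, `X509_TRUST_SSL_SERVER` and `X509_TRUST_EMAIL` are not retired by this rename, because the next hunk in x509.h redefines them as trust ids with the values 2, 3 and 4. Any caller that still passes one of them where a trust/notrust bit value is expected keeps compiling and silently selects a different setting: the old `X509_TRUST_SSL_CLIENT` was 1 and is now 2, which is the value of `X509_TRUST_BIT_SSL_SERVER`. This diff is limited to crypto/x509, so whether such callers remain is not visible here; every remaining use of the old names should be checked. I would also extend the comment above the defines to `/* Bit values for trust/notrust; NOT interchangeable with the X509_TRUST_* trust ids defined below */`.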
@@ -276,6 +277,24 @@ typedef struct x509_st
DECLARE_STACK_OF(X509)
DECLARE_ASN1_SET_OF(X509)
+/* This is used for a table of trust checking functions */
+
+typedef struct x509_trust_st {
+ int trust_id;
+ int trust_flags;
+ int (*check_trust)(struct x509_trust_st *, X509 *, int);
+ char *trust_name;
+ int trust_bit;
+ void *usr_data;
+} X509_TRUST;
+
+/* X509 trust ids */
+
+#define X509_TRUST_ANY 1
+#define X509_TRUST_SSL_CLIENT 2
+#define X509_TRUST_SSL_SERVER 3
+#define X509_TRUST_EMAIL 4
+
typedef struct X509_revoked_st
{
ASN1_INTEGER *serialNumber;
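Review bot: The `check_trust` callback in `x509_trust_st` has no documented contract: nothing says what its `int` argument carries or which return value means trusted and which means rejected. For a hook that decides certificate trust, an implementer who guesses the convention wrong can end up accepting what should be refused. I would put a comment on the member that spells out the return convention and the meaning of the third argument, and one line each on `trust_flags`, `trust_bit` and `usr_data`. In particular it should say whether `trust_bit` holds one of the `X509_TRUST_BIT_*` values and who owns `usr_data`. If the table entries are built from string literals (not visible in this hunk), `const char *trust_name;` would be the safer declaration.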
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 82e7fa50a7..837b81f154 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -383,7 +383,10 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type,
X509_STORE_CTX *X509_STORE_CTX_new(void)
{
- return (X509_STORE_CTX *)Malloc(sizeof(X509_STORE_CTX));
+ X509_STORE_CTX *ctx;
+ ctx = (X509_STORE_CTX *)Malloc(sizeof(X509_STORE_CTX));
+ if(ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
+ return ctx;
}
void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
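Review bot: The new body of `X509_STORE_CTX_new` does not say why the context is zeroed or that the function can still return NULL when `Malloc` fails. I would add `/* Zero-fill so members the caller never sets read as 0/NULL instead of stale heap data; returns NULL on allocation failure */` above the `memset`. Writing the size as `sizeof(*ctx)` in both the `Malloc` and `memset` calls would keep it tied to the pointer's type. `memset` needs `<string.h>`, and the includes of x509_lu.c are outside this hunk, so confirm it is already in scope. `X509_STORE_CTX_free` continues past the end of the hunk.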