diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 929d2b3ade..a6f6215dca 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1480,62 +1480,40 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) {
 }
 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) {
-  return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
-}
+  // If |purpose| is zero, this function historically silently did nothing.
+  if (purpose == 0) {
+    return 1;
+  }
-int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) {
-  return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
-}
-
-// This function is used to set the X509_STORE_CTX purpose and trust values.
-// This is intended to be used when another structure has its own trust and
-// purpose values which (if set) will be inherited by the ctx. If they aren't
-// set then we will usually have a default purpose in mind which should then
-// be used to set the trust value. An example of this is SSL use: an SSL
-// structure will have its own purpose and trust settings which the
-// application can set: if they aren't set then we use the default of SSL
-// client/server.
-
-int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
-                                   int purpose, int trust) {
-  int idx;
-  // If purpose not set use default
-  if (!purpose) {
-    purpose = def_purpose;
-  }
-  // If we have a purpose then check it is valid
-  if (purpose) {
-    idx = X509_PURPOSE_get_by_id(purpose);
-    if (idx == -1) {
-      OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
-      return 0;
-    }
-    const X509_PURPOSE *ptmp = X509_PURPOSE_get0(idx);
-    if (ptmp->trust == X509_TRUST_DEFAULT) {
-      idx = X509_PURPOSE_get_by_id(def_purpose);
-      if (idx == -1) {
-        OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
-        return 0;
-      }
-      ptmp = X509_PURPOSE_get0(idx);
-    }
-    // If trust not set then get from purpose default
-    if (!trust) {
-      trust = ptmp->trust;
-    }
+  int idx = X509_PURPOSE_get_by_id(purpose);
+  if (idx == -1) {
+    OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
+    return 0;
   }
-  if (trust) {
-    idx = X509_TRUST_get_by_id(trust);
-    if (idx == -1) {
-      OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
-      return 0;
-    }
+
+  int trust = X509_PURPOSE_get_trust(X509_PURPOSE_get0(idx));
+  if (!X509_STORE_CTX_set_trust(ctx, trust)) {
+    return 0;
   }
-  if (purpose && !ctx->param->purpose) {
+  if (ctx->param->purpose == 0) {
     ctx->param->purpose = purpose;
   }
-  if (trust && !ctx->param->trust) {
+  return 1;
+}
+
+int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) {
+  // If |trust| is zero, this function historically silently did nothing.
+  if (trust == 0) {
+    return 1;
+  }
+
+  if (X509_TRUST_get_by_id(trust) == -1) {
+    OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
+    return 0;
+  }
+
+  if (ctx->param->trust == 0) {
     ctx->param->trust = trust;
   }
   return 1;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 29a4930365..ff18c481af 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
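Review bot: The X509_TRUST_DEFAULT case of the removed X509_STORE_CTX_purpose_inherit changes outcome without a comment: the old code, on a purpose whose X509_PURPOSE entry has trust X509_TRUST_DEFAULT, re-looked-up |def_purpose| (always 0 from the two callers shown, so presumably an X509_R_UNKNOWN_PURPOSE_ID failure), whereas the new X509_STORE_CTX_set_purpose passes that value to X509_STORE_CTX_set_trust, which returns 1 without touching |ctx->param->trust| if X509_TRUST_DEFAULT is zero, or fails with X509_R_UNKNOWN_TRUST_ID otherwise. Whether any built-in purpose carries X509_TRUST_DEFAULT is not visible in this hunk, but if the new behaviour is intended, a comment above `int trust = X509_PURPOSE_get_trust(X509_PURPOSE_get0(idx));` such as `// A purpose whose trust is X509_TRUST_DEFAULT leaves |ctx->param->trust| unchanged instead of failing as purpose_inherit did.` plus a test for such a purpose id would record it. The closing brace of X509_STORE_CTX_set_trust lies past the end of the hunk.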
@@ -4289,12 +4289,6 @@ OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(
 OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, STACK_OF(X509_CRL) *sk);
-// X509_STORE_CTX_purpose_inherit is an internal implementation detail that will
-// shortly be removed.
-OPENSSL_EXPORT int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx,
-                                                  int def_purpose, int purpose,
-                                                  int trust);
-
 // X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s
 // verification flags. |flags| should be a combination of |X509_V_FLAG_*|
 // constants.