Add cert_self_signed function to simplify verify.
(Imported from upstream's ced6dc5cefca57b08e077951a9710c33b709e99e)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 4578780..4791d1d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -148,6 +148,15 @@
return X509_subject_name_cmp(*a,*b);
}
#endif
+/* Return 1 is a certificate is self signed */
+static int cert_self_signed(X509 *x)
+ {
+ X509_check_purpose(x, -1, 0);
+ if (x->ex_flags & EXFLAG_SS)
+ return 1;
+ else
+ return 0;
+ }
/* Given a certificate try and find an exact match in the store */
@@ -229,8 +238,8 @@
*/
/* If we are self signed, we break */
- if (ctx->check_issued(ctx, x,x)) break;
-
+ if (cert_self_signed(x))
+ break;
/* If asked see if we can find issuer in trusted store first */
if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
{
@@ -281,7 +290,7 @@
i=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,i-1);
- if (ctx->check_issued(ctx, x, x))
+ if (cert_self_signed(x))
{
/* we have a self signed certificate */
if (sk_X509_num(ctx->chain) == 1)
@@ -329,7 +338,8 @@
if (depth < num) break;
/* If we are self signed, we break */
- if (ctx->check_issued(ctx,x,x)) break;
+ if (cert_self_signed(x))
+ break;
ok = ctx->get_issuer(&xtmp, ctx, x);
