Simplify some logic around X509_verify_cert callbacks If we simply set ctx->get_crl to get_crl, as the other callbacks do, we don't need to branch at the call site. Also get_issuer no longer needs to be a callback. We can just check if X509_STORE_CTX_set0_trusted_stack was called. Change-Id: I42235f141ee9f8463631f56471c12324a8755bba Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64988 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>

commit: d1831d78c867ba51b3992ccc213fd201d2f4b0f1 [log] [tgz]
author: David Benjamin <davidben@google.com> Wed Dec 20 12:55:23 2023 -0500
committer: Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Dec 20 21:14:47 2023 +0000
tree: debc77905a263d173b911e96684aa5c04610c893
parent: b083a69e5b9a38fcbae710b0c2081de0235d509b [diff]
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index ba4d6a2..8fe59c7 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h

@@ -3789,7 +3789,9 @@
                                        X509 *x509, STACK_OF(X509) *chain);
 
 // X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates
-// in |sk|. |sk| must remain valid for the duration of |ctx|.
+// in |sk|. |sk| must remain valid for the duration of |ctx|. Calling this
+// function causes |ctx| to ignore any certificates configured in the
+// |X509_STORE|.
 //
 // WARNING: This function differs from most |set0| functions in that it does not
 // take ownership of its input. The caller is required to ensure the lifetimes
commit	d1831d78c867ba51b3992ccc213fd201d2f4b0f1	[log] [tgz]
author	David Benjamin <davidben@google.com>	Wed Dec 20 12:55:23 2023 -0500
committer	Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>	Wed Dec 20 21:14:47 2023 +0000
tree	debc77905a263d173b911e96684aa5c04610c893
parent	b083a69e5b9a38fcbae710b0c2081de0235d509b [diff]