hey there. my software's operating in both client and server mode, and
needs a different verify function depending on the two.
i've used SSL_CTX_set_verify() to set the default callback. i'm usually
acting as a server, so i set it to my client cert verification function.
when i want to connect to my server, i first get a new SSL * with
SSL_new(), then attempt to change the callback function via
SSL_set_verify(). said function is never called.
i believe i have traced the problem to the following code:
SSL_CTX_set_verify sets the cb for its cert store in ssl/ssl_lib.c:
    ctx->verify_mode=mode;
    ctx->default_verify_callback=cb;
    /* This needs cleaning up EAY EAY EAY */
    X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
while SSL_set_verify only sets the SSL's callback:
    s->verify_mode=mode;
    if (callback != NULL)
        s->verify_callback=callback;
    }
then, in ssl_verify_cert_chain (ssl/ssl_cert.c), we call
X509_verify_cert with the CTX's cert store (line 469):
    i=X509_verify_cert(&ctx);
and X509_verify_cert only has access to the cb member of ctx, which was
set by SSL_CTX_set_verify(), but not by SSL_set_verify() here in
crypto/x509/x509_vfy.c.
    cb=ctx->verify_cb;
    if (cb == NULL) cb=null_callback;
it seems this should be fixed by allowing X509_verify_cert a second
parameter, which is the callback if non-NULL. otherwise, use the
default callback.
--
nicholas black ([EMAIL PROTECTED]) -=- developer, trellis network security
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
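The following is an added example, not OpenSSL source and not code from the poster: a small self-contained C model of the two callback lookups the post describes, so the effect can be seen without building OpenSSL. The type and function names (model_store, model_ctx, model_ssl, resolve_cb_store_only, resolve_cb_with_override, which_callback_runs) and the two numbered callbacks are constructed for illustration. The store-only lookup reproduces what the post observes: a connection that called SSL_set_verify still runs the CTX-wide callback, so in the post's setup a client connection would be verified by the server's client-certificate policy. The override lookup implements the fix the post proposes, preferring a non-NULL per-connection callback and otherwise falling back to the default.

```c
/* Added example, not OpenSSL code: a model of the verify-callback lookup
 * described in the post. All names below are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>

typedef int (*verify_cb_t)(int ok);

typedef struct { verify_cb_t verify_cb; } model_store;  /* stands in for X509_STORE */

typedef struct {                                        /* stands in for SSL_CTX */
    int verify_mode;
    verify_cb_t default_verify_callback;
    model_store *cert_store;
} model_ctx;

typedef struct {                                        /* stands in for SSL */
    model_ctx *ctx;
    int verify_mode;
    verify_cb_t verify_callback;
} model_ssl;

/* Two distinguishable policies: the server-side callback returns 100,
 * the client-side callback returns 200, so we can see which one ran. */
int server_client_cert_cb(int ok) { (void)ok; return 100; }
int client_server_cert_cb(int ok) { (void)ok; return 200; }
static int null_callback(int ok) { return ok; }

/* Mirrors SSL_CTX_set_verify: records the CTX default and pushes it into the store. */
void model_ctx_set_verify(model_ctx *ctx, int mode, verify_cb_t cb) {
    ctx->verify_mode = mode;
    ctx->default_verify_callback = cb;
    ctx->cert_store->verify_cb = cb;
}

/* Mirrors SSL_set_verify: only the connection's own fields change. */
void model_ssl_set_verify(model_ssl *s, int mode, verify_cb_t cb) {
    s->verify_mode = mode;
    if (cb != NULL)
        s->verify_callback = cb;
}

/* The lookup the post observes: X509_verify_cert only sees the store's callback. */
verify_cb_t resolve_cb_store_only(const model_ssl *s) {
    verify_cb_t cb = s->ctx->cert_store->verify_cb;
    return cb != NULL ? cb : null_callback;
}

/* The lookup the post proposes: a non-NULL per-connection callback wins,
 * otherwise fall back to the context default. */
verify_cb_t resolve_cb_with_override(const model_ssl *s) {
    if (s->verify_callback != NULL)
        return s->verify_callback;
    return resolve_cb_store_only(s);
}

/* Reproduce the post's scenario: the CTX is configured for server use, then one
 * outgoing connection asks for its own callback. Returns the value of whichever
 * callback actually runs: 100 (server policy), 200 (client policy) or 0 (none). */
int which_callback_runs(int use_override, int set_per_ssl_cb) {
    model_store store = { NULL };
    model_ctx ctx = { 0, NULL, &store };
    model_ssl s = { &ctx, 0, NULL };

    model_ctx_set_verify(&ctx, 1, server_client_cert_cb);
    if (set_per_ssl_cb)
        model_ssl_set_verify(&s, 1, client_server_cert_cb);

    verify_cb_t cb = use_override ? resolve_cb_with_override(&s)
                                  : resolve_cb_store_only(&s);
    return cb(0);
}

int main(void) {
    printf("store-only lookup, per-SSL cb set: %d (server policy ran on a client connection)\n",
           which_callback_runs(0, 1));
    printf("override lookup,   per-SSL cb set: %d (client policy ran)\n",
           which_callback_runs(1, 1));
    printf("override lookup,   no per-SSL cb:  %d (fell back to the default)\n",
           which_callback_runs(1, 0));
    return 0;
}
```

The practical check this suggests: when a process mixes client and server roles on one SSL_CTX, do not assume a later SSL_set_verify took effect; confirm the intended callback actually fires (a counter or log line inside each callback is enough), because a silently ignored callback means the connection is verified under the wrong policy. Current OpenSSL releases install the per-SSL callback into the X509_STORE_CTX before X509_verify_cert runs, which is the behaviour the override lookup above models.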