Add cert_self_signed function to simplify verify.

(Imported from upstream's ced6dc5cefca57b08e077951a9710c33b709e99e)

1 files changed, 14 insertions, 4 deletions

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 45787807..4791d1d9 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -148,6 +148,15 @@ static int x509_subject_cmp(X509 **a, X509 **b)
 	return X509_subject_name_cmp(*a,*b);
 	}
 #endif
+/* Return 1 is a certificate is self signed */
+static int cert_self_signed(X509 *x)
+	{
+	X509_check_purpose(x, -1, 0);
+	if (x->ex_flags & EXFLAG_SS)
+		return 1;
+	else
+		return 0;
+	}
 
 /* Given a certificate try and find an exact match in the store */
 
@@ -229,8 +238,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		                         */
 
 		/* If we are self signed, we break */
-		if (ctx->check_issued(ctx, x,x)) break;
-
+		if (cert_self_signed(x))
+			break;
 		/* If asked see if we can find issuer in trusted store first */
 		if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
 			{
@@ -281,7 +290,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
 	i=sk_X509_num(ctx->chain);
 	x=sk_X509_value(ctx->chain,i-1);
-	if (ctx->check_issued(ctx, x, x))
+	if (cert_self_signed(x))
 		{
 		/* we have a self signed certificate */
 		if (sk_X509_num(ctx->chain) == 1)
@@ -329,7 +338,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		if (depth < num) break;
 
 		/* If we are self signed, we break */
-		if (ctx->check_issued(ctx,x,x)) break;
+		if (cert_self_signed(x))
+			break;
 
 		ok = ctx->get_issuer(&xtmp, ctx, x);