Split X509_check_ca() into a small self and an internal function

check_ca(), to resolve constness issue. check_ca() is called from the purpose checkers instead of X509_check_ca(), since the stuff done by the latter (except for calling check_ca()) is also done by X509_check_purpose().
2004-11-30 12:18:55 +00:00 · 2004-11-30 12:18:55 +00:00 · 5073ff0346
commit 5073ff0346
parent fc7fc5678f
1 changed files with 16 additions and 11 deletions
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@ -425,14 +425,8 @@ static void x509v3_cache_extensions(X509 *x)
 #define ns_reject(x, usage) \
 	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))

-int X509_check_ca(X509 *x)
+static int check_ca(const X509 *x)
 {
-	if(!(x->ex_flags & EXFLAG_SET)) {
-		CRYPTO_w_lock(CRYPTO_LOCK_X509);
-		x509v3_cache_extensions(x);
-		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-	}
-
 	/* keyUsage if present should allow cert signing */
 	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
 	if(x->ex_flags & EXFLAG_BCONS) {
@ -454,11 +448,22 @@ int X509_check_ca(X509 *x)
 	}
 }

+int X509_check_ca(X509 *x)
+{
+	if(!(x->ex_flags & EXFLAG_SET)) {
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+		x509v3_cache_extensions(x);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+	}
+
+	return check_ca(x);
+}
+
 /* Check SSL CA: common checks for SSL client and server */
 static int check_ssl_ca(const X509 *x)
 {
 	int ca_ret;
-	ca_ret = X509_check_ca(x);
+	ca_ret = check_ca(x);
 	if(!ca_ret) return 0;
 	/* check nsCertType if present */
 	if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
@ -506,7 +511,7 @@ static int purpose_smime(const X509 *x, int ca)
 	if(xku_reject(x,XKU_SMIME)) return 0;
 	if(ca) {
 		int ca_ret;
-		ca_ret = X509_check_ca(x);
+		ca_ret = check_ca(x);
 		if(!ca_ret) return 0;
 		/* check nsCertType if present */
 		if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
@ -543,7 +548,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
 	if(ca) {
 		int ca_ret;
-		if((ca_ret = X509_check_ca(x)) != 2) return ca_ret;
+		if((ca_ret = check_ca(x)) != 2) return ca_ret;
 		else return 0;
 	}
 	if(ku_reject(x, KU_CRL_SIGN)) return 0;
@ -558,7 +563,7 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
 	/* Must be a valid CA.  Should we really support the "I don't know"
 	   value (2)? */
-	if(ca) return X509_check_ca(x);
+	if(ca) return check_ca(x);
 	/* leaf certificate is checked in OCSP_verify() */
 	return 1;
 }