modify the X509_VERIFY_PARAM already owned by the X509_STORE_CTX instead of allocating a fresh one, much like `ssl_verify_cert_chain` of OpenSSL does
diff --git a/lib/openssl.c b/lib/openssl.c
index 3ce0397..2dd3dd1 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -63,6 +63,7 @@
#define EVP_PKEY_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_EVP_PKEY)
#define X509_STORE_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_X509_STORE)
+#define X509_STORE_get0_param(p) ((p)->param)
static HMAC_CTX *HMAC_CTX_new(void)
{
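Review bot: The new shim on the `+` line defines `X509_STORE_get0_param` (the X509_STORE accessor), but the call this commit introduces in verify_cert_chain is `X509_STORE_CTX_get0_param`, which has been a real function since OpenSSL 1.0.0 and needs no compatibility macro; nothing in this diff uses the macro being added, so unless it backs a use outside these hunks it is dead. If it is kept, note that it reaches into `(p)->param`, which is opaque from 1.1.0 on, so it must stay under the same pre-1.1.0 `#if` that presumably guards the neighbouring `*_up_ref` defines (the guard itself is not visible in this hunk). Consider dropping it, or adding `/* X509_STORE_get0_param() is only missing before 1.1.0; X509_STORE_CTX_get0_param() exists in all supported versions */` so the next reader does not mistake it for the shim behind the new call.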
@@ -1229,14 +1230,11 @@
goto Exit;
}
- {
- X509_VERIFY_PARAM *params;
- if ((params = X509_VERIFY_PARAM_new()) == NULL) {
- ret = PTLS_ERROR_NO_MEMORY;
- goto Exit;
- }
+ { /* setup verify params */
+ X509_VERIFY_PARAM *params = X509_STORE_CTX_get0_param(verify_ctx);
X509_VERIFY_PARAM_set_purpose(params, is_server ? X509_PURPOSE_SSL_SERVER : X509_PURPOSE_SSL_CLIENT);
X509_VERIFY_PARAM_set_depth(params, 98); /* use the default of OpenSSL 1.0.2 and above; see `man SSL_CTX_set_verify` */
+ /* when _acting_ as client, set the server name */
if (!is_server) {
assert(server_name != NULL && "ptls_set_server_name MUST be called");
if (server_name != NULL) {
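Review bot: The purpose constants on the `X509_VERIFY_PARAM_set_purpose` line look swapped relative to the new comment and the `!is_server` branch below it: if `is_server` means this endpoint is the server (which setting `server_name` only when `!is_server` implies), then the certificate being verified is the peer's, so a server should verify with `X509_PURPOSE_SSL_CLIENT` and a client with `X509_PURPOSE_SSL_SERVER`; as written a client checks the server's certificate against the clientAuth EKU, which only passes when the server cert happens to carry both EKUs. Since the commit aims for parity with `ssl_verify_cert_chain`, the closest equivalent is `X509_STORE_CTX_set_default(verify_ctx, is_server ? "ssl_client" : "ssl_server");` in place of the set_purpose call, which sets the matching trust id as well — `X509_VERIFY_PARAM_set_purpose` alone leaves `trust` unset, so trust evaluation falls back to OpenSSL's generic default rather than the SSL-specific one. Separately, now that `params` is the ctx's own param (inherited from the application's X509_STORE at `X509_STORE_CTX_init`), the unconditional `X509_VERIFY_PARAM_set_depth(params, 98)` overwrites any depth the application configured on the store; worth a comment stating that this is intended, e.g. `/* NOTE: overrides any depth set on the X509_STORE */`. verify_cert_chain begins and ends outside this hunk.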
@@ -1248,7 +1246,6 @@
}
}
}
- X509_STORE_CTX_set0_param(verify_ctx, params); /* params will be freed alongside verify_ctx */
}
if (X509_verify_cert(verify_ctx) != 1) {