x509_vpm.c 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657
  1. /*
  2. * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/crypto.h>
  12. #include <openssl/buffer.h>
  13. #include <openssl/x509.h>
  14. #include <openssl/x509v3.h>
  15. #include "crypto/x509.h"
  16. #include "x509_local.h"
  17. /* X509_VERIFY_PARAM functions */
  18. #define SET_HOST 0
  19. #define ADD_HOST 1
  20. static char *str_copy(const char *s)
  21. {
  22. return OPENSSL_strdup(s);
  23. }
  24. static void str_free(char *s)
  25. {
  26. OPENSSL_free(s);
  27. }
  28. static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
  29. const char *name, size_t namelen)
  30. {
  31. char *copy;
  32. /*
  33. * Refuse names with embedded NUL bytes, except perhaps as final byte.
  34. * XXX: Do we need to push an error onto the error stack?
  35. */
  36. if (namelen == 0 || name == NULL)
  37. namelen = name ? strlen(name) : 0;
  38. else if (name != NULL
  39. && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen) != NULL)
  40. return 0;
  41. if (namelen > 0 && name[namelen - 1] == '\0')
  42. --namelen;
  43. if (mode == SET_HOST) {
  44. sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
  45. vpm->hosts = NULL;
  46. }
  47. if (name == NULL || namelen == 0)
  48. return 1;
  49. copy = OPENSSL_strndup(name, namelen);
  50. if (copy == NULL)
  51. return 0;
  52. if (vpm->hosts == NULL &&
  53. (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
  54. OPENSSL_free(copy);
  55. return 0;
  56. }
  57. if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
  58. OPENSSL_free(copy);
  59. if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
  60. sk_OPENSSL_STRING_free(vpm->hosts);
  61. vpm->hosts = NULL;
  62. }
  63. return 0;
  64. }
  65. return 1;
  66. }
  67. X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
  68. {
  69. X509_VERIFY_PARAM *param;
  70. param = OPENSSL_zalloc(sizeof(*param));
  71. if (param == NULL)
  72. return NULL;
  73. param->trust = X509_TRUST_DEFAULT;
  74. /* param->inh_flags = X509_VP_FLAG_DEFAULT; */
  75. param->depth = -1;
  76. param->auth_level = -1; /* -1 means unset, 0 is explicit */
  77. return param;
  78. }
  79. void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
  80. {
  81. if (param == NULL)
  82. return;
  83. sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
  84. sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
  85. OPENSSL_free(param->peername);
  86. OPENSSL_free(param->email);
  87. OPENSSL_free(param->ip);
  88. OPENSSL_free(param);
  89. }
  90. /*-
  91. * This function determines how parameters are "inherited" from one structure
  92. * to another. There are several different ways this can happen.
  93. *
  94. * 1. If a child structure needs to have its values initialized from a parent
  95. * they are simply copied across. For example SSL_CTX copied to SSL.
  96. * 2. If the structure should take on values only if they are currently unset.
  97. * For example the values in an SSL structure will take appropriate value
  98. * for SSL servers or clients but only if the application has not set new
  99. * ones.
  100. *
  101. * The "inh_flags" field determines how this function behaves.
  102. *
  103. * Normally any values which are set in the default are not copied from the
  104. * destination and verify flags are ORed together.
  105. *
  106. * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
  107. * to the destination. Effectively the values in "to" become default values
  108. * which will be used only if nothing new is set in "from".
  109. *
  110. * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
  111. * they are set or not. Flags is still Ored though.
  112. *
  113. * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
  114. * of ORed.
  115. *
  116. * If X509_VP_FLAG_LOCKED is set then no values are copied.
  117. *
  118. * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
  119. * after the next call.
  120. */
  121. /* Macro to test if a field should be copied from src to dest */
  122. #define test_x509_verify_param_copy(field, def) \
  123. (to_overwrite || (src->field != def && (to_default || dest->field == def)))
  124. /* Macro to test and copy a field if necessary */
  125. #define x509_verify_param_copy(field, def) \
  126. if (test_x509_verify_param_copy(field, def)) \
  127. dest->field = src->field;
  128. int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
  129. const X509_VERIFY_PARAM *src)
  130. {
  131. unsigned long inh_flags;
  132. int to_default, to_overwrite;
  133. if (src == NULL)
  134. return 1;
  135. inh_flags = dest->inh_flags | src->inh_flags;
  136. if ((inh_flags & X509_VP_FLAG_ONCE) != 0)
  137. dest->inh_flags = 0;
  138. if ((inh_flags & X509_VP_FLAG_LOCKED) != 0)
  139. return 1;
  140. to_default = (inh_flags & X509_VP_FLAG_DEFAULT) != 0;
  141. to_overwrite = (inh_flags & X509_VP_FLAG_OVERWRITE) != 0;
  142. x509_verify_param_copy(purpose, 0);
  143. x509_verify_param_copy(trust, X509_TRUST_DEFAULT);
  144. x509_verify_param_copy(depth, -1);
  145. x509_verify_param_copy(auth_level, -1);
  146. /* If overwrite or check time not set, copy across */
  147. if (to_overwrite || (dest->flags & X509_V_FLAG_USE_CHECK_TIME) == 0) {
  148. dest->check_time = src->check_time;
  149. dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
  150. /* Don't need to copy flag: that is done below */
  151. }
  152. if ((inh_flags & X509_VP_FLAG_RESET_FLAGS) != 0)
  153. dest->flags = 0;
  154. dest->flags |= src->flags;
  155. if (test_x509_verify_param_copy(policies, NULL)) {
  156. if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
  157. return 0;
  158. }
  159. x509_verify_param_copy(hostflags, 0);
  160. if (test_x509_verify_param_copy(hosts, NULL)) {
  161. sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
  162. dest->hosts = NULL;
  163. if (src->hosts != NULL) {
  164. dest->hosts =
  165. sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
  166. if (dest->hosts == NULL)
  167. return 0;
  168. }
  169. }
  170. if (test_x509_verify_param_copy(email, NULL)) {
  171. if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
  172. return 0;
  173. }
  174. if (test_x509_verify_param_copy(ip, NULL)) {
  175. if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
  176. return 0;
  177. }
  178. return 1;
  179. }
  180. int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
  181. const X509_VERIFY_PARAM *from)
  182. {
  183. unsigned long save_flags;
  184. int ret;
  185. if (to == NULL) {
  186. ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
  187. return 0;
  188. }
  189. save_flags = to->inh_flags;
  190. to->inh_flags |= X509_VP_FLAG_DEFAULT;
  191. ret = X509_VERIFY_PARAM_inherit(to, from);
  192. to->inh_flags = save_flags;
  193. return ret;
  194. }
  195. static int int_x509_param_set1(char **pdest, size_t *pdestlen,
  196. const char *src, size_t srclen)
  197. {
  198. char *tmp;
  199. if (src != NULL) {
  200. if (srclen == 0)
  201. srclen = strlen(src);
  202. tmp = OPENSSL_malloc(srclen + 1);
  203. if (tmp == NULL)
  204. return 0;
  205. memcpy(tmp, src, srclen);
  206. tmp[srclen] = '\0'; /* enforce NUL termination */
  207. } else {
  208. tmp = NULL;
  209. srclen = 0;
  210. }
  211. OPENSSL_free(*pdest);
  212. *pdest = tmp;
  213. if (pdestlen != NULL)
  214. *pdestlen = srclen;
  215. return 1;
  216. }
  217. int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
  218. {
  219. OPENSSL_free(param->name);
  220. param->name = OPENSSL_strdup(name);
  221. return param->name != NULL;
  222. }
  223. int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
  224. {
  225. param->flags |= flags;
  226. if ((flags & X509_V_FLAG_POLICY_MASK) != 0)
  227. param->flags |= X509_V_FLAG_POLICY_CHECK;
  228. return 1;
  229. }
  230. int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
  231. unsigned long flags)
  232. {
  233. param->flags &= ~flags;
  234. return 1;
  235. }
  236. unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param)
  237. {
  238. return param->flags;
  239. }
  240. uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param)
  241. {
  242. return param->inh_flags;
  243. }
  244. int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
  245. {
  246. param->inh_flags = flags;
  247. return 1;
  248. }
  249. int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
  250. {
  251. return X509_PURPOSE_set(&param->purpose, purpose);
  252. }
  253. int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
  254. {
  255. return X509_TRUST_set(&param->trust, trust);
  256. }
  257. void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
  258. {
  259. param->depth = depth;
  260. }
  261. void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level)
  262. {
  263. param->auth_level = auth_level;
  264. }
  265. time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param)
  266. {
  267. return param->check_time;
  268. }
  269. void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
  270. {
  271. param->check_time = t;
  272. param->flags |= X509_V_FLAG_USE_CHECK_TIME;
  273. }
  274. int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
  275. ASN1_OBJECT *policy)
  276. {
  277. if (param->policies == NULL) {
  278. param->policies = sk_ASN1_OBJECT_new_null();
  279. if (param->policies == NULL)
  280. return 0;
  281. }
  282. if (sk_ASN1_OBJECT_push(param->policies, policy) <= 0)
  283. return 0;
  284. return 1;
  285. }
  286. int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
  287. STACK_OF(ASN1_OBJECT) *policies)
  288. {
  289. int i;
  290. ASN1_OBJECT *oid, *doid;
  291. if (param == NULL) {
  292. ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
  293. return 0;
  294. }
  295. sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
  296. if (policies == NULL) {
  297. param->policies = NULL;
  298. return 1;
  299. }
  300. param->policies = sk_ASN1_OBJECT_new_null();
  301. if (param->policies == NULL)
  302. return 0;
  303. for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
  304. oid = sk_ASN1_OBJECT_value(policies, i);
  305. doid = OBJ_dup(oid);
  306. if (doid == NULL)
  307. return 0;
  308. if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
  309. ASN1_OBJECT_free(doid);
  310. return 0;
  311. }
  312. }
  313. param->flags |= X509_V_FLAG_POLICY_CHECK;
  314. return 1;
  315. }
  316. char *X509_VERIFY_PARAM_get0_host(X509_VERIFY_PARAM *param, int idx)
  317. {
  318. return sk_OPENSSL_STRING_value(param->hosts, idx);
  319. }
  320. int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
  321. const char *name, size_t namelen)
  322. {
  323. return int_x509_param_set_hosts(param, SET_HOST, name, namelen);
  324. }
  325. int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
  326. const char *name, size_t namelen)
  327. {
  328. return int_x509_param_set_hosts(param, ADD_HOST, name, namelen);
  329. }
  330. void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
  331. unsigned int flags)
  332. {
  333. param->hostflags = flags;
  334. }
  335. unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)
  336. {
  337. return param->hostflags;
  338. }
  339. char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param)
  340. {
  341. return param->peername;
  342. }
  343. /*
  344. * Move peername from one param structure to another, freeing any name present
  345. * at the target. If the source is a NULL parameter structure, free and zero
  346. * the target peername.
  347. */
  348. void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to,
  349. X509_VERIFY_PARAM *from)
  350. {
  351. char *peername = (from != NULL) ? from->peername : NULL;
  352. if (to->peername != peername) {
  353. OPENSSL_free(to->peername);
  354. to->peername = peername;
  355. }
  356. if (from != NULL)
  357. from->peername = NULL;
  358. }
  359. char *X509_VERIFY_PARAM_get0_email(X509_VERIFY_PARAM *param)
  360. {
  361. return param->email;
  362. }
  363. int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
  364. const char *email, size_t emaillen)
  365. {
  366. return int_x509_param_set1(&param->email, &param->emaillen,
  367. email, emaillen);
  368. }
  369. static unsigned char
  370. *int_X509_VERIFY_PARAM_get0_ip(X509_VERIFY_PARAM *param, size_t *plen)
  371. {
  372. if (param == NULL || param->ip == NULL) {
  373. ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
  374. return NULL;
  375. }
  376. if (plen != NULL)
  377. *plen = param->iplen;
  378. return param->ip;
  379. }
  380. char *X509_VERIFY_PARAM_get1_ip_asc(X509_VERIFY_PARAM *param)
  381. {
  382. size_t iplen;
  383. unsigned char *ip = int_X509_VERIFY_PARAM_get0_ip(param, &iplen);
  384. return ip == NULL ? NULL : ossl_ipaddr_to_asc(ip, iplen);
  385. }
  386. int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
  387. const unsigned char *ip, size_t iplen)
  388. {
  389. if (iplen != 0 && iplen != 4 && iplen != 16) {
  390. ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT);
  391. return 0;
  392. }
  393. return int_x509_param_set1((char **)&param->ip, &param->iplen,
  394. (char *)ip, iplen);
  395. }
  396. int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
  397. {
  398. unsigned char ipout[16];
  399. size_t iplen = (size_t)ossl_a2i_ipadd(ipout, ipasc);
  400. if (iplen == 0)
  401. return 0;
  402. return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
  403. }
  404. int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
  405. {
  406. return param->depth;
  407. }
  408. int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param)
  409. {
  410. return param->auth_level;
  411. }
  412. const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
  413. {
  414. return param->name;
  415. }
  416. #define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0
  417. /*
  418. * Default verify parameters: these are used for various applications and can
  419. * be overridden by the user specified table. NB: the 'name' field *must* be
  420. * in alphabetical order because it will be searched using OBJ_search.
  421. */
  422. static const X509_VERIFY_PARAM default_table[] = {
  423. {
  424. "code_sign", /* Code sign parameters */
  425. 0, /* check time to use */
  426. 0, /* inheritance flags */
  427. 0, /* flags */
  428. X509_PURPOSE_CODE_SIGN, /* purpose */
  429. X509_TRUST_OBJECT_SIGN, /* trust */
  430. -1, /* depth */
  431. -1, /* auth_level */
  432. NULL, /* policies */
  433. vpm_empty_id
  434. },
  435. {
  436. "default", /* X509 default parameters */
  437. 0, /* check time to use */
  438. 0, /* inheritance flags */
  439. X509_V_FLAG_TRUSTED_FIRST, /* flags */
  440. 0, /* purpose */
  441. 0, /* trust */
  442. 100, /* depth */
  443. -1, /* auth_level */
  444. NULL, /* policies */
  445. vpm_empty_id
  446. },
  447. {
  448. "pkcs7", /* S/MIME sign parameters */
  449. 0, /* check time to use */
  450. 0, /* inheritance flags */
  451. 0, /* flags */
  452. X509_PURPOSE_SMIME_SIGN, /* purpose */
  453. X509_TRUST_EMAIL, /* trust */
  454. -1, /* depth */
  455. -1, /* auth_level */
  456. NULL, /* policies */
  457. vpm_empty_id
  458. },
  459. {
  460. "smime_sign", /* S/MIME sign parameters */
  461. 0, /* check time to use */
  462. 0, /* inheritance flags */
  463. 0, /* flags */
  464. X509_PURPOSE_SMIME_SIGN, /* purpose */
  465. X509_TRUST_EMAIL, /* trust */
  466. -1, /* depth */
  467. -1, /* auth_level */
  468. NULL, /* policies */
  469. vpm_empty_id
  470. },
  471. {
  472. "ssl_client", /* SSL/TLS client parameters */
  473. 0, /* check time to use */
  474. 0, /* inheritance flags */
  475. 0, /* flags */
  476. X509_PURPOSE_SSL_CLIENT, /* purpose */
  477. X509_TRUST_SSL_CLIENT, /* trust */
  478. -1, /* depth */
  479. -1, /* auth_level */
  480. NULL, /* policies */
  481. vpm_empty_id
  482. },
  483. {
  484. "ssl_server", /* SSL/TLS server parameters */
  485. 0, /* check time to use */
  486. 0, /* inheritance flags */
  487. 0, /* flags */
  488. X509_PURPOSE_SSL_SERVER, /* purpose */
  489. X509_TRUST_SSL_SERVER, /* trust */
  490. -1, /* depth */
  491. -1, /* auth_level */
  492. NULL, /* policies */
  493. vpm_empty_id
  494. }
  495. };
  496. static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
  497. static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
  498. {
  499. return strcmp(a->name, b->name);
  500. }
  501. DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
  502. IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
  503. static int param_cmp(const X509_VERIFY_PARAM *const *a,
  504. const X509_VERIFY_PARAM *const *b)
  505. {
  506. return strcmp((*a)->name, (*b)->name);
  507. }
  508. int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
  509. {
  510. int idx;
  511. X509_VERIFY_PARAM *ptmp;
  512. if (param_table == NULL) {
  513. param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
  514. if (param_table == NULL)
  515. return 0;
  516. } else {
  517. idx = sk_X509_VERIFY_PARAM_find(param_table, param);
  518. if (idx >= 0) {
  519. ptmp = sk_X509_VERIFY_PARAM_delete(param_table, idx);
  520. X509_VERIFY_PARAM_free(ptmp);
  521. }
  522. }
  523. if (sk_X509_VERIFY_PARAM_push(param_table, param) <= 0)
  524. return 0;
  525. return 1;
  526. }
  527. int X509_VERIFY_PARAM_get_count(void)
  528. {
  529. int num = OSSL_NELEM(default_table);
  530. if (param_table != NULL)
  531. num += sk_X509_VERIFY_PARAM_num(param_table);
  532. return num;
  533. }
  534. const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
  535. {
  536. int num = OSSL_NELEM(default_table);
  537. if (id < num)
  538. return default_table + id;
  539. return sk_X509_VERIFY_PARAM_value(param_table, id - num);
  540. }
  541. const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
  542. {
  543. int idx;
  544. X509_VERIFY_PARAM pm;
  545. pm.name = (char *)name;
  546. if (param_table != NULL) {
  547. /* Ideally, this would be done under a lock */
  548. sk_X509_VERIFY_PARAM_sort(param_table);
  549. idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
  550. if (idx >= 0)
  551. return sk_X509_VERIFY_PARAM_value(param_table, idx);
  552. }
  553. return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table));
  554. }
  555. void X509_VERIFY_PARAM_table_cleanup(void)
  556. {
  557. sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
  558. param_table = NULL;
  559. }