Lines Matching defs:depth

58 static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
149 * The error depth is |depth| if >= 0, else it defaults to |ctx->error_depth|.
150 * The error cert is |x| if not NULL, else defaults to the chain cert at depth.
154 static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
156 if (depth < 0)
157 depth = ctx->error_depth;
159 ctx->error_depth = depth;
160 ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
166 #define CB_FAIL_IF(cond, ctx, cert, depth, err) \
167 if ((cond) && verify_cb_cert(ctx, cert, depth, err) == 0) \
172 * error depth and certificate are already set, we just specify the error
400 static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
423 if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose)
444 return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);
820 * Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2)
821 * match, we're done, otherwise we'll merely record the match depth.
830 * Check trusted certificates in chain at depth num_untrusted and up.
1710 * If depth >= 0, invoke verification callbacks on error, otherwise just return
1715 int ossl_x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
1728 if (i >= 0 && depth < 0)
1730 CB_FAIL_IF(i == 0, ctx, x, depth, X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD);
1731 CB_FAIL_IF(i > 0, ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID);
1734 if (i <= 0 && depth < 0)
1736 CB_FAIL_IF(i == 0, ctx, x, depth, X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD);
1737 CB_FAIL_IF(i < 0, ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED);
1783 * n is the subject depth
1801 * cert and its depth (rather than n, the depth of the subject).
1836 * Signal success at this depth. However, the previous error (if any)
2152 void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
2154 ctx->error_depth = depth;
2494 void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2496 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2687 static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
2705 mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK;
2708 if (depth >= ctx->num_untrusted)
2742 * As soon as we find a match at any given depth, we stop, because either
2805 * Squirrel away the certificate and depth if we have a match. Any
2814 dane->mdpth = depth;
2830 static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
2836 if (!DANETLS_HAS_TA(dane) || depth == 0)
2840 * Record any DANE trust anchor matches, for the first depth to test, if
2841 * there's one at that depth. (This'll be false for length 1 chains looking
2844 cert = sk_X509_value(ctx->chain, depth);
2845 if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)
2848 ctx->num_untrusted = depth - 1;
2923 * record, the match depth and matching TLSA record are recorded, but the
2946 /* Bypass internal_verify(), issue depth 0 success callback */
2967 * Chain verification for usages 0/1/2. TLSA record matching of depth > 0
3052 if (ctx->param->depth > INT_MAX / 2)
3053 ctx->param->depth = INT_MAX / 2;
3060 max_depth = ctx->param->depth + 1;
3070 * reach the depth limit, we stop extending the chain, if by that point
3074 * maximal valid depth with the current certificate equal to the last
3076 * the callback will report errors at depth=1 when the immediate issuer
3097 * untrusted certificates, not a "depth".
3193 * certificate at depth "num" should be the new trusted