• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <stdio.h>
11 
12 #include "internal/cryptlib.h"
13 #include <openssl/crypto.h>
14 #include <openssl/buffer.h>
15 #include <openssl/x509.h>
16 #include <openssl/x509v3.h>
17 #include "crypto/x509.h"
18 
19 #include "x509_local.h"
20 
21 /* X509_VERIFY_PARAM functions */
22 
23 #define SET_HOST 0
24 #define ADD_HOST 1
25 
str_copy(const char * s)26 static char *str_copy(const char *s)
27 {
28     return OPENSSL_strdup(s);
29 }
30 
str_free(char * s)31 static void str_free(char *s)
32 {
33     OPENSSL_free(s);
34 }
35 
int_x509_param_set_hosts(X509_VERIFY_PARAM * vpm,int mode,const char * name,size_t namelen)36 static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
37                                     const char *name, size_t namelen)
38 {
39     char *copy;
40 
41     /*
42      * Refuse names with embedded NUL bytes, except perhaps as final byte.
43      * XXX: Do we need to push an error onto the error stack?
44      */
45     if (namelen == 0 || name == NULL)
46         namelen = name ? strlen(name) : 0;
47     else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen))
48         return 0;
49     if (namelen > 0 && name[namelen - 1] == '\0')
50         --namelen;
51 
52     if (mode == SET_HOST) {
53         sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
54         vpm->hosts = NULL;
55     }
56     if (name == NULL || namelen == 0)
57         return 1;
58 
59     copy = OPENSSL_strndup(name, namelen);
60     if (copy == NULL)
61         return 0;
62 
63     if (vpm->hosts == NULL &&
64         (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
65         OPENSSL_free(copy);
66         return 0;
67     }
68 
69     if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
70         OPENSSL_free(copy);
71         if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
72             sk_OPENSSL_STRING_free(vpm->hosts);
73             vpm->hosts = NULL;
74         }
75         return 0;
76     }
77 
78     return 1;
79 }
80 
81 
X509_VERIFY_PARAM_new(void)82 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
83 {
84     X509_VERIFY_PARAM *param;
85 
86     param = OPENSSL_zalloc(sizeof(*param));
87     if (param == NULL) {
88         X509err(X509_F_X509_VERIFY_PARAM_NEW, ERR_R_MALLOC_FAILURE);
89         return NULL;
90     }
91     param->trust = X509_TRUST_DEFAULT;
92     /* param->inh_flags = X509_VP_FLAG_DEFAULT; */
93     param->depth = -1;
94     param->auth_level = -1; /* -1 means unset, 0 is explicit */
95     return param;
96 }
97 
X509_VERIFY_PARAM_free(X509_VERIFY_PARAM * param)98 void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
99 {
100     if (param == NULL)
101         return;
102     sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
103     sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
104     OPENSSL_free(param->peername);
105     OPENSSL_free(param->email);
106     OPENSSL_free(param->ip);
107     OPENSSL_free(param);
108 }
109 
110 /*-
111  * This function determines how parameters are "inherited" from one structure
112  * to another. There are several different ways this can happen.
113  *
114  * 1. If a child structure needs to have its values initialized from a parent
115  *    they are simply copied across. For example SSL_CTX copied to SSL.
116  * 2. If the structure should take on values only if they are currently unset.
117  *    For example the values in an SSL structure will take appropriate value
118  *    for SSL servers or clients but only if the application has not set new
119  *    ones.
120  *
121  * The "inh_flags" field determines how this function behaves.
122  *
123  * Normally any values which are set in the default are not copied from the
124  * destination and verify flags are ORed together.
125  *
126  * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
127  * to the destination. Effectively the values in "to" become default values
128  * which will be used only if nothing new is set in "from".
129  *
130  * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
131  * they are set or not. Flags is still Ored though.
132  *
133  * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
134  * of ORed.
135  *
136  * If X509_VP_FLAG_LOCKED is set then no values are copied.
137  *
138  * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
139  * after the next call.
140  */
141 
142 /* Macro to test if a field should be copied from src to dest */
143 
144 #define test_x509_verify_param_copy(field, def) \
145         (to_overwrite || \
146                 ((src->field != def) && (to_default || (dest->field == def))))
147 
148 /* Macro to test and copy a field if necessary */
149 
150 #define x509_verify_param_copy(field, def) \
151         if (test_x509_verify_param_copy(field, def)) \
152                 dest->field = src->field
153 
X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM * dest,const X509_VERIFY_PARAM * src)154 int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
155                               const X509_VERIFY_PARAM *src)
156 {
157     unsigned long inh_flags;
158     int to_default, to_overwrite;
159     if (!src)
160         return 1;
161     inh_flags = dest->inh_flags | src->inh_flags;
162 
163     if (inh_flags & X509_VP_FLAG_ONCE)
164         dest->inh_flags = 0;
165 
166     if (inh_flags & X509_VP_FLAG_LOCKED)
167         return 1;
168 
169     if (inh_flags & X509_VP_FLAG_DEFAULT)
170         to_default = 1;
171     else
172         to_default = 0;
173 
174     if (inh_flags & X509_VP_FLAG_OVERWRITE)
175         to_overwrite = 1;
176     else
177         to_overwrite = 0;
178 
179     x509_verify_param_copy(purpose, 0);
180     x509_verify_param_copy(trust, X509_TRUST_DEFAULT);
181     x509_verify_param_copy(depth, -1);
182     x509_verify_param_copy(auth_level, -1);
183 
184     /* If overwrite or check time not set, copy across */
185 
186     if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
187         dest->check_time = src->check_time;
188         dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
189         /* Don't need to copy flag: that is done below */
190     }
191 
192     if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
193         dest->flags = 0;
194 
195     dest->flags |= src->flags;
196 
197     if (test_x509_verify_param_copy(policies, NULL)) {
198         if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
199             return 0;
200     }
201 
202     x509_verify_param_copy(hostflags, 0);
203 
204     if (test_x509_verify_param_copy(hosts, NULL)) {
205         sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
206         dest->hosts = NULL;
207         if (src->hosts) {
208             dest->hosts =
209                 sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
210             if (dest->hosts == NULL)
211                 return 0;
212         }
213     }
214 
215     if (test_x509_verify_param_copy(email, NULL)) {
216         if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
217             return 0;
218     }
219 
220     if (test_x509_verify_param_copy(ip, NULL)) {
221         if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
222             return 0;
223     }
224 
225     return 1;
226 }
227 
X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM * to,const X509_VERIFY_PARAM * from)228 int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
229                            const X509_VERIFY_PARAM *from)
230 {
231     unsigned long save_flags = to->inh_flags;
232     int ret;
233     to->inh_flags |= X509_VP_FLAG_DEFAULT;
234     ret = X509_VERIFY_PARAM_inherit(to, from);
235     to->inh_flags = save_flags;
236     return ret;
237 }
238 
int_x509_param_set1(char ** pdest,size_t * pdestlen,const char * src,size_t srclen)239 static int int_x509_param_set1(char **pdest, size_t *pdestlen,
240                                const char *src, size_t srclen)
241 {
242     void *tmp;
243     if (src) {
244         if (srclen == 0)
245             srclen = strlen(src);
246 
247         tmp = OPENSSL_memdup(src, srclen);
248         if (tmp == NULL)
249             return 0;
250     } else {
251         tmp = NULL;
252         srclen = 0;
253     }
254     OPENSSL_free(*pdest);
255     *pdest = tmp;
256     if (pdestlen != NULL)
257         *pdestlen = srclen;
258     return 1;
259 }
260 
X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM * param,const char * name)261 int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
262 {
263     OPENSSL_free(param->name);
264     param->name = OPENSSL_strdup(name);
265     if (param->name)
266         return 1;
267     return 0;
268 }
269 
X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM * param,unsigned long flags)270 int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
271 {
272     param->flags |= flags;
273     if (flags & X509_V_FLAG_POLICY_MASK)
274         param->flags |= X509_V_FLAG_POLICY_CHECK;
275     return 1;
276 }
277 
X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM * param,unsigned long flags)278 int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
279                                   unsigned long flags)
280 {
281     param->flags &= ~flags;
282     return 1;
283 }
284 
X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM * param)285 unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
286 {
287     return param->flags;
288 }
289 
X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM * param)290 uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param)
291 {
292     return param->inh_flags;
293 }
294 
X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM * param,uint32_t flags)295 int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
296 {
297     param->inh_flags = flags;
298     return 1;
299 }
300 
X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM * param,int purpose)301 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
302 {
303     return X509_PURPOSE_set(&param->purpose, purpose);
304 }
305 
X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM * param,int trust)306 int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
307 {
308     return X509_TRUST_set(&param->trust, trust);
309 }
310 
X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM * param,int depth)311 void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
312 {
313     param->depth = depth;
314 }
315 
X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM * param,int auth_level)316 void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level)
317 {
318     param->auth_level = auth_level;
319 }
320 
X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM * param)321 time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param)
322 {
323     return param->check_time;
324 }
325 
X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM * param,time_t t)326 void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
327 {
328     param->check_time = t;
329     param->flags |= X509_V_FLAG_USE_CHECK_TIME;
330 }
331 
X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM * param,ASN1_OBJECT * policy)332 int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
333                                   ASN1_OBJECT *policy)
334 {
335     if (!param->policies) {
336         param->policies = sk_ASN1_OBJECT_new_null();
337         if (!param->policies)
338             return 0;
339     }
340     if (!sk_ASN1_OBJECT_push(param->policies, policy))
341         return 0;
342     return 1;
343 }
344 
X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM * param,STACK_OF (ASN1_OBJECT)* policies)345 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
346                                     STACK_OF(ASN1_OBJECT) *policies)
347 {
348     int i;
349     ASN1_OBJECT *oid, *doid;
350 
351     if (!param)
352         return 0;
353     sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
354 
355     if (!policies) {
356         param->policies = NULL;
357         return 1;
358     }
359 
360     param->policies = sk_ASN1_OBJECT_new_null();
361     if (!param->policies)
362         return 0;
363 
364     for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
365         oid = sk_ASN1_OBJECT_value(policies, i);
366         doid = OBJ_dup(oid);
367         if (!doid)
368             return 0;
369         if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
370             ASN1_OBJECT_free(doid);
371             return 0;
372         }
373     }
374     param->flags |= X509_V_FLAG_POLICY_CHECK;
375     return 1;
376 }
377 
X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM * param,const char * name,size_t namelen)378 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
379                                 const char *name, size_t namelen)
380 {
381     return int_x509_param_set_hosts(param, SET_HOST, name, namelen);
382 }
383 
X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM * param,const char * name,size_t namelen)384 int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
385                                 const char *name, size_t namelen)
386 {
387     return int_x509_param_set_hosts(param, ADD_HOST, name, namelen);
388 }
389 
X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM * param,unsigned int flags)390 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
391                                      unsigned int flags)
392 {
393     param->hostflags = flags;
394 }
395 
X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM * param)396 unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)
397 {
398     return param->hostflags;
399 }
400 
X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM * param)401 char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
402 {
403     return param->peername;
404 }
405 
406 /*
407  * Move peername from one param structure to another, freeing any name present
408  * at the target.  If the source is a NULL parameter structure, free and zero
409  * the target peername.
410  */
X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM * to,X509_VERIFY_PARAM * from)411 void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to,
412                                      X509_VERIFY_PARAM *from)
413 {
414     char *peername = (from != NULL) ? from->peername : NULL;
415 
416     if (to->peername != peername) {
417         OPENSSL_free(to->peername);
418         to->peername = peername;
419     }
420     if (from)
421         from->peername = NULL;
422 }
423 
X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM * param,const char * email,size_t emaillen)424 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
425                                  const char *email, size_t emaillen)
426 {
427     return int_x509_param_set1(&param->email, &param->emaillen,
428                                email, emaillen);
429 }
430 
X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM * param,const unsigned char * ip,size_t iplen)431 int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
432                               const unsigned char *ip, size_t iplen)
433 {
434     if (iplen != 0 && iplen != 4 && iplen != 16)
435         return 0;
436     return int_x509_param_set1((char **)&param->ip, &param->iplen,
437                                (char *)ip, iplen);
438 }
439 
X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM * param,const char * ipasc)440 int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
441 {
442     unsigned char ipout[16];
443     size_t iplen;
444 
445     iplen = (size_t)a2i_ipadd(ipout, ipasc);
446     if (iplen == 0)
447         return 0;
448     return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
449 }
450 
X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM * param)451 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
452 {
453     return param->depth;
454 }
455 
X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM * param)456 int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param)
457 {
458     return param->auth_level;
459 }
460 
X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM * param)461 const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
462 {
463     return param->name;
464 }
465 
466 #define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0
467 
468 /*
469  * Default verify parameters: these are used for various applications and can
470  * be overridden by the user specified table. NB: the 'name' field *must* be
471  * in alphabetical order because it will be searched using OBJ_search.
472  */
473 
474 static const X509_VERIFY_PARAM default_table[] = {
475     {
476      "default",                 /* X509 default parameters */
477      0,                         /* Check time */
478      0,                         /* internal flags */
479      X509_V_FLAG_TRUSTED_FIRST, /* flags */
480      0,                         /* purpose */
481      0,                         /* trust */
482      100,                       /* depth */
483      -1,                        /* auth_level */
484      NULL,                      /* policies */
485      vpm_empty_id},
486     {
487      "pkcs7",                   /* S/MIME sign parameters */
488      0,                         /* Check time */
489      0,                         /* internal flags */
490      0,                         /* flags */
491      X509_PURPOSE_SMIME_SIGN,   /* purpose */
492      X509_TRUST_EMAIL,          /* trust */
493      -1,                        /* depth */
494      -1,                        /* auth_level */
495      NULL,                      /* policies */
496      vpm_empty_id},
497     {
498      "smime_sign",              /* S/MIME sign parameters */
499      0,                         /* Check time */
500      0,                         /* internal flags */
501      0,                         /* flags */
502      X509_PURPOSE_SMIME_SIGN,   /* purpose */
503      X509_TRUST_EMAIL,          /* trust */
504      -1,                        /* depth */
505      -1,                        /* auth_level */
506      NULL,                      /* policies */
507      vpm_empty_id},
508     {
509      "ssl_client",              /* SSL/TLS client parameters */
510      0,                         /* Check time */
511      0,                         /* internal flags */
512      0,                         /* flags */
513      X509_PURPOSE_SSL_CLIENT,   /* purpose */
514      X509_TRUST_SSL_CLIENT,     /* trust */
515      -1,                        /* depth */
516      -1,                        /* auth_level */
517      NULL,                      /* policies */
518      vpm_empty_id},
519     {
520      "ssl_server",              /* SSL/TLS server parameters */
521      0,                         /* Check time */
522      0,                         /* internal flags */
523      0,                         /* flags */
524      X509_PURPOSE_SSL_SERVER,   /* purpose */
525      X509_TRUST_SSL_SERVER,     /* trust */
526      -1,                        /* depth */
527      -1,                        /* auth_level */
528      NULL,                      /* policies */
529      vpm_empty_id}
530 };
531 
532 static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
533 
table_cmp(const X509_VERIFY_PARAM * a,const X509_VERIFY_PARAM * b)534 static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
535 {
536     return strcmp(a->name, b->name);
537 }
538 
539 DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
540 IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
541 
param_cmp(const X509_VERIFY_PARAM * const * a,const X509_VERIFY_PARAM * const * b)542 static int param_cmp(const X509_VERIFY_PARAM *const *a,
543                      const X509_VERIFY_PARAM *const *b)
544 {
545     return strcmp((*a)->name, (*b)->name);
546 }
547 
X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM * param)548 int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
549 {
550     int idx;
551     X509_VERIFY_PARAM *ptmp;
552     if (param_table == NULL) {
553         param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
554         if (param_table == NULL)
555             return 0;
556     } else {
557         idx = sk_X509_VERIFY_PARAM_find(param_table, param);
558         if (idx >= 0) {
559             ptmp = sk_X509_VERIFY_PARAM_delete(param_table, idx);
560             X509_VERIFY_PARAM_free(ptmp);
561         }
562     }
563     if (!sk_X509_VERIFY_PARAM_push(param_table, param))
564         return 0;
565     return 1;
566 }
567 
X509_VERIFY_PARAM_get_count(void)568 int X509_VERIFY_PARAM_get_count(void)
569 {
570     int num = OSSL_NELEM(default_table);
571     if (param_table)
572         num += sk_X509_VERIFY_PARAM_num(param_table);
573     return num;
574 }
575 
X509_VERIFY_PARAM_get0(int id)576 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
577 {
578     int num = OSSL_NELEM(default_table);
579     if (id < num)
580         return default_table + id;
581     return sk_X509_VERIFY_PARAM_value(param_table, id - num);
582 }
583 
X509_VERIFY_PARAM_lookup(const char * name)584 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
585 {
586     int idx;
587     X509_VERIFY_PARAM pm;
588 
589     pm.name = (char *)name;
590     if (param_table != NULL) {
591         idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
592         if (idx >= 0)
593             return sk_X509_VERIFY_PARAM_value(param_table, idx);
594     }
595     return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table));
596 }
597 
X509_VERIFY_PARAM_table_cleanup(void)598 void X509_VERIFY_PARAM_table_cleanup(void)
599 {
600     sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
601     param_table = NULL;
602 }
603