Change over to use the new x509 name constraints verification.

ok jsing@
author: beck <> 2020-09-12 14:14:02 +0000
committer: beck <> 2020-09-12 14:14:02 +0000
commit: d7dfc10134411f17602aa3f2d5224ccb44f6701c (patch)
tree: 2e8cba8a60876b7612ba25a26b032d0fb5f4da17
parent: ca7e93e1e5543d9778b24369e5b780da61dd26bf (diff)
download: openbsd-d7dfc10134411f17602aa3f2d5224ccb44f6701c.tar.gz
openbsd-d7dfc10134411f17602aa3f2d5224ccb44f6701c.tar.bz2
openbsd-d7dfc10134411f17602aa3f2d5224ccb44f6701c.zip
1 files changed, 7 insertions, 28 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 126e0f3000..28dbf60c38 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.73 2020/05/31 17:23:39 jsing Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.74 2020/09/12 14:14:02 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -75,6 +75,7 @@
 #include <openssl/x509v3.h>
 #include "asn1_locl.h"
 #include "vpm_int.h"
+#include "x509_internal.h"
 #include "x509_lcl.h"
 /* CRL score values */
@@ -782,33 +783,11 @@ end:
 static int
 check_name_constraints(X509_STORE_CTX *ctx)
 {
-        X509 *x;
+        if (!x509_constraints_chain(ctx->chain, &ctx->error,
-        int i, j, rv;
+            &ctx->error_depth)) {
+                ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
-        /* Check name constraints for all certificates */
+                if (!ctx->verify_cb(0, ctx))
-        for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
+                        return 0;
-                x = sk_X509_value(ctx->chain, i);
-                /* Ignore self issued certs unless last in chain */
-                if (i && (x->ex_flags & EXFLAG_SI))
-                        continue;
-                /* Check against constraints for all certificates higher in
-                 * chain including trust anchor. Trust anchor not strictly
-                 * speaking needed but if it includes constraints it is to be
-                 * assumed it expects them to be obeyed.
-                 */
-                for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
-                        NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
-                        if (nc) {
-                                rv = NAME_CONSTRAINTS_check(x, nc);
-                                if (rv != X509_V_OK) {
-                                        ctx->error = rv;
-                                        ctx->error_depth = i;
-                                        ctx->current_cert = x;
-                                        if (!ctx->verify_cb(0, ctx))
-                                                return 0;
-                                }
-                        }
-                }
        }
        return 1;
 }
author	beck <>	2020-09-12 14:14:02 +0000
committer	beck <>	2020-09-12 14:14:02 +0000
commit	d7dfc10134411f17602aa3f2d5224ccb44f6701c (patch)
tree	2e8cba8a60876b7612ba25a26b032d0fb5f4da17
parent	ca7e93e1e5543d9778b24369e5b780da61dd26bf (diff)
download	openbsd-d7dfc10134411f17602aa3f2d5224ccb44f6701c.tar.gz openbsd-d7dfc10134411f17602aa3f2d5224ccb44f6701c.tar.bz2 openbsd-d7dfc10134411f17602aa3f2d5224ccb44f6701c.zip

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 126e0f3000..28dbf60c38 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.73 2020/05/31 17:23:39 jsing Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.74 2020/09/12 14:14:02 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -75,6 +75,7 @@
75	#include <openssl/x509v3.h>	75	#include <openssl/x509v3.h>
76	#include "asn1_locl.h"	76	#include "asn1_locl.h"
77	#include "vpm_int.h"	77	#include "vpm_int.h"
		78	#include "x509_internal.h"
78	#include "x509_lcl.h"	79	#include "x509_lcl.h"
79		80
80	/* CRL score values */	81	/* CRL score values */
@@ -782,33 +783,11 @@ end:
782	static int	783	static int
783	check_name_constraints(X509_STORE_CTX *ctx)	784	check_name_constraints(X509_STORE_CTX *ctx)
784	{	785	{
785	X509 *x;	786	if (!x509_constraints_chain(ctx->chain, &ctx->error,
786	int i, j, rv;	787	&ctx->error_depth)) {
787		788	ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
788	/* Check name constraints for all certificates */	789	if (!ctx->verify_cb(0, ctx))
789	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {	790	return 0;
790	x = sk_X509_value(ctx->chain, i);
791	/* Ignore self issued certs unless last in chain */
792	if (i && (x->ex_flags & EXFLAG_SI))
793	continue;
794	/* Check against constraints for all certificates higher in
795	* chain including trust anchor. Trust anchor not strictly
796	* speaking needed but if it includes constraints it is to be
797	* assumed it expects them to be obeyed.
798	*/
799	for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
800	NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
801	if (nc) {
802	rv = NAME_CONSTRAINTS_check(x, nc);
803	if (rv != X509_V_OK) {
804	ctx->error = rv;
805	ctx->error_depth = i;
806	ctx->current_cert = x;
807	if (!ctx->verify_cb(0, ctx))
808	return 0;
809	}
810	}
811	}
812	}	791	}
813	return 1;	792	return 1;
814	}	793	}