summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/dsa
diff options
context:
space:
mode:
authorjsing <>2020-11-11 18:49:34 +0000
committerjsing <>2020-11-11 18:49:34 +0000
commitd677ab3272ee7c58415094ef4162e2760b96be3c (patch)
treef48ae5f4913a86ab11be677b612ebada5129384a /src/lib/libcrypto/dsa
parent5bc4eba7ef5295b28908fc64844ded7577e36d50 (diff)
downloadopenbsd-d677ab3272ee7c58415094ef4162e2760b96be3c.tar.gz
openbsd-d677ab3272ee7c58415094ef4162e2760b96be3c.tar.bz2
openbsd-d677ab3272ee7c58415094ef4162e2760b96be3c.zip
Handle additional certificate error cases in new X.509 verifier.
With the old verifier, the verify callback can always return 1 instructing the verifier to simply continue regardless of a certificate verification failure (e.g. the certificate is expired or revoked). This would result in a chain being built, however the first error encountered would be persisted, which allows the caller to build the chain, have the verification process succeed, yet upon inspecting the error code note that the chain is not valid for some reason. Mimic this behaviour by keeping track of certificate errors while building chains - when we finish verification, find the certificate error closest to the leaf certificate and expose that via the X509_STORE_CTX. There are various corner cases that we also have to handle, like the fact that we keep an certificate error until we find the issuer, at which point we have to clear it. Issue reported by Ilya Shipitcin due to failing haproxy regression tests. With much discussion and input from beck@ and tb@! ok beck@ tb@
Diffstat (limited to 'src/lib/libcrypto/dsa')
0 files changed, 0 insertions, 0 deletions