authorbeck <>2024-07-12 18:15:10 +0000
committerbeck <>2024-07-12 18:15:10 +0000
commitd694a3319273a6e59cc84d958713e0342bfc206d (patch)
treecaf914a4a8067bbc8e5b4712e3e4fbf8ffc4c380 /src/lib/libcrypto/ocsp
parenta41114b964f05026c5489e35fb584a9f78de8fce (diff)
Fix the horrible and undocumented behaviour of X509_check_trust
Of allowing you to pass in a NID directly, instead of a trust_id, and have it work, as long as the trust ids and the NIDs did not overlap. This screwball behaviour was depended upon by the OCSP code that called X509_check_trust with the NID, instead of the trust id, so let's fix that. We also rename the confusingly named X509_TRUST_DEFAULT to X509_TRUST_ACCEPT_ALL which makes a lot more sense, and rototill this to remove the confusingly named static functions. This will shortly be followed up by making this function private, so we have not bothered to fix the amazingly obtuse man page as it will be taken behind the barn at that time. ok tb@
Diffstat (limited to 'src/lib/libcrypto/ocsp')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index d197fe4ea7..27d2283ea7 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_vfy.c,v 1.23 2023/07/08 10:44:00 beck Exp $ */ 1/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -168,8 +168,8 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
168 goto end; 168 goto end;
169 169
170 x = sk_X509_value(chain, sk_X509_num(chain) - 1); 170 x = sk_X509_value(chain, sk_X509_num(chain) - 1);
171 if (X509_check_trust(x, NID_OCSP_sign, 0) != 171 if (X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) !=
172 X509_TRUST_TRUSTED) { 172 X509_TRUST_TRUSTED) {
173 OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED); 173 OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED);
174 goto end; 174 goto end;
175 } 175 }
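Review bot: The explicit-trust fallback on line 171 now routes through the trust table entry for X509_TRUST_OCSP_SIGN instead of matching NID_OCSP_sign against the root's aux trust settings directly, so whether it is still satisfied only by a root that carries an explicit OCSP-signing trust entry — and not by any self-signed root, which as I understand it the compatibility checker used for some other trust ids would accept — depends on how that table entry is defined, and that lives outside this diff (the diffstat is limited to libcrypto/ocsp). It is worth confirming that the X509_TRUST_OCSP_SIGN entry keeps the strict aux-only behaviour the old direct NID lookup had, since this check is the last gate before a responder not issued by the subject's CA is accepted. If it does, a short comment above the check would document the requirement for the next reader, e.g. `/* Explicit trust only: the chain's root must be marked trusted for OCSP signing; merely being a trusted self-signed root is not enough. */`, which matches the OCSP_R_ROOT_CA_NOT_TRUSTED error on line 173. OCSP_basic_verify starts before and continues past this hunk.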