| author | beck <> | 2023-04-28 16:50:16 +0000 |
|---|---|---|
| committer | beck <> | 2023-04-28 16:50:16 +0000 |
| commit | 894a54df05aae48b1ccfb4d0acd6170e67c7bd80 (patch) | |
| tree | c1ffb128d53575a3341638cccf75fcf2d6427d05 /src/lib/libcrypto/x509/x509_verify.c | |
| parent | 1ce60b4afbf4cde527424c04352d010e0bafb51b (diff) | |
Enable policy checking by default now that we are DAG implementation based.
This ensures that we will no longer silently ignore a certificate with
a critical policy extension by default.
ok tb@
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 5 |
1 files changed, 2 insertions, 3 deletions
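--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.64 2023/04/16 07:59:57 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.65 2023/04/28 16:50:16 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -439,8 +439,7 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 if (!x509_vfy_check_revocation(ctx->xsc))
 goto err;
 
-if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK &&
-!x509_vfy_check_policy(ctx->xsc))
+if (!x509_vfy_check_policy(ctx->xsc))
 goto err;
 
 ret = 1;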
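Review bot: The now-unconditional `if (!x509_vfy_check_policy(ctx->xsc))` call in x509_verify_ctx_validate_legacy_chain has no comment explaining why X509_V_FLAG_POLICY_CHECK is no longer consulted, so a later reader could reinstate the guard and bring back silent acceptance of a critical policy extension. I would add above it `/* Always check policy: a critical policy extension must never be silently ignored. */`. Since the flag no longer has any effect at this call site, it is worth confirming that any other caller of x509_vfy_check_policy (none is visible here) does not still gate on it, otherwise two verification paths could disagree on the same chain. A regression test that verifies a chain containing a critical certificate policies extension with no verification flags set would pin the new default. The function body starts and ends outside this hunk.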
