summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_verify.c
diff options
context:
space:
mode:
authorbeck <>2021-08-28 15:22:42 +0000
committerbeck <>2021-08-28 15:22:42 +0000
commit480921b20b6041e9bc8c752904c958b63cb91b33 (patch)
tree2657c3b4dc8dbc196f3586c32eae2e989ba7d569 /src/lib/libcrypto/x509/x509_verify.c
parent9a67589bb5e17849587c80865d013e5d534c653d (diff)
downloadopenbsd-480921b20b6041e9bc8c752904c958b63cb91b33.tar.gz
openbsd-480921b20b6041e9bc8c752904c958b63cb91b33.tar.bz2
openbsd-480921b20b6041e9bc8c752904c958b63cb91b33.zip
Get rid of historical code to extract the roots in the legacy case.
Due to the need to support by_dir, we use the get_issuer stuff when running in x509_vfy compatibility mode amyway - so just use it any time we are doing that. Removes a bunch of yukky stuff and a "Don't Look Ethel" ok tb@ jsing@
Diffstat (limited to 'src/lib/libcrypto/x509/x509_verify.c')
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c55
1 files changed, 29 insertions, 26 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 3176e110ba..68dd2863a7 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_verify.c,v 1.43 2021/08/28 07:49:00 beck Exp $ */ 1/* $OpenBSD: x509_verify.c,v 1.44 2021/08/28 15:22:42 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -213,13 +213,6 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
213 if (!x509_verify_cert_cache_extensions(cert)) 213 if (!x509_verify_cert_cache_extensions(cert))
214 return 0; 214 return 0;
215 215
216 /* Check the provided roots */
217 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
218 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
219 return !full_chain ||
220 x509_verify_cert_self_signed(cert);
221 }
222
223 /* Check by lookup if we have a legacy xsc */ 216 /* Check by lookup if we have a legacy xsc */
224 if (ctx->xsc != NULL) { 217 if (ctx->xsc != NULL) {
225 if ((match = x509_vfy_lookup_cert_match(ctx->xsc, 218 if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
@@ -228,6 +221,13 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
228 return !full_chain || 221 return !full_chain ||
229 x509_verify_cert_self_signed(cert); 222 x509_verify_cert_self_signed(cert);
230 } 223 }
224 } else {
225 /* Check the provided roots */
226 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
227 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
228 return !full_chain ||
229 x509_verify_cert_self_signed(cert);
230 }
231 } 231 }
232 232
233 return 0; 233 return 0;
@@ -611,17 +611,6 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
611 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 611 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
612 } 612 }
613 613
614 /* Check to see if we have a trusted root issuer. */
615 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
616 candidate = sk_X509_value(ctx->roots, i);
617 if (x509_verify_potential_parent(ctx, candidate, cert)) {
618 is_root = !full_chain ||
619 x509_verify_cert_self_signed(candidate);
620 x509_verify_consider_candidate(ctx, cert,
621 cert_md, is_root, candidate, current_chain,
622 full_chain);
623 }
624 }
625 /* Check for legacy mode roots */ 614 /* Check for legacy mode roots */
626 if (ctx->xsc != NULL) { 615 if (ctx->xsc != NULL) {
627 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { 616 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) {
@@ -639,6 +628,18 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
639 } 628 }
640 X509_free(candidate); 629 X509_free(candidate);
641 } 630 }
631 } else {
632 /* Check to see if we have a trusted root issuer. */
633 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
634 candidate = sk_X509_value(ctx->roots, i);
635 if (x509_verify_potential_parent(ctx, candidate, cert)) {
636 is_root = !full_chain ||
637 x509_verify_cert_self_signed(candidate);
638 x509_verify_consider_candidate(ctx, cert,
639 cert_md, is_root, candidate, current_chain,
640 full_chain);
641 }
642 }
642 } 643 }
643 644
644 /* Check intermediates after checking roots */ 645 /* Check intermediates after checking roots */
@@ -933,7 +934,7 @@ x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert,
933} 934}
934 935
935struct x509_verify_ctx * 936struct x509_verify_ctx *
936x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) 937x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc)
937{ 938{
938 struct x509_verify_ctx *ctx; 939 struct x509_verify_ctx *ctx;
939 size_t max_depth; 940 size_t max_depth;
@@ -941,7 +942,7 @@ x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots)
941 if (xsc == NULL) 942 if (xsc == NULL)
942 return NULL; 943 return NULL;
943 944
944 if ((ctx = x509_verify_ctx_new(roots)) == NULL) 945 if ((ctx = x509_verify_ctx_new(NULL)) == NULL)
945 return NULL; 946 return NULL;
946 947
947 ctx->xsc = xsc; 948 ctx->xsc = xsc;
@@ -969,14 +970,16 @@ x509_verify_ctx_new(STACK_OF(X509) *roots)
969{ 970{
970 struct x509_verify_ctx *ctx; 971 struct x509_verify_ctx *ctx;
971 972
972 if (roots == NULL)
973 return NULL;
974
975 if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) 973 if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL)
976 return NULL; 974 return NULL;
977 975
978 if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) 976 if (roots != NULL) {
979 goto err; 977 if ((ctx->roots = X509_chain_up_ref(roots)) == NULL)
978 goto err;
979 } else {
980 if ((ctx->roots = sk_X509_new_null()) == NULL)
981 goto err;
982 }
980 983
981 ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; 984 ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
982 ctx->max_chains = X509_VERIFY_MAX_CHAINS; 985 ctx->max_chains = X509_VERIFY_MAX_CHAINS;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-08 09:19:18 +0000