Allow security_level to mestastasize into the verifier

The tentacles are everywhere. This checks that all certs in a chain have keys and signature algorithms matching the requirements of the security_level configured in the verify parameters. ok beck jsing
author: tb <> 2022-06-27 14:10:22 +0000
committer: tb <> 2022-06-27 14:10:22 +0000
commit: d85e325a7025116ae28315a293f49d7170489464 (patch)
tree: 8f690d35a09cd2d9e7808f00b7617746497fcde3 /src/lib/libcrypto/x509/x509_verify.c
parent: 6220066aaad23f7ff52f0ab797cc297ec7302713 (diff)
download: openbsd-d85e325a7025116ae28315a293f49d7170489464.tar.gz
openbsd-d85e325a7025116ae28315a293f49d7170489464.tar.bz2
openbsd-d85e325a7025116ae28315a293f49d7170489464.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index f6959d1f3a..83030672ef 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.56 2022/06/25 20:01:43 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.57 2022/06/27 14:10:22 tb Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -415,6 +415,9 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
                goto err;
 #endif
+        if (!x509_vfy_check_security_level(ctx->xsc))
+                goto err;
        if (!x509_constraints_chain(ctx->xsc->chain,
                &ctx->xsc->error, &ctx->xsc->error_depth)) {
                X509 *cert = sk_X509_value(ctx->xsc->chain, depth);
author	tb <>	2022-06-27 14:10:22 +0000
committer	tb <>	2022-06-27 14:10:22 +0000
commit	d85e325a7025116ae28315a293f49d7170489464 (patch)
tree	8f690d35a09cd2d9e7808f00b7617746497fcde3 /src/lib/libcrypto/x509/x509_verify.c
parent	6220066aaad23f7ff52f0ab797cc297ec7302713 (diff)
download	openbsd-d85e325a7025116ae28315a293f49d7170489464.tar.gz openbsd-d85e325a7025116ae28315a293f49d7170489464.tar.bz2 openbsd-d85e325a7025116ae28315a293f49d7170489464.zip