authortb <>2023-04-16 08:06:42 +0000
committertb <>2023-04-16 08:06:42 +0000
commitaf5673b318b3bb1548e40342abba68903d680131 (patch)
treeda5366d0ec0a73467af45e2bb10f95ba049a341a /src/lib/libcrypto/x509/x509_vfy.c
parent699a40dcab913cc71bfe12a9d96aabcdd691c77a (diff)
More ProxyCertInfo tentacles go to the attic
This removes ProxyCertInfo from extension caching, issuer checking and it also drops the special path validation for proxy certs from the legacy verifier. ok jsing
Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c38
1 files changed, 4 insertions, 34 deletions
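diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 8bba796198..8fd193699e 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -732,7 +732,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
  int (*cb)(int xok, X509_STORE_CTX *xctx);
  int proxy_path_length = 0;
  int purpose;
- int allow_proxy_certs;
 
  cb = ctx->verify_cb;
 
@@ -747,14 +746,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
  must_be_ca = -1;
 
  /* CRL path validation */
- if (ctx->parent) {
- allow_proxy_certs = 0;
+ if (ctx->parent)
  purpose = X509_PURPOSE_CRL_SIGN;
- } else {
- allow_proxy_certs =
- !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+ else
  purpose = ctx->param->purpose;
- }
 
  /* Check all untrusted certificates */
  for (i = 0; i < ctx->num_untrusted; i++) {
@@ -769,14 +764,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
  if (!ok)
  goto end;
  }
- if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
- ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- ok = cb(0, ctx);
- if (!ok)
- goto end;
- }
  ret = X509_check_ca(x);
  switch (must_be_ca) {
  case -1:
@@ -838,24 +825,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
  /* Increment path length if not self issued */
  if (!(x->ex_flags & EXFLAG_SI))
  plen++;
- /* If this certificate is a proxy certificate, the next
- certificate must be another proxy certificate or a EE
- certificate. If not, the next certificate must be a
- CA certificate. */
- if (x->ex_flags & EXFLAG_PROXY) {
- if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
- ctx->error =
- X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- ok = cb(0, ctx);
- if (!ok)
- goto end;
- }
- proxy_path_length++;
- must_be_ca = 0;
- } else
- must_be_ca = 1;
+ must_be_ca = 1;
  }
  ok = 1;
 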
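Review bot: `int proxy_path_length = 0;` survives as context in the second hunk, but the last hunk removes its only visible update (`proxy_path_length++`), so the variable can no longer become non-zero. Any remaining use of it in x509_vfy_check_chain_extensions outside the visible hunks (the function's body starts and ends outside them) now just contributes 0, so the declaration and those uses could be dropped along with the rest of the proxy handling. Because the explicit `X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED` branch is gone as well, a regress test asserting that a chain containing a proxy certificate still fails in the legacy verifier would pin down that rejection now rests on the remaining checks (presumably the critical-extension handling and the unconditional `must_be_ca = 1;`).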