diff options
| author | beck <> | 2021-08-19 03:44:00 +0000 |
|---|---|---|
| committer | beck <> | 2021-08-19 03:44:00 +0000 |
| commit | 252cbe4493634e4a70789ca96794482ba219de91 (patch) | |
| tree | 1329511d1aa6b33cd3f48ec007990cdf78af765f /src | |
| parent | a5c89764af8f7a72f1c0ddb9d42ec39de836d700 (diff) | |
| download | openbsd-252cbe4493634e4a70789ca96794482ba219de91.tar.gz openbsd-252cbe4493634e4a70789ca96794482ba219de91.tar.bz2 openbsd-252cbe4493634e4a70789ca96794482ba219de91.zip | |
Pull roots out of the trust store in the legacy xsc when building chains
to handly by_dir and fun things correctly. - fixes dlg@'s case and
by_dir regress in openssl-ruby
ok jsing@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_internal.h | 3 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 20 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 11 |
3 files changed, 26 insertions, 8 deletions
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h index 7160053a8a..493bf82ac8 100644 --- a/src/lib/libcrypto/x509/x509_internal.h +++ b/src/lib/libcrypto/x509/x509_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_internal.h,v 1.8 2021/07/10 15:52:59 beck Exp $ */ | 1 | /* $OpenBSD: x509_internal.h,v 1.9 2021/08/19 03:44:00 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -92,6 +92,7 @@ int x509_vfy_check_policy(X509_STORE_CTX *ctx); | |||
| 92 | int x509_vfy_check_trust(X509_STORE_CTX *ctx); | 92 | int x509_vfy_check_trust(X509_STORE_CTX *ctx); |
| 93 | int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); | 93 | int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); |
| 94 | void x509v3_cache_extensions(X509 *x); | 94 | void x509v3_cache_extensions(X509 *x); |
| 95 | X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x); | ||
| 95 | 96 | ||
| 96 | int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, | 97 | int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, |
| 97 | int notafter); | 98 | int notafter); |
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 9073dda31d..5f3c97abf7 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -207,21 +207,29 @@ static int | |||
| 207 | x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, | 207 | x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, |
| 208 | int full_chain) | 208 | int full_chain) |
| 209 | { | 209 | { |
| 210 | X509 *match = NULL; | ||
| 210 | int i; | 211 | int i; |
| 211 | 212 | ||
| 212 | if (!x509_verify_cert_cache_extensions(cert)) | 213 | if (!x509_verify_cert_cache_extensions(cert)) |
| 213 | return 0; | 214 | return 0; |
| 214 | 215 | ||
| 216 | /* Check the provided roots */ | ||
| 215 | for (i = 0; i < sk_X509_num(ctx->roots); i++) { | 217 | for (i = 0; i < sk_X509_num(ctx->roots); i++) { |
| 216 | if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) | 218 | if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) |
| 217 | return !full_chain || | 219 | return !full_chain || |
| 218 | x509_verify_cert_self_signed(cert); | 220 | x509_verify_cert_self_signed(cert); |
| 219 | } | 221 | } |
| 220 | /* | 222 | |
| 221 | * XXX what if this is a by_dir thing? this currently isn't | 223 | /* Check by lookup if we have a legacy xsc */ |
| 222 | * handled so this case is a bit messed up for loonix with | 224 | if (ctx->xsc != NULL) { |
| 223 | * by directory trust bundles... | 225 | if ((match = x509_vfy_lookup_cert_match(ctx->xsc, |
| 224 | */ | 226 | cert)) != NULL) { |
| 227 | X509_free(match); | ||
| 228 | return !full_chain || | ||
| 229 | x509_verify_cert_self_signed(cert); | ||
| 230 | } | ||
| 231 | } | ||
| 232 | |||
| 225 | return 0; | 233 | return 0; |
| 226 | } | 234 | } |
| 227 | 235 | ||
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 9577040d9d..233c95c408 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vfy.c,v 1.86 2021/02/25 17:29:22 tb Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.87 2021/08/19 03:44:00 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -942,6 +942,15 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) | |||
| 942 | return xtmp; | 942 | return xtmp; |
| 943 | } | 943 | } |
| 944 | 944 | ||
| 945 | X509 * | ||
| 946 | x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) | ||
| 947 | { | ||
| 948 | if (ctx->lookup_certs == NULL || ctx->ctx == NULL || | ||
| 949 | ctx->ctx->objs == NULL) | ||
| 950 | return NULL; | ||
| 951 | return lookup_cert_match(ctx, x); | ||
| 952 | } | ||
| 953 | |||
| 945 | static int | 954 | static int |
| 946 | check_trust(X509_STORE_CTX *ctx) | 955 | check_trust(X509_STORE_CTX *ctx) |
| 947 | { | 956 | { |