| author | beck <> | 2022-08-05 14:46:52 +0000 |
|---|---|---|
| committer | beck <> | 2022-08-05 14:46:52 +0000 |
| commit | 2e7ae5002415d7060ce772d6467d1e6ac482295b (patch) | |
| tree | 914795990369bb721a7c458a2b63eb3905a187ee /src | |
| parent | 065c3b8f4dbd70a085d42a0b39436d95e698dbac (diff) | |
Remove overly aggressive trust check in legacy verifier that breaks
p5-IO-Socket-SSL regress and regress/sbin/iked/live
Still passes the mutt regress that this was intended to fix.
ok tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 19 |
1 files changed, 4 insertions, 15 deletions
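--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.59 2022/06/28 16:05:42 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.60 2022/08/05 14:46:52 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -268,16 +268,6 @@ x509_verify_check_chain_end(X509 *cert, int full_chain)
 }
 
 static int
-x509_verify_check_legacy_chain_end(struct x509_verify_ctx *ctx, X509 *cert,
-    int full_chain)
-{
-	if (X509_check_trust(cert, ctx->xsc->param->trust, 0) !=
-	    X509_TRUST_TRUSTED)
-		return 0;
-	return x509_verify_check_chain_end(cert, full_chain);
-}
-
-static int
 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
     int full_chain)
 {
@@ -292,8 +282,7 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
 		if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
 		    cert)) != NULL) {
 			X509_free(match);
-			return x509_verify_check_legacy_chain_end(ctx, cert,
-			    full_chain);
+			return x509_verify_check_chain_end(cert, full_chain);
 
 		}
 	} else {
@@ -713,8 +702,8 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 		}
 		if (ret > 0) {
 			if (x509_verify_potential_parent(ctx, candidate, cert)) {
-				is_root = x509_verify_check_legacy_chain_end(
-				    ctx, candidate, full_chain);
+				is_root = x509_verify_check_chain_end(candidate,
+				    full_chain);
 				x509_verify_consider_candidate(ctx, cert,
 				    is_root, candidate, current_chain,
 				    full_chain, name);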
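Review bot: With the substitution at new line 285 in x509_verify_ctx_cert_is_root (and the same one at new lines 705-706 in x509_verify_build_chains), a certificate is now treated as a chain end from store membership or parent matching plus x509_verify_check_chain_end alone, and that helper takes only (cert, full_chain), so the ctx->xsc->param->trust setting the removed X509_check_trust call consulted is no longer examined anywhere in these two paths. If explicit trust and reject settings on store certificates are meant to be honoured by the legacy verifier, that enforcement must now happen elsewhere, which this diff does not show. A short comment at the new line 285 call site would keep the next reader from re-adding the check that was just removed, e.g. `/* Chain end is decided by store membership; per-cert trust settings are not consulted here. */`. Both enclosing functions start and end outside the hunks.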
