authorbeck <>2016-11-06 10:31:34 +0000
committerbeck <>2016-11-06 10:31:34 +0000
commit86de6636f522fb101a9347e689d450972645ca99 (patch)
tree1f994b06c8e0987a3bfd0e9ba324a0282934a3e8 /src
parentff3d11642a44421d51ea23a2994378482e7dba6c (diff)
The upcoming x509 alt chains diff tightens the trust requirements
for certificates. This (from OpenSSL) ensures that the current "default" behaviour remains the same. We should revisit this later ok jsing@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_trs.c18
1 files changed, 17 insertions, 1 deletions
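--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.20 2015/02/10 11:22:21 jsing Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.21 2016/11/06 10:31:34 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -116,6 +116,22 @@ X509_check_trust(X509 *x, int id, int flags)
 
 	if (id == -1)
 		return 1;
+	/*
+	 * XXX beck/jsing This enables self signed certs to be trusted for
+	 * an unspecified id/trust flag value (this is NOT the
+	 * X509_TRUST_DEFAULT), which was the longstanding
+	 * openssl behaviour. boringssl does not have this behaviour.
+	 *
+	 * This should be revisited, but changing the default "not default"
+	 * may break things.
+	 */
+	if (id == 0) {
+		int rv;
+		rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
+		if (rv != X509_TRUST_UNTRUSTED)
+			return rv;
+		return trust_compat(NULL, x, 0);
+	}
 	idx = X509_TRUST_get_by_id(id);
 	if (idx == -1)
 		return default_trust(id, x, flags);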
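Review bot: The new `id == 0` branch hard-codes `0` as the flags argument to both `obj_trust()` and `trust_compat()`, while the existing `default_trust(id, x, flags)` path immediately after it forwards the caller's `flags`; unless both helpers are known to ignore that parameter (their definitions are outside this hunk), `rv = obj_trust(NID_anyExtendedKeyUsage, x, flags);` and `return trust_compat(NULL, x, flags);` would keep the three code paths consistent and avoid silently dropping a caller-supplied flag on this path only. The XXX comment should also spell out the security consequence being accepted rather than just "self signed certs to be trusted": presumably (if `trust_compat` matches its OpenSSL counterpart) a self-signed certificate is accepted for an unspecified trust id whenever its aux trust does not explicitly reject anyExtendedKeyUsage, even if its aux trust settings limit it to a narrower purpose, so a line such as `* Consequence: a self-signed cert passes here unless its aux trust explicitly rejects anyExtendedKeyUsage, regardless of narrower purpose-specific trust settings.` would make the trade-off visible to the promised revisit. Note that X509_check_trust begins before and continues past this hunk.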