diff options
| author | tb <> | 2022-06-29 21:08:07 +0000 |
|---|---|---|
| committer | tb <> | 2022-06-29 21:08:07 +0000 |
| commit | 9f44bbceaed6292b842455e640f3de2978aba6e2 (patch) | |
| tree | d02192d851f6cda6d522c2e1b6eeb4f4e9e4bf31 /src | |
| parent | 7ae5167e29afee766e1fa7e3809bada939f325f5 (diff) | |
| download | openbsd-9f44bbceaed6292b842455e640f3de2978aba6e2.tar.gz openbsd-9f44bbceaed6292b842455e640f3de2978aba6e2.tar.bz2 openbsd-9f44bbceaed6292b842455e640f3de2978aba6e2.zip | |
Make sure the verifier checks the security level in cert chains
ok beck jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_cert.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 246a010180..ecf8179d51 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_cert.c,v 1.97 2022/06/28 20:43:21 tb Exp $ */ | 1 | /* $OpenBSD: ssl_cert.c,v 1.98 2022/06/29 21:08:07 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -362,6 +362,7 @@ int | |||
| 362 | ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) | 362 | ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) |
| 363 | { | 363 | { |
| 364 | X509_STORE_CTX *ctx = NULL; | 364 | X509_STORE_CTX *ctx = NULL; |
| 365 | X509_VERIFY_PARAM *param; | ||
| 365 | X509 *x; | 366 | X509 *x; |
| 366 | int ret = 0; | 367 | int ret = 0; |
| 367 | 368 | ||
| @@ -385,11 +386,17 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) | |||
| 385 | */ | 386 | */ |
| 386 | X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server"); | 387 | X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server"); |
| 387 | 388 | ||
| 389 | param = X509_STORE_CTX_get0_param(ctx); | ||
| 390 | |||
| 391 | #if defined(LIBRESSL_HAS_SECURITY_LEVEL) | ||
| 392 | X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s)); | ||
| 393 | #endif | ||
| 394 | |||
| 388 | /* | 395 | /* |
| 389 | * Anything non-default in "param" should overwrite anything | 396 | * Anything non-default in "param" should overwrite anything |
| 390 | * in the ctx. | 397 | * in the ctx. |
| 391 | */ | 398 | */ |
| 392 | X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx), s->param); | 399 | X509_VERIFY_PARAM_set1(param, s->param); |
| 393 | 400 | ||
| 394 | if (s->internal->verify_callback) | 401 | if (s->internal->verify_callback) |
| 395 | X509_STORE_CTX_set_verify_cb(ctx, s->internal->verify_callback); | 402 | X509_STORE_CTX_set_verify_cb(ctx, s->internal->verify_callback); |