Add a -legacy_verify flag to force use of the old validator for debugging

and testing purposes. ok beck inoguchi jsing
author: tb <> 2020-10-26 11:48:39 +0000
committer: tb <> 2020-10-26 11:48:39 +0000
commit: d3ea9013dad42cd8c8569e9a061e851b2f3b757e (patch)
tree: f53b0c8f8b7f3bc6441adb37e2bd4974fd543d72 /src
parent: a32c02b8b29460995ef1893cecee58117c22d2e7 (diff)
download: openbsd-d3ea9013dad42cd8c8569e9a061e851b2f3b757e.tar.gz
openbsd-d3ea9013dad42cd8c8569e9a061e851b2f3b757e.tar.bz2
openbsd-d3ea9013dad42cd8c8569e9a061e851b2f3b757e.zip
3 files changed, 13 insertions, 4 deletions
diff --git a/src/usr.bin/openssl/apps.c b/src/usr.bin/openssl/apps.c
index e1dcd48b37..2c228aad59 100644
--- a/src/usr.bin/openssl/apps.c
+++ b/src/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.56 2020/10/14 07:20:09 tb Exp $ */
+/* $OpenBSD: apps.c,v 1.57 2020/10/26 11:48:39 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -1916,6 +1916,8 @@ args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
                flags |= X509_V_FLAG_POLICY_CHECK;
        else if (!strcmp(arg, "-explicit_policy"))
                flags |= X509_V_FLAG_EXPLICIT_POLICY;
+        else if (!strcmp(arg, "-legacy_verify"))
+                flags |= X509_V_FLAG_LEGACY_VERIFY;
        else if (!strcmp(arg, "-inhibit_any"))
                flags |= X509_V_FLAG_INHIBIT_ANY;
        else if (!strcmp(arg, "-inhibit_map"))
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index e364586f5a..474f00f493 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.125 2020/07/14 09:52:46 inoguchi Exp $
+.\" $OpenBSD: openssl.1,v 1.126 2020/10/26 11:48:39 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: July 14 2020 $
+.Dd $Mdocdate: October 26 2020 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -5859,6 +5859,7 @@ The default is no.
 .Op Fl inhibit_any
 .Op Fl inhibit_map
 .Op Fl issuer_checks
+.Op Fl legacy_verify
 .Op Fl policy_check
 .Op Fl purpose Ar purpose
 .Op Fl trusted Ar file
@@ -5931,6 +5932,8 @@ showing why each candidate issuer certificate was rejected.
 The presence of rejection messages
 does not itself imply that anything is wrong:
 during the normal verify process several rejections may take place.
+.It Fl legacy_verify
+Use the legacy X.509 certificate chain verification code.
 .It Fl policy_check
 Enable certificate policy processing.
 .It Fl purpose Ar purpose
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index 3da41b917a..e4443148ce 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.8 2020/07/14 19:08:30 jsing Exp $ */
+/* $OpenBSD: verify.c,v 1.9 2020/10/26 11:48:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -193,6 +193,10 @@ static const struct option verify_shared_options[] = {
                .desc = "Enable debugging of certificate issuer checks",
        },
        {
+                .name = "legacy_verify",
+                .desc = "Use legacy certificate chain verification",
+        },
+        {
                .name = "policy",
                .argname = "name",
                .desc = "Add given policy to the acceptable set",
author	tb <>	2020-10-26 11:48:39 +0000
committer	tb <>	2020-10-26 11:48:39 +0000
commit	d3ea9013dad42cd8c8569e9a061e851b2f3b757e (patch)
tree	f53b0c8f8b7f3bc6441adb37e2bd4974fd543d72 /src
parent	a32c02b8b29460995ef1893cecee58117c22d2e7 (diff)
download	openbsd-d3ea9013dad42cd8c8569e9a061e851b2f3b757e.tar.gz openbsd-d3ea9013dad42cd8c8569e9a061e851b2f3b757e.tar.bz2 openbsd-d3ea9013dad42cd8c8569e9a061e851b2f3b757e.zip