diff options
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 0297fac145..b19b5373c5 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | /* $OpenBSD: x509_verify.c,v 1.27 2021/01/05 16:53:10 jsing Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.28 2021/01/08 03:23:56 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| 5 | * Permission to use, copy, modify, and distribute this software for any | 5 | * Permission to use, copy, modify, and distribute this software for any |
| 6 | * purpose with or without fee is hereby granted, provided that the above | 6 | * purpose with or without fee is hereby granted, provided that the above |
| @@ -501,6 +501,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 501 | X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; | 501 | X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; |
| 502 | } | 502 | } |
| 503 | 503 | ||
| 504 | /* Check to see if we have a trusted root issuer. */ | ||
| 504 | for (i = 0; i < sk_X509_num(ctx->roots); i++) { | 505 | for (i = 0; i < sk_X509_num(ctx->roots); i++) { |
| 505 | candidate = sk_X509_value(ctx->roots, i); | 506 | candidate = sk_X509_value(ctx->roots, i); |
| 506 | if (x509_verify_potential_parent(ctx, candidate, cert)) { | 507 | if (x509_verify_potential_parent(ctx, candidate, cert)) { |
| @@ -508,15 +509,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 508 | cert_md, 1, candidate, current_chain); | 509 | cert_md, 1, candidate, current_chain); |
| 509 | } | 510 | } |
| 510 | } | 511 | } |
| 511 | if (ctx->intermediates != NULL) { | 512 | /* Check for legacy mode roots */ |
| 512 | for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { | ||
| 513 | candidate = sk_X509_value(ctx->intermediates, i); | ||
| 514 | if (x509_verify_potential_parent(ctx, candidate, cert)) { | ||
| 515 | x509_verify_consider_candidate(ctx, cert, | ||
| 516 | cert_md, 0, candidate, current_chain); | ||
| 517 | } | ||
| 518 | } | ||
| 519 | } | ||
| 520 | if (ctx->xsc != NULL) { | 513 | if (ctx->xsc != NULL) { |
| 521 | if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { | 514 | if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { |
| 522 | x509_verify_cert_error(ctx, cert, depth, | 515 | x509_verify_cert_error(ctx, cert, depth, |
| @@ -532,6 +525,17 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 532 | } | 525 | } |
| 533 | } | 526 | } |
| 534 | 527 | ||
| 528 | /* Check intermediates after checking roots */ | ||
| 529 | if (ctx->intermediates != NULL) { | ||
| 530 | for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { | ||
| 531 | candidate = sk_X509_value(ctx->intermediates, i); | ||
| 532 | if (x509_verify_potential_parent(ctx, candidate, cert)) { | ||
| 533 | x509_verify_consider_candidate(ctx, cert, | ||
| 534 | cert_md, 0, candidate, current_chain); | ||
| 535 | } | ||
| 536 | } | ||
| 537 | } | ||
| 538 | |||
| 535 | if (ctx->chains_count > count) { | 539 | if (ctx->chains_count > count) { |
| 536 | if (ctx->xsc != NULL) { | 540 | if (ctx->xsc != NULL) { |
| 537 | ctx->xsc->error = X509_V_OK; | 541 | ctx->xsc->error = X509_V_OK; |