-rw-r--r-- | src/lib/libcrypto/x509/x509_trs.c | 22 |
1 files changed, 8 insertions, 14 deletions
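--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.55 2024/03/26 22:43:42 tb Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.56 2024/07/12 15:53:51 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -94,7 +94,7 @@ obj_trust(int id, const X509 *x)
 }
 
 static int
-trust_compat(int nid, const X509 *x)
+trust_if_self_signed(const X509 *x)
 {
 /* Extensions already cached in X509_check_trust(). */
 if ((x->ex_flags & EXFLAG_SS) != 0)
@@ -111,7 +111,7 @@ trust_1oidany(int nid, const X509 *x)
 return obj_trust(nid, x);
 
 /* For compatibility we return trusted if the cert is self signed. */
-return trust_compat(NID_undef, x);
+return trust_if_self_signed(x);
 }
 
 static int
@@ -136,22 +136,16 @@ X509_check_trust(X509 *x, int trust_id, int flags)
 return X509_TRUST_UNTRUSTED;
 
 switch (trust_id) {
-case 0:
-/*
-* XXX beck/jsing This enables self signed certs to be trusted
-* for an unspecified id/trust flag value (this is NOT the
-* X509_TRUST_DEFAULT), which was the longstanding openssl
-* behaviour. boringssl does not have this behaviour.
-*
-* This should be revisited, but changing the default
-* "not default" may break things.
+case 0: /*
+* The default behaviour: If the certificate has EKU any, or it
+* is self-signed, it is trusted. Otherwise it is untrusted.
 */
 rv = obj_trust(NID_anyExtendedKeyUsage, x);
 if (rv != X509_TRUST_UNTRUSTED)
 return rv;
-return trust_compat(NID_undef, x);
+return trust_if_self_signed(x);
 case X509_TRUST_COMPAT:
-return trust_compat(NID_undef, x);
+return trust_if_self_signed(x);
 case X509_TRUST_SSL_CLIENT:
 return trust_1oidany(NID_client_auth, x);
 case X509_TRUST_SSL_SERVER: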
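Review bot: The rewritten comment above `rv = obj_trust(NID_anyExtendedKeyUsage, x);` in the X509_check_trust hunk drops the one fact a reader of this switch needs: that `case 0` is the "no trust id specified" path, distinct from X509_TRUST_DEFAULT, and that accepting any self-signed certificate there is a compatibility behaviour rather than a deliberate policy. It also overstates the outcome, since the code returns rv whenever it is not X509_TRUST_UNTRUSTED, so whatever obj_trust yields for the any-EKU object (its body is outside these hunks) is propagated unchanged, not only a "trusted" verdict. Suggest keeping the provenance in the comment, e.g. `* trust_id 0 means no trust id was specified (not X509_TRUST_DEFAULT).` / `* For compatibility: an explicit any-EKU trust setting decides; otherwise` / `* a self-signed certificate is trusted and anything else is untrusted.` Placing the comment opener on the `case 0: /*` label line is also out of step with the other cases in this switch; the old layout with `/*` on its own line read better. X509_check_trust's body continues past the end of this hunk.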