diff options
| -rw-r--r-- | src/lib/libcrypto/x509/x509_trs.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c index 42fb97f571..5be7abdf08 100644 --- a/src/lib/libcrypto/x509/x509_trs.c +++ b/src/lib/libcrypto/x509/x509_trs.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_trs.c,v 1.20 2015/02/10 11:22:21 jsing Exp $ */ | 1 | /* $OpenBSD: x509_trs.c,v 1.21 2016/11/06 10:31:34 beck Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 1999. | 3 | * project 1999. |
| 4 | */ | 4 | */ |
| @@ -116,6 +116,22 @@ X509_check_trust(X509 *x, int id, int flags) | |||
| 116 | 116 | ||
| 117 | if (id == -1) | 117 | if (id == -1) |
| 118 | return 1; | 118 | return 1; |
| 119 | /* | ||
| 120 | * XXX beck/jsing This enables self signed certs to be trusted for | ||
| 121 | * an unspecified id/trust flag value (this is NOT the | ||
| 122 | * X509_TRUST_DEFAULT), which was the longstanding | ||
| 123 | * openssl behaviour. boringssl does not have this behaviour. | ||
| 124 | * | ||
| 125 | * This should be revisited, but changing the default "not default" | ||
| 126 | * may break things. | ||
| 127 | */ | ||
| 128 | if (id == 0) { | ||
| 129 | int rv; | ||
| 130 | rv = obj_trust(NID_anyExtendedKeyUsage, x, 0); | ||
| 131 | if (rv != X509_TRUST_UNTRUSTED) | ||
| 132 | return rv; | ||
| 133 | return trust_compat(NULL, x, 0); | ||
| 134 | } | ||
| 119 | idx = X509_TRUST_get_by_id(id); | 135 | idx = X509_TRUST_get_by_id(id); |
| 120 | if (idx == -1) | 136 | if (idx == -1) |
| 121 | return default_trust(id, x, flags); | 137 | return default_trust(id, x, flags); |