Diffstat (limited to 'src/lib/libcrypto/x509/x509_verify.c')
-rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 20 |
1 files changed, 14 insertions, 6 deletions
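--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -207,21 +207,29 @@ static int
 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
 int full_chain)
 {
+X509 *match = NULL;
 int i;
 
 if (!x509_verify_cert_cache_extensions(cert))
 return 0;
 
+/* Check the provided roots */
 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
 return !full_chain ||
 x509_verify_cert_self_signed(cert);
 }
-/*
-* XXX what if this is a by_dir thing? this currently isn't
-* handled so this case is a bit messed up for loonix with
-* by directory trust bundles...
-*/
+
+/* Check by lookup if we have a legacy xsc */
+if (ctx->xsc != NULL) {
+if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
+cert)) != NULL) {
+X509_free(match);
+return !full_chain ||
+x509_verify_cert_self_signed(cert);
+}
+}
+
 return 0;
 }
 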
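Review bot: The removed XXX comment recorded that by-directory trust stores were never consulted, and the new lookup at new lines 224-231 only runs when `ctx->xsc` is non-NULL, so a caller using this verifier without a legacy X509_STORE_CTX still cannot have a root recognized through such a store; the caveat is worth keeping in the comment, e.g. `/* Check by lookup if we have a legacy xsc; without one, only ctx->roots is consulted */`. The match is used purely as a yes/no answer and freed at once, which is fine, but if `x509_vfy_lookup_cert_match` can also return NULL on an internal failure (allocation or store error) that case is indistinguishable here from "no match" and the certificate is quietly treated as a non-root; if the helper does distinguish those outcomes, a one-line comment saying so would save the next reader a trip into x509_vfy.c. On style, `match` is only needed inside the `ctx->xsc` branch and the two nested ifs can be folded into one, `if (ctx->xsc != NULL && (match = x509_vfy_lookup_cert_match(ctx->xsc, cert)) != NULL) {`, which keeps the early-return shape of the roots loop above it.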