diff options
Diffstat (limited to 'src/lib/libcrypto/x509/x509_verify.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 55 |
1 files changed, 29 insertions, 26 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 3176e110ba..68dd2863a7 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_verify.c,v 1.43 2021/08/28 07:49:00 beck Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.44 2021/08/28 15:22:42 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -213,13 +213,6 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 213 | if (!x509_verify_cert_cache_extensions(cert)) | 213 | if (!x509_verify_cert_cache_extensions(cert)) |
| 214 | return 0; | 214 | return 0; |
| 215 | 215 | ||
| 216 | /* Check the provided roots */ | ||
| 217 | for (i = 0; i < sk_X509_num(ctx->roots); i++) { | ||
| 218 | if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) | ||
| 219 | return !full_chain || | ||
| 220 | x509_verify_cert_self_signed(cert); | ||
| 221 | } | ||
| 222 | |||
| 223 | /* Check by lookup if we have a legacy xsc */ | 216 | /* Check by lookup if we have a legacy xsc */ |
| 224 | if (ctx->xsc != NULL) { | 217 | if (ctx->xsc != NULL) { |
| 225 | if ((match = x509_vfy_lookup_cert_match(ctx->xsc, | 218 | if ((match = x509_vfy_lookup_cert_match(ctx->xsc, |
| @@ -228,6 +221,13 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 228 | return !full_chain || | 221 | return !full_chain || |
| 229 | x509_verify_cert_self_signed(cert); | 222 | x509_verify_cert_self_signed(cert); |
| 230 | } | 223 | } |
| 224 | } else { | ||
| 225 | /* Check the provided roots */ | ||
| 226 | for (i = 0; i < sk_X509_num(ctx->roots); i++) { | ||
| 227 | if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) | ||
| 228 | return !full_chain || | ||
| 229 | x509_verify_cert_self_signed(cert); | ||
| 230 | } | ||
| 231 | } | 231 | } |
| 232 | 232 | ||
| 233 | return 0; | 233 | return 0; |
| @@ -611,17 +611,6 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 611 | X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; | 611 | X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; |
| 612 | } | 612 | } |
| 613 | 613 | ||
| 614 | /* Check to see if we have a trusted root issuer. */ | ||
| 615 | for (i = 0; i < sk_X509_num(ctx->roots); i++) { | ||
| 616 | candidate = sk_X509_value(ctx->roots, i); | ||
| 617 | if (x509_verify_potential_parent(ctx, candidate, cert)) { | ||
| 618 | is_root = !full_chain || | ||
| 619 | x509_verify_cert_self_signed(candidate); | ||
| 620 | x509_verify_consider_candidate(ctx, cert, | ||
| 621 | cert_md, is_root, candidate, current_chain, | ||
| 622 | full_chain); | ||
| 623 | } | ||
| 624 | } | ||
| 625 | /* Check for legacy mode roots */ | 614 | /* Check for legacy mode roots */ |
| 626 | if (ctx->xsc != NULL) { | 615 | if (ctx->xsc != NULL) { |
| 627 | if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { | 616 | if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { |
| @@ -639,6 +628,18 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 639 | } | 628 | } |
| 640 | X509_free(candidate); | 629 | X509_free(candidate); |
| 641 | } | 630 | } |
| 631 | } else { | ||
| 632 | /* Check to see if we have a trusted root issuer. */ | ||
| 633 | for (i = 0; i < sk_X509_num(ctx->roots); i++) { | ||
| 634 | candidate = sk_X509_value(ctx->roots, i); | ||
| 635 | if (x509_verify_potential_parent(ctx, candidate, cert)) { | ||
| 636 | is_root = !full_chain || | ||
| 637 | x509_verify_cert_self_signed(candidate); | ||
| 638 | x509_verify_consider_candidate(ctx, cert, | ||
| 639 | cert_md, is_root, candidate, current_chain, | ||
| 640 | full_chain); | ||
| 641 | } | ||
| 642 | } | ||
| 642 | } | 643 | } |
| 643 | 644 | ||
| 644 | /* Check intermediates after checking roots */ | 645 | /* Check intermediates after checking roots */ |
| @@ -933,7 +934,7 @@ x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, | |||
| 933 | } | 934 | } |
| 934 | 935 | ||
| 935 | struct x509_verify_ctx * | 936 | struct x509_verify_ctx * |
| 936 | x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) | 937 | x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc) |
| 937 | { | 938 | { |
| 938 | struct x509_verify_ctx *ctx; | 939 | struct x509_verify_ctx *ctx; |
| 939 | size_t max_depth; | 940 | size_t max_depth; |
| @@ -941,7 +942,7 @@ x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) | |||
| 941 | if (xsc == NULL) | 942 | if (xsc == NULL) |
| 942 | return NULL; | 943 | return NULL; |
| 943 | 944 | ||
| 944 | if ((ctx = x509_verify_ctx_new(roots)) == NULL) | 945 | if ((ctx = x509_verify_ctx_new(NULL)) == NULL) |
| 945 | return NULL; | 946 | return NULL; |
| 946 | 947 | ||
| 947 | ctx->xsc = xsc; | 948 | ctx->xsc = xsc; |
| @@ -969,14 +970,16 @@ x509_verify_ctx_new(STACK_OF(X509) *roots) | |||
| 969 | { | 970 | { |
| 970 | struct x509_verify_ctx *ctx; | 971 | struct x509_verify_ctx *ctx; |
| 971 | 972 | ||
| 972 | if (roots == NULL) | ||
| 973 | return NULL; | ||
| 974 | |||
| 975 | if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) | 973 | if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) |
| 976 | return NULL; | 974 | return NULL; |
| 977 | 975 | ||
| 978 | if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) | 976 | if (roots != NULL) { |
| 979 | goto err; | 977 | if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) |
| 978 | goto err; | ||
| 979 | } else { | ||
| 980 | if ((ctx->roots = sk_X509_new_null()) == NULL) | ||
| 981 | goto err; | ||
| 982 | } | ||
| 980 | 983 | ||
| 981 | ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; | 984 | ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; |
| 982 | ctx->max_chains = X509_VERIFY_MAX_CHAINS; | 985 | ctx->max_chains = X509_VERIFY_MAX_CHAINS; |