diff options
Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 38 |
1 files changed, 4 insertions, 34 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 8bba796198..8fd193699e 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -732,7 +732,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) | |||
| 732 | int (*cb)(int xok, X509_STORE_CTX *xctx); | 732 | int (*cb)(int xok, X509_STORE_CTX *xctx); |
| 733 | int proxy_path_length = 0; | 733 | int proxy_path_length = 0; |
| 734 | int purpose; | 734 | int purpose; |
| 735 | int allow_proxy_certs; | ||
| 736 | 735 | ||
| 737 | cb = ctx->verify_cb; | 736 | cb = ctx->verify_cb; |
| 738 | 737 | ||
| @@ -747,14 +746,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) | |||
| 747 | must_be_ca = -1; | 746 | must_be_ca = -1; |
| 748 | 747 | ||
| 749 | /* CRL path validation */ | 748 | /* CRL path validation */ |
| 750 | if (ctx->parent) { | 749 | if (ctx->parent) |
| 751 | allow_proxy_certs = 0; | ||
| 752 | purpose = X509_PURPOSE_CRL_SIGN; | 750 | purpose = X509_PURPOSE_CRL_SIGN; |
| 753 | } else { | 751 | else |
| 754 | allow_proxy_certs = | ||
| 755 | !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); | ||
| 756 | purpose = ctx->param->purpose; | 752 | purpose = ctx->param->purpose; |
| 757 | } | ||
| 758 | 753 | ||
| 759 | /* Check all untrusted certificates */ | 754 | /* Check all untrusted certificates */ |
| 760 | for (i = 0; i < ctx->num_untrusted; i++) { | 755 | for (i = 0; i < ctx->num_untrusted; i++) { |
| @@ -769,14 +764,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) | |||
| 769 | if (!ok) | 764 | if (!ok) |
| 770 | goto end; | 765 | goto end; |
| 771 | } | 766 | } |
| 772 | if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { | ||
| 773 | ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; | ||
| 774 | ctx->error_depth = i; | ||
| 775 | ctx->current_cert = x; | ||
| 776 | ok = cb(0, ctx); | ||
| 777 | if (!ok) | ||
| 778 | goto end; | ||
| 779 | } | ||
| 780 | ret = X509_check_ca(x); | 767 | ret = X509_check_ca(x); |
| 781 | switch (must_be_ca) { | 768 | switch (must_be_ca) { |
| 782 | case -1: | 769 | case -1: |
| @@ -838,24 +825,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) | |||
| 838 | /* Increment path length if not self issued */ | 825 | /* Increment path length if not self issued */ |
| 839 | if (!(x->ex_flags & EXFLAG_SI)) | 826 | if (!(x->ex_flags & EXFLAG_SI)) |
| 840 | plen++; | 827 | plen++; |
| 841 | /* If this certificate is a proxy certificate, the next | 828 | must_be_ca = 1; |
| 842 | certificate must be another proxy certificate or a EE | ||
| 843 | certificate. If not, the next certificate must be a | ||
| 844 | CA certificate. */ | ||
| 845 | if (x->ex_flags & EXFLAG_PROXY) { | ||
| 846 | if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { | ||
| 847 | ctx->error = | ||
| 848 | X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; | ||
| 849 | ctx->error_depth = i; | ||
| 850 | ctx->current_cert = x; | ||
| 851 | ok = cb(0, ctx); | ||
| 852 | if (!ok) | ||
| 853 | goto end; | ||
| 854 | } | ||
| 855 | proxy_path_length++; | ||
| 856 | must_be_ca = 0; | ||
| 857 | } else | ||
| 858 | must_be_ca = 1; | ||
| 859 | } | 829 | } |
| 860 | ok = 1; | 830 | ok = 1; |
| 861 | 831 | ||