summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_vfy.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c42
1 files changed, 41 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 4b042e0b26..76847e7224 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.c,v 1.115 2023/04/25 18:37:56 tb Exp $ */ 1/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1743,6 +1743,43 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1743 return 1; 1743 return 1;
1744} 1744}
1745 1745
1746
1747#ifdef LIBRESSL_HAS_POLICY_DAG
1748int
1749x509_vfy_check_policy(X509_STORE_CTX *ctx)
1750{
1751 X509 *current_cert = NULL;
1752 int ret;
1753
1754 if (ctx->parent != NULL)
1755 return 1;
1756
1757 ret = X509_policy_check(ctx->chain, ctx->param->policies,
1758 ctx->param->flags, &current_cert);
1759 if (ret != X509_V_OK) {
1760 ctx->current_cert = current_cert;
1761 ctx->error = ret;
1762 if (ret == X509_V_ERR_OUT_OF_MEM)
1763 return 0;
1764 return ctx->verify_cb(0, ctx);
1765 }
1766
1767 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1768 ctx->current_cert = NULL;
1769 /*
1770 * Verification errors need to be "sticky", a callback may have
1771 * allowed an SSL handshake to continue despite an error, and
1772 * we must then remain in an error state. Therefore, we MUST
1773 * NOT clear earlier verification errors by setting the error
1774 * to X509_V_OK.
1775 */
1776 if (!ctx->verify_cb(2, ctx))
1777 return 0;
1778 }
1779
1780 return 1;
1781}
1782#else
1746int 1783int
1747x509_vfy_check_policy(X509_STORE_CTX *ctx) 1784x509_vfy_check_policy(X509_STORE_CTX *ctx)
1748{ 1785{
@@ -1794,6 +1831,7 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
1794 1831
1795 return 1; 1832 return 1;
1796} 1833}
1834#endif
1797 1835
1798static int 1836static int
1799check_policy(X509_STORE_CTX *ctx) 1837check_policy(X509_STORE_CTX *ctx)
@@ -2486,10 +2524,12 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2486 X509_VERIFY_PARAM_free(ctx->param); 2524 X509_VERIFY_PARAM_free(ctx->param);
2487 ctx->param = NULL; 2525 ctx->param = NULL;
2488 } 2526 }
2527#ifndef LIBRESSL_HAS_POLICY_DAG
2489 if (ctx->tree != NULL) { 2528 if (ctx->tree != NULL) {
2490 X509_policy_tree_free(ctx->tree); 2529 X509_policy_tree_free(ctx->tree);
2491 ctx->tree = NULL; 2530 ctx->tree = NULL;
2492 } 2531 }
2532#endif
2493 if (ctx->chain != NULL) { 2533 if (ctx->chain != NULL) {
2494 sk_X509_pop_free(ctx->chain, X509_free); 2534 sk_X509_pop_free(ctx->chain, X509_free);
2495 ctx->chain = NULL; 2535 ctx->chain = NULL;