Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
-rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 42 |
1 files changed, 41 insertions, 1 deletions
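--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.115 2023/04/25 18:37:56 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1743,6 +1743,43 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 return 1;
 }
 
+
+#ifdef LIBRESSL_HAS_POLICY_DAG
+int
+x509_vfy_check_policy(X509_STORE_CTX *ctx)
+{
+X509 *current_cert = NULL;
+int ret;
+
+if (ctx->parent != NULL)
+return 1;
+
+ret = X509_policy_check(ctx->chain, ctx->param->policies,
+ctx->param->flags, ¤t_cert);
+if (ret != X509_V_OK) {
+ctx->current_cert = current_cert;
+ctx->error = ret;
+if (ret == X509_V_ERR_OUT_OF_MEM)
+return 0;
+return ctx->verify_cb(0, ctx);
+}
+
+if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
+ctx->current_cert = NULL;
+/*
+* Verification errors need to be "sticky", a callback may have
+* allowed an SSL handshake to continue despite an error, and
+* we must then remain in an error state. Therefore, we MUST
+* NOT clear earlier verification errors by setting the error
+* to X509_V_OK.
+*/
+if (!ctx->verify_cb(2, ctx))
+return 0;
+}
+
+return 1;
+}
+#else
 int
 x509_vfy_check_policy(X509_STORE_CTX *ctx)
 {
@@ -1794,6 +1831,7 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
 
 return 1;
 }
+#endif
 
 static int
 check_policy(X509_STORE_CTX *ctx)
@@ -2486,10 +2524,12 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 X509_VERIFY_PARAM_free(ctx->param);
 ctx->param = NULL;
 }
+#ifndef LIBRESSL_HAS_POLICY_DAG
 if (ctx->tree != NULL) {
 X509_policy_tree_free(ctx->tree);
 ctx->tree = NULL;
 }
+#endif
 if (ctx->chain != NULL) {
 sk_X509_pop_free(ctx->chain, X509_free);
 ctx->chain = NULL;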