3 files changed, 26 insertions, 8 deletions
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index 7160053a8a..493bf82ac8 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.8 2021/07/10 15:52:59 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.9 2021/08/19 03:44:00 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -92,6 +92,7 @@ int x509_vfy_check_policy(X509_STORE_CTX *ctx);
 int x509_vfy_check_trust(X509_STORE_CTX *ctx);
 int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
 void x509v3_cache_extensions(X509 *x);
+X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
 int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm,
    int notafter);
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 9073dda31d..5f3c97abf7 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -207,21 +207,29 @@ static int
 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
    int full_chain)
 {
+        X509 *match = NULL;
        int i;
        if (!x509_verify_cert_cache_extensions(cert))
                return 0;
+        /* Check the provided roots */
        for (i = 0; i < sk_X509_num(ctx->roots); i++) {
                if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
                        return !full_chain ||
                            x509_verify_cert_self_signed(cert);
        }
-        /*
-         * XXX what if this is a by_dir thing? this currently isn't
+        /* Check by lookup if we have a legacy xsc */
-         * handled so this case is a bit messed up for loonix with
+        if (ctx->xsc != NULL) {
-         * by directory trust bundles...
+                if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
-         */
+                    cert)) != NULL) {
+                        X509_free(match);
+                        return !full_chain ||
+                            x509_verify_cert_self_signed(cert);
+                }
+        }
        return 0;
 }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 9577040d9d..233c95c408 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.86 2021/02/25 17:29:22 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.87 2021/08/19 03:44:00 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -942,6 +942,15 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
        return xtmp;
 }
+X509 *
+x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
+{
+        if (ctx->lookup_certs == NULL || ctx->ctx == NULL ||
+            ctx->ctx->objs == NULL)
+                return NULL;
+        return lookup_cert_match(ctx, x);
+}
 static int
 check_trust(X509_STORE_CTX *ctx)
 {

diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h index 7160053a8a..493bf82ac8 100644 --- a/src/lib/libcrypto/x509/x509_internal.h +++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_internal.h,v 1.8 2021/07/10 15:52:59 beck Exp $ */	1	/* $OpenBSD: x509_internal.h,v 1.9 2021/08/19 03:44:00 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -92,6 +92,7 @@ int x509_vfy_check_policy(X509_STORE_CTX *ctx);
92	int x509_vfy_check_trust(X509_STORE_CTX *ctx);	92	int x509_vfy_check_trust(X509_STORE_CTX *ctx);
93	int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);	93	int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
94	void x509v3_cache_extensions(X509 *x);	94	void x509v3_cache_extensions(X509 *x);
		95	X509 x509_vfy_lookup_cert_match(X509_STORE_CTX ctx, X509 *x);
95		96
96	int x509_verify_asn1_time_to_tm(const ASN1_TIME atime, struct tm tm,	97	int x509_verify_asn1_time_to_tm(const ASN1_TIME atime, struct tm tm,
97	int notafter);	98	int notafter);


diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 9073dda31d..5f3c97abf7 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */	1	/* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -207,21 +207,29 @@ static int
207	x509_verify_ctx_cert_is_root(struct x509_verify_ctx ctx, X509 cert,	207	x509_verify_ctx_cert_is_root(struct x509_verify_ctx ctx, X509 cert,
208	int full_chain)	208	int full_chain)
209	{	209	{
		210	X509 *match = NULL;
210	int i;	211	int i;
211		212
212	if (!x509_verify_cert_cache_extensions(cert))	213	if (!x509_verify_cert_cache_extensions(cert))
213	return 0;	214	return 0;
214		215
		216	/* Check the provided roots */
215	for (i = 0; i < sk_X509_num(ctx->roots); i++) {	217	for (i = 0; i < sk_X509_num(ctx->roots); i++) {
216	if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)	218	if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
217	return !full_chain \|\|	219	return !full_chain \|\|
218	x509_verify_cert_self_signed(cert);	220	x509_verify_cert_self_signed(cert);
219	}	221	}
220	/*	222
221	* XXX what if this is a by_dir thing? this currently isn't	223	/* Check by lookup if we have a legacy xsc */
222	* handled so this case is a bit messed up for loonix with	224	if (ctx->xsc != NULL) {
223	* by directory trust bundles...	225	if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
224	*/	226	cert)) != NULL) {
		227	X509_free(match);
		228	return !full_chain \|\|
		229	x509_verify_cert_self_signed(cert);
		230	}
		231	}
		232
225	return 0;	233	return 0;
226	}	234	}
227		235


diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 9577040d9d..233c95c408 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.86 2021/02/25 17:29:22 tb Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.87 2021/08/19 03:44:00 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -942,6 +942,15 @@ lookup_cert_match(X509_STORE_CTX ctx, X509 x)
942	return xtmp;	942	return xtmp;
943	}	943	}
944		944
		945	X509 *
		946	x509_vfy_lookup_cert_match(X509_STORE_CTX ctx, X509 x)
		947	{
		948	if (ctx->lookup_certs == NULL \|\| ctx->ctx == NULL \|\|
		949	ctx->ctx->objs == NULL)
		950	return NULL;
		951	return lookup_cert_match(ctx, x);
		952	}
		953
945	static int	954	static int
946	check_trust(X509_STORE_CTX *ctx)	955	check_trust(X509_STORE_CTX *ctx)
947	{	956	{