4 files changed, 73 insertions, 54 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index d197fe4ea7..27d2283ea7 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.23 2023/07/08 10:44:00 beck Exp $ */
+/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -168,8 +168,8 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
                        goto end;
                x = sk_X509_value(chain, sk_X509_num(chain) - 1);
-                if (X509_check_trust(x, NID_OCSP_sign, 0) !=
+                if (X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) !=
-                        X509_TRUST_TRUSTED) {
+                    X509_TRUST_TRUSTED) {
                        OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED);
                        goto end;
                }
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 5b74b0d1bd..6b72678e7a 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.25 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -71,6 +71,14 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP       EVP_sha512()
 #define X509_CRL_HASH_LEN       SHA512_DIGEST_LENGTH
+/*
+ * Used internally instead of the confusing X509_TRUST_DEFAULT,
+ * which is not the default for X509_check_trust.
+ * XXX Make X509_check_trust internal, and move the other
+ * X509_TRUST values here to clean up this mess.
+ */
+#define X509_TRUST_ACCEPT_ALL   -1
 struct X509_pubkey_st {
        X509_ALGOR *algor;
        ASN1_BIT_STRING *public_key;
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index d2e9277013..619a4b890a 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.42 2024/05/15 18:10:03 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -150,7 +150,7 @@ static const X509_PURPOSE xstandard[] = {
        },
        {
                .purpose = X509_PURPOSE_ANY,
-                .trust = X509_TRUST_DEFAULT,
+                .trust = X509_TRUST_ACCEPT_ALL,
                .check_purpose = no_check,
                .name = "Any Purpose",
                .sname = "any",
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 78eb29555e..9ba8194ee0 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.56 2024/07/12 15:53:51 beck Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.57 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -67,6 +67,23 @@
 #include "x509_local.h"
 static int
+trust_if_self_signed(const X509 *x)
+{
+        /* Extensions already cached in X509_check_trust(). */
+        if ((x->ex_flags & EXFLAG_SS) != 0)
+                return X509_TRUST_TRUSTED;
+        return X509_TRUST_UNTRUSTED;
+}
+static int
+trust_was_set(const X509 *x)
+{
+        return x->aux != NULL && (x->aux->trust != NULL ||
+            x->aux->reject != NULL);
+}
+static int
 obj_trust(int id, const X509 *x)
 {
        const X509_CERT_AUX *aux;
@@ -94,33 +111,31 @@ obj_trust(int id, const X509 *x)
 }
 static int
-trust_if_self_signed(const X509 *x)
+nid_from_trust_id(int trust_id)
-{
-        /* Extensions already cached in X509_check_trust(). */
-        if ((x->ex_flags & EXFLAG_SS) != 0)
-                return X509_TRUST_TRUSTED;
-        return X509_TRUST_UNTRUSTED;
-}
-static int
-trust_1oidany(int nid, const X509 *x)
 {
-        /* Inspect the certificate's trust settings if there are any. */
+        OPENSSL_assert(trust_id == 0 ||
-        if (x->aux != NULL && (x->aux->trust != NULL || x->aux->reject != NULL))
+            (trust_id >= X509_TRUST_MIN && trust_id <= X509_TRUST_MAX));
-                return obj_trust(nid, x);
-        /* For compatibility we return trusted if the cert is self signed. */
-        return trust_if_self_signed(x);
-}
-static int
+        switch (trust_id) {
-trust_1oid(int nid, const X509 *x)
+        case X509_TRUST_COMPAT:
-{
+                return NID_undef;
-        if (x->aux != NULL)
+        case X509_TRUST_SSL_CLIENT:
-                return obj_trust(nid, x);
+                return NID_client_auth;
+        case X509_TRUST_SSL_SERVER:
-        return X509_TRUST_UNTRUSTED;
+                return NID_server_auth;
+        case X509_TRUST_EMAIL:
+                return NID_email_protect;
+        case X509_TRUST_OBJECT_SIGN:
+                return NID_code_sign;
+        case X509_TRUST_OCSP_SIGN:
+                return NID_OCSP_sign;
+        case X509_TRUST_OCSP_REQUEST:
+                return NID_ad_OCSP;
+        case X509_TRUST_TSA:
+                return NID_time_stamp;
+        default:
+                return NID_undef;
+        }
 }
 int
@@ -128,40 +143,36 @@ X509_check_trust(X509 *x, int trust_id, int flags)
 {
        int rv;
-        if (trust_id == -1)
-                return 1;
        /* Call early so the trust handlers don't need to modify the certs. */
        if (!x509v3_cache_extensions(x))
                return X509_TRUST_UNTRUSTED;
+        /*
+         * XXX make X509_TRUST_ACCEPT_ALL a real boy once it does not
+         * need to have the same -1 value as X509_TRUST_DEFAULT
+         */
+        if (trust_id == X509_TRUST_ACCEPT_ALL)
+                return 1;
        switch (trust_id) {
-        case 0: /*
-                 * The default behaviour: If the certificate has EKU any, or it
-                 * is self-signed, it is trusted. Otherwise it is untrusted.
-                 */
-                rv = obj_trust(NID_anyExtendedKeyUsage, x);
-                if (rv != X509_TRUST_UNTRUSTED)
-                        return rv;
-                return trust_if_self_signed(x);
        case X509_TRUST_COMPAT:
                return trust_if_self_signed(x);
-        case X509_TRUST_SSL_CLIENT:
-                return trust_1oidany(NID_client_auth, x);
-        case X509_TRUST_SSL_SERVER:
-                return trust_1oidany(NID_server_auth, x);
        case X509_TRUST_EMAIL:
-                return trust_1oidany(NID_email_protect, x);
        case X509_TRUST_OBJECT_SIGN:
-                return trust_1oidany(NID_code_sign, x);
+        case X509_TRUST_SSL_SERVER:
+        case X509_TRUST_SSL_CLIENT:
+        case X509_TRUST_TSA:
+                if (trust_was_set(x))
+                        return obj_trust(nid_from_trust_id(trust_id), x);
+                return trust_if_self_signed(x);
        case X509_TRUST_OCSP_SIGN:
-                return trust_1oid(NID_OCSP_sign, x);
        case X509_TRUST_OCSP_REQUEST:
-                return trust_1oid(NID_ad_OCSP, x);
+                return obj_trust(nid_from_trust_id(trust_id), x);
-        case X509_TRUST_TSA:
-                return trust_1oidany(NID_time_stamp, x);
        default:
-                return obj_trust(trust_id, x);
+                rv = obj_trust(NID_anyExtendedKeyUsage, x);
+                if (rv != X509_TRUST_UNTRUSTED)
+                        return rv;
+                return trust_if_self_signed(x);
        }
 }
 LCRYPTO_ALIAS(X509_check_trust);

diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c index d197fe4ea7..27d2283ea7 100644 --- a/src/lib/libcrypto/ocsp/ocsp_vfy.c +++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ocsp_vfy.c,v 1.23 2023/07/08 10:44:00 beck Exp $ */	1	/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2000.	3	* project 2000.
4	*/	4	*/
@@ -168,8 +168,8 @@ OCSP_basic_verify(OCSP_BASICRESP bs, STACK_OF(X509) certs, X509_STORE *st,
168	goto end;	168	goto end;
169		169
170	x = sk_X509_value(chain, sk_X509_num(chain) - 1);	170	x = sk_X509_value(chain, sk_X509_num(chain) - 1);
171	if (X509_check_trust(x, NID_OCSP_sign, 0) !=	171	if (X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) !=
172	X509_TRUST_TRUSTED) {	172	X509_TRUST_TRUSTED) {
173	OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED);	173	OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED);
174	goto end;	174	goto end;
175	}	175	}


diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h index 5b74b0d1bd..6b72678e7a 100644 --- a/src/lib/libcrypto/x509/x509_local.h +++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */	1	/* $OpenBSD: x509_local.h,v 1.25 2024/07/12 18:15:10 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2013.	3	* project 2013.
4	*/	4	*/
@@ -71,6 +71,14 @@ __BEGIN_HIDDEN_DECLS
71	#define X509_CRL_HASH_EVP EVP_sha512()	71	#define X509_CRL_HASH_EVP EVP_sha512()
72	#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH	72	#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
73		73
		74	/*
		75	* Used internally instead of the confusing X509_TRUST_DEFAULT,
		76	* which is not the default for X509_check_trust.
		77	* XXX Make X509_check_trust internal, and move the other
		78	* X509_TRUST values here to clean up this mess.
		79	*/
		80	#define X509_TRUST_ACCEPT_ALL -1
		81
74	struct X509_pubkey_st {	82	struct X509_pubkey_st {
75	X509_ALGOR *algor;	83	X509_ALGOR *algor;
76	ASN1_BIT_STRING *public_key;	84	ASN1_BIT_STRING *public_key;


diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index d2e9277013..619a4b890a 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_purp.c,v 1.42 2024/05/15 18:10:03 tb Exp $ */	1	/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2001.	3	* project 2001.
4	*/	4	*/
@@ -150,7 +150,7 @@ static const X509_PURPOSE xstandard[] = {
150	},	150	},
151	{	151	{
152	.purpose = X509_PURPOSE_ANY,	152	.purpose = X509_PURPOSE_ANY,
153	.trust = X509_TRUST_DEFAULT,	153	.trust = X509_TRUST_ACCEPT_ALL,
154	.check_purpose = no_check,	154	.check_purpose = no_check,
155	.name = "Any Purpose",	155	.name = "Any Purpose",
156	.sname = "any",	156	.sname = "any",


diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c index 78eb29555e..9ba8194ee0 100644 --- a/src/lib/libcrypto/x509/x509_trs.c +++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_trs.c,v 1.56 2024/07/12 15:53:51 beck Exp $ */	1	/* $OpenBSD: x509_trs.c,v 1.57 2024/07/12 18:15:10 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -67,6 +67,23 @@
67	#include "x509_local.h"	67	#include "x509_local.h"
68		68
69	static int	69	static int
		70	trust_if_self_signed(const X509 *x)
		71	{
		72	/* Extensions already cached in X509_check_trust(). */
		73	if ((x->ex_flags & EXFLAG_SS) != 0)
		74	return X509_TRUST_TRUSTED;
		75
		76	return X509_TRUST_UNTRUSTED;
		77	}
		78
		79	static int
		80	trust_was_set(const X509 *x)
		81	{
		82	return x->aux != NULL && (x->aux->trust != NULL \|\|
		83	x->aux->reject != NULL);
		84	}
		85
		86	static int
70	obj_trust(int id, const X509 *x)	87	obj_trust(int id, const X509 *x)
71	{	88	{
72	const X509_CERT_AUX *aux;	89	const X509_CERT_AUX *aux;
@@ -94,33 +111,31 @@ obj_trust(int id, const X509 *x)
94	}	111	}
95		112
96	static int	113	static int
97	trust_if_self_signed(const X509 *x)	114	nid_from_trust_id(int trust_id)
98	{
99	/* Extensions already cached in X509_check_trust(). */
100	if ((x->ex_flags & EXFLAG_SS) != 0)
101	return X509_TRUST_TRUSTED;
102
103	return X509_TRUST_UNTRUSTED;
104	}
105
106	static int
107	trust_1oidany(int nid, const X509 *x)
108	{	115	{
109	/* Inspect the certificate's trust settings if there are any. */	116	OPENSSL_assert(trust_id == 0 \|\|
110	if (x->aux != NULL && (x->aux->trust != NULL \|\| x->aux->reject != NULL))	117	(trust_id >= X509_TRUST_MIN && trust_id <= X509_TRUST_MAX));
111	return obj_trust(nid, x);
112
113	/* For compatibility we return trusted if the cert is self signed. */
114	return trust_if_self_signed(x);
115	}
116		118
117	static int	119	switch (trust_id) {
118	trust_1oid(int nid, const X509 *x)	120	case X509_TRUST_COMPAT:
119	{	121	return NID_undef;
120	if (x->aux != NULL)	122	case X509_TRUST_SSL_CLIENT:
121	return obj_trust(nid, x);	123	return NID_client_auth;
122		124	case X509_TRUST_SSL_SERVER:
123	return X509_TRUST_UNTRUSTED;	125	return NID_server_auth;
		126	case X509_TRUST_EMAIL:
		127	return NID_email_protect;
		128	case X509_TRUST_OBJECT_SIGN:
		129	return NID_code_sign;
		130	case X509_TRUST_OCSP_SIGN:
		131	return NID_OCSP_sign;
		132	case X509_TRUST_OCSP_REQUEST:
		133	return NID_ad_OCSP;
		134	case X509_TRUST_TSA:
		135	return NID_time_stamp;
		136	default:
		137	return NID_undef;
		138	}
124	}	139	}
125		140
126	int	141	int
@@ -128,40 +143,36 @@ X509_check_trust(X509 *x, int trust_id, int flags)
128	{	143	{
129	int rv;	144	int rv;
130		145
131	if (trust_id == -1)
132	return 1;
133
134	/* Call early so the trust handlers don't need to modify the certs. */	146	/* Call early so the trust handlers don't need to modify the certs. */
135	if (!x509v3_cache_extensions(x))	147	if (!x509v3_cache_extensions(x))
136	return X509_TRUST_UNTRUSTED;	148	return X509_TRUST_UNTRUSTED;
137		149
		150	/*
		151	* XXX make X509_TRUST_ACCEPT_ALL a real boy once it does not
		152	* need to have the same -1 value as X509_TRUST_DEFAULT
		153	*/
		154	if (trust_id == X509_TRUST_ACCEPT_ALL)
		155	return 1;
		156
138	switch (trust_id) {	157	switch (trust_id) {
139	case 0: /*
140	* The default behaviour: If the certificate has EKU any, or it
141	* is self-signed, it is trusted. Otherwise it is untrusted.
142	*/
143	rv = obj_trust(NID_anyExtendedKeyUsage, x);
144	if (rv != X509_TRUST_UNTRUSTED)
145	return rv;
146	return trust_if_self_signed(x);
147	case X509_TRUST_COMPAT:	158	case X509_TRUST_COMPAT:
148	return trust_if_self_signed(x);	159	return trust_if_self_signed(x);
149	case X509_TRUST_SSL_CLIENT:
150	return trust_1oidany(NID_client_auth, x);
151	case X509_TRUST_SSL_SERVER:
152	return trust_1oidany(NID_server_auth, x);
153	case X509_TRUST_EMAIL:	160	case X509_TRUST_EMAIL:
154	return trust_1oidany(NID_email_protect, x);
155	case X509_TRUST_OBJECT_SIGN:	161	case X509_TRUST_OBJECT_SIGN:
156	return trust_1oidany(NID_code_sign, x);	162	case X509_TRUST_SSL_SERVER:
		163	case X509_TRUST_SSL_CLIENT:
		164	case X509_TRUST_TSA:
		165	if (trust_was_set(x))
		166	return obj_trust(nid_from_trust_id(trust_id), x);
		167	return trust_if_self_signed(x);
157	case X509_TRUST_OCSP_SIGN:	168	case X509_TRUST_OCSP_SIGN:
158	return trust_1oid(NID_OCSP_sign, x);
159	case X509_TRUST_OCSP_REQUEST:	169	case X509_TRUST_OCSP_REQUEST:
160	return trust_1oid(NID_ad_OCSP, x);	170	return obj_trust(nid_from_trust_id(trust_id), x);
161	case X509_TRUST_TSA:
162	return trust_1oidany(NID_time_stamp, x);
163	default:	171	default:
164	return obj_trust(trust_id, x);	172	rv = obj_trust(NID_anyExtendedKeyUsage, x);
		173	if (rv != X509_TRUST_UNTRUSTED)
		174	return rv;
		175	return trust_if_self_signed(x);
165	}	176	}
166	}	177	}
167	LCRYPTO_ALIAS(X509_check_trust);	178	LCRYPTO_ALIAS(X509_check_trust);