From d53b4cfb1657b03af7f1654f76351dbb75a44d2f Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 6 Nov 2016 10:31:34 +0000
Subject: The upcoming x509 alt chains diff tightens the trust requirements for certificates. This (from OpenSSL) ensures that the current "default" behaviour remains the same. We should revisit this later ok jsing@

---
 src/lib/libcrypto/x509/x509_trs.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

(limited to 'src/lib/libcrypto/x509/x509_trs.c')

diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 42fb97f571..5be7abdf08 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.20 2015/02/10 11:22:21 jsing Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.21 2016/11/06 10:31:34 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999. */
@@ -116,6 +116,22 @@ X509_check_trust(X509 *x, int id, int flags)
 	if (id == -1)
 		return 1;
+	/*
+	 * XXX beck/jsing This enables self signed certs to be trusted for
+	 * an unspecified id/trust flag value (this is NOT the
+	 * X509_TRUST_DEFAULT), which was the longstanding
+	 * openssl behaviour. boringssl does not have this behaviour.
+	 *
+	 * This should be revisited, but changing the default "not default"
+	 * may break things.
+	 */
+	if (id == 0) {
+		int rv;
+		rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
+		if (rv != X509_TRUST_UNTRUSTED)
+			return rv;
+		return trust_compat(NULL, x, 0);
+	}
 	idx = X509_TRUST_get_by_id(id);
 	if (idx == -1)
 		return default_trust(id, x, flags);
-- 
cgit v1.2.3-55-g6feb
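Review bot: The new `id == 0` branch discards the caller's `flags` argument, passing a literal `0` to both `obj_trust(NID_anyExtendedKeyUsage, x, 0)` and `trust_compat(NULL, x, 0)`, while the `default_trust(id, x, flags)` call immediately below forwards it; since this is the path that grants trust to a self-signed certificate, a reader auditing trust decisions will want to know that the drop is intentional rather than an oversight. If it is deliberate to mirror the OpenSSL code the commit message cites, say so on the branch, e.g. `/* flags intentionally not forwarded: mirrors the OpenSSL code this was taken from */`, and otherwise forward `flags`. The XXX comment also describes only the self-signed fallback, yet the branch first consults the cert's auxiliary anyExtendedKeyUsage trust setting and returns that verdict whenever it is not untrusted; one sentence noting that explicit aux trust/reject settings take precedence here would make the comment match the code. The enclosing X509_check_trust starts and ends outside the hunk.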