From d7dfc10134411f17602aa3f2d5224ccb44f6701c Mon Sep 17 00:00:00 2001 From: beck <> Date: Sat, 12 Sep 2020 14:14:02 +0000 Subject: Change over to use the new x509 name constraints verification. ok jsing@ --- src/lib/libcrypto/x509/x509_vfy.c | 35 +++++++---------------------------- 1 file changed, 7 insertions(+), 28 deletions(-) (limited to 'src/lib/libcrypto') diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 126e0f3000..28dbf60c38 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.73 2020/05/31 17:23:39 jsing Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.74 2020/09/12 14:14:02 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -75,6 +75,7 @@ #include #include "asn1_locl.h" #include "vpm_int.h" +#include "x509_internal.h" #include "x509_lcl.h" /* CRL score values */ @@ -782,33 +783,11 @@ end: static int check_name_constraints(X509_STORE_CTX *ctx) { - X509 *x; - int i, j, rv; - - /* Check name constraints for all certificates */ - for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { - x = sk_X509_value(ctx->chain, i); - /* Ignore self issued certs unless last in chain */ - if (i && (x->ex_flags & EXFLAG_SI)) - continue; - /* Check against constraints for all certificates higher in - * chain including trust anchor. Trust anchor not strictly - * speaking needed but if it includes constraints it is to be - * assumed it expects them to be obeyed. - */ - for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { - NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; - if (nc) { - rv = NAME_CONSTRAINTS_check(x, nc); - if (rv != X509_V_OK) { - ctx->error = rv; - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } - } - } + if (!x509_constraints_chain(ctx->chain, &ctx->error, + &ctx->error_depth)) { + ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); + if (!ctx->verify_cb(0, ctx)) + return 0; } return 1; } -- cgit v1.2.3-55-g6feb