| author | Theo Buehler <tb@cvs.openbsd.org> | 2023-01-18 00:27:11 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-01-18 00:27:11 +0000 |
| commit | c6d4344ddaaaaa51590ee32f97e49f5e94eac707 (patch) | |
| tree | 34dfe90e4f3b95e2405ca732493dfa4ae91108ee | |
| parent | bb4a4bca7998a39cf9098a5b5fd323e9f154fc23 (diff) | |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.
ok beck
-rw-r--r-- | usr.sbin/rpki-client/validate.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c index 7183ffca59d..096681d8675 100644 --- a/usr.sbin/rpki-client/validate.c +++ b/usr.sbin/rpki-client/validate.c @@ -1,4 +1,4 @@ -/* $OpenBSD: validate.c,v 1.52 2023/01/04 14:22:43 claudio Exp $ */ +/* $OpenBSD: validate.c,v 1.53 2023/01/18 00:27:10 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -396,6 +396,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a, cryptoerrx("X509_VERIFY_PARAM_add0_policy"); flags = X509_V_FLAG_CRL_CHECK; + flags |= X509_V_FLAG_POLICY_CHECK; flags |= X509_V_FLAG_EXPLICIT_POLICY; flags |= X509_V_FLAG_INHIBIT_MAP; X509_STORE_CTX_set_flags(store_ctx, flags); |
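Review bot: the added `flags |= X509_V_FLAG_POLICY_CHECK;` in the valid_x509() hunk is the line that actually turns policy processing back on; the X509_V_FLAG_EXPLICIT_POLICY and X509_V_FLAG_INHIBIT_MAP flags set on the two following lines, and the policy installed via X509_VERIFY_PARAM_add0_policy in the context just above, only have an effect while policy checking itself is enabled, which the commit message says x509_verify.c r1.62 switched off by default. Consider a short comment above the flags block recording that dependency and the RFC 7318 requirement, so that a later cleanup does not drop the flag as apparently redundant next to X509_V_FLAG_EXPLICIT_POLICY. The RCS ID hunk is routine and needs no change.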