authorBob Beck <beck@cvs.openbsd.org>2016-11-06 10:31:35 +0000
committerBob Beck <beck@cvs.openbsd.org>2016-11-06 10:31:35 +0000
commite78a7659b1bb94406f52714af3e7165ed96ea23a (patch)
tree826515c5ca001b21314de44e520ee0395869e9ca
parentd27d6bd2cf7bd4d12fc95a32ae838b3bd6b953c9 (diff)
The upcoming x509 alt chains diff tightens the trust requirements
for certificates. This (from OpenSSL) ensures that the current "default" behaviour remains the same. We should revisit this later. ok jsing@
-rw-r--r--lib/libcrypto/x509/x509_trs.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c
index 42fb97f571e..5be7abdf08f 100644
--- a/lib/libcrypto/x509/x509_trs.c
+++ b/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.20 2015/02/10 11:22:21 jsing Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.21 2016/11/06 10:31:34 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -116,6 +116,22 @@ X509_check_trust(X509 *x, int id, int flags)
if (id == -1)
return 1;
+ /*
+ * XXX beck/jsing This enables self signed certs to be trusted for
+ * an unspecified id/trust flag value (this is NOT the
+ * X509_TRUST_DEFAULT), which was the longstanding
+ * openssl behaviour. boringssl does not have this behaviour.
+ *
+ * This should be revisited, but changing the default "not default"
+ * may break things.
+ */
+ if (id == 0) {
+ int rv;
+ rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
+ if (rv != X509_TRUST_UNTRUSTED)
+ return rv;
+ return trust_compat(NULL, x, 0);
+ }
idx = X509_TRUST_get_by_id(id);
if (idx == -1)
return default_trust(id, x, flags);
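Review bot: In the new `if (id == 0)` branch, both `obj_trust(NID_anyExtendedKeyUsage, x, 0)` and `trust_compat(NULL, x, 0)` receive a literal 0 rather than the caller's `flags`, so whatever the caller passed is dropped on this path, and the XXX comment does not say whether that is intended. Because the comment states that this path lets self-signed certificates be trusted, I would record the decision next to the calls, for example `/* flags is deliberately not passed on: id 0 always takes the compat path */`. The branch also returns before `X509_TRUST_get_by_id(id)`, so the trust table is never consulted for id 0; that is presumably the point, but the comment could say so, and could also note that any result other than `X509_TRUST_UNTRUSTED` from `obj_trust` is returned before the compat fallback. X509_check_trust begins and ends outside the hunk, so how the helpers treat their last argument is not visible here.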