diff options
| author | Bob Beck <beck@cvs.openbsd.org> | 2021-08-19 03:44:01 +0000 |
|---|---|---|
| committer | Bob Beck <beck@cvs.openbsd.org> | 2021-08-19 03:44:01 +0000 |
| commit | f58ffb7608544bcdc2a3640a891028d8fbc2b709 (patch) | |
| tree | a7b1c2231da3c8365e3bd4b5f2a857d56d6bb69c | |
| parent | f8da91ff8c96e1b559f7368f16c9e5e39dd860b3 (diff) | |
Pull roots out of the trust store in the legacy xsc when building chains
to handly by_dir and fun things correctly. - fixes dlg@'s case and
by_dir regress in openssl-ruby
ok jsing@
| -rw-r--r-- | lib/libcrypto/x509/x509_internal.h | 3 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_verify.c | 20 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_vfy.c | 11 |
3 files changed, 26 insertions, 8 deletions
diff --git a/lib/libcrypto/x509/x509_internal.h b/lib/libcrypto/x509/x509_internal.h index 7160053a8a4..493bf82ac84 100644 --- a/lib/libcrypto/x509/x509_internal.h +++ b/lib/libcrypto/x509/x509_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_internal.h,v 1.8 2021/07/10 15:52:59 beck Exp $ */ +/* $OpenBSD: x509_internal.h,v 1.9 2021/08/19 03:44:00 beck Exp $ */ /* * Copyright (c) 2020 Bob Beck <beck@openbsd.org> * @@ -92,6 +92,7 @@ int x509_vfy_check_policy(X509_STORE_CTX *ctx); int x509_vfy_check_trust(X509_STORE_CTX *ctx); int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); void x509v3_cache_extensions(X509 *x); +X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x); int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter); diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c index 9073dda31d0..5f3c97abf79 100644 --- a/lib/libcrypto/x509/x509_verify.c +++ b/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> * @@ -207,21 +207,29 @@ static int x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, int full_chain) { + X509 *match = NULL; int i; if (!x509_verify_cert_cache_extensions(cert)) return 0; + /* Check the provided roots */ for (i = 0; i < sk_X509_num(ctx->roots); i++) { if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) return !full_chain || x509_verify_cert_self_signed(cert); } - /* - * XXX what if this is a by_dir thing? this currently isn't - * handled so this case is a bit messed up for loonix with - * by directory trust bundles... - */ + + /* Check by lookup if we have a legacy xsc */ + if (ctx->xsc != NULL) { + if ((match = x509_vfy_lookup_cert_match(ctx->xsc, + cert)) != NULL) { + X509_free(match); + return !full_chain || + x509_verify_cert_self_signed(cert); + } + } + return 0; } diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 9577040d9d5..233c95c4086 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.86 2021/02/25 17:29:22 tb Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.87 2021/08/19 03:44:00 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -942,6 +942,15 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) return xtmp; } +X509 * +x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) +{ + if (ctx->lookup_certs == NULL || ctx->ctx == NULL || + ctx->ctx->objs == NULL) + return NULL; + return lookup_cert_match(ctx, x); +} + static int check_trust(X509_STORE_CTX *ctx) { |