From ae5c3af379b59402e225b783c31ab0cb1e0608dd Mon Sep 17 00:00:00 2001
From: Joel Sing
Date: Tue, 5 Jan 2021 17:14:47 +0000
Subject: Use legacy verifier when building auto chains.
The new verifier builds all chains, starting with the shortest possible path. It also does not currently return partial chains. Both of these things conflict with auto chain, where we want to build the longest possible chain (to include all intermediates, and probably the root unnecessarily), as well as using an incomplete chain when a trusted chain is not known. Depending on software configuration, we can end up building a chain consisting only of a leaf certificate, rather than a longer chain. This results in auto chain not including intermediates, which is undesireable. For now, switch auto chain building to use the legacy verifier. This should resolve the issues encountered by ajacoutot@ with sendmail. ok tb@
---
 lib/libssl/ssl_both.c | 4 +++-
 lib/libssl/tls13_server.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
(limited to 'lib/libssl')
diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c
index 081b374396b..6480b45becf 100644
--- a/lib/libssl/ssl_both.c
+++ b/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.21 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.22 2021/01/05 17:14:46 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -408,6 +408,8 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk)
 SSLerror(s, ERR_R_X509_LIB);
 goto err;
 }
+ X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx),
+ X509_V_FLAG_LEGACY_VERIFY);
 X509_verify_cert(xs_ctx);
 ERR_clear_error();
 chain = xs_ctx->chain;
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 1c8644ab27a..549383e3313 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
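Review bot: The new X509_VERIFY_PARAM_set_flags() call in the ssl3_output_cert_chain() hunk carries no comment, so the reason for forcing the legacy verifier lives only in the commit message and a later cleanup could drop the flag and silently shrink the auto chain back to a bare leaf. A short comment above it would keep the intent visible, e.g. `/* Auto chain wants the longest chain available, including a partial one when no trusted path exists; only the legacy verifier builds such chains. */`. It is also worth stating in that comment that this X509_verify_cert() call is not a trust decision (its return value is ignored and the error queue is cleared on the next line), so that the legacy flag is not read as an endorsement of the legacy verifier for real chain validation elsewhere. The same change appears in the tls13_server_certificate_send() hunk of tls13_server.c and needs the same comment. ssl3_output_cert_chain() begins and ends outside this hunk.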
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.64 2020/12/14 15:26:36 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.65 2021/01/05 17:14:46 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing
 * Copyright (c) 2020 Bob Beck
@@ -639,6 +639,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 goto err;
 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
 goto err;
+ X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
+ X509_V_FLAG_LEGACY_VERIFY);
 X509_verify_cert(xsc);
 ERR_clear_error();
 chain = xsc->chain;
--
cgit v1.2.3