artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f409a94)
rpki-client: explicitly enable policy checks
authortb <tb@openbsd.org>
Wed, 18 Jan 2023 00:27:10 +0000 (00:27 +0000)
committertb <tb@openbsd.org>
Wed, 18 Jan 2023 00:27:10 +0000 (00:27 +0000)
In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.

ok beck

usr.sbin/rpki-client/validate.c patch | blob | history

diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 7183ffc..096681d 100644 (file)
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: validate.c,v 1.52 2023/01/04 14:22:43 claudio Exp $ */
+/*     $OpenBSD: validate.c,v 1.53 2023/01/18 00:27:10 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -396,6 +396,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
                cryptoerrx("X509_VERIFY_PARAM_add0_policy");
 
        flags = X509_V_FLAG_CRL_CHECK;
+       flags |= X509_V_FLAG_POLICY_CHECK;
        flags |= X509_V_FLAG_EXPLICIT_POLICY;
        flags |= X509_V_FLAG_INHIBIT_MAP;
        X509_STORE_CTX_set_flags(store_ctx, flags);
OpenBSD src
by Ahmet Artu Yildirim