From: beck
Date: Thu, 19 Aug 2021 03:44:00 +0000 (+0000)
Subject: Pull roots out of the trust store in the legacy xsc when building chains
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=ac5ed1688f6ce56d5c906d1c3bf118c962f582d2;p=openbsd

Pull roots out of the trust store in the legacy xsc when building chains
to handly by_dir and fun things correctly.
- fixes dlg@'s case and by_dir regress in openssl-ruby
ok jsing@
---
diff --git a/lib/libcrypto/x509/x509_internal.h b/lib/libcrypto/x509/x509_internal.h
index 7160053a8a4..493bf82ac84 100644
--- a/lib/libcrypto/x509/x509_internal.h
+++ b/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.8 2021/07/10 15:52:59 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.9 2021/08/19 03:44:00 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck
 *
@@ -92,6 +92,7 @@ int x509_vfy_check_policy(X509_STORE_CTX *ctx);
 int x509_vfy_check_trust(X509_STORE_CTX *ctx);
 int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
 void x509v3_cache_extensions(X509 *x);
+X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
 int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm,
 int notafter);
 
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index 9073dda31d0..5f3c97abf79 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck
 *
@@ -207,21 +207,29 @@ static int
 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
 int full_chain)
 {
+ X509 *match = NULL;
 int i;
 
 if (!x509_verify_cert_cache_extensions(cert))
 return 0;
 
+ /* Check the provided roots */
 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
 return !full_chain ||
 x509_verify_cert_self_signed(cert);
 }
- /*
- * XXX what if this is a by_dir thing? this currently isn't
- * handled so this case is a bit messed up for loonix with
- * by directory trust bundles...
- */
+
+ /* Check by lookup if we have a legacy xsc */
+ if (ctx->xsc != NULL) {
+ if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
+ cert)) != NULL) {
+ X509_free(match);
+ return !full_chain ||
+ x509_verify_cert_self_signed(cert);
+ }
+ }
+
 return 0;
 }
 
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 9577040d9d5..233c95c4086 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.86 2021/02/25 17:29:22 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.87 2021/08/19 03:44:00 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -942,6 +942,15 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 return xtmp;
 }
 
+X509 *
+x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
+{
+ if (ctx->lookup_certs == NULL || ctx->ctx == NULL ||
+ ctx->ctx->objs == NULL)
+ return NULL;
+ return lookup_cert_match(ctx, x);
+}
+
 static int
 check_trust(X509_STORE_CTX *ctx)
 {
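Review bot: The reference returned by x509_vfy_lookup_cert_match() is dropped on the very next line, so `match` exists only to prove that the legacy store holds this exact certificate, and nothing in the hunk says so; a comment such as `/* A hit only proves the cert is in the trust store; the reference itself is not needed, so drop it at once. */` above `X509_free(match);` would make the ownership explicit, assuming lookup_cert_match() hands back an up-referenced X509 (its body is outside this page). It is also worth a line noting that a store hit is deliberately subjected to the same `full_chain`/self-signed condition as an explicitly provided root, since that is the trust decision this new branch makes. The two nested ifs could collapse into one condition, `if (ctx->xsc != NULL && (match = x509_vfy_lookup_cert_match(ctx->xsc, cert)) != NULL) {`, which removes an indentation level without changing behaviour.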
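Review bot: x509_vfy_lookup_cert_match() is a new cross-file entry point with no comment on its contract, in particular what the three NULL checks guard and who owns the returned X509. A header comment along the lines of `/* Wrapper around lookup_cert_match() for use outside this file: returns NULL when ctx has no lookup_certs callback, no store or no object cache; otherwise the store's certificate matching x, presumably as a new reference the caller must X509_free(). */` would document what the caller in x509_verify.c relies on; the reference-ownership claim should be confirmed against lookup_cert_match(), whose body lies above the hunk. The `ctx->ctx->objs == NULL` test is the only one of the three that is not a plain "is there a store" check, so a word on which configuration it excludes would help the next reader.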