From bc7ae01a57de1d9f7a00f00e5ac4aff08735613b Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 18 Jan 2023 00:27:10 +0000
Subject: [PATCH] rpki-client: explicitly enable policy checks

In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.

ok beck
---
 usr.sbin/rpki-client/validate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 7183ffca59d..096681d8675 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.52 2023/01/04 14:22:43 claudio Exp $ */
+/* $OpenBSD: validate.c,v 1.53 2023/01/18 00:27:10 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -396,6 +396,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
 		cryptoerrx("X509_VERIFY_PARAM_add0_policy");
 
 	flags = X509_V_FLAG_CRL_CHECK;
+	flags |= X509_V_FLAG_POLICY_CHECK;
 	flags |= X509_V_FLAG_EXPLICIT_POLICY;
 	flags |= X509_V_FLAG_INHIBIT_MAP;
 	X509_STORE_CTX_set_flags(store_ctx, flags);
-- 
2.20.1
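Review bot: The added `flags |= X509_V_FLAG_POLICY_CHECK;` in valid_x509 carries no comment, and nothing in the code explains that the verifier no longer performs policy checking unless this flag is set, so the line looks redundant next to X509_V_FLAG_EXPLICIT_POLICY and is at risk of being dropped in a later cleanup — which would silently disable the RFC 7318 policy validation the commit message says is mandatory. A comment on the new line would preserve the reason: `/* Policy checks are off by default in the verifier; RFC 7318 requires them. */`. It is also worth stating in that comment that the add0_policy call above (preceding line of the hunk) presumably does not turn the check on by itself, if that is confirmed against the library. The body of valid_x509 starts and ends outside the hunk.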