From aea6116146ef462d11950ebf701e0f56a38b3d75 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Wed, 27 Jan 2016 22:43:23 -0500
Subject: [PATCH] Make it possible to check for explicit auxiliary trust By default X509_check_trust() trusts self-signed certificates from the trust store that have no explicit local trust/reject oids encapsulated as a "TRUSTED CERTIFICATE" object. (See the -addtrust and -trustout options of x509(1)). This commit adds a flag that makes it possible to distinguish between that implicit trust, and explicit auxiliary settings. With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is only trusted via explicit trust settings.
Reviewed-by: Dr. Stephen Henson
---
 crypto/x509/x509_trs.c | 2 +-
 include/openssl/x509.h | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 72c8110313..7392c55953 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -285,7 +285,7 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
 {
 /* Call for side-effect of computing hash and caching extensions */
 X509_check_purpose(x, -1, 0);
- if (x->ex_flags & EXFLAG_SS)
+ if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS)
 return X509_TRUST_TRUSTED;
 else
 return X509_TRUST_UNTRUSTED;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 477bff8eb8..7581bb4be8 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -199,8 +199,9 @@ DEFINE_STACK_OF(X509_TRUST)
 # define X509_TRUST_MAX 8
 /* trust_flags values */
-# define X509_TRUST_DYNAMIC 1
-# define X509_TRUST_DYNAMIC_NAME 2
+# define X509_TRUST_DYNAMIC (1U << 0)
+# define X509_TRUST_DYNAMIC_NAME (1U << 1)
+# define X509_TRUST_NO_SS_COMPAT (1U << 2)
 /* check_trust return codes */
-- 
2.34.1
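Review bot: The opt-out added to trust_compat only works if every caller forwards its `flags` argument, and the call sites are outside this hunk; any path that reaches trust_compat with a literal 0 would still grant implicit self-signed trust even when the application set X509_TRUST_NO_SS_COMPAT, so that is worth confirming before relying on the flag. The condition itself is correct (`&` binds tighter than `&&`), but for a trust decision I would parenthesise the second test so the intent is unmistakable: `if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && (x->ex_flags & EXFLAG_SS) != 0)`. A comment above it such as `/* Self-signed certs are implicitly trusted unless the caller opts out */` would record that implicit trust remains the default. The function's closing brace lies outside the hunk.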
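Review bot: X509_TRUST_NO_SS_COMPAT is added under the `/* trust_flags values */` comment with no description, next to X509_TRUST_DYNAMIC and X509_TRUST_DYNAMIC_NAME, yet the other file in this patch tests it against the `flags` argument of trust_compat. If the two existing values describe trust-table entries rather than per-call options (presumably so, judging by their names), the new bit shares a namespace with flags of a different kind and should be kept apart or at least documented, for example `/* check-time flag: do not trust self-signed certs that lack explicit auxiliary trust settings */`. The switch from `1`/`2` to `(1U << n)` also makes the existing constants unsigned, which is visible to code that compares or prints them as int.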