[openssl-commits] [openssl] master update
Viktor Dukhovni
viktor at openssl.org
Fri Jan 29 15:53:55 UTC 2016
The branch master has been updated
via aea6116146ef462d11950ebf701e0f56a38b3d75 (commit)
from d8ca44ba4158a9dafeaa30d3cba6f113904d2aa6 (commit)
- Log -----------------------------------------------------------------
commit aea6116146ef462d11950ebf701e0f56a38b3d75
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Wed Jan 27 22:43:23 2016 -0500
Make it possible to check for explicit auxiliary trust

By default X509_check_trust() trusts self-signed certificates from
the trust store that have no explicit local trust/reject oids
encapsulated as a "TRUSTED CERTIFICATE" object. (See the -addtrust
and -trustout options of x509(1)).

This commit adds a flag that makes it possible to distinguish between
that implicit trust, and explicit auxiliary settings.

With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is only trusted
via explicit trust settings.

Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_trs.c | 2 +-
include/openssl/x509.h | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 72c8110..7392c55 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -285,7 +285,7 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
{
/* Call for side-effect of computing hash and caching extensions */
X509_check_purpose(x, -1, 0);
- if (x->ex_flags & EXFLAG_SS)
+ if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS)
return X509_TRUST_TRUSTED;
else
return X509_TRUST_UNTRUSTED;
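Review bot: In the new condition in trust_compat(), the right-hand operand `x->ex_flags & EXFLAG_SS` is left bare next to `&&` while the left-hand test is written out as `(...) == 0`. Precedence makes it correct, but `(x->ex_flags & EXFLAG_SS) != 0` would match the left side and be harder to misread in a line that decides trust. `flags` is declared `int` in the signature while X509_TRUST_NO_SS_COMPAT is defined as `(1U << 2)`, so the mask is evaluated as unsigned; that is harmless for this bit, but declaring the parameter unsigned would keep the types consistent. The existing comment above the test only mentions the X509_check_purpose() side effect; a short comment stating that with X509_TRUST_NO_SS_COMPAT set a self-signed certificate falls through to X509_TRUST_UNTRUSTED would document the new behaviour where it is implemented.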
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 477bff8..7581bb4 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -199,8 +199,9 @@ DEFINE_STACK_OF(X509_TRUST)
# define X509_TRUST_MAX 8
/* trust_flags values */
-# define X509_TRUST_DYNAMIC 1
-# define X509_TRUST_DYNAMIC_NAME 2
+# define X509_TRUST_DYNAMIC (1U << 0)
+# define X509_TRUST_DYNAMIC_NAME (1U << 1)
+# define X509_TRUST_NO_SS_COMPAT (1U << 2)
/* check_trust return codes */
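Review bot: X509_TRUST_NO_SS_COMPAT is added under the "trust_flags values" comment with no description, although unlike its two neighbours it changes the result of a trust check. A comment on the define saying that it disables the implicit trust of self-signed certificates and is meant to be set in the flags passed to the trust check, as the commit message describes, would let header readers use it correctly. Rewriting the existing `1` and `2` as `(1U << 0)` and `(1U << 1)` keeps the values but changes the constants from int to unsigned int, so it is worth confirming that existing uses of X509_TRUST_DYNAMIC and X509_TRUST_DYNAMIC_NAME do not compare them against signed values in a way that now draws compiler warnings.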