src - FreeBSD source tree

diff options


context:
space:
mode:

author	Jung-uk Kim <jkim@FreeBSD.org>	2019-02-26 19:31:33 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2019-02-26 19:31:33 +0000
commit	6935a639f0f999de98b970a3cf26b0dc80b1798b (patch)
tree	4549bd7ef0d8a5d43b6278ae71c08e155435c33f /crypto/openssl/apps
parent	50792eb553bf2cebaea3ddaea066100ab9e51f2d (diff)
parent	851f7386fd78b9787f4f6669ad271886a2a003f1 (diff)
download	src-6935a639f0f999de98b970a3cf26b0dc80b1798b.tar.gz src-6935a639f0f999de98b970a3cf26b0dc80b1798b.zip

Notes

Diffstat (limited to 'crypto/openssl/apps')

-rw-r--r--

crypto/openssl/apps/apps.c

-rw-r--r--

crypto/openssl/apps/ct_log_list.cnf

-rw-r--r--

crypto/openssl/apps/dh1024.pem

-rw-r--r--

crypto/openssl/apps/dh2048.pem

-rw-r--r--

crypto/openssl/apps/dh4096.pem

-rw-r--r--

crypto/openssl/apps/ocsp.c

-rw-r--r--

crypto/openssl/apps/openssl.cnf

-rw-r--r--

crypto/openssl/apps/pkcs12.c

-rw-r--r--

crypto/openssl/apps/rehash.c

-rw-r--r--

crypto/openssl/apps/s_cb.c

-rw-r--r--

crypto/openssl/apps/s_client.c

-rw-r--r--

crypto/openssl/apps/s_server.c

-rw-r--r--

crypto/openssl/apps/speed.c

-rw-r--r--

crypto/openssl/apps/verify.c

14 files changed, 197 insertions, 40 deletions

diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index 653e3973e04d..36cb0b278337 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -1561,7 +1561,7 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)

#else

BIO_snprintf(buf, sizeof(buf), "%s-attr", dbfile);

#endif

- dbattr_conf = app_load_config(buf);

+ dbattr_conf = app_load_config_quiet(buf);

retdb = app_malloc(sizeof(*retdb), "new DB");

retdb->db = tmpdb;

@@ -2196,7 +2196,7 @@ double app_tminterval(int stop, int usertime)

return ret;

}

-#elif defined(OPENSSL_SYSTEM_VXWORKS)

+#elif defined(OPENSSL_SYS_VXWORKS)

# include <time.h>

double app_tminterval(int stop, int usertime)

diff --git a/crypto/openssl/apps/ct_log_list.cnf b/crypto/openssl/apps/ct_log_list.cnf
index 650aa22da59c..e643cfdbdf3f 100644
--- a/crypto/openssl/apps/ct_log_list.cnf
+++ b/crypto/openssl/apps/ct_log_list.cnf

@@ -2,8 +2,8 @@

# that are to be trusted.

# Google's list of logs can be found here:

-# www.certificate-transparency.org/known-logs

+# www.certificate-transparency.org/known-logs

# A Python program to convert the log list to OpenSSL's format can be

# found here:

-# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py

+# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py

# Use the "--openssl_output" flag.

diff --git a/crypto/openssl/apps/dh1024.pem b/crypto/openssl/apps/dh1024.pem
index f1a5e180aa95..813e8a4a4822 100644
--- a/crypto/openssl/apps/dh1024.pem
+++ b/crypto/openssl/apps/dh1024.pem

@@ -4,7 +4,7 @@ Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL

/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC

-----END DH PARAMETERS-----

-These are the 1024-bit DH parameters from "Internet Key Exchange

+These are the 1024-bit DH parameters from "Internet Key Exchange

Protocol Version 2 (IKEv2)": https://tools.ietf.org/html/rfc5996

See https://tools.ietf.org/html/rfc2412 for how they were generated.

diff --git a/crypto/openssl/apps/dh2048.pem b/crypto/openssl/apps/dh2048.pem
index e899f2e0296d..288a20997e5a 100644
--- a/crypto/openssl/apps/dh2048.pem
+++ b/crypto/openssl/apps/dh2048.pem

@@ -7,8 +7,8 @@ fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq

5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==

-----END DH PARAMETERS-----

-These are the 2048-bit DH parameters from "More Modular Exponential

-(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":

+These are the 2048-bit DH parameters from "More Modular Exponential

+(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":

https://tools.ietf.org/html/rfc3526

See https://tools.ietf.org/html/rfc2412 for how they were generated.

diff --git a/crypto/openssl/apps/dh4096.pem b/crypto/openssl/apps/dh4096.pem
index adada2b55815..08560e1284e2 100644
--- a/crypto/openssl/apps/dh4096.pem
+++ b/crypto/openssl/apps/dh4096.pem

@@ -12,8 +12,8 @@ ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O

HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=

-----END DH PARAMETERS-----

-These are the 4096-bit DH parameters from "More Modular Exponential

-(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":

+These are the 4096-bit DH parameters from "More Modular Exponential

+(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":

https://tools.ietf.org/html/rfc3526

See https://tools.ietf.org/html/rfc2412 for how they were generated.

diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c
index 7fd78624bbcc..e8aeb11cc51d 100644
--- a/crypto/openssl/apps/ocsp.c
+++ b/crypto/openssl/apps/ocsp.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -36,7 +36,21 @@ NON_EMPTY_TRANSLATION_UNIT

# include <openssl/x509v3.h>

# include <openssl/rand.h>

-# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \

+#ifndef HAVE_FORK

+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)

+# define HAVE_FORK 0

+# else

+# define HAVE_FORK 1

+# endif

+#endif

+#if HAVE_FORK

+# undef NO_FORK

+#else

+# define NO_FORK

+#endif

+# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \

&& !defined(OPENSSL_NO_POSIX_IO)

# define OCSP_DAEMON

# include <sys/types.h>

@@ -53,6 +67,20 @@ NON_EMPTY_TRANSLATION_UNIT

# define LOG_ERR 2

# endif

+# if defined(OPENSSL_SYS_VXWORKS)

+/* not supported */

+int setpgid(pid_t pid, pid_t pgid)

+ errno = ENOSYS;

+ return 0;

+/* not supported */

+pid_t fork(void)

+ errno = ENOSYS;

+ return (pid_t) -1;

+# endif

/* Maximum leeway in validity period: default 5 minutes */

# define MAX_VALIDITY_PERIOD (5 * 60)

@@ -863,6 +891,7 @@ static void killall(int ret, pid_t *kidpids)

for (i = 0; i < multi; ++i)

if (kidpids[i] != 0)

(void)kill(kidpids[i], SIGTERM);

+ OPENSSL_free(kidpids);

sleep(1);

exit(ret);

}

@@ -977,7 +1006,6 @@ static void spawn_loop(void)

}

/* The loop above can only break on termsig */

- OPENSSL_free(kidpids);

syslog(LOG_INFO, "terminating on signal: %d", termsig);

killall(0, kidpids);

}

diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf
index 24538651ebb7..d67a4241af78 100644
--- a/crypto/openssl/apps/openssl.cnf
+++ b/crypto/openssl/apps/openssl.cnf

@@ -19,7 +19,7 @@ oid_section = new_oids

# To use this configuration file with the "-extfile" option of the

# "openssl x509" utility, name here the section containing the

# X.509v3 extensions to use:

-# extensions =

+# extensions =

# (Alternatively, use a configuration file that has only

# X.509v3 extensions in its main [= default] section.)

@@ -116,7 +116,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert

# input_password = secret

# output_password = secret

-# This sets a mask for permitted string types. There are several options.

+# This sets a mask for permitted string types. There are several options.

# default: PrintableString, T61String, BMPString.

# pkix : PrintableString, BMPString (PKIX recommendation before 2004)

# utf8only: only UTF8Strings (PKIX recommendation after 2004).

diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
index c8fc452ec6d2..719a309a860c 100644
--- a/crypto/openssl/apps/pkcs12.c
+++ b/crypto/openssl/apps/pkcs12.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -311,6 +311,13 @@ int pkcs12_main(int argc, char **argv)

if (cpass != NULL) {

mpass = cpass;

noprompt = 1;

+ if (twopass) {

+ if (export_cert)

+ BIO_printf(bio_err, "Option -twopass cannot be used with -passout or -password\n");

+ else

+ BIO_printf(bio_err, "Option -twopass cannot be used with -passin or -password\n");

+ goto end;

+ }

} else {

cpass = pass;

mpass = macpass;

diff --git a/crypto/openssl/apps/rehash.c b/crypto/openssl/apps/rehash.c
index bb41d3129f9c..2b769fbceb87 100644
--- a/crypto/openssl/apps/rehash.c
+++ b/crypto/openssl/apps/rehash.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -51,6 +51,26 @@

# endif

# define MAX_COLLISIONS 256

+# if defined(OPENSSL_SYS_VXWORKS)

+/*

+ * VxWorks has no symbolic links

+ */

+# define lstat(path, buf) stat(path, buf)

+int symlink(const char *target, const char *linkpath)

+ errno = ENOSYS;

+ return -1;

+ssize_t readlink(const char *pathname, char *buf, size_t bufsiz)

+ errno = ENOSYS;

+ return -1;

+# endif

typedef struct hentry_st {

struct hentry_st *next;

char *filename;

diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
index 2d4568f40ccb..d0e332a7088a 100644
--- a/crypto/openssl/apps/s_cb.c
+++ b/crypto/openssl/apps/s_cb.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -24,7 +24,7 @@

#define COOKIE_SECRET_LENGTH 16

-VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };

+VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };

#ifndef OPENSSL_NO_SOCK

static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];

@@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)

if (!ok) {

BIO_printf(bio_err, "verify error:num=%d:%s\n", err,

X509_verify_cert_error_string(err));

- if (verify_args.depth >= depth) {

+ if (verify_args.depth < 0 || verify_args.depth >= depth) {

if (!verify_args.return_error)

ok = 1;

verify_args.error = err;

diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index dcaa10cf44eb..4dd6e2fef4e4 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -74,6 +74,7 @@ static void print_stuff(BIO *berr, SSL *con, int full);

static int ocsp_resp_cb(SSL *s, void *arg);

#endif

static int ldap_ExtendedResponse_parse(const char *buf, long rem);

+static int is_dNS_name(const char *host);

static int saved_errno;

@@ -596,6 +597,7 @@ typedef enum OPTION_choice {

#endif

OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,

OPT_ENABLE_PHA,

+ OPT_SCTP_LABEL_BUG,

OPT_R_ENUM

} OPTION_CHOICE;

@@ -750,6 +752,7 @@ const OPTIONS s_client_options[] = {

#endif

#ifndef OPENSSL_NO_SCTP

{"sctp", OPT_SCTP, '-', "Use SCTP"},

+ {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},

#endif

#ifndef OPENSSL_NO_SSL_TRACE

{"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},

@@ -976,6 +979,9 @@ int s_client_main(int argc, char **argv)

#endif

char *psksessf = NULL;

int enable_pha = 0;

+#ifndef OPENSSL_NO_SCTP

+ int sctp_label_bug = 0;

+#endif

FD_ZERO(&readfds);

FD_ZERO(&writefds);

@@ -1121,6 +1127,7 @@ int s_client_main(int argc, char **argv)

goto opthelp;

break;

case OPT_VERIFY_RET_ERROR:

+ verify = SSL_VERIFY_PEER;

verify_args.return_error = 1;

break;

case OPT_VERIFY_QUIET:

@@ -1323,6 +1330,11 @@ int s_client_main(int argc, char **argv)

protocol = IPPROTO_SCTP;

#endif

break;

+ case OPT_SCTP_LABEL_BUG:

+#ifndef OPENSSL_NO_SCTP

+ sctp_label_bug = 1;

+#endif

+ break;

case OPT_TIMEOUT:

#ifndef OPENSSL_NO_DTLS

enable_timeouts = 1;

@@ -1707,6 +1719,11 @@ int s_client_main(int argc, char **argv)

}

+#ifndef OPENSSL_NO_SCTP

+ if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)

+ SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);

+#endif

if (min_version != 0

&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)

goto end;

@@ -1975,9 +1992,11 @@ int s_client_main(int argc, char **argv)

SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);

if (!noservername && (servername != NULL || dane_tlsa_domain == NULL)) {

- if (servername == NULL)

- servername = (host == NULL) ? "localhost" : host;

- if (!SSL_set_tlsext_host_name(con, servername)) {

+ if (servername == NULL) {

+ if(host == NULL || is_dNS_name(host))

+ servername = (host == NULL) ? "localhost" : host;

+ }

+ if (servername != NULL && !SSL_set_tlsext_host_name(con, servername)) {

BIO_printf(bio_err, "Unable to set TLS servername extension.\n");

ERR_print_errors(bio_err);

goto end;

@@ -3031,9 +3050,7 @@ int s_client_main(int argc, char **argv)

BIO_printf(bio_err, "RENEGOTIATING\n");

SSL_renegotiate(con);

cbuf_len = 0;

- }

- if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )

+ } else if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )

&& cmdletters) {

BIO_printf(bio_err, "KEYUPDATE\n");

SSL_key_update(con,

@@ -3459,4 +3476,69 @@ static int ldap_ExtendedResponse_parse(const char *buf, long rem)

return ret;

}

+/*

+ * Host dNS Name verifier: used for checking that the hostname is in dNS format

+ * before setting it as SNI

+ */

+static int is_dNS_name(const char *host)

+ const size_t MAX_LABEL_LENGTH = 63;

+ size_t i;

+ int isdnsname = 0;

+ size_t length = strlen(host);

+ size_t label_length = 0;

+ int all_numeric = 1;

+ /*

+ * Deviation from strict DNS name syntax, also check names with '_'

+ * Check DNS name syntax, any '-' or '.' must be internal,

+ * and on either side of each '.' we can't have a '-' or '.'.

+ *

+ * If the name has just one label, we don't consider it a DNS name.

+ */

+ for (i = 0; i < length && label_length < MAX_LABEL_LENGTH; ++i) {

+ char c = host[i];

+ if ((c >= 'a' && c <= 'z')

+ || (c >= 'A' && c <= 'Z')

+ || c == '_') {

+ label_length += 1;

+ all_numeric = 0;

+ continue;

+ }

+ if (c >= '0' && c <= '9') {

+ label_length += 1;

+ continue;

+ }

+ /* Dot and hyphen cannot be first or last. */

+ if (i > 0 && i < length - 1) {

+ if (c == '-') {

+ label_length += 1;

+ continue;

+ }

+ /*

+ * Next to a dot the preceding and following characters must not be

+ * another dot or a hyphen. Otherwise, record that the name is

+ * plausible, since it has two or more labels.

+ */

+ if (c == '.'

+ && host[i + 1] != '.'

+ && host[i - 1] != '-'

+ && host[i + 1] != '-') {

+ label_length = 0;

+ isdnsname = 1;

+ continue;

+ }

+ isdnsname = 0;

+ break;

+ }

+ /* dNS name must not be all numeric and labels must be shorter than 64 characters. */

+ isdnsname &= !all_numeric && !(label_length == MAX_LABEL_LENGTH);

+ return isdnsname;

#endif /* OPENSSL_NO_SOCK */

diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
index ac7dca607ba4..929a08bd85b0 100644
--- a/crypto/openssl/apps/s_server.c
+++ b/crypto/openssl/apps/s_server.c

@@ -1,5 +1,5 @@

@@ -751,7 +751,7 @@ typedef enum OPTION_choice {

OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,

OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,

OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,

- OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY,

+ OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,

OPT_R_ENUM,

OPT_S_ENUM,

OPT_V_ENUM,

@@ -938,6 +938,7 @@ const OPTIONS s_server_options[] = {

#endif

#ifndef OPENSSL_NO_SCTP

{"sctp", OPT_SCTP, '-', "Use SCTP"},

+ {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},

#endif

#ifndef OPENSSL_NO_DH

{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},

@@ -1047,6 +1048,9 @@ int s_server_main(int argc, char *argv[])

const char *keylog_file = NULL;

int max_early_data = -1, recv_max_early_data = -1;

char *psksessf = NULL;

+#ifndef OPENSSL_NO_SCTP

+ int sctp_label_bug = 0;

+#endif

/* Init of few remaining global variables */

local_argc = argc;

@@ -1407,7 +1411,7 @@ int s_server_main(int argc, char *argv[])

for (p = psk_key = opt_arg(); *p; p++) {

if (isxdigit(_UC(*p)))

continue;

- BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);

+ BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);

goto end;

}

break;

@@ -1490,6 +1494,11 @@ int s_server_main(int argc, char *argv[])

protocol = IPPROTO_SCTP;

#endif

break;

+ case OPT_SCTP_LABEL_BUG:

+#ifndef OPENSSL_NO_SCTP

+ sctp_label_bug = 1;

+#endif

+ break;

case OPT_TIMEOUT:

#ifndef OPENSSL_NO_DTLS

enable_timeouts = 1;

@@ -1792,6 +1801,12 @@ int s_server_main(int argc, char *argv[])

goto end;

}

+#ifndef OPENSSL_NO_SCTP

+ if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)

+ SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);

+#endif

if (min_version != 0

&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)

goto end;

@@ -2754,6 +2769,8 @@ static int init_ssl_connection(SSL *con)

BIO_ADDR_free(client);

return 0;

}

+ (void)BIO_ctrl_set_connected(wbio, client);

BIO_ADDR_free(client);

dtlslisten = 0;

} else {

diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index 40e990408ab9..506737d05fc6 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -100,7 +100,7 @@

#include <openssl/modes.h>

#ifndef HAVE_FORK

-# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)

+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_VXWORKS)

# define HAVE_FORK 0

# else

# define HAVE_FORK 1

@@ -1499,11 +1499,11 @@ int speed_main(int argc, char **argv)

{"nistp192", NID_X9_62_prime192v1, 192},

{"nistp224", NID_secp224r1, 224},

{"nistp256", NID_X9_62_prime256v1, 256},

- {"nistp384", NID_secp384r1, 384},

+ {"nistp384", NID_secp384r1, 384},

{"nistp521", NID_secp521r1, 521},

/* Binary Curves */

{"nistk163", NID_sect163k1, 163},

- {"nistk233", NID_sect233k1, 233},

+ {"nistk233", NID_sect233k1, 233},

{"nistk283", NID_sect283k1, 283},

{"nistk409", NID_sect409k1, 409},

{"nistk571", NID_sect571k1, 571},

diff --git a/crypto/openssl/apps/verify.c b/crypto/openssl/apps/verify.c
index 38377a57e4a9..1f9385606046 100644
--- a/crypto/openssl/apps/verify.c
+++ b/crypto/openssl/apps/verify.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -286,16 +286,19 @@ static int cb(int ok, X509_STORE_CTX *ctx)

cert_error,

X509_STORE_CTX_get_error_depth(ctx),

X509_verify_cert_error_string(cert_error));

+ /*

+ * Pretend that some errors are ok, so they don't stop further

+ * processing of the certificate chain. Setting ok = 1 does this.

+ * After X509_verify_cert() is done, we verify that there were

+ * no actual errors, even if the returned value was positive.

+ */

switch (cert_error) {

case X509_V_ERR_NO_EXPLICIT_POLICY:

policies_print(ctx);

/* fall thru */

case X509_V_ERR_CERT_HAS_EXPIRED:

- /*

- * since we are just checking the certificates, it is ok if they

- * are self signed. But we should still warn the user.

- */

+ /* Continue even if the leaf is a self signed cert */

case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:

/* Continue after extension errors too */

case X509_V_ERR_INVALID_CA: