Do not use x509 legacy verify anymore. LibreSSL has been fixed.

This commit is contained in:
bluhm
2024-02-08 19:24:44 +00:00
parent 98d5708ec0
commit 51a103d67a
2 changed files with 3 additions and 24 deletions
+1
@@ -1,6 +1,7 @@
COMMENT = library implementation of OPC UA
VERSION = 1.3.8
REVISION = 0
DISTNAME = open62541-${VERSION}
PKGNAME = open62541-${VERSION}
@@ -2,14 +2,10 @@ Replace X509_STORE_CTX_get_check_issued with X509_check_issued.
https://github.com/libressl-portable/portable/issues/748
https://github.com/open62541/open62541/commit/35939a5b688d9647dbc96db88df5df27ebcced7a
Workaround libressl validation issues with self signed certificates
by using the legacy verifier.
https://marc.info/?l=libressl&m=169307453205178&w=2
Index: plugins/crypto/openssl/ua_pki_openssl.c
--- plugins/crypto/openssl/ua_pki_openssl.c.orig
+++ plugins/crypto/openssl/ua_pki_openssl.c
@@ -485,10 +485,15 @@ UA_CertificateVerification_Verify (void *
@@ -485,7 +485,7 @@ UA_CertificateVerification_Verify (void *
/* Set flag to check if the certificate has an invalid signature */
X509_STORE_CTX_set_flags (storeCtx, X509_V_FLAG_CHECK_SS_SIGNATURE);
@@ -18,15 +14,7 @@ Index: plugins/crypto/openssl/ua_pki_openssl.c
X509_STORE_CTX_set_flags (storeCtx, X509_V_FLAG_CRL_CHECK);
}
+ /* use the libressl legacy verifier if available */
+#ifdef X509_V_FLAG_LEGACY_VERIFY
+ X509_STORE_CTX_set_flags(storeCtx, X509_V_FLAG_LEGACY_VERIFY);
+#endif
+
/* This condition will check whether the certificate is a User certificate or a CA certificate.
* If the KU_KEY_CERT_SIGN and KU_CRL_SIGN of key_usage are set, then the certificate shall be
* condidered as CA Certificate and cannot be used to establish a connection. Refer the test case
@@ -505,7 +510,7 @@ UA_CertificateVerification_Verify (void *
@@ -505,7 +505,7 @@ UA_CertificateVerification_Verify (void *
/* Check if the not trusted certificate has a CRL file. If there is no CRL file available for the corresponding
* parent certificate then return status code UA_STATUSCODE_BADCERTIFICATEISSUERREVOCATIONUNKNOWN. Refer the test
* case CTT/Security/Security Certificate Validation/002.js */
@@ -35,13 +23,3 @@ Index: plugins/crypto/openssl/ua_pki_openssl.c
/* Free X509_STORE_CTX and reuse it for certification verification */
if (storeCtx != NULL) {
X509_STORE_CTX_free(storeCtx);
@@ -527,6 +532,9 @@ UA_CertificateVerification_Verify (void *
/* Set flags for CRL check */
X509_STORE_CTX_set_flags (storeCtx, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+#ifdef X509_V_FLAG_LEGACY_VERIFY
+ X509_STORE_CTX_set_flags(storeCtx, X509_V_FLAG_LEGACY_VERIFY);
+#endif
opensslRet = X509_verify_cert (storeCtx);
if (opensslRet != 1) {
opensslRet = X509_STORE_CTX_get_error (storeCtx);
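Review bot: Dropping the `X509_V_FLAG_LEGACY_VERIFY` blocks at both `X509_STORE_CTX_set_flags` sites makes self-signed certificate validation depend on the fixed LibreSSL verifier, but after hunk `@@ -2,14 +2,10 @@` neither the surviving patch header (the `Replace X509_STORE_CTX_get_check_issued` lines plus the two links) nor the Makefile records which LibreSSL release carries that fix. Someone rebuilding the port against an older LibreSSL would get the pre-fix validation failures back with no hint, since the ifdef'd workaround is simply gone rather than guarded by a version check. I would keep a one-line trace in the patch header, e.g. `Self-signed certificate validation relies on the fixed LibreSSL verifier (LibreSSL >= <FIXED_VERSION>); the X509_V_FLAG_LEGACY_VERIFY workaround was removed deliberately.` with the version taken from the LibreSSL fix. The patched function `UA_CertificateVerification_Verify` starts and ends outside these hunks, so I cannot tell from here whether any other flag setup in it still assumed the legacy path.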