authorbeck <beck@openbsd.org>2020-09-12 14:14:02 +0000
committerbeck <beck@openbsd.org>2020-09-12 14:14:02 +0000
commite73513357495a9ffb27010debf0a7b370cda230c (patch)
tree474d1a12e438940d8daf0bacba7d9c454667d320 /lib/libcrypto/x509/x509_vfy.c
parentAdd sizes to free() calls (diff)
Change over to use the new x509 name constraints verification.
ok jsing@
Diffstat (limited to 'lib/libcrypto/x509/x509_vfy.c')
-rw-r--r--lib/libcrypto/x509/x509_vfy.c35
1 files changed, 7 insertions, 28 deletions
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 126e0f3000b..28dbf60c38b 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.73 2020/05/31 17:23:39 jsing Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.74 2020/09/12 14:14:02 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -75,6 +75,7 @@
#include <openssl/x509v3.h>
#include "asn1_locl.h"
#include "vpm_int.h"
+#include "x509_internal.h"
#include "x509_lcl.h"
/* CRL score values */
@@ -782,33 +783,11 @@ end:
static int
check_name_constraints(X509_STORE_CTX *ctx)
{
- X509 *x;
- int i, j, rv;
-
- /* Check name constraints for all certificates */
- for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
- x = sk_X509_value(ctx->chain, i);
- /* Ignore self issued certs unless last in chain */
- if (i && (x->ex_flags & EXFLAG_SI))
- continue;
- /* Check against constraints for all certificates higher in
- * chain including trust anchor. Trust anchor not strictly
- * speaking needed but if it includes constraints it is to be
- * assumed it expects them to be obeyed.
- */
- for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
- NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
- if (nc) {
- rv = NAME_CONSTRAINTS_check(x, nc);
- if (rv != X509_V_OK) {
- ctx->error = rv;
- ctx->error_depth = i;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
- }
- }
+ if (!x509_constraints_chain(ctx->chain, &ctx->error,
+ &ctx->error_depth)) {
+ ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
+ if (!ctx->verify_cb(0, ctx))
+ return 0;
}
return 1;
}
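Review bot: The new body indexes `sk_X509_value(ctx->chain, ctx->error_depth)` on the assumption that `x509_constraints_chain()` has written `ctx->error_depth` before returning 0; if the helper can fail for a reason other than a constraint violation (an allocation failure, say) without touching the depth, the lookup uses whatever depth was already in the ctx and `sk_X509_value()` may return NULL, which `verify_cb` implementations generally dereference. A short comment on the failure branch would pin the contract, e.g. `/* error and error_depth are only meaningful when x509_constraints_chain() returns 0 */`, or a NULL check on `current_cert` before the callback if the helper does not guarantee it. The removed loop also invoked `verify_cb` once per violating certificate and continued when the callback approved, whereas the replacement reports only the first violation; if that narrowing is intended it deserves a one-line note in the function. Whether the helper preserves the old skip of self-issued intermediates (`EXFLAG_SI`) is not visible from this hunk.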