diff options
| author | tb <> | 2023-06-20 14:21:19 +0000 |
|---|---|---|
| committer | tb <> | 2023-06-20 14:21:19 +0000 |
| commit | a7641133988eb74a1505ddbdd5ef7d3cae70b041 (patch) | |
| tree | af8f09a18c7463edb484ca6c922932b1d98762fa | |
| parent | 493bcd9093b2f475136974c32415a153d83e0399 (diff) | |
| download | openbsd-a7641133988eb74a1505ddbdd5ef7d3cae70b041.tar.gz openbsd-a7641133988eb74a1505ddbdd5ef7d3cae70b041.tar.bz2 openbsd-a7641133988eb74a1505ddbdd5ef7d3cae70b041.zip | |
Improve certificate version checks in x509v3_cache_extensions()
Only allow version v1-v3, disallow issuerUID and subjectUID in v1 certs
and require that if X509v3 extensions are present that the cert be v3.
Initial diff from job
ok job jsing
| -rw-r--r-- | src/lib/libcrypto/x509/x509_purp.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index 85d9b77f68..75d229b03b 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_purp.c,v 1.25 2023/04/23 21:49:15 job Exp $ */ | 1 | /* $OpenBSD: x509_purp.c,v 1.26 2023/06/20 14:21:19 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2001. | 3 | * project 2001. |
| 4 | */ | 4 | */ |
| @@ -449,6 +449,7 @@ x509v3_cache_extensions_internal(X509 *x) | |||
| 449 | ASN1_BIT_STRING *ns; | 449 | ASN1_BIT_STRING *ns; |
| 450 | EXTENDED_KEY_USAGE *extusage; | 450 | EXTENDED_KEY_USAGE *extusage; |
| 451 | X509_EXTENSION *ex; | 451 | X509_EXTENSION *ex; |
| 452 | long version; | ||
| 452 | int i; | 453 | int i; |
| 453 | 454 | ||
| 454 | if (x->ex_flags & EXFLAG_SET) | 455 | if (x->ex_flags & EXFLAG_SET) |
| @@ -456,12 +457,18 @@ x509v3_cache_extensions_internal(X509 *x) | |||
| 456 | 457 | ||
| 457 | X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL); | 458 | X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL); |
| 458 | 459 | ||
| 459 | /* V1 should mean no extensions ... */ | 460 | version = X509_get_version(x); |
| 460 | if (X509_get_version(x) == 0) { | 461 | if (version < 0 || version > 2) |
| 462 | x->ex_flags |= EXFLAG_INVALID; | ||
| 463 | if (version == 0) { | ||
| 461 | x->ex_flags |= EXFLAG_V1; | 464 | x->ex_flags |= EXFLAG_V1; |
| 462 | if (X509_get_ext_count(x) != 0) | 465 | /* UIDs may only appear in v2 or v3 certs */ |
| 466 | if (x->cert_info->issuerUID != NULL || | ||
| 467 | x->cert_info->subjectUID != NULL) | ||
| 463 | x->ex_flags |= EXFLAG_INVALID; | 468 | x->ex_flags |= EXFLAG_INVALID; |
| 464 | } | 469 | } |
| 470 | if (version != 2 && X509_get_ext_count(x) != 0) | ||
| 471 | x->ex_flags |= EXFLAG_INVALID; | ||
| 465 | 472 | ||
| 466 | /* Handle basic constraints */ | 473 | /* Handle basic constraints */ |
| 467 | if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) { | 474 | if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) { |