authorjob <>2021-10-26 15:14:18 +0000
committerjob <>2021-10-26 15:14:18 +0000
commitc1a0932336b1e3f1dfc4957add7d7e7c8a88ff36 (patch)
tree766673c3fbba98f9f20c68f9b588810a9dc1bcf8
parent58f0e9a0a11f944d9048084865ec2ca3c7b6b76c (diff)
Add RFC 3779 checks to both legacy and new verifier
OK beck@
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c10
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c12
2 files changed, 20 insertions, 2 deletions
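--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.49 2021/09/09 15:09:43 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.50 2021/10/26 15:14:18 job Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -352,6 +352,14 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 	if (!x509_vfy_check_chain_extensions(ctx->xsc))
 		goto err;
 
+#ifndef OPENSSL_NO_RFC3779
+	if (!X509v3_asid_validate_path(ctx->xsc))
+		goto err;
+
+	if (!X509v3_addr_validate_path(ctx->xsc))
+		goto err;
+#endif
+
 	if (!x509_constraints_chain(ctx->xsc->chain,
 	    &ctx->xsc->error, &ctx->xsc->error_depth)) {
 		X509 *cert = sk_X509_value(ctx->xsc->chain, depth);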
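Review bot: The `goto err` after each RFC 3779 validator reports whichever error is already stored in `ctx->xsc` rather than setting one here, whereas the `x509_constraints_chain` call immediately below is handed `&ctx->xsc->error` and `&ctx->xsc->error_depth` explicitly; the new code therefore relies on `X509v3_asid_validate_path` and `X509v3_addr_validate_path` to fill in `error`/`error_depth` on the `X509_STORE_CTX` (and presumably to consult the verify callback) before returning 0. That appears to be their contract, but it is not visible in this hunk, and if any failure path inside them left `error` untouched the `err` label would surface a stale code for a chain that was in fact rejected on RFC 3779 grounds. A one-line comment above the `#ifndef` would make the dependency explicit, e.g. `/* Both validators set xsc->error and error_depth on failure. */`. The same applies to the `ok = X509v3_asid_validate_path(ctx);` / `goto end` sequence added to X509_verify_cert_legacy in x509_vfy.c. x509_verify_ctx_validate_legacy_chain starts and ends outside this hunk, so the `err` label itself is not visible here.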
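--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.91 2021/10/24 13:52:13 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.92 2021/10/26 15:14:18 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -549,6 +549,16 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 	if (!ok)
 		goto end;
 
+#ifndef OPENSSL_NO_RFC3779
+	ok = X509v3_asid_validate_path(ctx);
+	if (!ok)
+		goto end;
+
+	ok = X509v3_addr_validate_path(ctx);
+	if (!ok)
+		goto end;
+#endif
+
 	ok = check_id(ctx);
 	if (!ok)
 		goto end;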