Use EXFLAG_INVALID to handle out of memory and parse errors in

x509v3_cache_extensions(). ok tb@
author: tobhe <> 2021-03-13 23:01:49 +0000
committer: tobhe <> 2021-03-13 23:01:49 +0000
commit: 0c378cc53837d51d2f3a48a028d7726d2a78d8d7 (patch)
tree: 203add7eba338a639cc64ed6703102a30b3bdce1 /src/lib/libcrypto/x509/x509_verify.c
parent: 266aa0aa5323d0e87855e9e761085c9b055a4f10 (diff)
download: openbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.tar.gz
openbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.tar.bz2
openbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 3c8369f1f9..9c34e31ee3 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.35 2021/03/12 15:53:38 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.36 2021/03/13 23:01:49 tobhe Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -756,6 +756,10 @@ x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca
                CRYPTO_w_lock(CRYPTO_LOCK_X509);
                x509v3_cache_extensions(cert);
                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+                if (cert->ex_flags & EXFLAG_INVALID) {
+                        ctx->error = X509_V_ERR_UNSPECIFIED;
+                        return 0;
+                }
        }
        if (ctx->xsc != NULL)
author	tobhe <>	2021-03-13 23:01:49 +0000
committer	tobhe <>	2021-03-13 23:01:49 +0000
commit	0c378cc53837d51d2f3a48a028d7726d2a78d8d7 (patch)
tree	203add7eba338a639cc64ed6703102a30b3bdce1 /src/lib/libcrypto/x509/x509_verify.c
parent	266aa0aa5323d0e87855e9e761085c9b055a4f10 (diff)
download	openbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.tar.gz openbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.tar.bz2 openbsd-0c378cc53837d51d2f3a48a028d7726d2a78d8d7.zip