diff options
| author | job <> | 2023-04-23 21:31:16 +0000 |
|---|---|---|
| committer | job <> | 2023-04-23 21:31:16 +0000 |
| commit | 4c20d9bfcef952ee5a32034ed25c792413465fde (patch) | |
| tree | 6845cb5f4e2722640f5effb72fa388651a08a748 /src/lib/libcrypto/x509 | |
| parent | aedbb67da548df0585f48b0c49d758c2366fea7f (diff) | |
| download | openbsd-4c20d9bfcef952ee5a32034ed25c792413465fde.tar.gz openbsd-4c20d9bfcef952ee5a32034ed25c792413465fde.tar.bz2 openbsd-4c20d9bfcef952ee5a32034ed25c792413465fde.zip | |
Add compliance checks for the X.509 version field
Check whether the X.509 version is in the range of valid version
values, and also checks whether the version is consistent with fields
new to those versions (such as X.509 v3 extensions).
X.690 section 11.5 states: "The encoding of a set value or a sequence
value shall not include an encoding for any component value which is
equal to its default value." However, enforcing version 1 (value 0) to
be absent reportedly caused some issues as recent as July 2020, so
accept version 1 even if it is explicitly encoded.
OK tb@ beck@
Diffstat (limited to 'src/lib/libcrypto/x509')
| -rw-r--r-- | src/lib/libcrypto/x509/x509.h | 3 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_err.c | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h index 9f87700c60..e8cedaae13 100644 --- a/src/lib/libcrypto/x509/x509.h +++ b/src/lib/libcrypto/x509/x509.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509.h,v 1.96 2023/04/18 08:47:28 tb Exp $ */ | 1 | /* $OpenBSD: x509.h,v 1.97 2023/04/23 21:31:16 job Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1200,6 +1200,7 @@ void ERR_load_X509_strings(void); | |||
| 1200 | #define X509_R_UNSUPPORTED_ALGORITHM 111 | 1200 | #define X509_R_UNSUPPORTED_ALGORITHM 111 |
| 1201 | #define X509_R_WRONG_LOOKUP_TYPE 112 | 1201 | #define X509_R_WRONG_LOOKUP_TYPE 112 |
| 1202 | #define X509_R_WRONG_TYPE 122 | 1202 | #define X509_R_WRONG_TYPE 122 |
| 1203 | #define X509_R_INVALID_VERSION 123 | ||
| 1203 | 1204 | ||
| 1204 | #ifdef __cplusplus | 1205 | #ifdef __cplusplus |
| 1205 | } | 1206 | } |
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c index 272d2894d8..84328df62a 100644 --- a/src/lib/libcrypto/x509/x509_err.c +++ b/src/lib/libcrypto/x509/x509_err.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_err.c,v 1.19 2023/02/16 08:38:17 tb Exp $ */ | 1 | /* $OpenBSD: x509_err.c,v 1.20 2023/04/23 21:31:16 job Exp $ */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| @@ -104,6 +104,7 @@ static ERR_STRING_DATA X509_str_reasons[] = { | |||
| 104 | {ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM), "unsupported algorithm"}, | 104 | {ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM), "unsupported algorithm"}, |
| 105 | {ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) , "wrong lookup type"}, | 105 | {ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) , "wrong lookup type"}, |
| 106 | {ERR_REASON(X509_R_WRONG_TYPE) , "wrong type"}, | 106 | {ERR_REASON(X509_R_WRONG_TYPE) , "wrong type"}, |
| 107 | {ERR_REASON(X509_R_INVALID_VERSION) , "wrong x509 version"}, | ||
| 107 | {0, NULL} | 108 | {0, NULL} |
| 108 | }; | 109 | }; |
| 109 | 110 | ||