Revert version 1.3 - not allowing the creation of bogus certificates

breaks the ruby regression tests that expect to make bogus certificates and see that they are rejected :( I am reverting this for now to make the regress tests pass, and will bring it back if we decide to patch the regress tests to remove the problem cases
author: beck <> 2021-10-27 10:22:08 +0000
committer: beck <> 2021-10-27 10:22:08 +0000
commit: b2a89f9426f1ee215d9d57cad8342591dc19aac3 (patch)
tree: 36af60dc22fd90c8115b4ab185164d6f9b10175e /src
parent: c4b045656c4e6d30f67df55e0294a6f4824f748e (diff)
download: openbsd-b2a89f9426f1ee215d9d57cad8342591dc19aac3.tar.gz
openbsd-b2a89f9426f1ee215d9d57cad8342591dc19aac3.tar.bz2
openbsd-b2a89f9426f1ee215d9d57cad8342591dc19aac3.zip
1 files changed, 3 insertions, 47 deletions
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 02a4a3a377..891c7dd787 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.3 2021/10/26 09:09:53 beck Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.4 2021/10/27 10:22:08 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -63,8 +63,6 @@
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
-#include "x509_internal.h"
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
@@ -614,11 +612,8 @@ GENERAL_NAME *
 v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
 {
-        uint8_t *bytes = NULL;
-        char *name, *value;
-        GENERAL_NAME *ret;
-        size_t len = 0;
        int type;
+        char *name, *value;
        name = cnf->name;
        value = cnf->value;
@@ -648,46 +643,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
                return NULL;
        }
-        ret = a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
+        return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
-        /* Validate what we have for sanity */
-        type = x509_constraints_general_to_bytes(ret, &bytes, &len);
-        switch(type) {
-        case GEN_DNS:
-                if (!x509_constraints_valid_sandns(bytes, len)) {
-                        X509V3error(X509V3_R_BAD_OBJECT);
-                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
-                        goto err;
-                }
-                break;
-        case GEN_URI:
-                if (!x509_constraints_uri_host(bytes, len, NULL)) {
-                        X509V3error(X509V3_R_BAD_OBJECT);
-                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
-                        goto err;
-                }
-                break;
-        case GEN_EMAIL:
-                if (!x509_constraints_parse_mailbox(bytes, len, NULL)) {
-                        X509V3error(X509V3_R_BAD_OBJECT);
-                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
-                        goto err;
-                }
-                break;
-        case GEN_IPADD:
-                if (len != 4 && len != 16) {
-                        X509V3error(X509V3_R_BAD_IP_ADDRESS);
-                        ERR_asprintf_error_data("name=%s len=%zu", name, len);
-                        goto err;
-                }
-                break;
-        default:
-                break;
-        }
-        return ret;
- err:
-        GENERAL_NAME_free(ret);
-        return NULL;
 }
 static int
author	beck <>	2021-10-27 10:22:08 +0000
committer	beck <>	2021-10-27 10:22:08 +0000
commit	b2a89f9426f1ee215d9d57cad8342591dc19aac3 (patch)
tree	36af60dc22fd90c8115b4ab185164d6f9b10175e /src
parent	c4b045656c4e6d30f67df55e0294a6f4824f748e (diff)
download	openbsd-b2a89f9426f1ee215d9d57cad8342591dc19aac3.tar.gz openbsd-b2a89f9426f1ee215d9d57cad8342591dc19aac3.tar.bz2 openbsd-b2a89f9426f1ee215d9d57cad8342591dc19aac3.zip

diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c index 02a4a3a377..891c7dd787 100644 --- a/src/lib/libcrypto/x509/x509_alt.c +++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_alt.c,v 1.3 2021/10/26 09:09:53 beck Exp $ */	1	/* $OpenBSD: x509_alt.c,v 1.4 2021/10/27 10:22:08 beck Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project.	3	* project.
4	*/	4	*/
@@ -63,8 +63,6 @@
63	#include <openssl/err.h>	63	#include <openssl/err.h>
64	#include <openssl/x509v3.h>	64	#include <openssl/x509v3.h>
65		65
66	#include "x509_internal.h"
67
68	static GENERAL_NAMES v2i_subject_alt(X509V3_EXT_METHOD method,	66	static GENERAL_NAMES v2i_subject_alt(X509V3_EXT_METHOD method,
69	X509V3_CTX ctx, STACK_OF(CONF_VALUE) nval);	67	X509V3_CTX ctx, STACK_OF(CONF_VALUE) nval);
70	static GENERAL_NAMES v2i_issuer_alt(X509V3_EXT_METHOD method,	68	static GENERAL_NAMES v2i_issuer_alt(X509V3_EXT_METHOD method,
@@ -614,11 +612,8 @@ GENERAL_NAME *
614	v2i_GENERAL_NAME_ex(GENERAL_NAME out, const X509V3_EXT_METHOD method,	612	v2i_GENERAL_NAME_ex(GENERAL_NAME out, const X509V3_EXT_METHOD method,
615	X509V3_CTX ctx, CONF_VALUE cnf, int is_nc)	613	X509V3_CTX ctx, CONF_VALUE cnf, int is_nc)
616	{	614	{
617	uint8_t *bytes = NULL;
618	char name, value;
619	GENERAL_NAME *ret;
620	size_t len = 0;
621	int type;	615	int type;
		616	char name, value;
622		617
623	name = cnf->name;	618	name = cnf->name;
624	value = cnf->value;	619	value = cnf->value;
@@ -648,46 +643,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME out, const X509V3_EXT_METHOD method,
648	return NULL;	643	return NULL;
649	}	644	}
650		645
651	ret = a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);	646	return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
652
653	/* Validate what we have for sanity */
654	type = x509_constraints_general_to_bytes(ret, &bytes, &len);
655	switch(type) {
656	case GEN_DNS:
657	if (!x509_constraints_valid_sandns(bytes, len)) {
658	X509V3error(X509V3_R_BAD_OBJECT);
659	ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
660	goto err;
661	}
662	break;
663	case GEN_URI:
664	if (!x509_constraints_uri_host(bytes, len, NULL)) {
665	X509V3error(X509V3_R_BAD_OBJECT);
666	ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
667	goto err;
668	}
669	break;
670	case GEN_EMAIL:
671	if (!x509_constraints_parse_mailbox(bytes, len, NULL)) {
672	X509V3error(X509V3_R_BAD_OBJECT);
673	ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
674	goto err;
675	}
676	break;
677	case GEN_IPADD:
678	if (len != 4 && len != 16) {
679	X509V3error(X509V3_R_BAD_IP_ADDRESS);
680	ERR_asprintf_error_data("name=%s len=%zu", name, len);
681	goto err;
682	}
683	break;
684	default:
685	break;
686	}
687	return ret;
688	err:
689	GENERAL_NAME_free(ret);
690	return NULL;
691	}	647	}
692		648
693	static int	649	static int