diff options
| author | job <> | 2021-10-26 15:14:18 +0000 |
|---|---|---|
| committer | job <> | 2021-10-26 15:14:18 +0000 |
| commit | c1a0932336b1e3f1dfc4957add7d7e7c8a88ff36 (patch) | |
| tree | 766673c3fbba98f9f20c68f9b588810a9dc1bcf8 /src | |
| parent | 58f0e9a0a11f944d9048084865ec2ca3c7b6b76c (diff) | |
| download | openbsd-c1a0932336b1e3f1dfc4957add7d7e7c8a88ff36.tar.gz openbsd-c1a0932336b1e3f1dfc4957add7d7e7c8a88ff36.tar.bz2 openbsd-c1a0932336b1e3f1dfc4957add7d7e7c8a88ff36.zip | |
Add RFC 3779 checks to both legacy and new verifier
OK beck@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 10 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 12 |
2 files changed, 20 insertions, 2 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index e49fbdee48..8bcc647149 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_verify.c,v 1.49 2021/09/09 15:09:43 beck Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.50 2021/10/26 15:14:18 job Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -352,6 +352,14 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, | |||
| 352 | if (!x509_vfy_check_chain_extensions(ctx->xsc)) | 352 | if (!x509_vfy_check_chain_extensions(ctx->xsc)) |
| 353 | goto err; | 353 | goto err; |
| 354 | 354 | ||
| 355 | #ifndef OPENSSL_NO_RFC3779 | ||
| 356 | if (!X509v3_asid_validate_path(ctx->xsc)) | ||
| 357 | goto err; | ||
| 358 | |||
| 359 | if (!X509v3_addr_validate_path(ctx->xsc)) | ||
| 360 | goto err; | ||
| 361 | #endif | ||
| 362 | |||
| 355 | if (!x509_constraints_chain(ctx->xsc->chain, | 363 | if (!x509_constraints_chain(ctx->xsc->chain, |
| 356 | &ctx->xsc->error, &ctx->xsc->error_depth)) { | 364 | &ctx->xsc->error, &ctx->xsc->error_depth)) { |
| 357 | X509 *cert = sk_X509_value(ctx->xsc->chain, depth); | 365 | X509 *cert = sk_X509_value(ctx->xsc->chain, depth); |
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index c54444c91b..4c3fe7f3e3 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vfy.c,v 1.91 2021/10/24 13:52:13 tb Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.92 2021/10/26 15:14:18 job Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -549,6 +549,16 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx) | |||
| 549 | if (!ok) | 549 | if (!ok) |
| 550 | goto end; | 550 | goto end; |
| 551 | 551 | ||
| 552 | #ifndef OPENSSL_NO_RFC3779 | ||
| 553 | ok = X509v3_asid_validate_path(ctx); | ||
| 554 | if (!ok) | ||
| 555 | goto end; | ||
| 556 | |||
| 557 | ok = X509v3_addr_validate_path(ctx); | ||
| 558 | if (!ok) | ||
| 559 | goto end; | ||
| 560 | #endif | ||
| 561 | |||
| 552 | ok = check_id(ctx); | 562 | ok = check_id(ctx); |
| 553 | if (!ok) | 563 | if (!ok) |
| 554 | goto end; | 564 | goto end; |