diff options
| -rw-r--r-- | src/lib/libcrypto/x509/x509_purp.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index 8f4e5934e1..baa33d5764 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_purp.c,v 1.40 2024/04/08 23:46:21 beck Exp $ */ | 1 | /* $OpenBSD: x509_purp.c,v 1.41 2024/04/09 15:00:44 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2001. | 3 | * project 2001. |
| 4 | */ | 4 | */ |
| @@ -398,6 +398,13 @@ x509v3_cache_extensions_internal(X509 *x) | |||
| 398 | if (x->ex_flags & EXFLAG_SET) | 398 | if (x->ex_flags & EXFLAG_SET) |
| 399 | return; | 399 | return; |
| 400 | 400 | ||
| 401 | /* | ||
| 402 | * XXX - this should really only set EXFLAG_INVALID if extensions are | ||
| 403 | * invalid. However, the X509_digest() failure matches OpenSSL/BoringSSL | ||
| 404 | * behavior and the version checks are at least vaguely related to | ||
| 405 | * extensions. | ||
| 406 | */ | ||
| 407 | |||
| 401 | if (!X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL)) | 408 | if (!X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL)) |
| 402 | x->ex_flags |= EXFLAG_INVALID; | 409 | x->ex_flags |= EXFLAG_INVALID; |
| 403 | 410 | ||