diff options
Diffstat (limited to 'src/lib/libcrypto/x509/x509_addr.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_addr.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index 035353826b..d33d4f2f8e 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_addr.c,v 1.78 2022/03/16 11:44:36 tb Exp $ */ | 1 | /* $OpenBSD: x509_addr.c,v 1.79 2022/04/21 04:48:12 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Contributed to the OpenSSL Project by the American Registry for | 3 | * Contributed to the OpenSSL Project by the American Registry for |
| 4 | * Internet Numbers ("ARIN"). | 4 | * Internet Numbers ("ARIN"). |
| @@ -1780,11 +1780,11 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, | |||
| 1780 | if (ext == NULL) { | 1780 | if (ext == NULL) { |
| 1781 | depth = 0; | 1781 | depth = 0; |
| 1782 | cert = sk_X509_value(chain, depth); | 1782 | cert = sk_X509_value(chain, depth); |
| 1783 | if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) | ||
| 1784 | goto done; | ||
| 1783 | if ((ext = cert->rfc3779_addr) == NULL) | 1785 | if ((ext = cert->rfc3779_addr) == NULL) |
| 1784 | goto done; | 1786 | goto done; |
| 1785 | } | 1787 | } else if (!X509v3_addr_is_canonical(ext)) { |
| 1786 | |||
| 1787 | if (!X509v3_addr_is_canonical(ext)) { | ||
| 1788 | if ((ret = verify_error(ctx, cert, | 1788 | if ((ret = verify_error(ctx, cert, |
| 1789 | X509_V_ERR_INVALID_EXTENSION, depth)) == 0) | 1789 | X509_V_ERR_INVALID_EXTENSION, depth)) == 0) |
| 1790 | goto done; | 1790 | goto done; |
| @@ -1806,6 +1806,12 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, | |||
| 1806 | for (depth++; depth < sk_X509_num(chain); depth++) { | 1806 | for (depth++; depth < sk_X509_num(chain); depth++) { |
| 1807 | cert = sk_X509_value(chain, depth); | 1807 | cert = sk_X509_value(chain, depth); |
| 1808 | 1808 | ||
| 1809 | if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) { | ||
| 1810 | if ((ret = verify_error(ctx, cert, | ||
| 1811 | X509_V_ERR_INVALID_EXTENSION, depth)) == 0) | ||
| 1812 | goto done; | ||
| 1813 | } | ||
| 1814 | |||
| 1809 | if ((parent = cert->rfc3779_addr) == NULL) { | 1815 | if ((parent = cert->rfc3779_addr) == NULL) { |
| 1810 | for (i = 0; i < sk_IPAddressFamily_num(child); i++) { | 1816 | for (i = 0; i < sk_IPAddressFamily_num(child); i++) { |
| 1811 | child_af = sk_IPAddressFamily_value(child, i); | 1817 | child_af = sk_IPAddressFamily_value(child, i); |
| @@ -1822,12 +1828,6 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, | |||
| 1822 | continue; | 1828 | continue; |
| 1823 | } | 1829 | } |
| 1824 | 1830 | ||
| 1825 | if (!X509v3_addr_is_canonical(parent)) { | ||
| 1826 | if ((ret = verify_error(ctx, cert, | ||
| 1827 | X509_V_ERR_INVALID_EXTENSION, depth)) == 0) | ||
| 1828 | goto done; | ||
| 1829 | } | ||
| 1830 | |||
| 1831 | /* | 1831 | /* |
| 1832 | * Check that the child's resources are covered by the parent. | 1832 | * Check that the child's resources are covered by the parent. |
| 1833 | * Each covered resource is replaced with the parent's resource | 1833 | * Each covered resource is replaced with the parent's resource |