diff options
Diffstat (limited to 'src/lib/libcrypto/x509/x509_asid.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_asid.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c index c82f2f32cc..5f43b3030d 100644 --- a/src/lib/libcrypto/x509/x509_asid.c +++ b/src/lib/libcrypto/x509/x509_asid.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_asid.c,v 1.30 2021/12/25 15:46:05 tb Exp $ */ | 1 | /* $OpenBSD: x509_asid.c,v 1.31 2022/04/21 04:48:12 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Contributed to the OpenSSL Project by the American Registry for | 3 | * Contributed to the OpenSSL Project by the American Registry for |
| 4 | * Internet Numbers ("ARIN"). | 4 | * Internet Numbers ("ARIN"). |
| @@ -1006,14 +1006,16 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, | |||
| 1006 | if (ext != NULL) { | 1006 | if (ext != NULL) { |
| 1007 | i = -1; | 1007 | i = -1; |
| 1008 | x = NULL; | 1008 | x = NULL; |
| 1009 | if (!X509v3_asid_is_canonical(ext)) | ||
| 1010 | validation_err(X509_V_ERR_INVALID_EXTENSION); | ||
| 1009 | } else { | 1011 | } else { |
| 1010 | i = 0; | 1012 | i = 0; |
| 1011 | x = sk_X509_value(chain, i); | 1013 | x = sk_X509_value(chain, i); |
| 1014 | if ((X509_get_extension_flags(x) & EXFLAG_INVALID) != 0) | ||
| 1015 | goto done; | ||
| 1012 | if ((ext = x->rfc3779_asid) == NULL) | 1016 | if ((ext = x->rfc3779_asid) == NULL) |
| 1013 | goto done; | 1017 | goto done; |
| 1014 | } | 1018 | } |
| 1015 | if (!X509v3_asid_is_canonical(ext)) | ||
| 1016 | validation_err(X509_V_ERR_INVALID_EXTENSION); | ||
| 1017 | if (ext->asnum != NULL) { | 1019 | if (ext->asnum != NULL) { |
| 1018 | switch (ext->asnum->type) { | 1020 | switch (ext->asnum->type) { |
| 1019 | case ASIdentifierChoice_inherit: | 1021 | case ASIdentifierChoice_inherit: |
| @@ -1042,13 +1044,13 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, | |||
| 1042 | for (i++; i < sk_X509_num(chain); i++) { | 1044 | for (i++; i < sk_X509_num(chain); i++) { |
| 1043 | x = sk_X509_value(chain, i); | 1045 | x = sk_X509_value(chain, i); |
| 1044 | 1046 | ||
| 1047 | if ((X509_get_extension_flags(x) & EXFLAG_INVALID) != 0) | ||
| 1048 | validation_err(X509_V_ERR_INVALID_EXTENSION); | ||
| 1045 | if (x->rfc3779_asid == NULL) { | 1049 | if (x->rfc3779_asid == NULL) { |
| 1046 | if (child_as != NULL || child_rdi != NULL) | 1050 | if (child_as != NULL || child_rdi != NULL) |
| 1047 | validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 1051 | validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
| 1048 | continue; | 1052 | continue; |
| 1049 | } | 1053 | } |
| 1050 | if (!X509v3_asid_is_canonical(x->rfc3779_asid)) | ||
| 1051 | validation_err(X509_V_ERR_INVALID_EXTENSION); | ||
| 1052 | if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { | 1054 | if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { |
| 1053 | validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 1055 | validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
| 1054 | child_as = NULL; | 1056 | child_as = NULL; |