1 files changed, 48 insertions, 7 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 2bb21b443e..2e4d0b823a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
        /* Check all untrusted certificates */
        for (i = 0; i < ctx->last_untrusted; i++)
                {
+                int ret;
                x = sk_X509_value(ctx->chain, i);
                if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
                        && (x->ex_flags & EXFLAG_CRITICAL))
@@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
-                if (!X509_check_purpose(x, ctx->purpose, i))
+                ret = X509_check_purpose(x, ctx->purpose, i);
+                if ((ret == 0)
+                         || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+                                && (ret != 1)))
                        {
                        if (i)
                                ctx->error = X509_V_ERR_INVALID_CA;
@@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
        if(issuer)
                {
+                /* Check for cRLSign bit if keyUsage present */
+                if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
+                        !(issuer->ex_kusage & KU_CRL_SIGN))
+                        {
+                        ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
+                        ok = ctx->verify_cb(0, ctx);
+                        if(!ok) goto err;
+                        }
                /* Attempt to get issuer certificate public key */
                ikey = X509_get_pubkey(issuer);
@@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
        {
        int idx, ok;
        X509_REVOKED rtmp;
+        STACK_OF(X509_EXTENSION) *exts;
+        X509_EXTENSION *ext;
        /* Look for serial number of certificate in CRL */
        rtmp.serialNumber = X509_get_serialNumber(x);
        idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
-        /* Not found: OK */
+        /* If found assume revoked: want something cleverer than
-        if(idx == -1) return 1;
-        /* Otherwise revoked: want something cleverer than
         * this to handle entry extensions in V2 CRLs.
         */
-        ctx->error = X509_V_ERR_CERT_REVOKED;
+        if(idx >= 0)
-        ok = ctx->verify_cb(0, ctx);
+                {
-        return ok;
+                ctx->error = X509_V_ERR_CERT_REVOKED;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok) return 0;
+                }
+        if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+                return 1;
+        /* See if we have any critical CRL extensions: since we
+         * currently don't handle any CRL extensions the CRL must be
+         * rejected. 
+         * This code accesses the X509_CRL structure directly: applications
+         * shouldn't do this.
+         */
+        exts = crl->crl->extensions;
+        for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
+                {
+                ext = sk_X509_EXTENSION_value(exts, idx);
+                if (ext->critical > 0)
+                        {
+                        ctx->error =
+                                X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+                        ok = ctx->verify_cb(0, ctx);
+                        if(!ok) return 0;
+                        break;
+                        }
+                }
+        return 1;
        }
 static int internal_verify(X509_STORE_CTX *ctx)

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 2bb21b443e..2e4d0b823a 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
383	/* Check all untrusted certificates */	383	/* Check all untrusted certificates */
384	for (i = 0; i < ctx->last_untrusted; i++)	384	for (i = 0; i < ctx->last_untrusted; i++)
385	{	385	{
		386	int ret;
386	x = sk_X509_value(ctx->chain, i);	387	x = sk_X509_value(ctx->chain, i);
387	if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)	388	if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
388	&& (x->ex_flags & EXFLAG_CRITICAL))	389	&& (x->ex_flags & EXFLAG_CRITICAL))
@@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
393	ok=cb(0,ctx);	394	ok=cb(0,ctx);
394	if (!ok) goto end;	395	if (!ok) goto end;
395	}	396	}
396	if (!X509_check_purpose(x, ctx->purpose, i))	397	ret = X509_check_purpose(x, ctx->purpose, i);
		398	if ((ret == 0)
		399	\|\| ((ctx->flags & X509_V_FLAG_X509_STRICT)
		400	&& (ret != 1)))
397	{	401	{
398	if (i)	402	if (i)
399	ctx->error = X509_V_ERR_INVALID_CA;	403	ctx->error = X509_V_ERR_INVALID_CA;
@@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX ctx, X509_CRL crl)
537		541
538	if(issuer)	542	if(issuer)
539	{	543	{
		544	/* Check for cRLSign bit if keyUsage present */
		545	if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
		546	!(issuer->ex_kusage & KU_CRL_SIGN))
		547	{
		548	ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
		549	ok = ctx->verify_cb(0, ctx);
		550	if(!ok) goto err;
		551	}
540		552
541	/* Attempt to get issuer certificate public key */	553	/* Attempt to get issuer certificate public key */
542	ikey = X509_get_pubkey(issuer);	554	ikey = X509_get_pubkey(issuer);
@@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX ctx, X509_CRL crl, X509 *x)
611	{	623	{
612	int idx, ok;	624	int idx, ok;
613	X509_REVOKED rtmp;	625	X509_REVOKED rtmp;
		626	STACK_OF(X509_EXTENSION) *exts;
		627	X509_EXTENSION *ext;
614	/* Look for serial number of certificate in CRL */	628	/* Look for serial number of certificate in CRL */
615	rtmp.serialNumber = X509_get_serialNumber(x);	629	rtmp.serialNumber = X509_get_serialNumber(x);
616	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);	630	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
617	/* Not found: OK */	631	/* If found assume revoked: want something cleverer than
618	if(idx == -1) return 1;
619	/* Otherwise revoked: want something cleverer than
620	* this to handle entry extensions in V2 CRLs.	632	* this to handle entry extensions in V2 CRLs.
621	*/	633	*/
622	ctx->error = X509_V_ERR_CERT_REVOKED;	634	if(idx >= 0)
623	ok = ctx->verify_cb(0, ctx);	635	{
624	return ok;	636	ctx->error = X509_V_ERR_CERT_REVOKED;
		637	ok = ctx->verify_cb(0, ctx);
		638	if (!ok) return 0;
		639	}
		640
		641	if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
		642	return 1;
		643
		644	/* See if we have any critical CRL extensions: since we
		645	* currently don't handle any CRL extensions the CRL must be
		646	* rejected.
		647	* This code accesses the X509_CRL structure directly: applications
		648	* shouldn't do this.
		649	*/
		650
		651	exts = crl->crl->extensions;
		652
		653	for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
		654	{
		655	ext = sk_X509_EXTENSION_value(exts, idx);
		656	if (ext->critical > 0)
		657	{
		658	ctx->error =
		659	X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
		660	ok = ctx->verify_cb(0, ctx);
		661	if(!ok) return 0;
		662	break;
		663	}
		664	}
		665	return 1;
625	}	666	}
626		667
627	static int internal_verify(X509_STORE_CTX *ctx)	668	static int internal_verify(X509_STORE_CTX *ctx)