1 files changed, 53 insertions, 1 deletions
diff --git a/src/regress/lib/libcrypto/x509/x509_extensions_test.c b/src/regress/lib/libcrypto/x509/x509_extensions_test.c
index a90a173e1d..9005333fe7 100644
--- a/src/regress/lib/libcrypto/x509/x509_extensions_test.c
+++ b/src/regress/lib/libcrypto/x509/x509_extensions_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_extensions_test.c,v 1.1 2024/05/28 15:33:35 tb Exp $ */
+/*      $OpenBSD: x509_extensions_test.c,v 1.2 2024/05/28 15:42:09 tb Exp $ */
 /*
 * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -575,6 +575,57 @@ test_x509v3_add1_i2d_add_append(STACK_OF(X509_EXTENSION) **extensions)
 }
 static int
+test_x509v3_add1_i2d_invalid_operations(STACK_OF(X509_EXTENSION) **extensions)
+{
+        BASIC_CONSTRAINTS *bc = NULL;
+        long error;
+        int crit, got, nid, op;
+        int failed = 1;
+        if (X509v3_get_ext_count(*extensions) != 0) {
+                fprintf(stderr, "%s: FAIL: need empty stack.\n", __func__);
+                goto err;
+        }
+        /*
+         * Attempt to add a basic constraint extension with invalid operations
+         */
+        nid = NID_basic_constraints;
+        bc = create_basic_constraints(1);
+        crit = 1;
+        for (op = X509V3_ADD_DELETE + 1; op <= X509V3_ADD_OP_MASK; op++) {
+                if ((got = X509V3_add1_i2d(extensions, nid, bc, crit, op)) != -1) {
+                        fprintf(stderr, "%s: FAIL: operation %d "
+                            "want %d, got %d.\n", __func__, op, -1, got);
+                        goto err;
+                }
+                error = ERR_get_error();
+                if (ERR_GET_REASON(error) != X509V3_R_UNSUPPORTED_OPTION) {
+                        fprintf(stderr, "%s: FAIL: invalid operation %d "
+                            " pushed %d, want %d.\n", __func__, op,
+                            ERR_GET_REASON(error), X509V3_R_EXTENSION_EXISTS);
+                        goto err;
+                }
+        }
+        BASIC_CONSTRAINTS_free(bc);
+        bc = NULL;
+        if ((got = X509v3_get_ext_count(*extensions)) != 0) {
+                fprintf(stderr, "%s: FAIL: expected 0 extensions, have %d.\n",
+                    __func__, got);
+                goto err;
+        }
+        failed = 0;
+ err:
+        BASIC_CONSTRAINTS_free(bc);
+        return failed;
+}
+static int
 test_x509v3_add1_i2d(void)
 {
        STACK_OF(X509_EXTENSION) *extensions;
@@ -586,6 +637,7 @@ test_x509v3_add1_i2d(void)
        failed |= test_x509v3_add1_i2d_empty_stack(&extensions);
        failed |= test_x509v3_add1_i2d_single_nid(&extensions);
        failed |= test_x509v3_add1_i2d_add_append(&extensions);
+        failed |= test_x509v3_add1_i2d_invalid_operations(&extensions);
        sk_X509_EXTENSION_pop_free(extensions, X509_EXTENSION_free);

diff --git a/src/regress/lib/libcrypto/x509/x509_extensions_test.c b/src/regress/lib/libcrypto/x509/x509_extensions_test.c index a90a173e1d..9005333fe7 100644 --- a/src/regress/lib/libcrypto/x509/x509_extensions_test.c +++ b/src/regress/lib/libcrypto/x509/x509_extensions_test.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_extensions_test.c,v 1.1 2024/05/28 15:33:35 tb Exp $ */	1	/* $OpenBSD: x509_extensions_test.c,v 1.2 2024/05/28 15:42:09 tb Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2024 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -575,6 +575,57 @@ test_x509v3_add1_i2d_add_append(STACK_OF(X509_EXTENSION) **extensions)
575	}	575	}
576		576
577	static int	577	static int
		578	test_x509v3_add1_i2d_invalid_operations(STACK_OF(X509_EXTENSION) **extensions)
		579	{
		580	BASIC_CONSTRAINTS *bc = NULL;
		581	long error;
		582	int crit, got, nid, op;
		583	int failed = 1;
		584
		585	if (X509v3_get_ext_count(*extensions) != 0) {
		586	fprintf(stderr, "%s: FAIL: need empty stack.\n", __func__);
		587	goto err;
		588	}
		589
		590	/*
		591	* Attempt to add a basic constraint extension with invalid operations
		592	*/
		593
		594	nid = NID_basic_constraints;
		595	bc = create_basic_constraints(1);
		596	crit = 1;
		597	for (op = X509V3_ADD_DELETE + 1; op <= X509V3_ADD_OP_MASK; op++) {
		598	if ((got = X509V3_add1_i2d(extensions, nid, bc, crit, op)) != -1) {
		599	fprintf(stderr, "%s: FAIL: operation %d "
		600	"want %d, got %d.\n", __func__, op, -1, got);
		601	goto err;
		602	}
		603	error = ERR_get_error();
		604	if (ERR_GET_REASON(error) != X509V3_R_UNSUPPORTED_OPTION) {
		605	fprintf(stderr, "%s: FAIL: invalid operation %d "
		606	" pushed %d, want %d.\n", __func__, op,
		607	ERR_GET_REASON(error), X509V3_R_EXTENSION_EXISTS);
		608	goto err;
		609	}
		610	}
		611	BASIC_CONSTRAINTS_free(bc);
		612	bc = NULL;
		613
		614	if ((got = X509v3_get_ext_count(*extensions)) != 0) {
		615	fprintf(stderr, "%s: FAIL: expected 0 extensions, have %d.\n",
		616	__func__, got);
		617	goto err;
		618	}
		619
		620	failed = 0;
		621
		622	err:
		623	BASIC_CONSTRAINTS_free(bc);
		624
		625	return failed;
		626	}
		627
		628	static int
578	test_x509v3_add1_i2d(void)	629	test_x509v3_add1_i2d(void)
579	{	630	{
580	STACK_OF(X509_EXTENSION) *extensions;	631	STACK_OF(X509_EXTENSION) *extensions;
@@ -586,6 +637,7 @@ test_x509v3_add1_i2d(void)
586	failed \|= test_x509v3_add1_i2d_empty_stack(&extensions);	637	failed \|= test_x509v3_add1_i2d_empty_stack(&extensions);
587	failed \|= test_x509v3_add1_i2d_single_nid(&extensions);	638	failed \|= test_x509v3_add1_i2d_single_nid(&extensions);
588	failed \|= test_x509v3_add1_i2d_add_append(&extensions);	639	failed \|= test_x509v3_add1_i2d_add_append(&extensions);
		640	failed \|= test_x509v3_add1_i2d_invalid_operations(&extensions);
589		641
590	sk_X509_EXTENSION_pop_free(extensions, X509_EXTENSION_free);	642	sk_X509_EXTENSION_pop_free(extensions, X509_EXTENSION_free);
591		643