From b2a89f9426f1ee215d9d57cad8342591dc19aac3 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Wed, 27 Oct 2021 10:22:08 +0000
Subject: Revert version 1.3 - not allowing the creation of bogus certificates breaks the ruby regression tests that expect to make bogus certificates and see that they are rejected :( I am reverting this for now to make the regress tests pass, and will bring it back if we decide to patch the regress tests to remove the problem cases
---
 src/lib/libcrypto/x509/x509_alt.c | 50 +++------------------------------------
 1 file changed, 3 insertions(+), 47 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 02a4a3a377..891c7dd787 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.3 2021/10/26 09:09:53 beck Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.4 2021/10/27 10:22:08 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -63,8 +63,6 @@
 #include
 #include
-#include "x509_internal.h"
-
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
@@ -614,11 +612,8 @@ GENERAL_NAME *
 v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
 {
- uint8_t *bytes = NULL;
- char *name, *value;
- GENERAL_NAME *ret;
- size_t len = 0;
 int type;
+ char *name, *value;
 name = cnf->name;
 value = cnf->value;
@@ -648,46 +643,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
 return NULL;
 }
- ret = a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
-
- /* Validate what we have for sanity */
- type = x509_constraints_general_to_bytes(ret, &bytes, &len);
- switch(type) {
- case GEN_DNS:
- if (!x509_constraints_valid_sandns(bytes, len)) {
- X509V3error(X509V3_R_BAD_OBJECT);
- ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
- goto err;
- }
- break;
- case GEN_URI:
- if (!x509_constraints_uri_host(bytes, len, NULL)) {
- X509V3error(X509V3_R_BAD_OBJECT);
- ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
- goto err;
- }
- break;
- case GEN_EMAIL:
- if (!x509_constraints_parse_mailbox(bytes, len, NULL)) {
- X509V3error(X509V3_R_BAD_OBJECT);
- ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
- goto err;
- }
- break;
- case GEN_IPADD:
- if (len != 4 && len != 16) {
- X509V3error(X509V3_R_BAD_IP_ADDRESS);
- ERR_asprintf_error_data("name=%s len=%zu", name, len);
- goto err;
- }
- break;
- default:
- break;
- }
- return ret;
- err:
- GENERAL_NAME_free(ret);
- return NULL;
+ return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
 }
 static int
-- cgit v1.2.3-55-g6feb
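Review bot: The one remaining line, `return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);`, hands back the parsed name unchecked, and nothing on the new side records that this is deliberate. With the GEN_DNS, GEN_URI, GEN_EMAIL and GEN_IPADD checks gone, certificate creation from configuration accepts malformed names again, so rejecting them depends entirely on whoever later verifies the certificate. I would add a comment above the return, for example `/* XXX result is not sanity checked; validation from version 1.3 reverted pending regress changes */`, so the gap is visible in the source and not only in the commit log. If the check is brought back, note that the removed version passed `ret` to x509_constraints_general_to_bytes() without first testing it for NULL; whether that helper tolerates NULL cannot be seen from this page. v2i_GENERAL_NAME_ex() begins outside this hunk.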