[openssl] OpenSSL_1_1_1-stable update

tmraz at fedoraproject.org
Mon Apr 6 08:28:54 UTC 2020


The branch OpenSSL_1_1_1-stable has been updated
       via  29e94f285f7f05b1aec6fa275e320bc5fa37ab1e (commit)
      from  00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91 (commit)


- Log -----------------------------------------------------------------
commit 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Apr 2 17:31:21 2020 +0200

    Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints
    
    If we encounter a certificate with basic constraints CA:false,
    pathlen present, and X509_V_FLAG_X509_STRICT is set, we set the
    X509_V_ERR_INVALID_EXTENSION error.
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11463)
    
    (cherry picked from commit fa86e2ee3533bb7fa9f3c62c38920cf960e9fec0)

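As an added example, not part of this commit or of OpenSSL's code: a small Python decoder for the DER-encoded BasicConstraints extension value, together with a check that mirrors the rule the commit message describes (CA:false with a pathLenConstraint present is rejected as an invalid extension, but only when strict verification is requested). The sample encodings are constructed by hand for this example, and the error name is borrowed from OpenSSL purely for readability.

```python
"""
Added example (not OpenSSL code): decode a DER BasicConstraints value and
apply the strict-mode rule from the commit message.

BasicConstraints ::= SEQUENCE {
    cA                 BOOLEAN DEFAULT FALSE,
    pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
"""

# Name borrowed from OpenSSL for readability; the value here is illustrative.
ERR_INVALID_EXTENSION = "X509_V_ERR_INVALID_EXTENSION"


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for a short-form DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:
        # BasicConstraints never needs long-form lengths; reject to stay strict.
        raise ValueError("long-form length not supported")
    start = pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[start:end], end


def parse_basic_constraints(der):
    """Decode BasicConstraints. Returns (ca: bool, pathlen: int or None)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    ca = False
    pathlen = None
    pos = 0
    if pos < len(body) and body[pos] == 0x01:  # BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1 or val[0] not in (0x00, 0xFF):
            raise ValueError("DER BOOLEAN must be a single 0x00 or 0xFF byte")
        # Strict DER would omit an explicit FALSE (it is the DEFAULT); we accept
        # it here, as lenient decoders do, because the check below must still
        # fire for such encodings.
        ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == 0x02:  # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        if not val:
            raise ValueError("empty INTEGER")
        pathlen = int.from_bytes(val, "big", signed=True)
        if pathlen < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(body):
        raise ValueError("trailing data inside BasicConstraints")
    return ca, pathlen


def check_basic_constraints(der, strict):
    """Mirror of the rule the commit adds: None if acceptable, else the error
    name. A pathLenConstraint is only meaningful for a CA, so CA:false plus a
    pathlen is flagged, but only when the caller asked for strict checking."""
    ca, pathlen = parse_basic_constraints(der)
    if not ca and pathlen is not None and strict:
        return ERR_INVALID_EXTENSION
    return None


# Constructed sample encodings (not taken from any real certificate):
CA_TRUE_PATHLEN0 = bytes.fromhex("3006 0101ff 020100")   # CA:TRUE, pathlen:0
CA_FALSE_NO_PATHLEN = bytes.fromhex("3000")               # CA:FALSE, no pathlen
CA_FALSE_PATHLEN0 = bytes.fromhex("3003 020100")          # CA:FALSE, pathlen:0

if __name__ == "__main__":
    for name, der in (("CA:TRUE,pathlen:0", CA_TRUE_PATHLEN0),
                      ("CA:FALSE", CA_FALSE_NO_PATHLEN),
                      ("CA:FALSE,pathlen:0", CA_FALSE_PATHLEN0)):
        print(name, parse_basic_constraints(der),
              "strict:", check_basic_constraints(der, strict=True),
              "lenient:", check_basic_constraints(der, strict=False))
```

The third sample is the case the commit targets: an end-entity or non-CA certificate whose extension nevertheless carries a path length. Without the strict flag both decoders above and, per the commit message, OpenSSL accept it; with the flag the verifier now reports it as an invalid extension instead of silently ignoring the pathlen.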
-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f28f2d2610..41625e75ad 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -508,6 +508,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                 ret = 1;
             break;
         }
+        if ((x->ex_flags & EXFLAG_CA) == 0
+            && x->ex_pathlen != -1
+            && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
+            ctx->error = X509_V_ERR_INVALID_EXTENSION;
+            ret = 0;
+        }
         if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
             return 0;
         /* check_purpose() makes the callback as needed */
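Review bot: the new block does not consider whether ret is already 0 from the switch that ends just above it, so if that switch has recorded an error for this certificate in ctx->error, the block overwrites it with X509_V_ERR_INVALID_EXTENSION and the earlier, more specific error is lost before verify_cb_cert(ctx, x, i, X509_V_OK) reports it; guarding the condition with `ret != 0 &&` (so the first failure wins) would keep the existing error reporting intact. A smaller point: the `-1` sentinel in `x->ex_pathlen != -1` is a bare literal here; a named constant or a short comment saying that -1 means "no pathlen present" would make the strict-mode intent clearer to readers of this function.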

