[openssl] master update

dev at ddvo.net dev at ddvo.net
Fri Jan 7 09:46:44 UTC 2022


The branch master has been updated
       via  6e98b7f153fcf9dfad1053fbb3a592166837c6fc (commit)
      from  fd989c734dc3f9e15d700ff9ced15125a23d4359 (commit)


- Log -----------------------------------------------------------------
commit 6e98b7f153fcf9dfad1053fbb3a592166837c6fc
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue Aug 17 19:12:55 2021 +0200

    v2i_AUTHORITY_KEYID(): Improve error reporting on parsing config values/options
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16345)

-----------------------------------------------------------------------

Summary of changes:
 crypto/err/openssl.txt      |  3 +++
 crypto/x509/v3_akid.c       | 33 ++++++++++++++++++++++-----------
 crypto/x509/v3err.c         |  3 +++
 doc/man5/x509v3_config.pod  |  4 ++--
 include/openssl/x509v3err.h |  3 +++
 5 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 6e75af9b8b..3c59fce96c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1585,6 +1585,8 @@ UI_R_UNKNOWN_TTYGET_ERRNO_VALUE:108:unknown ttyget errno value
 UI_R_USER_DATA_DUPLICATION_UNSUPPORTED:112:user data duplication unsupported
 X509V3_R_BAD_IP_ADDRESS:118:bad ip address
 X509V3_R_BAD_OBJECT:119:bad object
+X509V3_R_BAD_OPTION:170:bad option
+X509V3_R_BAD_VALUE:171:bad value
 X509V3_R_BN_DEC2BN_ERROR:100:bn dec2bn error
 X509V3_R_BN_TO_ASN1_INTEGER_ERROR:101:bn to asn1 integer error
 X509V3_R_DIRNAME_ERROR:149:dirname error
@@ -1651,6 +1653,7 @@ X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT:111:unknown bit string argument
 X509V3_R_UNKNOWN_EXTENSION:129:unknown extension
 X509V3_R_UNKNOWN_EXTENSION_NAME:130:unknown extension name
 X509V3_R_UNKNOWN_OPTION:120:unknown option
+X509V3_R_UNKNOWN_VALUE:172:unknown value
 X509V3_R_UNSUPPORTED_OPTION:117:unsupported option
 X509V3_R_UNSUPPORTED_TYPE:167:unsupported type
 X509V3_R_USER_TOO_LONG:132:user too long
diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index 2a993dd5bc..209f32cbf7 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -85,14 +85,14 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 }
 
 /*-
- * Currently two options:
- * keyid: use the issuers subject keyid, the value 'always' means its is
- * an error if the issuer certificate doesn't have a key id.
- * issuer: use the issuers cert issuer and serial number. The default is
- * to only use this if keyid is not present. With the option 'always'
+ * Three explicit tags may be given, where 'keyid' and 'issuer' may be combined:
+ * 'none': do not add any authority key identifier.
+ * 'keyid': use the issuer's subject keyid; the option 'always' means its is
+ * an error if the issuer certificate doesn't have a subject key id.
+ * 'issuer': use the issuer's cert issuer and serial number. The default is
+ * to only use this if 'keyid' is not present. With the option 'always'
  * this is always included.
  */
-
 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                             X509V3_CTX *ctx,
                                             STACK_OF(CONF_VALUE) *values)
@@ -119,16 +119,27 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 
     for (i = 0; i < n; i++) {
         cnf = sk_CONF_VALUE_value(values, i);
-        if (strcmp(cnf->name, "keyid") == 0) {
+        if (cnf->value != NULL && strcmp(cnf->value, "always") != 0) {
+            ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+                           "name=%s option=%s", cnf->name, cnf->value);
+            goto err;
+        }
+        if (strcmp(cnf->name, "keyid") == 0 && keyid == 0) {
             keyid = 1;
-            if (cnf->value && strcmp(cnf->value, "always") == 0)
+            if (cnf->value != NULL)
                 keyid = 2;
-        } else if (strcmp(cnf->name, "issuer") == 0) {
+        } else if (strcmp(cnf->name, "issuer") == 0 && issuer == 0) {
             issuer = 1;
-            if (cnf->value && strcmp(cnf->value, "always") == 0)
+            if (cnf->value != NULL)
                 issuer = 2;
+        } else if (strcmp(cnf->name, "none") == 0
+                   || strcmp(cnf->name, "keyid") == 0
+                   || strcmp(cnf->name, "issuer") == 0) {
+            ERR_raise_data(ERR_LIB_X509V3, X509V3_R_BAD_VALUE,
+                           "name=%s", cnf->name);
+            goto err;
         } else {
-            ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+            ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_VALUE,
                            "name=%s", cnf->name);
             goto err;
         }
diff --git a/crypto/x509/v3err.c b/crypto/x509/v3err.c
index 6f38034c1a..b52f16f597 100644
--- a/crypto/x509/v3err.c
+++ b/crypto/x509/v3err.c
@@ -17,6 +17,8 @@
 static const ERR_STRING_DATA X509V3_str_reasons[] = {
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "bad ip address"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OBJECT), "bad object"},
+    {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OPTION), "bad option"},
+    {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_VALUE), "bad value"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_DEC2BN_ERROR), "bn dec2bn error"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_TO_ASN1_INTEGER_ERROR),
     "bn to asn1 integer error"},
@@ -127,6 +129,7 @@ static const ERR_STRING_DATA X509V3_str_reasons[] = {
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION_NAME),
     "unknown extension name"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_OPTION), "unknown option"},
+    {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_VALUE), "unknown value"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_OPTION),
     "unsupported option"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_TYPE),
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index fb9e562d7f..97251d5d09 100644
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -195,8 +195,8 @@ or both of them, separated by C<,>.
 Either or both can have the option B<always>,
 indicated by putting a colon C<:> between the value and this option.
 For self-signed certificates the AKID is suppressed unless B<always> is present.
-By default the B<x509>, B<req>, and B<ca> apps behave as if
-"none" was given for self-signed certificates and "keyid, issuer" otherwise.
+By default the B<x509>, B<req>, and B<ca> apps behave as if B<none> was given
+for self-signed certificates and B<keyid>C<,> B<issuer> otherwise.
 
 If B<keyid> is present, an attempt is made to
 copy the subject key identifier (SKID) from the issuer certificate except if
diff --git a/include/openssl/x509v3err.h b/include/openssl/x509v3err.h
index 1ae3a56209..fcad1bfca5 100644
--- a/include/openssl/x509v3err.h
+++ b/include/openssl/x509v3err.h
@@ -23,6 +23,8 @@
  */
 # define X509V3_R_BAD_IP_ADDRESS                          118
 # define X509V3_R_BAD_OBJECT                              119
+# define X509V3_R_BAD_OPTION                              170
+# define X509V3_R_BAD_VALUE                               171
 # define X509V3_R_BN_DEC2BN_ERROR                         100
 # define X509V3_R_BN_TO_ASN1_INTEGER_ERROR                101
 # define X509V3_R_DIRNAME_ERROR                           149
@@ -86,6 +88,7 @@
 # define X509V3_R_UNKNOWN_EXTENSION                       129
 # define X509V3_R_UNKNOWN_EXTENSION_NAME                  130
 # define X509V3_R_UNKNOWN_OPTION                          120
+# define X509V3_R_UNKNOWN_VALUE                           172
 # define X509V3_R_UNSUPPORTED_OPTION                      117
 # define X509V3_R_UNSUPPORTED_TYPE                        167
 # define X509V3_R_USER_TOO_LONG                           132


More information about the openssl-commits mailing list