diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.bypass-strict-flag openssl-1.1.1g/crypto/x509/x509_vfy.c
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.bypass-strict-flag 2021-03-25 15:04:24.786522525 +0100
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2021-03-25 15:14:01.392910477 +0100
@@ -509,15 +509,19 @@ static int check_chain_extensions(X509_S
ret = 1;
break;
}
- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
+ if (ret > 0
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
/* Check for presence of explicit elliptic curve parameters */
ret = check_curve(x);
- if (ret < 0)
+ if (ret < 0) {
ctx->error = X509_V_ERR_UNSPECIFIED;
- else if (ret == 0)
+ ret = 0;
+ } else if (ret == 0) {
ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
+ }
}
- if ((x->ex_flags & EXFLAG_CA) == 0
+ if (ret > 0
+ && (x->ex_flags & EXFLAG_CA) == 0
&& x->ex_pathlen != -1
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
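Review bot: The new `ret > 0` guards at the head of both strict-mode blocks are the entire fix but carry no comment saying why they are needed: check_curve() returns 1 for a certificate without explicit EC parameters, so the assignment `ret = check_curve(x)` silently replaced a failure the switch above had already recorded in ret, and — judging by the test hunk in this same patch, which expects X509_V_ERR_INVALID_CA to survive with X509_V_FLAG_X509_STRICT set — a certificate already rejected by the CA check could end up accepted in strict mode. I would add above the first guard `/* Run the X509_STRICT checks only if this cert passed the checks above; check_curve() returns 1 on success and would otherwise overwrite an earlier failure in ret */`. The `ret < 0` path now also folds an internal error into `ret = 0` alongside X509_V_ERR_UNSPECIFIED, and the X509_V_ERR_INVALID_EXTENSION block presumably does the same just after the last context line; that line, and the rest of check_chain_extensions(), lie outside the hunk so I could not confirm it.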
diff -up openssl-1.1.1g/test/verify_extra_test.c.bypass-strict-flag openssl-1.1.1g/test/verify_extra_test.c
--- openssl-1.1.1g/test/verify_extra_test.c.bypass-strict-flag 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/test/verify_extra_test.c 2021-03-25 15:04:24.793522594 +0100
@@ -125,10 +125,22 @@ static int test_alt_chains_cert_forgery(
|
i = X509_verify_cert(sctx);
|
- if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) {
+ if (i != 0 || X509_STORE_CTX_get_error(sctx) != X509_V_ERR_INVALID_CA)
+ goto err;
+
+ /* repeat with X509_V_FLAG_X509_STRICT */
+ X509_STORE_CTX_cleanup(sctx);
+ X509_STORE_set_flags(store, X509_V_FLAG_X509_STRICT);
+
+ if (!X509_STORE_CTX_init(sctx, store, x, untrusted))
+ goto err;
+
+ i = X509_verify_cert(sctx);
+
+ if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA)
/* This is the result we were expecting: Test passed */
ret = 1;
- }
+
err:
X509_STORE_CTX_free(sctx);
X509_free(x);
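Review bot: A failure in the new strict-mode pass is indistinguishable from one in the original pass: both checks compare with bare `==`/`!=` and either `goto err` or leave ret at 0 without reporting which X509_verify_cert() call returned what, so a regression of the x509_vfy.c fix would surface only as a silent test failure. If this file already uses the testutil.h helpers elsewhere, `if (!TEST_int_eq(i, 0) || !TEST_int_eq(X509_STORE_CTX_get_error(sctx), X509_V_ERR_INVALID_CA)) goto err;` in both places would print the actual values and let the second check mirror the first (early `goto err`, then `ret = 1;`) instead of the fall-through form it has now. X509_STORE_set_flags() ORs into the store's verify parameters, so the strict flag cannot be cleared afterwards; that is harmless here provided nothing later in the function reuses `store` for a non-strict verification, which this hunk does not show. test_alt_chains_cert_forgery() begins before the hunk and the `err:` cleanup continues past it.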
|