path: root/lib/libcrypto/x509/x509_verify.c
authorJob Snijders <job@cvs.openbsd.org>2021-10-26 15:14:19 +0000
committerJob Snijders <job@cvs.openbsd.org>2021-10-26 15:14:19 +0000
commit5eae90ba3c02082efc9e93501ec62f6dfdd92e59 (patch)
tree4f4d6e9c1935d663f838e66a5e0815b8fb524d65 /lib/libcrypto/x509/x509_verify.c
parent59721c6329f525fc0e6a3e120e9c9ef79dd18d1f (diff)
Add RFC 3779 checks to both legacy and new verifier
OK beck@
Diffstat (limited to 'lib/libcrypto/x509/x509_verify.c')
-rw-r--r--lib/libcrypto/x509/x509_verify.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index e49fbdee48a..8bcc6471492 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.49 2021/09/09 15:09:43 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.50 2021/10/26 15:14:18 job Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
@@ -352,6 +352,14 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
if (!x509_vfy_check_chain_extensions(ctx->xsc))
goto err;
+#ifndef OPENSSL_NO_RFC3779
+ if (!X509v3_asid_validate_path(ctx->xsc))
+ goto err;
+
+ if (!X509v3_addr_validate_path(ctx->xsc))
+ goto err;
+#endif
+
if (!x509_constraints_chain(ctx->xsc->chain,
&ctx->xsc->error, &ctx->xsc->error_depth)) {
X509 *cert = sk_X509_value(ctx->xsc->chain, depth);
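Review bot: The two new `goto err` exits rely on X509v3_asid_validate_path() and X509v3_addr_validate_path() having already recorded the failure in `ctx->xsc->error` (and consulted the verify callback), since nothing in the hunk sets `error` or `error_depth` on these paths; confirm neither callee can return 0 while `error` is still X509_V_OK, or a rejected chain reaches the caller with no diagnostic. The RFC 3779 checks are also placed ahead of x509_constraints_chain(), so a resource-nesting failure takes precedence over any name-constraint error; if that ordering is deliberate it deserves a word. A short comment would help the next reader, e.g. `/* RFC 3779: each cert's AS and IP resources must be nested within its issuer's */` above the `#ifndef`. x509_verify_ctx_validate_legacy_chain() begins and ends outside this hunk.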