From: tb Date: Thu, 20 Apr 2023 18:29:08 +0000 (+0000) Subject: Flip the default of explicitText to UTF8String X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=3201f0b18674cca57acbfd835546e81c55db3a8b;p=openbsd Flip the default of explicitText to UTF8String While it may have been reasonable to use VisibleString back when this code was written, it's an anachronism nowadays. In particular, configuring BoringSSL reports that they have seen malformed certificates with exactly the issue caused by this unfortuante default. Reported by Alex Gaynor in OpenSSL issue 20772 ok jsing --- diff --git a/lib/libcrypto/x509/x509_cpols.c b/lib/libcrypto/x509/x509_cpols.c index 3f106c691de..af8f16c9b09 100644 --- a/lib/libcrypto/x509/x509_cpols.c +++ b/lib/libcrypto/x509/x509_cpols.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cpols.c,v 1.7 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: x509_cpols.c,v 1.8 2023/04/20 18:29:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -594,7 +594,7 @@ notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org) cnf = sk_CONF_VALUE_value(unot, i); if (!strcmp(cnf->name, "explicitText")) { if (not->exptext == NULL) { - not->exptext = ASN1_VISIBLESTRING_new(); + not->exptext = ASN1_UTF8STRING_new(); if (not->exptext == NULL) goto merr; }