From 3201f0b18674cca57acbfd835546e81c55db3a8b Mon Sep 17 00:00:00 2001 From: tb Date: Thu, 20 Apr 2023 18:29:08 +0000 Subject: [PATCH] Flip the default of explicitText to UTF8String While it may have been reasonable to use VisibleString back when this code was written, it's an anachronism nowadays. In particular, configuring BoringSSL reports that they have seen malformed certificates with exactly the issue caused by this unfortuante default. Reported by Alex Gaynor in OpenSSL issue 20772 ok jsing --- lib/libcrypto/x509/x509_cpols.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libcrypto/x509/x509_cpols.c b/lib/libcrypto/x509/x509_cpols.c index 3f106c691de..af8f16c9b09 100644 --- a/lib/libcrypto/x509/x509_cpols.c +++ b/lib/libcrypto/x509/x509_cpols.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cpols.c,v 1.7 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: x509_cpols.c,v 1.8 2023/04/20 18:29:08 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -594,7 +594,7 @@ notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org) cnf = sk_CONF_VALUE_value(unot, i); if (!strcmp(cnf->name, "explicitText")) { if (not->exptext == NULL) { - not->exptext = ASN1_VISIBLESTRING_new(); + not->exptext = ASN1_UTF8STRING_new(); if (not->exptext == NULL) goto merr; } -- 2.20.1