From 69c7967e9157ce97bd121acf9f553f9609deb179 Mon Sep 17 00:00:00 2001
From: job
Date: Tue, 26 Oct 2021 15:14:18 +0000
Subject: [PATCH] Add RFC 3779 checks to both legacy and new verifier

OK beck@
---
 lib/libcrypto/x509/x509_verify.c | 10 +++++++++-
 lib/libcrypto/x509/x509_vfy.c | 12 +++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index e49fbdee48a..8bcc6471492 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.49 2021/09/09 15:09:43 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.50 2021/10/26 15:14:18 job Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck
 *
@@ -352,6 +352,14 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 if (!x509_vfy_check_chain_extensions(ctx->xsc))
 goto err;
 
+#ifndef OPENSSL_NO_RFC3779
+ if (!X509v3_asid_validate_path(ctx->xsc))
+ goto err;
+
+ if (!X509v3_addr_validate_path(ctx->xsc))
+ goto err;
+#endif
+
 if (!x509_constraints_chain(ctx->xsc->chain, &ctx->xsc->error,
 &ctx->xsc->error_depth)) {
 X509 *cert = sk_X509_value(ctx->xsc->chain, depth);
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index c54444c91b9..4c3fe7f3e3e 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.91 2021/10/24 13:52:13 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.92 2021/10/26 15:14:18 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -549,6 +549,16 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 if (!ok)
 goto end;
 
+#ifndef OPENSSL_NO_RFC3779
+ ok = X509v3_asid_validate_path(ctx);
+ if (!ok)
+ goto end;
+
+ ok = X509v3_addr_validate_path(ctx);
+ if (!ok)
+ goto end;
+#endif
+
 ok = check_id(ctx);
 if (!ok)
 goto end;
-- 
2.20.1
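Review bot: The new `goto err` branches after X509v3_asid_validate_path and X509v3_addr_validate_path carry no error of their own, so the caller only learns why the chain failed if the validators set ctx->xsc->error and error_depth themselves and the `err:` label (outside this hunk; x509_verify_ctx_validate_legacy_chain continues past it) copies those into the x509_verify_ctx result. The constraints check immediately below passes &ctx->xsc->error explicitly, which makes the contrast worth a sentence for the next reader; I would add above `#ifndef OPENSSL_NO_RFC3779` a comment such as `/* RFC 3779 AS/IP resource checks; on failure the validators record the error in ctx->xsc, which err: propagates */`, adjusted to what err: actually does. If x509_verify.c does not already include <openssl/x509v3.h>, the two prototypes come from nowhere and the compiler will accept an implicit declaration, so it is worth confirming the include is present.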
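Review bot: Placement and form match the neighbouring checks in X509_verify_cert_legacy (`ok = ...; if (!ok) goto end;`), but nothing in the hunk says what a zero return from X509v3_asid_validate_path or X509v3_addr_validate_path means for the store context; if, as in the OpenSSL implementation these mirror, the validators report X509_V_ERR_UNNESTED_RESOURCE through ctx->verify_cb and return that callback's verdict, then an application callback that returns 1 will let a chain with unnested resources pass here exactly as it does for the other checks in this function, and that should be stated. I would put `/* RFC 3779 resource containment; verdict goes through ctx->verify_cb like the checks above */` above `#ifndef OPENSSL_NO_RFC3779`, with the same wording in the twin block in x509_verify.c. The enclosing function starts and ends outside the hunk, so the preceding `ok` assignment and the `end:` handling are not visible here.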