From e857c54f12ffaa162a0e320c14c1e5771611d383 Mon Sep 17 00:00:00 2001 From: tb Date: Tue, 20 Jun 2023 14:21:19 +0000 Subject: [PATCH] Improve certificate version checks in x509v3_cache_extensions() Only allow version v1-v3, disallow issuerUID and subjectUID in v1 certs and require that if X509v3 extensions are present that the cert be v3. Initial diff from job ok job jsing --- lib/libcrypto/x509/x509_purp.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c index 85d9b77f68d..75d229b03bd 100644 --- a/lib/libcrypto/x509/x509_purp.c +++ b/lib/libcrypto/x509/x509_purp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_purp.c,v 1.25 2023/04/23 21:49:15 job Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.26 2023/06/20 14:21:19 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -449,6 +449,7 @@ x509v3_cache_extensions_internal(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; + long version; int i; if (x->ex_flags & EXFLAG_SET) @@ -456,12 +457,18 @@ x509v3_cache_extensions_internal(X509 *x) X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL); - /* V1 should mean no extensions ... */ - if (X509_get_version(x) == 0) { + version = X509_get_version(x); + if (version < 0 || version > 2) + x->ex_flags |= EXFLAG_INVALID; + if (version == 0) { x->ex_flags |= EXFLAG_V1; - if (X509_get_ext_count(x) != 0) + /* UIDs may only appear in v2 or v3 certs */ + if (x->cert_info->issuerUID != NULL || + x->cert_info->subjectUID != NULL) x->ex_flags |= EXFLAG_INVALID; } + if (version != 2 && X509_get_ext_count(x) != 0) + x->ex_flags |= EXFLAG_INVALID; /* Handle basic constraints */ if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) { -- 2.20.1