Loading CHANGES +9 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,15 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only +) Test for certificates which contain unsupported critical extensions. If such a certificate is found during a verify operation it is rejected by default: this behaviour can be overridden by either handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function X509_supported_extension() has also been added which returns 1 if a particular extension is supported. [Steve Henson] +) New functions/macros SSL_CTX_set_msg_callback(ctx, cb) Loading apps/verify.c +3 −0 Original line number Diff line number Diff line Loading @@ -146,6 +146,8 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-help") == 0) goto end; else if (strcmp(*argv,"-ignore_critical") == 0) vflags |= X509_V_FLAG_IGNORE_CRITICAL; else if (strcmp(*argv,"-issuer_checks") == 0) vflags |= X509_V_FLAG_CB_ISSUER_CHECK; else if (strcmp(*argv,"-crl_check") == 0) Loading Loading @@ -343,6 +345,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; } if (!v_verbose) ERR_clear_error(); Loading crypto/x509/x509_txt.c +3 −0 Original line number Diff line number Diff line Loading @@ -144,6 +144,9 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); default: sprintf(buf,"error number %ld",n); return(buf); Loading crypto/x509/x509_vfy.c +9 −2 Original line number Diff line number Diff line Loading 
@@ -384,6 +384,15 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) for (i = 0; i < ctx->last_untrusted; i++) { x = sk_X509_value(ctx->chain, i); if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; } if (!X509_check_purpose(x, ctx->purpose, i)) { if (i) Loading Loading @@ -721,8 +730,6 @@ static int internal_verify(X509_STORE_CTX *ctx) if (!ok) goto end; } /* CRL CHECK */ /* The last error (if any) is still in the error value */ ctx->current_cert=xs; ok=(*cb)(1,ctx); Loading crypto/x509/x509_vfy.h +2 −0 Original line number Diff line number Diff line Loading @@ -303,6 +303,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 Loading @@ -313,6 +314,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ #define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */ #define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */ #define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */ int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); Loading Loading
CHANGES +9 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,15 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only +) Test for certificates which contain unsupported critical extensions. If such a certificate is found during a verify operation it is rejected by default: this behaviour can be overridden by either handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function X509_supported_extension() has also been added which returns 1 if a particular extension is supported. [Steve Henson] +) New functions/macros SSL_CTX_set_msg_callback(ctx, cb) Loading
apps/verify.c +3 −0 Original line number Diff line number Diff line Loading @@ -146,6 +146,8 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-help") == 0) goto end; else if (strcmp(*argv,"-ignore_critical") == 0) vflags |= X509_V_FLAG_IGNORE_CRITICAL; else if (strcmp(*argv,"-issuer_checks") == 0) vflags |= X509_V_FLAG_CB_ISSUER_CHECK; else if (strcmp(*argv,"-crl_check") == 0) Loading Loading @@ -343,6 +345,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; } if (!v_verbose) ERR_clear_error(); Loading
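Review bot: The new `-ignore_critical` option is parsed in the first hunk, but nothing in the hunk updates the usage text that MAIN prints on `-help`, so the option is undiscoverable from the tool itself; the usage table is outside the hunk, so this is inferred. The second hunk also makes cb() return ok=1 for X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, so the tool will presumably report the error and continue as it already does for expired or not-yet-valid CRLs, meaning the new flag only silences that diagnostic rather than changing the outcome. The usage entry should say so, e.g. `"-ignore_critical  do not report unhandled critical extensions"`, and the man page for verify needs the same addition. Both enclosing functions (MAIN and cb) start and end outside the hunks.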
crypto/x509/x509_txt.c +3 −0 Original line number Diff line number Diff line Loading @@ -144,6 +144,9 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); default: sprintf(buf,"error number %ld",n); return(buf); Loading
crypto/x509/x509_vfy.c +9 −2 Original line number Diff line number Diff line Loading @@ -384,6 +384,15 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) for (i = 0; i < ctx->last_untrusted; i++) { x = sk_X509_value(ctx->chain, i); if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; } if (!X509_check_purpose(x, ctx->purpose, i)) { if (i) Loading Loading @@ -721,8 +730,6 @@ static int internal_verify(X509_STORE_CTX *ctx) if (!ok) goto end; } /* CRL CHECK */ /* The last error (if any) is still in the error value */ ctx->current_cert=xs; ok=(*cb)(1,ctx); Loading
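Review bot: The new test in check_chain_purpose reads `x->ex_flags & EXFLAG_CRITICAL` before `X509_check_purpose()` is called on the same certificate, and as far as I recall it is X509_check_purpose() (via x509v3_cache_extensions) that guarantees ex_flags has been populated; if chain construction has not already cached extensions for every untrusted certificate, EXFLAG_CRITICAL is simply unset and a certificate carrying an unsupported critical extension passes silently, which defeats the purpose of the check. The robust ordering is to run the critical-extension test after the purpose check, or to force the cache first with `X509_check_purpose(x, -1, 0);` immediately before the new `if`. Separately, the loop only covers `i < ctx->last_untrusted`, so certificates supplied by the trust store are never subjected to this test; if that is intentional, a comment such as `/* Trusted certificates are not tested for unhandled critical extensions */` above the loop would make the scope explicit. check_chain_purpose starts and ends outside the hunk, and the second hunk in internal_verify only drops two comment lines.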
crypto/x509/x509_vfy.h +2 −0 Original line number Diff line number Diff line Loading @@ -303,6 +303,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 Loading @@ -313,6 +314,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ #define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */ #define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */ #define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */ int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); Loading