From: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date: Tue, 8 Sep 2020 07:39:33 +0000 (+0200)
Subject: check_chain_extensions(): Require X.509 v3 if extensions are present
X-Git-Tag: openssl-3.0.0-alpha7~309
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=82bdd6419361136e7be533d31a990ba0476fced3;p=thirdparty%2Fopenssl.git

check_chain_extensions(): Require X.509 v3 if extensions are present

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
---

diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 9cb6c8b7392..53b19e46dfe 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -208,6 +208,8 @@ const char *X509_verify_cert_error_string(long n)
         return "Subject Key Identifier marked critical";
     case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
         return "CA cert does not include key usage extension";
+    case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3:
+        return "Using cert extension requires at least X509v3";
 
     default:
         /* Printing an error number into a static buffer is not thread-safe */
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 83dae9a79bb..4a067e5ff4f 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -26,6 +26,7 @@
 #include "x509_local.h"
 
 DEFINE_STACK_OF(X509)
+DEFINE_STACK_OF(X509_EXTENSION)
 DEFINE_STACK_OF(X509_REVOKED)
 DEFINE_STACK_OF(GENERAL_NAME)
 DEFINE_STACK_OF(X509_CRL)
@@ -585,6 +586,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                 /* Check SKID presence acc. to RFC 5280 section 4.2.1.2 */
                 if ((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL)
                     ctx->error = X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER;
+            } else {
+                if (sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0)
+                    ctx->error = X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3;
             }
         }
         if (ctx->error != X509_V_OK)
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 50ae14f240e..d43a442fc7a 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -233,6 +233,7 @@ X509_LOOKUP_ctrl_with_libctx((x), X509_L_ADD_STORE, (name), 0, NULL,           \
 # define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL    90
 # define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL      91
 # define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE            92
+# define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3         93
 
 /* Certificate verify flags */
 # ifndef OPENSSL_NO_DEPRECATED_1_1_0