Disallow certs with explicit curve in verification chain

The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12683)
author: Tomas Mraz <tmraz@fedoraproject.org> 2020-09-11 09:09:29 +0200
committer: Tomas Mraz <tmraz@fedoraproject.org> 2020-09-17 17:15:15 +0200
commit: cccf532fef10aaa2d682227061b8828a1eb2c031 (patch)
tree: eebff041321fc8ca671a21369395370e806175d2 /include
parent: fe2f8aecfe4a0de483334bf671a8eb4f14444c00 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in
index 8a565f71a3..6266e6007d 100644
--- a/include/openssl/x509_vfy.h.in
+++ b/include/openssl/x509_vfy.h.in
@@ -242,6 +242,7 @@ X509_LOOKUP_ctrl_with_libctx((x), X509_L_ADD_STORE, (name), 0, NULL,           \
 # define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL      91
 # define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE            92
 # define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3         93
+# define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS               94
 
 /* Certificate verify flags */
 # ifndef OPENSSL_NO_DEPRECATED_1_1_0
author	Tomas Mraz <tmraz@fedoraproject.org>	2020-09-11 09:09:29 +0200
committer	Tomas Mraz <tmraz@fedoraproject.org>	2020-09-17 17:15:15 +0200
commit	cccf532fef10aaa2d682227061b8828a1eb2c031 (patch)
tree	eebff041321fc8ca671a21369395370e806175d2 /include
parent	fe2f8aecfe4a0de483334bf671a8eb4f14444c00 (diff)