Disallow certs with explicit curve in verification chain

The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12683)
author: Tomas Mraz <tmraz@fedoraproject.org> 2020-09-11 09:09:29 +0200
committer: Tomas Mraz <tmraz@fedoraproject.org> 2020-09-17 17:15:15 +0200
commit: cccf532fef10aaa2d682227061b8828a1eb2c031 (patch)
tree: eebff041321fc8ca671a21369395370e806175d2 /ssl/statem
parent: fe2f8aecfe4a0de483334bf671a8eb4f14444c00 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 6d0efb3239..618a58d659 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1408,6 +1408,7 @@ int tls_get_message_body(SSL *s, size_t *len)
 static const X509ERR2ALERT x509table[] = {
     {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
     {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
+    {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
     {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
     {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
     {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
author	Tomas Mraz <tmraz@fedoraproject.org>	2020-09-11 09:09:29 +0200
committer	Tomas Mraz <tmraz@fedoraproject.org>	2020-09-17 17:15:15 +0200
commit	cccf532fef10aaa2d682227061b8828a1eb2c031 (patch)
tree	eebff041321fc8ca671a21369395370e806175d2 /ssl/statem
parent	fe2f8aecfe4a0de483334bf671a8eb4f14444c00 (diff)