From cccf532fef10aaa2d682227061b8828a1eb2c031 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 11 Sep 2020 09:09:29 +0200
Subject: Disallow certs with explicit curve in verification chain The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139
Reviewed-by: David von Oheimb
Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/12683)
---
 include/openssl/x509_vfy.h.in | 1 +
 1 file changed, 1 insertion(+) (limited to 'include')
diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in
index 8a565f71a3..6266e6007d 100644
--- a/include/openssl/x509_vfy.h.in
+++ b/include/openssl/x509_vfy.h.in
@@ -242,6 +242,7 @@ X509_LOOKUP_ctrl_with_libctx((x), X509_L_ADD_STORE, (name), 0, NULL, \
 # define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91
 # define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92
 # define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 93
+# define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS 94
 /* Certificate verify flags */
 # ifndef OPENSSL_NO_DEPRECATED_1_1_0
-- 
cgit v1.2.3
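Review bot: The new `X509_V_ERR_EC_KEY_EXPLICIT_PARAMS` define carries no comment, and nothing in the header tells a caller that the check behind it runs only when `X509_V_FLAG_X509_STRICT` is set, as the commit message states. An application that verifies with default flags would therefore still accept a chain containing explicit-curve EC keys and never see code 94. I would add `/* only reported when X509_V_FLAG_X509_STRICT is set */` on the line above the define. This view is limited to `include`, so whether the matching error string and the verification documentation were updated alongside the new code cannot be confirmed from here.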