Pingora's patch disabling cert version validation for extensions

boring-sys/Cargo.toml

@@ -61,6 +61,9 @@ rpk = []
 # Require mlkem.h
 mlkem = []
 
+# Violate RFC 5280 5.1.2.1 and allow certs with CRL extensions without a correct version
+allow-crl-extensions-bad-version = []
+
 # Applies a patch (`patches/underscore-wildcards.patch`) to enable
 # `ffi::X509_CHECK_FLAG_UNDERSCORE_WILDCARDS`. This feature is necessary in
 # order to compile the bindings for the default branch of boringSSL

boring-sys/build/config.rs

@@ -21,6 +21,7 @@ pub(crate) struct Features {
     pub(crate) fips: bool,
     pub(crate) rpk: bool,
     pub(crate) underscore_wildcards: bool,
+    pub(crate) allow_crl_extensions_bad_version: bool,
 }
 
 pub(crate) struct Env {
@@ -126,14 +127,11 @@ impl Config {
 
 impl Features {
     fn from_env() -> Self {
-        let fips = env::var_os("CARGO_FEATURE_FIPS").is_some();
-        let rpk = env::var_os("CARGO_FEATURE_RPK").is_some();
-        let underscore_wildcards = env::var_os("CARGO_FEATURE_UNDERSCORE_WILDCARDS").is_some();
-
         Self {
-            fips,
-            rpk,
-            underscore_wildcards,
+            fips: cfg!(feature = "fips"),
+            rpk: cfg!(feature = "rpk"),
+            underscore_wildcards: cfg!(feature = "underscore-wildcards"),
+            allow_crl_extensions_bad_version: cfg!(feature = "allow-crl-extensions-bad-version"),
         }
     }
 

boring-sys/build/main.rs

@@ -464,6 +464,14 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> {
         run_command(Command::new("git").arg("init").current_dir(src_path))?;
     }
 
+    if config.features.allow_crl_extensions_bad_version {
+        println!(
+            "cargo:warning=applying the patch for disabling cert version \
+            validation for extensions"
+        );
+        apply_patch(config, "bad-cert-verification.patch")?;
+    }
+
     println!("cargo:warning=applying post quantum crypto patch to boringssl");
     apply_patch(config, "boring-pq.patch")?;
 

boring-sys/patches/bad-cert-verification.patch

@@ -0,0 +1,48 @@
+From fe0b517fa34063990a83268edf7a3cd9ba0b2362 Mon Sep 17 00:00:00 2001
+From: Yuchen Wu <yuchen@cloudflare.com>
+Date: Mon, 13 Mar 2023 14:28:10 -0700
+Subject: [PATCH] PINGORA-474: disable cert version check for openssl
+ compatibility
+
+Some free customers use badly crafted cert (with verification off).
+Openssl allows these cert but boring does't.
+---
+ crypto/x509/x509_test.cc | 4 ++--
+ crypto/x509/x_crl.cc     | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
+index aa5bfda5d..15c1c73ee 100644
+--- a/crypto/x509/x509_test.cc
++++ b/crypto/x509/x509_test.cc
+@@ -3859,8 +3859,8 @@ TEST(X509Test, InvalidVersion) {
+   EXPECT_FALSE(CertFromPEM(kNegativeVersionPEM));
+   EXPECT_FALSE(CertFromPEM(kFutureVersionPEM));
+   EXPECT_FALSE(CertFromPEM(kOverflowVersionPEM));
+-  EXPECT_FALSE(CertFromPEM(kV1WithExtensionsPEM));
+-  EXPECT_FALSE(CertFromPEM(kV2WithExtensionsPEM));
++  ASSERT_TRUE(CertFromPEM(kV1WithExtensionsPEM));
++  ASSERT_TRUE(CertFromPEM(kV2WithExtensionsPEM));
+   EXPECT_FALSE(CertFromPEM(kV1WithIssuerUniqueIDPEM));
+   EXPECT_FALSE(CertFromPEM(kV1WithSubjectUniqueIDPEM));
+   EXPECT_FALSE(CRLFromPEM(kV1CRLWithExtensionsPEM));
+diff --git a/crypto/x509/x_crl.cc b/crypto/x509/x_crl.cc
+index 1d22ed638..4f50bc03f 100644
+--- a/crypto/x509/x_crl.cc
++++ b/crypto/x509/x_crl.cc
+@@ -148,10 +148,12 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+       }
+
+       // Per RFC 5280, section 5.1.2.1, extensions require v2.
++      /* disable this check for openssl compatibility
+       if (version != X509_CRL_VERSION_2 && crl->crl->extensions != nullptr) {
+         OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
+         return 0;
+       }
++      */
+
+       // Extensions is a SEQUENCE SIZE (1..MAX), so it cannot be empty. An empty
+       // extensions list is encoded by omitting the OPTIONAL field.
+-- 
+2.39.5
+