[openssl-commits] Passed: openssl/openssl#3537 (master - 69664d6)

Travis CI builds at travis-ci.org
Wed Apr 27 20:25:19 UTC 2016

Build Update for openssl/openssl

Build: #3537
Status: Passed

Duration: 25 minutes and 14 seconds
Commit: 69664d6 (master)
Author: Viktor Dukhovni
Message: Future proof build_chain() in x509_vfy.c

Coverity reports a potential NULL deref when "2 0 0" DANE trust-anchors
from DNS are configured via SSL_dane_tlsa_add() and X509_STORE_CTX_init()
is called with a NULL stack of untrusted certificates.

Since ssl_verify_cert_chain() always provides a non-NULL stack of
untrusted certs, and no other code path enables DANE, the problem
can only happen in applications that use SSL_CTX_set_cert_verify_callback()
to implement their own wrappers around X509_verify_cert() passing
only the leaf certificate to the latter.

Regardless of the "improbability" of the problem, we do need to
ensure that build_chain() handles this case correctly.

Reviewed-by: Matt Caswell <matt at openssl.org>

View the changeset: https://github.com/openssl/openssl/compare/4c5e6b2cb95a...69664d6af0cd

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/126186727


