[openssl] master update
dev at ddvo.net
Thu Oct 8 14:50:04 UTC 2020
The branch master has been updated
via 02a2567173a451d8d00c276e6d8c1d1cb171234d (commit)
from df38dcfcd5c3e264e449589ef0b9fce8ce6e428c (commit)
- Log -----------------------------------------------------------------
commit 02a2567173a451d8d00c276e6d8c1d1cb171234d
Author: André Klitzing <aklitzing at gmail.com>
Date: Wed Mar 18 16:04:06 2020 +0100
Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
This unifies the behaviour of a single certificate with
an unknown CA certificate with a self-signed certificate.
The user callback can mask that error to retrieve additional
error information, so the user application can decide to
abort the connection instead of being forced to by OpenSSL.
This change in behaviour is backward compatible, as user callbacks
that don't want to ignore UNABLE_TO_VERIFY_LEAF_SIGNATURE will
still abort the connection by default.
CLA: trivial
Fixes #11297
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13083)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vfy.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index cf89179dfd..710939b619 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1804,9 +1804,15 @@ static int internal_verify(X509_STORE_CTX *ctx)
xs = xi;
goto check_cert_time;
}
- if (n <= 0)
- return verify_cb_cert(ctx, xi, 0,
- X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
+ if (n <= 0) {
+ if (!verify_cb_cert(ctx, xi, 0,
+ X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+ return 0;
+
+ xs = xi;
+ goto check_cert_time;
+ }
+
n--;
ctx->error_depth = n;
xs = sk_X509_value(ctx->chain, n);
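Review bot: the new `if (n <= 0) { ... }` block changes what happens when the verify callback masks X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, but the summary shows only crypto/x509/x509_vfy.c touched, so neither a test nor the callback documentation accompanies it. Before the hunk, `return verify_cb_cert(ctx, xi, 0, X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);` made internal_verify return the callback's decision immediately; after it, a masking callback falls through to `xs = xi; goto check_cert_time;`, the same path the self-signed branch above takes, so applications that mask this error may now see further callback invocations (such as validity-period errors on the leaf) that they previously never received. Suggest adding a test with a single leaf certificate whose issuer is not in the store and a callback that masks the error, asserting that the leaf's validity period is still checked, and noting the continued checks in the verify-callback documentation.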