[openssl] master update
dev at ddvo.net
dev at ddvo.net
Tue Feb 9 14:18:45 UTC 2021
The branch master has been updated
via 990a15fe73b059d78d06c351e902115a30f02e70 (commit)
via 579262af1442e4126677495b3a488490f2c3f082 (commit)
from 93b39c85c9bbf4b40d3cc2486a0ecac50422b2f3 (commit)
- Log -----------------------------------------------------------------
commit 990a15fe73b059d78d06c351e902115a30f02e70
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Feb 8 08:17:23 2021 +0100
x509_vfy: Clarify relevance of ctx->error also on successful verification
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14127)
commit 579262af1442e4126677495b3a488490f2c3f082
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Feb 8 08:12:15 2021 +0100
x509_vfy.c: Fix various coding style and documentation style nits
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14127)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vfy.c | 22 +++++++++---------
doc/man3/X509_STORE_CTX_get_error.pod | 43 +++++++++++++++++++----------------
doc/man3/X509_verify_cert.pod | 4 +++-
3 files changed, 37 insertions(+), 32 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index d55808e524..dc64b34ec8 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -122,7 +122,7 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
/* Look for exact match */
for (i = 0; i < sk_X509_num(certs); i++) {
xtmp = sk_X509_value(certs, i);
- if (!X509_cmp(xtmp, x))
+ if (X509_cmp(xtmp, x) == 0)
break;
xtmp = NULL;
}
@@ -232,7 +232,7 @@ static int verify_chain(X509_STORE_CTX *ctx)
#endif
/* If we get this far evaluate policies */
- if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)
+ if ((ctx->param->flags & X509_V_FLAG_POLICY_CHECK) != 0)
ok = ctx->check_policy(ctx);
return ok;
}
@@ -816,12 +816,13 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
* the chain is PKIX trusted.
*/
if (num_untrusted < num) {
- if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
+ if ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) != 0)
goto trusted;
return X509_TRUST_UNTRUSTED;
}
- if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
+ if (num_untrusted == num
+ && (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) != 0) {
/*
* Last-resort call with no new trusted certificates, check the leaf
* for a direct trust store match.
@@ -1744,7 +1745,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
*/
if (xi != NULL
&& (xs != xi
- || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)
+ || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) != 0
&& (xi->ex_flags & EXFLAG_SS) != 0))) {
EVP_PKEY *pkey;
/*
@@ -1936,7 +1937,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
EVP_PKEY *ktmp = NULL, *ktmp2;
int i, j;
- if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
+ if (pkey != NULL && !EVP_PKEY_missing_parameters(pkey))
return 1;
for (i = 0; i < sk_X509_num(chain); i++) {
@@ -2176,7 +2177,6 @@ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
* application can set: if they aren't set then we use the default of SSL
* client/server.
*/
-
int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
int purpose, int trust)
{
@@ -2958,7 +2958,7 @@ static int build_chain(X509_STORE_CTX *ctx)
* and alternate chains are not disabled, try building an alternate chain
* if no luck with untrusted first.
*/
- search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0;
+ search = ctx->untrusted != NULL ? S_DOUNTRUSTED : 0;
if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) {
if (search == 0 || (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) != 0)
search |= S_DOTRUSTED;
@@ -3054,7 +3054,7 @@ static int build_chain(X509_STORE_CTX *ctx)
}
curr = sk_X509_value(ctx->chain, i - 1);
- ok = depth < num ? 0 : get_issuer(&issuer, ctx, curr);
+ ok = num > depth ? 0 : get_issuer(&issuer, ctx, curr);
if (ok < 0) {
trust = X509_TRUST_REJECTED;
@@ -3191,7 +3191,7 @@ static int build_chain(X509_STORE_CTX *ctx)
if (!ossl_assert(num == ctx->num_untrusted))
goto int_err;
curr = sk_X509_value(ctx->chain, num - 1);
- issuer = (self_signed || depth < num) ?
+ issuer = (self_signed || num > depth) ?
NULL : find_issuer(ctx, sk_untrusted, curr);
if (issuer == NULL) {
/*
@@ -3208,7 +3208,7 @@ static int build_chain(X509_STORE_CTX *ctx)
/* Drop this issuer from future consideration */
(void)sk_X509_delete_ptr(sk_untrusted, issuer);
- if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF))
+ if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF))
goto int_err;
++ctx->num_untrusted;
diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod
index 8d0e2ad2dc..91e65f4af6 100644
--- a/doc/man3/X509_STORE_CTX_get_error.pod
+++ b/doc/man3/X509_STORE_CTX_get_error.pod
@@ -31,26 +31,28 @@ These functions are typically called after certificate or chain verification
using L<X509_verify_cert(3)> or L<X509_STORE_CTX_verify(3)> has indicated
an error or in a verification callback to determine the nature of an error.
-X509_STORE_CTX_get_error() returns the error code of B<ctx>, see
-the B<ERROR CODES> section for a full description of all error codes.
+X509_STORE_CTX_get_error() returns the error code of I<ctx>.
+See the L</ERROR CODES> section for a full description of all error codes.
+It may return a code != X509_V_OK even if X509_verify_cert() did not indicate
+an error, likely because a verification callback function has waived the error.
-X509_STORE_CTX_set_error() sets the error code of B<ctx> to B<s>. For example
+X509_STORE_CTX_set_error() sets the error code of I<ctx> to I<s>. For example
it might be used in a verification callback to set an error based on additional
checks.
-X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a
+X509_STORE_CTX_get_error_depth() returns the I<depth> of the error. This is a
nonnegative integer representing where in the certificate chain the error
occurred. If it is zero it occurred in the end entity certificate, one if
it is the certificate which signed the end entity certificate and so on.
-X509_STORE_CTX_set_error_depth() sets the error B<depth>.
+X509_STORE_CTX_set_error_depth() sets the error I<depth>.
This can be used in combination with X509_STORE_CTX_set_error() to set the
depth at which an error condition was detected.
-X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
-caused the error or B<NULL> if no certificate is relevant.
+X509_STORE_CTX_get_current_cert() returns the certificate in I<ctx> which
+caused the error or NULL if no certificate is relevant.
-X509_STORE_CTX_set_current_cert() sets the certificate B<x> in B<ctx> which
+X509_STORE_CTX_set_current_cert() sets the certificate I<x> in I<ctx> which
caused the error.
This value is not intended to remain valid for very long, and remains owned by
the caller.
@@ -63,17 +65,17 @@ Once such a I<saved> certificate is no longer needed it can be freed with
L<X509_free(3)>.
X509_STORE_CTX_get0_cert() retrieves an internal pointer to the
-certificate being verified by the B<ctx>.
+certificate being verified by the I<ctx>.
X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
verification is successful. Otherwise the returned chain may be incomplete or
-invalid. The returned chain persists after the B<ctx> structure is freed,
-when it is no longer needed it should be free up using:
+invalid. The returned chain persists after the I<ctx> structure is freed.
+When it is no longer needed it should be free up using:
sk_X509_pop_free(chain, X509_free);
X509_verify_cert_error_string() returns a human readable error string for
-verification error B<n>.
+verification error I<n>.
=head1 RETURN VALUES
@@ -82,10 +84,10 @@ X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code.
X509_STORE_CTX_get_error_depth() returns a nonnegative error depth.
X509_STORE_CTX_get_current_cert() returns the certificate which caused the
-error or B<NULL> if no certificate is relevant to the error.
+error or NULL if no certificate is relevant to the error.
X509_verify_cert_error_string() returns a human readable error string for
-verification error B<n>.
+verification error I<n>.
=head1 ERROR CODES
@@ -163,12 +165,12 @@ The CRL has expired.
=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
format error in certificate's notBefore field>
-The certificate B<notBefore> field contains an invalid time.
+The certificate C<notBefore> field contains an invalid time.
=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
format error in certificate's notAfter field>
-The certificate B<notAfter> field contains an invalid time.
+The certificate C<notAfter> field contains an invalid time.
=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
format error in CRL's lastUpdate field>
@@ -178,7 +180,7 @@ The CRL B<lastUpdate> field contains an invalid time.
=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
format error in CRL's nextUpdate field>
-The CRL B<nextUpdate> field contains an invalid time.
+The CRL C<nextUpdate> field contains an invalid time.
=item B<X509_V_ERR_OUT_OF_MEM: out of memory>
@@ -261,7 +263,7 @@ Not used as of OpenSSL 1.1.0.
=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
key usage does not include certificate signing>
-The current candidate issuer certificate was rejected because its B<keyUsage>
+The current candidate issuer certificate was rejected because its C<keyUsage>
extension does not permit certificate signing.
Not used as of OpenSSL 1.1.0.
@@ -359,7 +361,8 @@ certificates.
=item B<X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: proxy certificates not allowed, please set the appropriate flag>
-Proxy certificates not allowed unless the B<-allow_proxy_certs> option is used.
+Proxy certificates not allowed unless the B<X509_V_FLAG_ALLOW_PROXY_CERTS> flag
+is set.
=item B<X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources>
@@ -449,7 +452,7 @@ The above functions should be used instead of directly referencing the fields
in the B<X509_VERIFY_CTX> structure.
In versions of OpenSSL before 1.0 the current certificate returned by
-X509_STORE_CTX_get_current_cert() was never B<NULL>. Applications should
+X509_STORE_CTX_get_current_cert() was never NULL. Applications should
check the return value before printing out any debugging information relating
to the current certificate.
diff --git a/doc/man3/X509_verify_cert.pod b/doc/man3/X509_verify_cert.pod
index 13854f5ed6..2f9cfa3858 100644
--- a/doc/man3/X509_verify_cert.pod
+++ b/doc/man3/X509_verify_cert.pod
@@ -49,7 +49,9 @@ otherwise they return 0, and in exceptional circumstances (such as malloc
failure and internal errors) they can also return a negative code.
On error or failure additional error information can be obtained by
-examining I<ctx> using, for example, L<X509_STORE_CTX_get_error(3)>.
+examining I<ctx> using, for example, L<X509_STORE_CTX_get_error(3)>. Even if
+verification indicated success, the stored error code may be different from
+X509_V_OK, likely because a verification callback function has waived the error.
=head1 SEE ALSO
More information about the openssl-commits
mailing list