[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Mon Feb 15 04:14:12 UTC 2021

The branch master has been updated
       via  63ae8476796510c15163c9bd18998ccef6c1de16 (commit)
      from  99c166a1b0408e6d5c6efdc402fa859652048751 (commit)

- Log -----------------------------------------------------------------
commit 63ae8476796510c15163c9bd18998ccef6c1de16
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Thu Feb 11 16:10:50 2021 -0800

    x509_vfy: remove redundant stack allocation
    Fix CID 1472833 by removing a codepath that attempts to allocate a
    stack if not already allocated, when the stack was already allocated
    unconditionally a few lines previously.
    Interestingly enough, this additional allocation path (and the comment
    describing the need for it) were added in commit
    69664d6af0cdd7738f55d10fbbe46cdf15f72e0e, also prompted by Coverity(!).
    It seems that the intervening (and much more recent) commit
    d53b437f9992f974c1623e9b9b9bdf053aefbcc3 that allowed sk_X509_dup()
    to accept a NULL argument allowed the earlier initialization path
    to unconditionally allocate a stack, rendering this later allocation fully
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14161)


Summary of changes:
 crypto/x509/x509_vfy.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 58598bbf1f..4e192abec4 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -3033,17 +3033,9 @@ static int build_chain(X509_STORE_CTX *ctx)
      * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add
-     * them to our working copy of the untrusted certificate stack.  Since the
-     * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
-     * no corresponding stack of untrusted certificates, we may need to create
-     * an empty stack first.  [ At present only the ssl library provides DANE
-     * support, and ssl_verify_cert_chain() always provides a non-null stack
-     * containing at least the leaf certificate, but we must be prepared for
-     * this to change. ]
+     * them to our working copy of the untrusted certificate stack.
     if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
-        if (sk_untrusted == NULL && (sk_untrusted = sk_X509_new_null()) == NULL)
-            goto memerr;
         if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) {
             goto memerr;

More information about the openssl-commits mailing list