[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu Feb 18 10:22:51 UTC 2021


The branch master has been updated
       via  0b3139e815d3d14c4d7506488add6e02a2b682ec (commit)
      from  ba37b82045b1b2fbcbf7580b317de5e3b52c8035 (commit)


- Log -----------------------------------------------------------------
commit 0b3139e815d3d14c4d7506488add6e02a2b682ec
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Feb 11 21:07:14 2021 +0100

    chain_build(): Call verify_cb_cert() if a preliminary error has become final
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14157)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index d5c09d28f4..83dddeeb3d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -352,7 +352,7 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
      */
     if (err != X509_V_ERR_SUBJECT_ISSUER_MISMATCH)
         ctx->error = err;
-    return 0; /* Better call verify_cb_cert(ctx, x, ctx->error_depth, err) ? */
+    return 0;
 }
 
 /*
@@ -3282,10 +3282,17 @@ static int build_chain(X509_STORE_CTX *ctx)
         return 0;
     case X509_TRUST_UNTRUSTED:
     default:
-        if (ctx->error != X509_V_OK)
-            /* Callback already issued in most such cases */
-            return 0;
-        num = sk_X509_num(ctx->chain);
+        switch(ctx->error) {
+        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+        case X509_V_ERR_CERT_NOT_YET_VALID:
+        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+        case X509_V_ERR_CERT_HAS_EXPIRED:
+            return 0; /* Callback already issued by x509_check_cert_time() */
+        default: /* A preliminary error has become final */
+            return verify_cb_cert(ctx, NULL, num - 1, ctx->error);
+        case X509_V_OK:
+            break;
+        }
         CB_FAIL_IF(num > depth,
                    ctx, NULL, num - 1, X509_V_ERR_CERT_CHAIN_TOO_LONG);
         CB_FAIL_IF(DANETLS_ENABLED(dane)
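Review bot: The new inner switch puts its `default:` label between the time-error cases and `case X509_V_OK:`, and is written `switch(ctx->error)` without the space the surrounding code uses after keywords (`if (err != ...)` in the first hunk); both are legal C but read as a fall-through hazard at first glance, so I would move `default: /* A preliminary error has become final */` and its `return` after `case X509_V_OK: break;` and write `switch (ctx->error) {`. The four explicit time-error cases also couple this switch to the error set that x509_check_cert_time() reports through the callback, so a comment such as `/* Keep in sync with the errors x509_check_cert_time() reports via verify_cb_cert() */` on the first case label would warn the next maintainer who adds a time-related error. Finally, the `num - 1` depth passed to verify_cb_cert() now relies on `num` being current even though the `num = sk_X509_num(ctx->chain);` assignment was removed from this path; presumably build_chain refreshes `num` just before the trust switch, outside this hunk, but that is worth confirming. build_chain starts and ends outside the hunk.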

