[openssl] master update
tomas at openssl.org
tomas at openssl.org
Tue Nov 9 07:50:56 UTC 2021
The branch master has been updated
via 64c428c35053a101a452c42d5d0a9a8342493606 (commit)
from 7267769c28fb90d990a9d789093e83699bf4c5a0 (commit)
- Log -----------------------------------------------------------------
commit 64c428c35053a101a452c42d5d0a9a8342493606
Author: PW Hu <jlu.hpw at foxmail.com>
Date: Fri Nov 5 17:56:50 2021 +0800
Fix: invoking X509_self_signed improperly
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16976)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_cmp.c | 8 ++++++--
crypto/x509/x509_vfy.c | 4 ++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 8b4e46a589..f3d58cdfa6 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -208,8 +208,12 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
return 1;
}
}
- if ((flags & X509_ADD_FLAG_NO_SS) != 0 && X509_self_signed(cert, 0))
- return 1;
+ if ((flags & X509_ADD_FLAG_NO_SS) != 0) {
+ int ret = X509_self_signed(cert, 0);
+
+ if (ret != 0)
+ return ret > 0 ? 1 : 0;
+ }
if (!sk_X509_insert(sk, cert,
(flags & X509_ADD_FLAG_PREPEND) != 0 ? 0 : -1)) {
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 1039bad305..7221bbe050 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -3231,7 +3231,7 @@ static int build_chain(X509_STORE_CTX *ctx)
if (!ossl_assert(num == ctx->num_untrusted))
goto int_err;
curr = sk_X509_value(ctx->chain, num - 1);
- issuer = (X509_self_signed(curr, 0) || num > max_depth) ?
+ issuer = (X509_self_signed(curr, 0) > 0 || num > max_depth) ?
NULL : find_issuer(ctx, sk_untrusted, curr);
if (issuer == NULL) {
/*
@@ -3302,7 +3302,7 @@ static int build_chain(X509_STORE_CTX *ctx)
CB_FAIL_IF(DANETLS_ENABLED(dane)
&& (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0),
ctx, NULL, num - 1, X509_V_ERR_DANE_NO_MATCH);
- if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0))
+ if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0) > 0)
return verify_cb_cert(ctx, NULL, num - 1,
num == 1
? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
More information about the openssl-commits
mailing list