diff options
| author | jsing <> | 2022-10-17 18:56:54 +0000 |
|---|---|---|
| committer | jsing <> | 2022-10-17 18:56:54 +0000 |
| commit | 7ec30b26db8e76fdcf25b85a337d066de2e9dda4 (patch) | |
| tree | 7947de47c2206d6d99f658484d0f7008794837c7 | |
| parent | 88e2e531dd14bb11c24ba57cd3d8d2affeb7ec31 (diff) | |
| download | openbsd-7ec30b26db8e76fdcf25b85a337d066de2e9dda4.tar.gz openbsd-7ec30b26db8e76fdcf25b85a337d066de2e9dda4.tar.bz2 openbsd-7ec30b26db8e76fdcf25b85a337d066de2e9dda4.zip | |
Store errors that result from leaf certificate verification.
In the case that a verification callback is installed that tells the
verifier to continue when a certificate is invalid (e.g. expired),
any error resulting from the leaf certificate verification is not stored
and made available post verification, resulting in an incorrect error being
returned.
Also perform leaf certificate verification prior to adding the chain, which
avoids a potential memory leak (as noted by tb@).
Issue reported by Ilya Shipitsin, who encountered haproxy regress failures.
ok tb@
| -rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index ca32a93e50..e85c3a64d6 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_verify.c,v 1.60 2022/08/05 14:46:52 beck Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.61 2022/10/17 18:56:54 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -494,6 +494,15 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, | |||
| 494 | if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) | 494 | if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) |
| 495 | return 0; | 495 | return 0; |
| 496 | 496 | ||
| 497 | /* Verify the leaf certificate and store any resulting error. */ | ||
| 498 | if (!x509_verify_cert_valid(ctx, leaf, NULL)) | ||
| 499 | return 0; | ||
| 500 | if (!x509_verify_cert_hostname(ctx, leaf, name)) | ||
| 501 | return 0; | ||
| 502 | if (ctx->error_depth == 0 && | ||
| 503 | ctx->error != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) | ||
| 504 | chain->cert_errors[0] = ctx->error; | ||
| 505 | |||
| 497 | /* | 506 | /* |
| 498 | * In the non-legacy code, extensions and purpose are dealt | 507 | * In the non-legacy code, extensions and purpose are dealt |
| 499 | * with as the chain is built. | 508 | * with as the chain is built. |
| @@ -508,16 +517,11 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, | |||
| 508 | return x509_verify_cert_error(ctx, last, depth, | 517 | return x509_verify_cert_error(ctx, last, depth, |
| 509 | X509_V_ERR_OUT_OF_MEM, 0); | 518 | X509_V_ERR_OUT_OF_MEM, 0); |
| 510 | } | 519 | } |
| 511 | |||
| 512 | if (!x509_verify_cert_valid(ctx, leaf, NULL)) | ||
| 513 | return 0; | ||
| 514 | |||
| 515 | if (!x509_verify_cert_hostname(ctx, leaf, name)) | ||
| 516 | return 0; | ||
| 517 | |||
| 518 | ctx->chains_count++; | 520 | ctx->chains_count++; |
| 521 | |||
| 519 | ctx->error = X509_V_OK; | 522 | ctx->error = X509_V_OK; |
| 520 | ctx->error_depth = depth; | 523 | ctx->error_depth = depth; |
| 524 | |||
| 521 | return 1; | 525 | return 1; |
| 522 | } | 526 | } |
| 523 | 527 | ||