author | tb <> | 2025-02-08 01:01:31 +0000 |
---|---|---|
committer | tb <> | 2025-02-08 01:01:31 +0000 |
commit | 96c75ee2b11e9696094f297147e12a22be999847 (patch) | |
tree | fff0a0e516691848eb9172710032487d1fd841bd | |
parent | d4a59c72160515c2229ba5551c609e5d14f96fdb (diff) | |
x509_verify: missing verify error on cached signature mismatch
If a signature mismatch is cached, the same error should be passed to the
verify callback as if the mismatch was detected by doing the calculation,
rather than falling back to the "unable to find the issuer cert locally".
ok beck
-rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 7 |
1 files changed, 5 insertions, 2 deletions
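--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.70 2024/06/07 06:21:40 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.71 2025/02/08 01:01:31 tb Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -539,8 +539,11 @@ x509_verify_parent_signature(X509 *parent, X509 *child, int *error)
 int ret = 0;
 
 /* Use cached value if we have it */
-if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0)
+if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0) {
+if (cached == 0)
+*error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
 return cached;
+}
 
 /* Check signature. Did parent sign child? */
 if ((pkey = X509_get_pubkey(parent)) == NULL) {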
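Review bot: The cached-negative branch at new lines 543-544 now reports an error, but the comment above it still says only `Use cached value if we have it`, so a reader has to consult the commit log to learn why `*error` is written on a cache hit; suggest `/* Use cached value if we have it. A cached mismatch must report the same error as a freshly computed one so the verify callback sees it. */`. It would also be worth confirming that the uncached mismatch path later in the function sets exactly X509_V_ERR_CERT_SIGNATURE_FAILURE, since that path is outside this hunk and the two must stay in step for the fix to hold. The body of x509_verify_parent_signature begins and ends outside the hunk.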