authortb <>2025-02-08 01:01:31 +0000
committertb <>2025-02-08 01:01:31 +0000
commit96c75ee2b11e9696094f297147e12a22be999847 (patch)
treefff0a0e516691848eb9172710032487d1fd841bd
parentd4a59c72160515c2229ba5551c609e5d14f96fdb (diff)
x509_verify: missing verify error on cached signature mismatch
If a signature mismatch is cached, the same error should be passed to the verify callback as if the mismatch was detected by doing the calculation, rather than falling back to the "unable to find the issuer cert locally". ok beck
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index d3534879b8..5dcec27542 100644
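--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.70 2024/06/07 06:21:40 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.71 2025/02/08 01:01:31 tb Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -539,8 +539,11 @@ x509_verify_parent_signature(X509 *parent, X509 *child, int *error)
  int ret = 0;
 
  /* Use cached value if we have it */
- if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0)
+ if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0) {
+ if (cached == 0)
+ *error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
  return cached;
+ }
 
  /* Check signature. Did parent sign child? */
  if ((pkey = X509_get_pubkey(parent)) == NULL) {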
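Review bot: The new `cached == 0` branch in x509_verify_parent_signature reports X509_V_ERR_CERT_SIGNATURE_FAILURE for every cached negative, which is only correct if a signature mismatch is the sole result ever stored as 0. The code that populates the cache is outside this hunk, so it is worth confirming that the X509_get_pubkey failure path just below returns without caching. I would record that invariant in the existing comment, e.g. `/* Use cached value if we have it. A cached 0 is a known signature mismatch; report it as the uncached path does. */`. The invariant matters to callers: a verify callback that tolerates an issuer-not-found error must see the same code for a bad signature whether or not the result came from the cache. The function body starts and ends outside the hunk.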