author: tb <> 2021-02-24 17:59:05 +0000
committer: tb <> 2021-02-24 17:59:05 +0000
commit: 5822fc8cd3b2c5fe4583f96f1f227cebc9e07883
tree: 6a82977031792901b175e88b3195d0e2b65a9c14 /src/lib/libc/stdlib/merge.c
parent: 479ca8e451d375cb6fedc8ac95903bc80449092c

Make the new validator check for EXFLAG_CRITICAL

As should be obvious from the name and the comment in x509_vfy.h
    int last_untrusted; /* index of last untrusted cert */
last_untrusted actually counts the number of untrusted certs at the
bottom of the chain.

Unfortunately, an earlier fix introducing x509_verify_set_xsc_chain()
assumed that last_untrusted actually meant the index of the last
untrusted cert in the chain, resulting in an off-by-one, which in turn
led to x509_vfy_check_chain_extension() skipping the check for the
EXFLAG_CRITICAL flag.

A second bug in x509_verify_set_xsc_chain() assumed that it is always
called with a trusted root, which is not necessarily the case anymore.
Address this with a temporary fix which will have to be revisited once
we will allow chains with more than one trusted cert.

Reported with a test case by tobhe.

ok jsing tobhe

Diffstat (limited to 'src/lib/libc/stdlib/merge.c')
0 files changed, 0 insertions, 0 deletions
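
Added example, not part of the commit and not the OpenBSD source: a simplified C model of the count-versus-index mismatch the commit message describes, showing how a consumer that loops over last_untrusted as a count stops one certificate short when the producer stores an index. The struct, MODEL_CRITICAL and all function names are hypothetical stand-ins, and both sample chains are constructed.

```c
#include <stdio.h>

#define MODEL_CRITICAL 0x1 /* hypothetical stand-in for EXFLAG_CRITICAL */

struct model_cert {
    int trusted;  /* 1 if this cert is a trust anchor */
    int ex_flags; /* MODEL_CRITICAL: carries an unhandled critical extension */
};

/* Constructed chains, leaf first. */
static const struct model_cert chain_with_root[3] = {
    {0, 0}, {0, MODEL_CRITICAL}, {1, 0}
};
static const struct model_cert chain_no_root[1] = { {0, MODEL_CRITICAL} };

/* Count reading: number of untrusted certs at the bottom of the chain. */
static int untrusted_count(const struct model_cert *chain, int n)
{
    int i = 0;
    while (i < n && !chain[i].trusted)
        i++;
    return i;
}

/* Index reading (the misinterpretation): index of the last untrusted cert. */
static int last_untrusted_index(const struct model_cert *chain, int n)
{
    return untrusted_count(chain, n) - 1;
}

/* Consumer that treats last_untrusted as a count.
 * Returns 1 if the chain passes, 0 if a critical extension rejects it. */
static int check_chain_extensions(const struct model_cert *chain,
    int last_untrusted)
{
    for (int i = 0; i < last_untrusted; i++)
        if (chain[i].ex_flags & MODEL_CRITICAL)
            return 0;
    return 1;
}

int main(void)
{
    printf("count reading passes: %d\n", check_chain_extensions(
        chain_with_root, untrusted_count(chain_with_root, 3)));
    printf("index reading passes: %d\n", check_chain_extensions(
        chain_with_root, last_untrusted_index(chain_with_root, 3)));
    return 0;
}
```

With the index reading, the intermediate carrying the critical flag is never inspected; for the rootless single-cert chain the loop body never runs at all.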