diff options
Diffstat (limited to '')
-rw-r--r-- | src/lib/libcrypto/x509/x509_verify.c | 46 |
1 files changed, 36 insertions, 10 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 39371ef038..2ec53f6fc8 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: x509_verify.c,v 1.47 2021/08/30 08:59:33 beck Exp $ */ | 1 | /* $OpenBSD: x509_verify.c,v 1.48 2021/09/03 08:58:53 beck Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
4 | * | 4 | * |
@@ -383,6 +383,7 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, | |||
383 | return 0; | 383 | return 0; |
384 | chain->cert_errors[ctx->xsc->error_depth] = | 384 | chain->cert_errors[ctx->xsc->error_depth] = |
385 | ctx->xsc->error; | 385 | ctx->xsc->error; |
386 | ctx->error_depth = ctx->xsc->error_depth; | ||
386 | } | 387 | } |
387 | 388 | ||
388 | return ret; | 389 | return ret; |
@@ -537,10 +538,11 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, | |||
537 | x509_verify_chain_free(new_chain); | 538 | x509_verify_chain_free(new_chain); |
538 | return 0; | 539 | return 0; |
539 | } | 540 | } |
540 | if (x509_verify_cert_error(ctx, candidate, depth, X509_V_OK, 1)) { | 541 | if (!x509_verify_ctx_add_chain(ctx, new_chain)) { |
541 | (void) x509_verify_ctx_add_chain(ctx, new_chain); | 542 | x509_verify_chain_free(new_chain); |
542 | goto done; | 543 | return 0; |
543 | } | 544 | } |
545 | goto done; | ||
544 | } | 546 | } |
545 | 547 | ||
546 | x509_verify_build_chains(ctx, candidate, new_chain, full_chain); | 548 | x509_verify_build_chains(ctx, candidate, new_chain, full_chain); |
@@ -596,8 +598,15 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
596 | return; | 598 | return; |
597 | 599 | ||
598 | count = ctx->chains_count; | 600 | count = ctx->chains_count; |
601 | |||
599 | ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; | 602 | ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; |
600 | ctx->error_depth = depth; | 603 | ctx->error_depth = depth; |
604 | |||
605 | if (ctx->saved_error != 0) | ||
606 | ctx->error = ctx->saved_error; | ||
607 | if (ctx->saved_error_depth != 0) | ||
608 | ctx->error_depth = ctx->saved_error_depth; | ||
609 | |||
601 | if (ctx->xsc != NULL) { | 610 | if (ctx->xsc != NULL) { |
602 | /* | 611 | /* |
603 | * Long ago experiments at Muppet labs resulted in a | 612 | * Long ago experiments at Muppet labs resulted in a |
@@ -663,8 +672,6 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, | |||
663 | } else if (ctx->error_depth == depth) { | 672 | } else if (ctx->error_depth == depth) { |
664 | if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0)) | 673 | if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0)) |
665 | return; | 674 | return; |
666 | (void) x509_verify_cert_error(ctx, cert, depth, | ||
667 | ctx->error, 0); | ||
668 | } | 675 | } |
669 | } | 676 | } |
670 | 677 | ||
@@ -1131,9 +1138,12 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) | |||
1131 | } | 1138 | } |
1132 | do { | 1139 | do { |
1133 | retry_chain_build = 0; | 1140 | retry_chain_build = 0; |
1134 | if (x509_verify_ctx_cert_is_root(ctx, leaf, full_chain)) | 1141 | if (x509_verify_ctx_cert_is_root(ctx, leaf, full_chain)) { |
1135 | x509_verify_ctx_add_chain(ctx, current_chain); | 1142 | if (!x509_verify_ctx_add_chain(ctx, current_chain)) { |
1136 | else { | 1143 | x509_verify_chain_free(current_chain); |
1144 | goto err; | ||
1145 | } | ||
1146 | } else { | ||
1137 | x509_verify_build_chains(ctx, leaf, current_chain, | 1147 | x509_verify_build_chains(ctx, leaf, current_chain, |
1138 | full_chain); | 1148 | full_chain); |
1139 | if (full_chain && ctx->chains_count == 0) { | 1149 | if (full_chain && ctx->chains_count == 0) { |
@@ -1189,8 +1199,24 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) | |||
1189 | if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], | 1199 | if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], |
1190 | 1, 1)) | 1200 | 1, 1)) |
1191 | goto err; | 1201 | goto err; |
1202 | ctx->xsc->error = X509_V_OK; | ||
1203 | /* | ||
1204 | * Call the callback indicating success up our already | ||
1205 | * verified chain. The callback could still tell us to | ||
1206 | * fail. | ||
1207 | */ | ||
1208 | if(!x509_vfy_callback_indicate_success(ctx->xsc)) | ||
1209 | goto err; | ||
1210 | } else { | ||
1211 | /* | ||
1212 | * We had a failure, indicate the failure, but | ||
1213 | * allow the callback to override at depth 0 | ||
1214 | */ | ||
1215 | if (ctx->xsc->verify_cb(0, ctx->xsc)) { | ||
1216 | ctx->xsc->error = X509_V_OK; | ||
1217 | return 1; | ||
1218 | } | ||
1192 | } | 1219 | } |
1193 | return ctx->xsc->verify_cb(ctx->chains_count > 0, ctx->xsc); | ||
1194 | } | 1220 | } |
1195 | return (ctx->chains_count); | 1221 | return (ctx->chains_count); |
1196 | 1222 | ||