Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c51
1 files changed, 2 insertions, 49 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 233c95c408..a161b330ae 100644
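--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.87 2021/08/19 03:44:00 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.88 2021/08/28 15:22:42 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -634,54 +634,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
 
  /* Use the modern multi-chain verifier from x509_verify_cert */
 
- /* Find our trusted roots */
- ctx->error = X509_V_ERR_OUT_OF_MEM;
-
- if (ctx->get_issuer == get_issuer_sk) {
- /*
- * We are using the trusted stack method. so
- * the roots are in the aptly named "ctx->other_ctx"
- * pointer. (It could have been called "al")
- */
- if ((roots = X509_chain_up_ref(ctx->other_ctx)) == NULL)
- return -1;
- } else {
- /*
- * We have a X509_STORE and need to pull out the roots.
- * Don't look Ethel...
- */
- STACK_OF(X509_OBJECT) *objs;
- size_t i, good = 1;
-
- if ((roots = sk_X509_new_null()) == NULL)
- return -1;
-
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- if ((objs = X509_STORE_get0_objects(ctx->ctx)) == NULL)
- good = 0;
- for (i = 0; good && i < sk_X509_OBJECT_num(objs); i++) {
- X509_OBJECT *obj;
- X509 *root;
- obj = sk_X509_OBJECT_value(objs, i);
- if (obj->type != X509_LU_X509)
- continue;
- root = obj->data.x509;
- if (X509_up_ref(root) == 0)
- good = 0;
- if (sk_X509_push(roots, root) == 0) {
- X509_free(root);
- good = 0;
- }
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
- if (!good) {
- sk_X509_pop_free(roots, X509_free);
- return -1;
- }
- }
-
- if ((vctx = x509_verify_ctx_new_from_xsc(ctx, roots)) != NULL) {
+ if ((vctx = x509_verify_ctx_new_from_xsc(ctx)) != NULL) {
  ctx->error = X509_V_OK; /* Initialize to OK */
  chain_count = x509_verify(vctx, NULL, NULL);
  }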
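Review bot: With the removed `ctx->error = X509_V_ERR_OUT_OF_MEM;` (old line 638) gone, nothing in this hunk assigns ctx->error when x509_verify_ctx_new_from_xsc(ctx) returns NULL, so that failure path leaves whatever error value the context already held. If that value happens to be X509_V_OK, a caller that inspects the error code after a failed verification gets a failure with no reason attached, and a caller that checks only the error code could read it as success. Consider keeping the assignment immediately before the `if`, i.e. `ctx->error = X509_V_ERR_OUT_OF_MEM;`, unless x509_verify_ctx_new_from_xsc now sets the error itself, which is not visible here. X509_verify_cert starts and ends outside the hunk, so the return path after the closing brace could not be checked.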