From 47ae43c59d54927c866d98e2249318f5de880b4a Mon Sep 17 00:00:00 2001 From: jsing <> Date: Sat, 26 Sep 2020 15:44:06 +0000 Subject: Ensure leaf is set up on X509_STORE_CTX before verification. Previously the leaf certificate was only being set up on the X509_STORE_CTX after two verification steps were performed, however at least one of those steps could result in the verification callback being triggered and existing code breaking. Issue noticed by Raf Czlonka when attempting to connect to talk.google.com using profanity (which does not set SNI and ends up receiving an invalid certificate). ok beck@ deraadt@ tb@ --- src/lib/libcrypto/x509/x509_verify.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 53a06b193b..0c32cd04b7 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.12 2020/09/23 18:20:16 jsing Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.13 2020/09/26 15:44:06 jsing Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -862,15 +862,7 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) return 0; } leaf = ctx->xsc->cert; - } - - if (!x509_verify_cert_valid(ctx, leaf, NULL)) - return 0; - - if (!x509_verify_cert_hostname(ctx, leaf, name)) - return 0; - if (ctx->xsc != NULL) { /* * XXX * The legacy code expects the top level cert to be @@ -895,6 +887,12 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) ctx->xsc->current_cert = leaf; } + if (!x509_verify_cert_valid(ctx, leaf, NULL)) + return 0; + + if (!x509_verify_cert_hostname(ctx, leaf, name)) + return 0; + if ((current_chain = x509_verify_chain_new()) == NULL) { ctx->error = X509_V_ERR_OUT_OF_MEM; return 0; -- cgit v1.2.3-55-g6feb