From a501e42ba79e88a58d28b4491728b8cf86cf46d6 Mon Sep 17 00:00:00 2001 From: tb <> Date: Thu, 20 Oct 2022 09:45:18 +0000 Subject: Store errors that result from leaf certificate verification. In the case that a verification callback is installed that tells the verifier to continue when a certificate is invalid (e.g. expired), any error resulting from the leaf certificate verification is not stored and made available post verification, resulting in an incorrect error being returned. Also perform leaf certificate verification prior to adding the chain, which avoids a potential memory leak (as noted by tb@). Issue reported by Ilya Shipitsin, who encountered haproxy regress failures. ok tb@; from jsing This is errata/7.2/001_x509.patch.sig --- src/lib/libcrypto/x509/x509_verify.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index ca32a93e50..c212ab4e8a 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.60 2022/08/05 14:46:52 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.60.2.1 2022/10/20 09:45:18 tb Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck * @@ -494,6 +494,15 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) return 0; + /* Verify the leaf certificate and store any resulting error. */ + if (!x509_verify_cert_valid(ctx, leaf, NULL)) + return 0; + if (!x509_verify_cert_hostname(ctx, leaf, name)) + return 0; + if (ctx->error_depth == 0 && + ctx->error != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + chain->cert_errors[0] = ctx->error; + /* * In the non-legacy code, extensions and purpose are dealt * with as the chain is built. @@ -508,16 +517,11 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, return x509_verify_cert_error(ctx, last, depth, X509_V_ERR_OUT_OF_MEM, 0); } - - if (!x509_verify_cert_valid(ctx, leaf, NULL)) - return 0; - - if (!x509_verify_cert_hostname(ctx, leaf, name)) - return 0; - ctx->chains_count++; + ctx->error = X509_V_OK; ctx->error_depth = depth; + return 1; } -- cgit v1.2.3-55-g6feb