diff options
author | Matt Caswell <matt@openssl.org> | 2015-06-24 00:12:38 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-07-07 22:57:36 +0100 |
commit | cb22d2ae5a5b6069dbf66dbcce07223ac15a16de (patch) | |
tree | 2c91a796e41734227d15b1a6afccb9f8f522c06e | |
parent | b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0 (diff) |
Fix alt chains bug
This is a follow up to the alternate chains certificate forgery issue
(CVE-2015-1793). That issue is exacerbated in 1.0.1 by a related bug which
means that we *always* check for an alternative chain, even if we have
already found a chain. The code is supposed to stop as soon as it has found
one (and does do in master and 1.0.2).
Reviewed-by: Stephen Henson <steve@openssl.org>
-rw-r--r-- | crypto/x509/verify_extra_test.c | 3 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 2 |
2 files changed, 3 insertions, 2 deletions
diff --git a/crypto/x509/verify_extra_test.c b/crypto/x509/verify_extra_test.c index 08509f0131..a1e41f2822 100644 --- a/crypto/x509/verify_extra_test.c +++ b/crypto/x509/verify_extra_test.c @@ -168,7 +168,8 @@ static int test_alt_chains_cert_forgery(void) i = X509_verify_cert(sctx); - if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) { + if(i == 0 && X509_STORE_CTX_get_error(sctx) + == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) { /* This is the result we were expecting: Test passed */ ret = 1; } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 2e4c54b816..7009ae6307 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -312,7 +312,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) * if the user hasn't switched off alternate chain checking */ retry = 0; - if (j == ctx->last_untrusted && + if (num == ctx->last_untrusted && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { while (j-- > 1) { xtmp2 = sk_X509_value(ctx->chain, j - 1); |