authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-30 09:57:49 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-01-14 14:36:09 +0100
commitfb1e2411042f0367c2560e4ec5e4b1189ca9cd45 (patch)
tree76ff10c7eecdbbddaeda44c71d0ede617c2db80c /crypto
parent2a9785c252df6836da90da33aaeed8edb506e556 (diff)
X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert
This is the backport of #13755 to v1.1.1. Fixes #13698 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13756)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509/x509_cmp.c20
-rw-r--r--crypto/x509/x_all.c2
-rw-r--r--crypto/x509v3/v3_purp.c3
3 files changed, 14 insertions, 11 deletions
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index ad620af0af..c9d8933640 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -133,19 +133,21 @@ unsigned long X509_subject_name_hash_old(X509 *x)
*/
int X509_cmp(const X509 *a, const X509 *b)
{
- int rv;
+ int rv = 0;
if (a == b) /* for efficiency */
return 0;
- /* ensure hash is valid */
- if (X509_check_purpose((X509 *)a, -1, 0) != 1)
- return -2;
- if (X509_check_purpose((X509 *)b, -1, 0) != 1)
- return -2;
-
- rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
- if (rv)
+
+ /* try to make sure hash is valid */
+ (void)X509_check_purpose((X509 *)a, -1, 0);
+ (void)X509_check_purpose((X509 *)b, -1, 0);
+
+ if ((a->ex_flags & EXFLAG_NO_FINGERPRINT) == 0
+ && (b->ex_flags & EXFLAG_NO_FINGERPRINT) == 0)
+ rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+ if (rv != 0)
return rv;
+
/* Check for match against stored encoding too */
if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) {
if (a->cert_info.enc.len < b->cert_info.enc.len)
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index aa5ccba448..bec850af57 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -363,7 +363,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
unsigned int *len)
{
if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0
- && (data->ex_flags & EXFLAG_INVALID) == 0) {
+ && (data->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) {
/* Asking for SHA1 and we already computed it. */
if (len != NULL)
*len = sizeof(data->sha1_hash);
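Review bot: The widened fast path at `(data->ex_flags & EXFLAG_NO_FINGERPRINT) == 0` now hands out the cached SHA-1 even for certificates marked EXFLAG_INVALID, and nothing in the code explains why that is safe. A short why-comment would help the next reader: `/* EXFLAG_INVALID alone does not invalidate the cached hash; only a failed digest in x509v3_cache_extensions() sets EXFLAG_NO_FINGERPRINT. */`. This also makes the correctness of the shortcut depend on EXFLAG_NO_FINGERPRINT being set on every path where `sha1_hash` was not fully written, which appears to be the intent of the v3_purp.c change but cannot be confirmed from this hunk alone. The rest of X509_digest lies outside the hunk.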
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 2b06dba053..93b5ca4d42 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -391,7 +391,8 @@ static void x509v3_cache_extensions(X509 *x)
}
if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
- x->ex_flags |= EXFLAG_INVALID;
+ x->ex_flags |= (EXFLAG_NO_FINGERPRINT | EXFLAG_INVALID);
+
/* V1 should mean no extensions ... */
if (!X509_get_version(x))
x->ex_flags |= EXFLAG_V1;
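Review bot: The `X509_digest()` call whose failure now sets `EXFLAG_NO_FINGERPRINT | EXFLAG_INVALID` is itself short-circuited by X509_digest's cache check on EXFLAG_SET, so this line only computes anything if EXFLAG_SET is not yet raised at this point of x509v3_cache_extensions(); that ordering is not visible in the hunk and deserves to be pinned by a comment, e.g. `/* Must precede setting EXFLAG_SET: X509_digest() returns the cached sha1_hash once that flag is on. */`. On failure `x->sha1_hash` may hold a partial digest, which is acceptable only because every consumer (X509_cmp, X509_digest) is expected to honour EXFLAG_NO_FINGERPRINT; a one-line note saying so next to the flag assignment would document that contract. The enclosing function starts and ends outside this hunk.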