authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2021-02-08 07:31:11 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-02-09 15:48:30 +0100
commit364246a986cd08e6b2b0e9ab8043ed2e2c505026 (patch)
treee6f52558e67448017b6f6cfae7b98382a45d5e1c /crypto
parent990a15fe73b059d78d06c351e902115a30f02e70 (diff)
X509_get_pubkey_parameters(): Correct failure behavior and its use
Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14095)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509/x509_vfy.c25
1 files changed, 12 insertions, 13 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index dc64b34ec8..d723239cb0 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -199,17 +199,13 @@ static int verify_chain(X509_STORE_CTX *ctx)
int err;
int ok;
- /*
- * Before either returning with an error, or continuing with CRL checks,
- * instantiate chain public key parameters.
- */
- if ((ok = build_chain(ctx)) == 0 ||
- (ok = check_chain(ctx)) == 0 ||
- (ok = check_auth_level(ctx)) == 0 ||
- (ok = check_id(ctx)) == 0 || 1)
- X509_get_pubkey_parameters(NULL, ctx->chain);
- if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0)
- return 0;
+ if ((ok = build_chain(ctx)) <= 0
+ || (ok = check_chain(ctx)) <= 0
+ || (ok = check_auth_level(ctx)) <= 0
+ || (ok = check_id(ctx)) <= 0
+ || (ok = X509_get_pubkey_parameters(NULL, ctx->chain) ? 1 : -1) <= 0
+ || (ok = ctx->check_revocation(ctx)) <= 0)
+ return ok;
err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
ctx->param->flags);
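Review bot: verify_chain() can now return a negative value through `return ok;` (the `X509_get_pubkey_parameters(NULL, ctx->chain) ? 1 : -1` step yields -1), where the removed code returned 0 on every failure visible in this hunk. Its callers are outside the hunk, so confirm that none of them tests the result with `!ok` or `== 0`, because such a test would read -1 as a successful verification. The visible lines also do not set `ctx->error` when parameter inheritance fails, so unless that happens elsewhere the caller may see a failure while the error code still holds its previous value. A comment above the condition would document the contract, for example `/* returns 1 on success, 0 on verification failure, < 0 on internal error */`. The body of verify_chain continues outside the hunk.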
@@ -1932,6 +1928,7 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
+/* Copy any missing public key parameters up the chain towards pkey */
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
{
EVP_PKEY *ktmp = NULL, *ktmp2;
@@ -1948,6 +1945,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
}
if (!EVP_PKEY_missing_parameters(ktmp))
break;
+ ktmp = NULL;
}
if (ktmp == NULL) {
ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
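Review bot: The added `ktmp = NULL;` at the end of the loop body is easy to mistake for dead code and needs a why-comment. It is what makes the `if (ktmp == NULL)` check after the loop fire when no certificate key has complete parameters; without it the last incomplete key would be used as the copy source. Something like `/* parameters still missing: do not let this key pass the NULL check below */` would do. The loop header is outside the hunk.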
@@ -1957,11 +1955,12 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
/* first, populate the other certs */
for (j = i - 1; j >= 0; j--) {
ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j));
- EVP_PKEY_copy_parameters(ktmp2, ktmp);
+ if (!EVP_PKEY_copy_parameters(ktmp2, ktmp))
+ return 0;
}
if (pkey != NULL)
- EVP_PKEY_copy_parameters(pkey, ktmp);
+ return EVP_PKEY_copy_parameters(pkey, ktmp);
return 1;
}
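Review bot: The two new failure exits (`return 0;` in the loop and `return EVP_PKEY_copy_parameters(pkey, ktmp);`) report failure without raising an X509-level error, unlike the `ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN)` path just above. Whether EVP_PKEY_copy_parameters queues its own error is not visible here; if it does not, chain verification can fail with nothing in the error queue to explain why. `ktmp2` is also passed to the copy without a NULL check in this loop; presumably every certificate below index `i` was checked in the first loop, but that part is outside the hunk and worth confirming. Since verify_chain now depends on the result, the one-line comment added above the function should also state the return contract, e.g. `/* Returns 1 on success, 0 on failure */`.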