diff options
author | Tomas Mraz <tomas@openssl.org> | 2022-03-29 13:31:34 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-06-03 15:52:02 +0200 |
commit | b6f107088cc6f054fac5d0b563dec6fdfaa5a161 (patch) | |
tree | 109243ce502cca4d6469ec816f5a78ab49d7b70f /ssl | |
parent | 6fd014f32257b63a0b17e5793faab3e70c979851 (diff) |
Fix strict client chain check with TLS-1.3
When TLS-1.3 is used and the server does not send any CA names
the ca_dn will be NULL. sk_X509_NAME_num() returns -1 on null
argument.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17986)
(cherry picked from commit 89dd85430770d39cbfb15eb586c921958ca7687f)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/t1_lib.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 97fdfcda4e..27e8f04ea3 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2815,22 +2815,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, ca_dn = s->s3.tmp.peer_ca_names; - if (!sk_X509_NAME_num(ca_dn)) + if (ca_dn == NULL + || sk_X509_NAME_num(ca_dn) == 0 + || ssl_check_ca_name(ca_dn, x)) rv |= CERT_PKEY_ISSUER_NAME; - - if (!(rv & CERT_PKEY_ISSUER_NAME)) { - if (ssl_check_ca_name(ca_dn, x)) - rv |= CERT_PKEY_ISSUER_NAME; - } - if (!(rv & CERT_PKEY_ISSUER_NAME)) { + else for (i = 0; i < sk_X509_num(chain); i++) { X509 *xtmp = sk_X509_value(chain, i); + if (ssl_check_ca_name(ca_dn, xtmp)) { rv |= CERT_PKEY_ISSUER_NAME; break; } } - } + if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) goto end; } else |