Commit 5e80a5da authored by Matt Caswell's avatar Matt Caswell
Browse files

Don't crash if there are no trusted certs 



The X509_STORE_CTX_init() docs explicitly allow a NULL parameter for the
X509_STORE. Therefore we shouldn't crash if we subsequently call
X509_verify_cert() and no X509_STORE has been set.

Fixes #2462

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6003)
parent c6c7bb01

crypto/x509/x509_lu.c

+16 −0
Original line number Diff line number Diff line
@@ -311,7 +311,11 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, 
    X509_OBJECT stmp, *tmp;

    int i, j;



    if (ctx == NULL)

        return 0;



    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);



    tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);

    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
@@ -506,6 +510,10 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) 
    STACK_OF(X509) *sk;

    X509 *x;

    X509_OBJECT *obj;



    if (ctx->ctx == NULL)

        return NULL;



    sk = sk_X509_new_null();

    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

    idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
@@ -551,6 +559,11 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) 
    STACK_OF(X509_CRL) *sk;

    X509_CRL *x;

    X509_OBJECT *obj, xobj;





    if (ctx->ctx == NULL)

        return NULL;



    sk = sk_X509_CRL_new_null();

    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
@@ -651,6 +664,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 
    }

    X509_OBJECT_free_contents(&obj);



    if (ctx->ctx == NULL)

        return 0;



    /* Else find index of first cert accepted by 'check_issued' */

    ret = 0;

    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);