In certain situations the server provided certificate chain may no longer be... (f7bf8e02) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/x509/x509_vfy.c

+98 −67

Original line number	Diff line number	Diff line
		@@ -151,11 +151,11 @@ static int x509_subject_cmp(X509 a, X509 b)

		int X509_verify_cert(X509_STORE_CTX *ctx)
		{
		X509 x, xtmp, *chain_ss = NULL;
		X509 x, xtmp, xtmp2, chain_ss = NULL;
		int bad_chain = 0;
		X509_VERIFY_PARAM *param = ctx->param;
		int depth, i, ok = 0;
		int num;
		int num, j, retry;
		int (cb) (int xok, X509_STORE_CTX xctx);
		STACK_OF(X509) *sktmp = NULL;
		if (ctx->cert == NULL) {
		@@ -224,25 +224,27 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
		break;
		}

		/* Remember how many untrusted certs we have */
		j = num;
		/*
		* at this point, chain should contain a list of untrusted certificates.
		* We now need to add at least one trusted one, if possible, otherwise we
		* complain.
		*/

		do {
		/*
		* Examine last certificate in chain and see if it is self signed.
		*/

		i = sk_X509_num(ctx->chain);
		x = sk_X509_value(ctx->chain, i - 1);
		if (ctx->check_issued(ctx, x, x)) {
		/* we have a self signed certificate */
		if (sk_X509_num(ctx->chain) == 1) {
		/*
		* We have a single self signed certificate: see if we can find
		* it in the store. We must have an exact match to avoid possible
		* impersonation.
		* We have a single self signed certificate: see if we can
		* find it in the store. We must have an exact match to avoid
		* possible impersonation.
		*/
		ok = ctx->get_issuer(&xtmp, ctx, x);
		if ((ok <= 0) \|\| X509_cmp(x, xtmp)) {
		@@ -257,8 +259,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
		goto end;
		} else {
		/*
		* We have a match: replace certificate with store version so
		* we get any trust settings.
		* We have a match: replace certificate with store
		* version so we get any trust settings.
		*/
		X509_free(x);
		x = xtmp;
		@@ -272,27 +274,23 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
		chain_ss = sk_X509_pop(ctx->chain);
		ctx->last_untrusted--;
		num--;
		j--;
		x = sk_X509_value(ctx->chain, num - 1);
		}
		}

		/* We now lookup certs from the certificate store */
		for (;;) {
		/* If we have enough, we break */
		if (depth < num)
		break;

		/* If we are self signed, we break */
		if (ctx->check_issued(ctx, x, x))
		break;

		ok = ctx->get_issuer(&xtmp, ctx, x);

		if (ok < 0)
		return ok;
		if (ok == 0)
		break;

		x = xtmp;
		if (!sk_X509_push(ctx->chain, x)) {
		X509_free(xtmp);
		@@ -302,7 +300,40 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
		num++;
		}

		/* we now have our chain, lets check it... */
		/*
		* If we haven't got a least one certificate from our store then check
		* if there is an alternative chain that could be used.
		*/
		retry = 0;
		if (j == ctx->last_untrusted) {
		while (j-- > 1) {
		xtmp2 = sk_X509_value(ctx->chain, j - 1);
		ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
		if (ok < 0)
		goto end;
		/* Check if we found an alternate chain */
		if (ok > 0) {
		/*
		* Free up the found cert we'll add it again later
		*/
		X509_free(xtmp);

		/*
		* Dump all the certs above this point - we've found an
		* alternate chain
		*/
		while (num > j) {
		xtmp = sk_X509_pop(ctx->chain);
		X509_free(xtmp);
		num--;
		ctx->last_untrusted--;
		}
		retry = 1;
		break;
		}
		}
		}
		} while (retry);

		/* Is last certificate looked up self signed? */
		if (!ctx->check_issued(ctx, x, x)) {

Admin message