author: beck <beck@openbsd.org> 2021-01-09 03:01:03 +0000
committer: beck <beck@openbsd.org> 2021-01-09 03:01:03 +0000
commit: 4f6c473e1a69faa733ba94a85042dc04f32da42f (patch)
tree: 66488ee5a0aa50a67d934b76a4d9b94babb5cc87
parent: Now we do not call ttyopen() in sioopen(), we do not need the variable (diff)
Bail out early after finding a single chain if we have been called from
x509_vfy and have an xsc. There's no point in finding more chains since that API cannot return them, and all we do is trigger buggy callbacks in calling software. ok jsing@
-rw-r--r-- lib/libcrypto/x509/x509_verify.c | 10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index b19b5373c5e..d343706ea12 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.28 2021/01/08 03:23:56 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.29 2021/01/09 03:01:03 beck Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
@@ -470,6 +470,14 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
X509 *candidate;
int i, depth, count, ret;
+ /*
+ * If we are finding chains with an xsc, just stop after we have
+ * one chain, there's no point in finding more, it just exercises
+ * the potentially buggy callback processing in the calling software.
+ */
+ if (ctx->xsc != NULL && ctx->chains_count > 0)
+ return;
+
depth = sk_X509_num(current_chain->certs);
if (depth > 0)
depth--;
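Review bot: the new guard at the top of x509_verify_build_chains only takes effect on the next entry into the function, so if this function walks a list of candidates and recurses for each one, a candidate loop that is already in progress when the first chain completes will keep recursing (each recursive call returns immediately, but the loop itself still iterates). If that is the case, consider re-checking `ctx->xsc != NULL && ctx->chains_count > 0` after each recursive call inside the loop, so the function breaks out as soon as the chain count goes positive rather than only declining further descents. It would also help a future reader to state in the comment that `chains_count` is the count of completed, accepted chains, since the correctness of the early return depends on that counter being incremented exactly when a chain has been accepted. Minor style point: "there's no point in finding more, it just exercises" is a comma splice; a semicolon or full stop reads better.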