author | Bob Beck <beck@cvs.openbsd.org> | 2021-08-28 07:49:01 +0000 |
committer | Bob Beck <beck@cvs.openbsd.org> | 2021-08-28 07:49:01 +0000 |
commit | 241915d8a5a99e7c7ee04f706a2c7d0582e180b9 (patch) | |
tree | 4eb2b41d7295580aa066098dbf69ea641b699f48 /lib | |
parent | fdbe8d15bb28ced371ff5d9dc1006a645eb53528 (diff) |
Remove the "dump_chain" flag and code. This was a workaround for a problem, since
fixed, where roots were not checked correctly before intermediates, and it is no
longer necessary. It is regress checked by case 2c in
regress/lib/libcrypto/x509/verify.c
ok jsing@ tb@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libcrypto/x509/x509_internal.h | 3 | ||||
-rw-r--r-- | lib/libcrypto/x509/x509_verify.c | 17 |
2 files changed, 4 insertions, 16 deletions
diff --git a/lib/libcrypto/x509/x509_internal.h b/lib/libcrypto/x509/x509_internal.h
index 493bf82ac84..f6ce78346eb 100644
--- a/lib/libcrypto/x509/x509_internal.h
+++ b/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.9 2021/08/19 03:44:00 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.10 2021/08/28 07:49:00 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -69,7 +69,6 @@ struct x509_verify_ctx {
 int saved_error;
 int saved_error_depth;
 size_t chains_count;
- int dump_chain; /* Dump current chain without erroring */
 STACK_OF(X509) *roots; /* Trusted roots for this validation */
 STACK_OF(X509) *intermediates; /* Intermediates provided by peer */
 time_t *check_time; /* Time for validity checks */
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index 5f3c97abf79..3176e110bab 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.43 2021/08/28 07:49:00 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -494,18 +494,8 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert,
 /* Fail if the certificate is already in the chain */
 for (i = 0; i < sk_X509_num(current_chain->certs); i++) {
 if (X509_cmp(sk_X509_value(current_chain->certs, i),
- candidate) == 0) {
- if (is_root_cert) {
- /*
- * Someone made a boo-boo and put their root
- * in with their intermediates - handle this
- * gracefully as we'll have already picked
- * this up as a shorter chain.
- */
- ctx->dump_chain = 1;
- }
+ candidate) == 0)
 return 0;
- }
 }
 
 if (ctx->sig_checks++ > X509_VERIFY_MAX_SIGCHECKS) {
@@ -606,7 +596,6 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 return;
 
 count = ctx->chains_count;
- ctx->dump_chain = 0;
 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 ctx->error_depth = depth;
 if (ctx->xsc != NULL) {
@@ -671,7 +660,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 ctx->xsc->current_cert = cert;
 (void) ctx->xsc->verify_cb(1, ctx->xsc);
 }
- } else if (ctx->error_depth == depth && !ctx->dump_chain) {
+ } else if (ctx->error_depth == depth) {
 if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0))
 return;
 (void) x509_verify_cert_error(ctx, cert, depth, |
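Review bot: The rationale the deleted block comment carried is gone from x509_verify_consider_candidate, so a reader of the new `candidate) == 0) return 0;` can no longer tell why rejecting a duplicate candidate is safe when the duplicate is a root the peer shipped among its intermediates; only the commit message records that. I would keep a short comment on the existing "Fail if the certificate is already in the chain" line, e.g. `/* Fail if the certificate is already in the chain; a root supplied as an intermediate lands here too, and since roots are tried first that chain was already found as a shorter one. */`, so the invariant the regress case 2c checks is stated where the check lives. The function's signature and the remainder of its body are outside the hunk, so whether is_root_cert still has a use after this removal is not visible here and is worth confirming when applying. In x509_verify_build_chains the `else if (ctx->error_depth == depth)` branch now reports an error for every chain that stalled at this depth; that this is the intended behaviour is inferred from the message rather than from the hunk.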