summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2020-09-26 15:44:07 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2020-09-26 15:44:07 +0000
commitf10fbfcb88857cf009f7acec1f57cf6536f69489 (patch)
treeb1df6b432823955e6cb30a36279b4943cba0da98 /lib
parent328ef3190b9e9df5dca58ff5e7a831d929d5629e (diff)
Ensure leaf is set up on X509_STORE_CTX before verification.
Previously the leaf certificate was only being set up on the X509_STORE_CTX after two verification steps were performed, however at least one of those steps could result in the verification callback being triggered and existing code breaking. Issue noticed by Raf Czlonka when attempting to connect to talk.google.com using profanity (which does not set SNI and ends up receiving an invalid certificate). ok beck@ deraadt@ tb@
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/x509/x509_verify.c16
1 files changed, 7 insertions, 9 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index 53a06b193b4..0c32cd04b74 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.12 2020/09/23 18:20:16 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.13 2020/09/26 15:44:06 jsing Exp $ */
/*
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
*
@@ -862,15 +862,7 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
return 0;
}
leaf = ctx->xsc->cert;
- }
-
- if (!x509_verify_cert_valid(ctx, leaf, NULL))
- return 0;
-
- if (!x509_verify_cert_hostname(ctx, leaf, name))
- return 0;
- if (ctx->xsc != NULL) {
/*
* XXX
* The legacy code expects the top level cert to be
@@ -895,6 +887,12 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
ctx->xsc->current_cert = leaf;
}
+ if (!x509_verify_cert_valid(ctx, leaf, NULL))
+ return 0;
+
+ if (!x509_verify_cert_hostname(ctx, leaf, name))
+ return 0;
+
if ((current_chain = x509_verify_chain_new()) == NULL) {
ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;