From 58b293db10ecbfbd81368500bcb171be78b56ec2 Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Sat, 9 Jan 2021 03:01:04 +0000 Subject: Bail out early after finding an single chain if we are have been called from x509_vfy and have an xsc. There's no point in finding more chains since that API can not return them, and all we do is trigger buggy callbacks in calling software. ok jsing@ --- lib/libcrypto/x509/x509_verify.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c index b19b5373c5e..d343706ea12 100644 --- a/lib/libcrypto/x509/x509_verify.c +++ b/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.28 2021/01/08 03:23:56 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.29 2021/01/09 03:01:03 beck Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck * @@ -470,6 +470,14 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, X509 *candidate; int i, depth, count, ret; + /* + * If we are finding chains with an xsc, just stop after we have + * one chain, there's no point in finding more, it just exercises + * the potentially buggy callback processing in the calling software. + */ + if (ctx->xsc != NULL && ctx->chains_count > 0) + return; + depth = sk_X509_num(current_chain->certs); if (depth > 0) depth--; -- cgit v1.2.3