OpenSSL self-test report:

OpenSSL version:  0.9.7c
Last change:      Fix various bugs revealed by running the NISCC test sui...
Options:           no-krb5
OS (uname):       FreeBSD swift.juniper.net 4.9-STABLE FreeBSD 4.9-STABLE #0: Fri Dec 19 16:09:34 PST 2003     [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SWIFT  i386
OS (config):      i386-pc-freebsd4.9
Target (default): FreeBSD-elf
Target:           dist
Compiler:         Using builtin specs.
gcc version 2.95.4 20020320 [FreeBSD]


The patch below should be self explanatory, but just in case...

There are several places where check_issued is called like:

                /* If we are self signed, we break */
                xn=X509_get_issuer_name(x);
                if (ctx->check_issued(ctx,x,x)) break;

If x is not self-signed, check_issued should return 0, and that is
what happens provided X509_V_FLAG_CB_ISSUER_CHECK is not set.
If X509_V_FLAG_CB_ISSUER_CHECK is used, we get spurious errors about
subject issuer mismatch, and a non-zero return which breaks the logic
above.

Repeat using any valid cert which is not self signed and run

openssl verify -issuer_checks cert.pem

Fix is simple...

Thanks
--sjg

Index: crypto/x509/x509_vfy.c
===================================================================
RCS file: /cvs/junos-2001/src/crypto/openssl/crypto/x509/x509_vfy.c,v
retrieving revision 1.1.1.4
diff -u -p -r1.1.1.4 x509_vfy.c
--- crypto/x509/x509_vfy.c      30 Sep 2003 12:05:44 -0000      1.1.1.4
+++ crypto/x509/x509_vfy.c      11 Mar 2004 00:05:18 -0000
@@ -342,14 +342,18 @@ static int check_issued(X509_STORE_CTX *
        if (ret == X509_V_OK)
                return 1;
        /* If we haven't asked for issuer errors don't set ctx */
-       if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
+       if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK)
+           /*
+            * Or if we were called to see if x is self signed (x == issuer),
+            * it is not an error that issuer did not issue x.
+            */
+           || (x == issuer))
                return 0;
 
        ctx->error = ret;
        ctx->current_cert = x;
        ctx->current_issuer = issuer;
        return ctx->verify_cb(0, ctx);
-       return 0;
 }
 
 /* Alternative lookup method: look from a STACK stored in other_ctx */
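Review bot: the new `|| (x == issuer)` short-circuit is a pointer-identity test, so it only silences the `check_issued(ctx,x,x)` self-signed probes described above, where the same X509 object is passed as both arguments; a caller that passes two distinct X509 objects for the same certificate still takes the callback path and reports a mismatch. That matches the stated intent, but the comment should say it is a same-object test, and it would read better placed above the `if` rather than between the two operands of the condition. Dropping the `return 0;` that followed `return ctx->verify_cb(0, ctx);` is fine, since that line was unreachable.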

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
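Added example, not from the original mail or from OpenSSL: a small C model of check_issued() before and after this patch, using constructed stand-in types and certificates, that counts how many issuer errors reach the verify callback when the verify loop's self-signed probe runs with X509_V_FLAG_CB_ISSUER_CHECK set.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for OpenSSL's X509 and X509_STORE_CTX; only the fields
 * that check_issued() touches are modelled (this is not OpenSSL code). */
#define V_OK 0
#define V_ERR_SUBJECT_ISSUER_MISMATCH 29
#define FLAG_CB_ISSUER_CHECK 0x1u
typedef struct { const char *subject; const char *issuer; } cert_t;
typedef struct {
    unsigned long flags;
    int error;                    /* error code handed to the callback */
    const cert_t *current_cert, *current_issuer;
    int cb_errors;                /* times verify_cb() was called with ok == 0 */
} verify_ctx_t;

/* Stand-in for X509_check_issued(): issuer-name match only. */
static int cert_check_issued(const cert_t *issuer, const cert_t *x) {
    return strcmp(issuer->subject, x->issuer) == 0 ? V_OK : V_ERR_SUBJECT_ISSUER_MISMATCH;
}

/* Like the `openssl verify` callback: count the error, do not override it. */
static int verify_cb(int ok, verify_ctx_t *ctx) { if (!ok) ctx->cb_errors++; return ok; }

/* check_issued() as it was before the patch. */
static int check_issued_before(verify_ctx_t *ctx, const cert_t *x, const cert_t *issuer) {
    int ret = cert_check_issued(issuer, x);
    if (ret == V_OK) return 1;
    if (!(ctx->flags & FLAG_CB_ISSUER_CHECK)) return 0;
    ctx->error = ret; ctx->current_cert = x; ctx->current_issuer = issuer;
    return verify_cb(0, ctx);
}

/* check_issued() with the patch: the self-signed probe (x == issuer) stays silent. */
static int check_issued_after(verify_ctx_t *ctx, const cert_t *x, const cert_t *issuer) {
    int ret = cert_check_issued(issuer, x);
    if (ret == V_OK) return 1;
    if (!(ctx->flags & FLAG_CB_ISSUER_CHECK) || x == issuer) return 0;
    ctx->error = ret; ctx->current_cert = x; ctx->current_issuer = issuer;
    return verify_cb(0, ctx);
}

typedef int (*check_fn)(verify_ctx_t *, const cert_t *, const cert_t *);
/* One check_issued() call with -issuer_checks set; returns how many errors reached
 * the callback. self_probe != 0 reproduces the verify loop's check_issued(ctx,x,x)
 * on a non-self-signed leaf; self_probe == 0 tests a genuine issuer mismatch. */
int callback_errors(check_fn check, int self_probe) {
    cert_t leaf  = { "CN=leaf", "CN=ca" };            /* constructed: issued by CN=ca */
    cert_t other = { "CN=unrelated", "CN=unrelated" }; /* constructed: not leaf's issuer */
    verify_ctx_t ctx = { FLAG_CB_ISSUER_CHECK, V_OK, NULL, NULL, 0 };
    check(&ctx, &leaf, self_probe ? &leaf : &other);
    return ctx.cb_errors;
}
```

The old logic reports one spurious error for the self-signed probe; the patched logic reports none there while still reporting a real issuer mismatch.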