See email below for detailed explanation.
Summary: the X509_VP_FLAG_xxx constants are for use with inh_flags, not
flags.


diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2034,7 +2034,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx,
X509_STORE *store, X509 *x509,
        if (store)
                ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
        else
-               ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+               ctx->param->inh_flags |=
X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;

        if (store)
                {
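Review bot: The corrected assignment in the `else` branch (the `store == NULL` path) has no comment saying why `inh_flags` rather than `flags` is the target, and because the X509_VP_FLAG_* and X509_V_FLAG_* constants overlap numerically the same slip could come back without any compiler diagnostic. Per the report quoted with this patch, the old value 17 was read as X509_V_FLAG_CB_ISSUER_CHECK|X509_V_FLAG_IGNORE_CRITICAL, and the second of those makes verification ignore unhandled critical extensions, so the regression is worth guarding against and not just the spurious callbacks. I would add `/* X509_VP_FLAG_* are inheritance flags and belong in inh_flags; in flags the same bits are X509_V_FLAG_* verify options */` above the assignment, plus a regression test that initialises a context with a NULL store and checks that X509_V_FLAG_IGNORE_CRITICAL is clear in `X509_VERIFY_PARAM_get_flags(X509_STORE_CTX_get0_param(ctx))`. The same hunk appears three more times on this page (once quoted in the original mail and twice in the repeated copy of the message), and X509_STORE_CTX_init starts and continues outside the hunk.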


On 1 November 2010 19:09, Jonathan Dixon <[email protected]> wrote:

> In some experimental code I'm  passing store == NULL
> into X509_STORE_CTX_init however I find that my verify_cb is called for
> every issuer/subject mismatch, as if I had set X509_V_FLAG_CB_ISSUER_CHECK
> (which I haven't)
>
> Digging into it, it appears that the X509_VERIFY_PARAM 'flags' field (in
> ctx->param->flags) is being erroneously initialized with a value of 17
> because it is being incorrectly initialized with enumeration constants
> intended for the inh_flags field.
>
> The values X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE == 17, which are
> then interpreted as  X509_V_FLAG_CB_ISSUER_CHECK|X509_V_FLAG_IGNORE_CRITICAL
> hence the reason I see the spurious CB_ISSUER_CHECK callbacks.
>
>
> Suggested fix:-
>
> diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
> --- a/crypto/x509/x509_vfy.c
> +++ b/crypto/x509/x509_vfy.c
> @@ -2034,7 +2034,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx,
> X509_STORE *store, X509 *x509,
>         if (store)
>                 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
>         else
> -               ctx->param->flags |=
> X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
> +               ctx->param->inh_flags |=
> X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
>
>         if (store)
>                 {
>
>

See email below for detailed explanation.
Summary: the X509_VP_FLAG_xxx constants are for use with inh_flags, not flags.


diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2034,7 +2034,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
        if (store)
                ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
        else
-               ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+               ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
 
        if (store)
                {


On 1 November 2010 19:09, Jonathan Dixon <[email protected]> wrote:
In some experimental code I'm  passing store == NULL into X509_STORE_CTX_init however I find that my verify_cb is called for every issuer/subject mismatch, as if I had set X509_V_FLAG_CB_ISSUER_CHECK (which I haven't)

Digging into it, it appears that the X509_VERIFY_PARAM 'flags' field (in ctx->param->flags) is being erroneously initialized with a value of 17 because it is being incorrectly initialized with enumeration constants intended for the inh_flags field.

The values X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE == 17, which are then interpreted as  X509_V_FLAG_CB_ISSUER_CHECK|X509_V_FLAG_IGNORE_CRITICAL hence the reason I see the spurious CB_ISSUER_CHECK callbacks.


Suggested fix:-

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2034,7 +2034,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
        if (store)
                ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
        else
-               ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+               ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
 
        if (store)
                {

