author | Tomas Mraz <tomas@openssl.org> | 2022-03-29 13:31:34 +0200 |
committer | Tomas Mraz <tomas@openssl.org> | 2022-06-03 15:51:19 +0200 |
commit | 89dd85430770d39cbfb15eb586c921958ca7687f (patch) | |
tree | 6d0709028bdd7aa2b2d94e7d5bcbef0627244808 | |
parent | 336d92eb206946293a50db667fdc44ab7d69f8ad (diff) | |
download | openssl-89dd85430770d39cbfb15eb586c921958ca7687f.tar.gz |
Fix strict client chain check with TLS-1.3
When TLS-1.3 is used and the server does not send any CA names
the ca_dn will be NULL. sk_X509_NAME_num() returns -1 on null
argument.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17986)
-rw-r--r-- | ssl/t1_lib.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f1cb507753..c22aff9e58 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2870,22 +2870,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
         ca_dn = s->s3.tmp.peer_ca_names;
-        if (!sk_X509_NAME_num(ca_dn))
+        if (ca_dn == NULL
+            || sk_X509_NAME_num(ca_dn) == 0
+            || ssl_check_ca_name(ca_dn, x))
             rv |= CERT_PKEY_ISSUER_NAME;
-
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
-            if (ssl_check_ca_name(ca_dn, x))
-                rv |= CERT_PKEY_ISSUER_NAME;
-        }
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
+        else
             for (i = 0; i < sk_X509_num(chain); i++) {
                 X509 *xtmp = sk_X509_value(chain, i);
+
                 if (ssl_check_ca_name(ca_dn, xtmp)) {
                     rv |= CERT_PKEY_ISSUER_NAME;
                     break;
                 }
             }
-        }
+
         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
             goto end;
     } else
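Review bot: The added `else` governs a multi-line `for` loop without braces, so any statement later inserted between `else` and `for` would silently escape the conditional and run even when CERT_PKEY_ISSUER_NAME was already set; writing it as `else {` … `}` keeps the two branches visibly parallel and matches the braced `if` inside the loop. The new three-way condition would also benefit from a one-line comment saying why a missing or empty peer CA-name list satisfies the issuer check, e.g. `/* No CA names from the peer (TLS 1.3 may omit them): any issuer is acceptable */`, because the NULL case is exactly the TLS-1.3 behaviour the commit message describes and the -1 return of sk_X509_NAME_num() on NULL is easy to forget when the condition is next touched. tls1_check_chain begins and ends outside the hunk, and the hunk header's line counts suggest one or two context lines were lost when the page was collapsed.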