diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-05-17 13:40:57 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-05-18 15:16:37 -0400 |
commit | f3e235ed6faa82170d857fdec3287558eb906c58 (patch) | |
tree | 6be52b96d30e137d5c58eaa62264a67fd0b4ffdd /crypto/x509v3 | |
parent | 5fba3912cc770bb035accb390653bda1a795f39e (diff) | |
download | openssl-f3e235ed6faa82170d857fdec3287558eb906c58.tar.gz |
Ensure verify error is set when X509_verify_cert() fails
Set ctx->error = X509_V_ERR_OUT_OF_MEM when verificaiton cannot
continue due to malloc failure. Also, when X509_verify_cert()
returns <= 0 make sure that the verification status does not remain
X509_V_OK, as a last resort set it it to X509_V_ERR_UNSPECIFIED,
just in case some code path returns an error without setting an
appropriate value of ctx->error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/x509v3')
-rw-r--r-- | crypto/x509v3/v3_addr.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c index 53583fb754..be8ca5dcbb 100644 --- a/crypto/x509v3/v3_addr.c +++ b/crypto/x509v3/v3_addr.c @@ -1166,6 +1166,11 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) /* * Core code for RFC 3779 2.3 path validation. + * + * Returns 1 for success, 0 on error. + * + * When returning 0, ctx->error MUST be set to an appropriate value other than + * X509_V_OK. */ static int addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, @@ -1200,6 +1205,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; ret = 0; goto done; } |