From 4f94258c65a918ee3d8670e93916d15bf879e6ec Mon Sep 17 00:00:00 2001
From: jsing
Date: Mon, 17 Oct 2022 18:56:54 +0000
Subject: [PATCH] Store errors that result from leaf certificate verification.

In the case that a verification callback is installed that tells the verifier to continue when a certificate is invalid (e.g. expired), any error resulting from the leaf certificate verification is not stored and made available post verification, resulting in an incorrect error being returned.

Also perform leaf certificate verification prior to adding the chain, which avoids a potential memory leak (as noted by tb@).

Issue reported by Ilya Shipitsin, who encountered haproxy regress failures.

ok tb@
---
 lib/libcrypto/x509/x509_verify.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index ca32a93e506..e85c3a64d6f 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.60 2022/08/05 14:46:52 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.61 2022/10/17 18:56:54 jsing Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck
 *
@@ -494,6 +494,15 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
 return 0;
+ /* Verify the leaf certificate and store any resulting error. */
+ if (!x509_verify_cert_valid(ctx, leaf, NULL))
+ return 0;
+ if (!x509_verify_cert_hostname(ctx, leaf, name))
+ return 0;
+ if (ctx->error_depth == 0 &&
+ ctx->error != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
+ chain->cert_errors[0] = ctx->error;
+
 /*
 * In the non-legacy code, extensions and purpose are dealt
 * with as the chain is built.
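Review bot: The value stored at `chain->cert_errors[0] = ctx->error;` is read from ctx->error and ctx->error_depth without either being cleared before the two leaf checks, so it reflects whatever the context held when x509_verify_cert_valid() and x509_verify_cert_hostname() returned, not only an error those calls produced. The explicit exclusion of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY suggests a leftover from chain building is expected at this point; any other leftover depth-0 value would be recorded as a leaf error the same way, though whether one can survive to here depends on code outside the hunk. At minimum the reason for the single exclusion belongs in the comment, e.g. `/* A local issuer-lookup failure left over from chain building is not a leaf error; any other depth-0 error is. */`. x509_verify_ctx_add_chain() begins before this hunk.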
@@ -508,16 +517,11 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 return x509_verify_cert_error(ctx, last, depth,
 X509_V_ERR_OUT_OF_MEM, 0);
 }
-
- if (!x509_verify_cert_valid(ctx, leaf, NULL))
- return 0;
-
- if (!x509_verify_cert_hostname(ctx, leaf, name))
- return 0;
-
 ctx->chains_count++;
+ ctx->error = X509_V_OK;
 ctx->error_depth = depth;
+
 return 1;
 }
-- 
2.20.1
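Review bot: The added `ctx->error = X509_V_OK;` discards the context error once the chain is accepted, while `ctx->error_depth = depth;` on the next line still records a depth for an error that is now X509_V_OK; read on its own, the pair looks like a depth-0 leaf error being overwritten rather than deliberately handed off to the chain's cert_errors earlier in the function. A one-line comment would make that hand-off explicit, e.g. `/* Leaf errors, if any, are kept in chain->cert_errors; the context itself reports success. */`. Whether anything reads error_depth after a successful add is not visible in this hunk; if nothing does, resetting it to 0 together with the error would be less surprising. x509_verify_ctx_add_chain() begins before this hunk.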