From 76d63a55a6d557006e231322ca4abbc81bc472f2 Mon Sep 17 00:00:00 2001
From: beck
Date: Sat, 28 Aug 2021 07:49:00 +0000
Subject: [PATCH] Remove the "dump_chain" flag and code.

This was a workaround for a problem where roots were not checked correctly before intermediates that has since been fixed and is no longer necessary. It is regress checked by case 2c in regress/lib/libcrypto/x509/verify.c ok jsing@ tb@
---
 lib/libcrypto/x509/x509_internal.h | 3 +--
 lib/libcrypto/x509/x509_verify.c | 17 +++-------------
 2 files changed, 4 insertions(+), 16 deletions(-)

diff --git a/lib/libcrypto/x509/x509_internal.h b/lib/libcrypto/x509/x509_internal.h
index 493bf82ac84..f6ce78346eb 100644
--- a/lib/libcrypto/x509/x509_internal.h
+++ b/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.9 2021/08/19 03:44:00 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.10 2021/08/28 07:49:00 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck
 *
@@ -69,7 +69,6 @@ struct x509_verify_ctx {
 int saved_error;
 int saved_error_depth;
 size_t chains_count;
- int dump_chain; /* Dump current chain without erroring */
 STACK_OF(X509) *roots; /* Trusted roots for this validation */
 STACK_OF(X509) *intermediates; /* Intermediates provided by peer */
 time_t *check_time; /* Time for validity checks */
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index 5f3c97abf79..3176e110bab 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.43 2021/08/28 07:49:00 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck
 *
@@ -494,18 +494,8 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert,
 /* Fail if the certificate is already in the chain */
 for (i = 0; i < sk_X509_num(current_chain->certs); i++) {
 if (X509_cmp(sk_X509_value(current_chain->certs, i),
- candidate) == 0) {
- if (is_root_cert) {
- /*
- * Someone made a boo-boo and put their root
- * in with their intermediates - handle this
- * gracefully as we'll have already picked
- * this up as a shorter chain.
- */
- ctx->dump_chain = 1;
- }
+ candidate) == 0)
 return 0;
- }
 }

 if (ctx->sig_checks++ > X509_VERIFY_MAX_SIGCHECKS) {
@@ -606,7 +596,6 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 return;

 count = ctx->chains_count;
- ctx->dump_chain = 0;
 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 ctx->error_depth = depth;
 if (ctx->xsc != NULL) {
@@ -671,7 +660,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 ctx->xsc->current_cert = cert;
 (void) ctx->xsc->verify_cb(1, ctx->xsc);
 }
- } else if (ctx->error_depth == depth && !ctx->dump_chain) {
+ } else if (ctx->error_depth == depth) {
 if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0))
 return;
 (void) x509_verify_cert_error(ctx, cert, depth,
-- 
2.20.1
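Review bot: The duplicate check at the top of the first hunk now rejects a root that the peer also supplied among its intermediates exactly like any other repeated certificate, and the deleted comment was the only place the code explained why that case needs no special handling; the commit message gives the reason (roots are now checked before intermediates), but nothing left in the source does. A one-line comment on the loop would keep that rationale next to the code, e.g. `/* A root also sent among the intermediates lands here as a duplicate; roots are tried first, so that chain has already been considered (see regress case 2c). */`. The same reasoning is what makes dropping `!ctx->dump_chain` from the `else if (ctx->error_depth == depth)` branch in the last hunk safe, so the comment is worth placing where both readers will find it. x509_verify_consider_candidate begins before this hunk and continues past it, as does x509_verify_build_chains around the later two hunks.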