authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2019-12-24 10:36:24 +0100
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-07-01 11:14:54 +0200
commitd18c7ad66aaaebe10c86127d966f5401bc414d2a (patch)
treea86fade6290ff3fa926d12812754a2d56d4fefce
parentAdd four more verify test cases on the self-signed Ed25519 and self-issed X25... (diff)
downloadopenssl-d18c7ad66aaaebe10c86127d966f5401bc414d2a.tar.xz
openssl-d18c7ad66aaaebe10c86127d966f5401bc414d2a.zip
Optimization and safety precaution in find_issuer() of x509_vfy.c:
candidate issuer cert cannot be the same as the subject cert 'x'

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
-rw-r--r--crypto/x509/x509_vfy.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index a7541d8572..ba36bafdfc 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -330,7 +330,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
- if (ctx->check_issued(ctx, x, issuer)) {
+ /*
+ * Below check 'issuer != x' is an optimization and safety precaution:
+ * Candidate issuer cert cannot be the same as the subject cert 'x'.
+ */
+ if (issuer != x && ctx->check_issued(ctx, x, issuer)) {
rv = issuer;
if (x509_check_cert_time(ctx, rv, -1))
break;
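Review bot: The added `issuer != x` test in the `if` is a pointer comparison, so it skips only the identical X509 object; a second in-memory copy of the subject certificate in `sk` still reaches `ctx->check_issued()`. The new comment makes the broader claim that the candidate "cannot be the same as the subject cert", which a reader could take as a guarantee against picking the certificate as its own issuer. I would narrow the comment to say what is enforced, e.g. `* Skip 'x' itself (same object); an equal copy of the cert in 'sk' is still passed to check_issued().` If excluding equal certificates is the intent, a content comparison such as `issuer != x && X509_cmp(issuer, x) != 0` would cover it, but that may change how self-signed certificates are handled and needs checking against the callers. The body of find_issuer() starts and ends outside this hunk, so any handling of duplicates after the loop is not visible here.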