From d18c7ad66aaaebe10c86127d966f5401bc414d2a Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Tue, 24 Dec 2019 10:36:24 +0100 Subject: Optimization and safety precaution in find_issuer() of x509_vfy.c: candidate issuer cert cannot be the same as the subject cert 'x' Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/10587) --- crypto/x509/x509_vfy.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'crypto/x509') diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index a7541d8572..ba36bafdfc 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -330,7 +330,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - if (ctx->check_issued(ctx, x, issuer)) { + /* + * Below check 'issuer != x' is an optimization and safety precaution: + * Candidate issuer cert cannot be the same as the subject cert 'x'. + */ + if (issuer != x && ctx->check_issued(ctx, x, issuer)) { rv = issuer; if (x509_check_cert_time(ctx, rv, -1)) break; -- cgit v1.2.3