
Commit 3bd9765

Fix strict client chain check with TLS-1.3
When TLS 1.3 is used and the server does not send any CA names, ca_dn will be NULL, and sk_X509_NAME_num() returns -1 on a NULL argument. Reviewed-by: Todd Short <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from openssl#17986) (cherry picked from commit 89dd854)
1 parent b7ce611 commit 3bd9765

1 file changed

+6
-8
lines changed


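--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2369,22 +2369,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 
         ca_dn = s->s3->tmp.peer_ca_names;
 
-        if (!sk_X509_NAME_num(ca_dn))
+        if (ca_dn == NULL
+            || sk_X509_NAME_num(ca_dn) == 0
+            || ssl_check_ca_name(ca_dn, x))
             rv |= CERT_PKEY_ISSUER_NAME;
-
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
-            if (ssl_check_ca_name(ca_dn, x))
-                rv |= CERT_PKEY_ISSUER_NAME;
-        }
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
+        else
             for (i = 0; i < sk_X509_num(chain); i++) {
                 X509 *xtmp = sk_X509_value(chain, i);
+
                 if (ssl_check_ca_name(ca_dn, xtmp)) {
                     rv |= CERT_PKEY_ISSUER_NAME;
                     break;
                 }
             }
-        }
+
         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
             goto end;
     } else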
