author | Mike DePaulo <mikedep333@gmail.com> | 2015-07-10 08:13:00 -0400 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-07-10 08:23:07 -0400 |
commit | ca7b8d357638d3f7d22b5df91e325022f3517368 (patch) | |
tree | a6f0421e63b9efc3f9036f86e27b1bfe96fc9121 /openssl/crypto/x509/x509_vfy.c | |
parent | ab75afbcc58c927654b75d8b3c179f423e38cfbd (diff) | |
download | vcxsrv-ca7b8d357638d3f7d22b5df91e325022f3517368.tar.gz vcxsrv-ca7b8d357638d3f7d22b5df91e325022f3517368.tar.bz2 vcxsrv-ca7b8d357638d3f7d22b5df91e325022f3517368.zip |
Update openssl: 1.0.1o -> 1.0.1p
Diffstat (limited to 'openssl/crypto/x509/x509_vfy.c')
-rw-r--r-- | openssl/crypto/x509/x509_vfy.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/openssl/crypto/x509/x509_vfy.c b/openssl/crypto/x509/x509_vfy.c
index 16db4c025..7009ae630 100644
--- a/openssl/crypto/x509/x509_vfy.c
+++ b/openssl/crypto/x509/x509_vfy.c
@@ -162,6 +162,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
 return -1;
 }
+ if (ctx->chain != NULL) {
+ /*
+ * This X509_STORE_CTX has already been used to verify a cert. We
+ * cannot do another one.
+ */
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
 cb = ctx->verify_cb;
@@ -169,15 +177,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 * first we make sure the chain we are going to build is present and that
 * the first entry is in place
 */
- if (ctx->chain == NULL) {
- if (((ctx->chain = sk_X509_new_null()) == NULL) ||
- (!sk_X509_push(ctx->chain, ctx->cert))) {
- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
- goto end;
- }
- CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
- ctx->last_untrusted = 1;
+ if (((ctx->chain = sk_X509_new_null()) == NULL) ||
+ (!sk_X509_push(ctx->chain, ctx->cert))) {
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+ goto end;
 }
+ CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
+ ctx->last_untrusted = 1;
 /* We use a temporary STACK so we can chop and hack at it */
 if (ctx->untrusted != NULL
@@ -306,7 +312,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 * if the user hasn't switched off alternate chain checking
 */
 retry = 0;
- if (j == ctx->last_untrusted &&
+ if (num == ctx->last_untrusted &&
 !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
 while (j-- > 1) {
 xtmp2 = sk_X509_value(ctx->chain, j - 1);
@@ -328,8 +334,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 xtmp = sk_X509_pop(ctx->chain);
 X509_free(xtmp);
 num--;
- ctx->last_untrusted--;
 }
+ ctx->last_untrusted = sk_X509_num(ctx->chain);
 retry = 1;
 break;
 }
 |
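Review bot: The reuse guard added in the first hunk returns -1, and nothing visible tells callers that an X509_STORE_CTX is now single-use or that failure must be tested with `<= 0`. A caller written as `if (X509_verify_cert(ctx))` would treat this -1 as a successful verification. Since this is vendored upstream code, the comment belongs upstream, but the in-tree callers (not visible on this page) are worth auditing for a ctx that is verified twice without `X509_STORE_CTX_cleanup()` and `X509_STORE_CTX_init()` in between. A comment above the guard such as `/* Returns <= 0 on failure; a ctx may be verified only once, so re-init it before another call. */` would state the contract. The body of X509_verify_cert starts and ends outside these hunks.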