Future proof build_chain() in x509_vfy.c

author Viktor Dukhovni <openssl-users@dukhovni.org>

Tue, 26 Apr 2016 18:17:57 +0000 (14:17 -0400)

committer Viktor Dukhovni <openssl-users@dukhovni.org>

Wed, 27 Apr 2016 18:42:38 +0000 (14:42 -0400)
author Viktor Dukhovni <openssl-users@dukhovni.org>
Tue, 26 Apr 2016 18:17:57 +0000 (14:17 -0400)
committer Viktor Dukhovni <openssl-users@dukhovni.org>
Wed, 27 Apr 2016 18:42:38 +0000 (14:42 -0400)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

index b895ffe33ea887a0bb8c563c69e9cdc9918051aa..30eabcb55842577fa67de0089fe13be2b57e49b2 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2789,8 +2789,21 @@ static int build_chain(X509_STORE_CTX *ctx)
          return 0;
      }
  
-    /* Include any untrusted full certificates from DNS */
+    /*
+     * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add
+     * them to our working copy of the untrusted certificate stack.  Since the
+     * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
+     * no corresponding stack of untrusted certificates, we may need to create
+     * an empty stack first.  [ At present only the ssl library provides DANE
+     * support, and ssl_verify_cert_chain() always provides a non-null stack
+     * containing at least the leaf certificate, but we must be prepared for
+     * this to change. ]
+     */
      if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
+        if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) {
+            X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+            return 0;
+        }
          for (i = 0; i < sk_X509_num(dane->certs); ++i) {
              if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) {
                  sk_X509_free(sktmp);
author	Viktor Dukhovni <openssl-users@dukhovni.org>
	Tue, 26 Apr 2016 18:17:57 +0000 (14:17 -0400)
committer	Viktor Dukhovni <openssl-users@dukhovni.org>
	Wed, 27 Apr 2016 18:42:38 +0000 (14:42 -0400)