X509_check_mumble() failure is <= 0, not just 0

[openssl.git] / crypto / x509 / x509_vfy.c

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 869a4f29e8573aeba6181eaba4d95c7e15d34438..b6f16bb77220afcfda900d79a6d26d4380d5fef4 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -69,7 +69,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
-#include "vpm_int.h"
+#include "x509_lcl.h"
 
 /* CRL score values */
 
@@ -366,8 +366,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
        /* If explicitly rejected error */
        if (i == X509_TRUST_REJECTED)
                goto end;
-       /* If not explicitly trusted then indicate error */
-       if (i != X509_TRUST_TRUSTED)
+       /* If not explicitly trusted then indicate error unless it's
+        * a single self signed certificate in which case we've indicated
+        * an error already and set bad_chain == 1
+        */
+       if (i != X509_TRUST_TRUSTED && !bad_chain)
                {
                if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
                        {
@@ -466,14 +469,18 @@ end:
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
        int i;
-       X509 *issuer;
+       X509 *issuer, *rv = NULL;;
        for (i = 0; i < sk_X509_num(sk); i++)
                {
                issuer = sk_X509_value(sk, i);
                if (ctx->check_issued(ctx, x, issuer))
-                       return issuer;
+                       {
+                       rv = issuer;
+                       if (x509_check_cert_time(ctx, rv, 1))
+                               break;
+                       }
                }
-       return NULL;
+       return rv;
 }
 
 /* Given a possible certificate and issuer check them */
@@ -741,17 +748,17 @@ static int check_id(X509_STORE_CTX *ctx)
        X509_VERIFY_PARAM *vpm = ctx->param;
        X509_VERIFY_PARAM_ID *id = vpm->id;
        X509 *x = ctx->cert;
-       if (id->host && !X509_check_host(x, id->host, id->hostlen, 0))
+       if (id->host && X509_check_host(x, id->host, 0, id->hostflags) <= 0)
                {
                if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
                        return 0;
                }
-       if (id->email && !X509_check_email(x, id->email, id->emaillen, 0))
+       if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0)
                {
                if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
                        return 0;
                }
-       if (id->ip && !X509_check_ip(x, id->ip, id->iplen, 0))
+       if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0)
                {
                if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
                        return 0;
@@ -1690,7 +1697,7 @@ static int check_policy(X509_STORE_CTX *ctx)
        return 1;
        }
 
-static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
        {
        time_t *ptime;
        int i;
@@ -1703,6 +1710,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
        i=X509_cmp_time(X509_get_notBefore(x), ptime);
        if (i == 0)
                {
+               if (quiet)
+                       return 0;
                ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
                ctx->current_cert=x;
                if (!ctx->verify_cb(0, ctx))
@@ -1711,6 +1720,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
        if (i > 0)
                {
+               if (quiet)
+                       return 0;
                ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
                ctx->current_cert=x;
                if (!ctx->verify_cb(0, ctx))
@@ -1720,6 +1731,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
        i=X509_cmp_time(X509_get_notAfter(x), ptime);
        if (i == 0)
                {
+               if (quiet)
+                       return 0;
                ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
                ctx->current_cert=x;
                if (!ctx->verify_cb(0, ctx))
@@ -1728,6 +1741,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
        if (i < 0)
                {
+               if (quiet)
+                       return 0;
                ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
                ctx->current_cert=x;
                if (!ctx->verify_cb(0, ctx))
@@ -1811,7 +1826,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                xs->valid = 1;
 
                check_cert:
-               ok = check_cert_time(ctx, xs);
+               ok = x509_check_cert_time(ctx, xs, 0);
                if (!ok)
                        goto end;