git.openssl.org Git - openssl.git/commit

author	Rich Salz <rsalz@akamai.com>
	Tue, 6 Jul 2021 16:00:19 +0000 (12:00 -0400)
committer	Pauli <pauli@openssl.org>
	Thu, 8 Jul 2021 01:46:19 +0000 (11:46 +1000)
commit	02db7354fe780c8bfb34b3f0ed73595cb9ac6570
tree	deaa665d345edee5c99b008957c75afe33ccf70c	tree \| snapshot
parent	3bd5319b5d0df9ecf05c8baba2c401ad8e3ba130	commit \| diff

Fix bug in X509_print_ex

If the user set nmflags == XN_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == XN_FLAG_COMPAT
and by returning -1 if nmflags != XN_FLAG_COMPAT.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != XN_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

Thanks to Ingo Schwarze <schwarze@openbsd.org> for finding the bug,
and Joel Sing <jsing@openbsd.org> for contributing an idea for the
fix.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16009)