The wrong "set" field was incremented in the wrong place and would
create a new RDN, not a multi-valued RDN.
RDN inserts would happen after not before.
Prepending an entry to an RDN incorrectly created a new RDN
Anything which built up an X509_NAME could get a messed-up structure,
which would then be "wrong" for anyone using that name.
Thanks to Ingo Schwarze for extensive debugging and the initial
fix (documented in GitHub issue #5870).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5882)
(cherry picked from commit
bbf27cd58337116c57a1c942153330ff83d5540a)
loc = n;
else if (loc < 0)
loc = n;
-
+ inc = (set == 0);
name->modified = 1;
if (set == -1) {
inc = 1;
} else {
set = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set;
- inc = 0;
}
} else { /* if (set >= 0) */
set = 0;
} else
set = sk_X509_NAME_ENTRY_value(sk, loc)->set;
- inc = (set == 0) ? 1 : 0;
}
/*
* X509_NAME_ENTRY_dup is ASN1 generated code, that can't be easily
- * const'ified; harmless cast as dup() don't modify its input.
+ * const'ified; harmless cast since dup() don't modify its input.
*/
if ((new_name = X509_NAME_ENTRY_dup((X509_NAME_ENTRY *)ne)) == NULL)
goto err;
if (inc) {
n = sk_X509_NAME_ENTRY_num(sk);
for (i = loc + 1; i < n; i++)
- sk_X509_NAME_ENTRY_value(sk, i - 1)->set += 1;
+ sk_X509_NAME_ENTRY_value(sk, i)->set += 1;
}
return (1);
err: