On Wed, Jan 7, 2009 at 1:10 PM, Dr. Stephen Henson <[email protected]> wrote:
[...]
> diff -ur openssl-0.9.8i-ORIG/apps/speed.c openssl-0.9.8i/apps/speed.c
[...]
> diff -ur openssl-0.9.8i-ORIG/ssl/ssltest.c openssl-0.9.8i/ssl/ssltest.c
0.9.9 CVS head (and probably 0.9.8 as well): for completeness sake
there's one more spot not listed in the published patch, where another
call to X509_verify_cert() was done.
(based on full source code scan; not a run-time test)
Correct me if I'm wrong or code-pedantic.
Addendum to patch supplied here:
-------------------------------------
--- \\Debbie\ger\prj\1original\openssl\openssl\crypto\x509\x509_vfy.c
2008-10-07
23:55:27.000000000 +-0100
+++ \\Debbie\ger\prj\3actual\openssl\crypto\x509\x509_vfy.c 2009-01-07
18:04:33.000000000 +-0100
@@ -1121,15 +1120,15 @@
crl_ctx.parent = ctx;
crl_ctx.verify_cb = ctx->verify_cb;
/* Verify CRL issuer */
ret = X509_verify_cert(&crl_ctx);
- if (!ret)
+ if (ret <= 0) /* OpenSSL Security Advisory [07-Jan-2009] */
goto err;
/* Check chain is acceptable */
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
err:
X509_STORE_CTX_cleanup(&crl_ctx);
return ret;
-------------------------------------
--
Met vriendelijke groeten / Best regards,
Ger Hobbelt
--------------------------------------------------
web: http://www.hobbelt.com/
http://www.hebbut.net/
mail: [email protected]
mobile: +31-6-11 120 978
--------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
