Mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2026-01-18 17:11:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set, while X509_V_FLAG_CRL_CHECK is clear

Browse Source 
Fixes #28758

When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored.
Prior to 3.6.0, this was indeed the case.

In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK.
This unfortunately breaks the majority of ruby installations, which relied on the documented behavior.

For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags,
which are still undocumented as of 3.6.0.

All existing tests continue to pass.  They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set.
We could add a new test for this regression.  I'll leave that to another commit.

CLA: trivial

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28797)

(cherry picked from commit cbaf28ce48)
This commit is contained in:
Carter Thaxton
2025-10-08 19:20:25 -07:00
committed by Tomas Mraz
parent e7d5206e89
commit 996d50da8f
1 changed files with 5 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
crypto/x509/x509_vfy.c
View File

@@ -193,8 +193,7 @@ static int verify_cb_crl(X509_STORE_CTX *ctx, int err)
/*
* Inform the verify callback of an error, OCSP-specific variant.
* It is called also on OCSP response errors, if the
* X509_V_FLAG_OCSP_RESP_CHECK or X509_V_FLAG_OCSP_RESP_CHECK_ALL flag
* is set.
* X509_V_FLAG_OCSP_RESP_CHECK flag is set.
* Here, the error depth and certificate are already set, we just specify
* the error number.
*
@@ -1134,10 +1133,10 @@ trusted:
static int check_revocation(X509_STORE_CTX *ctx)
{
int i = 0, last = 0, ok = 0;
int crl_check_enabled = (ctx->param->flags & (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)) != 0;
int crl_check_all_enabled = (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) != 0;
int ocsp_check_enabled = (ctx->param->flags & (X509_V_FLAG_OCSP_RESP_CHECK | X509_V_FLAG_OCSP_RESP_CHECK_ALL)) != 0;
int ocsp_check_all_enabled = (ctx->param->flags & X509_V_FLAG_OCSP_RESP_CHECK_ALL) != 0;
int crl_check_enabled = (ctx->param->flags & X509_V_FLAG_CRL_CHECK) != 0;
int crl_check_all_enabled = crl_check_enabled && (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) != 0;
int ocsp_check_enabled = (ctx->param->flags & X509_V_FLAG_OCSP_RESP_CHECK) != 0;
int ocsp_check_all_enabled = ocsp_check_enabled && (ctx->param->flags & X509_V_FLAG_OCSP_RESP_CHECK_ALL) != 0;
if (!crl_check_enabled && !ocsp_check_enabled)
return 1;