From: Tobias Brunner Date: Wed, 4 Mar 2020 18:26:55 +0000 (+0100) Subject: openssl: Don't check signature if issuer doesn't match always X-Git-Tag: 5.8.3rc1~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=61769fd1e31b49f451dda33a36c7d5cf639698b5;p=thirdparty%2Fstrongswan.git openssl: Don't check signature if issuer doesn't match always Doing this for the self-signed check also (i.e. if this and issuer are the same) is particularly useful if the issuer uses a different key type. Otherwise, we'd try to verify the signature with an incompatible key that would result in a log message. Fixes #3357. --- diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index 6a8f6ff086..4f8395136a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -416,10 +416,10 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) - { - return FALSE; - } + } + if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) + { + return FALSE; } key = issuer->get_public_key(issuer); if (!key)
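Review bot: The relocated `if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))` check, now placed after the added closing brace, carries no comment saying that it deliberately covers the self-signed case as well (this and issuer being the same). A later cleanup could fold it back into the preceding block and silently restore the old behaviour. A one-line comment above it, stating that the DN comparison runs on both paths before `issuer->get_public_key(issuer)` is reached, would keep that intent in the code rather than only in the commit message. The check also filters on the name alone: an issuer whose subject DN matches but whose key type differs would still get past it to the signature verification and the log message the commit message describes, so if that case matters, a key type check before verifying would be needed as well. A regression test that calls issued_by on a non-self-signed certificate with itself as the issuer would pin the new early return.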