From: Dr. David von Oheimb
Date: Tue, 24 Dec 2019 09:36:24 +0000 (+0100)
Subject: Optimization and safety precaution in find_issuer() of x509_vfy.c:
X-Git-Tag: openssl-3.0.0-alpha5~127
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d18c7ad66aaaebe10c86127d966f5401bc414d2a;p=thirdparty%2Fopenssl.git
Optimization and safety precaution in find_issuer() of x509_vfy.c: candidate issuer cert cannot be the same as the subject cert 'x'
Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/10587)
---
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index a7541d85726..ba36bafdfc1 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -330,7 +330,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 for (i = 0; i < sk_X509_num(sk); i++) {
 issuer = sk_X509_value(sk, i);
- if (ctx->check_issued(ctx, x, issuer)) {
+ /*
+ * Below check 'issuer != x' is an optimization and safety precaution:
+ * Candidate issuer cert cannot be the same as the subject cert 'x'.
+ */
+ if (issuer != x && ctx->check_issued(ctx, x, issuer)) {
 rv = issuer;
 if (x509_check_cert_time(ctx, rv, -1))
 break;
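Review bot: The added `issuer != x` test in find_issuer() is a pointer comparison, so it skips only the identical X509 object; a separately parsed copy of the same certificate in `sk` still reaches `ctx->check_issued()`, which is narrower than the comment's statement that the candidate "cannot be the same as the subject cert". If certificate equality is what the precaution is meant to guarantee, `X509_cmp(issuer, x) != 0` would express it, at the cost of the optimization. Otherwise the comment should state the limit, for example `* 'issuer != x' compares pointers: it skips the same X509 object only, not a duplicate copy of the certificate.` Whether any caller relied on a self-issued `x` that is itself in `sk` being returned here cannot be judged from this hunk, since the callers, the loop's closing braces and the return are outside it.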