X509 build_chain(): Fix two potential memory leaks on issuer variable

This also removes an inadequate guard: if (num == ctx->num_untrusted) Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14422)
2025-01-18 13:44:20 +08:00 · 2021-03-04 21:17:31 +01:00 · 2021-03-04 21:17:31 +01:00 · 558f2a0146
commit 558f2a0146
parent fc48b5c825
1 changed files with 8 additions and 6 deletions
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -2965,10 +2965,10 @@ static int dane_verify(X509_STORE_CTX *ctx)
 }

 /*
- * Get issuer, without duplicate suppression
+ * Get trusted issuer, without duplicate suppression
 * Returns -1 on internal error.
 */
-static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
+static int get1_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
 {
    STACK_OF(X509) *saved_chain = ctx->chain;
    int ok;
@ -3090,8 +3090,8 @@ static int build_chain(X509_STORE_CTX *ctx)
            }
            curr = sk_X509_value(ctx->chain, i - 1);

-            /* Note: get_issuer() must be used even if curr is self-signed. */
-            ok = num > max_depth ? 0 : get_issuer(&issuer, ctx, curr);
+            /* Note: get1_trusted_issuer() must be used even if self-signed. */
+            ok = num > max_depth ? 0 : get1_trusted_issuer(&issuer, ctx, curr);

            if (ok < 0) {
                trust = -1;
@ -3102,8 +3102,10 @@ static int build_chain(X509_STORE_CTX *ctx)
            if (ok > 0) {
                int self_signed = X509_self_signed(curr, 0);

-                if (self_signed < 0)
+                if (self_signed < 0) {
+                    X509_free(issuer);
                    goto int_err;
+                }
                /*
                 * Alternative trusted issuer for a mid-chain untrusted cert?
                 * Pop the untrusted cert's successors and retry.  We might now
@ -3150,7 +3152,7 @@ static int build_chain(X509_STORE_CTX *ctx)
                    }
                    if ((self_signed = X509_self_signed(issuer, 0)) < 0)
                        goto int_err;
-                } else if (num == ctx->num_untrusted) {
+                } else {
                    /*
                     * We have a self-signed certificate that has the same
                     * subject name (and perhaps keyid and/or serial number) as