openssl: Don't check signature if issuer doesn't match always
author Tobias Brunner <tobias@strongswan.org>
Wed, 4 Mar 2020 18:26:55 +0000 (19:26 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 6 Mar 2020 10:12:07 +0000 (11:12 +0100)
Doing this for the self-signed check also (i.e. if this and issuer are
the same) is particularly useful if the issuer uses a different key type.
Otherwise, we'd try to verify the signature with an incompatible key
that would result in a log message.

Fixes #3357.

src/libstrongswan/plugins/openssl/openssl_x509.c

index 6a8f6ff..4f83951 100644 (file)
@@ -416,10 +416,10 @@ METHOD(certificate_t, issued_by, bool,
                {
                        return FALSE;
                }
                {
                        return FALSE;
                }
-               if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
-               {
-                       return FALSE;
-               }
+       }
+       if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+       {
+               return FALSE;
        }
        key = issuer->get_public_key(issuer);
        if (!key)
        }
        key = issuer->get_public_key(issuer);
        if (!key)
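Review bot: the issuer/subject comparison in its new position after the closing `}` carries no comment saying that it is meant to run for the self-signed case as well, so a later cleanup could fold it back into the block above and bring back the verification attempt with an incompatible key. A one-line comment above `if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))` stating that the name match gates `issuer->get_public_key(issuer)` in every case, including when this and issuer are the same certificate, would keep the intent from the commit message next to the code. A regression test using a certificate whose issuer name differs from its subject and whose issuer has a different key type would pin the behaviour down.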