Reject certificate chains where the adjacent certificates have the same subject.

author Carl Hetherington <cth@carlh.net>

Wed, 26 Jun 2019 14:54:09 +0000 (15:54 +0100)

committer Carl Hetherington <cth@carlh.net>

Tue, 1 Oct 2019 20:18:12 +0000 (22:18 +0200)
author Carl Hetherington <cth@carlh.net>
Wed, 26 Jun 2019 14:54:09 +0000 (15:54 +0100)
committer Carl Hetherington <cth@carlh.net>
Tue, 1 Oct 2019 20:18:12 +0000 (22:18 +0200)
diff --git a/src/certificate_chain.cc b/src/certificate_chain.cc

index 614144366b1864bb79b4d744a9ded8b191730746..0d99d1c920a28083c4bcf748fe3d3dbe822928a6 100644 (file)
--- a/src/certificate_chain.cc
+++ b/src/certificate_chain.cc
@@ -464,10 +464,11 @@ CertificateChain::chain_valid (List const & chain) const
                         return false;
                 }
  
-               /* I don't know why OpenSSL doesn't check this in verify_cert, but without this check
-                  the certificates_validation8 test fails.
+               /* I don't know why OpenSSL doesn't check this stuff
+                  in verify_cert, but without these checks the
+                  certificates_validation8 test fails.
                 */
-               if (j->issuer() != i->subject()) {
+               if (j->issuer() != i->subject() || j->subject() == i->subject()) {
                         X509_STORE_free (store);
                         return false;
                 }
author	Carl Hetherington <cth@carlh.net>
	Wed, 26 Jun 2019 14:54:09 +0000 (15:54 +0100)
committer	Carl Hetherington <cth@carlh.net>
	Tue, 1 Oct 2019 20:18:12 +0000 (22:18 +0200)