X509_NAME_cmp fix for empty name #21155
This would be acceptable with CLA: trivial. Could you either amend the commit message (git commit --amend) to add CLA: trivial on a separate line in the commit message body? You can also add Fixes #21156 on another separate line.
Or, alternatively, you can submit a CLA according to https://www.openssl.org/policies/cla.html
It would also be nice to have a test case but that would make the PR outside of things acceptable with CLA: trivial.
CLA: trivial Fixes openssl#21156
Added the CLA and Fixes to commit message. Also in process to submit CLA, but that can take time for corporate approvals.
return -2; | ||
|
||
if (ret == 0) | ||
if (ret == 0) { |
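Review bot: the braced if (ret == 0) { block has no test covering the case this PR is about, so the ordering can regress unnoticed. Add a test that calls X509_NAME_cmp with an empty name as a and then as b against a non-empty name, and checks that the two results have opposite signs.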
This could go a bit further by combining with the prior if, as both have ret == 0.
Just a nit. Does not block approval.
This pull request is ready to merge
@tmshort Are you OK with CLA: trivial?
@t8m, if the nit I mentioned were fixed, then no; but as-is, I'm ok with (cla:trivial).
Merged to master, 3.1, and 3.0 branches. Thank you for your contribution.
The leaf certificate in our certificate chain currently has an empty subject.
This was verifying fine always until we updated alpine linux to version with OpenSSL 3.0.8 (from 1.1.1q).
It is also still validating fine on debian linux with OpenSSL 3.0.8.
Root cause analysis indicated that following commit caused the issue: 72ded6f
Reason is the empty subject is now always seen as an issue and returns -2. In both cases when empty subject is a or b. Which of course invalidates the compare invariant: "" < "anything" and "anything" < "".
We have a certificate chain that exactly triggers issue on alpine linux qsort that the correct certificate is not found anymore in verification.
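The comparator property the description refers to, as an added example that is not OpenSSL's code or this PR's patch. It is a simplified model: struct name_model, cmp_reported and cmp_consistent are hypothetical names, and the length-first ordering in cmp_consistent is an assumption about one way to keep the ordering consistent.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a name's canonical encoding; not OpenSSL's X509_NAME. */
struct name_model {
    const unsigned char *enc; /* NULL when the name is empty */
    size_t len;
};
typedef int (*cmp_fn)(const struct name_model *, const struct name_model *);

/* Behaviour described in the report: an empty name on either side yields -2. */
static int cmp_reported(const struct name_model *a, const struct name_model *b)
{
    int ret;
    if (a->enc == NULL || b->enc == NULL)
        return -2;
    ret = (a->len > b->len) - (a->len < b->len);
    if (ret == 0)
        ret = memcmp(a->enc, b->enc, a->len);
    return ret < 0 ? -1 : ret > 0;
}

/* Ordering-consistent variant (assumption): lengths first, so empty sorts first. */
static int cmp_consistent(const struct name_model *a, const struct name_model *b)
{
    int ret = (a->len > b->len) - (a->len < b->len);
    if (ret == 0 && a->len != 0)
        ret = memcmp(a->enc, b->enc, a->len);
    return ret < 0 ? -1 : ret > 0;
}

/* A sort comparator must satisfy sign(cmp(a, b)) == -sign(cmp(b, a)). */
static int is_antisymmetric(cmp_fn cmp, const struct name_model *a,
                            const struct name_model *b)
{
    int ab = cmp(a, b), ba = cmp(b, a);
    return ((ab > 0) - (ab < 0)) == -((ba > 0) - (ba < 0));
}

/* Constructed sample inputs: an empty subject and a non-empty one. */
static const struct name_model empty_name = { NULL, 0 };
static const struct name_model some_name = { (const unsigned char *)"cn=leaf", 7 };

int main(void)
{
    printf("reported:   %d\n", is_antisymmetric(cmp_reported, &empty_name, &some_name));
    printf("consistent: %d\n", is_antisymmetric(cmp_consistent, &empty_name, &some_name));
    return 0;
}
```

A comparator that fails this check gives results that depend on the order in which a sort implementation happens to pass its arguments, which is why the same chain can verify with one libc and fail with another.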