Fixed #6148: multiple ceritificate purposes

OpenSSL certificate verification can only check a single purpose. Run the checks with all allowed purposes and accept any.
2020-05-12 13:00:13 +02:00 · 2020-05-12 13:00:13 +02:00 · 5cfc3e8593
commit 5cfc3e8593
parent a1f2c1e161
1 changed files with 23 additions and 12 deletions
--- a/libfreerdp/crypto/crypto.c
+++ b/libfreerdp/crypto/crypto.c
@ -797,6 +797,8 @@ static int verify_cb(int ok, X509_STORE_CTX* csc)

 BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path)
 {
+	size_t i;
+	const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
 	X509_STORE_CTX* csc;
 	BOOL status = FALSE;
 	X509_STORE* cert_ctx = NULL;
@ -831,23 +833,32 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
 		X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
 	}

+	X509_STORE_set_flags(cert_ctx, 0);
+
+	for (i = 0; i < ARRAYSIZE(purposes); i++)
+	{
+		int rc = -1;
+		int purpose = purposes[i];
 		csc = X509_STORE_CTX_new();

 		if (csc == NULL)
-		goto end;
-
-	X509_STORE_set_flags(cert_ctx, 0);
-
+			goto skip;
 		if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
-		goto end;
+			goto skip;

-	X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_ANY);
+		X509_STORE_CTX_set_purpose(csc, purpose);
 		X509_STORE_CTX_set_verify_cb(csc, verify_cb);

-	if (X509_verify_cert(csc) == 1)
-		status = TRUE;
-
+		rc = X509_verify_cert(csc);
+	skip:
 		X509_STORE_CTX_free(csc);
+		if (rc == 1)
+		{
+			status = TRUE;
+			break;
+		}
+	}
+
 	X509_STORE_free(cert_ctx);
 end:
 	return status;