authorVladimir Kotal <vlada@kotalovi.cz>2024-03-07 17:00:07 +0100
committerTomas Mraz <tomas@openssl.org>2024-03-26 15:08:36 +0100
commit6af739b79ba50bd42ac8934747ab5c8b996f16b6 (patch)
treeef17337e58b25fee60951a46469234ff7f9b7c42
parenta4cbffcd8998180b98bb9f7ce6065ed37d079d8b (diff)
downloadopenssl-6af739b79ba50bd42ac8934747ab5c8b996f16b6.zip
openssl-6af739b79ba50bd42ac8934747ab5c8b996f16b6.tar.gz
openssl-6af739b79ba50bd42ac8934747ab5c8b996f16b6.tar.bz2
apps/req,crl: exit with 1 on verification failure
Fixes #23771 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23773)
-rw-r--r--CHANGES.md5
-rw-r--r--apps/crl.c5
-rw-r--r--apps/req.c5
-rw-r--r--doc/man1/openssl-crl.pod.in4
-rw-r--r--doc/man1/openssl-req.pod.in4
5 files changed, 17 insertions, 6 deletions
diff --git a/CHANGES.md b/CHANGES.md
index ddb2ba5..559a69f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,6 +28,11 @@ OpenSSL 3.3
### Changes between 3.2 and 3.3 [xx XXX xxxx]
+ * The `-verify` option to the `openssl crl` and `openssl req` will make
+ the program exit with 1 on failure.
+
+ *VladimĂ­r Kotal*
+
* The BIO_get_new_index() function can only be called 127 times before it
reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an
error of -1 once it is exhausted. Users may need to reserve using this
diff --git a/apps/crl.c b/apps/crl.c
index 09aec81..53ece01 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -248,9 +248,10 @@ int crl_main(int argc, char **argv)
EVP_PKEY_free(pkey);
if (i < 0)
goto end;
- if (i == 0)
+ if (i == 0) {
BIO_printf(bio_err, "verify failure\n");
- else
+ goto end;
+ } else
BIO_printf(bio_err, "verify OK\n");
}
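Review bot: The new `} else` at line `+ } else` now carries a braced `if` branch next to an unbraced `else` body; OpenSSL's coding style asks for braces on both branches once either branch needs them, so the tail should read `goto end;` / `} else {` / `BIO_printf(bio_err, "verify OK\n");` / `}`. The same shape appears in the apps/req.c hunk of this commit and should be fixed there too. The intended exit status also rests on `ret` still holding its initial non-zero value when the new `goto end` jumps over the later `ret = 0` — both the declaration and that assignment are outside the hunk, so this is inferred, not visible; a short comment such as `goto end; /* ret is still non-zero here: exit status 1 */` would make the dependency explicit for the next reader. crl_main continues beyond the hunk on both sides.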
diff --git a/apps/req.c b/apps/req.c
index 00ef231..9b85600 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -918,9 +918,10 @@ int req_main(int argc, char **argv)
if (i < 0)
goto end;
- if (i == 0)
+ if (i == 0) {
BIO_printf(bio_err, "Certificate request self-signature verify failure\n");
- else /* i > 0 */
+ goto end;
+ } else /* i > 0 */
BIO_printf(bio_out, "Certificate request self-signature verify OK\n");
}
diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in
index 7e15f64..f477cfd 100644
--- a/doc/man1/openssl-crl.pod.in
+++ b/doc/man1/openssl-crl.pod.in
@@ -93,7 +93,9 @@ Print out the CRL in text form.
=item B<-verify>
-Verify the signature in the CRL.
+Verify the signature in the CRL. If the verification fails,
+the program will immediately exit, i.e. further option processing
+(e.g. B<-gendelta>) is skipped.
=item B<-noout>
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index c223200..d2de373 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -148,7 +148,9 @@ Prints out the value of the modulus of the public key contained in the request.
=item B<-verify>
-Verifies the self-signature on the request.
+Verifies the self-signature on the request. If the verification fails,
+the program will immediately exit, i.e. further option processing
+(e.g. B<-text>) is skipped.
=item B<-new>