From e90f233154c1bc3c39e7dd6c8cb63924e02e3a78 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 29 Apr 2021 14:17:51 +0200
Subject: [PATCH] Fix #50713: openssl_pkcs7_verify() may ignore untrusted CAs

`openssl_pkcs7_verify()` works fine with untrusted CAs, as long as one doesn't specify a `$signers_certificates_filename` in which case the verification fails, because we're not passing along the untrusted CAs to `PKCS7_get0_signers()`.
---
 ext/openssl/openssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index b3ca042306eee..453f904186589 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -5244,7 +5244,7 @@ PHP_FUNCTION(openssl_pkcs7_verify)
 certout = BIO_new_file(signersfilename, PHP_OPENSSL_BIO_MODE_W(PKCS7_BINARY));
 if (certout) {
 int i;
- signers = PKCS7_get0_signers(p7, NULL, (int)flags);
+ signers = PKCS7_get0_signers(p7, others, (int)flags);
 if (signers != NULL) {
 for (i = 0; i < sk_X509_num(signers); i++) {
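Review bot: The changed `PKCS7_get0_signers(p7, others, (int)flags);` line should carry a comment explaining why the untrusted stack is passed, because the previous `NULL` reads as deliberate and a later cleanup could reintroduce bug #50713: `/* also search the caller-supplied untrusted certs: a signer present only there (notably with PKCS7_NOINTERN) is otherwise not found; keep in sync with the PKCS7_verify() call */`. With `NULL`, a signer certificate that lives only in the untrusted stack could not be located even though the signature had presumably already been accepted by the preceding verification, so the signers file stayed empty and the call reported failure. `PKCS7_get0_signers()` accepts a NULL stack, so the change is safe when no untrusted certificates were supplied. The enclosing `PHP_FUNCTION(openssl_pkcs7_verify)` body starts and ends outside the hunk, so whether the returned stack is released with `sk_X509_free()` rather than a pop-free variant (required for get0 semantics) cannot be confirmed here.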