generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix verify loop with CRL checking.

Browse Source 
PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
(cherry picked from commit 4b26645c1a)
This commit is contained in:
Dr. Stephen Henson
2013-07-12 17:35:08 +01:00
parent 6c03af135b
commit 7cf0529b52
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
crypto/x509/x509_vfy.c
View File

@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
X509_CRL *crl = NULL, *dcrl = NULL; X509_CRL *crl = NULL, *dcrl = NULL;
X509 *x; X509 *x;
int ok, cnum; int ok, cnum;
unsigned int last_reasons;
cnum = ctx->error_depth; cnum = ctx->error_depth;
x = sk_X509_value(ctx->chain, cnum); x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x; ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
ctx->current_reasons = 0; ctx->current_reasons = 0;
while (ctx->current_reasons != CRLDP_ALL_REASONS) while (ctx->current_reasons != CRLDP_ALL_REASONS)
{ {
last_reasons = ctx->current_reasons;
/* Try to retrieve relevant CRL */ /* Try to retrieve relevant CRL */
if (ctx->get_crl) if (ctx->get_crl)
ok = ctx->get_crl(ctx, &crl, x); ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
X509_CRL_free(dcrl); X509_CRL_free(dcrl);
crl = NULL; crl = NULL;
dcrl = NULL; dcrl = NULL;
/* If reasons not updated we wont get anywhere by
* another iteration, so exit loop.
*/
if (last_reasons == ctx->current_reasons)
{
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
goto err;
}
} }
err: err:
X509_CRL_free(crl); X509_CRL_free(crl);