author | Dr. Stephen Henson <steve@openssl.org> | 2013-07-12 17:35:08 +0100 |
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-08-06 16:08:09 +0100 |
commit | 7cf0529b52dca16bbfeca39e433402867303814c (patch) | |
tree | fc90d98197a4886aae4b0077528c9fdf7525ed13 /crypto/x509 | |
parent | 6c03af135b285429a71ab3dac953ad9a70d8a1ac (diff) | |
Fix verify loop with CRL checking.
PR #3090
Reported by: Franck Youssef <fry@open.ch>
If no new reason codes are obtained after checking a CRL, exit with an
error to avoid repeatedly checking the same CRL.
This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
(cherry picked from commit 4b26645c1a71cf9ce489e4f79fc836760b670ffe)
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_vfy.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 12d71f54e2..5195ffef26 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	X509_CRL *crl = NULL, *dcrl = NULL;
 	X509 *x;
 	int ok, cnum;
+	unsigned int last_reasons;
 	cnum = ctx->error_depth;
 	x = sk_X509_value(ctx->chain, cnum);
 	ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	ctx->current_reasons = 0;
 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
 		{
+		last_reasons = ctx->current_reasons;
 		/* Try to retrieve relevant CRL */
 		if (ctx->get_crl)
 			ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
 		X509_CRL_free(dcrl);
 		crl = NULL;
 		dcrl = NULL;
+		/* If reasons not updated we wont get anywhere by
+		 * another iteration, so exit loop.
+		 */
+		if (last_reasons == ctx->current_reasons)
+			{
+			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+			ok = ctx->verify_cb(0, ctx);
+			goto err;
+			}
 		}
 	err:
 	X509_CRL_free(crl);
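Review bot: The comment on the new early exit in the third hunk should state what an override means, because `ok = ctx->verify_cb(0, ctx); goto err;` leaves the loop with the callback's verdict, so a callback that overrides X509_V_ERR_UNABLE_TO_GET_CRL here presumably lets check_cert return success with revocation checked only for the reason codes accumulated so far (the `err:` path and the function's return are outside the hunk, so this is inferred). Suggest replacing the added three-line comment with `/* No new reason codes after this CRL: another iteration would only re-fetch the same CRL, so report UNABLE_TO_GET_CRL. If the callback overrides this, the remaining reason codes are left unchecked. */`, which also fixes the `wont` typo. The error code is the nearest existing one, but it is reported even when a CRL was obtained and merely rejected for scope, so the comment is the place to make that explicit.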