Fix verify loop with CRL checking.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 12 Jul 2013 16:35:08 +0000 (17:35 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 6 Aug 2013 15:08:09 +0000 (16:08 +0100)
PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
(cherry picked from commit 4b26645c1a71cf9ce489e4f79fc836760b670ffe)

crypto/x509/x509_vfy.c

index 12d71f54e2e53af69071b6dfd0164deaa5d14e04..5195ffef264d647dec2205cfcbbf1df02f1419f5 100644 (file)
@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
        X509_CRL *crl = NULL, *dcrl = NULL;
        X509 *x;
        int ok, cnum;
+       unsigned int last_reasons;
        cnum = ctx->error_depth;
        x = sk_X509_value(ctx->chain, cnum);
        ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
        ctx->current_reasons = 0;
        while (ctx->current_reasons != CRLDP_ALL_REASONS)
                {
+               last_reasons = ctx->current_reasons;
                /* Try to retrieve relevant CRL */
                if (ctx->get_crl)
                        ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
                X509_CRL_free(dcrl);
                crl = NULL;
                dcrl = NULL;
+               /* If reasons not updated we wont get anywhere by
+                * another iteration, so exit loop.
+                */
+               if (last_reasons == ctx->current_reasons)
+                       {
+                       ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+                       ok = ctx->verify_cb(0, ctx);
+                       goto err;
+                       }
                }
        err:
        X509_CRL_free(crl);