From: Dr. Stephen Henson Date: Sat, 24 May 2014 22:55:19 +0000 (+0100) Subject: Don't use expired certificates if possible. X-Git-Tag: master-post-reformat~779 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=0930251df814f3993bf2c598761e0c7c6d0d62a2;p=oweals%2Fopenssl.git Don't use expired certificates if possible. When looking for the issuer of a certificate, if current candidate is expired, continue looking. Only return an expired certificate if no valid certificates are found. PR#3359 --- diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h index 55c791550b..f994cb9c27 100644 --- a/crypto/x509/x509_lcl.h +++ b/crypto/x509/x509_lcl.h @@ -68,3 +68,5 @@ struct X509_VERIFY_PARAM_ID_st unsigned char *ip; /* If not NULL IP address to match */ size_t iplen; /* Length of IP address */ }; + +int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index cce90848a2..79281c6bdb 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -61,6 +61,7 @@ #include #include #include +#include "x509_lcl.h" X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { @@ -639,6 +640,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) X509_NAME *xn; X509_OBJECT obj, *pobj; int i, ok, idx, ret; + *issuer = NULL; xn=X509_get_issuer_name(x); ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); if (ok != X509_LU_X509) @@ -660,8 +662,11 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) /* If certificate matches all OK */ if (ctx->check_issued(ctx, x, obj.data.x509)) { - *issuer = obj.data.x509; - return 1; + if (x509_check_cert_time(ctx, obj.data.x509, 1)) + { + *issuer = obj.data.x509; + return 1; + } } X509_OBJECT_free_contents(&obj); @@ -683,13 +688,22 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) if (ctx->check_issued(ctx, x, pobj->data.x509)) { *issuer = pobj->data.x509; - X509_OBJECT_up_ref_count(pobj); ret = 1; - break; + /* + * If times check, exit with match, + * otherwise keep looking. Leave last + * match in issuer so we return nearest + * match if no certificate time is OK. + */ + + if (x509_check_cert_time(ctx, *issuer, 1)) + break; } } } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + if (*issuer) + CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); return ret; } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 563737ecec..30fc974a20 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -469,14 +469,18 @@ end: static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; - X509 *issuer; + X509 *issuer, *rv = NULL;; for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) - return issuer; + { + rv = issuer; + if (x509_check_cert_time(ctx, rv, 1)) + break; + } } - return NULL; + return rv; } /* Given a possible certificate and issuer check them */ @@ -1694,7 +1698,7 @@ static int check_policy(X509_STORE_CTX *ctx) return 1; } -static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) +int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet) { time_t *ptime; int i; @@ -1707,6 +1711,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) i=X509_cmp_time(X509_get_notBefore(x), ptime); if (i == 0) { + if (quiet) + return 0; ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) @@ -1715,6 +1721,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) if (i > 0) { + if (quiet) + return 0; ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) @@ -1724,6 +1732,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) i=X509_cmp_time(X509_get_notAfter(x), ptime); if (i == 0) { + if (quiet) + return 0; ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) @@ -1732,6 +1742,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) if (i < 0) { + if (quiet) + return 0; ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) @@ -1815,7 +1827,7 @@ static int internal_verify(X509_STORE_CTX *ctx) xs->valid = 1; check_cert: - ok = check_cert_time(ctx, xs); + ok = x509_check_cert_time(ctx, xs, 0); if (!ok) goto end;