From: Dr. Stephen Henson Date: Fri, 12 Jul 2013 16:35:08 +0000 (+0100) Subject: Fix verify loop with CRL checking. X-Git-Tag: OpenSSL_1_0_2-beta1~311 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=71c34b7f2d66808b21b1d341cea6f1c939d07324;p=oweals%2Fopenssl.git Fix verify loop with CRL checking. PR #3090 Reported by: Franck Youssef If no new reason codes are obtained after checking a CRL exit with an error to avoid repeatedly checking the same CRL. This will only happen if verify errors such as invalid CRL scope are overridden in a callback. (cherry picked from commit 4b26645c1a71cf9ce489e4f79fc836760b670ffe) --- diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index afb60163f2..d4820c0076 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -810,6 +810,7 @@ static int check_cert(X509_STORE_CTX *ctx) X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok, cnum; + unsigned int last_reasons; cnum = ctx->error_depth; x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; @@ -818,6 +819,7 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_reasons = 0; while (ctx->current_reasons != CRLDP_ALL_REASONS) { + last_reasons = ctx->current_reasons; /* Try to retrieve relevant CRL */ if (ctx->get_crl) ok = ctx->get_crl(ctx, &crl, x); @@ -861,6 +863,15 @@ static int check_cert(X509_STORE_CTX *ctx) X509_CRL_free(dcrl); crl = NULL; dcrl = NULL; + /* If reasons not updated we wont get anywhere by + * another iteration, so exit loop. + */ + if (last_reasons == ctx->current_reasons) + { + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; + ok = ctx->verify_cb(0, ctx); + goto err; + } } err: X509_CRL_free(crl);