From 2b3936e8825efa15eceaa41ba6d3486dfc6ee2c0 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sat, 25 Dec 2010 20:45:59 +0000
Subject: [PATCH] avoid verification loops in trusted store when path building

---
 CHANGES                |  4 ++++
 crypto/x509/x509_txt.c |  2 ++
 crypto/x509/x509_vfy.c | 15 +++++++++++++++
 crypto/x509/x509_vfy.h |  2 ++
 4 files changed, 23 insertions(+)

diff --git a/CHANGES b/CHANGES
index 6157a1ef0d..c75e514793 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]
 
+  *) If a candidate issuer certificate is already part of the constructed
+     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
+     [Steve Henson]
+
   *) Improve forward-security support: add functions
 
        void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index c44f753c46..9a0911a304 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -183,6 +183,8 @@ const char *X509_verify_cert_error_string(long n)
 		return("unsupported or invalid name syntax");
 	case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
 		return("CRL path validation error");
+	case X509_V_ERR_PATH_LOOP:
+		return("Path Loop");
 
 	default:
 		BIO_snprintf(buf,sizeof buf,"error number %ld",n);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index fadf712e4b..64df4d34a1 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -439,6 +439,21 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 {
 	int ret;
 	ret = X509_check_issued(issuer, x);
+	if (ret == X509_V_OK)
+		{
+		int i;
+		X509 *ch;
+		for (i = 0; i < sk_X509_num(ctx->chain); i++)
+			{
+			ch = sk_X509_value(ctx->chain, i);
+			if (ch == issuer || !X509_cmp(ch, issuer))
+				{
+				ret = X509_V_ERR_PATH_LOOP;
+				break;
+				}
+			}
+		}
+
 	if (ret == X509_V_OK)
 		return 1;
 	/* If we haven't asked for issuer errors don't set ctx */
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 992005f222..34f2f113d5 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -353,6 +353,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define		X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX	52
 #define		X509_V_ERR_UNSUPPORTED_NAME_SYNTAX		53
 #define		X509_V_ERR_CRL_PATH_VALIDATION_ERROR		54
+/* Another issuer check debug option */
+#define		X509_V_ERR_PATH_LOOP				55
 
 /* The application is not happy */
 #define		X509_V_ERR_APPLICATION_VERIFICATION		50
-- 
2.25.1