Skip to content
Snippets Groups Projects
Commit 2b3936e8 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

avoid verification loops in trusted store when path building

parent c596b2ab
No related branches found
No related tags found
No related merge requests found
......@@ -4,6 +4,10 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
*) If a candidate issuer certificate is already part of the constructed
path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
[Steve Henson]
*) Improve forward-security support: add functions
void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
......
......@@ -183,6 +183,8 @@ const char *X509_verify_cert_error_string(long n)
return("unsupported or invalid name syntax");
case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
return("CRL path validation error");
case X509_V_ERR_PATH_LOOP:
return("Path Loop");
default:
BIO_snprintf(buf,sizeof buf,"error number %ld",n);
......
......@@ -439,6 +439,21 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
int ret;
ret = X509_check_issued(issuer, x);
if (ret == X509_V_OK)
{
int i;
X509 *ch;
for (i = 0; i < sk_X509_num(ctx->chain); i++)
{
ch = sk_X509_value(ctx->chain, i);
if (ch == issuer || !X509_cmp(ch, issuer))
{
ret = X509_V_ERR_PATH_LOOP;
break;
}
}
}
if (ret == X509_V_OK)
return 1;
/* If we haven't asked for issuer errors don't set ctx */
......
......@@ -353,6 +353,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
/* Another issuer check debug option */
#define X509_V_ERR_PATH_LOOP 55
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment