Commit 4b26645c authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Fix verify loop with CRL checking. 

PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
parent c051cbc8

crypto/x509/x509_vfy.c

+11 −0
Original line number Diff line number Diff line
@@ -838,6 +838,7 @@ static int check_cert(X509_STORE_CTX *ctx) 
	X509_CRL *crl = NULL, *dcrl = NULL;

	X509 *x;

	int ok, cnum;

	unsigned int last_reasons;

	cnum = ctx->error_depth;

	x = sk_X509_value(ctx->chain, cnum);

	ctx->current_cert = x;
@@ -846,6 +847,7 @@ static int check_cert(X509_STORE_CTX *ctx) 
	ctx->current_reasons = 0;

	while (ctx->current_reasons != CRLDP_ALL_REASONS)

		{

		last_reasons = ctx->current_reasons;

		/* Try to retrieve relevant CRL */

		if (ctx->get_crl)

			ok = ctx->get_crl(ctx, &crl, x);
@@ -889,6 +891,15 @@ static int check_cert(X509_STORE_CTX *ctx) 
		X509_CRL_free(dcrl);

		crl = NULL;

		dcrl = NULL;

		/* If reasons not updated we wont get anywhere by

		 * another iteration, so exit loop.

		 */

		if (last_reasons == ctx->current_reasons)

			{

			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;

			ok = ctx->verify_cb(0, ctx);

			goto err;

			}

		}

	err:

	X509_CRL_free(crl);