Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 20 |
1 files changed, 15 insertions, 5 deletions
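--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 X509_CRL *crl = NULL, *dcrl = NULL;
 X509 *x;
 int ok, cnum;
+unsigned int last_reasons;
 cnum = ctx->error_depth;
 x = sk_X509_value(ctx->chain, cnum);
 ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 ctx->current_reasons = 0;
 while (ctx->current_reasons != CRLDP_ALL_REASONS)
 {
+last_reasons = ctx->current_reasons;
 /* Try to retrieve relevant CRL */
 if (ctx->get_crl)
 ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
 X509_CRL_free(dcrl);
 crl = NULL;
 dcrl = NULL;
+/* If reasons not updated we wont get anywhere by
+ * another iteration, so exit loop.
+ */
+if (last_reasons == ctx->current_reasons)
+{
+ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+ok = ctx->verify_cb(0, ctx);
+goto err;
+}
 }
 err:
 X509_CRL_free(crl);
@@ -872,7 +883,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
 {
 ASN1_OCTET_STRING *exta, *extb;
 int i;
-i = X509_CRL_get_ext_by_NID(a, nid, 0);
+i = X509_CRL_get_ext_by_NID(a, nid, -1);
 if (i >= 0)
 {
 /* Can't have multiple occurrences */
@@ -883,7 +894,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
 else
 exta = NULL;
 
-i = X509_CRL_get_ext_by_NID(b, nid, 0);
+i = X509_CRL_get_ext_by_NID(b, nid, -1);
 
 if (i >= 0)
 {
@@ -1451,10 +1462,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
  * a certificate was revoked. This has since been changed since
  * critical extension can change the meaning of CRL entries.
  */
-if (crl->flags & EXFLAG_CRITICAL)
+if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+&& (crl->flags & EXFLAG_CRITICAL))
 {
-if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-return 1;
 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
 ok = ctx->verify_cb(0, ctx);
 if(!ok)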
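Review bot: In the cert_crl hunk, when `X509_V_FLAG_IGNORE_CRITICAL` is set the rewritten condition now falls through past the critical-extension check, so the CRL is consulted for revocation entries even though it carries a critical extension this code does not understand; the comment just above says such extensions can change the meaning of those entries, and nothing in the hunk records that trade-off for the reader. I would add, directly above the new `if`, `/* IGNORE_CRITICAL only suppresses the error: the CRL is still used for the revocation lookup below, even though an unrecognised critical extension may alter the meaning of its entries. */`. This is stricter than the old early `return 1`, which skipped the revocation lookup entirely under that flag, so the new behaviour is an improvement, not a regression. cert_crl continues past the end of the hunk, so whether any later check narrows this is not visible here.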
