Fix verify loop with CRL checking.

PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5f6687e609802ea3a944d65079b3b5482bdefb63..fe7ca83ae7b20ccd512ef14533ecf36275295acb 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -838,6 +838,7 @@ static int check_cert(X509_STORE_CTX *ctx)
        X509_CRL *crl = NULL, *dcrl = NULL;
        X509 *x;
        int ok, cnum;
+       unsigned int last_reasons;
        cnum = ctx->error_depth;
        x = sk_X509_value(ctx->chain, cnum);
        ctx->current_cert = x;
@@ -846,6 +847,7 @@ static int check_cert(X509_STORE_CTX *ctx)
        ctx->current_reasons = 0;
        while (ctx->current_reasons != CRLDP_ALL_REASONS)
                {
+               last_reasons = ctx->current_reasons;
                /* Try to retrieve relevant CRL */
                if (ctx->get_crl)
                        ok = ctx->get_crl(ctx, &crl, x);
@@ -889,6 +891,15 @@ static int check_cert(X509_STORE_CTX *ctx)
                X509_CRL_free(dcrl);
                crl = NULL;
                dcrl = NULL;
+               /* If reasons not updated we wont get anywhere by
+                * another iteration, so exit loop.
+                */
+               if (last_reasons == ctx->current_reasons)
+                       {
+                       ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+                       ok = ctx->verify_cb(0, ctx);
+                       goto err;
+                       }
                }
        err:
        X509_CRL_free(crl);