Add some sanity checks when checking CRL scores
authorMatt Caswell <matt@openssl.org>
Mon, 22 Aug 2016 23:01:57 +0000 (00:01 +0100)
committerMatt Caswell <matt@openssl.org>
Mon, 22 Aug 2016 23:19:15 +0000 (00:19 +0100)
Reviewed-by: Tim Hudson <tjh@openssl.org>
crypto/x509/x509_vfy.c

index 13a9ba3..070afd1 100644 (file)
@@ -974,10 +974,10 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
         crl = sk_X509_CRL_value(crls, i);
         reasons = *preasons;
         crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
-        if (crl_score < best_score)
+        if (crl_score < best_score || crl_score == 0)
             continue;
         /* If current CRL is equivalent use it if it is newer */
-        if (crl_score == best_score) {
+        if (crl_score == best_score && best_crl != NULL) {
             int day, sec;
             if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
                                X509_CRL_get0_lastUpdate(crl)) == 0)