Add some sanity checks when checking CRL scores

author Matt Caswell <matt@openssl.org>

Mon, 22 Aug 2016 23:01:57 +0000 (00:01 +0100)

committer Matt Caswell <matt@openssl.org>

Mon, 22 Aug 2016 23:19:15 +0000 (00:19 +0100)
author Matt Caswell <matt@openssl.org>
Mon, 22 Aug 2016 23:01:57 +0000 (00:01 +0100)
committer Matt Caswell <matt@openssl.org>
Mon, 22 Aug 2016 23:19:15 +0000 (00:19 +0100)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

index 13a9ba3c38d4a2078e34fd343eb284f6060518c5..070afd1d2bd0475198f5ff8b3816a8cba34d3f46 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -974,10 +974,10 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
          crl = sk_X509_CRL_value(crls, i);
          reasons = *preasons;
          crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
-        if (crl_score < best_score)
+        if (crl_score < best_score || crl_score == 0)
              continue;
          /* If current CRL is equivalent use it if it is newer */
-        if (crl_score == best_score) {
+        if (crl_score == best_score && best_crl != NULL) {
              int day, sec;
              if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
                                 X509_CRL_get0_lastUpdate(crl)) == 0)
author	Matt Caswell <matt@openssl.org>
	Mon, 22 Aug 2016 23:01:57 +0000 (00:01 +0100)
committer	Matt Caswell <matt@openssl.org>
	Mon, 22 Aug 2016 23:19:15 +0000 (00:19 +0100)