avoid verification loops in trusted store when path building
authorDr. Stephen Henson <steve@openssl.org>
Sat, 25 Dec 2010 20:45:59 +0000 (20:45 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 25 Dec 2010 20:45:59 +0000 (20:45 +0000)
CHANGES
crypto/x509/x509_txt.c
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.h

diff --git a/CHANGES b/CHANGES
index 6157a1e..c75e514 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]
 
+  *) If a candidate issuer certificate is already part of the constructed
+     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
+     [Steve Henson]
+
   *) Improve forward-security support: add functions
 
        void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
index c44f753..9a0911a 100644 (file)
@@ -183,6 +183,8 @@ const char *X509_verify_cert_error_string(long n)
                return("unsupported or invalid name syntax");
        case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
                return("CRL path validation error");
+       case X509_V_ERR_PATH_LOOP:
+               return("Path Loop");
 
        default:
                BIO_snprintf(buf,sizeof buf,"error number %ld",n);
index fadf712..64df4d3 100644 (file)
@@ -439,6 +439,21 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 {
        int ret;
        ret = X509_check_issued(issuer, x);
+       if (ret == X509_V_OK)
+               {
+               int i;
+               X509 *ch;
+               for (i = 0; i < sk_X509_num(ctx->chain); i++)
+                       {
+                       ch = sk_X509_value(ctx->chain, i);
+                       if (ch == issuer || !X509_cmp(ch, issuer))
+                               {
+                               ret = X509_V_ERR_PATH_LOOP;
+                               break;
+                               }
+                       }
+               }
+
        if (ret == X509_V_OK)
                return 1;
        /* If we haven't asked for issuer errors don't set ctx */
index 992005f..34f2f11 100644 (file)
@@ -353,6 +353,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define                X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX        52
 #define                X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
 #define                X509_V_ERR_CRL_PATH_VALIDATION_ERROR            54
+/* Another issuer check debug option */
+#define                X509_V_ERR_PATH_LOOP                            55
 
 /* The application is not happy */
 #define                X509_V_ERR_APPLICATION_VERIFICATION             50