author | jkim <jkim@FreeBSD.org> | 2014-04-10 22:39:22 +0000 |
---|---|---|
committer | jkim <jkim@FreeBSD.org> | 2014-04-10 22:39:22 +0000 |
commit | aeb5a4ff70fa036e3502afc9daf7d02795216340 (patch) | |
tree | c5b5657bc6509d897204957128bcbeac4535b4b7 /crypto/openssl/crypto/x509/x509_vfy.c | |
parent | 8f4a94c1c91787a4ac5272d05fa061275e720a27 (diff) | |
MFC: r261037, r264278
Merge OpenSSL 1.0.1f and 1.0.1g.
Diffstat (limited to 'crypto/openssl/crypto/x509/x509_vfy.c')
-rw-r--r-- | crypto/openssl/crypto/x509/x509_vfy.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index 12d71f5..920066a 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	X509_CRL *crl = NULL, *dcrl = NULL;
 	X509 *x;
 	int ok, cnum;
+	unsigned int last_reasons;
 	cnum = ctx->error_depth;
 	x = sk_X509_value(ctx->chain, cnum);
 	ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	ctx->current_reasons = 0;
 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
 		{
+		last_reasons = ctx->current_reasons;
 		/* Try to retrieve relevant CRL */
 		if (ctx->get_crl)
 			ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
 		X509_CRL_free(dcrl);
 		crl = NULL;
 		dcrl = NULL;
+		/* If reasons not updated we wont get anywhere by
+		 * another iteration, so exit loop.
+		 */
+		if (last_reasons == ctx->current_reasons)
+			{
+			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+			ok = ctx->verify_cb(0, ctx);
+			goto err;
+			}
 		}
 	err:
 	X509_CRL_free(crl);
@@ -1451,10 +1462,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	 * a certificate was revoked. This has since been changed since
 	 * critical extension can change the meaning of CRL entries.
 	 */
-	if (crl->flags & EXFLAG_CRITICAL)
+	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+		&& (crl->flags & EXFLAG_CRITICAL))
 		{
-		if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-			return 1;
 		ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
 		ok = ctx->verify_cb(0, ctx);
 		if(!ok) |
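Review bot: The new exit guard at the bottom of the while loop in check_cert only guarantees termination if every iteration that succeeds strictly widens ctx->current_reasons; that invariant is established by the CRL lookup and checking code outside this hunk, so the added comment should state it instead of leaving it implicit. I would reword the comment to `/* A pass that added no reasons cannot make progress on a later pass, so stop here rather than iterate again (each successful pass must widen current_reasons). */`. The guard runs after crl and dcrl have been freed and nulled, so the frees after the err: label are no-ops on this path, which is fine; last_reasons from the first hunk is assigned at the top of every iteration before this comparison, so it needs no initializer. check_cert begins and ends outside the hunk.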
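Review bot: The reworked condition in cert_crl now lets a CRL carrying unhandled critical extensions fall through to the rest of the function when X509_V_FLAG_IGNORE_CRITICAL is set, whereas the removed branch returned 1 and skipped whatever follows; the comment above the if says nothing about this, so a later reader may reintroduce the early return. I would add, directly above the if, `/* IGNORE_CRITICAL only suppresses the error: the CRL is still processed below, never accepted unread. */`. What "processed below" covers is not visible here, since cert_crl continues past the end of the hunk.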