avoid verification loops in trusted store when path building

This commit is contained in:
Dr. Stephen Henson 2010-12-25 20:45:59 +00:00
parent c596b2ab5b
commit 2b3936e882
4 changed files with 23 additions and 0 deletions

View File

@ -4,6 +4,10 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
*) If a candidate issuer certificate is already part of the constructed
path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
[Steve Henson]
*) Improve forward-security support: add functions
void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))

View File

@ -183,6 +183,8 @@ const char *X509_verify_cert_error_string(long n)
return("unsupported or invalid name syntax");
case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
return("CRL path validation error");
case X509_V_ERR_PATH_LOOP:
return("Path Loop");
default:
BIO_snprintf(buf,sizeof buf,"error number %ld",n);

View File

@ -439,6 +439,21 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
int ret;
ret = X509_check_issued(issuer, x);
if (ret == X509_V_OK)
{
int i;
X509 *ch;
for (i = 0; i < sk_X509_num(ctx->chain); i++)
{
ch = sk_X509_value(ctx->chain, i);
if (ch == issuer || !X509_cmp(ch, issuer))
{
ret = X509_V_ERR_PATH_LOOP;
break;
}
}
}
if (ret == X509_V_OK)
return 1;
/* If we haven't asked for issuer errors don't set ctx */

View File

@ -353,6 +353,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
/* Another issuer check debug option */
#define X509_V_ERR_PATH_LOOP 55
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50