Loop bug(?) in X509_verify_cert() => x509_vrfy.c:254

Mon, 06 Dec 2010 20:20:56 -0800 

I have a set of cross certified CAs feeding a wireless Access Point and 
supplicant. This structure will look a bit strange but that is by design 
(testing). I have four CAs: CAa, CAb, CAc, and CAd.

My structure is:

  CAd ------> supplicant
      |
      |--> CAa -----> CAb --> hostapd
            ^          |
            |-- CAc <--|

Specifically, CAd is the Trust Anchor CA in this test case. CAa/Cab/CAc are 
cross certified certificates off their respective CAs. Their respective Trust 
Anchors /are not/ included in this test case -- just the cross certified 
certificates.

CAd generated a certificate for the supplicant. CAd signed CAa, which signed 
CAb, which generated a certificate for hostapd. Inclusion of the CAb->CAc->CAa 
loop is the specific test I am running.

I have reduced my test apparatus to s_client and s_server because wireless 
introduces too much debug overhead.

I am running this test under FreeBSD 8.1 with OpenSSL 0.9.8p but version 
matters little as I have also used "g" (Debian) and 1.0.0b.

What happens is X509_verify_cert() gets stuck in a loop around line  
x509_vrfy.c:254 loading the looped certificates until depth==num .

This loop is fairly simple and I /think/ the problem could be resolved if there 
was an additional check to see if the certificate it's loading is already 
loaded. I am not an OpenSSL source jockey. 


My command lines are, roughly (I have to remove certain information):

openssl s_client -connect localhost:443 -verify 64 -cert 
/etc/hostapd/CAd.supp.cert.pem -certform pem -key 
/etc/hostapd/CAd.supp.priv.pem -keyform pem -pass "pass:xyzzy" -CAfile 
/etc/hostapd/CAd.cert.pem -debug -no_ssl2


openssl s_server -accept 443 -verify 64
-cert /etc/hostapd/CAb.hostapd.cert.pem
-certform pem -key /etc/hostapd/CAd.hostapd.priv.pem -keyform pem -pass 
"pass:xyzzy" -debug -CAfile /etc/hostapd/CAd.cert.sll.pem
-no_tmp_rsa -no_ssl2 -no_dhe


The file CAd.cert.sll.pem contains the CAd self signed root, the cross signed 
certificates, and the hostapd certificate.





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]

Reply via email to