Sorry, that's: x509_vfy.c:234. I added some debug statements and I can't type.
:)
Roughly, this loop:
/* We now lookup certs from the certificate store */
for (;;)
{
/* If we have enough, we break */
if (depth < num) break;
/* If we are self signed, we break */
if (ctx->check_issued(ctx,x,x)) break;
ok = ctx->get_issuer(&xtmp, ctx, x);
if (ok < 0) return ok;
if (ok == 0) break;
...
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of EXT-Glatting, Dennis P
> Sent: Monday, December 06, 2010 8:00 PM
> To: [email protected]
> Subject: Loop bug(?) in X509_verify_cert() => x509_vrfy.c:254
>
> I have a set of cross certified CAs feeding a wireless Access Point and
> supplicant. This structure will look a bit strange but that is by design
> (testing). I have four CAs: CAa, CAb, CAc, and CAd.
>
> My structure is:
>
> CAd ------> supplicant
> |
> |--> CAa -----> CAb --> hostapd
> ^ |
> |-- CAc <--|
>
> Specifically, CAd is the Trust Anchor CA in this test case. CAa/Cab/CAc
> are cross certified certificates off their respective CAs. Their
> respective Trust Anchors /are not/ included in this test case -- just the
> cross certified certificates.
>
> CAd generated a certificate for the supplicant. CAd signed CAa, which
> signed CAb, which generated a certificate for hostapd. Inclusion of the
> CAb->CAc->CAa loop is the specific test I am running.
>
> I have reduced my test apparatus to s_client and s_server because wireless
> introduces too much debug overhead.
>
> I am running this test under FreeBSD 8.1 with OpenSSL 0.9.8p but version
> matters little as I have also used "g" (Debian) and 1.0.0b.
>
> What happens is X509_verify_cert() gets stuck in a loop around line
> x509_vrfy.c:254 loading the looped certificates until depth==num .
>
> This loop is fairly simple and I /think/ the problem could be resolved if
> there was an additional check to see if the certificate it's loading is
> already loaded. I am not an OpenSSL source jockey.
>
>
> My command lines are, roughly (I have to remove certain information):
>
> openssl s_client -connect localhost:443 -verify 64 -cert
> /etc/hostapd/CAd.supp.cert.pem -certform pem -key
> /etc/hostapd/CAd.supp.priv.pem -keyform pem -pass "pass:xyzzy" -CAfile
> /etc/hostapd/CAd.cert.pem -debug -no_ssl2
>
>
> openssl s_server -accept 443 -verify 64
> -cert /etc/hostapd/CAb.hostapd.cert.pem
> -certform pem -key /etc/hostapd/CAd.hostapd.priv.pem -keyform pem -pass
> "pass:xyzzy" -debug -CAfile /etc/hostapd/CAd.cert.sll.pem
> -no_tmp_rsa -no_ssl2 -no_dhe
>
>
> The file CAd.cert.sll.pem contains the CAd self signed root, the cross
> signed certificates, and the hostapd certificate.
>
>
>
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
