Hi,
in crypto/x509/x509_d2.c:92, the failure of loading the CAfile is tested in
the following way:
    if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
        return(0);
X509_LOOKUP_load_file however returns the number of items loaded from the file.
From crypto/x509/by_file.c, function X509_load_cert_crl_file() (indirectly
called):
    ...
    for(i = 0; i < sk_X509_INFO_num(inf); i++) {
        itmp = sk_X509_INFO_value(inf, i);
        if(itmp->x509) {
            X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
            count++;
        } else if(itmp->crl) {
            X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
            count++;
        }
    }
    ...
    return count;
    ...
Thus, if more than one entry is contained in the CAfile loaded, an erroneous
error is reported.
Proposed fix: change the failure condition to
    /* fail only when nothing could be loaded, not when the count is != 1 */
    if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) < 1)
        return(0);
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
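The return-value mismatch described in the message above, as an added stand-alone example (not OpenSSL's own code): count_pem_entries() is a stand-in for X509_load_cert_crl_file() that returns the number of certificate and CRL entries in a PEM bundle, and the two predicates show why a boolean-style "!= 1" check rejects a valid multi-entry CAfile while "< 1" does not. The PEM bundles are constructed samples with the bodies omitted.

```c
/* Added example modelling the x509_d2.c check; not OpenSSL source. */
#include <stddef.h>
#include <string.h>

/* Stand-in for X509_load_cert_crl_file(): returns how many entries the
 * store would receive, one per certificate block and one per CRL block.
 * Assumption: other PEM block types are ignored, as that loop ignores them. */
static int count_pem_entries(const char *pem)
{
    static const char *const markers[] = {
        "-----BEGIN CERTIFICATE-----",
        "-----BEGIN X509 CRL-----",
    };
    int count = 0;
    for (size_t m = 0; m < sizeof markers / sizeof markers[0]; m++) {
        const char *p = pem;
        size_t len = strlen(markers[m]);
        while ((p = strstr(p, markers[m])) != NULL) {
            count++;          /* each block becomes one loaded item */
            p += len;
        }
    }
    return count;
}

/* The check as reported in x509_d2.c: treats the item count as a boolean,
 * so any bundle with two or more entries is reported as a load failure. */
static int cafile_ok_buggy(const char *pem)
{
    return count_pem_entries(pem) != 1 ? 0 : 1;
}

/* Corrected check: fail only when nothing at all could be loaded. */
static int cafile_ok_fixed(const char *pem)
{
    return count_pem_entries(pem) < 1 ? 0 : 1;
}

/* Constructed sample bundles; base64 bodies replaced by "..." for brevity. */
static const char ONE_CERT[] =
    "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n";
static const char CERT_AND_CRL[] =
    "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\n...\n-----END X509 CRL-----\n";
static const char EMPTY_FILE[] = "";
```

With CERT_AND_CRL the buggy predicate returns 0 (failure) although both entries were loaded, which is exactly the spurious error the message reports.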
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]