Nick Lewis via RT wrote:
The path loop detection in crypto/x509/x509_vfy.c:check_issued() does not work
correctly for some combinations of ctx->chain, x and issuer. For example, when
the cert x is in the chain at a location other than the top, a path loop is
incorrectly declared. Also, if the cert x is at the top of the chain but it is
self-signed, then a path loop is incorrectly declared. In practice the latter
causes bugs in which trusted self-signed certificates are seen as untrusted
(e.g. some OCSP responses).

It is my understanding that a path loop should only exist if the issuer is
present in the chain at a lower position than that of the cert x. Please find
below a patch against SNAP20110815.

Best Regards
Nick
_________


diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 64df4d3..7bbe43b 100755
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -443,15 +443,18 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, 
X509 *issuer)
                 {
                 int i;
                 X509 *ch;
+               int issuer_num = 0;
+               int x_num = 0;
                 for (i = 0; i<  sk_X509_num(ctx->chain); i++)
                      {
                      ch = sk_X509_value(ctx->chain, i);
                      if (ch == issuer || !X509_cmp(ch, issuer))
-                          {
-                          ret = X509_V_ERR_PATH_LOOP;
-                          break;
-                          }
+                          issuer_num = issuer_num ? issuer_num : i+1;
+                    if (ch == x || !X509_cmp(ch, x))
+                          x_num = i+1;
                      }
+               if (issuer_num<  x_num)
+                    ret = X509_V_ERR_PATH_LOOP;
                 }
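Review bot: the final test `if (issuer_num < x_num)` also fires when the issuer is not in the chain at all, because `issuer_num` keeps its initial value 0 while `x_num` is set to x's own position (1-based); an issuer fetched from the untrusted stack or the trust store is normally not yet in ctx->chain, so every such non-self-issued step is reported as X509_V_ERR_PATH_LOOP. Guard the comparison with a found check, e.g. `if (issuer_num && issuer_num < x_num)`, or track "found" separately from the index. The two counters are also computed asymmetrically (`issuer_num` keeps the first match, `x_num` the last) with no comment saying why; one line explaining the intent would help the next reader.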
The patch above fixes some issues with self-issued certificates but breaks other non-self-issued ones.


Roumen
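The three situations discussed in this thread (a self-signed cert at the top of the chain, an issuer that is not in the chain at all, and a genuine loop), as an added stand-alone model that is not part of the original messages and not OpenSSL's own code. `cert_t` and `cert_equal()` are hypothetical stand-ins for X509 and `ch == issuer || !X509_cmp(ch, issuer)`, the chain is constructed for the example, and the three `loop_check_*` functions reproduce in turn the pre-patch rule, the arithmetic of the posted hunk, and the rule stated in the report with the not-found case handled explicitly:

```c
#include <stdio.h>
#include <string.h>

/* Result codes, standing in for X509_V_OK and X509_V_ERR_PATH_LOOP. */
#define PATH_OK   0
#define PATH_LOOP 1

/* Hypothetical minimal stand-in for an X509: only names matter here. */
typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* Constructed chain, leaf first, the way ctx->chain is ordered. */
static const cert_t CHAIN[] = {
    { "CN=leaf",         "CN=intermediate" },
    { "CN=intermediate", "CN=root" },
    { "CN=root",         "CN=root" },          /* self-signed root at the top */
};

/* The same root as a separate object, e.g. as returned from the trust store. */
static const cert_t TRUSTED_ROOT = { "CN=root", "CN=root" };

/* Stand-in for `ch == issuer || !X509_cmp(ch, issuer)`: pointer or content equality. */
static int cert_equal(const cert_t *a, const cert_t *b)
{
    return a == b ||
           (strcmp(a->subject, b->subject) == 0 && strcmp(a->issuer, b->issuer) == 0);
}

/* Pre-patch rule: any copy of the issuer anywhere in the chain is a loop. */
int loop_check_original(const cert_t *chain, int n, const cert_t *x, const cert_t *issuer)
{
    (void)x;                                   /* x is not consulted at all */
    for (int i = 0; i < n; i++)
        if (cert_equal(&chain[i], issuer))
            return PATH_LOOP;
    return PATH_OK;
}

/* The posted hunk's arithmetic: first issuer position vs last x position,
 * both 1-based, with 0 meaning "not found". */
int loop_check_patched(const cert_t *chain, int n, const cert_t *x, const cert_t *issuer)
{
    int issuer_num = 0, x_num = 0;
    for (int i = 0; i < n; i++) {
        if (cert_equal(&chain[i], issuer))
            issuer_num = issuer_num ? issuer_num : i + 1;
        if (cert_equal(&chain[i], x))
            x_num = i + 1;
    }
    return issuer_num < x_num ? PATH_LOOP : PATH_OK;
}

/* The rule stated in the report, with "issuer not in chain" handled explicitly:
 * a loop exists only if the issuer is already in the chain strictly below x. */
int loop_check_fixed(const cert_t *chain, int n, const cert_t *x, const cert_t *issuer)
{
    int issuer_pos = -1, x_pos = -1;
    for (int i = 0; i < n; i++) {
        if (issuer_pos < 0 && cert_equal(&chain[i], issuer))
            issuer_pos = i;                    /* first occurrence of the issuer */
        if (cert_equal(&chain[i], x))
            x_pos = i;                         /* last occurrence of x */
    }
    if (issuer_pos < 0 || x_pos < 0)
        return PATH_OK;                        /* issuer comes from outside the chain */
    return issuer_pos < x_pos ? PATH_LOOP : PATH_OK;
}

int main(void)
{
    struct { const char *name; int n; const cert_t *x, *issuer; } cases[] = {
        { "self-signed root at top, issuer from trust store", 3, &CHAIN[2], &TRUSTED_ROOT },
        { "issuer not yet in chain",                          2, &CHAIN[1], &TRUSTED_ROOT },
        { "genuine loop: leaf claimed as issuer of intermediate", 2, &CHAIN[1], &CHAIN[0] },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-56s original=%d patched=%d fixed=%d\n", cases[i].name,
               loop_check_original(CHAIN, cases[i].n, cases[i].x, cases[i].issuer),
               loop_check_patched(CHAIN, cases[i].n, cases[i].x, cases[i].issuer),
               loop_check_fixed(CHAIN, cases[i].n, cases[i].x, cases[i].issuer));
    return 0;
}
```

The second case is the one the posted hunk gets wrong: with the issuer absent from the chain, `issuer_num` stays 0, `x_num` is 2, and the comparison declares a loop even though nothing is wrong with the path.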

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
