Nick Lewis via RT wrote:
> The path loop detection in crypto/x509/x509_vfy.c:check_issued() does not
> work correctly for some combinations of ctx->chain, x and issuer. For example
> when the cert x is in the chain at a location other than the top, a path loop
> is incorrectly declared. Also if the cert x is at the top of the chain but it
> is self-signed then a path loop is incorrectly declared. In practice the
> latter causes bugs in which trusted self-signed certificates are seen as
> untrusted (e.g. some OCSP responses).
>
> It is my understanding that a path loop should only exist if the issuer is
> present in the chain at a lower position than that of the cert x. Please find
> below a patch against SNAP20110815.
>
> Best Regards
> Nick
> _________
>
>
> diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
> index 64df4d3..7bbe43b 100755
> --- a/crypto/x509/x509_vfy.c
> +++ b/crypto/x509/x509_vfy.c
> @@ -443,15 +443,18 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x,
> X509 *issuer)
> {
> int i;
> X509 *ch;
> + int issuer_num = 0;
> + int x_num = 0;
> for (i = 0; i< sk_X509_num(ctx->chain); i++)
> {
> ch = sk_X509_value(ctx->chain, i);
> if (ch == issuer || !X509_cmp(ch, issuer))
> - {
> - ret = X509_V_ERR_PATH_LOOP;
> - break;
> - }
> + issuer_num = issuer_num ? issuer_num : i+1;
> + if (ch == x || !X509_cmp(ch, x))
> + x_num = i+1;
> }
> + if (issuer_num< x_num)
> + ret = X509_V_ERR_PATH_LOOP;
> }
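Review bot: the new test `if (issuer_num< x_num)` can only ever fire when x itself is found in ctx->chain; when x is not in the chain, x_num stays 0 and the condition is false for every issuer_num, so an issuer that is already present in the chain is silently accepted, whereas the removed `ret = X509_V_ERR_PATH_LOOP; break;` flagged that case unconditionally. If the intent is only to relax the check for x at or below the issuer's position, keep the old behaviour for the not-in-chain case, e.g. `if (issuer_num && (!x_num || issuer_num < x_num))`, and say in a comment that issuer_num records the first match and x_num the last match, since a chain containing the same certificate twice (both compare equal under X509_cmp) otherwise reads as an undocumented special case. The loop also no longer breaks early, which is harmless but worth a comment given both counters are needed.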
>
The patch above fixes some issues with self-issued certificates but breaks other
non-self-issued ones.
Roumen
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]