From: Timothy Copeland
Date: Tue, 2 Dec 2025 05:05:30 +0000 (+1100)
Subject: check_cert_crl(): Set CRL score for CRLs returned by get_crl callback
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7a657d8007853791f27235a176131ad1daf358a;p=thirdparty%2Fopenssl.git
check_cert_crl(): Set CRL score for CRLs returned by get_crl callback
Reviewed-by: Nikola Pajkovsky
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/29199)
---
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 378c170e91d..696f3286ea8 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1353,10 +1353,20 @@ static int check_cert_crl(X509_STORE_CTX *ctx)
 unsigned int last_reasons = ctx->current_reasons;
 /* Try to retrieve relevant CRL */
- if (ctx->get_crl != NULL)
+ if (ctx->get_crl != NULL) {
+ X509 *crl_issuer = NULL;
+ unsigned int reasons = 0;
+
 ok = ctx->get_crl(ctx, &crl, x);
- else
+ if (crl != NULL) {
+ ctx->current_crl_score = get_crl_score(ctx, &crl_issuer,
+ &reasons, crl, x);
+ ctx->current_issuer = crl_issuer;
+ ctx->current_reasons = reasons;
+ }
+ } else {
 ok = get_crl_delta(ctx, &crl, &dcrl, x);
+ }
 /* If error looking up CRL, nothing we can do except notify callback */
 if (!ok) {
 ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
diff --git a/test/crltest.c b/test/crltest.c
index e6c891978b8..f04cd7192f5 100644
--- a/test/crltest.c
+++ b/test/crltest.c
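Review bot: The callback-supplied CRL is scored before `ok` is consulted, so a get_crl implementation that returns 0 but still leaves `crl` non-NULL overwrites `ctx->current_issuer` and `ctx->current_reasons` right before the `if (!ok)` branch reports X509_V_ERR_UNABLE_TO_GET_CRL; guarding with `if (ok && crl != NULL) {` keeps those fields untouched on a failed lookup. A zero return from get_crl_score() (the CRL judged unusable for `x`) is also stored and the CRL is still handed on, whereas the internal get_crl_delta() path presumably would not have selected such a CRL; that divergence deserves a comment on the new block, e.g. `/* Score the callback's CRL so the later scope/path/time checks see it; a zero score is recorded and left for those checks to reject. */`. check_cert_crl() begins before and continues after this hunk, so the code that consumes current_crl_score is not visible here.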
@@ -673,6 +673,67 @@ static int test_crl_date_invalid(void)
 return test;
 }
+/*
+ * Test to make sure X509_verify_cert sets the issuer, reasons, and
+ * CRL score of the CRLs it gets from X509_STORE_CTX->get_crl
+ */
+
+static int get_crl_fn(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+{
+ *crl = CRL_from_strings(kBasicCRL);
+ return 1;
+}
+
+static int test_get_crl_fn_score(void)
+{
+ X509_STORE_CTX *ctx = X509_STORE_CTX_new();
+ X509_STORE *store = X509_STORE_new();
+ X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+ STACK_OF(X509) *roots = sk_X509_new_null();
+
+ int status = X509_V_ERR_UNSPECIFIED;
+
+ if (!TEST_ptr(ctx)
+ || !TEST_ptr(store)
+ || !TEST_ptr(param)
+ || !TEST_ptr(roots))
+ goto err;
+
+ /* Create a stack; upref the cert because we free it below. */
+ if (!TEST_true(X509_up_ref(test_root)))
+ goto err;
+ if (!TEST_true(sk_X509_push(roots, test_root))) {
+ X509_free(test_root);
+ goto err;
+ }
+ if (!TEST_true(X509_STORE_CTX_init(ctx, store, test_leaf, NULL)))
+ goto err;
+
+ X509_STORE_CTX_set0_trusted_stack(ctx, roots);
+ X509_STORE_CTX_set_get_crl(ctx, &get_crl_fn);
+ X509_VERIFY_PARAM_set_time(param, PARAM_TIME);
+ if (!TEST_long_eq((long)X509_VERIFY_PARAM_get_time(param),
+ (long)PARAM_TIME))
+ goto err;
+ X509_VERIFY_PARAM_set_depth(param, 16);
+ X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set0_param(ctx, param);
+ param = NULL;
+
+ ERR_clear_error();
+ status = X509_verify_cert(ctx) == 1 ? X509_V_OK
+ : X509_STORE_CTX_get_error(ctx);
+
+ TEST_int_eq(status, X509_V_OK);
+
+err:
+ OSSL_STACK_OF_X509_free(roots);
+ X509_VERIFY_PARAM_free(param);
+ X509_STORE_CTX_free(ctx);
+ X509_STORE_free(store);
+ return status == X509_V_OK;
+}
+
 int setup_tests(void)
 {
 if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot))
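Review bot: get_crl_fn() reports success unconditionally, so if CRL_from_strings() fails it hands X509_verify_cert() a NULL CRL together with `ok == 1`, turning a fixture problem into whatever the verifier does with a NULL CRL rather than a clear X509_V_ERR_UNABLE_TO_GET_CRL; returning the parse result is enough: `*crl = CRL_from_strings(kBasicCRL); return *crl != NULL;`. The test also only asserts the final status, while its header comment promises that the issuer, reasons and CRL score are set; none of those is inspected, so a regression that leaves them stale would still pass as long as verification succeeds. If the fields are to be checked, a verify callback installed with X509_STORE_CTX_set_verify_cb() could record X509_STORE_CTX_get0_current_issuer() at the CRL-check step, though whether those values survive until after X509_verify_cert() returns is not visible from this hunk. The header comment should then be narrowed to what the test actually asserts, e.g. `/* Verify that a CRL supplied via X509_STORE_CTX->get_crl passes revocation checking with CRL scoring applied. */`.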
@@ -688,6 +749,7 @@ int setup_tests(void)
 ADD_TEST(test_known_critical_crl);
 ADD_TEST(test_crl_cert_issuer_ext);
 ADD_TEST(test_crl_date_invalid);
+ ADD_TEST(test_get_crl_fn_score);
 ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls));
 ADD_ALL_TESTS(test_reuse_crl, 6);