check_cert_crl(): Set CRL score for CRLs returned by get_crl callback
authorTimothy Copeland <tacopeland@proton.me>
Tue, 2 Dec 2025 05:05:30 +0000 (16:05 +1100)
committerTomas Mraz <tomas@openssl.org>
Thu, 4 Dec 2025 10:13:51 +0000 (11:13 +0100)
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29199)

(cherry picked from commit c7a657d8007853791f27235a176131ad1daf358a)

crypto/x509/x509_vfy.c
test/crltest.c

index 9af893610f7e0e4f300852d6180e4073ece2f417..e7bb7bc672432cd70dc3f4b1f9fca706fc2db6d5 100644 (file)
@@ -1282,10 +1282,20 @@ static int check_cert_crl(X509_STORE_CTX *ctx)
         unsigned int last_reasons = ctx->current_reasons;
 
         /* Try to retrieve relevant CRL */
-        if (ctx->get_crl != NULL)
+        if (ctx->get_crl != NULL) {
+            X509 *crl_issuer = NULL;
+            unsigned int reasons = 0;
+
             ok = ctx->get_crl(ctx, &crl, x);
-        else
+            if (crl != NULL) {
+                ctx->current_crl_score = get_crl_score(ctx, &crl_issuer,
+                                                       &reasons, crl, x);
+                ctx->current_issuer = crl_issuer;
+                ctx->current_reasons = reasons;
+            }
+        } else {
             ok = get_crl_delta(ctx, &crl, &dcrl, x);
+        }
         /* If error looking up CRL, nothing we can do except notify callback */
         if (!ok) {
             ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
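Review bot: The new callback branch seeds `reasons` with 0 (L24), while the `get_crl_delta()` path it mirrors is outside the hunk but appears to start from `ctx->current_reasons`, the same value this loop iteration snapshots as `last_reasons` on L18; if `get_crl_score()` uses the incoming mask to decide whether a CRL contributes any new reasons, the two paths will disagree on a second pass through the loop when the callback hands back a CRL it already returned. Suggest `unsigned int reasons = last_reasons;` so the callback's CRL is scored against the reasons already covered, matching the other branch. A short comment on the new block would also help the next reader, e.g. `/* The callback only supplies the CRL; derive the score, issuer and reasons that get_crl_delta() would have set so check_crl() and the reasons bookkeeping below see the same state. */`. The enclosing function both starts and continues outside the hunk, so the behaviour of the loop's termination check is inferred, not visible here.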
index 07ccddd47793a29ce38e018846caed2b901864b8..27b66b51aa2e34b9314b4f4fe68c835ed4ef2ea5 100644 (file)
@@ -560,6 +560,67 @@ static int test_reuse_crl(int idx)
     return r;
 }
 
+/*
+ * Test to make sure X509_verify_cert sets the issuer, reasons, and
+ * CRL score of the CRLs it gets from X509_STORE_CTX->get_crl
+ */
+
+static int get_crl_fn(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+{
+    *crl = CRL_from_strings(kBasicCRL);
+    return 1;
+}
+
+static int test_get_crl_fn_score(void)
+{
+    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
+    X509_STORE *store = X509_STORE_new();
+    X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+    STACK_OF(X509) *roots = sk_X509_new_null();
+
+    int status = X509_V_ERR_UNSPECIFIED;
+
+    if (!TEST_ptr(ctx)
+        || !TEST_ptr(store)
+        || !TEST_ptr(param)
+        || !TEST_ptr(roots))
+        goto err;
+
+    /* Create a stack; upref the cert because we free it below. */
+    if (!TEST_true(X509_up_ref(test_root)))
+        goto err;
+    if (!TEST_true(sk_X509_push(roots, test_root))) {
+        X509_free(test_root);
+        goto err;
+    }
+    if (!TEST_true(X509_STORE_CTX_init(ctx, store, test_leaf, NULL)))
+        goto err;
+
+    X509_STORE_CTX_set0_trusted_stack(ctx, roots);
+    X509_STORE_CTX_set_get_crl(ctx, &get_crl_fn);
+    X509_VERIFY_PARAM_set_time(param, PARAM_TIME);
+    if (!TEST_long_eq((long)X509_VERIFY_PARAM_get_time(param),
+                      (long)PARAM_TIME))
+        goto err;
+    X509_VERIFY_PARAM_set_depth(param, 16);
+    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+    X509_STORE_CTX_set0_param(ctx, param);
+    param = NULL;
+
+    ERR_clear_error();
+    status = X509_verify_cert(ctx) == 1 ? X509_V_OK
+                                        : X509_STORE_CTX_get_error(ctx);
+
+    TEST_int_eq(status, X509_V_OK);
+
+err:
+    OSSL_STACK_OF_X509_free(roots);
+    X509_VERIFY_PARAM_free(param);
+    X509_STORE_CTX_free(ctx);
+    X509_STORE_free(store);
+    return status == X509_V_OK;
+}
+
 int setup_tests(void)
 {
     if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot))
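Review bot: `get_crl_fn()` (L50-L54) reports success unconditionally, so if `CRL_from_strings(kBasicCRL)` fails the verifier is told `ok == 1` with `*crl == NULL` and proceeds with a missing CRL instead of the test failing cleanly on a fixture problem; make the return value track the allocation, `return TEST_ptr(*crl = CRL_from_strings(kBasicCRL));`, which also reports the failure through the test framework. `test_get_crl_fn_score()` only asserts the aggregate `X509_V_OK`, so nothing pins the issuer/score bookkeeping the commit title names; a check such as `TEST_ptr(X509_STORE_CTX_get0_current_issuer(ctx))` after `X509_verify_cert()` would test that directly, provided the current-issuer pointer is still set once verification returns (not visible from the hunk). The block comment on L45-L48 describes the test but is placed above `get_crl_fn()`; moving it to sit directly above `test_get_crl_fn_score()` and adding a one-liner on the helper, `/* get_crl callback that always returns the basic test CRL */`, would keep each function's purpose next to it.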
@@ -573,6 +634,7 @@ int setup_tests(void)
     ADD_TEST(test_bad_issuer_crl);
     ADD_TEST(test_crl_empty_idp);
     ADD_TEST(test_known_critical_crl);
+    ADD_TEST(test_get_crl_fn_score);
     ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls));
     ADD_ALL_TESTS(test_reuse_crl, 6);
     return 1;