Hi there,

About April Ben made a change to crypto/x509/by_file.c to add CRLs
to the X509_LOOKUP as well as certs. However, the return value of that
function has me a bit confused - after that change, the function
considered it an error unless the file contained a cert AND a CRL. I would
have thought it more logical to make it an error if the file contained
neither.

Anyway, the point of this is that Bodo's change on the 26/27th October to
X509_STORE_load_locations in crypto/x509/x509_d2.c started paying
attention to these return values. The upshot is that a call to
SSL_CTX_load_verify_locations with a file containing a CA cert but no CRL
returns an error (which breaks existing code).

In s_server.c for example, the following lines appear to disguise this
problem, and it appears that if one passes in a CAfile it will result in an
error return code in the first function but the second function will
succeed, so nothing will be reported:

[s_server.c:643]
        if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
                (!SSL_CTX_set_default_verify_paths(ctx)))

For now I've made do with patching the by_file.c as per the attached diff.

I'd appreciate any thoughts on how this should work. Mark was happy to
commit this change but I'd appreciate some feedback first.

Cheers,
Geoff


----------------------------------------------------------------------
Geoff Thorpe                                    Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe    http://www.int.c2.net
----------------------------------------------------------------------
May I just take this opportunity to say that of all the people I have
EVER emailed, you are definitely one of them.
diff -u -r1.8 by_file.c
--- by_file.c   1999/09/11 17:54:11     1.8
+++ by_file.c   1999/11/04 20:34:30
@@ -104,7 +104,7 @@
                                X509_FILETYPE_PEM);
                        ok2=X509_load_crl_file(ctx,X509_get_default_cert_file(),
                                X509_FILETYPE_PEM);
-                       if (!ok || !ok2)
+                       if (!ok && !ok2)
                                {
                                X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
                                }
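Review bot: with the condition changed to `if (!ok && !ok2)`, a failure to load the default cert file is no longer reported as long as the default CRL file loads (and vice versa), so a caller relying on the default CA bundle can get a silent miss; that matches the "error only if neither" intent stated above, but it is worth documenting in the X509_R_LOADING_DEFAULTS path that a partial load of the defaults is now treated as success, and the same relaxed condition must also be applied to the final return value or this hunk and the return will disagree.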
@@ -124,7 +124,7 @@
                        }
                break;
                }
-       return((ok && ok2)?ok:0);
+       return((ok || ok2)?ok:0);
        }
 
 int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
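Review bot: the new expression `return((ok || ok2)?ok:0);` does not actually implement "succeed if either loaded": when `ok` is 0 and `ok2` is non-zero the ternary picks `ok`, i.e. 0, so a file containing only a CRL still returns failure, and the whole expression reduces to `return ok;`. If the intent is that either a cert or a CRL makes the load a success, something like `return (ok ? ok : ok2);` is needed, and the comment above the function should then state what the returned count means when only CRLs were found, since callers may read it as the number of certs loaded.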
