The path loop detection in crypto/x509/x509_vfy.c:check_issued() does not work correctly for some combinations of ctx->chain, x and issuer. For example, when the cert x is in the chain at a location other than the top, a path loop is incorrectly declared. Also, if the cert x is at the top of the chain but it is self-signed then a path loop is incorrectly declared. In practice the latter causes bugs in which trusted self-signed certificates are seen as untrusted (e.g. some OCSP responses).
It is my understanding that a path loop should only exist if the issuer is
present in the chain at a lower position than that of the cert x. Please find
below a patch against SNAP20110815.
Best Regards
Nick
_________
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 64df4d3..7bbe43b 100755
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -443,15 +443,18 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x,
X509 *issuer)
{
int i;
X509 *ch;
+ int issuer_num = 0;
+ int x_num = 0;
for (i = 0; i < sk_X509_num(ctx->chain); i++)
{
ch = sk_X509_value(ctx->chain, i);
if (ch == issuer || !X509_cmp(ch, issuer))
- {
- ret = X509_V_ERR_PATH_LOOP;
- break;
- }
+ issuer_num = issuer_num ? issuer_num : i+1;
+ if (ch == x || !X509_cmp(ch, x))
+ x_num = i+1;
}
+ if (issuer_num < x_num)
+ ret = X509_V_ERR_PATH_LOOP;
}
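Review bot: the final `if (issuer_num < x_num)` also fires when the issuer is not in the chain at all, because issuer_num keeps its initial value 0 while x_num is set for the cert x that is already in ctx->chain, so every ordinary chain extension with a fresh issuer would be reported as X509_V_ERR_PATH_LOOP; test for presence first, e.g. `if (issuer_num && issuer_num < x_num)`, which also matches the rule stated in the mail ("present in the chain at a lower position"). Minor: the loop now calls X509_cmp() twice per element and no longer breaks early, which is fine, but a comment explaining why the first match of issuer and the last match of x are the positions that matter would help the next reader.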
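A stand-alone model of the position rule stated in the mail (a loop exists only when the issuer is already in ctx->chain below the cert x), written as an added example rather than OpenSSL's own code: certificates are integer ids, the chain array is constructed, and path_loop(), check_case() and run_cases() are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Added model of the position-based path-loop rule (not OpenSSL code).
 * Certificates are integer ids; equal ids stand in for X509_cmp() == 0.
 * Index 0 is the bottom (leaf) of the chain and the last index the top,
 * matching the order of ctx->chain. */

/* Return 1 if placing issuer above x would form a path loop. */
int path_loop(const int *chain, size_t n, int x, int issuer)
{
    size_t i, issuer_pos = 0, x_pos = 0; /* 1-based; 0 = not in chain */

    for (i = 0; i < n; i++) {
        if (chain[i] == issuer && issuer_pos == 0)
            issuer_pos = i + 1;          /* lowest occurrence of issuer */
        if (chain[i] == x)
            x_pos = i + 1;               /* highest occurrence of x */
    }
    /* A loop needs the issuer present AND below x; an issuer not yet in
     * the chain (the normal case while extending it) is not a loop, so
     * the presence test must come first. */
    return issuer_pos != 0 && issuer_pos < x_pos;
}

/* Constructed chain: leaf 10, intermediate 20, self-signed top 30. */
static const int CHAIN[] = { 10, 20, 30 };

int check_case(int x, int issuer)
{
    return path_loop(CHAIN, sizeof CHAIN / sizeof CHAIN[0], x, issuer);
}

/* Cases from the mail plus the absent-issuer case; returns how many fail. */
int run_cases(void)
{
    int fails = 0;
    fails += check_case(20, 40) != 0; /* x mid-chain, issuer not in chain */
    fails += check_case(30, 30) != 0; /* x self-signed at the top */
    fails += check_case(30, 40) != 0; /* x at the top, fresh issuer */
    fails += check_case(30, 10) != 1; /* issuer already below x: a loop */
    return fails;
}

int main(void)
{
    printf("failing cases: %d\n", run_cases());
    return run_cases() != 0;
}
```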
