mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

An expired CRL should not override a successful match in other CRL

Browse Source
This commit is contained in:
Per Allansson 2024-04-26 09:30:42 +02:00
parent e1bd4dd1ec
commit e96a65a93d
No known key found for this signature in database
GPG Key ID: 6471ED8DCBA4FB89
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/crl.c
View File

@ -392,6 +392,8 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
for (crle = crl->crlList; crle != NULL; crle = crle->next) {
if (XMEMCMP(crle->issuerHash, issuerHash, CRL_DIGEST_SIZE) == 0) {
int nextDateValid = 1;
WOLFSSL_MSG("Found CRL Entry on list");
if (crle->verified == 0) {
@ -426,16 +428,18 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
#if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_CRL_DATE_CHECK)
if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) {
WOLFSSL_MSG("CRL next date is no longer valid");
ret = ASN_AFTER_DATE_E;
nextDateValid = 0;
}
#endif
}
if (ret == 0) {
if (nextDateValid) {
foundEntry = 1;
ret = FindRevokedSerial(crle->certs, serial, serialSz,
serialHash, crle->totalCerts);
if (ret != 0)
break;
} else if (foundEntry == 0) {
ret = ASN_AFTER_DATE_E;
}
}
}