Commit c7a657d800 for openssl.org
commit c7a657d8007853791f27235a176131ad1daf358a
Author: Timothy Copeland <tacopeland@proton.me>
Date: Tue Dec 2 16:05:30 2025 +1100
check_cert_crl(): Set CRL score for CRLs returned by get_crl callback
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29199)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 378c170e91..696f3286ea 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1353,10 +1353,20 @@ static int check_cert_crl(X509_STORE_CTX *ctx)
unsigned int last_reasons = ctx->current_reasons;
/* Try to retrieve relevant CRL */
- if (ctx->get_crl != NULL)
+ if (ctx->get_crl != NULL) {
+ X509 *crl_issuer = NULL;
+ unsigned int reasons = 0;
+
ok = ctx->get_crl(ctx, &crl, x);
- else
+ if (crl != NULL) {
+ ctx->current_crl_score = get_crl_score(ctx, &crl_issuer,
+ &reasons, crl, x);
+ ctx->current_issuer = crl_issuer;
+ ctx->current_reasons = reasons;
+ }
+ } else {
ok = get_crl_delta(ctx, &crl, &dcrl, x);
+ }
/* If error looking up CRL, nothing we can do except notify callback */
if (!ok) {
ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
diff --git a/test/crltest.c b/test/crltest.c
index e6c891978b..f04cd7192f 100644
--- a/test/crltest.c
+++ b/test/crltest.c
@@ -673,6 +673,67 @@ static int test_crl_date_invalid(void)
return test;
}
+/*
+ * Test to make sure X509_verify_cert sets the issuer, reasons, and
+ * CRL score of the CRLs it gets from X509_STORE_CTX->get_crl
+ */
+
+static int get_crl_fn(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+{
+ *crl = CRL_from_strings(kBasicCRL);
+ return 1;
+}
+
+static int test_get_crl_fn_score(void)
+{
+ X509_STORE_CTX *ctx = X509_STORE_CTX_new();
+ X509_STORE *store = X509_STORE_new();
+ X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+ STACK_OF(X509) *roots = sk_X509_new_null();
+
+ int status = X509_V_ERR_UNSPECIFIED;
+
+ if (!TEST_ptr(ctx)
+ || !TEST_ptr(store)
+ || !TEST_ptr(param)
+ || !TEST_ptr(roots))
+ goto err;
+
+ /* Create a stack; upref the cert because we free it below. */
+ if (!TEST_true(X509_up_ref(test_root)))
+ goto err;
+ if (!TEST_true(sk_X509_push(roots, test_root))) {
+ X509_free(test_root);
+ goto err;
+ }
+ if (!TEST_true(X509_STORE_CTX_init(ctx, store, test_leaf, NULL)))
+ goto err;
+
+ X509_STORE_CTX_set0_trusted_stack(ctx, roots);
+ X509_STORE_CTX_set_get_crl(ctx, &get_crl_fn);
+ X509_VERIFY_PARAM_set_time(param, PARAM_TIME);
+ if (!TEST_long_eq((long)X509_VERIFY_PARAM_get_time(param),
+ (long)PARAM_TIME))
+ goto err;
+ X509_VERIFY_PARAM_set_depth(param, 16);
+ X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set0_param(ctx, param);
+ param = NULL;
+
+ ERR_clear_error();
+ status = X509_verify_cert(ctx) == 1 ? X509_V_OK
+ : X509_STORE_CTX_get_error(ctx);
+
+ TEST_int_eq(status, X509_V_OK);
+
+err:
+ OSSL_STACK_OF_X509_free(roots);
+ X509_VERIFY_PARAM_free(param);
+ X509_STORE_CTX_free(ctx);
+ X509_STORE_free(store);
+ return status == X509_V_OK;
+}
+
int setup_tests(void)
{
if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot))
@@ -688,6 +749,7 @@ int setup_tests(void)
ADD_TEST(test_known_critical_crl);
ADD_TEST(test_crl_cert_issuer_ext);
ADD_TEST(test_crl_date_invalid);
+ ADD_TEST(test_get_crl_fn_score);
ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls));
ADD_ALL_TESTS(test_reuse_crl, 6);