Use newest CRL.

If two CRLs are equivalent then use the one with a later lastUpdate field: this will result in the newest CRL available being used. RT#4615 Reviewed-by: N Rich Salz <rsalz@openssl.org>

Use newest CRL.
If two CRLs are equivalent then use the one with a later lastUpdate field: this will result in the newest CRL available being used. RT#4615 Reviewed-by: N Rich Salz <rsalz@openssl.org>
626aa248 · Dr. Stephen Henson · 31a7d80d · 626aa248
隐藏空白更改
内联并排

Showing with 14 addition and 6 deletion

crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +14 -6

未找到文件。
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -971,13 +971,21 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
        crl = sk_X509_CRL_value(crls, i);
        reasons = *preasons;
        crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
-
-        if (crl_score > best_score) {
-            best_crl = crl;
-            best_crl_issuer = crl_issuer;
-            best_score = crl_score;
-            best_reasons = reasons;
+        if (crl_score < best_score)
+            continue;
+        /* If current CRL is equivalent use it if it is newer */
+        if (crl_score == best_score) {
+            int day, sec;
+            if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
+                               X509_CRL_get_lastUpdate(crl)) == 0)
+                continue;
+            if (day < 0 || sec <= 0)
+                continue;
        }
+        best_crl = crl;
+        best_crl_issuer = crl_issuer;
+        best_score = crl_score;
+        best_reasons = reasons;
    }

    if (best_crl) {