Add some sanity checks when checking CRL scores

Reviewed-by: N Tim Hudson <tjh@openssl.org>

Add some sanity checks when checking CRL scores
Reviewed-by: N Tim Hudson <tjh@openssl.org>
8b7c51a0 · Matt Caswell · c6231e9c · 8b7c51a0
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +2 -2

未找到文件。
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -974,10 +974,10 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
        crl = sk_X509_CRL_value(crls, i);
        reasons = *preasons;
        crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
-        if (crl_score < best_score)
+        if (crl_score < best_score || crl_score == 0)
            continue;
        /* If current CRL is equivalent use it if it is newer */
-        if (crl_score == best_score) {
+        if (crl_score == best_score && best_crl != NULL) {
            int day, sec;
            if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
                               X509_CRL_get0_lastUpdate(crl)) == 0)