Merge pull request #7476 from per-allansson/one-crl-to-rule-them-all

SparkiDev · web-flow · commit 52861cbdbf87 · 2024-05-08T09:47:22.000+10:00
An expired CRL should not override a successful match in other CRL
diff --git a/src/crl.c b/src/crl.c
@@ -392,6 +392,8 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
 
     for (crle = crl->crlList; crle != NULL; crle = crle->next) {
         if (XMEMCMP(crle->issuerHash, issuerHash, CRL_DIGEST_SIZE) == 0) {
+            int nextDateValid = 1;
+
             WOLFSSL_MSG("Found CRL Entry on list");
 
             if (crle->verified == 0) {
@@ -426,17 +428,20 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
             #if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_CRL_DATE_CHECK)
                 if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) {
                     WOLFSSL_MSG("CRL next date is no longer valid");
-                    ret = ASN_AFTER_DATE_E;
+                    nextDateValid = 0;
                 }
             #endif
             }
-            if (ret == 0) {
+            if (nextDateValid) {
                 foundEntry = 1;
                 ret = FindRevokedSerial(crle->certs, serial, serialSz,
                         serialHash, crle->totalCerts);
                 if (ret != 0)
                     break;
             }
+            else if (foundEntry == 0) {
+                ret = ASN_AFTER_DATE_E;
+            }
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -392,6 +392,8 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,`
`392`	`392`
`393`	`393`	`for (crle = crl->crlList; crle != NULL; crle = crle->next) {`
`394`	`394`	`if (XMEMCMP(crle->issuerHash, issuerHash, CRL_DIGEST_SIZE) == 0) {`
	`395`	`+ int nextDateValid = 1;`
	`396`	`+`
`395`	`397`	`WOLFSSL_MSG("Found CRL Entry on list");`
`396`	`398`
`397`	`399`	`if (crle->verified == 0) {`
`@@ -426,17 +428,20 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,`
`426`	`428`	`#if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_CRL_DATE_CHECK)`
`427`	`429`	`if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) {`
`428`	`430`	`WOLFSSL_MSG("CRL next date is no longer valid");`
`429`		`- ret = ASN_AFTER_DATE_E;`
	`431`	`+ nextDateValid = 0;`
`430`	`432`	`}`
`431`	`433`	`#endif`
`432`	`434`	`}`
`433`		`- if (ret == 0) {`
	`435`	`+ if (nextDateValid) {`
`434`	`436`	`foundEntry = 1;`
`435`	`437`	`ret = FindRevokedSerial(crle->certs, serial, serialSz,`
`436`	`438`	`serialHash, crle->totalCerts);`
`437`	`439`	`if (ret != 0)`
`438`	`440`	`break;`
`439`	`441`	`}`
	`442`	`+ else if (foundEntry == 0) {`
	`443`	`+ ret = ASN_AFTER_DATE_E;`
	`444`	`+ }`
`440`	`445`	`}`
`441`	`446`	`}`
`442`	`447`