
Merge pull request #7476 from per-allansson/one-crl-to-rule-them-all

An expired CRL should not override a successful match in another CRL
Sean Parkinson 2 weeks ago
parent
commit
52861cbdbf
1 changed files with 7 additions and 2 deletions
  1. 7 2
      src/crl.c

+ 7 - 2
src/crl.c

@@ -392,6 +392,8 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
 
     for (crle = crl->crlList; crle != NULL; crle = crle->next) {
         if (XMEMCMP(crle->issuerHash, issuerHash, CRL_DIGEST_SIZE) == 0) {
+            int nextDateValid = 1;
+
             WOLFSSL_MSG("Found CRL Entry on list");
 
             if (crle->verified == 0) {
@@ -426,17 +428,20 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
             #if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_CRL_DATE_CHECK)
                 if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) {
                     WOLFSSL_MSG("CRL next date is no longer valid");
-                    ret = ASN_AFTER_DATE_E;
+                    nextDateValid = 0;
                 }
             #endif
             }
-            if (ret == 0) {
+            if (nextDateValid) {
                 foundEntry = 1;
                 ret = FindRevokedSerial(crle->certs, serial, serialSz,
                         serialHash, crle->totalCerts);
                 if (ret != 0)
                     break;
             }
+            else if (foundEntry == 0) {
+                ret = ASN_AFTER_DATE_E;
+            }
         }
     }