X509_V_FLAG_NO_CHECK_TIME leaves ctx->current_crl set #18992

@davidben

d35ff2c added a X509_V_FLAG_NO_CHECK_TIME check into check_crl_time, but placed it after this code:

    if (notify)
        ctx->current_crl = crl;

This looks like a bug. notify is about a verify callback, but X509_V_FLAG_NO_CHECK_TIME skips all that. In particular, check_crl_time ends by undoing that state at the bottom, yet X509_V_FLAG_NO_CHECK_TIME skips that cleanup, and leaves a stray current_crl in there. Instead, the X509_V_FLAG_NO_CHECK_TIME check should have been placed at the beginning of the function.
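
The control flow described in this issue, as an added example that is not part of the original report and not OpenSSL's own code: a simplified C model that compares testing the flag after `current_crl` is set with testing it at the top of the function. `struct verify_ctx`, `struct crl`, `FLAG_NO_CHECK_TIME`, `leaves_stray_crl` and the `_late`/`_early` function names are hypothetical stand-ins, and the time comparisons themselves are omitted.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for this model; not OpenSSL's real types or values. */
#define FLAG_NO_CHECK_TIME 0x1UL /* models X509_V_FLAG_NO_CHECK_TIME */
struct crl { int id; };
struct verify_ctx { unsigned long flags; const struct crl *current_crl; };
typedef int (*check_fn)(struct verify_ctx *, const struct crl *, int);

/* Ordering described in the issue: flag tested after current_crl is set. */
static int check_crl_time_late(struct verify_ctx *ctx, const struct crl *crl, int notify)
{
    if (notify)
        ctx->current_crl = crl;
    if (ctx->flags & FLAG_NO_CHECK_TIME)
        return 1;                 /* early return skips the reset below */
    /* (time comparisons omitted in this model) */
    if (notify)
        ctx->current_crl = NULL;  /* cleanup at the bottom */
    return 1;
}

/* Ordering the issue proposes: flag tested at the beginning. */
static int check_crl_time_early(struct verify_ctx *ctx, const struct crl *crl, int notify)
{
    if (ctx->flags & FLAG_NO_CHECK_TIME)
        return 1;                 /* nothing has been set yet */
    if (notify)
        ctx->current_crl = crl;
    /* (time comparisons omitted in this model) */
    if (notify)
        ctx->current_crl = NULL;
    return 1;
}

/* Returns 1 if ctx.current_crl is still set after a successful call. */
static int leaves_stray_crl(check_fn fn, unsigned long flags)
{
    struct crl c = { 1 };
    struct verify_ctx ctx = { flags, NULL };
    return fn(&ctx, &c, 1) == 1 && ctx.current_crl != NULL;
}

int main(void)
{
    printf("late,  NO_CHECK_TIME: stray=%d\n", leaves_stray_crl(check_crl_time_late, FLAG_NO_CHECK_TIME));
    printf("early, NO_CHECK_TIME: stray=%d\n", leaves_stray_crl(check_crl_time_early, FLAG_NO_CHECK_TIME));
    printf("late,  no flag:       stray=%d\n", leaves_stray_crl(check_crl_time_late, 0));
    return 0;
}
```

A regression test for the real function could assert the same invariant: after a successful call with the flag set, the context's current CRL pointer is back to NULL.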

Labels

branch: 1.1.1 (Applies to OpenSSL_1_1_1-stable branch (EOL))
branch: 3.0 (Applies to openssl-3.0 branch)
branch: master (Applies to master branch)
good first issue (Bite size change that could be a good start)
help wanted
triaged: bug (The issue/pr is/fixes a bug)
