From e96a65a93d32b74ff1c8720021ae845e6dcae06b Mon Sep 17 00:00:00 2001
From: Per Allansson
Date: Fri, 26 Apr 2024 09:30:42 +0200
Subject: [PATCH 1/2] An expired CRL should not override a successful match in other CRL
---
 src/crl.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/crl.c b/src/crl.c
index 3e61ec95e4..4c4ec8898e 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -392,6 +392,8 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
 for (crle = crl->crlList; crle != NULL; crle = crle->next) {
 if (XMEMCMP(crle->issuerHash, issuerHash, CRL_DIGEST_SIZE) == 0) {
+ int nextDateValid = 1;
+
 WOLFSSL_MSG("Found CRL Entry on list");
 if (crle->verified == 0) {
@@ -426,16 +428,18 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
 #if !defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_CRL_DATE_CHECK)
 if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) {
 WOLFSSL_MSG("CRL next date is no longer valid");
- ret = ASN_AFTER_DATE_E;
+ nextDateValid = 0;
 }
 #endif
 }
- if (ret == 0) {
+ if (nextDateValid) {
 foundEntry = 1;
 ret = FindRevokedSerial(crle->certs, serial, serialSz,
 serialHash, crle->totalCerts);
 if (ret != 0)
 break;
+ } else if (foundEntry == 0) {
+ ret = ASN_AFTER_DATE_E;
 }
 }
 }
From b88803cbb3d7c68e5718143975ee5b23f7d1c8c4 Mon Sep 17 00:00:00 2001
From: Per Allansson
Date: Fri, 3 May 2024 06:42:06 +0200
Subject: [PATCH 2/2] Fix formatting
---
 src/crl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/crl.c b/src/crl.c
index 4c4ec8898e..0a61ba654c 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -438,7 +438,8 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
 serialHash, crle->totalCerts);
 if (ret != 0)
 break;
- } else if (foundEntry == 0) {
+ }
+ else if (foundEntry == 0) {
 ret = ASN_AFTER_DATE_E;
 }
 }
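Review bot: The new gate `if (nextDateValid) {` in the second hunk of patch 1 drops the `ret == 0` condition the removed line carried, so any error left in `ret` by the `crle->verified == 0` block that sits between the two hunks (not shown here) no longer prevents the FindRevokedSerial() call, whose return value then overwrites it. Whether that block can leave ret non-zero without breaking out of the loop is not visible from this hunk, but if it can, a CRL entry that failed its own checks would be masked by a clean serial lookup. Since ret may now legitimately hold ASN_AFTER_DATE_E from an earlier expired entry for the same issuer, simply restoring `ret == 0` in the gate would undo the fix; the per-entry outcome should instead live in its own local, e.g. `int entryUsable = 1;` cleared next to nextDateValid wherever the entry is rejected, with the lookup gated as `if (entryUsable && nextDateValid) {`. The precedence rule introduced at `else if (foundEntry == 0)` deserves a comment such as `/* Expired CRL: report ASN_AFTER_DATE_E only if no valid CRL for this issuer has been consulted yet; a later valid entry overrides it. */`. CheckCertCRLList's body starts before and ends after this hunk.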