[openssl/openssl] a3dd46: Fix corruption when searching for CRLs in hashed d...

Hugo Landau noreply at github.com
Tue Jan 24 00:25:27 UTC 2023


  Branch: refs/heads/openssl-3.0
  Home:   https://github.com/openssl/openssl
  Commit: a3dd46d2c63953a5c9349ee9d559b4303fd40af6
      https://github.com/openssl/openssl/commit/a3dd46d2c63953a5c9349ee9d559b4303fd40af6
  Author: Hugo Landau <hlandau at openssl.org>
  Date:   2023-01-24 (Tue, 24 Jan 2023)

  Changed paths:
    M crypto/x509/by_dir.c

  Log Message:
  -----------
  Fix corruption when searching for CRLs in hashed directories

The by_dir certificate/CRL lookup code uses an OPENSSL_STACK to track
how many sequentially numbered CRL files have been loaded for a given
X509_NAME hash which is being requested. This avoids loading already
loaded CRL files and repeated stat() calls.

This OPENSSL_STACK is searched using sk_find, however this mutates
the OPENSSL_STACK unless it is known to be sorted. This operation
therefore requires a write lock, which was not taken.

Fix this issue by sorting the OPENSSL_STACK whenever it is mutated. This
guarantees no mutation will occur during sk_find. This is chosen over
taking a write lock during sk_find as retrieving a CRL by X509_NAME is
assumed to be a hotter path than the case where a new CRL is installed.

Also optimise the code by avoiding creating the structure to track the
last CRL file sequence number in the circumstance where it would match
the initial value, namely where no CRL with the given hash is installed.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20076)

(cherry picked from commit 3147785eb23bb27080a0b7accbbff46ac471e86c)




More information about the openssl-commits mailing list