[openssl/openssl] 44da71: Fix corruption when searching for CRLs in hashed d...

Hugo Landau noreply at github.com
Thu Jan 26 09:24:20 UTC 2023


  Branch: refs/heads/OpenSSL_1_1_1-stable
  Home:   https://github.com/openssl/openssl
  Commit: 44da71693cdad2deb6430a47d3f3ee9f57065091
      https://github.com/openssl/openssl/commit/44da71693cdad2deb6430a47d3f3ee9f57065091
  Author: Hugo Landau <hlandau at openssl.org>
  Date:   2023-01-24 (Tue, 24 Jan 2023)

  Changed paths:
    M crypto/x509/by_dir.c

  Log Message:
  -----------
  Fix corruption when searching for CRLs in hashed directories (1.1)

The by_dir certificate/CRL lookup code uses an OPENSSL_STACK to track
how many sequentially numbered CRL files have been loaded for a given
X509_NAME hash which is being requested. This avoids loading already
loaded CRL files and repeated stat() calls.

This OPENSSL_STACK is searched using sk_find, however this mutates
the OPENSSL_STACK unless it is known to be sorted. This operation
therefore requires a write lock, which was not taken.

Fix this issue by sorting the OPENSSL_STACK whenever it is mutated. This
guarantees no mutation will occur during sk_find. This is chosen over
taking a write lock during sk_find as retrieving a CRL by X509_NAME is
assumed to be a hotter path than the case where a new CRL is installed.

Also optimise the code by avoiding creating the structure to track the
last CRL file sequence number in the circumstance where it would match
the initial value, namely where no CRL with the given hash is installed.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20127)




More information about the openssl-commits mailing list