avoid verification loops in trusted store when path building

CHANGES

@@ -4,6 +4,10 @@
 
  Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]
 
+  *) If a candidate issuer certificate is already part of the constructed
+     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
+     [Steve Henson]
+
   *) Improve forward-security support: add functions
 
        void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))

crypto/x509/x509_txt.c

@@ -183,6 +183,8 @@ const char *X509_verify_cert_error_string(long n)
 		return("unsupported or invalid name syntax");
 	case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
 		return("CRL path validation error");
+	case X509_V_ERR_PATH_LOOP:
+		return("Path Loop");
 
 	default:
 		BIO_snprintf(buf,sizeof buf,"error number %ld",n);

crypto/x509/x509_vfy.c

@@ -439,6 +439,21 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 {
 	int ret;
 	ret = X509_check_issued(issuer, x);
+	if (ret == X509_V_OK)
+		{
+		int i;
+		X509 *ch;
+		for (i = 0; i < sk_X509_num(ctx->chain); i++)
+			{
+			ch = sk_X509_value(ctx->chain, i);
+			if (ch == issuer || !X509_cmp(ch, issuer))
+				{
+				ret = X509_V_ERR_PATH_LOOP;
+				break;
+				}
+			}
+		}
+
 	if (ret == X509_V_OK)
 		return 1;
 	/* If we haven't asked for issuer errors don't set ctx */

crypto/x509/x509_vfy.h

@@ -353,6 +353,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define		X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX	52
 #define		X509_V_ERR_UNSUPPORTED_NAME_SYNTAX		53
 #define		X509_V_ERR_CRL_PATH_VALIDATION_ERROR		54
+/* Another issuer check debug option */
+#define		X509_V_ERR_PATH_LOOP				55
 
 /* The application is not happy */
 #define		X509_V_ERR_APPLICATION_VERIFICATION		50