From 56299115581a49e87bfcdd05ca5ead9c24a74ae1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 8 Apr 2025 11:41:04 +0200
Subject: [PATCH] System: Trust: Authorities - prevent recusrion loop when ca's are cross referencing eachother. Although this is highly uncommon, it's very annoying when the certificate path leads to an "Fatat error: Allowed memory size exhausted...". If we do end in a loop (e.g. same ca already in the path), exit the calculation and return what we found sofar.
---
 src/etc/inc/certs.inc | 3 +++
 src/opnsense/mvc/app/library/OPNsense/Trust/Store.php | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index fef4d987a..869f341af 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -107,6 +107,9 @@ function ca_chain_array(&$cert)
 $crt = false;
 }
 if ($crt) {
+ if (in_array($crt, $chain)) {
+ break; /* exit endless loop */
+ }
 $chain[] = $crt;
 }
 }
diff --git a/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php b/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php
index 1827b0e8b..48238c3ee 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Trust/Store.php
@@ -596,7 +596,11 @@ class Store
 {
 $chain = [];
 while (($item = self::getCA(!isset($item) ? $caref : $item->caref)) != null) {
- $chain[] = base64_decode((string)$item->crt);
+ $data = base64_decode((string)$item->crt);
+ if (in_array($data, $chain)) {
+ break; /* exit endless loop */
+ }
+ $chain[] = $data;
 }
 return implode("\n", $chain);
 }
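Review bot: In `ca_chain_array()` (src/etc/inc/certs.inc) the added `break` ends the walk and returns a shortened chain without leaving any trace, so a cyclic `caref` in the trust store stays invisible to the administrator; the Store.php hunk does the same. Cross-referencing CA entries are a configuration fault worth surfacing, and a log call placed just before each `break` that names the reference being followed would make the condition detectable. Separately, `in_array($crt, $chain)` compares loosely, and `$crt` looks like a whole CA entry rather than a scalar (inferred, the lookup is outside the hunk); `if (in_array($crt, $chain, true)) {` keeps the match exact, and the strict flag applies equally to `in_array($data, $chain)` in Store.php. The function starts and ends outside the hunk.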
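Review bot: In the Store.php hunk the loop check is keyed on the decoded certificate bytes rather than on the CA reference being followed, so two distinct CA entries whose `crt` decodes to the same string (including two entries with an empty `crt`) would end the walk early even though no cycle exists, dropping any ancestors above them from the exported chain. Tracking the references already visited is more exact: `if (isset($seen[$ref])) { break; }` followed by `$seen[$ref] = true;`, with `$ref` the string value of the `caref` about to be passed to `self::getCA()`. The enclosing method's signature is outside the hunk, so how `$caref` arrives is not visible here.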