From 016bc5ceb3bf3f60c7ff71326e3b95088ae05d2a Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 11 Sep 2006 13:00:52 +0000 Subject: [PATCH] Fixes for new CRL/cert callbacks. Update CRL processing code to use new callbacks. --- crypto/x509/x509_lu.c | 57 ++++++++++++++++++++++++++------- crypto/x509/x509_vfy.c | 71 +++++++++++------------------------------- crypto/x509/x509_vfy.h | 4 +-- 3 files changed, 66 insertions(+), 66 deletions(-) diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 35a8e351c0..fad7ea0689 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -452,9 +452,9 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) { tobj = sk_X509_OBJECT_value(h, tidx); - if (!x509_object_cmp(&tobj, &pstmp)) + if (x509_object_cmp(&tobj, &pstmp)) break; - *pnmatch++; + (*pnmatch)++; } } return idx; @@ -476,7 +476,7 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, return sk_X509_OBJECT_value(h, idx); } -STACK_OF(X509)* X509_STORE_get_certs(X509_STORE *st, X509_NAME *nm) +STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { int i, idx, cnt; STACK_OF(X509) *sk; @@ -484,16 +484,32 @@ STACK_OF(X509)* X509_STORE_get_certs(X509_STORE *st, X509_NAME *nm) X509_OBJECT *obj; sk = sk_X509_new_null(); CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); - idx = x509_object_idx_cnt(st->objs, X509_LU_X509, nm, &cnt); + idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { + /* Nothing found in cache: do lookup to possibly add new + * objects to cache + */ + X509_OBJECT xobj; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); - sk_X509_free(sk); - return NULL; + if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) + { + sk_X509_free(sk); + return NULL; + } + X509_OBJECT_free_contents(&xobj); + CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); + idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt); + if (idx < 0) + { + CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); + sk_X509_free(sk); + return NULL; + } } for (i = 0; i < cnt; i++, idx++) { - obj = sk_X509_OBJECT_value(st->objs, i); + obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); x = obj->data.x509; CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); if (!sk_X509_push(sk, x)) @@ -509,7 +525,7 @@ STACK_OF(X509)* X509_STORE_get_certs(X509_STORE *st, X509_NAME *nm) } -STACK_OF(X509_CRL)* X509_STORE_get_crls(X509_STORE *st, X509_NAME *nm) +STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) { int i, idx, cnt; STACK_OF(X509_CRL) *sk; @@ -517,16 +533,33 @@ STACK_OF(X509_CRL)* X509_STORE_get_crls(X509_STORE *st, X509_NAME *nm) X509_OBJECT *obj; sk = sk_X509_CRL_new_null(); CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); - idx = x509_object_idx_cnt(st->objs, X509_LU_CRL, nm, &cnt); + /* Check cache first */ + idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); if (idx < 0) { + /* Nothing found in cache: do lookup to possibly add new + * objects to cache + */ + X509_OBJECT xobj; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); - sk_X509_CRL_free(sk); - return NULL; + if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) + { + sk_X509_CRL_free(sk); + return NULL; + } + X509_OBJECT_free_contents(&xobj); + CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); + idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt); + if (idx < 0) + { + CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); + sk_X509_CRL_free(sk); + return NULL; + } } for (i = 0; i < cnt; i++, idx++) { - obj = sk_X509_OBJECT_value(st->objs, i); + obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); x = obj->data.crl; CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); if (!sk_X509_CRL_push(sk, x)) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 51db63101f..f1f5fb9b3f 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -79,8 +79,6 @@ static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); static int internal_verify(X509_STORE_CTX *ctx); -static STACK_OF(X509) * lookup_certs(X509_STORE_CTX *ctx, X509_NAME *nm); -static STACK_OF(X509_CRL) * lookup_crls(X509_STORE_CTX *ctx, X509_NAME *nm); const char *X509_version="X.509" OPENSSL_VERSION_PTEXT; @@ -666,7 +664,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, for (i = 0; i < sk_X509_CRL_num(crls); i++) { crl = sk_X509_CRL_value(crls, i); - if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) + if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) continue; if (check_crl_time(ctx, crl, 0)) { @@ -692,7 +690,7 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) { int ok; X509_CRL *crl = NULL; - X509_OBJECT xobj; + STACK_OF(X509_CRL) *skcrl; X509_NAME *nm; nm = X509_get_issuer_name(x); ok = get_crl_sk(ctx, &crl, nm, ctx->crls); @@ -702,11 +700,13 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) return 1; } - ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj); + /* Lookup CRLs from store */ - if (!ok) + skcrl = ctx->lookup_crls(ctx, nm); + + /* If no CRLs found and a near match from get_crl_sk use that */ + if (!skcrl) { - /* If we got a near match from get_crl_sk use that */ if (crl) { *pcrl = crl; @@ -715,41 +715,18 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) return 0; } - /* If CRL times not valid look through store */ - if (!check_crl_time(ctx, xobj.data.crl, 0)) + get_crl_sk(ctx, &crl, NULL, skcrl); + + sk_X509_CRL_pop_free(skcrl, X509_CRL_free); + + /* If we got any kind of CRL use it and return success */ + if (crl) { - int idx, i; - X509_OBJECT *pobj; - X509_OBJECT_free_contents(&xobj); - idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, - X509_LU_CRL, nm); - if (idx == -1) - return 0; - *pcrl = NULL; - for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) - { - pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); - /* Check to see if it is a CRL and issuer matches */ - if (pobj->type != X509_LU_CRL) - break; - if (X509_NAME_cmp(nm, - X509_CRL_get_issuer(pobj->data.crl))) - break; - /* Set *pcrl because the CRL will either be valid or - * a "best fit" CRL. - */ - *pcrl = pobj->data.crl; - if (check_crl_time(ctx, *pcrl, 0)) - break; - } - if (*pcrl) - CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509); + *pcrl = crl; + return 1; } - else - *pcrl = xobj.data.crl; - if (crl) - X509_CRL_free(crl); - return 1; + + return 0; } /* Check CRL validity */ @@ -876,16 +853,6 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) return 1; } -static STACK_OF(X509) * lookup_certs(X509_STORE_CTX *ctx, X509_NAME *nm) - { - return X509_STORE_get_certs(ctx->ctx, nm); - } - -static STACK_OF(X509_CRL) * lookup_crls(X509_STORE_CTX *ctx, X509_NAME *nm) - { - return X509_STORE_get_crls(ctx->ctx, nm); - } - static int check_policy(X509_STORE_CTX *ctx) { int ret; @@ -1476,12 +1443,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (store && store->lookup_certs) ctx->lookup_certs = store->lookup_certs; else - ctx->lookup_certs = lookup_certs; + ctx->lookup_certs = X509_STORE_get1_certs; if (store && store->lookup_crls) ctx->lookup_crls = store->lookup_crls; else - ctx->lookup_crls = lookup_crls; + ctx->lookup_crls = X509_STORE_get1_crls; ctx->check_policy = check_policy; diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 3c550e1433..d546cd9767 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -387,8 +387,8 @@ void X509_OBJECT_free_contents(X509_OBJECT *a); X509_STORE *X509_STORE_new(void ); void X509_STORE_free(X509_STORE *v); -STACK_OF(X509)* X509_STORE_get_certs(X509_STORE *st, X509_NAME *nm); -STACK_OF(X509_CRL)* X509_STORE_get_crls(X509_STORE *st, X509_NAME *nm); +STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm); +STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm); int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags); int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); int X509_STORE_set_trust(X509_STORE *ctx, int trust); -- 2.25.1