summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortedu <>2014-04-18 01:59:00 +0000
committertedu <>2014-04-18 01:59:00 +0000
commit7e187c94c34271d4b5fc5cb79fc0e129d0a63fa1 (patch)
tree88ee4831e2437f9075e786ffb662bb05fe0e3df6
parent80823cb97c2306eeedfd3544fc82a8d9a02224b6 (diff)
downloadopenbsd-7e187c94c34271d4b5fc5cb79fc0e129d0a63fa1.tar.gz
openbsd-7e187c94c34271d4b5fc5cb79fc0e129d0a63fa1.tar.bz2
openbsd-7e187c94c34271d4b5fc5cb79fc0e129d0a63fa1.zip
blunt force knf
Diffstat
-rw-r--r--src/lib/libcrypto/x509/x509_att.c42
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c109
-rw-r--r--src/lib/libcrypto/x509/x509_d2.c18
-rw-r--r--src/lib/libcrypto/x509/x509_err.c17
-rw-r--r--src/lib/libcrypto/x509/x509_ext.c84
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c317
-rw-r--r--src/lib/libcrypto/x509/x509_obj.c76
-rw-r--r--src/lib/libcrypto/x509/x509_r2x.c19
-rw-r--r--src/lib/libcrypto/x509/x509_req.c49
-rw-r--r--src/lib/libcrypto/x509/x509_set.c60
-rw-r--r--src/lib/libcrypto/x509/x509_trs.c10
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c7
-rw-r--r--src/lib/libcrypto/x509/x509_v3.c94
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c910
-rw-r--r--src/lib/libcrypto/x509/x509_vpm.c135
-rw-r--r--src/lib/libcrypto/x509/x509cset.c70
-rw-r--r--src/lib/libcrypto/x509/x509name.c123
-rw-r--r--src/lib/libcrypto/x509/x509rset.c12
-rw-r--r--src/lib/libcrypto/x509/x509type.c17
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_att.c42
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_cmp.c109
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_d2.c18
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_err.c17
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_ext.c84
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_lu.c317
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_obj.c76
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_r2x.c19
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_req.c49
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_set.c60
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_trs.c10
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_txt.c7
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_v3.c94
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_vfy.c910
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_vpm.c135
-rw-r--r--src/lib/libssl/src/crypto/x509/x509cset.c70
-rw-r--r--src/lib/libssl/src/crypto/x509/x509name.c123
-rw-r--r--src/lib/libssl/src/crypto/x509/x509rset.c12
-rw-r--r--src/lib/libssl/src/crypto/x509/x509type.c17
38 files changed, 1848 insertions, 2490 deletions
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 98460e8921..7f924fbe39 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -91,8 +91,7 @@ int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
91 if (lastpos < 0) 91 if (lastpos < 0)
92 lastpos=0; 92 lastpos=0;
93 n=sk_X509_ATTRIBUTE_num(sk); 93 n=sk_X509_ATTRIBUTE_num(sk);
94 for ( ; lastpos < n; lastpos++) 94 for ( ; lastpos < n; lastpos++) {
95 {
96 ex=sk_X509_ATTRIBUTE_value(sk,lastpos); 95 ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
97 if (OBJ_cmp(ex->object,obj) == 0) 96 if (OBJ_cmp(ex->object,obj) == 0)
98 return(lastpos); 97 return(lastpos);
@@ -124,18 +123,15 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
124 X509_ATTRIBUTE *new_attr=NULL; 123 X509_ATTRIBUTE *new_attr=NULL;
125 STACK_OF(X509_ATTRIBUTE) *sk=NULL; 124 STACK_OF(X509_ATTRIBUTE) *sk=NULL;
126 125
127 if (x == NULL) 126 if (x == NULL) {
128 {
129 X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER); 127 X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
130 goto err2; 128 goto err2;
131 } 129 }
132 130
133 if (*x == NULL) 131 if (*x == NULL) {
134 {
135 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL) 132 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
136 goto err; 133 goto err;
137 } 134 } else
138 else
139 sk= *x; 135 sk= *x;
140 136
141 if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL) 137 if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
@@ -215,11 +211,10 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
215 X509_ATTRIBUTE *ret; 211 X509_ATTRIBUTE *ret;
216 212
217 obj=OBJ_nid2obj(nid); 213 obj=OBJ_nid2obj(nid);
218 if (obj == NULL) 214 if (obj == NULL) {
219 {
220 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID); 215 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
221 return(NULL); 216 return(NULL);
222 } 217 }
223 ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len); 218 ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
224 if (ret == NULL) ASN1_OBJECT_free(obj); 219 if (ret == NULL) ASN1_OBJECT_free(obj);
225 return(ret); 220 return(ret);
@@ -230,14 +225,12 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
230{ 225{
231 X509_ATTRIBUTE *ret; 226 X509_ATTRIBUTE *ret;
232 227
233 if ((attr == NULL) || (*attr == NULL)) 228 if ((attr == NULL) || (*attr == NULL)) {
234 { 229 if ((ret=X509_ATTRIBUTE_new()) == NULL) {
235 if ((ret=X509_ATTRIBUTE_new()) == NULL)
236 {
237 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); 230 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
238 return(NULL); 231 return(NULL);
239 }
240 } 232 }
233 }
241 else 234 else
242 ret= *attr; 235 ret= *attr;
243 236
@@ -256,22 +249,21 @@ err:
256 249
257X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr, 250X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
258 const char *atrname, int type, const unsigned char *bytes, int len) 251 const char *atrname, int type, const unsigned char *bytes, int len)
259 { 252{
260 ASN1_OBJECT *obj; 253 ASN1_OBJECT *obj;
261 X509_ATTRIBUTE *nattr; 254 X509_ATTRIBUTE *nattr;
262 255
263 obj=OBJ_txt2obj(atrname, 0); 256 obj=OBJ_txt2obj(atrname, 0);
264 if (obj == NULL) 257 if (obj == NULL) {
265 {
266 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT, 258 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
267 X509_R_INVALID_FIELD_NAME); 259 X509_R_INVALID_FIELD_NAME);
268 ERR_add_error_data(2, "name=", atrname); 260 ERR_add_error_data(2, "name=", atrname);
269 return(NULL); 261 return(NULL);
270 } 262 }
271 nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len); 263 nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
272 ASN1_OBJECT_free(obj); 264 ASN1_OBJECT_free(obj);
273 return nattr; 265 return nattr;
274 } 266}
275 267
276int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) 268int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
277{ 269{
@@ -310,12 +302,10 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
310 if (attrtype == 0) 302 if (attrtype == 0)
311 return 1; 303 return 1;
312 if(!(ttmp = ASN1_TYPE_new())) goto err; 304 if(!(ttmp = ASN1_TYPE_new())) goto err;
313 if ((len == -1) && !(attrtype & MBSTRING_FLAG)) 305 if ((len == -1) && !(attrtype & MBSTRING_FLAG)) {
314 {
315 if (!ASN1_TYPE_set1(ttmp, attrtype, data)) 306 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
316 goto err; 307 goto err;
317 } 308 } else
318 else
319 ASN1_TYPE_set(ttmp, atype, stmp); 309 ASN1_TYPE_set(ttmp, atype, stmp);
320 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err; 310 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
321 return 1; 311 return 1;
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 2f1b8953e5..87c4596414 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -65,7 +65,7 @@
65#include <openssl/x509v3.h> 65#include <openssl/x509v3.h>
66 66
67int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) 67int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
68 { 68{
69 int i; 69 int i;
70 X509_CINF *ai,*bi; 70 X509_CINF *ai,*bi;
71 71
@@ -74,11 +74,11 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
74 i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber); 74 i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
75 if (i) return(i); 75 if (i) return(i);
76 return(X509_NAME_cmp(ai->issuer,bi->issuer)); 76 return(X509_NAME_cmp(ai->issuer,bi->issuer));
77 } 77}
78 78
79#ifndef OPENSSL_NO_MD5 79#ifndef OPENSSL_NO_MD5
80unsigned long X509_issuer_and_serial_hash(X509 *a) 80unsigned long X509_issuer_and_serial_hash(X509 *a)
81 { 81{
82 unsigned long ret=0; 82 unsigned long ret=0;
83 EVP_MD_CTX ctx; 83 EVP_MD_CTX ctx;
84 unsigned char md[16]; 84 unsigned char md[16];
@@ -102,68 +102,68 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
102 err: 102 err:
103 EVP_MD_CTX_cleanup(&ctx); 103 EVP_MD_CTX_cleanup(&ctx);
104 return(ret); 104 return(ret);
105 } 105}
106#endif 106#endif
107 107
108int X509_issuer_name_cmp(const X509 *a, const X509 *b) 108int X509_issuer_name_cmp(const X509 *a, const X509 *b)
109 { 109{
110 return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer)); 110 return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
111 } 111}
112 112
113int X509_subject_name_cmp(const X509 *a, const X509 *b) 113int X509_subject_name_cmp(const X509 *a, const X509 *b)
114 { 114{
115 return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject)); 115 return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
116 } 116}
117 117
118int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) 118int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
119 { 119{
120 return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer)); 120 return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
121 } 121}
122 122
123#ifndef OPENSSL_NO_SHA 123#ifndef OPENSSL_NO_SHA
124int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) 124int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
125 { 125{
126 return memcmp(a->sha1_hash, b->sha1_hash, 20); 126 return memcmp(a->sha1_hash, b->sha1_hash, 20);
127 } 127}
128#endif 128#endif
129 129
130X509_NAME *X509_get_issuer_name(X509 *a) 130X509_NAME *X509_get_issuer_name(X509 *a)
131 { 131{
132 return(a->cert_info->issuer); 132 return(a->cert_info->issuer);
133 } 133}
134 134
135unsigned long X509_issuer_name_hash(X509 *x) 135unsigned long X509_issuer_name_hash(X509 *x)
136 { 136{
137 return(X509_NAME_hash(x->cert_info->issuer)); 137 return(X509_NAME_hash(x->cert_info->issuer));
138 } 138}
139 139
140#ifndef OPENSSL_NO_MD5 140#ifndef OPENSSL_NO_MD5
141unsigned long X509_issuer_name_hash_old(X509 *x) 141unsigned long X509_issuer_name_hash_old(X509 *x)
142 { 142{
143 return(X509_NAME_hash_old(x->cert_info->issuer)); 143 return(X509_NAME_hash_old(x->cert_info->issuer));
144 } 144}
145#endif 145#endif
146 146
147X509_NAME *X509_get_subject_name(X509 *a) 147X509_NAME *X509_get_subject_name(X509 *a)
148 { 148{
149 return(a->cert_info->subject); 149 return(a->cert_info->subject);
150 } 150}
151 151
152ASN1_INTEGER *X509_get_serialNumber(X509 *a) 152ASN1_INTEGER *X509_get_serialNumber(X509 *a)
153 { 153{
154 return(a->cert_info->serialNumber); 154 return(a->cert_info->serialNumber);
155 } 155}
156 156
157unsigned long X509_subject_name_hash(X509 *x) 157unsigned long X509_subject_name_hash(X509 *x)
158 { 158{
159 return(X509_NAME_hash(x->cert_info->subject)); 159 return(X509_NAME_hash(x->cert_info->subject));
160 } 160}
161 161
162#ifndef OPENSSL_NO_MD5 162#ifndef OPENSSL_NO_MD5
163unsigned long X509_subject_name_hash_old(X509 *x) 163unsigned long X509_subject_name_hash_old(X509 *x)
164 { 164{
165 return(X509_NAME_hash_old(x->cert_info->subject)); 165 return(X509_NAME_hash_old(x->cert_info->subject));
166 } 166}
167#endif 167#endif
168 168
169#ifndef OPENSSL_NO_SHA 169#ifndef OPENSSL_NO_SHA
@@ -188,24 +188,22 @@ int X509_cmp(const X509 *a, const X509 *b)
188 188
189 189
190int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) 190int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
191 { 191{
192 int ret; 192 int ret;
193 193
194 /* Ensure canonical encoding is present and up to date */ 194 /* Ensure canonical encoding is present and up to date */
195 195
196 if (!a->canon_enc || a->modified) 196 if (!a->canon_enc || a->modified) {
197 {
198 ret = i2d_X509_NAME((X509_NAME *)a, NULL); 197 ret = i2d_X509_NAME((X509_NAME *)a, NULL);
199 if (ret < 0) 198 if (ret < 0)
200 return -2; 199 return -2;
201 } 200 }
202 201
203 if (!b->canon_enc || b->modified) 202 if (!b->canon_enc || b->modified) {
204 {
205 ret = i2d_X509_NAME((X509_NAME *)b, NULL); 203 ret = i2d_X509_NAME((X509_NAME *)b, NULL);
206 if (ret < 0) 204 if (ret < 0)
207 return -2; 205 return -2;
208 } 206 }
209 207
210 ret = a->canon_enclen - b->canon_enclen; 208 ret = a->canon_enclen - b->canon_enclen;
211 209
@@ -214,10 +212,10 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
214 212
215 return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); 213 return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
216 214
217 } 215}
218 216
219unsigned long X509_NAME_hash(X509_NAME *x) 217unsigned long X509_NAME_hash(X509_NAME *x)
220 { 218{
221 unsigned long ret=0; 219 unsigned long ret=0;
222 unsigned char md[SHA_DIGEST_LENGTH]; 220 unsigned char md[SHA_DIGEST_LENGTH];
223 221
@@ -231,7 +229,7 @@ unsigned long X509_NAME_hash(X509_NAME *x)
231 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) 229 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
232 )&0xffffffffL; 230 )&0xffffffffL;
233 return(ret); 231 return(ret);
234 } 232}
235 233
236 234
237#ifndef OPENSSL_NO_MD5 235#ifndef OPENSSL_NO_MD5
@@ -239,7 +237,7 @@ unsigned long X509_NAME_hash(X509_NAME *x)
239 * this is reasonably efficient. */ 237 * this is reasonably efficient. */
240 238
241unsigned long X509_NAME_hash_old(X509_NAME *x) 239unsigned long X509_NAME_hash_old(X509_NAME *x)
242 { 240{
243 EVP_MD_CTX md_ctx; 241 EVP_MD_CTX md_ctx;
244 unsigned long ret=0; 242 unsigned long ret=0;
245 unsigned char md[16]; 243 unsigned char md[16];
@@ -257,13 +255,13 @@ unsigned long X509_NAME_hash_old(X509_NAME *x)
257 EVP_MD_CTX_cleanup(&md_ctx); 255 EVP_MD_CTX_cleanup(&md_ctx);
258 256
259 return(ret); 257 return(ret);
260 } 258}
261#endif 259#endif
262 260
263/* Search a stack of X509 for a match */ 261/* Search a stack of X509 for a match */
264X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, 262X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
265 ASN1_INTEGER *serial) 263 ASN1_INTEGER *serial)
266 { 264{
267 int i; 265 int i;
268 X509_CINF cinf; 266 X509_CINF cinf;
269 X509 x,*x509=NULL; 267 X509 x,*x509=NULL;
@@ -274,44 +272,42 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
274 cinf.serialNumber=serial; 272 cinf.serialNumber=serial;
275 cinf.issuer=name; 273 cinf.issuer=name;
276 274
277 for (i=0; i<sk_X509_num(sk); i++) 275 for (i=0; i<sk_X509_num(sk); i++) {
278 {
279 x509=sk_X509_value(sk,i); 276 x509=sk_X509_value(sk,i);
280 if (X509_issuer_and_serial_cmp(x509,&x) == 0) 277 if (X509_issuer_and_serial_cmp(x509,&x) == 0)
281 return(x509); 278 return(x509);
282 }
283 return(NULL);
284 } 279 }
280 return(NULL);
281}
285 282
286X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name) 283X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
287 { 284{
288 X509 *x509; 285 X509 *x509;
289 int i; 286 int i;
290 287
291 for (i=0; i<sk_X509_num(sk); i++) 288 for (i=0; i<sk_X509_num(sk); i++) {
292 {
293 x509=sk_X509_value(sk,i); 289 x509=sk_X509_value(sk,i);
294 if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0) 290 if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
295 return(x509); 291 return(x509);
296 }
297 return(NULL);
298 } 292 }
293 return(NULL);
294}
299 295
300EVP_PKEY *X509_get_pubkey(X509 *x) 296EVP_PKEY *X509_get_pubkey(X509 *x)
301 { 297{
302 if ((x == NULL) || (x->cert_info == NULL)) 298 if ((x == NULL) || (x->cert_info == NULL))
303 return(NULL); 299 return(NULL);
304 return(X509_PUBKEY_get(x->cert_info->key)); 300 return(X509_PUBKEY_get(x->cert_info->key));
305 } 301}
306 302
307ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) 303ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
308 { 304{
309 if(!x) return NULL; 305 if(!x) return NULL;
310 return x->cert_info->key->public_key; 306 return x->cert_info->key->public_key;
311 } 307}
312 308
313int X509_check_private_key(X509 *x, EVP_PKEY *k) 309int X509_check_private_key(X509 *x, EVP_PKEY *k)
314 { 310{
315 EVP_PKEY *xk; 311 EVP_PKEY *xk;
316 int ret; 312 int ret;
317 313
@@ -322,8 +318,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
322 else 318 else
323 ret = -2; 319 ret = -2;
324 320
325 switch (ret) 321 switch (ret) {
326 {
327 case 1: 322 case 1:
328 break; 323 break;
329 case 0: 324 case 0:
@@ -334,10 +329,10 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
334 break; 329 break;
335 case -2: 330 case -2:
336 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); 331 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
337 } 332 }
338 if (xk) 333 if (xk)
339 EVP_PKEY_free(xk); 334 EVP_PKEY_free(xk);
340 if (ret > 0) 335 if (ret > 0)
341 return 1; 336 return 1;
342 return 0; 337 return 0;
343 } 338}
diff --git a/src/lib/libcrypto/x509/x509_d2.c b/src/lib/libcrypto/x509/x509_d2.c
index 51410cfd1a..ed051093ac 100644
--- a/src/lib/libcrypto/x509/x509_d2.c
+++ b/src/lib/libcrypto/x509/x509_d2.c
@@ -63,7 +63,7 @@
63 63
64#ifndef OPENSSL_NO_STDIO 64#ifndef OPENSSL_NO_STDIO
65int X509_STORE_set_default_paths(X509_STORE *ctx) 65int X509_STORE_set_default_paths(X509_STORE *ctx)
66 { 66{
67 X509_LOOKUP *lookup; 67 X509_LOOKUP *lookup;
68 68
69 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); 69 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
@@ -78,30 +78,28 @@ int X509_STORE_set_default_paths(X509_STORE *ctx)
78 ERR_clear_error(); 78 ERR_clear_error();
79 79
80 return(1); 80 return(1);
81 } 81}
82 82
83int X509_STORE_load_locations(X509_STORE *ctx, const char *file, 83int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
84 const char *path) 84 const char *path)
85 { 85{
86 X509_LOOKUP *lookup; 86 X509_LOOKUP *lookup;
87 87
88 if (file != NULL) 88 if (file != NULL) {
89 {
90 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); 89 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
91 if (lookup == NULL) return(0); 90 if (lookup == NULL) return(0);
92 if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1) 91 if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
93 return(0); 92 return(0);
94 } 93 }
95 if (path != NULL) 94 if (path != NULL) {
96 {
97 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir()); 95 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
98 if (lookup == NULL) return(0); 96 if (lookup == NULL) return(0);
99 if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1) 97 if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
100 return(0); 98 return(0);
101 } 99 }
102 if ((path == NULL) && (file == NULL)) 100 if ((path == NULL) && (file == NULL))
103 return(0); 101 return(0);
104 return(1); 102 return(1);
105 } 103}
106 104
107#endif 105#endif
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
index a01402f416..ab5e8aaea2 100644
--- a/src/lib/libcrypto/x509/x509_err.c
+++ b/src/lib/libcrypto/x509/x509_err.c
@@ -69,7 +69,7 @@
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason) 69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
70 70
71static ERR_STRING_DATA X509_str_functs[]= 71static ERR_STRING_DATA X509_str_functs[]=
72 { 72{
73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"}, 73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"}, 74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
75{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"}, 75{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
@@ -116,10 +116,10 @@ static ERR_STRING_DATA X509_str_functs[]=
116{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"}, 116{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
117{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"}, 117{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"},
118{0,NULL} 118{0,NULL}
119 }; 119};
120 120
121static ERR_STRING_DATA X509_str_reasons[]= 121static ERR_STRING_DATA X509_str_reasons[]=
122 { 122{
123{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"}, 123{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"},
124{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"}, 124{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"},
125{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"}, 125{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"},
@@ -147,18 +147,17 @@ static ERR_STRING_DATA X509_str_reasons[]=
147{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"}, 147{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"},
148{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"}, 148{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"},
149{0,NULL} 149{0,NULL}
150 }; 150};
151 151
152#endif 152#endif
153 153
154void ERR_load_X509_strings(void) 154void ERR_load_X509_strings(void)
155 { 155{
156#ifndef OPENSSL_NO_ERR 156#ifndef OPENSSL_NO_ERR
157 157
158 if (ERR_func_error_string(X509_str_functs[0].error) == NULL) 158 if (ERR_func_error_string(X509_str_functs[0].error) == NULL) {
159 {
160 ERR_load_strings(0,X509_str_functs); 159 ERR_load_strings(0,X509_str_functs);
161 ERR_load_strings(0,X509_str_reasons); 160 ERR_load_strings(0,X509_str_reasons);
162 }
163#endif
164 } 161 }
162#endif
163}
diff --git a/src/lib/libcrypto/x509/x509_ext.c b/src/lib/libcrypto/x509/x509_ext.c
index e7fdacb5e4..bdc489f367 100644
--- a/src/lib/libcrypto/x509/x509_ext.c
+++ b/src/lib/libcrypto/x509/x509_ext.c
@@ -67,34 +67,34 @@
67 67
68 68
69int X509_CRL_get_ext_count(X509_CRL *x) 69int X509_CRL_get_ext_count(X509_CRL *x)
70 { 70{
71 return(X509v3_get_ext_count(x->crl->extensions)); 71 return(X509v3_get_ext_count(x->crl->extensions));
72 } 72}
73 73
74int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos) 74int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
75 { 75{
76 return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos)); 76 return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
77 } 77}
78 78
79int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos) 79int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
80 { 80{
81 return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos)); 81 return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
82 } 82}
83 83
84int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos) 84int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
85 { 85{
86 return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos)); 86 return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
87 } 87}
88 88
89X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc) 89X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
90 { 90{
91 return(X509v3_get_ext(x->crl->extensions,loc)); 91 return(X509v3_get_ext(x->crl->extensions,loc));
92 } 92}
93 93
94X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc) 94X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
95 { 95{
96 return(X509v3_delete_ext(x->crl->extensions,loc)); 96 return(X509v3_delete_ext(x->crl->extensions,loc));
97 } 97}
98 98
99void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx) 99void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
100{ 100{
@@ -108,44 +108,44 @@ int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
108} 108}
109 109
110int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc) 110int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
111 { 111{
112 return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL); 112 return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
113 } 113}
114 114
115int X509_get_ext_count(X509 *x) 115int X509_get_ext_count(X509 *x)
116 { 116{
117 return(X509v3_get_ext_count(x->cert_info->extensions)); 117 return(X509v3_get_ext_count(x->cert_info->extensions));
118 } 118}
119 119
120int X509_get_ext_by_NID(X509 *x, int nid, int lastpos) 120int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
121 { 121{
122 return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos)); 122 return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
123 } 123}
124 124
125int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos) 125int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
126 { 126{
127 return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos)); 127 return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
128 } 128}
129 129
130int X509_get_ext_by_critical(X509 *x, int crit, int lastpos) 130int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
131 { 131{
132 return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos)); 132 return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
133 } 133}
134 134
135X509_EXTENSION *X509_get_ext(X509 *x, int loc) 135X509_EXTENSION *X509_get_ext(X509 *x, int loc)
136 { 136{
137 return(X509v3_get_ext(x->cert_info->extensions,loc)); 137 return(X509v3_get_ext(x->cert_info->extensions,loc));
138 } 138}
139 139
140X509_EXTENSION *X509_delete_ext(X509 *x, int loc) 140X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
141 { 141{
142 return(X509v3_delete_ext(x->cert_info->extensions,loc)); 142 return(X509v3_delete_ext(x->cert_info->extensions,loc));
143 } 143}
144 144
145int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc) 145int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
146 { 146{
147 return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL); 147 return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
148 } 148}
149 149
150void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx) 150void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
151{ 151{
@@ -160,40 +160,40 @@ int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
160} 160}
161 161
162int X509_REVOKED_get_ext_count(X509_REVOKED *x) 162int X509_REVOKED_get_ext_count(X509_REVOKED *x)
163 { 163{
164 return(X509v3_get_ext_count(x->extensions)); 164 return(X509v3_get_ext_count(x->extensions));
165 } 165}
166 166
167int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos) 167int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
168 { 168{
169 return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos)); 169 return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
170 } 170}
171 171
172int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj, 172int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
173 int lastpos) 173 int lastpos)
174 { 174{
175 return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos)); 175 return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
176 } 176}
177 177
178int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos) 178int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
179 { 179{
180 return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos)); 180 return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
181 } 181}
182 182
183X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc) 183X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
184 { 184{
185 return(X509v3_get_ext(x->extensions,loc)); 185 return(X509v3_get_ext(x->extensions,loc));
186 } 186}
187 187
188X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc) 188X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
189 { 189{
190 return(X509v3_delete_ext(x->extensions,loc)); 190 return(X509v3_delete_ext(x->extensions,loc));
191 } 191}
192 192
193int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc) 193int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
194 { 194{
195 return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL); 195 return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
196 } 196}
197 197
198void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx) 198void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
199{ 199{
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 38b034bfee..a89cd70313 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -63,7 +63,7 @@
63#include <openssl/x509v3.h> 63#include <openssl/x509v3.h>
64 64
65X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) 65X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
66 { 66{
67 X509_LOOKUP *ret; 67 X509_LOOKUP *ret;
68 68
69 ret=(X509_LOOKUP *)malloc(sizeof(X509_LOOKUP)); 69 ret=(X509_LOOKUP *)malloc(sizeof(X509_LOOKUP));
@@ -74,50 +74,49 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
74 ret->method=method; 74 ret->method=method;
75 ret->method_data=NULL; 75 ret->method_data=NULL;
76 ret->store_ctx=NULL; 76 ret->store_ctx=NULL;
77 if ((method->new_item != NULL) && !method->new_item(ret)) 77 if ((method->new_item != NULL) && !method->new_item(ret)) {
78 {
79 free(ret); 78 free(ret);
80 return NULL; 79 return NULL;
81 }
82 return ret;
83 } 80 }
81 return ret;
82}
84 83
85void X509_LOOKUP_free(X509_LOOKUP *ctx) 84void X509_LOOKUP_free(X509_LOOKUP *ctx)
86 { 85{
87 if (ctx == NULL) return; 86 if (ctx == NULL) return;
88 if ( (ctx->method != NULL) && 87 if ( (ctx->method != NULL) &&
89 (ctx->method->free != NULL)) 88 (ctx->method->free != NULL))
90 (*ctx->method->free)(ctx); 89 (*ctx->method->free)(ctx);
91 free(ctx); 90 free(ctx);
92 } 91}
93 92
94int X509_LOOKUP_init(X509_LOOKUP *ctx) 93int X509_LOOKUP_init(X509_LOOKUP *ctx)
95 { 94{
96 if (ctx->method == NULL) return 0; 95 if (ctx->method == NULL) return 0;
97 if (ctx->method->init != NULL) 96 if (ctx->method->init != NULL)
98 return ctx->method->init(ctx); 97 return ctx->method->init(ctx);
99 else 98 else
100 return 1; 99 return 1;
101 } 100}
102 101
103int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) 102int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
104 { 103{
105 if (ctx->method == NULL) return 0; 104 if (ctx->method == NULL) return 0;
106 if (ctx->method->shutdown != NULL) 105 if (ctx->method->shutdown != NULL)
107 return ctx->method->shutdown(ctx); 106 return ctx->method->shutdown(ctx);
108 else 107 else
109 return 1; 108 return 1;
110 } 109}
111 110
112int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, 111int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
113 char **ret) 112 char **ret)
114 { 113{
115 if (ctx->method == NULL) return -1; 114 if (ctx->method == NULL) return -1;
116 if (ctx->method->ctrl != NULL) 115 if (ctx->method->ctrl != NULL)
117 return ctx->method->ctrl(ctx,cmd,argc,argl,ret); 116 return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
118 else 117 else
119 return 1; 118 return 1;
120 } 119}
121 120
122int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, 121int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
123 X509_OBJECT *ret) 122 X509_OBJECT *ret)
@@ -126,42 +125,41 @@ int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
126 return X509_LU_FAIL; 125 return X509_LU_FAIL;
127 if (ctx->skip) return 0; 126 if (ctx->skip) return 0;
128 return ctx->method->get_by_subject(ctx,type,name,ret); 127 return ctx->method->get_by_subject(ctx,type,name,ret);
129 } 128}
130 129
131int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, 130int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
132 ASN1_INTEGER *serial, X509_OBJECT *ret) 131 ASN1_INTEGER *serial, X509_OBJECT *ret)
133 { 132{
134 if ((ctx->method == NULL) || 133 if ((ctx->method == NULL) ||
135 (ctx->method->get_by_issuer_serial == NULL)) 134 (ctx->method->get_by_issuer_serial == NULL))
136 return X509_LU_FAIL; 135 return X509_LU_FAIL;
137 return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret); 136 return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
138 } 137}
139 138
140int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, 139int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
141 unsigned char *bytes, int len, X509_OBJECT *ret) 140 unsigned char *bytes, int len, X509_OBJECT *ret)
142 { 141{
143 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) 142 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
144 return X509_LU_FAIL; 143 return X509_LU_FAIL;
145 return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret); 144 return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
146 } 145}
147 146
148int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, 147int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
149 X509_OBJECT *ret) 148 X509_OBJECT *ret)
150 { 149{
151 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) 150 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
152 return X509_LU_FAIL; 151 return X509_LU_FAIL;
153 return ctx->method->get_by_alias(ctx,type,str,len,ret); 152 return ctx->method->get_by_alias(ctx,type,str,len,ret);
154 } 153}
155 154
156 155
157static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b) 156static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
158 { 157 {
159 int ret; 158 int ret;
160 159
161 ret=((*a)->type - (*b)->type); 160 ret=((*a)->type - (*b)->type);
162 if (ret) return ret; 161 if (ret) return ret;
163 switch ((*a)->type) 162 switch ((*a)->type) {
164 {
165 case X509_LU_X509: 163 case X509_LU_X509:
166 ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509); 164 ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
167 break; 165 break;
@@ -171,12 +169,12 @@ static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * con
171 default: 169 default:
172 /* abort(); */ 170 /* abort(); */
173 return 0; 171 return 0;
174 }
175 return ret;
176 } 172 }
173 return ret;
174}
177 175
178X509_STORE *X509_STORE_new(void) 176X509_STORE *X509_STORE_new(void)
179 { 177{
180 X509_STORE *ret; 178 X509_STORE *ret;
181 179
182 if ((ret=(X509_STORE *)malloc(sizeof(X509_STORE))) == NULL) 180 if ((ret=(X509_STORE *)malloc(sizeof(X509_STORE))) == NULL)
@@ -191,7 +189,7 @@ X509_STORE *X509_STORE_new(void)
191 sk_X509_OBJECT_free(ret->objs); 189 sk_X509_OBJECT_free(ret->objs);
192 free(ret); 190 free(ret);
193 return NULL; 191 return NULL;
194 } 192}
195 193
196 ret->get_issuer = 0; 194 ret->get_issuer = 0;
197 ret->check_issued = 0; 195 ret->check_issued = 0;
@@ -203,37 +201,31 @@ X509_STORE *X509_STORE_new(void)
203 ret->lookup_crls = 0; 201 ret->lookup_crls = 0;
204 ret->cleanup = 0; 202 ret->cleanup = 0;
205 203
206 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) 204 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) {
207 {
208 sk_X509_OBJECT_free(ret->objs); 205 sk_X509_OBJECT_free(ret->objs);
209 free(ret); 206 free(ret);
210 return NULL; 207 return NULL;
211 } 208 }
212 209
213 ret->references=1; 210 ret->references=1;
214 return ret; 211 return ret;
215 } 212}
216 213
217static void cleanup(X509_OBJECT *a) 214static void cleanup(X509_OBJECT *a)
218 { 215{
219 if (a->type == X509_LU_X509) 216 if (a->type == X509_LU_X509) {
220 {
221 X509_free(a->data.x509); 217 X509_free(a->data.x509);
222 } 218 } else if (a->type == X509_LU_CRL) {
223 else if (a->type == X509_LU_CRL)
224 {
225 X509_CRL_free(a->data.crl); 219 X509_CRL_free(a->data.crl);
226 } 220 } else {
227 else
228 {
229 /* abort(); */ 221 /* abort(); */
230 } 222 }
231 223
232 free(a); 224 free(a);
233 } 225}
234 226
235void X509_STORE_free(X509_STORE *vfy) 227void X509_STORE_free(X509_STORE *vfy)
236 { 228{
237 int i; 229 int i;
238 STACK_OF(X509_LOOKUP) *sk; 230 STACK_OF(X509_LOOKUP) *sk;
239 X509_LOOKUP *lu; 231 X509_LOOKUP *lu;
@@ -242,12 +234,11 @@ void X509_STORE_free(X509_STORE *vfy)
242 return; 234 return;
243 235
244 sk=vfy->get_cert_methods; 236 sk=vfy->get_cert_methods;
245 for (i=0; i<sk_X509_LOOKUP_num(sk); i++) 237 for (i=0; i<sk_X509_LOOKUP_num(sk); i++) {
246 {
247 lu=sk_X509_LOOKUP_value(sk,i); 238 lu=sk_X509_LOOKUP_value(sk,i);
248 X509_LOOKUP_shutdown(lu); 239 X509_LOOKUP_shutdown(lu);
249 X509_LOOKUP_free(lu); 240 X509_LOOKUP_free(lu);
250 } 241 }
251 sk_X509_LOOKUP_free(sk); 242 sk_X509_LOOKUP_free(sk);
252 sk_X509_OBJECT_pop_free(vfy->objs, cleanup); 243 sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
253 244
@@ -255,43 +246,39 @@ void X509_STORE_free(X509_STORE *vfy)
255 if (vfy->param) 246 if (vfy->param)
256 X509_VERIFY_PARAM_free(vfy->param); 247 X509_VERIFY_PARAM_free(vfy->param);
257 free(vfy); 248 free(vfy);
258 } 249}
259 250
260X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) 251X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
261 { 252{
262 int i; 253 int i;
263 STACK_OF(X509_LOOKUP) *sk; 254 STACK_OF(X509_LOOKUP) *sk;
264 X509_LOOKUP *lu; 255 X509_LOOKUP *lu;
265 256
266 sk=v->get_cert_methods; 257 sk=v->get_cert_methods;
267 for (i=0; i<sk_X509_LOOKUP_num(sk); i++) 258 for (i=0; i<sk_X509_LOOKUP_num(sk); i++) {
268 {
269 lu=sk_X509_LOOKUP_value(sk,i); 259 lu=sk_X509_LOOKUP_value(sk,i);
270 if (m == lu->method) 260 if (m == lu->method) {
271 {
272 return lu; 261 return lu;
273 }
274 } 262 }
263 }
275 /* a new one */ 264 /* a new one */
276 lu=X509_LOOKUP_new(m); 265 lu=X509_LOOKUP_new(m);
277 if (lu == NULL) 266 if (lu == NULL)
278 return NULL; 267 return NULL;
279 else 268 else {
280 {
281 lu->store_ctx=v; 269 lu->store_ctx=v;
282 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu)) 270 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
283 return lu; 271 return lu;
284 else 272 else {
285 {
286 X509_LOOKUP_free(lu); 273 X509_LOOKUP_free(lu);
287 return NULL; 274 return NULL;
288 }
289 } 275 }
290 } 276 }
277}
291 278
292int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, 279int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
293 X509_OBJECT *ret) 280 X509_OBJECT *ret)
294 { 281{
295 X509_STORE *ctx=vs->ctx; 282 X509_STORE *ctx=vs->ctx;
296 X509_LOOKUP *lu; 283 X509_LOOKUP *lu;
297 X509_OBJECT stmp,*tmp; 284 X509_OBJECT stmp,*tmp;
@@ -301,27 +288,22 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
301 tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name); 288 tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
302 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 289 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
303 290
304 if (tmp == NULL || type == X509_LU_CRL) 291 if (tmp == NULL || type == X509_LU_CRL) {
305 { 292 for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
306 for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
307 {
308 lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i); 293 lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
309 j=X509_LOOKUP_by_subject(lu,type,name,&stmp); 294 j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
310 if (j < 0) 295 if (j < 0) {
311 {
312 vs->current_method=j; 296 vs->current_method=j;
313 return j; 297 return j;
314 } 298 } else if (j) {
315 else if (j)
316 {
317 tmp= &stmp; 299 tmp= &stmp;
318 break; 300 break;
319 }
320 } 301 }
302 }
321 vs->current_method=0; 303 vs->current_method=0;
322 if (tmp == NULL) 304 if (tmp == NULL)
323 return 0; 305 return 0;
324 } 306 }
325 307
326/* if (ret->data.ptr != NULL) 308/* if (ret->data.ptr != NULL)
327 X509_OBJECT_free_contents(ret); */ 309 X509_OBJECT_free_contents(ret); */
@@ -332,20 +314,19 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
332 X509_OBJECT_up_ref_count(ret); 314 X509_OBJECT_up_ref_count(ret);
333 315
334 return 1; 316 return 1;
335 } 317}
336 318
337int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) 319int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
338 { 320{
339 X509_OBJECT *obj; 321 X509_OBJECT *obj;
340 int ret=1; 322 int ret=1;
341 323
342 if (x == NULL) return 0; 324 if (x == NULL) return 0;
343 obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT)); 325 obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT));
344 if (obj == NULL) 326 if (obj == NULL) {
345 {
346 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE); 327 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
347 return 0; 328 return 0;
348 } 329 }
349 obj->type=X509_LU_X509; 330 obj->type=X509_LU_X509;
350 obj->data.x509=x; 331 obj->data.x509=x;
351 332
@@ -353,32 +334,30 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
353 334
354 X509_OBJECT_up_ref_count(obj); 335 X509_OBJECT_up_ref_count(obj);
355 336
356 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) 337 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
357 {
358 X509_OBJECT_free_contents(obj); 338 X509_OBJECT_free_contents(obj);
359 free(obj); 339 free(obj);
360 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE); 340 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
361 ret=0; 341 ret=0;
362 } 342 }
363 else sk_X509_OBJECT_push(ctx->objs, obj); 343 else sk_X509_OBJECT_push(ctx->objs, obj);
364 344
365 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 345 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
366 346
367 return ret; 347 return ret;
368 } 348}
369 349
370int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) 350int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
371 { 351{
372 X509_OBJECT *obj; 352 X509_OBJECT *obj;
373 int ret=1; 353 int ret=1;
374 354
375 if (x == NULL) return 0; 355 if (x == NULL) return 0;
376 obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT)); 356 obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT));
377 if (obj == NULL) 357 if (obj == NULL) {
378 {
379 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE); 358 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
380 return 0; 359 return 0;
381 } 360 }
382 obj->type=X509_LU_CRL; 361 obj->type=X509_LU_CRL;
383 obj->data.crl=x; 362 obj->data.crl=x;
384 363
@@ -386,49 +365,46 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
386 365
387 X509_OBJECT_up_ref_count(obj); 366 X509_OBJECT_up_ref_count(obj);
388 367
389 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) 368 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
390 {
391 X509_OBJECT_free_contents(obj); 369 X509_OBJECT_free_contents(obj);
392 free(obj); 370 free(obj);
393 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE); 371 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
394 ret=0; 372 ret=0;
395 } 373 } else
396 else sk_X509_OBJECT_push(ctx->objs, obj); 374 sk_X509_OBJECT_push(ctx->objs, obj);
397 375
398 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 376 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
399 377
400 return ret; 378 return ret;
401 } 379}
402 380
403void X509_OBJECT_up_ref_count(X509_OBJECT *a) 381void X509_OBJECT_up_ref_count(X509_OBJECT *a)
404 { 382{
405 switch (a->type) 383 switch (a->type) {
406 {
407 case X509_LU_X509: 384 case X509_LU_X509:
408 CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509); 385 CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
409 break; 386 break;
410 case X509_LU_CRL: 387 case X509_LU_CRL:
411 CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL); 388 CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
412 break; 389 break;
413 }
414 } 390 }
391}
415 392
416void X509_OBJECT_free_contents(X509_OBJECT *a) 393void X509_OBJECT_free_contents(X509_OBJECT *a)
417 { 394{
418 switch (a->type) 395 switch (a->type) {
419 {
420 case X509_LU_X509: 396 case X509_LU_X509:
421 X509_free(a->data.x509); 397 X509_free(a->data.x509);
422 break; 398 break;
423 case X509_LU_CRL: 399 case X509_LU_CRL:
424 X509_CRL_free(a->data.crl); 400 X509_CRL_free(a->data.crl);
425 break; 401 break;
426 }
427 } 402 }
403}
428 404
429static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, 405static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
430 X509_NAME *name, int *pnmatch) 406 X509_NAME *name, int *pnmatch)
431 { 407{
432 X509_OBJECT stmp; 408 X509_OBJECT stmp;
433 X509 x509_s; 409 X509 x509_s;
434 X509_CINF cinf_s; 410 X509_CINF cinf_s;
@@ -437,8 +413,7 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
437 int idx; 413 int idx;
438 414
439 stmp.type=type; 415 stmp.type=type;
440 switch (type) 416 switch (type) {
441 {
442 case X509_LU_X509: 417 case X509_LU_X509:
443 stmp.data.x509= &x509_s; 418 stmp.data.x509= &x509_s;
444 x509_s.cert_info= &cinf_s; 419 x509_s.cert_info= &cinf_s;
@@ -452,44 +427,42 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
452 default: 427 default:
453 /* abort(); */ 428 /* abort(); */
454 return -1; 429 return -1;
455 } 430 }
456 431
457 idx = sk_X509_OBJECT_find(h,&stmp); 432 idx = sk_X509_OBJECT_find(h,&stmp);
458 if (idx >= 0 && pnmatch) 433 if (idx >= 0 && pnmatch) {
459 {
460 int tidx; 434 int tidx;
461 const X509_OBJECT *tobj, *pstmp; 435 const X509_OBJECT *tobj, *pstmp;
462 *pnmatch = 1; 436 *pnmatch = 1;
463 pstmp = &stmp; 437 pstmp = &stmp;
464 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) 438 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) {
465 {
466 tobj = sk_X509_OBJECT_value(h, tidx); 439 tobj = sk_X509_OBJECT_value(h, tidx);
467 if (x509_object_cmp(&tobj, &pstmp)) 440 if (x509_object_cmp(&tobj, &pstmp))
468 break; 441 break;
469 (*pnmatch)++; 442 (*pnmatch)++;
470 }
471 } 443 }
472 return idx;
473 } 444 }
445 return idx;
446}
474 447
475 448
476int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, 449int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
477 X509_NAME *name) 450 X509_NAME *name)
478 { 451{
479 return x509_object_idx_cnt(h, type, name, NULL); 452 return x509_object_idx_cnt(h, type, name, NULL);
480 } 453}
481 454
482X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, 455X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
483 X509_NAME *name) 456 X509_NAME *name)
484 { 457{
485 int idx; 458 int idx;
486 idx = X509_OBJECT_idx_by_subject(h, type, name); 459 idx = X509_OBJECT_idx_by_subject(h, type, name);
487 if (idx==-1) return NULL; 460 if (idx==-1) return NULL;
488 return sk_X509_OBJECT_value(h, idx); 461 return sk_X509_OBJECT_value(h, idx);
489 } 462}
490 463
491STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) 464STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
492 { 465{
493 int i, idx, cnt; 466 int i, idx, cnt;
494 STACK_OF(X509) *sk; 467 STACK_OF(X509) *sk;
495 X509 *x; 468 X509 *x;
@@ -497,48 +470,43 @@ STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
497 sk = sk_X509_new_null(); 470 sk = sk_X509_new_null();
498 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); 471 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
499 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); 472 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
500 if (idx < 0) 473 if (idx < 0) {
501 {
502 /* Nothing found in cache: do lookup to possibly add new 474 /* Nothing found in cache: do lookup to possibly add new
503 * objects to cache 475 * objects to cache
504 */ 476 */
505 X509_OBJECT xobj; 477 X509_OBJECT xobj;
506 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 478 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
507 if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) 479 if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
508 {
509 sk_X509_free(sk); 480 sk_X509_free(sk);
510 return NULL; 481 return NULL;
511 } 482 }
512 X509_OBJECT_free_contents(&xobj); 483 X509_OBJECT_free_contents(&xobj);
513 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); 484 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
514 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt); 485 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
515 if (idx < 0) 486 if (idx < 0) {
516 {
517 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 487 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
518 sk_X509_free(sk); 488 sk_X509_free(sk);
519 return NULL; 489 return NULL;
520 }
521 } 490 }
522 for (i = 0; i < cnt; i++, idx++) 491 }
523 { 492 for (i = 0; i < cnt; i++, idx++) {
524 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); 493 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
525 x = obj->data.x509; 494 x = obj->data.x509;
526 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 495 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
527 if (!sk_X509_push(sk, x)) 496 if (!sk_X509_push(sk, x)) {
528 {
529 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 497 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
530 X509_free(x); 498 X509_free(x);
531 sk_X509_pop_free(sk, X509_free); 499 sk_X509_pop_free(sk, X509_free);
532 return NULL; 500 return NULL;
533 }
534 } 501 }
502 }
535 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 503 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
536 return sk; 504 return sk;
537 505
538 } 506}
539 507
540STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) 508STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
541 { 509{
542 int i, idx, cnt; 510 int i, idx, cnt;
543 STACK_OF(X509_CRL) *sk; 511 STACK_OF(X509_CRL) *sk;
544 X509_CRL *x; 512 X509_CRL *x;
@@ -551,66 +519,57 @@ STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
551 /* Always do lookup to possibly add new CRLs to cache 519 /* Always do lookup to possibly add new CRLs to cache
552 */ 520 */
553 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 521 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
554 if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) 522 if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {
555 {
556 sk_X509_CRL_free(sk); 523 sk_X509_CRL_free(sk);
557 return NULL; 524 return NULL;
558 } 525 }
559 X509_OBJECT_free_contents(&xobj); 526 X509_OBJECT_free_contents(&xobj);
560 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); 527 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
561 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt); 528 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
562 if (idx < 0) 529 if (idx < 0) {
563 {
564 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 530 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
565 sk_X509_CRL_free(sk); 531 sk_X509_CRL_free(sk);
566 return NULL; 532 return NULL;
567 } 533 }
568 534
569 for (i = 0; i < cnt; i++, idx++) 535 for (i = 0; i < cnt; i++, idx++) {
570 {
571 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); 536 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
572 x = obj->data.crl; 537 x = obj->data.crl;
573 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); 538 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
574 if (!sk_X509_CRL_push(sk, x)) 539 if (!sk_X509_CRL_push(sk, x)) {
575 {
576 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 540 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
577 X509_CRL_free(x); 541 X509_CRL_free(x);
578 sk_X509_CRL_pop_free(sk, X509_CRL_free); 542 sk_X509_CRL_pop_free(sk, X509_CRL_free);
579 return NULL; 543 return NULL;
580 }
581 } 544 }
545 }
582 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 546 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
583 return sk; 547 return sk;
584 } 548}
585 549
586X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) 550X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
587 { 551{
588 int idx, i; 552 int idx, i;
589 X509_OBJECT *obj; 553 X509_OBJECT *obj;
590 idx = sk_X509_OBJECT_find(h, x); 554 idx = sk_X509_OBJECT_find(h, x);
591 if (idx == -1) return NULL; 555 if (idx == -1) return NULL;
592 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL)) 556 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
593 return sk_X509_OBJECT_value(h, idx); 557 return sk_X509_OBJECT_value(h, idx);
594 for (i = idx; i < sk_X509_OBJECT_num(h); i++) 558 for (i = idx; i < sk_X509_OBJECT_num(h); i++) {
595 {
596 obj = sk_X509_OBJECT_value(h, i); 559 obj = sk_X509_OBJECT_value(h, i);
597 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x)) 560 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
598 return NULL; 561 return NULL;
599 if (x->type == X509_LU_X509) 562 if (x->type == X509_LU_X509) {
600 {
601 if (!X509_cmp(obj->data.x509, x->data.x509)) 563 if (!X509_cmp(obj->data.x509, x->data.x509))
602 return obj; 564 return obj;
603 } 565 } else if (x->type == X509_LU_CRL) {
604 else if (x->type == X509_LU_CRL)
605 {
606 if (!X509_CRL_match(obj->data.crl, x->data.crl)) 566 if (!X509_CRL_match(obj->data.crl, x->data.crl))
607 return obj; 567 return obj;
608 } 568 } else
609 else
610 return obj; 569 return obj;
611 }
612 return NULL;
613 } 570 }
571 return NULL;
572}
614 573
615 574
616/* Try to get issuer certificate from store. Due to limitations 575/* Try to get issuer certificate from store. Due to limitations
@@ -625,95 +584,87 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
625 * -1 some other error. 584 * -1 some other error.
626 */ 585 */
627int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 586int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
628 { 587{
629 X509_NAME *xn; 588 X509_NAME *xn;
630 X509_OBJECT obj, *pobj; 589 X509_OBJECT obj, *pobj;
631 int i, ok, idx, ret; 590 int i, ok, idx, ret;
632 xn=X509_get_issuer_name(x); 591 xn=X509_get_issuer_name(x);
633 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); 592 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
634 if (ok != X509_LU_X509) 593 if (ok != X509_LU_X509) {
635 { 594 if (ok == X509_LU_RETRY) {
636 if (ok == X509_LU_RETRY)
637 {
638 X509_OBJECT_free_contents(&obj); 595 X509_OBJECT_free_contents(&obj);
639 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY); 596 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
640 return -1; 597 return -1;
641 } 598 } else if (ok != X509_LU_FAIL) {
642 else if (ok != X509_LU_FAIL)
643 {
644 X509_OBJECT_free_contents(&obj); 599 X509_OBJECT_free_contents(&obj);
645 /* not good :-(, break anyway */ 600 /* not good :-(, break anyway */
646 return -1; 601 return -1;
647 }
648 return 0;
649 } 602 }
603 return 0;
604 }
650 /* If certificate matches all OK */ 605 /* If certificate matches all OK */
651 if (ctx->check_issued(ctx, x, obj.data.x509)) 606 if (ctx->check_issued(ctx, x, obj.data.x509)) {
652 {
653 *issuer = obj.data.x509; 607 *issuer = obj.data.x509;
654 return 1; 608 return 1;
655 } 609 }
656 X509_OBJECT_free_contents(&obj); 610 X509_OBJECT_free_contents(&obj);
657 611
658 /* Else find index of first cert accepted by 'check_issued' */ 612 /* Else find index of first cert accepted by 'check_issued' */
659 ret = 0; 613 ret = 0;
660 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); 614 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
661 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); 615 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
662 if (idx != -1) /* should be true as we've had at least one match */ 616 if (idx != -1) /* should be true as we've had at least one match */ {
663 {
664 /* Look through all matching certs for suitable issuer */ 617 /* Look through all matching certs for suitable issuer */
665 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) 618 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
666 {
667 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); 619 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
668 /* See if we've run past the matches */ 620 /* See if we've run past the matches */
669 if (pobj->type != X509_LU_X509) 621 if (pobj->type != X509_LU_X509)
670 break; 622 break;
671 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) 623 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
672 break; 624 break;
673 if (ctx->check_issued(ctx, x, pobj->data.x509)) 625 if (ctx->check_issued(ctx, x, pobj->data.x509)) {
674 {
675 *issuer = pobj->data.x509; 626 *issuer = pobj->data.x509;
676 X509_OBJECT_up_ref_count(pobj); 627 X509_OBJECT_up_ref_count(pobj);
677 ret = 1; 628 ret = 1;
678 break; 629 break;
679 }
680 } 630 }
681 } 631 }
632 }
682 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 633 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
683 return ret; 634 return ret;
684 } 635}
685 636
686int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) 637int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
687 { 638{
688 return X509_VERIFY_PARAM_set_flags(ctx->param, flags); 639 return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
689 } 640}
690 641
691int X509_STORE_set_depth(X509_STORE *ctx, int depth) 642int X509_STORE_set_depth(X509_STORE *ctx, int depth)
692 { 643{
693 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 644 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
694 return 1; 645 return 1;
695 } 646}
696 647
697int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) 648int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
698 { 649{
699 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose); 650 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
700 } 651}
701 652
702int X509_STORE_set_trust(X509_STORE *ctx, int trust) 653int X509_STORE_set_trust(X509_STORE *ctx, int trust)
703 { 654{
704 return X509_VERIFY_PARAM_set_trust(ctx->param, trust); 655 return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
705 } 656}
706 657
707int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) 658int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
708 { 659{
709 return X509_VERIFY_PARAM_set1(ctx->param, param); 660 return X509_VERIFY_PARAM_set1(ctx->param, param);
710 } 661}
711 662
712void X509_STORE_set_verify_cb(X509_STORE *ctx, 663void X509_STORE_set_verify_cb(X509_STORE *ctx,
713 int (*verify_cb)(int, X509_STORE_CTX *)) 664 int (*verify_cb)(int, X509_STORE_CTX *))
714 { 665{
715 ctx->verify_cb = verify_cb; 666 ctx->verify_cb = verify_cb;
716 } 667}
717 668
718IMPLEMENT_STACK_OF(X509_LOOKUP) 669IMPLEMENT_STACK_OF(X509_LOOKUP)
719IMPLEMENT_STACK_OF(X509_OBJECT) 670IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/src/lib/libcrypto/x509/x509_obj.c b/src/lib/libcrypto/x509/x509_obj.c
index 5f38315f22..d0c02f833e 100644
--- a/src/lib/libcrypto/x509/x509_obj.c
+++ b/src/lib/libcrypto/x509/x509_obj.c
@@ -64,7 +64,7 @@
64#include <openssl/buffer.h> 64#include <openssl/buffer.h>
65 65
66char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) 66char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
67 { 67{
68 X509_NAME_ENTRY *ne; 68 X509_NAME_ENTRY *ne;
69int i; 69int i;
70 int n,lold,l,l1,l2,num,j,type; 70 int n,lold,l,l1,l2,num,j,type;
@@ -76,103 +76,85 @@ int i;
76 int gs_doit[4]; 76 int gs_doit[4];
77 char tmp_buf[80]; 77 char tmp_buf[80];
78 78
79 if (buf == NULL) 79 if (buf == NULL) {
80 {
81 if ((b=BUF_MEM_new()) == NULL) goto err; 80 if ((b=BUF_MEM_new()) == NULL) goto err;
82 if (!BUF_MEM_grow(b,200)) goto err; 81 if (!BUF_MEM_grow(b,200)) goto err;
83 b->data[0]='\0'; 82 b->data[0]='\0';
84 len=200; 83 len=200;
84 }
85 if (a == NULL) {
86 if(b) {
87 buf=b->data;
88 free(b);
85 } 89 }
86 if (a == NULL) 90 strlcpy(buf,"NO X509_NAME",len);
87 { 91 return buf;
88 if(b) 92 }
89 {
90 buf=b->data;
91 free(b);
92 }
93 strlcpy(buf,"NO X509_NAME",len);
94 return buf;
95 }
96 93
97 len--; /* space for '\0' */ 94 len--; /* space for '\0' */
98 l=0; 95 l=0;
99 for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++) 96 for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++) {
100 {
101 ne=sk_X509_NAME_ENTRY_value(a->entries,i); 97 ne=sk_X509_NAME_ENTRY_value(a->entries,i);
102 n=OBJ_obj2nid(ne->object); 98 n=OBJ_obj2nid(ne->object);
103 if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) 99 if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) {
104 {
105 i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object); 100 i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
106 s=tmp_buf; 101 s=tmp_buf;
107 } 102 }
108 l1=strlen(s); 103 l1=strlen(s);
109 104
110 type=ne->value->type; 105 type=ne->value->type;
111 num=ne->value->length; 106 num=ne->value->length;
112 q=ne->value->data; 107 q=ne->value->data;
113 if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) 108 if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) {
114 {
115 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0; 109 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
116 for (j=0; j<num; j++) 110 for (j=0; j<num; j++)
117 if (q[j] != 0) gs_doit[j&3]=1; 111 if (q[j] != 0) gs_doit[j&3]=1;
118 112
119 if (gs_doit[0]|gs_doit[1]|gs_doit[2]) 113 if (gs_doit[0]|gs_doit[1]|gs_doit[2])
120 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1; 114 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
121 else 115 else {
122 {
123 gs_doit[0]=gs_doit[1]=gs_doit[2]=0; 116 gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
124 gs_doit[3]=1; 117 gs_doit[3]=1;
125 }
126 } 118 }
127 else 119 } else
128 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1; 120 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
129 121
130 for (l2=j=0; j<num; j++) 122 for (l2=j=0; j<num; j++) {
131 {
132 if (!gs_doit[j&3]) continue; 123 if (!gs_doit[j&3]) continue;
133 l2++; 124 l2++;
134 if ((q[j] < ' ') || (q[j] > '~')) l2+=3; 125 if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
135 } 126 }
136 127
137 lold=l; 128 lold=l;
138 l+=1+l1+1+l2; 129 l+=1+l1+1+l2;
139 if (b != NULL) 130 if (b != NULL) {
140 {
141 if (!BUF_MEM_grow(b,l+1)) goto err; 131 if (!BUF_MEM_grow(b,l+1)) goto err;
142 p= &(b->data[lold]); 132 p= &(b->data[lold]);
143 } 133 } else if (l > len) {
144 else if (l > len)
145 {
146 break; 134 break;
147 } 135 } else
148 else
149 p= &(buf[lold]); 136 p= &(buf[lold]);
150 *(p++)='/'; 137 *(p++)='/';
151 memcpy(p,s,(unsigned int)l1); p+=l1; 138 memcpy(p,s,(unsigned int)l1); p+=l1;
152 *(p++)='='; 139 *(p++)='=';
153 q=ne->value->data; 140 q=ne->value->data;
154 for (j=0; j<num; j++) 141 for (j=0; j<num; j++) {
155 {
156 if (!gs_doit[j&3]) continue; 142 if (!gs_doit[j&3]) continue;
157 n=q[j]; 143 n=q[j];
158 if ((n < ' ') || (n > '~')) 144 if ((n < ' ') || (n > '~')) {
159 {
160 *(p++)='\\'; 145 *(p++)='\\';
161 *(p++)='x'; 146 *(p++)='x';
162 *(p++)=hex[(n>>4)&0x0f]; 147 *(p++)=hex[(n>>4)&0x0f];
163 *(p++)=hex[n&0x0f]; 148 *(p++)=hex[n&0x0f];
164 } 149 } else
165 else
166 *(p++)=n; 150 *(p++)=n;
167 }
168 *p='\0';
169 } 151 }
170 if (b != NULL) 152 *p='\0';
171 { 153 }
154 if (b != NULL) {
172 p=b->data; 155 p=b->data;
173 free(b); 156 free(b);
174 } 157 } else
175 else
176 p=buf; 158 p=buf;
177 if (i == 0) 159 if (i == 0)
178 *p = '\0'; 160 *p = '\0';
@@ -181,5 +163,5 @@ err:
181 X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE); 163 X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
182 if (b != NULL) BUF_MEM_free(b); 164 if (b != NULL) BUF_MEM_free(b);
183 return(NULL); 165 return(NULL);
184 } 166}
185 167
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index 254a14693d..f084447334 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -66,27 +66,25 @@
66#include <openssl/buffer.h> 66#include <openssl/buffer.h>
67 67
68X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) 68X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
69 { 69{
70 X509 *ret=NULL; 70 X509 *ret=NULL;
71 X509_CINF *xi=NULL; 71 X509_CINF *xi=NULL;
72 X509_NAME *xn; 72 X509_NAME *xn;
73 73
74 if ((ret=X509_new()) == NULL) 74 if ((ret=X509_new()) == NULL) {
75 {
76 X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE); 75 X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
77 goto err; 76 goto err;
78 } 77 }
79 78
80 /* duplicate the request */ 79 /* duplicate the request */
81 xi=ret->cert_info; 80 xi=ret->cert_info;
82 81
83 if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) 82 if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) {
84 {
85 if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err; 83 if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
86 if (!ASN1_INTEGER_set(xi->version,2)) goto err; 84 if (!ASN1_INTEGER_set(xi->version,2)) goto err;
87/* xi->extensions=ri->attributes; <- bad, should not ever be done 85/* xi->extensions=ri->attributes; <- bad, should not ever be done
88 ri->attributes=NULL; */ 86 ri->attributes=NULL; */
89 } 87 }
90 88
91 xn=X509_REQ_get_subject_name(r); 89 xn=X509_REQ_get_subject_name(r);
92 if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0) 90 if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
@@ -103,12 +101,11 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
103 101
104 if (!X509_sign(ret,pkey,EVP_md5())) 102 if (!X509_sign(ret,pkey,EVP_md5()))
105 goto err; 103 goto err;
106 if (0) 104 if (0) {
107 {
108err: 105err:
109 X509_free(ret); 106 X509_free(ret);
110 ret=NULL; 107 ret=NULL;
111 }
112 return(ret);
113 } 108 }
109 return(ret);
110}
114 111
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 1c5cee8030..12725ed7e9 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -68,18 +68,17 @@
68#include <openssl/pem.h> 68#include <openssl/pem.h>
69 69
70X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) 70X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
71 { 71{
72 X509_REQ *ret; 72 X509_REQ *ret;
73 X509_REQ_INFO *ri; 73 X509_REQ_INFO *ri;
74 int i; 74 int i;
75 EVP_PKEY *pktmp; 75 EVP_PKEY *pktmp;
76 76
77 ret=X509_REQ_new(); 77 ret=X509_REQ_new();
78 if (ret == NULL) 78 if (ret == NULL) {
79 {
80 X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE); 79 X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
81 goto err; 80 goto err;
82 } 81 }
83 82
84 ri=ret->req_info; 83 ri=ret->req_info;
85 84
@@ -96,32 +95,30 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
96 EVP_PKEY_free(pktmp); 95 EVP_PKEY_free(pktmp);
97 if (!i) goto err; 96 if (!i) goto err;
98 97
99 if (pkey != NULL) 98 if (pkey != NULL) {
100 {
101 if (!X509_REQ_sign(ret,pkey,md)) 99 if (!X509_REQ_sign(ret,pkey,md))
102 goto err; 100 goto err;
103 } 101 }
104 return(ret); 102 return(ret);
105err: 103err:
106 X509_REQ_free(ret); 104 X509_REQ_free(ret);
107 return(NULL); 105 return(NULL);
108 } 106}
109 107
110EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) 108EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
111 { 109{
112 if ((req == NULL) || (req->req_info == NULL)) 110 if ((req == NULL) || (req->req_info == NULL))
113 return(NULL); 111 return(NULL);
114 return(X509_PUBKEY_get(req->req_info->pubkey)); 112 return(X509_PUBKEY_get(req->req_info->pubkey));
115 } 113}
116 114
117int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) 115int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
118 { 116{
119 EVP_PKEY *xk=NULL; 117 EVP_PKEY *xk=NULL;
120 int ok=0; 118 int ok=0;
121 119
122 xk=X509_REQ_get_pubkey(x); 120 xk=X509_REQ_get_pubkey(x);
123 switch (EVP_PKEY_cmp(xk, k)) 121 switch (EVP_PKEY_cmp(xk, k)) {
124 {
125 case 1: 122 case 1:
126 ok=1; 123 ok=1;
127 break; 124 break;
@@ -133,26 +130,24 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
133 break; 130 break;
134 case -2: 131 case -2:
135#ifndef OPENSSL_NO_EC 132#ifndef OPENSSL_NO_EC
136 if (k->type == EVP_PKEY_EC) 133 if (k->type == EVP_PKEY_EC) {
137 {
138 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); 134 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
139 break; 135 break;
140 } 136 }
141#endif 137#endif
142#ifndef OPENSSL_NO_DH 138#ifndef OPENSSL_NO_DH
143 if (k->type == EVP_PKEY_DH) 139 if (k->type == EVP_PKEY_DH) {
144 {
145 /* No idea */ 140 /* No idea */
146 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); 141 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
147 break; 142 break;
148 } 143 }
149#endif 144#endif
150 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); 145 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
151 } 146 }
152 147
153 EVP_PKEY_free(xk); 148 EVP_PKEY_free(xk);
154 return(ok); 149 return(ok);
155 } 150}
156 151
157/* It seems several organisations had the same idea of including a list of 152/* It seems several organisations had the same idea of including a list of
158 * extensions in a certificate request. There are at least two OIDs that are 153 * extensions in a certificate request. There are at least two OIDs that are
@@ -184,7 +179,7 @@ void X509_REQ_set_extension_nids(int *nids)
184} 179}
185 180
186STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) 181STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
187 { 182{
188 X509_ATTRIBUTE *attr; 183 X509_ATTRIBUTE *attr;
189 ASN1_TYPE *ext = NULL; 184 ASN1_TYPE *ext = NULL;
190 int idx, *pnid; 185 int idx, *pnid;
@@ -192,8 +187,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
192 187
193 if ((req == NULL) || (req->req_info == NULL) || !ext_nids) 188 if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
194 return(NULL); 189 return(NULL);
195 for (pnid = ext_nids; *pnid != NID_undef; pnid++) 190 for (pnid = ext_nids; *pnid != NID_undef; pnid++) {
196 {
197 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1); 191 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
198 if (idx == -1) 192 if (idx == -1)
199 continue; 193 continue;
@@ -202,7 +196,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
202 else if(sk_ASN1_TYPE_num(attr->value.set)) 196 else if(sk_ASN1_TYPE_num(attr->value.set))
203 ext = sk_ASN1_TYPE_value(attr->value.set, 0); 197 ext = sk_ASN1_TYPE_value(attr->value.set, 0);
204 break; 198 break;
205 } 199 }
206 if(!ext || (ext->type != V_ASN1_SEQUENCE)) 200 if(!ext || (ext->type != V_ASN1_SEQUENCE))
207 return NULL; 201 return NULL;
208 p = ext->value.sequence->data; 202 p = ext->value.sequence->data;
@@ -235,11 +229,10 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
235 at = NULL; 229 at = NULL;
236 attr->single = 0; 230 attr->single = 0;
237 attr->object = OBJ_nid2obj(nid); 231 attr->object = OBJ_nid2obj(nid);
238 if (!req->req_info->attributes) 232 if (!req->req_info->attributes) {
239 {
240 if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null())) 233 if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
241 goto err; 234 goto err;
242 } 235 }
243 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err; 236 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
244 return 1; 237 return 1;
245 err: 238 err:
diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
index 4b94fc5847..dfe9eb68ff 100644
--- a/src/lib/libcrypto/x509/x509_set.c
+++ b/src/lib/libcrypto/x509/x509_set.c
@@ -64,87 +64,77 @@
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int X509_set_version(X509 *x, long version) 66int X509_set_version(X509 *x, long version)
67 { 67{
68 if (x == NULL) return(0); 68 if (x == NULL) return(0);
69 if (x->cert_info->version == NULL) 69 if (x->cert_info->version == NULL) {
70 {
71 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL) 70 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0); 71 return(0);
73 }
74 return(ASN1_INTEGER_set(x->cert_info->version,version));
75 } 72 }
73 return(ASN1_INTEGER_set(x->cert_info->version,version));
74}
76 75
77int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) 76int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
78 { 77{
79 ASN1_INTEGER *in; 78 ASN1_INTEGER *in;
80 79
81 if (x == NULL) return(0); 80 if (x == NULL) return(0);
82 in=x->cert_info->serialNumber; 81 in=x->cert_info->serialNumber;
83 if (in != serial) 82 if (in != serial) {
84 {
85 in=M_ASN1_INTEGER_dup(serial); 83 in=M_ASN1_INTEGER_dup(serial);
86 if (in != NULL) 84 if (in != NULL) {
87 {
88 M_ASN1_INTEGER_free(x->cert_info->serialNumber); 85 M_ASN1_INTEGER_free(x->cert_info->serialNumber);
89 x->cert_info->serialNumber=in; 86 x->cert_info->serialNumber=in;
90 }
91 } 87 }
92 return(in != NULL);
93 } 88 }
89 return(in != NULL);
90}
94 91
95int X509_set_issuer_name(X509 *x, X509_NAME *name) 92int X509_set_issuer_name(X509 *x, X509_NAME *name)
96 { 93{
97 if ((x == NULL) || (x->cert_info == NULL)) return(0); 94 if ((x == NULL) || (x->cert_info == NULL)) return(0);
98 return(X509_NAME_set(&x->cert_info->issuer,name)); 95 return(X509_NAME_set(&x->cert_info->issuer,name));
99 } 96}
100 97
101int X509_set_subject_name(X509 *x, X509_NAME *name) 98int X509_set_subject_name(X509 *x, X509_NAME *name)
102 { 99{
103 if ((x == NULL) || (x->cert_info == NULL)) return(0); 100 if ((x == NULL) || (x->cert_info == NULL)) return(0);
104 return(X509_NAME_set(&x->cert_info->subject,name)); 101 return(X509_NAME_set(&x->cert_info->subject,name));
105 } 102}
106 103
107int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) 104int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
108 { 105{
109 ASN1_TIME *in; 106 ASN1_TIME *in;
110 107
111 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); 108 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
112 in=x->cert_info->validity->notBefore; 109 in=x->cert_info->validity->notBefore;
113 if (in != tm) 110 if (in != tm) {
114 {
115 in=M_ASN1_TIME_dup(tm); 111 in=M_ASN1_TIME_dup(tm);
116 if (in != NULL) 112 if (in != NULL) {
117 {
118 M_ASN1_TIME_free(x->cert_info->validity->notBefore); 113 M_ASN1_TIME_free(x->cert_info->validity->notBefore);
119 x->cert_info->validity->notBefore=in; 114 x->cert_info->validity->notBefore=in;
120 }
121 } 115 }
122 return(in != NULL);
123 } 116 }
117 return(in != NULL);
118}
124 119
125int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) 120int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
126 { 121{
127 ASN1_TIME *in; 122 ASN1_TIME *in;
128 123
129 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); 124 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
130 in=x->cert_info->validity->notAfter; 125 in=x->cert_info->validity->notAfter;
131 if (in != tm) 126 if (in != tm) {
132 {
133 in=M_ASN1_TIME_dup(tm); 127 in=M_ASN1_TIME_dup(tm);
134 if (in != NULL) 128 if (in != NULL) {
135 {
136 M_ASN1_TIME_free(x->cert_info->validity->notAfter); 129 M_ASN1_TIME_free(x->cert_info->validity->notAfter);
137 x->cert_info->validity->notAfter=in; 130 x->cert_info->validity->notAfter=in;
138 }
139 } 131 }
140 return(in != NULL);
141 } 132 }
133 return(in != NULL);
134}
142 135
143int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) 136int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
144 { 137{
145 if ((x == NULL) || (x->cert_info == NULL)) return(0); 138 if ((x == NULL) || (x->cert_info == NULL)) return(0);
146 return(X509_PUBKEY_set(&(x->cert_info->key),pkey)); 139 return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
147 } 140}
148
149
150
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 7bb5094e64..bdda53ec6b 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -174,7 +174,8 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
174 return 0; 174 return 0;
175 } 175 }
176 trtmp->flags = X509_TRUST_DYNAMIC; 176 trtmp->flags = X509_TRUST_DYNAMIC;
177 } else trtmp = X509_TRUST_get0(idx); 177 } else
178 trtmp = X509_TRUST_get0(idx);
178 179
179 /* free existing name if dynamic */ 180 /* free existing name if dynamic */
180 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); 181 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name);
@@ -208,15 +209,14 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
208} 209}
209 210
210static void trtable_free(X509_TRUST *p) 211static void trtable_free(X509_TRUST *p)
211 { 212{
212 if(!p) return; 213 if(!p) return;
213 if (p->flags & X509_TRUST_DYNAMIC) 214 if (p->flags & X509_TRUST_DYNAMIC) {
214 {
215 if (p->flags & X509_TRUST_DYNAMIC_NAME) 215 if (p->flags & X509_TRUST_DYNAMIC_NAME)
216 free(p->name); 216 free(p->name);
217 free(p); 217 free(p);
218 }
219 } 218 }
219}
220 220
221void X509_TRUST_cleanup(void) 221void X509_TRUST_cleanup(void)
222{ 222{
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index 27f6c7176a..509948618e 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -69,11 +69,10 @@
69#include <openssl/objects.h> 69#include <openssl/objects.h>
70 70
71const char *X509_verify_cert_error_string(long n) 71const char *X509_verify_cert_error_string(long n)
72 { 72{
73 static char buf[100]; 73 static char buf[100];
74 74
75 switch ((int)n) 75 switch ((int)n) {
76 {
77 case X509_V_OK: 76 case X509_V_OK:
78 return("ok"); 77 return("ok");
79 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 78 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
@@ -187,7 +186,7 @@ const char *X509_verify_cert_error_string(long n)
187 default: 186 default:
188 (void) snprintf(buf,sizeof buf,"error number %ld",n); 187 (void) snprintf(buf,sizeof buf,"error number %ld",n);
189 return(buf); 188 return(buf);
190 }
191 } 189 }
190}
192 191
193 192
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index 42e6f0ab05..f41fab3367 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -66,24 +66,24 @@
66#include <openssl/x509v3.h> 66#include <openssl/x509v3.h>
67 67
68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) 68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
69 { 69{
70 if (x == NULL) return(0); 70 if (x == NULL) return(0);
71 return(sk_X509_EXTENSION_num(x)); 71 return(sk_X509_EXTENSION_num(x));
72 } 72}
73 73
74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, 74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
75 int lastpos) 75 int lastpos)
76 { 76{
77 ASN1_OBJECT *obj; 77 ASN1_OBJECT *obj;
78 78
79 obj=OBJ_nid2obj(nid); 79 obj=OBJ_nid2obj(nid);
80 if (obj == NULL) return(-2); 80 if (obj == NULL) return(-2);
81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos)); 81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
82 } 82}
83 83
84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, 84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
85 int lastpos) 85 int lastpos)
86 { 86{
87 int n; 87 int n;
88 X509_EXTENSION *ex; 88 X509_EXTENSION *ex;
89 89
@@ -92,18 +92,17 @@ int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
92 if (lastpos < 0) 92 if (lastpos < 0)
93 lastpos=0; 93 lastpos=0;
94 n=sk_X509_EXTENSION_num(sk); 94 n=sk_X509_EXTENSION_num(sk);
95 for ( ; lastpos < n; lastpos++) 95 for ( ; lastpos < n; lastpos++) {
96 {
97 ex=sk_X509_EXTENSION_value(sk,lastpos); 96 ex=sk_X509_EXTENSION_value(sk,lastpos);
98 if (OBJ_cmp(ex->object,obj) == 0) 97 if (OBJ_cmp(ex->object,obj) == 0)
99 return(lastpos); 98 return(lastpos);
100 }
101 return(-1);
102 } 99 }
100 return(-1);
101}
103 102
104int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, 103int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
105 int lastpos) 104 int lastpos)
106 { 105{
107 int n; 106 int n;
108 X509_EXTENSION *ex; 107 X509_EXTENSION *ex;
109 108
@@ -112,53 +111,49 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
112 if (lastpos < 0) 111 if (lastpos < 0)
113 lastpos=0; 112 lastpos=0;
114 n=sk_X509_EXTENSION_num(sk); 113 n=sk_X509_EXTENSION_num(sk);
115 for ( ; lastpos < n; lastpos++) 114 for ( ; lastpos < n; lastpos++) {
116 {
117 ex=sk_X509_EXTENSION_value(sk,lastpos); 115 ex=sk_X509_EXTENSION_value(sk,lastpos);
118 if ( ((ex->critical > 0) && crit) || 116 if ( ((ex->critical > 0) && crit) ||
119 ((ex->critical <= 0) && !crit)) 117 ((ex->critical <= 0) && !crit))
120 return(lastpos); 118 return(lastpos);
121 }
122 return(-1);
123 } 119 }
120 return(-1);
121}
124 122
125X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) 123X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
126 { 124{
127 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) 125 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
128 return NULL; 126 return NULL;
129 else 127 else
130 return sk_X509_EXTENSION_value(x,loc); 128 return sk_X509_EXTENSION_value(x,loc);
131 } 129}
132 130
133X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) 131X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
134 { 132{
135 X509_EXTENSION *ret; 133 X509_EXTENSION *ret;
136 134
137 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) 135 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
138 return(NULL); 136 return(NULL);
139 ret=sk_X509_EXTENSION_delete(x,loc); 137 ret=sk_X509_EXTENSION_delete(x,loc);
140 return(ret); 138 return(ret);
141 } 139}
142 140
143STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, 141STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
144 X509_EXTENSION *ex, int loc) 142 X509_EXTENSION *ex, int loc)
145 { 143{
146 X509_EXTENSION *new_ex=NULL; 144 X509_EXTENSION *new_ex=NULL;
147 int n; 145 int n;
148 STACK_OF(X509_EXTENSION) *sk=NULL; 146 STACK_OF(X509_EXTENSION) *sk=NULL;
149 147
150 if (x == NULL) 148 if (x == NULL) {
151 {
152 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER); 149 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
153 goto err2; 150 goto err2;
154 } 151 }
155 152
156 if (*x == NULL) 153 if (*x == NULL) {
157 {
158 if ((sk=sk_X509_EXTENSION_new_null()) == NULL) 154 if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
159 goto err; 155 goto err;
160 } 156 } else
161 else
162 sk= *x; 157 sk= *x;
163 158
164 n=sk_X509_EXTENSION_num(sk); 159 n=sk_X509_EXTENSION_num(sk);
@@ -178,39 +173,36 @@ err2:
178 if (new_ex != NULL) X509_EXTENSION_free(new_ex); 173 if (new_ex != NULL) X509_EXTENSION_free(new_ex);
179 if (sk != NULL) sk_X509_EXTENSION_free(sk); 174 if (sk != NULL) sk_X509_EXTENSION_free(sk);
180 return(NULL); 175 return(NULL);
181 } 176}
182 177
183X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, 178X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
184 int crit, ASN1_OCTET_STRING *data) 179 int crit, ASN1_OCTET_STRING *data)
185 { 180{
186 ASN1_OBJECT *obj; 181 ASN1_OBJECT *obj;
187 X509_EXTENSION *ret; 182 X509_EXTENSION *ret;
188 183
189 obj=OBJ_nid2obj(nid); 184 obj=OBJ_nid2obj(nid);
190 if (obj == NULL) 185 if (obj == NULL) {
191 {
192 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID); 186 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
193 return(NULL); 187 return(NULL);
194 } 188 }
195 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data); 189 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
196 if (ret == NULL) ASN1_OBJECT_free(obj); 190 if (ret == NULL) ASN1_OBJECT_free(obj);
197 return(ret); 191 return(ret);
198 } 192}
199 193
200X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, 194X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
201 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) 195 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
202 { 196{
203 X509_EXTENSION *ret; 197 X509_EXTENSION *ret;
204 198
205 if ((ex == NULL) || (*ex == NULL)) 199 if ((ex == NULL) || (*ex == NULL)) {
206 {
207 if ((ret=X509_EXTENSION_new()) == NULL) 200 if ((ret=X509_EXTENSION_new()) == NULL)
208 { 201 {
209 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); 202 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
210 return(NULL); 203 return(NULL);
211 }
212 } 204 }
213 else 205 } else
214 ret= *ex; 206 ret= *ex;
215 207
216 if (!X509_EXTENSION_set_object(ret,obj)) 208 if (!X509_EXTENSION_set_object(ret,obj))
@@ -226,49 +218,49 @@ err:
226 if ((ex == NULL) || (ret != *ex)) 218 if ((ex == NULL) || (ret != *ex))
227 X509_EXTENSION_free(ret); 219 X509_EXTENSION_free(ret);
228 return(NULL); 220 return(NULL);
229 } 221}
230 222
231int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) 223int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
232 { 224{
233 if ((ex == NULL) || (obj == NULL)) 225 if ((ex == NULL) || (obj == NULL))
234 return(0); 226 return(0);
235 ASN1_OBJECT_free(ex->object); 227 ASN1_OBJECT_free(ex->object);
236 ex->object=OBJ_dup(obj); 228 ex->object=OBJ_dup(obj);
237 return(1); 229 return(1);
238 } 230}
239 231
240int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) 232int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
241 { 233{
242 if (ex == NULL) return(0); 234 if (ex == NULL) return(0);
243 ex->critical=(crit)?0xFF:-1; 235 ex->critical=(crit)?0xFF:-1;
244 return(1); 236 return(1);
245 } 237}
246 238
247int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) 239int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
248 { 240{
249 int i; 241 int i;
250 242
251 if (ex == NULL) return(0); 243 if (ex == NULL) return(0);
252 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length); 244 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
253 if (!i) return(0); 245 if (!i) return(0);
254 return(1); 246 return(1);
255 } 247}
256 248
257ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) 249ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
258 { 250{
259 if (ex == NULL) return(NULL); 251 if (ex == NULL) return(NULL);
260 return(ex->object); 252 return(ex->object);
261 } 253}
262 254
263ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) 255ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
264 { 256{
265 if (ex == NULL) return(NULL); 257 if (ex == NULL) return(NULL);
266 return(ex->value); 258 return(ex->value);
267 } 259}
268 260
269int X509_EXTENSION_get_critical(X509_EXTENSION *ex) 261int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
270 { 262{
271 if (ex == NULL) return(0); 263 if (ex == NULL) return(0);
272 if(ex->critical > 0) return 1; 264 if(ex->critical > 0) return 1;
273 return 0; 265 return 0;
274 } 266}
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 077bfd8f2d..6e9dd7cc6a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -139,19 +139,19 @@ const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139 139
140 140
141static int null_callback(int ok, X509_STORE_CTX *e) 141static int null_callback(int ok, X509_STORE_CTX *e)
142 { 142{
143 return ok; 143 return ok;
144 } 144}
145 145
146#if 0 146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b) 147static int x509_subject_cmp(X509 **a, X509 **b)
148 { 148{
149 return X509_subject_name_cmp(*a,*b); 149 return X509_subject_name_cmp(*a,*b);
150 } 150}
151#endif 151#endif
152 152
153int X509_verify_cert(X509_STORE_CTX *ctx) 153int X509_verify_cert(X509_STORE_CTX *ctx)
154 { 154{
155 X509 *x,*xtmp,*chain_ss=NULL; 155 X509 *x,*xtmp,*chain_ss=NULL;
156 int bad_chain = 0; 156 int bad_chain = 0;
157 X509_VERIFY_PARAM *param = ctx->param; 157 X509_VERIFY_PARAM *param = ctx->param;
@@ -159,43 +159,38 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
159 int num; 159 int num;
160 int (*cb)(int xok,X509_STORE_CTX *xctx); 160 int (*cb)(int xok,X509_STORE_CTX *xctx);
161 STACK_OF(X509) *sktmp=NULL; 161 STACK_OF(X509) *sktmp=NULL;
162 if (ctx->cert == NULL) 162 if (ctx->cert == NULL) {
163 {
164 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 163 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
165 return -1; 164 return -1;
166 } 165 }
167 166
168 cb=ctx->verify_cb; 167 cb=ctx->verify_cb;
169 168
170 /* first we make sure the chain we are going to build is 169 /* first we make sure the chain we are going to build is
171 * present and that the first entry is in place */ 170 * present and that the first entry is in place */
172 if (ctx->chain == NULL) 171 if (ctx->chain == NULL) {
173 {
174 if ( ((ctx->chain=sk_X509_new_null()) == NULL) || 172 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
175 (!sk_X509_push(ctx->chain,ctx->cert))) 173 (!sk_X509_push(ctx->chain,ctx->cert))) {
176 {
177 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 174 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
178 goto end; 175 goto end;
179 } 176 }
180 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); 177 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
181 ctx->last_untrusted=1; 178 ctx->last_untrusted=1;
182 } 179 }
183 180
184 /* We use a temporary STACK so we can chop and hack at it */ 181 /* We use a temporary STACK so we can chop and hack at it */
185 if (ctx->untrusted != NULL 182 if (ctx->untrusted != NULL
186 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) 183 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) {
187 {
188 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 184 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
189 goto end; 185 goto end;
190 } 186 }
191 187
192 num=sk_X509_num(ctx->chain); 188 num=sk_X509_num(ctx->chain);
193 x=sk_X509_value(ctx->chain,num-1); 189 x=sk_X509_value(ctx->chain,num-1);
194 depth=param->depth; 190 depth=param->depth;
195 191
196 192
197 for (;;) 193 for (;;) {
198 {
199 /* If we have enough, we break */ 194 /* If we have enough, we break */
200 if (depth < num) break; /* FIXME: If this happens, we should take 195 if (depth < num) break; /* FIXME: If this happens, we should take
201 * note of it and, if appropriate, use the 196 * note of it and, if appropriate, use the
@@ -207,16 +202,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
207 if (ctx->check_issued(ctx, x,x)) break; 202 if (ctx->check_issued(ctx, x,x)) break;
208 203
209 /* If we were passed a cert chain, use it first */ 204 /* If we were passed a cert chain, use it first */
210 if (ctx->untrusted != NULL) 205 if (ctx->untrusted != NULL) {
211 {
212 xtmp=find_issuer(ctx, sktmp,x); 206 xtmp=find_issuer(ctx, sktmp,x);
213 if (xtmp != NULL) 207 if (xtmp != NULL) {
214 { 208 if (!sk_X509_push(ctx->chain,xtmp)) {
215 if (!sk_X509_push(ctx->chain,xtmp))
216 {
217 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 209 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
218 goto end; 210 goto end;
219 } 211 }
220 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); 212 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
221 (void)sk_X509_delete_ptr(sktmp,xtmp); 213 (void)sk_X509_delete_ptr(sktmp,xtmp);
222 ctx->last_untrusted++; 214 ctx->last_untrusted++;
@@ -225,10 +217,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
225 /* reparse the full chain for 217 /* reparse the full chain for
226 * the next one */ 218 * the next one */
227 continue; 219 continue;
228 }
229 } 220 }
230 break;
231 } 221 }
222 break;
223 }
232 224
233 /* at this point, chain should contain a list of untrusted 225 /* at this point, chain should contain a list of untrusted
234 * certificates. We now need to add at least one trusted one, 226 * certificates. We now need to add at least one trusted one,
@@ -240,18 +232,15 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
240 232
241 i=sk_X509_num(ctx->chain); 233 i=sk_X509_num(ctx->chain);
242 x=sk_X509_value(ctx->chain,i-1); 234 x=sk_X509_value(ctx->chain,i-1);
243 if (ctx->check_issued(ctx, x, x)) 235 if (ctx->check_issued(ctx, x, x)) {
244 {
245 /* we have a self signed certificate */ 236 /* we have a self signed certificate */
246 if (sk_X509_num(ctx->chain) == 1) 237 if (sk_X509_num(ctx->chain) == 1) {
247 {
248 /* We have a single self signed certificate: see if 238 /* We have a single self signed certificate: see if
249 * we can find it in the store. We must have an exact 239 * we can find it in the store. We must have an exact
250 * match to avoid possible impersonation. 240 * match to avoid possible impersonation.
251 */ 241 */
252 ok = ctx->get_issuer(&xtmp, ctx, x); 242 ok = ctx->get_issuer(&xtmp, ctx, x);
253 if ((ok <= 0) || X509_cmp(x, xtmp)) 243 if ((ok <= 0) || X509_cmp(x, xtmp)) {
254 {
255 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 244 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
256 ctx->current_cert=x; 245 ctx->current_cert=x;
257 ctx->error_depth=i-1; 246 ctx->error_depth=i-1;
@@ -259,9 +248,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
259 bad_chain = 1; 248 bad_chain = 1;
260 ok=cb(0,ctx); 249 ok=cb(0,ctx);
261 if (!ok) goto end; 250 if (!ok) goto end;
262 } 251 } else {
263 else
264 {
265 /* We have a match: replace certificate with store version 252 /* We have a match: replace certificate with store version
266 * so we get any trust settings. 253 * so we get any trust settings.
267 */ 254 */
@@ -269,21 +256,18 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
269 x = xtmp; 256 x = xtmp;
270 (void)sk_X509_set(ctx->chain, i - 1, x); 257 (void)sk_X509_set(ctx->chain, i - 1, x);
271 ctx->last_untrusted=0; 258 ctx->last_untrusted=0;
272 }
273 } 259 }
274 else 260 } else {
275 {
276 /* extract and save self signed certificate for later use */ 261 /* extract and save self signed certificate for later use */
277 chain_ss=sk_X509_pop(ctx->chain); 262 chain_ss=sk_X509_pop(ctx->chain);
278 ctx->last_untrusted--; 263 ctx->last_untrusted--;
279 num--; 264 num--;
280 x=sk_X509_value(ctx->chain,num-1); 265 x=sk_X509_value(ctx->chain,num-1);
281 }
282 } 266 }
267 }
283 268
284 /* We now lookup certs from the certificate store */ 269 /* We now lookup certs from the certificate store */
285 for (;;) 270 for (;;) {
286 {
287 /* If we have enough, we break */ 271 /* If we have enough, we break */
288 if (depth < num) break; 272 if (depth < num) break;
289 273
@@ -296,30 +280,25 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
296 if (ok == 0) break; 280 if (ok == 0) break;
297 281
298 x = xtmp; 282 x = xtmp;
299 if (!sk_X509_push(ctx->chain,x)) 283 if (!sk_X509_push(ctx->chain,x)) {
300 {
301 X509_free(xtmp); 284 X509_free(xtmp);
302 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 285 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
303 return 0; 286 return 0;
304 }
305 num++;
306 } 287 }
288 num++;
289 }
307 290
308 /* we now have our chain, lets check it... */ 291 /* we now have our chain, lets check it... */
309 292
310 /* Is last certificate looked up self signed? */ 293 /* Is last certificate looked up self signed? */
311 if (!ctx->check_issued(ctx,x,x)) 294 if (!ctx->check_issued(ctx,x,x)) {
312 { 295 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
313 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
314 {
315 if (ctx->last_untrusted >= num) 296 if (ctx->last_untrusted >= num)
316 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 297 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
317 else 298 else
318 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 299 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
319 ctx->current_cert=x; 300 ctx->current_cert=x;
320 } 301 } else {
321 else
322 {
323 302
324 sk_X509_push(ctx->chain,chain_ss); 303 sk_X509_push(ctx->chain,chain_ss);
325 num++; 304 num++;
@@ -327,13 +306,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
327 ctx->current_cert=chain_ss; 306 ctx->current_cert=chain_ss;
328 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 307 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
329 chain_ss=NULL; 308 chain_ss=NULL;
330 } 309 }
331 310
332 ctx->error_depth=num-1; 311 ctx->error_depth=num-1;
333 bad_chain = 1; 312 bad_chain = 1;
334 ok=cb(0,ctx); 313 ok=cb(0,ctx);
335 if (!ok) goto end; 314 if (!ok) goto end;
336 } 315 }
337 316
338 /* We have the chain complete: now we need to check its purpose */ 317 /* We have the chain complete: now we need to check its purpose */
339 ok = check_chain_extensions(ctx); 318 ok = check_chain_extensions(ctx);
@@ -381,15 +360,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
381 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) 360 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
382 ok = ctx->check_policy(ctx); 361 ok = ctx->check_policy(ctx);
383 if(!ok) goto end; 362 if(!ok) goto end;
384 if (0) 363 if (0) {
385 {
386end: 364end:
387 X509_get_pubkey_parameters(NULL,ctx->chain); 365 X509_get_pubkey_parameters(NULL,ctx->chain);
388 } 366 }
389 if (sktmp != NULL) sk_X509_free(sktmp); 367 if (sktmp != NULL) sk_X509_free(sktmp);
390 if (chain_ss != NULL) X509_free(chain_ss); 368 if (chain_ss != NULL) X509_free(chain_ss);
391 return ok; 369 return ok;
392 } 370}
393 371
394 372
395/* Given a STACK_OF(X509) find the issuer of cert (if any) 373/* Given a STACK_OF(X509) find the issuer of cert (if any)
@@ -399,12 +377,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
399{ 377{
400 int i; 378 int i;
401 X509 *issuer; 379 X509 *issuer;
402 for (i = 0; i < sk_X509_num(sk); i++) 380 for (i = 0; i < sk_X509_num(sk); i++) {
403 {
404 issuer = sk_X509_value(sk, i); 381 issuer = sk_X509_value(sk, i);
405 if (ctx->check_issued(ctx, x, issuer)) 382 if (ctx->check_issued(ctx, x, issuer))
406 return issuer; 383 return issuer;
407 } 384 }
408 return NULL; 385 return NULL;
409} 386}
410 387
@@ -431,12 +408,10 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
431static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 408static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
432{ 409{
433 *issuer = find_issuer(ctx, ctx->other_ctx, x); 410 *issuer = find_issuer(ctx, ctx->other_ctx, x);
434 if (*issuer) 411 if (*issuer) {
435 {
436 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); 412 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
437 return 1; 413 return 1;
438 } 414 } else
439 else
440 return 0; 415 return 0;
441} 416}
442 417
@@ -469,13 +444,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
469 must_be_ca = -1; 444 must_be_ca = -1;
470 445
471 /* CRL path validation */ 446 /* CRL path validation */
472 if (ctx->parent) 447 if (ctx->parent) {
473 {
474 allow_proxy_certs = 0; 448 allow_proxy_certs = 0;
475 purpose = X509_PURPOSE_CRL_SIGN; 449 purpose = X509_PURPOSE_CRL_SIGN;
476 } 450 } else {
477 else
478 {
479 allow_proxy_certs = 451 allow_proxy_certs =
480 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 452 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
481 /* A hack to keep people who don't want to modify their 453 /* A hack to keep people who don't want to modify their
@@ -483,96 +455,82 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
483 if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) 455 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
484 allow_proxy_certs = 1; 456 allow_proxy_certs = 1;
485 purpose = ctx->param->purpose; 457 purpose = ctx->param->purpose;
486 } 458 }
487 459
488 /* Check all untrusted certificates */ 460 /* Check all untrusted certificates */
489 for (i = 0; i < ctx->last_untrusted; i++) 461 for (i = 0; i < ctx->last_untrusted; i++) {
490 {
491 int ret; 462 int ret;
492 x = sk_X509_value(ctx->chain, i); 463 x = sk_X509_value(ctx->chain, i);
493 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
494 && (x->ex_flags & EXFLAG_CRITICAL)) 465 && (x->ex_flags & EXFLAG_CRITICAL)) {
495 {
496 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 466 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
497 ctx->error_depth = i; 467 ctx->error_depth = i;
498 ctx->current_cert = x; 468 ctx->current_cert = x;
499 ok=cb(0,ctx); 469 ok=cb(0,ctx);
500 if (!ok) goto end; 470 if (!ok) goto end;
501 } 471 }
502 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) 472 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
503 {
504 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 473 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
505 ctx->error_depth = i; 474 ctx->error_depth = i;
506 ctx->current_cert = x; 475 ctx->current_cert = x;
507 ok=cb(0,ctx); 476 ok=cb(0,ctx);
508 if (!ok) goto end; 477 if (!ok) goto end;
509 } 478 }
510 ret = X509_check_ca(x); 479 ret = X509_check_ca(x);
511 switch(must_be_ca) 480 switch(must_be_ca) {
512 {
513 case -1: 481 case -1:
514 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 482 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
515 && (ret != 1) && (ret != 0)) 483 && (ret != 1) && (ret != 0)) {
516 {
517 ret = 0; 484 ret = 0;
518 ctx->error = X509_V_ERR_INVALID_CA; 485 ctx->error = X509_V_ERR_INVALID_CA;
519 } 486 } else
520 else
521 ret = 1; 487 ret = 1;
522 break; 488 break;
523 case 0: 489 case 0:
524 if (ret != 0) 490 if (ret != 0) {
525 {
526 ret = 0; 491 ret = 0;
527 ctx->error = X509_V_ERR_INVALID_NON_CA; 492 ctx->error = X509_V_ERR_INVALID_NON_CA;
528 } 493 } else
529 else
530 ret = 1; 494 ret = 1;
531 break; 495 break;
532 default: 496 default:
533 if ((ret == 0) 497 if ((ret == 0)
534 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 498 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
535 && (ret != 1))) 499 && (ret != 1))) {
536 {
537 ret = 0; 500 ret = 0;
538 ctx->error = X509_V_ERR_INVALID_CA; 501 ctx->error = X509_V_ERR_INVALID_CA;
539 } 502 } else
540 else
541 ret = 1; 503 ret = 1;
542 break; 504 break;
543 } 505 }
544 if (ret == 0) 506 if (ret == 0) {
545 {
546 ctx->error_depth = i; 507 ctx->error_depth = i;
547 ctx->current_cert = x; 508 ctx->current_cert = x;
548 ok=cb(0,ctx); 509 ok=cb(0,ctx);
549 if (!ok) goto end; 510 if (!ok) goto end;
550 } 511 }
551 if (ctx->param->purpose > 0) 512 if (ctx->param->purpose > 0) {
552 {
553 ret = X509_check_purpose(x, purpose, must_be_ca > 0); 513 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
554 if ((ret == 0) 514 if ((ret == 0)
555 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 515 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
556 && (ret != 1))) 516 && (ret != 1))) {
557 {
558 ctx->error = X509_V_ERR_INVALID_PURPOSE; 517 ctx->error = X509_V_ERR_INVALID_PURPOSE;
559 ctx->error_depth = i; 518 ctx->error_depth = i;
560 ctx->current_cert = x; 519 ctx->current_cert = x;
561 ok=cb(0,ctx); 520 ok=cb(0,ctx);
562 if (!ok) goto end; 521 if (!ok) goto end;
563 }
564 } 522 }
523 }
565 /* Check pathlen if not self issued */ 524 /* Check pathlen if not self issued */
566 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) 525 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
567 && (x->ex_pathlen != -1) 526 && (x->ex_pathlen != -1)
568 && (plen > (x->ex_pathlen + proxy_path_length + 1))) 527 && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
569 {
570 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 528 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
571 ctx->error_depth = i; 529 ctx->error_depth = i;
572 ctx->current_cert = x; 530 ctx->current_cert = x;
573 ok=cb(0,ctx); 531 ok=cb(0,ctx);
574 if (!ok) goto end; 532 if (!ok) goto end;
575 } 533 }
576 /* Increment path length if not self issued */ 534 /* Increment path length if not self issued */
577 if (!(x->ex_flags & EXFLAG_SI)) 535 if (!(x->ex_flags & EXFLAG_SI))
578 plen++; 536 plen++;
@@ -580,23 +538,20 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
580 certificate must be another proxy certificate or a EE 538 certificate must be another proxy certificate or a EE
581 certificate. If not, the next certificate must be a 539 certificate. If not, the next certificate must be a
582 CA certificate. */ 540 CA certificate. */
583 if (x->ex_flags & EXFLAG_PROXY) 541 if (x->ex_flags & EXFLAG_PROXY) {
584 { 542 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
585 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
586 {
587 ctx->error = 543 ctx->error =
588 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 544 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
589 ctx->error_depth = i; 545 ctx->error_depth = i;
590 ctx->current_cert = x; 546 ctx->current_cert = x;
591 ok=cb(0,ctx); 547 ok=cb(0,ctx);
592 if (!ok) goto end; 548 if (!ok) goto end;
593 } 549 }
594 proxy_path_length++; 550 proxy_path_length++;
595 must_be_ca = 0; 551 must_be_ca = 0;
596 } 552 } else
597 else
598 must_be_ca = 1; 553 must_be_ca = 1;
599 } 554 }
600 ok = 1; 555 ok = 1;
601 end: 556 end:
602 return ok; 557 return ok;
@@ -604,12 +559,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
604} 559}
605 560
606static int check_name_constraints(X509_STORE_CTX *ctx) 561static int check_name_constraints(X509_STORE_CTX *ctx)
607 { 562{
608 X509 *x; 563 X509 *x;
609 int i, j, rv; 564 int i, j, rv;
610 /* Check name constraints for all certificates */ 565 /* Check name constraints for all certificates */
611 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) 566 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
612 {
613 x = sk_X509_value(ctx->chain, i); 567 x = sk_X509_value(ctx->chain, i);
614 /* Ignore self issued certs unless last in chain */ 568 /* Ignore self issued certs unless last in chain */
615 if (i && (x->ex_flags & EXFLAG_SI)) 569 if (i && (x->ex_flags & EXFLAG_SI))
@@ -619,25 +573,22 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
619 * speaking needed but if it includes constraints it is to be 573 * speaking needed but if it includes constraints it is to be
620 * assumed it expects them to be obeyed. 574 * assumed it expects them to be obeyed.
621 */ 575 */
622 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) 576 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
623 {
624 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; 577 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
625 if (nc) 578 if (nc) {
626 {
627 rv = NAME_CONSTRAINTS_check(x, nc); 579 rv = NAME_CONSTRAINTS_check(x, nc);
628 if (rv != X509_V_OK) 580 if (rv != X509_V_OK) {
629 {
630 ctx->error = rv; 581 ctx->error = rv;
631 ctx->error_depth = i; 582 ctx->error_depth = i;
632 ctx->current_cert = x; 583 ctx->current_cert = x;
633 if (!ctx->verify_cb(0,ctx)) 584 if (!ctx->verify_cb(0,ctx))
634 return 0; 585 return 0;
635 }
636 } 586 }
637 } 587 }
638 } 588 }
639 return 1;
640 } 589 }
590 return 1;
591}
641 592
642static int check_trust(X509_STORE_CTX *ctx) 593static int check_trust(X509_STORE_CTX *ctx)
643{ 594{
@@ -666,30 +617,27 @@ static int check_trust(X509_STORE_CTX *ctx)
666} 617}
667 618
668static int check_revocation(X509_STORE_CTX *ctx) 619static int check_revocation(X509_STORE_CTX *ctx)
669 { 620{
670 int i, last, ok; 621 int i, last, ok;
671 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 622 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
672 return 1; 623 return 1;
673 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 624 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
674 last = sk_X509_num(ctx->chain) - 1; 625 last = sk_X509_num(ctx->chain) - 1;
675 else 626 else {
676 {
677 /* If checking CRL paths this isn't the EE certificate */ 627 /* If checking CRL paths this isn't the EE certificate */
678 if (ctx->parent) 628 if (ctx->parent)
679 return 1; 629 return 1;
680 last = 0; 630 last = 0;
681 } 631 }
682 for(i = 0; i <= last; i++) 632 for(i = 0; i <= last; i++) {
683 {
684 ctx->error_depth = i; 633 ctx->error_depth = i;
685 ok = check_cert(ctx); 634 ok = check_cert(ctx);
686 if (!ok) return ok; 635 if (!ok) return ok;
687 }
688 return 1;
689 } 636 }
637 return 1;
638}
690 639
691static int check_cert(X509_STORE_CTX *ctx) 640static int check_cert(X509_STORE_CTX *ctx) {
692 {
693 X509_CRL *crl = NULL, *dcrl = NULL; 641 X509_CRL *crl = NULL, *dcrl = NULL;
694 X509 *x; 642 X509 *x;
695 int ok, cnum; 643 int ok, cnum;
@@ -700,8 +648,7 @@ static int check_cert(X509_STORE_CTX *ctx)
700 ctx->current_issuer = NULL; 648 ctx->current_issuer = NULL;
701 ctx->current_crl_score = 0; 649 ctx->current_crl_score = 0;
702 ctx->current_reasons = 0; 650 ctx->current_reasons = 0;
703 while (ctx->current_reasons != CRLDP_ALL_REASONS) 651 while (ctx->current_reasons != CRLDP_ALL_REASONS) {
704 {
705 last_reasons = ctx->current_reasons; 652 last_reasons = ctx->current_reasons;
706 /* Try to retrieve relevant CRL */ 653 /* Try to retrieve relevant CRL */
707 if (ctx->get_crl) 654 if (ctx->get_crl)
@@ -711,36 +658,32 @@ static int check_cert(X509_STORE_CTX *ctx)
711 /* If error looking up CRL, nothing we can do except 658 /* If error looking up CRL, nothing we can do except
712 * notify callback 659 * notify callback
713 */ 660 */
714 if(!ok) 661 if(!ok) {
715 {
716 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 662 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
717 ok = ctx->verify_cb(0, ctx); 663 ok = ctx->verify_cb(0, ctx);
718 goto err; 664 goto err;
719 } 665 }
720 ctx->current_crl = crl; 666 ctx->current_crl = crl;
721 ok = ctx->check_crl(ctx, crl); 667 ok = ctx->check_crl(ctx, crl);
722 if (!ok) 668 if (!ok)
723 goto err; 669 goto err;
724 670
725 if (dcrl) 671 if (dcrl) {
726 {
727 ok = ctx->check_crl(ctx, dcrl); 672 ok = ctx->check_crl(ctx, dcrl);
728 if (!ok) 673 if (!ok)
729 goto err; 674 goto err;
730 ok = ctx->cert_crl(ctx, dcrl, x); 675 ok = ctx->cert_crl(ctx, dcrl, x);
731 if (!ok) 676 if (!ok)
732 goto err; 677 goto err;
733 } 678 } else
734 else
735 ok = 1; 679 ok = 1;
736 680
737 /* Don't look in full CRL if delta reason is removefromCRL */ 681 /* Don't look in full CRL if delta reason is removefromCRL */
738 if (ok != 2) 682 if (ok != 2) {
739 {
740 ok = ctx->cert_crl(ctx, crl, x); 683 ok = ctx->cert_crl(ctx, crl, x);
741 if (!ok) 684 if (!ok)
742 goto err; 685 goto err;
743 } 686 }
744 687
745 X509_CRL_free(crl); 688 X509_CRL_free(crl);
746 X509_CRL_free(dcrl); 689 X509_CRL_free(dcrl);
@@ -749,26 +692,25 @@ static int check_cert(X509_STORE_CTX *ctx)
749 /* If reasons not updated we wont get anywhere by 692 /* If reasons not updated we wont get anywhere by
750 * another iteration, so exit loop. 693 * another iteration, so exit loop.
751 */ 694 */
752 if (last_reasons == ctx->current_reasons) 695 if (last_reasons == ctx->current_reasons) {
753 {
754 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 696 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
755 ok = ctx->verify_cb(0, ctx); 697 ok = ctx->verify_cb(0, ctx);
756 goto err; 698 goto err;
757 }
758 } 699 }
759 err: 700 }
701err:
760 X509_CRL_free(crl); 702 X509_CRL_free(crl);
761 X509_CRL_free(dcrl); 703 X509_CRL_free(dcrl);
762 704
763 ctx->current_crl = NULL; 705 ctx->current_crl = NULL;
764 return ok; 706 return ok;
765 707
766 } 708}
767 709
768/* Check CRL times against values in X509_STORE_CTX */ 710/* Check CRL times against values in X509_STORE_CTX */
769 711
770static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 712static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
771 { 713{
772 time_t *ptime; 714 time_t *ptime;
773 int i; 715 int i;
774 if (notify) 716 if (notify)
@@ -779,80 +721,72 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
779 ptime = NULL; 721 ptime = NULL;
780 722
781 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 723 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
782 if (i == 0) 724 if (i == 0) {
783 {
784 if (!notify) 725 if (!notify)
785 return 0; 726 return 0;
786 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 727 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
787 if (!ctx->verify_cb(0, ctx)) 728 if (!ctx->verify_cb(0, ctx))
788 return 0; 729 return 0;
789 } 730 }
790 731
791 if (i > 0) 732 if (i > 0) {
792 {
793 if (!notify) 733 if (!notify)
794 return 0; 734 return 0;
795 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; 735 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
796 if (!ctx->verify_cb(0, ctx)) 736 if (!ctx->verify_cb(0, ctx))
797 return 0; 737 return 0;
798 } 738 }
799 739
800 if(X509_CRL_get_nextUpdate(crl)) 740 if(X509_CRL_get_nextUpdate(crl)) {
801 {
802 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 741 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
803 742
804 if (i == 0) 743 if (i == 0) {
805 {
806 if (!notify) 744 if (!notify)
807 return 0; 745 return 0;
808 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 746 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
809 if (!ctx->verify_cb(0, ctx)) 747 if (!ctx->verify_cb(0, ctx))
810 return 0; 748 return 0;
811 } 749 }
812 /* Ignore expiry of base CRL is delta is valid */ 750 /* Ignore expiry of base CRL is delta is valid */
813 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) 751 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
814 {
815 if (!notify) 752 if (!notify)
816 return 0; 753 return 0;
817 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; 754 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
818 if (!ctx->verify_cb(0, ctx)) 755 if (!ctx->verify_cb(0, ctx))
819 return 0; 756 return 0;
820 }
821 } 757 }
758 }
822 759
823 if (notify) 760 if (notify)
824 ctx->current_crl = NULL; 761 ctx->current_crl = NULL;
825 762
826 return 1; 763 return 1;
827 } 764}
828 765
829static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 766static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
830 X509 **pissuer, int *pscore, unsigned int *preasons, 767 X509 **pissuer, int *pscore, unsigned int *preasons,
831 STACK_OF(X509_CRL) *crls) 768 STACK_OF(X509_CRL) *crls)
832 { 769{
833 int i, crl_score, best_score = *pscore; 770 int i, crl_score, best_score = *pscore;
834 unsigned int reasons, best_reasons = 0; 771 unsigned int reasons, best_reasons = 0;
835 X509 *x = ctx->current_cert; 772 X509 *x = ctx->current_cert;
836 X509_CRL *crl, *best_crl = NULL; 773 X509_CRL *crl, *best_crl = NULL;
837 X509 *crl_issuer = NULL, *best_crl_issuer = NULL; 774 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
838 775
839 for (i = 0; i < sk_X509_CRL_num(crls); i++) 776 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
840 {
841 crl = sk_X509_CRL_value(crls, i); 777 crl = sk_X509_CRL_value(crls, i);
842 reasons = *preasons; 778 reasons = *preasons;
843 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); 779 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
844 780
845 if (crl_score > best_score) 781 if (crl_score > best_score) {
846 {
847 best_crl = crl; 782 best_crl = crl;
848 best_crl_issuer = crl_issuer; 783 best_crl_issuer = crl_issuer;
849 best_score = crl_score; 784 best_score = crl_score;
850 best_reasons = reasons; 785 best_reasons = reasons;
851 }
852 } 786 }
787 }
853 788
854 if (best_crl) 789 if (best_crl) {
855 {
856 if (*pcrl) 790 if (*pcrl)
857 X509_CRL_free(*pcrl); 791 X509_CRL_free(*pcrl);
858 *pcrl = best_crl; 792 *pcrl = best_crl;
@@ -860,49 +794,44 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
860 *pscore = best_score; 794 *pscore = best_score;
861 *preasons = best_reasons; 795 *preasons = best_reasons;
862 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); 796 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
863 if (*pdcrl) 797 if (*pdcrl) {
864 {
865 X509_CRL_free(*pdcrl); 798 X509_CRL_free(*pdcrl);
866 *pdcrl = NULL; 799 *pdcrl = NULL;
867 }
868 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
869 } 800 }
801 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
802 }
870 803
871 if (best_score >= CRL_SCORE_VALID) 804 if (best_score >= CRL_SCORE_VALID)
872 return 1; 805 return 1;
873 806
874 return 0; 807 return 0;
875 } 808}
876 809
877/* Compare two CRL extensions for delta checking purposes. They should be 810/* Compare two CRL extensions for delta checking purposes. They should be
878 * both present or both absent. If both present all fields must be identical. 811 * both present or both absent. If both present all fields must be identical.
879 */ 812 */
880 813
881static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 814static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
882 { 815{
883 ASN1_OCTET_STRING *exta, *extb; 816 ASN1_OCTET_STRING *exta, *extb;
884 int i; 817 int i;
885 i = X509_CRL_get_ext_by_NID(a, nid, -1); 818 i = X509_CRL_get_ext_by_NID(a, nid, -1);
886 if (i >= 0) 819 if (i >= 0) {
887 {
888 /* Can't have multiple occurrences */ 820 /* Can't have multiple occurrences */
889 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) 821 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
890 return 0; 822 return 0;
891 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); 823 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
892 } 824 } else
893 else
894 exta = NULL; 825 exta = NULL;
895 826
896 i = X509_CRL_get_ext_by_NID(b, nid, -1); 827 i = X509_CRL_get_ext_by_NID(b, nid, -1);
897 828
898 if (i >= 0) 829 if (i >= 0) {
899 {
900 830
901 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 831 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
902 return 0; 832 return 0;
903 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 833 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
904 } 834 } else
905 else
906 extb = NULL; 835 extb = NULL;
907 836
908 if (!exta && !extb) 837 if (!exta && !extb)
@@ -916,12 +845,12 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
916 return 0; 845 return 0;
917 846
918 return 1; 847 return 1;
919 } 848}
920 849
921/* See if a base and delta are compatible */ 850/* See if a base and delta are compatible */
922 851
923static int check_delta_base(X509_CRL *delta, X509_CRL *base) 852static int check_delta_base(X509_CRL *delta, X509_CRL *base)
924 { 853{
925 /* Delta CRL must be a delta */ 854 /* Delta CRL must be a delta */
926 if (!delta->base_crl_number) 855 if (!delta->base_crl_number)
927 return 0; 856 return 0;
@@ -944,7 +873,7 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
944 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 873 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
945 return 1; 874 return 1;
946 return 0; 875 return 0;
947 } 876}
948 877
949/* For a given base CRL find a delta... maybe extend to delta scoring 878/* For a given base CRL find a delta... maybe extend to delta scoring
950 * or retrieve a chain of deltas... 879 * or retrieve a chain of deltas...
@@ -952,27 +881,25 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
952 881
953static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, 882static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
954 X509_CRL *base, STACK_OF(X509_CRL) *crls) 883 X509_CRL *base, STACK_OF(X509_CRL) *crls)
955 { 884{
956 X509_CRL *delta; 885 X509_CRL *delta;
957 int i; 886 int i;
958 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 887 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
959 return; 888 return;
960 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 889 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
961 return; 890 return;
962 for (i = 0; i < sk_X509_CRL_num(crls); i++) 891 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
963 {
964 delta = sk_X509_CRL_value(crls, i); 892 delta = sk_X509_CRL_value(crls, i);
965 if (check_delta_base(delta, base)) 893 if (check_delta_base(delta, base)) {
966 {
967 if (check_crl_time(ctx, delta, 0)) 894 if (check_crl_time(ctx, delta, 0))
968 *pscore |= CRL_SCORE_TIME_DELTA; 895 *pscore |= CRL_SCORE_TIME_DELTA;
969 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); 896 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
970 *dcrl = delta; 897 *dcrl = delta;
971 return; 898 return;
972 }
973 } 899 }
974 *dcrl = NULL;
975 } 900 }
901 *dcrl = NULL;
902}
976 903
977/* For a given CRL return how suitable it is for the supplied certificate 'x'. 904/* For a given CRL return how suitable it is for the supplied certificate 'x'.
978 * The return value is a mask of several criteria. 905 * The return value is a mask of several criteria.
@@ -984,7 +911,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
984static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 911static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
985 unsigned int *preasons, 912 unsigned int *preasons,
986 X509_CRL *crl, X509 *x) 913 X509_CRL *crl, X509 *x)
987 { 914{
988 915
989 int crl_score = 0; 916 int crl_score = 0;
990 unsigned int tmp_reasons = *preasons, crl_reasons; 917 unsigned int tmp_reasons = *preasons, crl_reasons;
@@ -995,27 +922,22 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
995 if (crl->idp_flags & IDP_INVALID) 922 if (crl->idp_flags & IDP_INVALID)
996 return 0; 923 return 0;
997 /* Reason codes or indirect CRLs need extended CRL support */ 924 /* Reason codes or indirect CRLs need extended CRL support */
998 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) 925 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
999 {
1000 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) 926 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1001 return 0; 927 return 0;
1002 } 928 } else if (crl->idp_flags & IDP_REASONS) {
1003 else if (crl->idp_flags & IDP_REASONS)
1004 {
1005 /* If no new reasons reject */ 929 /* If no new reasons reject */
1006 if (!(crl->idp_reasons & ~tmp_reasons)) 930 if (!(crl->idp_reasons & ~tmp_reasons))
1007 return 0; 931 return 0;
1008 } 932 }
1009 /* Don't process deltas at this stage */ 933 /* Don't process deltas at this stage */
1010 else if (crl->base_crl_number) 934 else if (crl->base_crl_number)
1011 return 0; 935 return 0;
1012 /* If issuer name doesn't match certificate need indirect CRL */ 936 /* If issuer name doesn't match certificate need indirect CRL */
1013 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) 937 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1014 {
1015 if (!(crl->idp_flags & IDP_INDIRECT)) 938 if (!(crl->idp_flags & IDP_INDIRECT))
1016 return 0; 939 return 0;
1017 } 940 } else
1018 else
1019 crl_score |= CRL_SCORE_ISSUER_NAME; 941 crl_score |= CRL_SCORE_ISSUER_NAME;
1020 942
1021 if (!(crl->flags & EXFLAG_CRITICAL)) 943 if (!(crl->flags & EXFLAG_CRITICAL))
@@ -1035,24 +957,23 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
1035 957
1036 /* Check cert for matching CRL distribution points */ 958 /* Check cert for matching CRL distribution points */
1037 959
1038 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) 960 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1039 {
1040 /* If no new reasons reject */ 961 /* If no new reasons reject */
1041 if (!(crl_reasons & ~tmp_reasons)) 962 if (!(crl_reasons & ~tmp_reasons))
1042 return 0; 963 return 0;
1043 tmp_reasons |= crl_reasons; 964 tmp_reasons |= crl_reasons;
1044 crl_score |= CRL_SCORE_SCOPE; 965 crl_score |= CRL_SCORE_SCOPE;
1045 } 966 }
1046 967
1047 *preasons = tmp_reasons; 968 *preasons = tmp_reasons;
1048 969
1049 return crl_score; 970 return crl_score;
1050 971
1051 } 972}
1052 973
1053static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 974static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1054 X509 **pissuer, int *pcrl_score) 975 X509 **pissuer, int *pcrl_score)
1055 { 976{
1056 X509 *crl_issuer = NULL; 977 X509 *crl_issuer = NULL;
1057 X509_NAME *cnm = X509_CRL_get_issuer(crl); 978 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1058 int cidx = ctx->error_depth; 979 int cidx = ctx->error_depth;
@@ -1063,28 +984,24 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1063 984
1064 crl_issuer = sk_X509_value(ctx->chain, cidx); 985 crl_issuer = sk_X509_value(ctx->chain, cidx);
1065 986
1066 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 987 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1067 { 988 if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1068 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1069 {
1070 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; 989 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1071 *pissuer = crl_issuer; 990 *pissuer = crl_issuer;
1072 return; 991 return;
1073 }
1074 } 992 }
993 }
1075 994
1076 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) 995 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
1077 {
1078 crl_issuer = sk_X509_value(ctx->chain, cidx); 996 crl_issuer = sk_X509_value(ctx->chain, cidx);
1079 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 997 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1080 continue; 998 continue;
1081 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 999 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1082 {
1083 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; 1000 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1084 *pissuer = crl_issuer; 1001 *pissuer = crl_issuer;
1085 return; 1002 return;
1086 }
1087 } 1003 }
1004 }
1088 1005
1089 /* Anything else needs extended CRL support */ 1006 /* Anything else needs extended CRL support */
1090 1007
@@ -1094,19 +1011,17 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1094 /* Otherwise the CRL issuer is not on the path. Look for it in the 1011 /* Otherwise the CRL issuer is not on the path. Look for it in the
1095 * set of untrusted certificates. 1012 * set of untrusted certificates.
1096 */ 1013 */
1097 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) 1014 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1098 {
1099 crl_issuer = sk_X509_value(ctx->untrusted, i); 1015 crl_issuer = sk_X509_value(ctx->untrusted, i);
1100 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1016 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1101 continue; 1017 continue;
1102 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 1018 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1103 {
1104 *pissuer = crl_issuer; 1019 *pissuer = crl_issuer;
1105 *pcrl_score |= CRL_SCORE_AKID; 1020 *pcrl_score |= CRL_SCORE_AKID;
1106 return; 1021 return;
1107 }
1108 } 1022 }
1109 } 1023 }
1024}
1110 1025
1111/* Check the path of a CRL issuer certificate. This creates a new 1026/* Check the path of a CRL issuer certificate. This creates a new
1112 * X509_STORE_CTX and populates it with most of the parameters from the 1027 * X509_STORE_CTX and populates it with most of the parameters from the
@@ -1116,7 +1031,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1116 */ 1031 */
1117 1032
1118static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1033static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1119 { 1034{
1120 X509_STORE_CTX crl_ctx; 1035 X509_STORE_CTX crl_ctx;
1121 int ret; 1036 int ret;
1122 /* Don't allow recursive CRL path validation */ 1037 /* Don't allow recursive CRL path validation */
@@ -1144,7 +1059,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1144 err: 1059 err:
1145 X509_STORE_CTX_cleanup(&crl_ctx); 1060 X509_STORE_CTX_cleanup(&crl_ctx);
1146 return ret; 1061 return ret;
1147 } 1062}
1148 1063
1149/* RFC3280 says nothing about the relationship between CRL path 1064/* RFC3280 says nothing about the relationship between CRL path
1150 * and certificate path, which could lead to situations where a 1065 * and certificate path, which could lead to situations where a
@@ -1157,14 +1072,14 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1157static int check_crl_chain(X509_STORE_CTX *ctx, 1072static int check_crl_chain(X509_STORE_CTX *ctx,
1158 STACK_OF(X509) *cert_path, 1073 STACK_OF(X509) *cert_path,
1159 STACK_OF(X509) *crl_path) 1074 STACK_OF(X509) *crl_path)
1160 { 1075{
1161 X509 *cert_ta, *crl_ta; 1076 X509 *cert_ta, *crl_ta;
1162 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1077 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1163 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1078 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1164 if (!X509_cmp(cert_ta, crl_ta)) 1079 if (!X509_cmp(cert_ta, crl_ta))
1165 return 1; 1080 return 1;
1166 return 0; 1081 return 0;
1167 } 1082}
1168 1083
1169/* Check for match between two dist point names: three separate cases. 1084/* Check for match between two dist point names: three separate cases.
1170 * 1. Both are relative names and compare X509_NAME types. 1085 * 1. Both are relative names and compare X509_NAME types.
@@ -1175,125 +1090,110 @@ static int check_crl_chain(X509_STORE_CTX *ctx,
1175 1090
1176 1091
1177static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1092static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1178 { 1093{
1179 X509_NAME *nm = NULL; 1094 X509_NAME *nm = NULL;
1180 GENERAL_NAMES *gens = NULL; 1095 GENERAL_NAMES *gens = NULL;
1181 GENERAL_NAME *gena, *genb; 1096 GENERAL_NAME *gena, *genb;
1182 int i, j; 1097 int i, j;
1183 if (!a || !b) 1098 if (!a || !b)
1184 return 1; 1099 return 1;
1185 if (a->type == 1) 1100 if (a->type == 1) {
1186 {
1187 if (!a->dpname) 1101 if (!a->dpname)
1188 return 0; 1102 return 0;
1189 /* Case 1: two X509_NAME */ 1103 /* Case 1: two X509_NAME */
1190 if (b->type == 1) 1104 if (b->type == 1) {
1191 {
1192 if (!b->dpname) 1105 if (!b->dpname)
1193 return 0; 1106 return 0;
1194 if (!X509_NAME_cmp(a->dpname, b->dpname)) 1107 if (!X509_NAME_cmp(a->dpname, b->dpname))
1195 return 1; 1108 return 1;
1196 else 1109 else
1197 return 0; 1110 return 0;
1198 } 1111 }
1199 /* Case 2: set name and GENERAL_NAMES appropriately */ 1112 /* Case 2: set name and GENERAL_NAMES appropriately */
1200 nm = a->dpname; 1113 nm = a->dpname;
1201 gens = b->name.fullname; 1114 gens = b->name.fullname;
1202 } 1115 } else if (b->type == 1) {
1203 else if (b->type == 1)
1204 {
1205 if (!b->dpname) 1116 if (!b->dpname)
1206 return 0; 1117 return 0;
1207 /* Case 2: set name and GENERAL_NAMES appropriately */ 1118 /* Case 2: set name and GENERAL_NAMES appropriately */
1208 gens = a->name.fullname; 1119 gens = a->name.fullname;
1209 nm = b->dpname; 1120 nm = b->dpname;
1210 } 1121 }
1211 1122
1212 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1123 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1213 if (nm) 1124 if (nm) {
1214 { 1125 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1215 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1216 {
1217 gena = sk_GENERAL_NAME_value(gens, i); 1126 gena = sk_GENERAL_NAME_value(gens, i);
1218 if (gena->type != GEN_DIRNAME) 1127 if (gena->type != GEN_DIRNAME)
1219 continue; 1128 continue;
1220 if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1129 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1221 return 1; 1130 return 1;
1222 }
1223 return 0;
1224 } 1131 }
1132 return 0;
1133 }
1225 1134
1226 /* Else case 3: two GENERAL_NAMES */ 1135 /* Else case 3: two GENERAL_NAMES */
1227 1136
1228 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) 1137 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1229 {
1230 gena = sk_GENERAL_NAME_value(a->name.fullname, i); 1138 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1231 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) 1139 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1232 {
1233 genb = sk_GENERAL_NAME_value(b->name.fullname, j); 1140 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1234 if (!GENERAL_NAME_cmp(gena, genb)) 1141 if (!GENERAL_NAME_cmp(gena, genb))
1235 return 1; 1142 return 1;
1236 }
1237 } 1143 }
1144 }
1238 1145
1239 return 0; 1146 return 0;
1240 1147
1241 } 1148}
1242 1149
1243static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1150static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1244 { 1151{
1245 int i; 1152 int i;
1246 X509_NAME *nm = X509_CRL_get_issuer(crl); 1153 X509_NAME *nm = X509_CRL_get_issuer(crl);
1247 /* If no CRLissuer return is successful iff don't need a match */ 1154 /* If no CRLissuer return is successful iff don't need a match */
1248 if (!dp->CRLissuer) 1155 if (!dp->CRLissuer)
1249 return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1156 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1250 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) 1157 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1251 {
1252 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); 1158 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1253 if (gen->type != GEN_DIRNAME) 1159 if (gen->type != GEN_DIRNAME)
1254 continue; 1160 continue;
1255 if (!X509_NAME_cmp(gen->d.directoryName, nm)) 1161 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1256 return 1; 1162 return 1;
1257 }
1258 return 0;
1259 } 1163 }
1164 return 0;
1165}
1260 1166
1261/* Check CRLDP and IDP */ 1167/* Check CRLDP and IDP */
1262 1168
1263static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 1169static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1264 unsigned int *preasons) 1170 unsigned int *preasons)
1265 { 1171{
1266 int i; 1172 int i;
1267 if (crl->idp_flags & IDP_ONLYATTR) 1173 if (crl->idp_flags & IDP_ONLYATTR)
1268 return 0; 1174 return 0;
1269 if (x->ex_flags & EXFLAG_CA) 1175 if (x->ex_flags & EXFLAG_CA) {
1270 {
1271 if (crl->idp_flags & IDP_ONLYUSER) 1176 if (crl->idp_flags & IDP_ONLYUSER)
1272 return 0; 1177 return 0;
1273 } 1178 } else {
1274 else
1275 {
1276 if (crl->idp_flags & IDP_ONLYCA) 1179 if (crl->idp_flags & IDP_ONLYCA)
1277 return 0; 1180 return 0;
1278 } 1181 }
1279 *preasons = crl->idp_reasons; 1182 *preasons = crl->idp_reasons;
1280 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) 1183 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1281 {
1282 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1184 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1283 if (crldp_check_crlissuer(dp, crl, crl_score)) 1185 if (crldp_check_crlissuer(dp, crl, crl_score)) {
1284 {
1285 if (!crl->idp || 1186 if (!crl->idp ||
1286 idp_check_dp(dp->distpoint, crl->idp->distpoint)) 1187 idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1287 {
1288 *preasons &= dp->dp_reasons; 1188 *preasons &= dp->dp_reasons;
1289 return 1; 1189 return 1;
1290 }
1291 } 1190 }
1292 } 1191 }
1192 }
1293 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) 1193 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1294 return 1; 1194 return 1;
1295 return 0; 1195 return 0;
1296 } 1196}
1297 1197
1298/* Retrieve CRL corresponding to current certificate. 1198/* Retrieve CRL corresponding to current certificate.
1299 * If deltas enabled try to find a delta CRL too 1199 * If deltas enabled try to find a delta CRL too
@@ -1301,7 +1201,7 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1301 1201
1302static int get_crl_delta(X509_STORE_CTX *ctx, 1202static int get_crl_delta(X509_STORE_CTX *ctx,
1303 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1203 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1304 { 1204{
1305 int ok; 1205 int ok;
1306 X509 *issuer = NULL; 1206 X509 *issuer = NULL;
1307 int crl_score = 0; 1207 int crl_score = 0;
@@ -1331,129 +1231,113 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1331 done: 1231 done:
1332 1232
1333 /* If we got any kind of CRL use it and return success */ 1233 /* If we got any kind of CRL use it and return success */
1334 if (crl) 1234 if (crl) {
1335 {
1336 ctx->current_issuer = issuer; 1235 ctx->current_issuer = issuer;
1337 ctx->current_crl_score = crl_score; 1236 ctx->current_crl_score = crl_score;
1338 ctx->current_reasons = reasons; 1237 ctx->current_reasons = reasons;
1339 *pcrl = crl; 1238 *pcrl = crl;
1340 *pdcrl = dcrl; 1239 *pdcrl = dcrl;
1341 return 1; 1240 return 1;
1342 } 1241 }
1343 1242
1344 return 0; 1243 return 0;
1345 } 1244}
1346 1245
1347/* Check CRL validity */ 1246/* Check CRL validity */
1348static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1247static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1349 { 1248{
1350 X509 *issuer = NULL; 1249 X509 *issuer = NULL;
1351 EVP_PKEY *ikey = NULL; 1250 EVP_PKEY *ikey = NULL;
1352 int ok = 0, chnum, cnum; 1251 int ok = 0, chnum, cnum;
1353 cnum = ctx->error_depth; 1252 cnum = ctx->error_depth;
1354 chnum = sk_X509_num(ctx->chain) - 1; 1253 chnum = sk_X509_num(ctx->chain) - 1;
1355 /* if we have an alternative CRL issuer cert use that */ 1254 /* if we have an alternative CRL issuer cert use that */
1356 if (ctx->current_issuer) 1255 if (ctx->current_issuer) {
1357 issuer = ctx->current_issuer; 1256 issuer = ctx->current_issuer;
1358 1257 } else if (cnum < chnum) {
1359 /* Else find CRL issuer: if not last certificate then issuer 1258 /* Else find CRL issuer: if not last certificate then issuer
1360 * is next certificate in chain. 1259 * is next certificate in chain.
1361 */ 1260 */
1362 else if (cnum < chnum)
1363 issuer = sk_X509_value(ctx->chain, cnum + 1); 1261 issuer = sk_X509_value(ctx->chain, cnum + 1);
1364 else 1262 } else {
1365 {
1366 issuer = sk_X509_value(ctx->chain, chnum); 1263 issuer = sk_X509_value(ctx->chain, chnum);
1367 /* If not self signed, can't check signature */ 1264 /* If not self signed, can't check signature */
1368 if(!ctx->check_issued(ctx, issuer, issuer)) 1265 if(!ctx->check_issued(ctx, issuer, issuer)) {
1369 {
1370 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1266 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1371 ok = ctx->verify_cb(0, ctx); 1267 ok = ctx->verify_cb(0, ctx);
1372 if(!ok) goto err; 1268 if(!ok) goto err;
1373 }
1374 } 1269 }
1270 }
1375 1271
1376 if(issuer) 1272 if(issuer) {
1377 {
1378 /* Skip most tests for deltas because they have already 1273 /* Skip most tests for deltas because they have already
1379 * been done 1274 * been done
1380 */ 1275 */
1381 if (!crl->base_crl_number) 1276 if (!crl->base_crl_number) {
1382 {
1383 /* Check for cRLSign bit if keyUsage present */ 1277 /* Check for cRLSign bit if keyUsage present */
1384 if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1278 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1385 !(issuer->ex_kusage & KU_CRL_SIGN)) 1279 !(issuer->ex_kusage & KU_CRL_SIGN)) {
1386 {
1387 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1280 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1388 ok = ctx->verify_cb(0, ctx); 1281 ok = ctx->verify_cb(0, ctx);
1389 if(!ok) goto err; 1282 if(!ok) goto err;
1390 } 1283 }
1391 1284
1392 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) 1285 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1393 {
1394 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1286 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1395 ok = ctx->verify_cb(0, ctx); 1287 ok = ctx->verify_cb(0, ctx);
1396 if(!ok) goto err; 1288 if(!ok) goto err;
1397 } 1289 }
1398 1290
1399 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) 1291 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1400 { 1292 if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1401 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1402 {
1403 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1293 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1404 ok = ctx->verify_cb(0, ctx); 1294 ok = ctx->verify_cb(0, ctx);
1405 if(!ok) goto err; 1295 if(!ok) goto err;
1406 }
1407 } 1296 }
1297 }
1408 1298
1409 if (crl->idp_flags & IDP_INVALID) 1299 if (crl->idp_flags & IDP_INVALID) {
1410 {
1411 ctx->error = X509_V_ERR_INVALID_EXTENSION; 1300 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1412 ok = ctx->verify_cb(0, ctx); 1301 ok = ctx->verify_cb(0, ctx);
1413 if(!ok) goto err; 1302 if(!ok) goto err;
1414 } 1303 }
1415 1304
1416 1305
1417 } 1306 }
1418 1307
1419 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) 1308 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1420 {
1421 ok = check_crl_time(ctx, crl, 1); 1309 ok = check_crl_time(ctx, crl, 1);
1422 if (!ok) 1310 if (!ok)
1423 goto err; 1311 goto err;
1424 } 1312 }
1425 1313
1426 /* Attempt to get issuer certificate public key */ 1314 /* Attempt to get issuer certificate public key */
1427 ikey = X509_get_pubkey(issuer); 1315 ikey = X509_get_pubkey(issuer);
1428 1316
1429 if(!ikey) 1317 if(!ikey) {
1430 {
1431 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1318 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1432 ok = ctx->verify_cb(0, ctx); 1319 ok = ctx->verify_cb(0, ctx);
1433 if (!ok) goto err; 1320 if (!ok) goto err;
1434 } 1321 } else {
1435 else
1436 {
1437 /* Verify CRL signature */ 1322 /* Verify CRL signature */
1438 if(X509_CRL_verify(crl, ikey) <= 0) 1323 if(X509_CRL_verify(crl, ikey) <= 0) {
1439 {
1440 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; 1324 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1441 ok = ctx->verify_cb(0, ctx); 1325 ok = ctx->verify_cb(0, ctx);
1442 if (!ok) goto err; 1326 if (!ok) goto err;
1443 }
1444 } 1327 }
1445 } 1328 }
1329 }
1446 1330
1447 ok = 1; 1331 ok = 1;
1448 1332
1449 err: 1333err:
1450 EVP_PKEY_free(ikey); 1334 EVP_PKEY_free(ikey);
1451 return ok; 1335 return ok;
1452 } 1336}
1453 1337
1454/* Check certificate against CRL */ 1338/* Check certificate against CRL */
1455static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1339static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1456 { 1340{
1457 int ok; 1341 int ok;
1458 X509_REVOKED *rev; 1342 X509_REVOKED *rev;
1459 /* The rules changed for this... previously if a CRL contained 1343 /* The rules changed for this... previously if a CRL contained
@@ -1462,51 +1346,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1462 * critical extension can change the meaning of CRL entries. 1346 * critical extension can change the meaning of CRL entries.
1463 */ 1347 */
1464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 1348 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1465 && (crl->flags & EXFLAG_CRITICAL)) 1349 && (crl->flags & EXFLAG_CRITICAL)) {
1466 {
1467 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1350 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1468 ok = ctx->verify_cb(0, ctx); 1351 ok = ctx->verify_cb(0, ctx);
1469 if(!ok) 1352 if(!ok)
1470 return 0; 1353 return 0;
1471 } 1354 }
1472 /* Look for serial number of certificate in CRL 1355 /* Look for serial number of certificate in CRL
1473 * If found make sure reason is not removeFromCRL. 1356 * If found make sure reason is not removeFromCRL.
1474 */ 1357 */
1475 if (X509_CRL_get0_by_cert(crl, &rev, x)) 1358 if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1476 {
1477 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) 1359 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1478 return 2; 1360 return 2;
1479 ctx->error = X509_V_ERR_CERT_REVOKED; 1361 ctx->error = X509_V_ERR_CERT_REVOKED;
1480 ok = ctx->verify_cb(0, ctx); 1362 ok = ctx->verify_cb(0, ctx);
1481 if (!ok) 1363 if (!ok)
1482 return 0; 1364 return 0;
1483 } 1365 }
1484 1366
1485 return 1; 1367 return 1;
1486 } 1368}
1487 1369
1488static int check_policy(X509_STORE_CTX *ctx) 1370static int check_policy(X509_STORE_CTX *ctx)
1489 { 1371{
1490 int ret; 1372 int ret;
1491 if (ctx->parent) 1373 if (ctx->parent)
1492 return 1; 1374 return 1;
1493 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1375 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1494 ctx->param->policies, ctx->param->flags); 1376 ctx->param->policies, ctx->param->flags);
1495 if (ret == 0) 1377 if (ret == 0) {
1496 {
1497 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); 1378 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1498 return 0; 1379 return 0;
1499 } 1380 }
1500 /* Invalid or inconsistent extensions */ 1381 /* Invalid or inconsistent extensions */
1501 if (ret == -1) 1382 if (ret == -1) {
1502 {
1503 /* Locate certificates with bad extensions and notify 1383 /* Locate certificates with bad extensions and notify
1504 * callback. 1384 * callback.
1505 */ 1385 */
1506 X509 *x; 1386 X509 *x;
1507 int i; 1387 int i;
1508 for (i = 1; i < sk_X509_num(ctx->chain); i++) 1388 for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1509 {
1510 x = sk_X509_value(ctx->chain, i); 1389 x = sk_X509_value(ctx->chain, i);
1511 if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) 1390 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1512 continue; 1391 continue;
@@ -1514,29 +1393,27 @@ static int check_policy(X509_STORE_CTX *ctx)
1514 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; 1393 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1515 if(!ctx->verify_cb(0, ctx)) 1394 if(!ctx->verify_cb(0, ctx))
1516 return 0; 1395 return 0;
1517 }
1518 return 1;
1519 } 1396 }
1520 if (ret == -2) 1397 return 1;
1521 { 1398 }
1399 if (ret == -2) {
1522 ctx->current_cert = NULL; 1400 ctx->current_cert = NULL;
1523 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; 1401 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1524 return ctx->verify_cb(0, ctx); 1402 return ctx->verify_cb(0, ctx);
1525 } 1403 }
1526 1404
1527 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) 1405 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1528 {
1529 ctx->current_cert = NULL; 1406 ctx->current_cert = NULL;
1530 ctx->error = X509_V_OK; 1407 ctx->error = X509_V_OK;
1531 if (!ctx->verify_cb(2, ctx)) 1408 if (!ctx->verify_cb(2, ctx))
1532 return 0; 1409 return 0;
1533 } 1410 }
1534 1411
1535 return 1; 1412 return 1;
1536 } 1413}
1537 1414
1538static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1415static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1539 { 1416{
1540 time_t *ptime; 1417 time_t *ptime;
1541 int i; 1418 int i;
1542 1419
@@ -1546,44 +1423,40 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1546 ptime = NULL; 1423 ptime = NULL;
1547 1424
1548 i=X509_cmp_time(X509_get_notBefore(x), ptime); 1425 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1549 if (i == 0) 1426 if (i == 0) {
1550 {
1551 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1427 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1552 ctx->current_cert=x; 1428 ctx->current_cert=x;
1553 if (!ctx->verify_cb(0, ctx)) 1429 if (!ctx->verify_cb(0, ctx))
1554 return 0; 1430 return 0;
1555 } 1431 }
1556 1432
1557 if (i > 0) 1433 if (i > 0) {
1558 {
1559 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; 1434 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1560 ctx->current_cert=x; 1435 ctx->current_cert=x;
1561 if (!ctx->verify_cb(0, ctx)) 1436 if (!ctx->verify_cb(0, ctx))
1562 return 0; 1437 return 0;
1563 } 1438 }
1564 1439
1565 i=X509_cmp_time(X509_get_notAfter(x), ptime); 1440 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1566 if (i == 0) 1441 if (i == 0) {
1567 {
1568 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1442 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1569 ctx->current_cert=x; 1443 ctx->current_cert=x;
1570 if (!ctx->verify_cb(0, ctx)) 1444 if (!ctx->verify_cb(0, ctx))
1571 return 0; 1445 return 0;
1572 } 1446 }
1573 1447
1574 if (i < 0) 1448 if (i < 0) {
1575 {
1576 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; 1449 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1577 ctx->current_cert=x; 1450 ctx->current_cert=x;
1578 if (!ctx->verify_cb(0, ctx)) 1451 if (!ctx->verify_cb(0, ctx))
1579 return 0; 1452 return 0;
1580 } 1453 }
1581 1454
1582 return 1; 1455 return 1;
1583 } 1456}
1584 1457
1585static int internal_verify(X509_STORE_CTX *ctx) 1458static int internal_verify(X509_STORE_CTX *ctx)
1586 { 1459{
1587 int ok=0,n; 1460 int ok=0,n;
1588 X509 *xs,*xi; 1461 X509 *xs,*xi;
1589 EVP_PKEY *pkey=NULL; 1462 EVP_PKEY *pkey=NULL;
@@ -1598,55 +1471,45 @@ static int internal_verify(X509_STORE_CTX *ctx)
1598 1471
1599 if (ctx->check_issued(ctx, xi, xi)) 1472 if (ctx->check_issued(ctx, xi, xi))
1600 xs=xi; 1473 xs=xi;
1601 else 1474 else {
1602 { 1475 if (n <= 0) {
1603 if (n <= 0)
1604 {
1605 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; 1476 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1606 ctx->current_cert=xi; 1477 ctx->current_cert=xi;
1607 ok=cb(0,ctx); 1478 ok=cb(0,ctx);
1608 goto end; 1479 goto end;
1609 } 1480 } else {
1610 else
1611 {
1612 n--; 1481 n--;
1613 ctx->error_depth=n; 1482 ctx->error_depth=n;
1614 xs=sk_X509_value(ctx->chain,n); 1483 xs=sk_X509_value(ctx->chain,n);
1615 }
1616 } 1484 }
1485 }
1617 1486
1618/* ctx->error=0; not needed */ 1487/* ctx->error=0; not needed */
1619 while (n >= 0) 1488 while (n >= 0) {
1620 {
1621 ctx->error_depth=n; 1489 ctx->error_depth=n;
1622 1490
1623 /* Skip signature check for self signed certificates unless 1491 /* Skip signature check for self signed certificates unless
1624 * explicitly asked for. It doesn't add any security and 1492 * explicitly asked for. It doesn't add any security and
1625 * just wastes time. 1493 * just wastes time.
1626 */ 1494 */
1627 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) 1495 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
1628 { 1496 if ((pkey=X509_get_pubkey(xi)) == NULL) {
1629 if ((pkey=X509_get_pubkey(xi)) == NULL)
1630 {
1631 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1497 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1632 ctx->current_cert=xi; 1498 ctx->current_cert=xi;
1633 ok=(*cb)(0,ctx); 1499 ok=(*cb)(0,ctx);
1634 if (!ok) goto end; 1500 if (!ok) goto end;
1635 } 1501 } else if (X509_verify(xs,pkey) <= 0) {
1636 else if (X509_verify(xs,pkey) <= 0)
1637 {
1638 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; 1502 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1639 ctx->current_cert=xs; 1503 ctx->current_cert=xs;
1640 ok=(*cb)(0,ctx); 1504 ok=(*cb)(0,ctx);
1641 if (!ok) 1505 if (!ok) {
1642 {
1643 EVP_PKEY_free(pkey); 1506 EVP_PKEY_free(pkey);
1644 goto end; 1507 goto end;
1645 }
1646 } 1508 }
1509 }
1647 EVP_PKEY_free(pkey); 1510 EVP_PKEY_free(pkey);
1648 pkey=NULL; 1511 pkey=NULL;
1649 } 1512 }
1650 1513
1651 xs->valid = 1; 1514 xs->valid = 1;
1652 1515
@@ -1661,16 +1524,15 @@ static int internal_verify(X509_STORE_CTX *ctx)
1661 if (!ok) goto end; 1524 if (!ok) goto end;
1662 1525
1663 n--; 1526 n--;
1664 if (n >= 0) 1527 if (n >= 0) {
1665 {
1666 xi=xs; 1528 xi=xs;
1667 xs=sk_X509_value(ctx->chain,n); 1529 xs=sk_X509_value(ctx->chain,n);
1668 }
1669 } 1530 }
1531 }
1670 ok=1; 1532 ok=1;
1671end: 1533end:
1672 return ok; 1534 return ok;
1673 } 1535}
1674 1536
1675int X509_cmp_current_time(const ASN1_TIME *ctm) 1537int X509_cmp_current_time(const ASN1_TIME *ctm)
1676{ 1538{
@@ -1678,7 +1540,7 @@ int X509_cmp_current_time(const ASN1_TIME *ctm)
1678} 1540}
1679 1541
1680int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 1542int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1681 { 1543{
1682 char *str; 1544 char *str;
1683 ASN1_TIME atm; 1545 ASN1_TIME atm;
1684 long offset; 1546 long offset;
@@ -1688,49 +1550,44 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1688 p=buff1; 1550 p=buff1;
1689 i=ctm->length; 1551 i=ctm->length;
1690 str=(char *)ctm->data; 1552 str=(char *)ctm->data;
1691 if (ctm->type == V_ASN1_UTCTIME) 1553 if (ctm->type == V_ASN1_UTCTIME) {
1692 {
1693 if ((i < 11) || (i > 17)) return 0; 1554 if ((i < 11) || (i > 17)) return 0;
1694 memcpy(p,str,10); 1555 memcpy(p,str,10);
1695 p+=10; 1556 p+=10;
1696 str+=10; 1557 str+=10;
1697 } 1558 } else {
1698 else
1699 {
1700 if (i < 13) return 0; 1559 if (i < 13) return 0;
1701 memcpy(p,str,12); 1560 memcpy(p,str,12);
1702 p+=12; 1561 p+=12;
1703 str+=12; 1562 str+=12;
1704 } 1563 }
1705 1564
1706 if ((*str == 'Z') || (*str == '-') || (*str == '+')) 1565 if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
1707 { *(p++)='0'; *(p++)='0'; } 1566 *(p++)='0';
1708 else 1567 *(p++)='0';
1709 { 1568 } else {
1710 *(p++)= *(str++); 1569 *(p++)= *(str++);
1711 *(p++)= *(str++); 1570 *(p++)= *(str++);
1712 /* Skip any fractional seconds... */ 1571 /* Skip any fractional seconds... */
1713 if (*str == '.') 1572 if (*str == '.') {
1714 {
1715 str++; 1573 str++;
1716 while ((*str >= '0') && (*str <= '9')) str++; 1574 while ((*str >= '0') && (*str <= '9')) str++;
1717 }
1718
1719 } 1575 }
1576
1577 }
1720 *(p++)='Z'; 1578 *(p++)='Z';
1721 *(p++)='\0'; 1579 *(p++)='\0';
1722 1580
1723 if (*str == 'Z') 1581 if (*str == 'Z')
1724 offset=0; 1582 offset=0;
1725 else 1583 else {
1726 {
1727 if ((*str != '+') && (*str != '-')) 1584 if ((*str != '+') && (*str != '-'))
1728 return 0; 1585 return 0;
1729 offset=((str[1]-'0')*10+(str[2]-'0'))*60; 1586 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1730 offset+=(str[3]-'0')*10+(str[4]-'0'); 1587 offset+=(str[3]-'0')*10+(str[4]-'0');
1731 if (*str == '-') 1588 if (*str == '-')
1732 offset= -offset; 1589 offset= -offset;
1733 } 1590 }
1734 atm.type=ctm->type; 1591 atm.type=ctm->type;
1735 atm.flags = 0; 1592 atm.flags = 0;
1736 atm.length=sizeof(buff2); 1593 atm.length=sizeof(buff2);
@@ -1739,8 +1596,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1739 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) 1596 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
1740 return 0; 1597 return 0;
1741 1598
1742 if (ctm->type == V_ASN1_UTCTIME) 1599 if (ctm->type == V_ASN1_UTCTIME) {
1743 {
1744 i=(buff1[0]-'0')*10+(buff1[1]-'0'); 1600 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1745 if (i < 50) i+=100; /* cf. RFC 2459 */ 1601 if (i < 50) i+=100; /* cf. RFC 2459 */
1746 j=(buff2[0]-'0')*10+(buff2[1]-'0'); 1602 j=(buff2[0]-'0')*10+(buff2[1]-'0');
@@ -1748,13 +1604,13 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1748 1604
1749 if (i < j) return -1; 1605 if (i < j) return -1;
1750 if (i > j) return 1; 1606 if (i > j) return 1;
1751 } 1607 }
1752 i=strcmp(buff1,buff2); 1608 i=strcmp(buff1,buff2);
1753 if (i == 0) /* wait a second then return younger :-) */ 1609 if (i == 0) /* wait a second then return younger :-) */
1754 return -1; 1610 return -1;
1755 else 1611 else
1756 return i; 1612 return i;
1757 } 1613}
1758 1614
1759ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) 1615ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1760{ 1616{
@@ -1762,168 +1618,161 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1762} 1618}
1763 1619
1764ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) 1620ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1765 { 1621{
1766 return X509_time_adj_ex(s, 0, offset_sec, in_tm); 1622 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1767 } 1623}
1768 1624
1769ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, 1625ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1770 int offset_day, long offset_sec, time_t *in_tm) 1626 int offset_day, long offset_sec, time_t *in_tm)
1771 { 1627{
1772 time_t t; 1628 time_t t;
1773 1629
1774 if (in_tm) t = *in_tm; 1630 if (in_tm) t = *in_tm;
1775 else time(&t); 1631 else time(&t);
1776 1632
1777 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) 1633 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
1778 {
1779 if (s->type == V_ASN1_UTCTIME) 1634 if (s->type == V_ASN1_UTCTIME)
1780 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); 1635 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1781 if (s->type == V_ASN1_GENERALIZEDTIME) 1636 if (s->type == V_ASN1_GENERALIZEDTIME)
1782 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, 1637 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1783 offset_sec); 1638 offset_sec);
1784 }
1785 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1786 } 1639 }
1640 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1641}
1787 1642
1788int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 1643int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1789 { 1644{
1790 EVP_PKEY *ktmp=NULL,*ktmp2; 1645 EVP_PKEY *ktmp=NULL,*ktmp2;
1791 int i,j; 1646 int i,j;
1792 1647
1793 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; 1648 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1794 1649
1795 for (i=0; i<sk_X509_num(chain); i++) 1650 for (i=0; i<sk_X509_num(chain); i++) {
1796 {
1797 ktmp=X509_get_pubkey(sk_X509_value(chain,i)); 1651 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1798 if (ktmp == NULL) 1652 if (ktmp == NULL) {
1799 {
1800 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 1653 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1801 return 0; 1654 return 0;
1802 } 1655 }
1803 if (!EVP_PKEY_missing_parameters(ktmp)) 1656 if (!EVP_PKEY_missing_parameters(ktmp))
1804 break; 1657 break;
1805 else 1658 else {
1806 {
1807 EVP_PKEY_free(ktmp); 1659 EVP_PKEY_free(ktmp);
1808 ktmp=NULL; 1660 ktmp=NULL;
1809 }
1810 } 1661 }
1811 if (ktmp == NULL) 1662 }
1812 { 1663 if (ktmp == NULL) {
1813 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 1664 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1814 return 0; 1665 return 0;
1815 } 1666 }
1816 1667
1817 /* first, populate the other certs */ 1668 /* first, populate the other certs */
1818 for (j=i-1; j >= 0; j--) 1669 for (j=i-1; j >= 0; j--) {
1819 {
1820 ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); 1670 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1821 EVP_PKEY_copy_parameters(ktmp2,ktmp); 1671 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1822 EVP_PKEY_free(ktmp2); 1672 EVP_PKEY_free(ktmp2);
1823 } 1673 }
1824 1674
1825 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); 1675 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1826 EVP_PKEY_free(ktmp); 1676 EVP_PKEY_free(ktmp);
1827 return 1; 1677 return 1;
1828 } 1678}
1829 1679
1830int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1680int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1831 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 1681 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1832 { 1682{
1833 /* This function is (usually) called only once, by 1683 /* This function is (usually) called only once, by
1834 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 1684 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1835 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, 1685 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1836 new_func, dup_func, free_func); 1686 new_func, dup_func, free_func);
1837 } 1687}
1838 1688
1839int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 1689int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1840 { 1690{
1841 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); 1691 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1842 } 1692}
1843 1693
1844void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 1694void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1845 { 1695{
1846 return CRYPTO_get_ex_data(&ctx->ex_data,idx); 1696 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1847 } 1697}
1848 1698
1849int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 1699int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1850 { 1700{
1851 return ctx->error; 1701 return ctx->error;
1852 } 1702}
1853 1703
1854void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 1704void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1855 { 1705{
1856 ctx->error=err; 1706 ctx->error=err;
1857 } 1707}
1858 1708
1859int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 1709int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1860 { 1710{
1861 return ctx->error_depth; 1711 return ctx->error_depth;
1862 } 1712}
1863 1713
1864X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 1714X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1865 { 1715{
1866 return ctx->current_cert; 1716 return ctx->current_cert;
1867 } 1717}
1868 1718
1869STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) 1719STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1870 { 1720{
1871 return ctx->chain; 1721 return ctx->chain;
1872 } 1722}
1873 1723
1874STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) 1724STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1875 { 1725{
1876 int i; 1726 int i;
1877 X509 *x; 1727 X509 *x;
1878 STACK_OF(X509) *chain; 1728 STACK_OF(X509) *chain;
1879 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; 1729 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1880 for (i = 0; i < sk_X509_num(chain); i++) 1730 for (i = 0; i < sk_X509_num(chain); i++) {
1881 {
1882 x = sk_X509_value(chain, i); 1731 x = sk_X509_value(chain, i);
1883 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1732 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1884 }
1885 return chain;
1886 } 1733 }
1734 return chain;
1735}
1887 1736
1888X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 1737X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1889 { 1738{
1890 return ctx->current_issuer; 1739 return ctx->current_issuer;
1891 } 1740}
1892 1741
1893X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 1742X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1894 { 1743{
1895 return ctx->current_crl; 1744 return ctx->current_crl;
1896 } 1745}
1897 1746
1898X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 1747X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1899 { 1748{
1900 return ctx->parent; 1749 return ctx->parent;
1901 } 1750}
1902 1751
1903void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 1752void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1904 { 1753{
1905 ctx->cert=x; 1754 ctx->cert=x;
1906 } 1755}
1907 1756
1908void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 1757void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1909 { 1758{
1910 ctx->untrusted=sk; 1759 ctx->untrusted=sk;
1911 } 1760}
1912 1761
1913void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 1762void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1914 { 1763{
1915 ctx->crls=sk; 1764 ctx->crls=sk;
1916 } 1765}
1917 1766
1918int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 1767int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1919 { 1768{
1920 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 1769 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1921 } 1770}
1922 1771
1923int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) 1772int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1924 { 1773{
1925 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); 1774 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1926 } 1775}
1927 1776
1928/* This function is used to set the X509_STORE_CTX purpose and trust 1777/* This function is used to set the X509_STORE_CTX purpose and trust
1929 * values. This is intended to be used when another structure has its 1778 * values. This is intended to be used when another structure has its
@@ -1942,41 +1791,35 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1942 /* If purpose not set use default */ 1791 /* If purpose not set use default */
1943 if (!purpose) purpose = def_purpose; 1792 if (!purpose) purpose = def_purpose;
1944 /* If we have a purpose then check it is valid */ 1793 /* If we have a purpose then check it is valid */
1945 if (purpose) 1794 if (purpose) {
1946 {
1947 X509_PURPOSE *ptmp; 1795 X509_PURPOSE *ptmp;
1948 idx = X509_PURPOSE_get_by_id(purpose); 1796 idx = X509_PURPOSE_get_by_id(purpose);
1949 if (idx == -1) 1797 if (idx == -1) {
1950 {
1951 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1798 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1952 X509_R_UNKNOWN_PURPOSE_ID); 1799 X509_R_UNKNOWN_PURPOSE_ID);
1953 return 0; 1800 return 0;
1954 } 1801 }
1955 ptmp = X509_PURPOSE_get0(idx); 1802 ptmp = X509_PURPOSE_get0(idx);
1956 if (ptmp->trust == X509_TRUST_DEFAULT) 1803 if (ptmp->trust == X509_TRUST_DEFAULT) {
1957 {
1958 idx = X509_PURPOSE_get_by_id(def_purpose); 1804 idx = X509_PURPOSE_get_by_id(def_purpose);
1959 if (idx == -1) 1805 if (idx == -1) {
1960 {
1961 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1806 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1962 X509_R_UNKNOWN_PURPOSE_ID); 1807 X509_R_UNKNOWN_PURPOSE_ID);
1963 return 0; 1808 return 0;
1964 }
1965 ptmp = X509_PURPOSE_get0(idx);
1966 } 1809 }
1810 ptmp = X509_PURPOSE_get0(idx);
1811 }
1967 /* If trust not set then get from purpose default */ 1812 /* If trust not set then get from purpose default */
1968 if (!trust) trust = ptmp->trust; 1813 if (!trust) trust = ptmp->trust;
1969 } 1814 }
1970 if (trust) 1815 if (trust) {
1971 {
1972 idx = X509_TRUST_get_by_id(trust); 1816 idx = X509_TRUST_get_by_id(trust);
1973 if (idx == -1) 1817 if (idx == -1) {
1974 {
1975 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1818 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1976 X509_R_UNKNOWN_TRUST_ID); 1819 X509_R_UNKNOWN_TRUST_ID);
1977 return 0; 1820 return 0;
1978 }
1979 } 1821 }
1822 }
1980 1823
1981 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; 1824 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1982 if (trust && !ctx->param->trust) ctx->param->trust = trust; 1825 if (trust && !ctx->param->trust) ctx->param->trust = trust;
@@ -1987,11 +1830,10 @@ X509_STORE_CTX *X509_STORE_CTX_new(void)
1987{ 1830{
1988 X509_STORE_CTX *ctx; 1831 X509_STORE_CTX *ctx;
1989 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); 1832 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
1990 if (!ctx) 1833 if (!ctx) {
1991 {
1992 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); 1834 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1993 return NULL; 1835 return NULL;
1994 } 1836 }
1995 memset(ctx, 0, sizeof(X509_STORE_CTX)); 1837 memset(ctx, 0, sizeof(X509_STORE_CTX));
1996 return ctx; 1838 return ctx;
1997} 1839}
@@ -2004,7 +1846,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2004 1846
2005int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 1847int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2006 STACK_OF(X509) *chain) 1848 STACK_OF(X509) *chain)
2007 { 1849{
2008 int ret = 1; 1850 int ret = 1;
2009 ctx->ctx=store; 1851 ctx->ctx=store;
2010 ctx->current_method=0; 1852 ctx->current_method=0;
@@ -2028,11 +1870,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2028 1870
2029 ctx->param = X509_VERIFY_PARAM_new(); 1871 ctx->param = X509_VERIFY_PARAM_new();
2030 1872
2031 if (!ctx->param) 1873 if (!ctx->param) {
2032 {
2033 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1874 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2034 return 0; 1875 return 0;
2035 } 1876 }
2036 1877
2037 /* Inherit callbacks and flags from X509_STORE if not set 1878 /* Inherit callbacks and flags from X509_STORE if not set
2038 * use defaults. 1879 * use defaults.
@@ -2044,23 +1885,20 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2044 else 1885 else
2045 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; 1886 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2046 1887
2047 if (store) 1888 if (store) {
2048 {
2049 ctx->verify_cb = store->verify_cb; 1889 ctx->verify_cb = store->verify_cb;
2050 ctx->cleanup = store->cleanup; 1890 ctx->cleanup = store->cleanup;
2051 } 1891 } else
2052 else
2053 ctx->cleanup = 0; 1892 ctx->cleanup = 0;
2054 1893
2055 if (ret) 1894 if (ret)
2056 ret = X509_VERIFY_PARAM_inherit(ctx->param, 1895 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2057 X509_VERIFY_PARAM_lookup("default")); 1896 X509_VERIFY_PARAM_lookup("default"));
2058 1897
2059 if (ret == 0) 1898 if (ret == 0) {
2060 {
2061 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1899 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2062 return 0; 1900 return 0;
2063 } 1901 }
2064 1902
2065 if (store && store->check_issued) 1903 if (store && store->check_issued)
2066 ctx->check_issued = store->check_issued; 1904 ctx->check_issued = store->check_issued;
@@ -2120,14 +1958,13 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2120 * corresponding "new" here and remove this bogus initialisation. */ 1958 * corresponding "new" here and remove this bogus initialisation. */
2121 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ 1959 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2122 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 1960 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2123 &(ctx->ex_data))) 1961 &(ctx->ex_data))) {
2124 {
2125 free(ctx); 1962 free(ctx);
2126 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1963 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2127 return 0; 1964 return 0;
2128 }
2129 return 1;
2130 } 1965 }
1966 return 1;
1967}
2131 1968
2132/* Set alternative lookup method: just a STACK of trusted certificates. 1969/* Set alternative lookup method: just a STACK of trusted certificates.
2133 * This avoids X509_STORE nastiness where it isn't needed. 1970 * This avoids X509_STORE nastiness where it isn't needed.
@@ -2140,79 +1977,76 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2140} 1977}
2141 1978
2142void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 1979void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2143 { 1980{
2144 if (ctx->cleanup) ctx->cleanup(ctx); 1981 if (ctx->cleanup) ctx->cleanup(ctx);
2145 if (ctx->param != NULL) 1982 if (ctx->param != NULL) {
2146 {
2147 if (ctx->parent == NULL) 1983 if (ctx->parent == NULL)
2148 X509_VERIFY_PARAM_free(ctx->param); 1984 X509_VERIFY_PARAM_free(ctx->param);
2149 ctx->param=NULL; 1985 ctx->param=NULL;
2150 } 1986 }
2151 if (ctx->tree != NULL) 1987 if (ctx->tree != NULL) {
2152 {
2153 X509_policy_tree_free(ctx->tree); 1988 X509_policy_tree_free(ctx->tree);
2154 ctx->tree=NULL; 1989 ctx->tree=NULL;
2155 } 1990 }
2156 if (ctx->chain != NULL) 1991 if (ctx->chain != NULL) {
2157 {
2158 sk_X509_pop_free(ctx->chain,X509_free); 1992 sk_X509_pop_free(ctx->chain,X509_free);
2159 ctx->chain=NULL; 1993 ctx->chain=NULL;
2160 } 1994 }
2161 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); 1995 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2162 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); 1996 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2163 } 1997}
2164 1998
2165void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 1999void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2166 { 2000{
2167 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2001 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2168 } 2002}
2169 2003
2170void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2004void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2171 { 2005{
2172 X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2006 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2173 } 2007}
2174 2008
2175void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2009void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2176 { 2010{
2177 X509_VERIFY_PARAM_set_time(ctx->param, t); 2011 X509_VERIFY_PARAM_set_time(ctx->param, t);
2178 } 2012}
2179 2013
2180void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2014void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2181 int (*verify_cb)(int, X509_STORE_CTX *)) 2015 int (*verify_cb)(int, X509_STORE_CTX *))
2182 { 2016{
2183 ctx->verify_cb=verify_cb; 2017 ctx->verify_cb=verify_cb;
2184 } 2018}
2185 2019
2186X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) 2020X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2187 { 2021{
2188 return ctx->tree; 2022 return ctx->tree;
2189 } 2023}
2190 2024
2191int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) 2025int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2192 { 2026{
2193 return ctx->explicit_policy; 2027 return ctx->explicit_policy;
2194 } 2028}
2195 2029
2196int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2030int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2197 { 2031{
2198 const X509_VERIFY_PARAM *param; 2032 const X509_VERIFY_PARAM *param;
2199 param = X509_VERIFY_PARAM_lookup(name); 2033 param = X509_VERIFY_PARAM_lookup(name);
2200 if (!param) 2034 if (!param)
2201 return 0; 2035 return 0;
2202 return X509_VERIFY_PARAM_inherit(ctx->param, param); 2036 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2203 } 2037}
2204 2038
2205X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2039X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2206 { 2040{
2207 return ctx->param; 2041 return ctx->param;
2208 } 2042}
2209 2043
2210void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2044void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2211 { 2045{
2212 if (ctx->param) 2046 if (ctx->param)
2213 X509_VERIFY_PARAM_free(ctx->param); 2047 X509_VERIFY_PARAM_free(ctx->param);
2214 ctx->param = param; 2048 ctx->param = param;
2215 } 2049}
2216 2050
2217IMPLEMENT_STACK_OF(X509) 2051IMPLEMENT_STACK_OF(X509)
2218IMPLEMENT_ASN1_SET_OF(X509) 2052IMPLEMENT_ASN1_SET_OF(X509)
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 5e3eba4029..7f0824f75e 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -68,7 +68,7 @@
68/* X509_VERIFY_PARAM functions */ 68/* X509_VERIFY_PARAM functions */
69 69
70static void x509_verify_param_zero(X509_VERIFY_PARAM *param) 70static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
71 { 71{
72 if (!param) 72 if (!param)
73 return; 73 return;
74 param->name = NULL; 74 param->name = NULL;
@@ -78,27 +78,26 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
78 param->inh_flags = 0; 78 param->inh_flags = 0;
79 param->flags = 0; 79 param->flags = 0;
80 param->depth = -1; 80 param->depth = -1;
81 if (param->policies) 81 if (param->policies) {
82 {
83 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 82 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
84 param->policies = NULL; 83 param->policies = NULL;
85 }
86 } 84 }
85}
87 86
88X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) 87X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
89 { 88{
90 X509_VERIFY_PARAM *param; 89 X509_VERIFY_PARAM *param;
91 param = malloc(sizeof(X509_VERIFY_PARAM)); 90 param = malloc(sizeof(X509_VERIFY_PARAM));
92 memset(param, 0, sizeof(X509_VERIFY_PARAM)); 91 memset(param, 0, sizeof(X509_VERIFY_PARAM));
93 x509_verify_param_zero(param); 92 x509_verify_param_zero(param);
94 return param; 93 return param;
95 } 94}
96 95
97void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) 96void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
98 { 97{
99 x509_verify_param_zero(param); 98 x509_verify_param_zero(param);
100 free(param); 99 free(param);
101 } 100}
102 101
103/* This function determines how parameters are "inherited" from one structure 102/* This function determines how parameters are "inherited" from one structure
104 * to another. There are several different ways this can happen. 103 * to another. There are several different ways this can happen.
@@ -146,7 +145,7 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
146 145
147int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, 146int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
148 const X509_VERIFY_PARAM *src) 147 const X509_VERIFY_PARAM *src)
149 { 148{
150 unsigned long inh_flags; 149 unsigned long inh_flags;
151 int to_default, to_overwrite; 150 int to_default, to_overwrite;
152 if (!src) 151 if (!src)
@@ -175,104 +174,101 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
175 174
176 /* If overwrite or check time not set, copy across */ 175 /* If overwrite or check time not set, copy across */
177 176
178 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) 177 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
179 {
180 dest->check_time = src->check_time; 178 dest->check_time = src->check_time;
181 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME; 179 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
182 /* Don't need to copy flag: that is done below */ 180 /* Don't need to copy flag: that is done below */
183 } 181 }
184 182
185 if (inh_flags & X509_VP_FLAG_RESET_FLAGS) 183 if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
186 dest->flags = 0; 184 dest->flags = 0;
187 185
188 dest->flags |= src->flags; 186 dest->flags |= src->flags;
189 187
190 if (test_x509_verify_param_copy(policies, NULL)) 188 if (test_x509_verify_param_copy(policies, NULL)) {
191 {
192 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) 189 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
193 return 0; 190 return 0;
194 } 191 }
195 192
196 return 1; 193 return 1;
197 } 194}
198 195
199int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 196int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
200 const X509_VERIFY_PARAM *from) 197 const X509_VERIFY_PARAM *from)
201 { 198{
202 unsigned long save_flags = to->inh_flags; 199 unsigned long save_flags = to->inh_flags;
203 int ret; 200 int ret;
204 to->inh_flags |= X509_VP_FLAG_DEFAULT; 201 to->inh_flags |= X509_VP_FLAG_DEFAULT;
205 ret = X509_VERIFY_PARAM_inherit(to, from); 202 ret = X509_VERIFY_PARAM_inherit(to, from);
206 to->inh_flags = save_flags; 203 to->inh_flags = save_flags;
207 return ret; 204 return ret;
208 } 205}
209 206
210int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) 207int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
211 { 208{
212 if (param->name) 209 if (param->name)
213 free(param->name); 210 free(param->name);
214 param->name = BUF_strdup(name); 211 param->name = BUF_strdup(name);
215 if (param->name) 212 if (param->name)
216 return 1; 213 return 1;
217 return 0; 214 return 0;
218 } 215}
219 216
220int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) 217int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
221 { 218{
222 param->flags |= flags; 219 param->flags |= flags;
223 if (flags & X509_V_FLAG_POLICY_MASK) 220 if (flags & X509_V_FLAG_POLICY_MASK)
224 param->flags |= X509_V_FLAG_POLICY_CHECK; 221 param->flags |= X509_V_FLAG_POLICY_CHECK;
225 return 1; 222 return 1;
226 } 223}
227 224
228int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) 225int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
229 { 226{
230 param->flags &= ~flags; 227 param->flags &= ~flags;
231 return 1; 228 return 1;
232 } 229}
233 230
234unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) 231unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
235 { 232{
236 return param->flags; 233 return param->flags;
237 } 234}
238 235
239int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) 236int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
240 { 237{
241 return X509_PURPOSE_set(&param->purpose, purpose); 238 return X509_PURPOSE_set(&param->purpose, purpose);
242 } 239}
243 240
244int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) 241int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
245 { 242{
246 return X509_TRUST_set(&param->trust, trust); 243 return X509_TRUST_set(&param->trust, trust);
247 } 244}
248 245
249void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) 246void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
250 { 247{
251 param->depth = depth; 248 param->depth = depth;
252 } 249}
253 250
254void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) 251void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
255 { 252{
256 param->check_time = t; 253 param->check_time = t;
257 param->flags |= X509_V_FLAG_USE_CHECK_TIME; 254 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
258 } 255}
259 256
260int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) 257int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
261 { 258{
262 if (!param->policies) 259 if (!param->policies) {
263 {
264 param->policies = sk_ASN1_OBJECT_new_null(); 260 param->policies = sk_ASN1_OBJECT_new_null();
265 if (!param->policies) 261 if (!param->policies)
266 return 0; 262 return 0;
267 } 263 }
268 if (!sk_ASN1_OBJECT_push(param->policies, policy)) 264 if (!sk_ASN1_OBJECT_push(param->policies, policy))
269 return 0; 265 return 0;
270 return 1; 266 return 1;
271 } 267}
272 268
273int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 269int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
274 STACK_OF(ASN1_OBJECT) *policies) 270 STACK_OF(ASN1_OBJECT) *policies)
275 { 271{
276 int i; 272 int i;
277 ASN1_OBJECT *oid, *doid; 273 ASN1_OBJECT *oid, *doid;
278 if (!param) 274 if (!param)
@@ -280,36 +276,33 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
280 if (param->policies) 276 if (param->policies)
281 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 277 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
282 278
283 if (!policies) 279 if (!policies) {
284 {
285 param->policies = NULL; 280 param->policies = NULL;
286 return 1; 281 return 1;
287 } 282 }
288 283
289 param->policies = sk_ASN1_OBJECT_new_null(); 284 param->policies = sk_ASN1_OBJECT_new_null();
290 if (!param->policies) 285 if (!param->policies)
291 return 0; 286 return 0;
292 287
293 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) 288 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
294 {
295 oid = sk_ASN1_OBJECT_value(policies, i); 289 oid = sk_ASN1_OBJECT_value(policies, i);
296 doid = OBJ_dup(oid); 290 doid = OBJ_dup(oid);
297 if (!doid) 291 if (!doid)
298 return 0; 292 return 0;
299 if (!sk_ASN1_OBJECT_push(param->policies, doid)) 293 if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
300 {
301 ASN1_OBJECT_free(doid); 294 ASN1_OBJECT_free(doid);
302 return 0; 295 return 0;
303 }
304 } 296 }
297 }
305 param->flags |= X509_V_FLAG_POLICY_CHECK; 298 param->flags |= X509_V_FLAG_POLICY_CHECK;
306 return 1; 299 return 1;
307 } 300}
308 301
309int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) 302int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
310 { 303{
311 return param->depth; 304 return param->depth;
312 } 305}
313 306
314/* Default verify parameters: these are used for various 307/* Default verify parameters: these are used for various
315 * applications and can be overridden by the user specified table. 308 * applications and can be overridden by the user specified table.
@@ -367,15 +360,16 @@ static const X509_VERIFY_PARAM default_table[] = {
367 X509_TRUST_SSL_SERVER, /* trust */ 360 X509_TRUST_SSL_SERVER, /* trust */
368 -1, /* depth */ 361 -1, /* depth */
369 NULL /* policies */ 362 NULL /* policies */
370 }}; 363 }
364};
371 365
372static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; 366static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
373 367
374static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) 368static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
375 369
376 { 370{
377 return strcmp(a->name, b->name); 371 return strcmp(a->name, b->name);
378 } 372}
379 373
380DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, 374DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
381 table); 375 table);
@@ -384,55 +378,50 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
384 378
385static int param_cmp(const X509_VERIFY_PARAM * const *a, 379static int param_cmp(const X509_VERIFY_PARAM * const *a,
386 const X509_VERIFY_PARAM * const *b) 380 const X509_VERIFY_PARAM * const *b)
387 { 381{
388 return strcmp((*a)->name, (*b)->name); 382 return strcmp((*a)->name, (*b)->name);
389 } 383}
390 384
391int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) 385int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
392 { 386{
393 int idx; 387 int idx;
394 X509_VERIFY_PARAM *ptmp; 388 X509_VERIFY_PARAM *ptmp;
395 if (!param_table) 389 if (!param_table) {
396 {
397 param_table = sk_X509_VERIFY_PARAM_new(param_cmp); 390 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
398 if (!param_table) 391 if (!param_table)
399 return 0; 392 return 0;
400 } 393 } else {
401 else
402 {
403 idx = sk_X509_VERIFY_PARAM_find(param_table, param); 394 idx = sk_X509_VERIFY_PARAM_find(param_table, param);
404 if (idx != -1) 395 if (idx != -1) {
405 {
406 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx); 396 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
407 X509_VERIFY_PARAM_free(ptmp); 397 X509_VERIFY_PARAM_free(ptmp);
408 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx); 398 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
409 }
410 } 399 }
400 }
411 if (!sk_X509_VERIFY_PARAM_push(param_table, param)) 401 if (!sk_X509_VERIFY_PARAM_push(param_table, param))
412 return 0; 402 return 0;
413 return 1; 403 return 1;
414 } 404}
415 405
416const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) 406const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
417 { 407{
418 int idx; 408 int idx;
419 X509_VERIFY_PARAM pm; 409 X509_VERIFY_PARAM pm;
420 410
421 pm.name = (char *)name; 411 pm.name = (char *)name;
422 if (param_table) 412 if (param_table) {
423 {
424 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm); 413 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
425 if (idx != -1) 414 if (idx != -1)
426 return sk_X509_VERIFY_PARAM_value(param_table, idx); 415 return sk_X509_VERIFY_PARAM_value(param_table, idx);
427 } 416 }
428 return OBJ_bsearch_table(&pm, default_table, 417 return OBJ_bsearch_table(&pm, default_table,
429 sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); 418 sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
430 } 419}
431 420
432void X509_VERIFY_PARAM_table_cleanup(void) 421void X509_VERIFY_PARAM_table_cleanup(void)
433 { 422{
434 if (param_table) 423 if (param_table)
435 sk_X509_VERIFY_PARAM_pop_free(param_table, 424 sk_X509_VERIFY_PARAM_pop_free(param_table,
436 X509_VERIFY_PARAM_free); 425 X509_VERIFY_PARAM_free);
437 param_table = NULL; 426 param_table = NULL;
438 } 427}
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
index 3109defb0b..bb39cf4e04 100644
--- a/src/lib/libcrypto/x509/x509cset.c
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -64,107 +64,97 @@
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int X509_CRL_set_version(X509_CRL *x, long version) 66int X509_CRL_set_version(X509_CRL *x, long version)
67 { 67{
68 if (x == NULL) return(0); 68 if (x == NULL) return(0);
69 if (x->crl->version == NULL) 69 if (x->crl->version == NULL) {
70 {
71 if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL) 70 if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0); 71 return(0);
73 }
74 return(ASN1_INTEGER_set(x->crl->version,version));
75 } 72 }
73 return(ASN1_INTEGER_set(x->crl->version,version));
74}
76 75
77int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) 76int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
78 { 77{
79 if ((x == NULL) || (x->crl == NULL)) return(0); 78 if ((x == NULL) || (x->crl == NULL)) return(0);
80 return(X509_NAME_set(&x->crl->issuer,name)); 79 return(X509_NAME_set(&x->crl->issuer,name));
81 } 80}
82 81
83 82
84int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) 83int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
85 { 84{
86 ASN1_TIME *in; 85 ASN1_TIME *in;
87 86
88 if (x == NULL) return(0); 87 if (x == NULL) return(0);
89 in=x->crl->lastUpdate; 88 in=x->crl->lastUpdate;
90 if (in != tm) 89 if (in != tm) {
91 {
92 in=M_ASN1_TIME_dup(tm); 90 in=M_ASN1_TIME_dup(tm);
93 if (in != NULL) 91 if (in != NULL) {
94 {
95 M_ASN1_TIME_free(x->crl->lastUpdate); 92 M_ASN1_TIME_free(x->crl->lastUpdate);
96 x->crl->lastUpdate=in; 93 x->crl->lastUpdate=in;
97 }
98 } 94 }
99 return(in != NULL);
100 } 95 }
96 return(in != NULL);
97}
101 98
102int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) 99int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
103 { 100{
104 ASN1_TIME *in; 101 ASN1_TIME *in;
105 102
106 if (x == NULL) return(0); 103 if (x == NULL) return(0);
107 in=x->crl->nextUpdate; 104 in=x->crl->nextUpdate;
108 if (in != tm) 105 if (in != tm) {
109 {
110 in=M_ASN1_TIME_dup(tm); 106 in=M_ASN1_TIME_dup(tm);
111 if (in != NULL) 107 if (in != NULL) {
112 {
113 M_ASN1_TIME_free(x->crl->nextUpdate); 108 M_ASN1_TIME_free(x->crl->nextUpdate);
114 x->crl->nextUpdate=in; 109 x->crl->nextUpdate=in;
115 }
116 } 110 }
117 return(in != NULL);
118 } 111 }
112 return(in != NULL);
113}
119 114
120int X509_CRL_sort(X509_CRL *c) 115int X509_CRL_sort(X509_CRL *c)
121 { 116{
122 int i; 117 int i;
123 X509_REVOKED *r; 118 X509_REVOKED *r;
124 /* sort the data so it will be written in serial 119 /* sort the data so it will be written in serial
125 * number order */ 120 * number order */
126 sk_X509_REVOKED_sort(c->crl->revoked); 121 sk_X509_REVOKED_sort(c->crl->revoked);
127 for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++) 122 for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++) {
128 {
129 r=sk_X509_REVOKED_value(c->crl->revoked,i); 123 r=sk_X509_REVOKED_value(c->crl->revoked,i);
130 r->sequence=i; 124 r->sequence=i;
131 } 125 }
132 c->crl->enc.modified = 1; 126 c->crl->enc.modified = 1;
133 return 1; 127 return 1;
134 } 128}
135 129
136int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) 130int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
137 { 131{
138 ASN1_TIME *in; 132 ASN1_TIME *in;
139 133
140 if (x == NULL) return(0); 134 if (x == NULL) return(0);
141 in=x->revocationDate; 135 in=x->revocationDate;
142 if (in != tm) 136 if (in != tm) {
143 {
144 in=M_ASN1_TIME_dup(tm); 137 in=M_ASN1_TIME_dup(tm);
145 if (in != NULL) 138 if (in != NULL) {
146 {
147 M_ASN1_TIME_free(x->revocationDate); 139 M_ASN1_TIME_free(x->revocationDate);
148 x->revocationDate=in; 140 x->revocationDate=in;
149 }
150 } 141 }
151 return(in != NULL);
152 } 142 }
143 return(in != NULL);
144}
153 145
154int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) 146int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
155 { 147{
156 ASN1_INTEGER *in; 148 ASN1_INTEGER *in;
157 149
158 if (x == NULL) return(0); 150 if (x == NULL) return(0);
159 in=x->serialNumber; 151 in=x->serialNumber;
160 if (in != serial) 152 if (in != serial) {
161 {
162 in=M_ASN1_INTEGER_dup(serial); 153 in=M_ASN1_INTEGER_dup(serial);
163 if (in != NULL) 154 if (in != NULL) {
164 {
165 M_ASN1_INTEGER_free(x->serialNumber); 155 M_ASN1_INTEGER_free(x->serialNumber);
166 x->serialNumber=in; 156 x->serialNumber=in;
167 }
168 } 157 }
169 return(in != NULL);
170 } 158 }
159 return(in != NULL);
160}
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
index 27bc4dc9a3..729fb060f8 100644
--- a/src/lib/libcrypto/x509/x509name.c
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -65,17 +65,17 @@
65#include <openssl/x509.h> 65#include <openssl/x509.h>
66 66
67int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) 67int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
68 { 68{
69 ASN1_OBJECT *obj; 69 ASN1_OBJECT *obj;
70 70
71 obj=OBJ_nid2obj(nid); 71 obj=OBJ_nid2obj(nid);
72 if (obj == NULL) return(-1); 72 if (obj == NULL) return(-1);
73 return(X509_NAME_get_text_by_OBJ(name,obj,buf,len)); 73 return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
74 } 74}
75 75
76int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, 76int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
77 int len) 77 int len)
78 { 78{
79 int i; 79 int i;
80 ASN1_STRING *data; 80 ASN1_STRING *data;
81 81
@@ -87,27 +87,27 @@ int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
87 memcpy(buf,data->data,i); 87 memcpy(buf,data->data,i);
88 buf[i]='\0'; 88 buf[i]='\0';
89 return(i); 89 return(i);
90 } 90}
91 91
92int X509_NAME_entry_count(X509_NAME *name) 92int X509_NAME_entry_count(X509_NAME *name)
93 { 93{
94 if (name == NULL) return(0); 94 if (name == NULL) return(0);
95 return(sk_X509_NAME_ENTRY_num(name->entries)); 95 return(sk_X509_NAME_ENTRY_num(name->entries));
96 } 96}
97 97
98int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos) 98int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
99 { 99{
100 ASN1_OBJECT *obj; 100 ASN1_OBJECT *obj;
101 101
102 obj=OBJ_nid2obj(nid); 102 obj=OBJ_nid2obj(nid);
103 if (obj == NULL) return(-2); 103 if (obj == NULL) return(-2);
104 return(X509_NAME_get_index_by_OBJ(name,obj,lastpos)); 104 return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
105 } 105}
106 106
107/* NOTE: you should be passsing -1, not 0 as lastpos */ 107/* NOTE: you should be passsing -1, not 0 as lastpos */
108int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, 108int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
109 int lastpos) 109 int lastpos)
110 { 110{
111 int n; 111 int n;
112 X509_NAME_ENTRY *ne; 112 X509_NAME_ENTRY *ne;
113 STACK_OF(X509_NAME_ENTRY) *sk; 113 STACK_OF(X509_NAME_ENTRY) *sk;
@@ -117,26 +117,25 @@ int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
117 lastpos= -1; 117 lastpos= -1;
118 sk=name->entries; 118 sk=name->entries;
119 n=sk_X509_NAME_ENTRY_num(sk); 119 n=sk_X509_NAME_ENTRY_num(sk);
120 for (lastpos++; lastpos < n; lastpos++) 120 for (lastpos++; lastpos < n; lastpos++) {
121 {
122 ne=sk_X509_NAME_ENTRY_value(sk,lastpos); 121 ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
123 if (OBJ_cmp(ne->object,obj) == 0) 122 if (OBJ_cmp(ne->object,obj) == 0)
124 return(lastpos); 123 return(lastpos);
125 }
126 return(-1);
127 } 124 }
125 return(-1);
126}
128 127
129X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc) 128X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
130 { 129{
131 if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc 130 if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
132 || loc < 0) 131 || loc < 0)
133 return(NULL); 132 return(NULL);
134 else 133 else
135 return(sk_X509_NAME_ENTRY_value(name->entries,loc)); 134 return(sk_X509_NAME_ENTRY_value(name->entries,loc));
136 } 135}
137 136
138X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) 137X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
139 { 138{
140 X509_NAME_ENTRY *ret; 139 X509_NAME_ENTRY *ret;
141 int i,n,set_prev,set_next; 140 int i,n,set_prev,set_next;
142 STACK_OF(X509_NAME_ENTRY) *sk; 141 STACK_OF(X509_NAME_ENTRY) *sk;
@@ -169,7 +168,7 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
169 for (i=loc; i<n; i++) 168 for (i=loc; i<n; i++)
170 sk_X509_NAME_ENTRY_value(sk,i)->set--; 169 sk_X509_NAME_ENTRY_value(sk,i)->set--;
171 return(ret); 170 return(ret);
172 } 171}
173 172
174int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, 173int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
175 unsigned char *bytes, int len, int loc, int set) 174 unsigned char *bytes, int len, int loc, int set)
@@ -211,7 +210,7 @@ int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
211 * prepend to the guy we are about to stomp on. */ 210 * prepend to the guy we are about to stomp on. */
212int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, 211int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
213 int set) 212 int set)
214 { 213{
215 X509_NAME_ENTRY *new_name=NULL; 214 X509_NAME_ENTRY *new_name=NULL;
216 int n,i,inc; 215 int n,i,inc;
217 STACK_OF(X509_NAME_ENTRY) *sk; 216 STACK_OF(X509_NAME_ENTRY) *sk;
@@ -224,101 +223,87 @@ int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
224 223
225 name->modified=1; 224 name->modified=1;
226 225
227 if (set == -1) 226 if (set == -1) {
228 { 227 if (loc == 0) {
229 if (loc == 0)
230 {
231 set=0; 228 set=0;
232 inc=1; 229 inc=1;
233 } 230 } else {
234 else
235 {
236 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set; 231 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
237 inc=0; 232 inc=0;
238 }
239 } 233 }
240 else /* if (set >= 0) */ 234 } else /* if (set >= 0) */ {
241 { 235 if (loc >= n) {
242 if (loc >= n)
243 {
244 if (loc != 0) 236 if (loc != 0)
245 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1; 237 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
246 else 238 else
247 set=0; 239 set=0;
248 } 240 } else
249 else
250 set=sk_X509_NAME_ENTRY_value(sk,loc)->set; 241 set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
251 inc=(set == 0)?1:0; 242 inc=(set == 0)?1:0;
252 } 243 }
253 244
254 if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL) 245 if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
255 goto err; 246 goto err;
256 new_name->set=set; 247 new_name->set=set;
257 if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) 248 if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) {
258 {
259 X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE); 249 X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
260 goto err; 250 goto err;
261 } 251 }
262 if (inc) 252 if (inc) {
263 {
264 n=sk_X509_NAME_ENTRY_num(sk); 253 n=sk_X509_NAME_ENTRY_num(sk);
265 for (i=loc+1; i<n; i++) 254 for (i=loc+1; i<n; i++)
266 sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1; 255 sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
267 } 256 }
268 return(1); 257 return(1);
269err: 258err:
270 if (new_name != NULL) 259 if (new_name != NULL)
271 X509_NAME_ENTRY_free(new_name); 260 X509_NAME_ENTRY_free(new_name);
272 return(0); 261 return(0);
273 } 262}
274 263
275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, 264X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
276 const char *field, int type, const unsigned char *bytes, int len) 265 const char *field, int type, const unsigned char *bytes, int len)
277 { 266{
278 ASN1_OBJECT *obj; 267 ASN1_OBJECT *obj;
279 X509_NAME_ENTRY *nentry; 268 X509_NAME_ENTRY *nentry;
280 269
281 obj=OBJ_txt2obj(field, 0); 270 obj=OBJ_txt2obj(field, 0);
282 if (obj == NULL) 271 if (obj == NULL) {
283 {
284 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT, 272 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
285 X509_R_INVALID_FIELD_NAME); 273 X509_R_INVALID_FIELD_NAME);
286 ERR_add_error_data(2, "name=", field); 274 ERR_add_error_data(2, "name=", field);
287 return(NULL); 275 return(NULL);
288 } 276 }
289 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len); 277 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
290 ASN1_OBJECT_free(obj); 278 ASN1_OBJECT_free(obj);
291 return nentry; 279 return nentry;
292 } 280}
293 281
294X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, 282X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
295 int type, unsigned char *bytes, int len) 283 int type, unsigned char *bytes, int len)
296 { 284{
297 ASN1_OBJECT *obj; 285 ASN1_OBJECT *obj;
298 X509_NAME_ENTRY *nentry; 286 X509_NAME_ENTRY *nentry;
299 287
300 obj=OBJ_nid2obj(nid); 288 obj=OBJ_nid2obj(nid);
301 if (obj == NULL) 289 if (obj == NULL) {
302 {
303 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID); 290 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
304 return(NULL); 291 return(NULL);
305 } 292 }
306 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len); 293 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
307 ASN1_OBJECT_free(obj); 294 ASN1_OBJECT_free(obj);
308 return nentry; 295 return nentry;
309 } 296}
310 297
311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, 298X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
312 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) 299 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
313 { 300{
314 X509_NAME_ENTRY *ret; 301 X509_NAME_ENTRY *ret;
315 302
316 if ((ne == NULL) || (*ne == NULL)) 303 if ((ne == NULL) || (*ne == NULL)) {
317 {
318 if ((ret=X509_NAME_ENTRY_new()) == NULL) 304 if ((ret=X509_NAME_ENTRY_new()) == NULL)
319 return(NULL); 305 return(NULL);
320 } 306 } else
321 else
322 ret= *ne; 307 ret= *ne;
323 308
324 if (!X509_NAME_ENTRY_set_object(ret,obj)) 309 if (!X509_NAME_ENTRY_set_object(ret,obj))
@@ -332,23 +317,22 @@ err:
332 if ((ne == NULL) || (ret != *ne)) 317 if ((ne == NULL) || (ret != *ne))
333 X509_NAME_ENTRY_free(ret); 318 X509_NAME_ENTRY_free(ret);
334 return(NULL); 319 return(NULL);
335 } 320}
336 321
337int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj) 322int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
338 { 323{
339 if ((ne == NULL) || (obj == NULL)) 324 if ((ne == NULL) || (obj == NULL)) {
340 {
341 X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER); 325 X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
342 return(0); 326 return(0);
343 } 327 }
344 ASN1_OBJECT_free(ne->object); 328 ASN1_OBJECT_free(ne->object);
345 ne->object=OBJ_dup(obj); 329 ne->object=OBJ_dup(obj);
346 return((ne->object == NULL)?0:1); 330 return((ne->object == NULL)?0:1);
347 } 331}
348 332
349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 333int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
350 const unsigned char *bytes, int len) 334 const unsigned char *bytes, int len)
351 { 335{
352 int i; 336 int i;
353 337
354 if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0); 338 if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
@@ -359,25 +343,24 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
359 if (len < 0) len=strlen((const char *)bytes); 343 if (len < 0) len=strlen((const char *)bytes);
360 i=ASN1_STRING_set(ne->value,bytes,len); 344 i=ASN1_STRING_set(ne->value,bytes,len);
361 if (!i) return(0); 345 if (!i) return(0);
362 if (type != V_ASN1_UNDEF) 346 if (type != V_ASN1_UNDEF) {
363 {
364 if (type == V_ASN1_APP_CHOOSE) 347 if (type == V_ASN1_APP_CHOOSE)
365 ne->value->type=ASN1_PRINTABLE_type(bytes,len); 348 ne->value->type=ASN1_PRINTABLE_type(bytes,len);
366 else 349 else
367 ne->value->type=type; 350 ne->value->type=type;
368 }
369 return(1);
370 } 351 }
352 return(1);
353}
371 354
372ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne) 355ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
373 { 356{
374 if (ne == NULL) return(NULL); 357 if (ne == NULL) return(NULL);
375 return(ne->object); 358 return(ne->object);
376 } 359}
377 360
378ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne) 361ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
379 { 362{
380 if (ne == NULL) return(NULL); 363 if (ne == NULL) return(NULL);
381 return(ne->value); 364 return(ne->value);
382 } 365}
383 366
diff --git a/src/lib/libcrypto/x509/x509rset.c b/src/lib/libcrypto/x509/x509rset.c
index d9f6b57372..fab93cce97 100644
--- a/src/lib/libcrypto/x509/x509rset.c
+++ b/src/lib/libcrypto/x509/x509rset.c
@@ -64,20 +64,20 @@
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int X509_REQ_set_version(X509_REQ *x, long version) 66int X509_REQ_set_version(X509_REQ *x, long version)
67 { 67{
68 if (x == NULL) return(0); 68 if (x == NULL) return(0);
69 return(ASN1_INTEGER_set(x->req_info->version,version)); 69 return(ASN1_INTEGER_set(x->req_info->version,version));
70 } 70}
71 71
72int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) 72int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
73 { 73{
74 if ((x == NULL) || (x->req_info == NULL)) return(0); 74 if ((x == NULL) || (x->req_info == NULL)) return(0);
75 return(X509_NAME_set(&x->req_info->subject,name)); 75 return(X509_NAME_set(&x->req_info->subject,name));
76 } 76}
77 77
78int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) 78int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
79 { 79{
80 if ((x == NULL) || (x->req_info == NULL)) return(0); 80 if ((x == NULL) || (x->req_info == NULL)) return(0);
81 return(X509_PUBKEY_set(&x->req_info->pubkey,pkey)); 81 return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
82 } 82}
83 83
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
index 9702ec5310..ff06cfcab9 100644
--- a/src/lib/libcrypto/x509/x509type.c
+++ b/src/lib/libcrypto/x509/x509type.c
@@ -63,7 +63,7 @@
63#include <openssl/x509.h> 63#include <openssl/x509.h>
64 64
65int X509_certificate_type(X509 *x, EVP_PKEY *pkey) 65int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
66 { 66{
67 EVP_PKEY *pk; 67 EVP_PKEY *pk;
68 int ret=0,i; 68 int ret=0,i;
69 69
@@ -76,8 +76,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
76 76
77 if (pk == NULL) return(0); 77 if (pk == NULL) return(0);
78 78
79 switch (pk->type) 79 switch (pk->type) {
80 {
81 case EVP_PKEY_RSA: 80 case EVP_PKEY_RSA:
82 ret=EVP_PK_RSA|EVP_PKT_SIGN; 81 ret=EVP_PK_RSA|EVP_PKT_SIGN;
83/* if (!sign only extension) */ 82/* if (!sign only extension) */
@@ -98,14 +97,12 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
98 break; 97 break;
99 default: 98 default:
100 break; 99 break;
101 } 100 }
102 101
103 i=OBJ_obj2nid(x->sig_alg->algorithm); 102 i=OBJ_obj2nid(x->sig_alg->algorithm);
104 if (i && OBJ_find_sigid_algs(i, NULL, &i)) 103 if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
105 {
106 104
107 switch (i) 105 switch (i) {
108 {
109 case NID_rsaEncryption: 106 case NID_rsaEncryption:
110 case NID_rsa: 107 case NID_rsa:
111 ret|=EVP_PKS_RSA; 108 ret|=EVP_PKS_RSA;
@@ -119,13 +116,13 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
119 break; 116 break;
120 default: 117 default:
121 break; 118 break;
122 }
123 } 119 }
120 }
124 121
125 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look 122 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
126 for, not bytes */ 123 for, not bytes */
127 ret|=EVP_PKT_EXP; 124 ret|=EVP_PKT_EXP;
128 if(pkey==NULL) EVP_PKEY_free(pk); 125 if(pkey==NULL) EVP_PKEY_free(pk);
129 return(ret); 126 return(ret);
130 } 127}
131 128
diff --git a/src/lib/libssl/src/crypto/x509/x509_att.c b/src/lib/libssl/src/crypto/x509/x509_att.c
index 98460e8921..7f924fbe39 100644
--- a/src/lib/libssl/src/crypto/x509/x509_att.c
+++ b/src/lib/libssl/src/crypto/x509/x509_att.c
@@ -91,8 +91,7 @@ int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
91 if (lastpos < 0) 91 if (lastpos < 0)
92 lastpos=0; 92 lastpos=0;
93 n=sk_X509_ATTRIBUTE_num(sk); 93 n=sk_X509_ATTRIBUTE_num(sk);
94 for ( ; lastpos < n; lastpos++) 94 for ( ; lastpos < n; lastpos++) {
95 {
96 ex=sk_X509_ATTRIBUTE_value(sk,lastpos); 95 ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
97 if (OBJ_cmp(ex->object,obj) == 0) 96 if (OBJ_cmp(ex->object,obj) == 0)
98 return(lastpos); 97 return(lastpos);
@@ -124,18 +123,15 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
124 X509_ATTRIBUTE *new_attr=NULL; 123 X509_ATTRIBUTE *new_attr=NULL;
125 STACK_OF(X509_ATTRIBUTE) *sk=NULL; 124 STACK_OF(X509_ATTRIBUTE) *sk=NULL;
126 125
127 if (x == NULL) 126 if (x == NULL) {
128 {
129 X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER); 127 X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
130 goto err2; 128 goto err2;
131 } 129 }
132 130
133 if (*x == NULL) 131 if (*x == NULL) {
134 {
135 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL) 132 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
136 goto err; 133 goto err;
137 } 134 } else
138 else
139 sk= *x; 135 sk= *x;
140 136
141 if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL) 137 if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
@@ -215,11 +211,10 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
215 X509_ATTRIBUTE *ret; 211 X509_ATTRIBUTE *ret;
216 212
217 obj=OBJ_nid2obj(nid); 213 obj=OBJ_nid2obj(nid);
218 if (obj == NULL) 214 if (obj == NULL) {
219 {
220 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID); 215 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
221 return(NULL); 216 return(NULL);
222 } 217 }
223 ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len); 218 ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
224 if (ret == NULL) ASN1_OBJECT_free(obj); 219 if (ret == NULL) ASN1_OBJECT_free(obj);
225 return(ret); 220 return(ret);
@@ -230,14 +225,12 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
230{ 225{
231 X509_ATTRIBUTE *ret; 226 X509_ATTRIBUTE *ret;
232 227
233 if ((attr == NULL) || (*attr == NULL)) 228 if ((attr == NULL) || (*attr == NULL)) {
234 { 229 if ((ret=X509_ATTRIBUTE_new()) == NULL) {
235 if ((ret=X509_ATTRIBUTE_new()) == NULL)
236 {
237 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); 230 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
238 return(NULL); 231 return(NULL);
239 }
240 } 232 }
233 }
241 else 234 else
242 ret= *attr; 235 ret= *attr;
243 236
@@ -256,22 +249,21 @@ err:
256 249
257X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr, 250X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
258 const char *atrname, int type, const unsigned char *bytes, int len) 251 const char *atrname, int type, const unsigned char *bytes, int len)
259 { 252{
260 ASN1_OBJECT *obj; 253 ASN1_OBJECT *obj;
261 X509_ATTRIBUTE *nattr; 254 X509_ATTRIBUTE *nattr;
262 255
263 obj=OBJ_txt2obj(atrname, 0); 256 obj=OBJ_txt2obj(atrname, 0);
264 if (obj == NULL) 257 if (obj == NULL) {
265 {
266 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT, 258 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
267 X509_R_INVALID_FIELD_NAME); 259 X509_R_INVALID_FIELD_NAME);
268 ERR_add_error_data(2, "name=", atrname); 260 ERR_add_error_data(2, "name=", atrname);
269 return(NULL); 261 return(NULL);
270 } 262 }
271 nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len); 263 nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
272 ASN1_OBJECT_free(obj); 264 ASN1_OBJECT_free(obj);
273 return nattr; 265 return nattr;
274 } 266}
275 267
276int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) 268int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
277{ 269{
@@ -310,12 +302,10 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
310 if (attrtype == 0) 302 if (attrtype == 0)
311 return 1; 303 return 1;
312 if(!(ttmp = ASN1_TYPE_new())) goto err; 304 if(!(ttmp = ASN1_TYPE_new())) goto err;
313 if ((len == -1) && !(attrtype & MBSTRING_FLAG)) 305 if ((len == -1) && !(attrtype & MBSTRING_FLAG)) {
314 {
315 if (!ASN1_TYPE_set1(ttmp, attrtype, data)) 306 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
316 goto err; 307 goto err;
317 } 308 } else
318 else
319 ASN1_TYPE_set(ttmp, atype, stmp); 309 ASN1_TYPE_set(ttmp, atype, stmp);
320 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err; 310 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
321 return 1; 311 return 1;
diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c
index 2f1b8953e5..87c4596414 100644
--- a/src/lib/libssl/src/crypto/x509/x509_cmp.c
+++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c
@@ -65,7 +65,7 @@
65#include <openssl/x509v3.h> 65#include <openssl/x509v3.h>
66 66
67int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) 67int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
68 { 68{
69 int i; 69 int i;
70 X509_CINF *ai,*bi; 70 X509_CINF *ai,*bi;
71 71
@@ -74,11 +74,11 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
74 i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber); 74 i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
75 if (i) return(i); 75 if (i) return(i);
76 return(X509_NAME_cmp(ai->issuer,bi->issuer)); 76 return(X509_NAME_cmp(ai->issuer,bi->issuer));
77 } 77}
78 78
79#ifndef OPENSSL_NO_MD5 79#ifndef OPENSSL_NO_MD5
80unsigned long X509_issuer_and_serial_hash(X509 *a) 80unsigned long X509_issuer_and_serial_hash(X509 *a)
81 { 81{
82 unsigned long ret=0; 82 unsigned long ret=0;
83 EVP_MD_CTX ctx; 83 EVP_MD_CTX ctx;
84 unsigned char md[16]; 84 unsigned char md[16];
@@ -102,68 +102,68 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
102 err: 102 err:
103 EVP_MD_CTX_cleanup(&ctx); 103 EVP_MD_CTX_cleanup(&ctx);
104 return(ret); 104 return(ret);
105 } 105}
106#endif 106#endif
107 107
108int X509_issuer_name_cmp(const X509 *a, const X509 *b) 108int X509_issuer_name_cmp(const X509 *a, const X509 *b)
109 { 109{
110 return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer)); 110 return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
111 } 111}
112 112
113int X509_subject_name_cmp(const X509 *a, const X509 *b) 113int X509_subject_name_cmp(const X509 *a, const X509 *b)
114 { 114{
115 return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject)); 115 return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
116 } 116}
117 117
118int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) 118int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
119 { 119{
120 return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer)); 120 return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
121 } 121}
122 122
123#ifndef OPENSSL_NO_SHA 123#ifndef OPENSSL_NO_SHA
124int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) 124int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
125 { 125{
126 return memcmp(a->sha1_hash, b->sha1_hash, 20); 126 return memcmp(a->sha1_hash, b->sha1_hash, 20);
127 } 127}
128#endif 128#endif
129 129
130X509_NAME *X509_get_issuer_name(X509 *a) 130X509_NAME *X509_get_issuer_name(X509 *a)
131 { 131{
132 return(a->cert_info->issuer); 132 return(a->cert_info->issuer);
133 } 133}
134 134
135unsigned long X509_issuer_name_hash(X509 *x) 135unsigned long X509_issuer_name_hash(X509 *x)
136 { 136{
137 return(X509_NAME_hash(x->cert_info->issuer)); 137 return(X509_NAME_hash(x->cert_info->issuer));
138 } 138}
139 139
140#ifndef OPENSSL_NO_MD5 140#ifndef OPENSSL_NO_MD5
141unsigned long X509_issuer_name_hash_old(X509 *x) 141unsigned long X509_issuer_name_hash_old(X509 *x)
142 { 142{
143 return(X509_NAME_hash_old(x->cert_info->issuer)); 143 return(X509_NAME_hash_old(x->cert_info->issuer));
144 } 144}
145#endif 145#endif
146 146
147X509_NAME *X509_get_subject_name(X509 *a) 147X509_NAME *X509_get_subject_name(X509 *a)
148 { 148{
149 return(a->cert_info->subject); 149 return(a->cert_info->subject);
150 } 150}
151 151
152ASN1_INTEGER *X509_get_serialNumber(X509 *a) 152ASN1_INTEGER *X509_get_serialNumber(X509 *a)
153 { 153{
154 return(a->cert_info->serialNumber); 154 return(a->cert_info->serialNumber);
155 } 155}
156 156
157unsigned long X509_subject_name_hash(X509 *x) 157unsigned long X509_subject_name_hash(X509 *x)
158 { 158{
159 return(X509_NAME_hash(x->cert_info->subject)); 159 return(X509_NAME_hash(x->cert_info->subject));
160 } 160}
161 161
162#ifndef OPENSSL_NO_MD5 162#ifndef OPENSSL_NO_MD5
163unsigned long X509_subject_name_hash_old(X509 *x) 163unsigned long X509_subject_name_hash_old(X509 *x)
164 { 164{
165 return(X509_NAME_hash_old(x->cert_info->subject)); 165 return(X509_NAME_hash_old(x->cert_info->subject));
166 } 166}
167#endif 167#endif
168 168
169#ifndef OPENSSL_NO_SHA 169#ifndef OPENSSL_NO_SHA
@@ -188,24 +188,22 @@ int X509_cmp(const X509 *a, const X509 *b)
188 188
189 189
190int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) 190int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
191 { 191{
192 int ret; 192 int ret;
193 193
194 /* Ensure canonical encoding is present and up to date */ 194 /* Ensure canonical encoding is present and up to date */
195 195
196 if (!a->canon_enc || a->modified) 196 if (!a->canon_enc || a->modified) {
197 {
198 ret = i2d_X509_NAME((X509_NAME *)a, NULL); 197 ret = i2d_X509_NAME((X509_NAME *)a, NULL);
199 if (ret < 0) 198 if (ret < 0)
200 return -2; 199 return -2;
201 } 200 }
202 201
203 if (!b->canon_enc || b->modified) 202 if (!b->canon_enc || b->modified) {
204 {
205 ret = i2d_X509_NAME((X509_NAME *)b, NULL); 203 ret = i2d_X509_NAME((X509_NAME *)b, NULL);
206 if (ret < 0) 204 if (ret < 0)
207 return -2; 205 return -2;
208 } 206 }
209 207
210 ret = a->canon_enclen - b->canon_enclen; 208 ret = a->canon_enclen - b->canon_enclen;
211 209
@@ -214,10 +212,10 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
214 212
215 return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); 213 return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
216 214
217 } 215}
218 216
219unsigned long X509_NAME_hash(X509_NAME *x) 217unsigned long X509_NAME_hash(X509_NAME *x)
220 { 218{
221 unsigned long ret=0; 219 unsigned long ret=0;
222 unsigned char md[SHA_DIGEST_LENGTH]; 220 unsigned char md[SHA_DIGEST_LENGTH];
223 221
@@ -231,7 +229,7 @@ unsigned long X509_NAME_hash(X509_NAME *x)
231 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) 229 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
232 )&0xffffffffL; 230 )&0xffffffffL;
233 return(ret); 231 return(ret);
234 } 232}
235 233
236 234
237#ifndef OPENSSL_NO_MD5 235#ifndef OPENSSL_NO_MD5
@@ -239,7 +237,7 @@ unsigned long X509_NAME_hash(X509_NAME *x)
239 * this is reasonably efficient. */ 237 * this is reasonably efficient. */
240 238
241unsigned long X509_NAME_hash_old(X509_NAME *x) 239unsigned long X509_NAME_hash_old(X509_NAME *x)
242 { 240{
243 EVP_MD_CTX md_ctx; 241 EVP_MD_CTX md_ctx;
244 unsigned long ret=0; 242 unsigned long ret=0;
245 unsigned char md[16]; 243 unsigned char md[16];
@@ -257,13 +255,13 @@ unsigned long X509_NAME_hash_old(X509_NAME *x)
257 EVP_MD_CTX_cleanup(&md_ctx); 255 EVP_MD_CTX_cleanup(&md_ctx);
258 256
259 return(ret); 257 return(ret);
260 } 258}
261#endif 259#endif
262 260
263/* Search a stack of X509 for a match */ 261/* Search a stack of X509 for a match */
264X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, 262X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
265 ASN1_INTEGER *serial) 263 ASN1_INTEGER *serial)
266 { 264{
267 int i; 265 int i;
268 X509_CINF cinf; 266 X509_CINF cinf;
269 X509 x,*x509=NULL; 267 X509 x,*x509=NULL;
@@ -274,44 +272,42 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
274 cinf.serialNumber=serial; 272 cinf.serialNumber=serial;
275 cinf.issuer=name; 273 cinf.issuer=name;
276 274
277 for (i=0; i<sk_X509_num(sk); i++) 275 for (i=0; i<sk_X509_num(sk); i++) {
278 {
279 x509=sk_X509_value(sk,i); 276 x509=sk_X509_value(sk,i);
280 if (X509_issuer_and_serial_cmp(x509,&x) == 0) 277 if (X509_issuer_and_serial_cmp(x509,&x) == 0)
281 return(x509); 278 return(x509);
282 }
283 return(NULL);
284 } 279 }
280 return(NULL);
281}
285 282
286X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name) 283X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
287 { 284{
288 X509 *x509; 285 X509 *x509;
289 int i; 286 int i;
290 287
291 for (i=0; i<sk_X509_num(sk); i++) 288 for (i=0; i<sk_X509_num(sk); i++) {
292 {
293 x509=sk_X509_value(sk,i); 289 x509=sk_X509_value(sk,i);
294 if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0) 290 if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
295 return(x509); 291 return(x509);
296 }
297 return(NULL);
298 } 292 }
293 return(NULL);
294}
299 295
300EVP_PKEY *X509_get_pubkey(X509 *x) 296EVP_PKEY *X509_get_pubkey(X509 *x)
301 { 297{
302 if ((x == NULL) || (x->cert_info == NULL)) 298 if ((x == NULL) || (x->cert_info == NULL))
303 return(NULL); 299 return(NULL);
304 return(X509_PUBKEY_get(x->cert_info->key)); 300 return(X509_PUBKEY_get(x->cert_info->key));
305 } 301}
306 302
307ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) 303ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
308 { 304{
309 if(!x) return NULL; 305 if(!x) return NULL;
310 return x->cert_info->key->public_key; 306 return x->cert_info->key->public_key;
311 } 307}
312 308
313int X509_check_private_key(X509 *x, EVP_PKEY *k) 309int X509_check_private_key(X509 *x, EVP_PKEY *k)
314 { 310{
315 EVP_PKEY *xk; 311 EVP_PKEY *xk;
316 int ret; 312 int ret;
317 313
@@ -322,8 +318,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
322 else 318 else
323 ret = -2; 319 ret = -2;
324 320
325 switch (ret) 321 switch (ret) {
326 {
327 case 1: 322 case 1:
328 break; 323 break;
329 case 0: 324 case 0:
@@ -334,10 +329,10 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
334 break; 329 break;
335 case -2: 330 case -2:
336 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); 331 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
337 } 332 }
338 if (xk) 333 if (xk)
339 EVP_PKEY_free(xk); 334 EVP_PKEY_free(xk);
340 if (ret > 0) 335 if (ret > 0)
341 return 1; 336 return 1;
342 return 0; 337 return 0;
343 } 338}
diff --git a/src/lib/libssl/src/crypto/x509/x509_d2.c b/src/lib/libssl/src/crypto/x509/x509_d2.c
index 51410cfd1a..ed051093ac 100644
--- a/src/lib/libssl/src/crypto/x509/x509_d2.c
+++ b/src/lib/libssl/src/crypto/x509/x509_d2.c
@@ -63,7 +63,7 @@
63 63
64#ifndef OPENSSL_NO_STDIO 64#ifndef OPENSSL_NO_STDIO
65int X509_STORE_set_default_paths(X509_STORE *ctx) 65int X509_STORE_set_default_paths(X509_STORE *ctx)
66 { 66{
67 X509_LOOKUP *lookup; 67 X509_LOOKUP *lookup;
68 68
69 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); 69 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
@@ -78,30 +78,28 @@ int X509_STORE_set_default_paths(X509_STORE *ctx)
78 ERR_clear_error(); 78 ERR_clear_error();
79 79
80 return(1); 80 return(1);
81 } 81}
82 82
83int X509_STORE_load_locations(X509_STORE *ctx, const char *file, 83int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
84 const char *path) 84 const char *path)
85 { 85{
86 X509_LOOKUP *lookup; 86 X509_LOOKUP *lookup;
87 87
88 if (file != NULL) 88 if (file != NULL) {
89 {
90 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); 89 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
91 if (lookup == NULL) return(0); 90 if (lookup == NULL) return(0);
92 if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1) 91 if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
93 return(0); 92 return(0);
94 } 93 }
95 if (path != NULL) 94 if (path != NULL) {
96 {
97 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir()); 95 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
98 if (lookup == NULL) return(0); 96 if (lookup == NULL) return(0);
99 if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1) 97 if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
100 return(0); 98 return(0);
101 } 99 }
102 if ((path == NULL) && (file == NULL)) 100 if ((path == NULL) && (file == NULL))
103 return(0); 101 return(0);
104 return(1); 102 return(1);
105 } 103}
106 104
107#endif 105#endif
diff --git a/src/lib/libssl/src/crypto/x509/x509_err.c b/src/lib/libssl/src/crypto/x509/x509_err.c
index a01402f416..ab5e8aaea2 100644
--- a/src/lib/libssl/src/crypto/x509/x509_err.c
+++ b/src/lib/libssl/src/crypto/x509/x509_err.c
@@ -69,7 +69,7 @@
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason) 69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
70 70
71static ERR_STRING_DATA X509_str_functs[]= 71static ERR_STRING_DATA X509_str_functs[]=
72 { 72{
73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"}, 73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"}, 74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
75{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"}, 75{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
@@ -116,10 +116,10 @@ static ERR_STRING_DATA X509_str_functs[]=
116{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"}, 116{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
117{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"}, 117{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"},
118{0,NULL} 118{0,NULL}
119 }; 119};
120 120
121static ERR_STRING_DATA X509_str_reasons[]= 121static ERR_STRING_DATA X509_str_reasons[]=
122 { 122{
123{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"}, 123{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"},
124{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"}, 124{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"},
125{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"}, 125{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"},
@@ -147,18 +147,17 @@ static ERR_STRING_DATA X509_str_reasons[]=
147{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"}, 147{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"},
148{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"}, 148{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"},
149{0,NULL} 149{0,NULL}
150 }; 150};
151 151
152#endif 152#endif
153 153
154void ERR_load_X509_strings(void) 154void ERR_load_X509_strings(void)
155 { 155{
156#ifndef OPENSSL_NO_ERR 156#ifndef OPENSSL_NO_ERR
157 157
158 if (ERR_func_error_string(X509_str_functs[0].error) == NULL) 158 if (ERR_func_error_string(X509_str_functs[0].error) == NULL) {
159 {
160 ERR_load_strings(0,X509_str_functs); 159 ERR_load_strings(0,X509_str_functs);
161 ERR_load_strings(0,X509_str_reasons); 160 ERR_load_strings(0,X509_str_reasons);
162 }
163#endif
164 } 161 }
162#endif
163}
diff --git a/src/lib/libssl/src/crypto/x509/x509_ext.c b/src/lib/libssl/src/crypto/x509/x509_ext.c
index e7fdacb5e4..bdc489f367 100644
--- a/src/lib/libssl/src/crypto/x509/x509_ext.c
+++ b/src/lib/libssl/src/crypto/x509/x509_ext.c
@@ -67,34 +67,34 @@
67 67
68 68
69int X509_CRL_get_ext_count(X509_CRL *x) 69int X509_CRL_get_ext_count(X509_CRL *x)
70 { 70{
71 return(X509v3_get_ext_count(x->crl->extensions)); 71 return(X509v3_get_ext_count(x->crl->extensions));
72 } 72}
73 73
74int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos) 74int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
75 { 75{
76 return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos)); 76 return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
77 } 77}
78 78
79int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos) 79int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
80 { 80{
81 return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos)); 81 return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
82 } 82}
83 83
84int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos) 84int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
85 { 85{
86 return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos)); 86 return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
87 } 87}
88 88
89X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc) 89X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
90 { 90{
91 return(X509v3_get_ext(x->crl->extensions,loc)); 91 return(X509v3_get_ext(x->crl->extensions,loc));
92 } 92}
93 93
94X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc) 94X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
95 { 95{
96 return(X509v3_delete_ext(x->crl->extensions,loc)); 96 return(X509v3_delete_ext(x->crl->extensions,loc));
97 } 97}
98 98
99void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx) 99void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
100{ 100{
@@ -108,44 +108,44 @@ int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
108} 108}
109 109
110int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc) 110int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
111 { 111{
112 return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL); 112 return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
113 } 113}
114 114
115int X509_get_ext_count(X509 *x) 115int X509_get_ext_count(X509 *x)
116 { 116{
117 return(X509v3_get_ext_count(x->cert_info->extensions)); 117 return(X509v3_get_ext_count(x->cert_info->extensions));
118 } 118}
119 119
120int X509_get_ext_by_NID(X509 *x, int nid, int lastpos) 120int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
121 { 121{
122 return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos)); 122 return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
123 } 123}
124 124
125int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos) 125int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
126 { 126{
127 return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos)); 127 return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
128 } 128}
129 129
130int X509_get_ext_by_critical(X509 *x, int crit, int lastpos) 130int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
131 { 131{
132 return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos)); 132 return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
133 } 133}
134 134
135X509_EXTENSION *X509_get_ext(X509 *x, int loc) 135X509_EXTENSION *X509_get_ext(X509 *x, int loc)
136 { 136{
137 return(X509v3_get_ext(x->cert_info->extensions,loc)); 137 return(X509v3_get_ext(x->cert_info->extensions,loc));
138 } 138}
139 139
140X509_EXTENSION *X509_delete_ext(X509 *x, int loc) 140X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
141 { 141{
142 return(X509v3_delete_ext(x->cert_info->extensions,loc)); 142 return(X509v3_delete_ext(x->cert_info->extensions,loc));
143 } 143}
144 144
145int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc) 145int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
146 { 146{
147 return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL); 147 return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
148 } 148}
149 149
150void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx) 150void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
151{ 151{
@@ -160,40 +160,40 @@ int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
160} 160}
161 161
162int X509_REVOKED_get_ext_count(X509_REVOKED *x) 162int X509_REVOKED_get_ext_count(X509_REVOKED *x)
163 { 163{
164 return(X509v3_get_ext_count(x->extensions)); 164 return(X509v3_get_ext_count(x->extensions));
165 } 165}
166 166
167int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos) 167int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
168 { 168{
169 return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos)); 169 return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
170 } 170}
171 171
172int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj, 172int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
173 int lastpos) 173 int lastpos)
174 { 174{
175 return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos)); 175 return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
176 } 176}
177 177
178int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos) 178int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
179 { 179{
180 return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos)); 180 return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
181 } 181}
182 182
183X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc) 183X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
184 { 184{
185 return(X509v3_get_ext(x->extensions,loc)); 185 return(X509v3_get_ext(x->extensions,loc));
186 } 186}
187 187
188X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc) 188X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
189 { 189{
190 return(X509v3_delete_ext(x->extensions,loc)); 190 return(X509v3_delete_ext(x->extensions,loc));
191 } 191}
192 192
193int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc) 193int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
194 { 194{
195 return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL); 195 return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
196 } 196}
197 197
198void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx) 198void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
199{ 199{
diff --git a/src/lib/libssl/src/crypto/x509/x509_lu.c b/src/lib/libssl/src/crypto/x509/x509_lu.c
index 38b034bfee..a89cd70313 100644
--- a/src/lib/libssl/src/crypto/x509/x509_lu.c
+++ b/src/lib/libssl/src/crypto/x509/x509_lu.c
@@ -63,7 +63,7 @@
63#include <openssl/x509v3.h> 63#include <openssl/x509v3.h>
64 64
65X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) 65X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
66 { 66{
67 X509_LOOKUP *ret; 67 X509_LOOKUP *ret;
68 68
69 ret=(X509_LOOKUP *)malloc(sizeof(X509_LOOKUP)); 69 ret=(X509_LOOKUP *)malloc(sizeof(X509_LOOKUP));
@@ -74,50 +74,49 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
74 ret->method=method; 74 ret->method=method;
75 ret->method_data=NULL; 75 ret->method_data=NULL;
76 ret->store_ctx=NULL; 76 ret->store_ctx=NULL;
77 if ((method->new_item != NULL) && !method->new_item(ret)) 77 if ((method->new_item != NULL) && !method->new_item(ret)) {
78 {
79 free(ret); 78 free(ret);
80 return NULL; 79 return NULL;
81 }
82 return ret;
83 } 80 }
81 return ret;
82}
84 83
85void X509_LOOKUP_free(X509_LOOKUP *ctx) 84void X509_LOOKUP_free(X509_LOOKUP *ctx)
86 { 85{
87 if (ctx == NULL) return; 86 if (ctx == NULL) return;
88 if ( (ctx->method != NULL) && 87 if ( (ctx->method != NULL) &&
89 (ctx->method->free != NULL)) 88 (ctx->method->free != NULL))
90 (*ctx->method->free)(ctx); 89 (*ctx->method->free)(ctx);
91 free(ctx); 90 free(ctx);
92 } 91}
93 92
94int X509_LOOKUP_init(X509_LOOKUP *ctx) 93int X509_LOOKUP_init(X509_LOOKUP *ctx)
95 { 94{
96 if (ctx->method == NULL) return 0; 95 if (ctx->method == NULL) return 0;
97 if (ctx->method->init != NULL) 96 if (ctx->method->init != NULL)
98 return ctx->method->init(ctx); 97 return ctx->method->init(ctx);
99 else 98 else
100 return 1; 99 return 1;
101 } 100}
102 101
103int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) 102int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
104 { 103{
105 if (ctx->method == NULL) return 0; 104 if (ctx->method == NULL) return 0;
106 if (ctx->method->shutdown != NULL) 105 if (ctx->method->shutdown != NULL)
107 return ctx->method->shutdown(ctx); 106 return ctx->method->shutdown(ctx);
108 else 107 else
109 return 1; 108 return 1;
110 } 109}
111 110
112int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, 111int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
113 char **ret) 112 char **ret)
114 { 113{
115 if (ctx->method == NULL) return -1; 114 if (ctx->method == NULL) return -1;
116 if (ctx->method->ctrl != NULL) 115 if (ctx->method->ctrl != NULL)
117 return ctx->method->ctrl(ctx,cmd,argc,argl,ret); 116 return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
118 else 117 else
119 return 1; 118 return 1;
120 } 119}
121 120
122int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, 121int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
123 X509_OBJECT *ret) 122 X509_OBJECT *ret)
@@ -126,42 +125,41 @@ int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
126 return X509_LU_FAIL; 125 return X509_LU_FAIL;
127 if (ctx->skip) return 0; 126 if (ctx->skip) return 0;
128 return ctx->method->get_by_subject(ctx,type,name,ret); 127 return ctx->method->get_by_subject(ctx,type,name,ret);
129 } 128}
130 129
131int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, 130int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
132 ASN1_INTEGER *serial, X509_OBJECT *ret) 131 ASN1_INTEGER *serial, X509_OBJECT *ret)
133 { 132{
134 if ((ctx->method == NULL) || 133 if ((ctx->method == NULL) ||
135 (ctx->method->get_by_issuer_serial == NULL)) 134 (ctx->method->get_by_issuer_serial == NULL))
136 return X509_LU_FAIL; 135 return X509_LU_FAIL;
137 return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret); 136 return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
138 } 137}
139 138
140int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, 139int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
141 unsigned char *bytes, int len, X509_OBJECT *ret) 140 unsigned char *bytes, int len, X509_OBJECT *ret)
142 { 141{
143 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) 142 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
144 return X509_LU_FAIL; 143 return X509_LU_FAIL;
145 return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret); 144 return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
146 } 145}
147 146
148int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, 147int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
149 X509_OBJECT *ret) 148 X509_OBJECT *ret)
150 { 149{
151 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) 150 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
152 return X509_LU_FAIL; 151 return X509_LU_FAIL;
153 return ctx->method->get_by_alias(ctx,type,str,len,ret); 152 return ctx->method->get_by_alias(ctx,type,str,len,ret);
154 } 153}
155 154
156 155
157static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b) 156static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
158 { 157 {
159 int ret; 158 int ret;
160 159
161 ret=((*a)->type - (*b)->type); 160 ret=((*a)->type - (*b)->type);
162 if (ret) return ret; 161 if (ret) return ret;
163 switch ((*a)->type) 162 switch ((*a)->type) {
164 {
165 case X509_LU_X509: 163 case X509_LU_X509:
166 ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509); 164 ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
167 break; 165 break;
@@ -171,12 +169,12 @@ static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * con
171 default: 169 default:
172 /* abort(); */ 170 /* abort(); */
173 return 0; 171 return 0;
174 }
175 return ret;
176 } 172 }
173 return ret;
174}
177 175
178X509_STORE *X509_STORE_new(void) 176X509_STORE *X509_STORE_new(void)
179 { 177{
180 X509_STORE *ret; 178 X509_STORE *ret;
181 179
182 if ((ret=(X509_STORE *)malloc(sizeof(X509_STORE))) == NULL) 180 if ((ret=(X509_STORE *)malloc(sizeof(X509_STORE))) == NULL)
@@ -191,7 +189,7 @@ X509_STORE *X509_STORE_new(void)
191 sk_X509_OBJECT_free(ret->objs); 189 sk_X509_OBJECT_free(ret->objs);
192 free(ret); 190 free(ret);
193 return NULL; 191 return NULL;
194 } 192}
195 193
196 ret->get_issuer = 0; 194 ret->get_issuer = 0;
197 ret->check_issued = 0; 195 ret->check_issued = 0;
@@ -203,37 +201,31 @@ X509_STORE *X509_STORE_new(void)
203 ret->lookup_crls = 0; 201 ret->lookup_crls = 0;
204 ret->cleanup = 0; 202 ret->cleanup = 0;
205 203
206 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) 204 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) {
207 {
208 sk_X509_OBJECT_free(ret->objs); 205 sk_X509_OBJECT_free(ret->objs);
209 free(ret); 206 free(ret);
210 return NULL; 207 return NULL;
211 } 208 }
212 209
213 ret->references=1; 210 ret->references=1;
214 return ret; 211 return ret;
215 } 212}
216 213
217static void cleanup(X509_OBJECT *a) 214static void cleanup(X509_OBJECT *a)
218 { 215{
219 if (a->type == X509_LU_X509) 216 if (a->type == X509_LU_X509) {
220 {
221 X509_free(a->data.x509); 217 X509_free(a->data.x509);
222 } 218 } else if (a->type == X509_LU_CRL) {
223 else if (a->type == X509_LU_CRL)
224 {
225 X509_CRL_free(a->data.crl); 219 X509_CRL_free(a->data.crl);
226 } 220 } else {
227 else
228 {
229 /* abort(); */ 221 /* abort(); */
230 } 222 }
231 223
232 free(a); 224 free(a);
233 } 225}
234 226
235void X509_STORE_free(X509_STORE *vfy) 227void X509_STORE_free(X509_STORE *vfy)
236 { 228{
237 int i; 229 int i;
238 STACK_OF(X509_LOOKUP) *sk; 230 STACK_OF(X509_LOOKUP) *sk;
239 X509_LOOKUP *lu; 231 X509_LOOKUP *lu;
@@ -242,12 +234,11 @@ void X509_STORE_free(X509_STORE *vfy)
242 return; 234 return;
243 235
244 sk=vfy->get_cert_methods; 236 sk=vfy->get_cert_methods;
245 for (i=0; i<sk_X509_LOOKUP_num(sk); i++) 237 for (i=0; i<sk_X509_LOOKUP_num(sk); i++) {
246 {
247 lu=sk_X509_LOOKUP_value(sk,i); 238 lu=sk_X509_LOOKUP_value(sk,i);
248 X509_LOOKUP_shutdown(lu); 239 X509_LOOKUP_shutdown(lu);
249 X509_LOOKUP_free(lu); 240 X509_LOOKUP_free(lu);
250 } 241 }
251 sk_X509_LOOKUP_free(sk); 242 sk_X509_LOOKUP_free(sk);
252 sk_X509_OBJECT_pop_free(vfy->objs, cleanup); 243 sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
253 244
@@ -255,43 +246,39 @@ void X509_STORE_free(X509_STORE *vfy)
255 if (vfy->param) 246 if (vfy->param)
256 X509_VERIFY_PARAM_free(vfy->param); 247 X509_VERIFY_PARAM_free(vfy->param);
257 free(vfy); 248 free(vfy);
258 } 249}
259 250
260X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) 251X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
261 { 252{
262 int i; 253 int i;
263 STACK_OF(X509_LOOKUP) *sk; 254 STACK_OF(X509_LOOKUP) *sk;
264 X509_LOOKUP *lu; 255 X509_LOOKUP *lu;
265 256
266 sk=v->get_cert_methods; 257 sk=v->get_cert_methods;
267 for (i=0; i<sk_X509_LOOKUP_num(sk); i++) 258 for (i=0; i<sk_X509_LOOKUP_num(sk); i++) {
268 {
269 lu=sk_X509_LOOKUP_value(sk,i); 259 lu=sk_X509_LOOKUP_value(sk,i);
270 if (m == lu->method) 260 if (m == lu->method) {
271 {
272 return lu; 261 return lu;
273 }
274 } 262 }
263 }
275 /* a new one */ 264 /* a new one */
276 lu=X509_LOOKUP_new(m); 265 lu=X509_LOOKUP_new(m);
277 if (lu == NULL) 266 if (lu == NULL)
278 return NULL; 267 return NULL;
279 else 268 else {
280 {
281 lu->store_ctx=v; 269 lu->store_ctx=v;
282 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu)) 270 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
283 return lu; 271 return lu;
284 else 272 else {
285 {
286 X509_LOOKUP_free(lu); 273 X509_LOOKUP_free(lu);
287 return NULL; 274 return NULL;
288 }
289 } 275 }
290 } 276 }
277}
291 278
292int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, 279int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
293 X509_OBJECT *ret) 280 X509_OBJECT *ret)
294 { 281{
295 X509_STORE *ctx=vs->ctx; 282 X509_STORE *ctx=vs->ctx;
296 X509_LOOKUP *lu; 283 X509_LOOKUP *lu;
297 X509_OBJECT stmp,*tmp; 284 X509_OBJECT stmp,*tmp;
@@ -301,27 +288,22 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
301 tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name); 288 tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
302 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 289 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
303 290
304 if (tmp == NULL || type == X509_LU_CRL) 291 if (tmp == NULL || type == X509_LU_CRL) {
305 { 292 for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
306 for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
307 {
308 lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i); 293 lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
309 j=X509_LOOKUP_by_subject(lu,type,name,&stmp); 294 j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
310 if (j < 0) 295 if (j < 0) {
311 {
312 vs->current_method=j; 296 vs->current_method=j;
313 return j; 297 return j;
314 } 298 } else if (j) {
315 else if (j)
316 {
317 tmp= &stmp; 299 tmp= &stmp;
318 break; 300 break;
319 }
320 } 301 }
302 }
321 vs->current_method=0; 303 vs->current_method=0;
322 if (tmp == NULL) 304 if (tmp == NULL)
323 return 0; 305 return 0;
324 } 306 }
325 307
326/* if (ret->data.ptr != NULL) 308/* if (ret->data.ptr != NULL)
327 X509_OBJECT_free_contents(ret); */ 309 X509_OBJECT_free_contents(ret); */
@@ -332,20 +314,19 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
332 X509_OBJECT_up_ref_count(ret); 314 X509_OBJECT_up_ref_count(ret);
333 315
334 return 1; 316 return 1;
335 } 317}
336 318
337int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) 319int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
338 { 320{
339 X509_OBJECT *obj; 321 X509_OBJECT *obj;
340 int ret=1; 322 int ret=1;
341 323
342 if (x == NULL) return 0; 324 if (x == NULL) return 0;
343 obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT)); 325 obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT));
344 if (obj == NULL) 326 if (obj == NULL) {
345 {
346 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE); 327 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
347 return 0; 328 return 0;
348 } 329 }
349 obj->type=X509_LU_X509; 330 obj->type=X509_LU_X509;
350 obj->data.x509=x; 331 obj->data.x509=x;
351 332
@@ -353,32 +334,30 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
353 334
354 X509_OBJECT_up_ref_count(obj); 335 X509_OBJECT_up_ref_count(obj);
355 336
356 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) 337 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
357 {
358 X509_OBJECT_free_contents(obj); 338 X509_OBJECT_free_contents(obj);
359 free(obj); 339 free(obj);
360 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE); 340 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
361 ret=0; 341 ret=0;
362 } 342 }
363 else sk_X509_OBJECT_push(ctx->objs, obj); 343 else sk_X509_OBJECT_push(ctx->objs, obj);
364 344
365 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 345 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
366 346
367 return ret; 347 return ret;
368 } 348}
369 349
370int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) 350int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
371 { 351{
372 X509_OBJECT *obj; 352 X509_OBJECT *obj;
373 int ret=1; 353 int ret=1;
374 354
375 if (x == NULL) return 0; 355 if (x == NULL) return 0;
376 obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT)); 356 obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT));
377 if (obj == NULL) 357 if (obj == NULL) {
378 {
379 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE); 358 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
380 return 0; 359 return 0;
381 } 360 }
382 obj->type=X509_LU_CRL; 361 obj->type=X509_LU_CRL;
383 obj->data.crl=x; 362 obj->data.crl=x;
384 363
@@ -386,49 +365,46 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
386 365
387 X509_OBJECT_up_ref_count(obj); 366 X509_OBJECT_up_ref_count(obj);
388 367
389 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) 368 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
390 {
391 X509_OBJECT_free_contents(obj); 369 X509_OBJECT_free_contents(obj);
392 free(obj); 370 free(obj);
393 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE); 371 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
394 ret=0; 372 ret=0;
395 } 373 } else
396 else sk_X509_OBJECT_push(ctx->objs, obj); 374 sk_X509_OBJECT_push(ctx->objs, obj);
397 375
398 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 376 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
399 377
400 return ret; 378 return ret;
401 } 379}
402 380
403void X509_OBJECT_up_ref_count(X509_OBJECT *a) 381void X509_OBJECT_up_ref_count(X509_OBJECT *a)
404 { 382{
405 switch (a->type) 383 switch (a->type) {
406 {
407 case X509_LU_X509: 384 case X509_LU_X509:
408 CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509); 385 CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
409 break; 386 break;
410 case X509_LU_CRL: 387 case X509_LU_CRL:
411 CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL); 388 CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
412 break; 389 break;
413 }
414 } 390 }
391}
415 392
416void X509_OBJECT_free_contents(X509_OBJECT *a) 393void X509_OBJECT_free_contents(X509_OBJECT *a)
417 { 394{
418 switch (a->type) 395 switch (a->type) {
419 {
420 case X509_LU_X509: 396 case X509_LU_X509:
421 X509_free(a->data.x509); 397 X509_free(a->data.x509);
422 break; 398 break;
423 case X509_LU_CRL: 399 case X509_LU_CRL:
424 X509_CRL_free(a->data.crl); 400 X509_CRL_free(a->data.crl);
425 break; 401 break;
426 }
427 } 402 }
403}
428 404
429static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, 405static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
430 X509_NAME *name, int *pnmatch) 406 X509_NAME *name, int *pnmatch)
431 { 407{
432 X509_OBJECT stmp; 408 X509_OBJECT stmp;
433 X509 x509_s; 409 X509 x509_s;
434 X509_CINF cinf_s; 410 X509_CINF cinf_s;
@@ -437,8 +413,7 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
437 int idx; 413 int idx;
438 414
439 stmp.type=type; 415 stmp.type=type;
440 switch (type) 416 switch (type) {
441 {
442 case X509_LU_X509: 417 case X509_LU_X509:
443 stmp.data.x509= &x509_s; 418 stmp.data.x509= &x509_s;
444 x509_s.cert_info= &cinf_s; 419 x509_s.cert_info= &cinf_s;
@@ -452,44 +427,42 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
452 default: 427 default:
453 /* abort(); */ 428 /* abort(); */
454 return -1; 429 return -1;
455 } 430 }
456 431
457 idx = sk_X509_OBJECT_find(h,&stmp); 432 idx = sk_X509_OBJECT_find(h,&stmp);
458 if (idx >= 0 && pnmatch) 433 if (idx >= 0 && pnmatch) {
459 {
460 int tidx; 434 int tidx;
461 const X509_OBJECT *tobj, *pstmp; 435 const X509_OBJECT *tobj, *pstmp;
462 *pnmatch = 1; 436 *pnmatch = 1;
463 pstmp = &stmp; 437 pstmp = &stmp;
464 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) 438 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) {
465 {
466 tobj = sk_X509_OBJECT_value(h, tidx); 439 tobj = sk_X509_OBJECT_value(h, tidx);
467 if (x509_object_cmp(&tobj, &pstmp)) 440 if (x509_object_cmp(&tobj, &pstmp))
468 break; 441 break;
469 (*pnmatch)++; 442 (*pnmatch)++;
470 }
471 } 443 }
472 return idx;
473 } 444 }
445 return idx;
446}
474 447
475 448
476int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, 449int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
477 X509_NAME *name) 450 X509_NAME *name)
478 { 451{
479 return x509_object_idx_cnt(h, type, name, NULL); 452 return x509_object_idx_cnt(h, type, name, NULL);
480 } 453}
481 454
482X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, 455X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
483 X509_NAME *name) 456 X509_NAME *name)
484 { 457{
485 int idx; 458 int idx;
486 idx = X509_OBJECT_idx_by_subject(h, type, name); 459 idx = X509_OBJECT_idx_by_subject(h, type, name);
487 if (idx==-1) return NULL; 460 if (idx==-1) return NULL;
488 return sk_X509_OBJECT_value(h, idx); 461 return sk_X509_OBJECT_value(h, idx);
489 } 462}
490 463
491STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) 464STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
492 { 465{
493 int i, idx, cnt; 466 int i, idx, cnt;
494 STACK_OF(X509) *sk; 467 STACK_OF(X509) *sk;
495 X509 *x; 468 X509 *x;
@@ -497,48 +470,43 @@ STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
497 sk = sk_X509_new_null(); 470 sk = sk_X509_new_null();
498 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); 471 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
499 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); 472 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
500 if (idx < 0) 473 if (idx < 0) {
501 {
502 /* Nothing found in cache: do lookup to possibly add new 474 /* Nothing found in cache: do lookup to possibly add new
503 * objects to cache 475 * objects to cache
504 */ 476 */
505 X509_OBJECT xobj; 477 X509_OBJECT xobj;
506 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 478 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
507 if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) 479 if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
508 {
509 sk_X509_free(sk); 480 sk_X509_free(sk);
510 return NULL; 481 return NULL;
511 } 482 }
512 X509_OBJECT_free_contents(&xobj); 483 X509_OBJECT_free_contents(&xobj);
513 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); 484 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
514 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt); 485 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
515 if (idx < 0) 486 if (idx < 0) {
516 {
517 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 487 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
518 sk_X509_free(sk); 488 sk_X509_free(sk);
519 return NULL; 489 return NULL;
520 }
521 } 490 }
522 for (i = 0; i < cnt; i++, idx++) 491 }
523 { 492 for (i = 0; i < cnt; i++, idx++) {
524 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); 493 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
525 x = obj->data.x509; 494 x = obj->data.x509;
526 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 495 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
527 if (!sk_X509_push(sk, x)) 496 if (!sk_X509_push(sk, x)) {
528 {
529 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 497 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
530 X509_free(x); 498 X509_free(x);
531 sk_X509_pop_free(sk, X509_free); 499 sk_X509_pop_free(sk, X509_free);
532 return NULL; 500 return NULL;
533 }
534 } 501 }
502 }
535 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 503 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
536 return sk; 504 return sk;
537 505
538 } 506}
539 507
540STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) 508STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
541 { 509{
542 int i, idx, cnt; 510 int i, idx, cnt;
543 STACK_OF(X509_CRL) *sk; 511 STACK_OF(X509_CRL) *sk;
544 X509_CRL *x; 512 X509_CRL *x;
@@ -551,66 +519,57 @@ STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
551 /* Always do lookup to possibly add new CRLs to cache 519 /* Always do lookup to possibly add new CRLs to cache
552 */ 520 */
553 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 521 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
554 if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) 522 if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {
555 {
556 sk_X509_CRL_free(sk); 523 sk_X509_CRL_free(sk);
557 return NULL; 524 return NULL;
558 } 525 }
559 X509_OBJECT_free_contents(&xobj); 526 X509_OBJECT_free_contents(&xobj);
560 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); 527 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
561 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt); 528 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
562 if (idx < 0) 529 if (idx < 0) {
563 {
564 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 530 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
565 sk_X509_CRL_free(sk); 531 sk_X509_CRL_free(sk);
566 return NULL; 532 return NULL;
567 } 533 }
568 534
569 for (i = 0; i < cnt; i++, idx++) 535 for (i = 0; i < cnt; i++, idx++) {
570 {
571 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); 536 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
572 x = obj->data.crl; 537 x = obj->data.crl;
573 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); 538 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
574 if (!sk_X509_CRL_push(sk, x)) 539 if (!sk_X509_CRL_push(sk, x)) {
575 {
576 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 540 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
577 X509_CRL_free(x); 541 X509_CRL_free(x);
578 sk_X509_CRL_pop_free(sk, X509_CRL_free); 542 sk_X509_CRL_pop_free(sk, X509_CRL_free);
579 return NULL; 543 return NULL;
580 }
581 } 544 }
545 }
582 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 546 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
583 return sk; 547 return sk;
584 } 548}
585 549
586X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) 550X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
587 { 551{
588 int idx, i; 552 int idx, i;
589 X509_OBJECT *obj; 553 X509_OBJECT *obj;
590 idx = sk_X509_OBJECT_find(h, x); 554 idx = sk_X509_OBJECT_find(h, x);
591 if (idx == -1) return NULL; 555 if (idx == -1) return NULL;
592 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL)) 556 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
593 return sk_X509_OBJECT_value(h, idx); 557 return sk_X509_OBJECT_value(h, idx);
594 for (i = idx; i < sk_X509_OBJECT_num(h); i++) 558 for (i = idx; i < sk_X509_OBJECT_num(h); i++) {
595 {
596 obj = sk_X509_OBJECT_value(h, i); 559 obj = sk_X509_OBJECT_value(h, i);
597 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x)) 560 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
598 return NULL; 561 return NULL;
599 if (x->type == X509_LU_X509) 562 if (x->type == X509_LU_X509) {
600 {
601 if (!X509_cmp(obj->data.x509, x->data.x509)) 563 if (!X509_cmp(obj->data.x509, x->data.x509))
602 return obj; 564 return obj;
603 } 565 } else if (x->type == X509_LU_CRL) {
604 else if (x->type == X509_LU_CRL)
605 {
606 if (!X509_CRL_match(obj->data.crl, x->data.crl)) 566 if (!X509_CRL_match(obj->data.crl, x->data.crl))
607 return obj; 567 return obj;
608 } 568 } else
609 else
610 return obj; 569 return obj;
611 }
612 return NULL;
613 } 570 }
571 return NULL;
572}
614 573
615 574
616/* Try to get issuer certificate from store. Due to limitations 575/* Try to get issuer certificate from store. Due to limitations
@@ -625,95 +584,87 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
625 * -1 some other error. 584 * -1 some other error.
626 */ 585 */
627int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 586int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
628 { 587{
629 X509_NAME *xn; 588 X509_NAME *xn;
630 X509_OBJECT obj, *pobj; 589 X509_OBJECT obj, *pobj;
631 int i, ok, idx, ret; 590 int i, ok, idx, ret;
632 xn=X509_get_issuer_name(x); 591 xn=X509_get_issuer_name(x);
633 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); 592 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
634 if (ok != X509_LU_X509) 593 if (ok != X509_LU_X509) {
635 { 594 if (ok == X509_LU_RETRY) {
636 if (ok == X509_LU_RETRY)
637 {
638 X509_OBJECT_free_contents(&obj); 595 X509_OBJECT_free_contents(&obj);
639 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY); 596 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
640 return -1; 597 return -1;
641 } 598 } else if (ok != X509_LU_FAIL) {
642 else if (ok != X509_LU_FAIL)
643 {
644 X509_OBJECT_free_contents(&obj); 599 X509_OBJECT_free_contents(&obj);
645 /* not good :-(, break anyway */ 600 /* not good :-(, break anyway */
646 return -1; 601 return -1;
647 }
648 return 0;
649 } 602 }
603 return 0;
604 }
650 /* If certificate matches all OK */ 605 /* If certificate matches all OK */
651 if (ctx->check_issued(ctx, x, obj.data.x509)) 606 if (ctx->check_issued(ctx, x, obj.data.x509)) {
652 {
653 *issuer = obj.data.x509; 607 *issuer = obj.data.x509;
654 return 1; 608 return 1;
655 } 609 }
656 X509_OBJECT_free_contents(&obj); 610 X509_OBJECT_free_contents(&obj);
657 611
658 /* Else find index of first cert accepted by 'check_issued' */ 612 /* Else find index of first cert accepted by 'check_issued' */
659 ret = 0; 613 ret = 0;
660 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); 614 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
661 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); 615 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
662 if (idx != -1) /* should be true as we've had at least one match */ 616 if (idx != -1) /* should be true as we've had at least one match */ {
663 {
664 /* Look through all matching certs for suitable issuer */ 617 /* Look through all matching certs for suitable issuer */
665 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) 618 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
666 {
667 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); 619 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
668 /* See if we've run past the matches */ 620 /* See if we've run past the matches */
669 if (pobj->type != X509_LU_X509) 621 if (pobj->type != X509_LU_X509)
670 break; 622 break;
671 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) 623 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
672 break; 624 break;
673 if (ctx->check_issued(ctx, x, pobj->data.x509)) 625 if (ctx->check_issued(ctx, x, pobj->data.x509)) {
674 {
675 *issuer = pobj->data.x509; 626 *issuer = pobj->data.x509;
676 X509_OBJECT_up_ref_count(pobj); 627 X509_OBJECT_up_ref_count(pobj);
677 ret = 1; 628 ret = 1;
678 break; 629 break;
679 }
680 } 630 }
681 } 631 }
632 }
682 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); 633 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
683 return ret; 634 return ret;
684 } 635}
685 636
686int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) 637int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
687 { 638{
688 return X509_VERIFY_PARAM_set_flags(ctx->param, flags); 639 return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
689 } 640}
690 641
691int X509_STORE_set_depth(X509_STORE *ctx, int depth) 642int X509_STORE_set_depth(X509_STORE *ctx, int depth)
692 { 643{
693 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 644 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
694 return 1; 645 return 1;
695 } 646}
696 647
697int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) 648int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
698 { 649{
699 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose); 650 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
700 } 651}
701 652
702int X509_STORE_set_trust(X509_STORE *ctx, int trust) 653int X509_STORE_set_trust(X509_STORE *ctx, int trust)
703 { 654{
704 return X509_VERIFY_PARAM_set_trust(ctx->param, trust); 655 return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
705 } 656}
706 657
707int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) 658int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
708 { 659{
709 return X509_VERIFY_PARAM_set1(ctx->param, param); 660 return X509_VERIFY_PARAM_set1(ctx->param, param);
710 } 661}
711 662
712void X509_STORE_set_verify_cb(X509_STORE *ctx, 663void X509_STORE_set_verify_cb(X509_STORE *ctx,
713 int (*verify_cb)(int, X509_STORE_CTX *)) 664 int (*verify_cb)(int, X509_STORE_CTX *))
714 { 665{
715 ctx->verify_cb = verify_cb; 666 ctx->verify_cb = verify_cb;
716 } 667}
717 668
718IMPLEMENT_STACK_OF(X509_LOOKUP) 669IMPLEMENT_STACK_OF(X509_LOOKUP)
719IMPLEMENT_STACK_OF(X509_OBJECT) 670IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/src/lib/libssl/src/crypto/x509/x509_obj.c b/src/lib/libssl/src/crypto/x509/x509_obj.c
index 5f38315f22..d0c02f833e 100644
--- a/src/lib/libssl/src/crypto/x509/x509_obj.c
+++ b/src/lib/libssl/src/crypto/x509/x509_obj.c
@@ -64,7 +64,7 @@
64#include <openssl/buffer.h> 64#include <openssl/buffer.h>
65 65
66char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) 66char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
67 { 67{
68 X509_NAME_ENTRY *ne; 68 X509_NAME_ENTRY *ne;
69int i; 69int i;
70 int n,lold,l,l1,l2,num,j,type; 70 int n,lold,l,l1,l2,num,j,type;
@@ -76,103 +76,85 @@ int i;
76 int gs_doit[4]; 76 int gs_doit[4];
77 char tmp_buf[80]; 77 char tmp_buf[80];
78 78
79 if (buf == NULL) 79 if (buf == NULL) {
80 {
81 if ((b=BUF_MEM_new()) == NULL) goto err; 80 if ((b=BUF_MEM_new()) == NULL) goto err;
82 if (!BUF_MEM_grow(b,200)) goto err; 81 if (!BUF_MEM_grow(b,200)) goto err;
83 b->data[0]='\0'; 82 b->data[0]='\0';
84 len=200; 83 len=200;
84 }
85 if (a == NULL) {
86 if(b) {
87 buf=b->data;
88 free(b);
85 } 89 }
86 if (a == NULL) 90 strlcpy(buf,"NO X509_NAME",len);
87 { 91 return buf;
88 if(b) 92 }
89 {
90 buf=b->data;
91 free(b);
92 }
93 strlcpy(buf,"NO X509_NAME",len);
94 return buf;
95 }
96 93
97 len--; /* space for '\0' */ 94 len--; /* space for '\0' */
98 l=0; 95 l=0;
99 for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++) 96 for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++) {
100 {
101 ne=sk_X509_NAME_ENTRY_value(a->entries,i); 97 ne=sk_X509_NAME_ENTRY_value(a->entries,i);
102 n=OBJ_obj2nid(ne->object); 98 n=OBJ_obj2nid(ne->object);
103 if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) 99 if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) {
104 {
105 i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object); 100 i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
106 s=tmp_buf; 101 s=tmp_buf;
107 } 102 }
108 l1=strlen(s); 103 l1=strlen(s);
109 104
110 type=ne->value->type; 105 type=ne->value->type;
111 num=ne->value->length; 106 num=ne->value->length;
112 q=ne->value->data; 107 q=ne->value->data;
113 if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) 108 if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) {
114 {
115 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0; 109 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
116 for (j=0; j<num; j++) 110 for (j=0; j<num; j++)
117 if (q[j] != 0) gs_doit[j&3]=1; 111 if (q[j] != 0) gs_doit[j&3]=1;
118 112
119 if (gs_doit[0]|gs_doit[1]|gs_doit[2]) 113 if (gs_doit[0]|gs_doit[1]|gs_doit[2])
120 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1; 114 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
121 else 115 else {
122 {
123 gs_doit[0]=gs_doit[1]=gs_doit[2]=0; 116 gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
124 gs_doit[3]=1; 117 gs_doit[3]=1;
125 }
126 } 118 }
127 else 119 } else
128 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1; 120 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
129 121
130 for (l2=j=0; j<num; j++) 122 for (l2=j=0; j<num; j++) {
131 {
132 if (!gs_doit[j&3]) continue; 123 if (!gs_doit[j&3]) continue;
133 l2++; 124 l2++;
134 if ((q[j] < ' ') || (q[j] > '~')) l2+=3; 125 if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
135 } 126 }
136 127
137 lold=l; 128 lold=l;
138 l+=1+l1+1+l2; 129 l+=1+l1+1+l2;
139 if (b != NULL) 130 if (b != NULL) {
140 {
141 if (!BUF_MEM_grow(b,l+1)) goto err; 131 if (!BUF_MEM_grow(b,l+1)) goto err;
142 p= &(b->data[lold]); 132 p= &(b->data[lold]);
143 } 133 } else if (l > len) {
144 else if (l > len)
145 {
146 break; 134 break;
147 } 135 } else
148 else
149 p= &(buf[lold]); 136 p= &(buf[lold]);
150 *(p++)='/'; 137 *(p++)='/';
151 memcpy(p,s,(unsigned int)l1); p+=l1; 138 memcpy(p,s,(unsigned int)l1); p+=l1;
152 *(p++)='='; 139 *(p++)='=';
153 q=ne->value->data; 140 q=ne->value->data;
154 for (j=0; j<num; j++) 141 for (j=0; j<num; j++) {
155 {
156 if (!gs_doit[j&3]) continue; 142 if (!gs_doit[j&3]) continue;
157 n=q[j]; 143 n=q[j];
158 if ((n < ' ') || (n > '~')) 144 if ((n < ' ') || (n > '~')) {
159 {
160 *(p++)='\\'; 145 *(p++)='\\';
161 *(p++)='x'; 146 *(p++)='x';
162 *(p++)=hex[(n>>4)&0x0f]; 147 *(p++)=hex[(n>>4)&0x0f];
163 *(p++)=hex[n&0x0f]; 148 *(p++)=hex[n&0x0f];
164 } 149 } else
165 else
166 *(p++)=n; 150 *(p++)=n;
167 }
168 *p='\0';
169 } 151 }
170 if (b != NULL) 152 *p='\0';
171 { 153 }
154 if (b != NULL) {
172 p=b->data; 155 p=b->data;
173 free(b); 156 free(b);
174 } 157 } else
175 else
176 p=buf; 158 p=buf;
177 if (i == 0) 159 if (i == 0)
178 *p = '\0'; 160 *p = '\0';
@@ -181,5 +163,5 @@ err:
181 X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE); 163 X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
182 if (b != NULL) BUF_MEM_free(b); 164 if (b != NULL) BUF_MEM_free(b);
183 return(NULL); 165 return(NULL);
184 } 166}
185 167
diff --git a/src/lib/libssl/src/crypto/x509/x509_r2x.c b/src/lib/libssl/src/crypto/x509/x509_r2x.c
index 254a14693d..f084447334 100644
--- a/src/lib/libssl/src/crypto/x509/x509_r2x.c
+++ b/src/lib/libssl/src/crypto/x509/x509_r2x.c
@@ -66,27 +66,25 @@
66#include <openssl/buffer.h> 66#include <openssl/buffer.h>
67 67
68X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) 68X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
69 { 69{
70 X509 *ret=NULL; 70 X509 *ret=NULL;
71 X509_CINF *xi=NULL; 71 X509_CINF *xi=NULL;
72 X509_NAME *xn; 72 X509_NAME *xn;
73 73
74 if ((ret=X509_new()) == NULL) 74 if ((ret=X509_new()) == NULL) {
75 {
76 X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE); 75 X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
77 goto err; 76 goto err;
78 } 77 }
79 78
80 /* duplicate the request */ 79 /* duplicate the request */
81 xi=ret->cert_info; 80 xi=ret->cert_info;
82 81
83 if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) 82 if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) {
84 {
85 if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err; 83 if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
86 if (!ASN1_INTEGER_set(xi->version,2)) goto err; 84 if (!ASN1_INTEGER_set(xi->version,2)) goto err;
87/* xi->extensions=ri->attributes; <- bad, should not ever be done 85/* xi->extensions=ri->attributes; <- bad, should not ever be done
88 ri->attributes=NULL; */ 86 ri->attributes=NULL; */
89 } 87 }
90 88
91 xn=X509_REQ_get_subject_name(r); 89 xn=X509_REQ_get_subject_name(r);
92 if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0) 90 if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
@@ -103,12 +101,11 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
103 101
104 if (!X509_sign(ret,pkey,EVP_md5())) 102 if (!X509_sign(ret,pkey,EVP_md5()))
105 goto err; 103 goto err;
106 if (0) 104 if (0) {
107 {
108err: 105err:
109 X509_free(ret); 106 X509_free(ret);
110 ret=NULL; 107 ret=NULL;
111 }
112 return(ret);
113 } 108 }
109 return(ret);
110}
114 111
diff --git a/src/lib/libssl/src/crypto/x509/x509_req.c b/src/lib/libssl/src/crypto/x509/x509_req.c
index 1c5cee8030..12725ed7e9 100644
--- a/src/lib/libssl/src/crypto/x509/x509_req.c
+++ b/src/lib/libssl/src/crypto/x509/x509_req.c
@@ -68,18 +68,17 @@
68#include <openssl/pem.h> 68#include <openssl/pem.h>
69 69
70X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) 70X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
71 { 71{
72 X509_REQ *ret; 72 X509_REQ *ret;
73 X509_REQ_INFO *ri; 73 X509_REQ_INFO *ri;
74 int i; 74 int i;
75 EVP_PKEY *pktmp; 75 EVP_PKEY *pktmp;
76 76
77 ret=X509_REQ_new(); 77 ret=X509_REQ_new();
78 if (ret == NULL) 78 if (ret == NULL) {
79 {
80 X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE); 79 X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
81 goto err; 80 goto err;
82 } 81 }
83 82
84 ri=ret->req_info; 83 ri=ret->req_info;
85 84
@@ -96,32 +95,30 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
96 EVP_PKEY_free(pktmp); 95 EVP_PKEY_free(pktmp);
97 if (!i) goto err; 96 if (!i) goto err;
98 97
99 if (pkey != NULL) 98 if (pkey != NULL) {
100 {
101 if (!X509_REQ_sign(ret,pkey,md)) 99 if (!X509_REQ_sign(ret,pkey,md))
102 goto err; 100 goto err;
103 } 101 }
104 return(ret); 102 return(ret);
105err: 103err:
106 X509_REQ_free(ret); 104 X509_REQ_free(ret);
107 return(NULL); 105 return(NULL);
108 } 106}
109 107
110EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) 108EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
111 { 109{
112 if ((req == NULL) || (req->req_info == NULL)) 110 if ((req == NULL) || (req->req_info == NULL))
113 return(NULL); 111 return(NULL);
114 return(X509_PUBKEY_get(req->req_info->pubkey)); 112 return(X509_PUBKEY_get(req->req_info->pubkey));
115 } 113}
116 114
117int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) 115int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
118 { 116{
119 EVP_PKEY *xk=NULL; 117 EVP_PKEY *xk=NULL;
120 int ok=0; 118 int ok=0;
121 119
122 xk=X509_REQ_get_pubkey(x); 120 xk=X509_REQ_get_pubkey(x);
123 switch (EVP_PKEY_cmp(xk, k)) 121 switch (EVP_PKEY_cmp(xk, k)) {
124 {
125 case 1: 122 case 1:
126 ok=1; 123 ok=1;
127 break; 124 break;
@@ -133,26 +130,24 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
133 break; 130 break;
134 case -2: 131 case -2:
135#ifndef OPENSSL_NO_EC 132#ifndef OPENSSL_NO_EC
136 if (k->type == EVP_PKEY_EC) 133 if (k->type == EVP_PKEY_EC) {
137 {
138 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); 134 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
139 break; 135 break;
140 } 136 }
141#endif 137#endif
142#ifndef OPENSSL_NO_DH 138#ifndef OPENSSL_NO_DH
143 if (k->type == EVP_PKEY_DH) 139 if (k->type == EVP_PKEY_DH) {
144 {
145 /* No idea */ 140 /* No idea */
146 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); 141 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
147 break; 142 break;
148 } 143 }
149#endif 144#endif
150 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); 145 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
151 } 146 }
152 147
153 EVP_PKEY_free(xk); 148 EVP_PKEY_free(xk);
154 return(ok); 149 return(ok);
155 } 150}
156 151
157/* It seems several organisations had the same idea of including a list of 152/* It seems several organisations had the same idea of including a list of
158 * extensions in a certificate request. There are at least two OIDs that are 153 * extensions in a certificate request. There are at least two OIDs that are
@@ -184,7 +179,7 @@ void X509_REQ_set_extension_nids(int *nids)
184} 179}
185 180
186STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) 181STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
187 { 182{
188 X509_ATTRIBUTE *attr; 183 X509_ATTRIBUTE *attr;
189 ASN1_TYPE *ext = NULL; 184 ASN1_TYPE *ext = NULL;
190 int idx, *pnid; 185 int idx, *pnid;
@@ -192,8 +187,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
192 187
193 if ((req == NULL) || (req->req_info == NULL) || !ext_nids) 188 if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
194 return(NULL); 189 return(NULL);
195 for (pnid = ext_nids; *pnid != NID_undef; pnid++) 190 for (pnid = ext_nids; *pnid != NID_undef; pnid++) {
196 {
197 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1); 191 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
198 if (idx == -1) 192 if (idx == -1)
199 continue; 193 continue;
@@ -202,7 +196,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
202 else if(sk_ASN1_TYPE_num(attr->value.set)) 196 else if(sk_ASN1_TYPE_num(attr->value.set))
203 ext = sk_ASN1_TYPE_value(attr->value.set, 0); 197 ext = sk_ASN1_TYPE_value(attr->value.set, 0);
204 break; 198 break;
205 } 199 }
206 if(!ext || (ext->type != V_ASN1_SEQUENCE)) 200 if(!ext || (ext->type != V_ASN1_SEQUENCE))
207 return NULL; 201 return NULL;
208 p = ext->value.sequence->data; 202 p = ext->value.sequence->data;
@@ -235,11 +229,10 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
235 at = NULL; 229 at = NULL;
236 attr->single = 0; 230 attr->single = 0;
237 attr->object = OBJ_nid2obj(nid); 231 attr->object = OBJ_nid2obj(nid);
238 if (!req->req_info->attributes) 232 if (!req->req_info->attributes) {
239 {
240 if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null())) 233 if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
241 goto err; 234 goto err;
242 } 235 }
243 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err; 236 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
244 return 1; 237 return 1;
245 err: 238 err:
diff --git a/src/lib/libssl/src/crypto/x509/x509_set.c b/src/lib/libssl/src/crypto/x509/x509_set.c
index 4b94fc5847..dfe9eb68ff 100644
--- a/src/lib/libssl/src/crypto/x509/x509_set.c
+++ b/src/lib/libssl/src/crypto/x509/x509_set.c
@@ -64,87 +64,77 @@
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int X509_set_version(X509 *x, long version) 66int X509_set_version(X509 *x, long version)
67 { 67{
68 if (x == NULL) return(0); 68 if (x == NULL) return(0);
69 if (x->cert_info->version == NULL) 69 if (x->cert_info->version == NULL) {
70 {
71 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL) 70 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0); 71 return(0);
73 }
74 return(ASN1_INTEGER_set(x->cert_info->version,version));
75 } 72 }
73 return(ASN1_INTEGER_set(x->cert_info->version,version));
74}
76 75
77int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) 76int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
78 { 77{
79 ASN1_INTEGER *in; 78 ASN1_INTEGER *in;
80 79
81 if (x == NULL) return(0); 80 if (x == NULL) return(0);
82 in=x->cert_info->serialNumber; 81 in=x->cert_info->serialNumber;
83 if (in != serial) 82 if (in != serial) {
84 {
85 in=M_ASN1_INTEGER_dup(serial); 83 in=M_ASN1_INTEGER_dup(serial);
86 if (in != NULL) 84 if (in != NULL) {
87 {
88 M_ASN1_INTEGER_free(x->cert_info->serialNumber); 85 M_ASN1_INTEGER_free(x->cert_info->serialNumber);
89 x->cert_info->serialNumber=in; 86 x->cert_info->serialNumber=in;
90 }
91 } 87 }
92 return(in != NULL);
93 } 88 }
89 return(in != NULL);
90}
94 91
95int X509_set_issuer_name(X509 *x, X509_NAME *name) 92int X509_set_issuer_name(X509 *x, X509_NAME *name)
96 { 93{
97 if ((x == NULL) || (x->cert_info == NULL)) return(0); 94 if ((x == NULL) || (x->cert_info == NULL)) return(0);
98 return(X509_NAME_set(&x->cert_info->issuer,name)); 95 return(X509_NAME_set(&x->cert_info->issuer,name));
99 } 96}
100 97
101int X509_set_subject_name(X509 *x, X509_NAME *name) 98int X509_set_subject_name(X509 *x, X509_NAME *name)
102 { 99{
103 if ((x == NULL) || (x->cert_info == NULL)) return(0); 100 if ((x == NULL) || (x->cert_info == NULL)) return(0);
104 return(X509_NAME_set(&x->cert_info->subject,name)); 101 return(X509_NAME_set(&x->cert_info->subject,name));
105 } 102}
106 103
107int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) 104int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
108 { 105{
109 ASN1_TIME *in; 106 ASN1_TIME *in;
110 107
111 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); 108 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
112 in=x->cert_info->validity->notBefore; 109 in=x->cert_info->validity->notBefore;
113 if (in != tm) 110 if (in != tm) {
114 {
115 in=M_ASN1_TIME_dup(tm); 111 in=M_ASN1_TIME_dup(tm);
116 if (in != NULL) 112 if (in != NULL) {
117 {
118 M_ASN1_TIME_free(x->cert_info->validity->notBefore); 113 M_ASN1_TIME_free(x->cert_info->validity->notBefore);
119 x->cert_info->validity->notBefore=in; 114 x->cert_info->validity->notBefore=in;
120 }
121 } 115 }
122 return(in != NULL);
123 } 116 }
117 return(in != NULL);
118}
124 119
125int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) 120int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
126 { 121{
127 ASN1_TIME *in; 122 ASN1_TIME *in;
128 123
129 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); 124 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
130 in=x->cert_info->validity->notAfter; 125 in=x->cert_info->validity->notAfter;
131 if (in != tm) 126 if (in != tm) {
132 {
133 in=M_ASN1_TIME_dup(tm); 127 in=M_ASN1_TIME_dup(tm);
134 if (in != NULL) 128 if (in != NULL) {
135 {
136 M_ASN1_TIME_free(x->cert_info->validity->notAfter); 129 M_ASN1_TIME_free(x->cert_info->validity->notAfter);
137 x->cert_info->validity->notAfter=in; 130 x->cert_info->validity->notAfter=in;
138 }
139 } 131 }
140 return(in != NULL);
141 } 132 }
133 return(in != NULL);
134}
142 135
143int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) 136int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
144 { 137{
145 if ((x == NULL) || (x->cert_info == NULL)) return(0); 138 if ((x == NULL) || (x->cert_info == NULL)) return(0);
146 return(X509_PUBKEY_set(&(x->cert_info->key),pkey)); 139 return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
147 } 140}
148
149
150
diff --git a/src/lib/libssl/src/crypto/x509/x509_trs.c b/src/lib/libssl/src/crypto/x509/x509_trs.c
index 7bb5094e64..bdda53ec6b 100644
--- a/src/lib/libssl/src/crypto/x509/x509_trs.c
+++ b/src/lib/libssl/src/crypto/x509/x509_trs.c
@@ -174,7 +174,8 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
174 return 0; 174 return 0;
175 } 175 }
176 trtmp->flags = X509_TRUST_DYNAMIC; 176 trtmp->flags = X509_TRUST_DYNAMIC;
177 } else trtmp = X509_TRUST_get0(idx); 177 } else
178 trtmp = X509_TRUST_get0(idx);
178 179
179 /* free existing name if dynamic */ 180 /* free existing name if dynamic */
180 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); 181 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name);
@@ -208,15 +209,14 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
208} 209}
209 210
210static void trtable_free(X509_TRUST *p) 211static void trtable_free(X509_TRUST *p)
211 { 212{
212 if(!p) return; 213 if(!p) return;
213 if (p->flags & X509_TRUST_DYNAMIC) 214 if (p->flags & X509_TRUST_DYNAMIC) {
214 {
215 if (p->flags & X509_TRUST_DYNAMIC_NAME) 215 if (p->flags & X509_TRUST_DYNAMIC_NAME)
216 free(p->name); 216 free(p->name);
217 free(p); 217 free(p);
218 }
219 } 218 }
219}
220 220
221void X509_TRUST_cleanup(void) 221void X509_TRUST_cleanup(void)
222{ 222{
diff --git a/src/lib/libssl/src/crypto/x509/x509_txt.c b/src/lib/libssl/src/crypto/x509/x509_txt.c
index 27f6c7176a..509948618e 100644
--- a/src/lib/libssl/src/crypto/x509/x509_txt.c
+++ b/src/lib/libssl/src/crypto/x509/x509_txt.c
@@ -69,11 +69,10 @@
69#include <openssl/objects.h> 69#include <openssl/objects.h>
70 70
71const char *X509_verify_cert_error_string(long n) 71const char *X509_verify_cert_error_string(long n)
72 { 72{
73 static char buf[100]; 73 static char buf[100];
74 74
75 switch ((int)n) 75 switch ((int)n) {
76 {
77 case X509_V_OK: 76 case X509_V_OK:
78 return("ok"); 77 return("ok");
79 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 78 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
@@ -187,7 +186,7 @@ const char *X509_verify_cert_error_string(long n)
187 default: 186 default:
188 (void) snprintf(buf,sizeof buf,"error number %ld",n); 187 (void) snprintf(buf,sizeof buf,"error number %ld",n);
189 return(buf); 188 return(buf);
190 }
191 } 189 }
190}
192 191
193 192
diff --git a/src/lib/libssl/src/crypto/x509/x509_v3.c b/src/lib/libssl/src/crypto/x509/x509_v3.c
index 42e6f0ab05..f41fab3367 100644
--- a/src/lib/libssl/src/crypto/x509/x509_v3.c
+++ b/src/lib/libssl/src/crypto/x509/x509_v3.c
@@ -66,24 +66,24 @@
66#include <openssl/x509v3.h> 66#include <openssl/x509v3.h>
67 67
68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) 68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
69 { 69{
70 if (x == NULL) return(0); 70 if (x == NULL) return(0);
71 return(sk_X509_EXTENSION_num(x)); 71 return(sk_X509_EXTENSION_num(x));
72 } 72}
73 73
74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, 74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
75 int lastpos) 75 int lastpos)
76 { 76{
77 ASN1_OBJECT *obj; 77 ASN1_OBJECT *obj;
78 78
79 obj=OBJ_nid2obj(nid); 79 obj=OBJ_nid2obj(nid);
80 if (obj == NULL) return(-2); 80 if (obj == NULL) return(-2);
81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos)); 81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
82 } 82}
83 83
84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, 84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
85 int lastpos) 85 int lastpos)
86 { 86{
87 int n; 87 int n;
88 X509_EXTENSION *ex; 88 X509_EXTENSION *ex;
89 89
@@ -92,18 +92,17 @@ int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
92 if (lastpos < 0) 92 if (lastpos < 0)
93 lastpos=0; 93 lastpos=0;
94 n=sk_X509_EXTENSION_num(sk); 94 n=sk_X509_EXTENSION_num(sk);
95 for ( ; lastpos < n; lastpos++) 95 for ( ; lastpos < n; lastpos++) {
96 {
97 ex=sk_X509_EXTENSION_value(sk,lastpos); 96 ex=sk_X509_EXTENSION_value(sk,lastpos);
98 if (OBJ_cmp(ex->object,obj) == 0) 97 if (OBJ_cmp(ex->object,obj) == 0)
99 return(lastpos); 98 return(lastpos);
100 }
101 return(-1);
102 } 99 }
100 return(-1);
101}
103 102
104int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, 103int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
105 int lastpos) 104 int lastpos)
106 { 105{
107 int n; 106 int n;
108 X509_EXTENSION *ex; 107 X509_EXTENSION *ex;
109 108
@@ -112,53 +111,49 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
112 if (lastpos < 0) 111 if (lastpos < 0)
113 lastpos=0; 112 lastpos=0;
114 n=sk_X509_EXTENSION_num(sk); 113 n=sk_X509_EXTENSION_num(sk);
115 for ( ; lastpos < n; lastpos++) 114 for ( ; lastpos < n; lastpos++) {
116 {
117 ex=sk_X509_EXTENSION_value(sk,lastpos); 115 ex=sk_X509_EXTENSION_value(sk,lastpos);
118 if ( ((ex->critical > 0) && crit) || 116 if ( ((ex->critical > 0) && crit) ||
119 ((ex->critical <= 0) && !crit)) 117 ((ex->critical <= 0) && !crit))
120 return(lastpos); 118 return(lastpos);
121 }
122 return(-1);
123 } 119 }
120 return(-1);
121}
124 122
125X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) 123X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
126 { 124{
127 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) 125 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
128 return NULL; 126 return NULL;
129 else 127 else
130 return sk_X509_EXTENSION_value(x,loc); 128 return sk_X509_EXTENSION_value(x,loc);
131 } 129}
132 130
133X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) 131X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
134 { 132{
135 X509_EXTENSION *ret; 133 X509_EXTENSION *ret;
136 134
137 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) 135 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
138 return(NULL); 136 return(NULL);
139 ret=sk_X509_EXTENSION_delete(x,loc); 137 ret=sk_X509_EXTENSION_delete(x,loc);
140 return(ret); 138 return(ret);
141 } 139}
142 140
143STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, 141STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
144 X509_EXTENSION *ex, int loc) 142 X509_EXTENSION *ex, int loc)
145 { 143{
146 X509_EXTENSION *new_ex=NULL; 144 X509_EXTENSION *new_ex=NULL;
147 int n; 145 int n;
148 STACK_OF(X509_EXTENSION) *sk=NULL; 146 STACK_OF(X509_EXTENSION) *sk=NULL;
149 147
150 if (x == NULL) 148 if (x == NULL) {
151 {
152 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER); 149 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
153 goto err2; 150 goto err2;
154 } 151 }
155 152
156 if (*x == NULL) 153 if (*x == NULL) {
157 {
158 if ((sk=sk_X509_EXTENSION_new_null()) == NULL) 154 if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
159 goto err; 155 goto err;
160 } 156 } else
161 else
162 sk= *x; 157 sk= *x;
163 158
164 n=sk_X509_EXTENSION_num(sk); 159 n=sk_X509_EXTENSION_num(sk);
@@ -178,39 +173,36 @@ err2:
178 if (new_ex != NULL) X509_EXTENSION_free(new_ex); 173 if (new_ex != NULL) X509_EXTENSION_free(new_ex);
179 if (sk != NULL) sk_X509_EXTENSION_free(sk); 174 if (sk != NULL) sk_X509_EXTENSION_free(sk);
180 return(NULL); 175 return(NULL);
181 } 176}
182 177
183X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, 178X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
184 int crit, ASN1_OCTET_STRING *data) 179 int crit, ASN1_OCTET_STRING *data)
185 { 180{
186 ASN1_OBJECT *obj; 181 ASN1_OBJECT *obj;
187 X509_EXTENSION *ret; 182 X509_EXTENSION *ret;
188 183
189 obj=OBJ_nid2obj(nid); 184 obj=OBJ_nid2obj(nid);
190 if (obj == NULL) 185 if (obj == NULL) {
191 {
192 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID); 186 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
193 return(NULL); 187 return(NULL);
194 } 188 }
195 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data); 189 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
196 if (ret == NULL) ASN1_OBJECT_free(obj); 190 if (ret == NULL) ASN1_OBJECT_free(obj);
197 return(ret); 191 return(ret);
198 } 192}
199 193
200X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, 194X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
201 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) 195 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
202 { 196{
203 X509_EXTENSION *ret; 197 X509_EXTENSION *ret;
204 198
205 if ((ex == NULL) || (*ex == NULL)) 199 if ((ex == NULL) || (*ex == NULL)) {
206 {
207 if ((ret=X509_EXTENSION_new()) == NULL) 200 if ((ret=X509_EXTENSION_new()) == NULL)
208 { 201 {
209 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); 202 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
210 return(NULL); 203 return(NULL);
211 }
212 } 204 }
213 else 205 } else
214 ret= *ex; 206 ret= *ex;
215 207
216 if (!X509_EXTENSION_set_object(ret,obj)) 208 if (!X509_EXTENSION_set_object(ret,obj))
@@ -226,49 +218,49 @@ err:
226 if ((ex == NULL) || (ret != *ex)) 218 if ((ex == NULL) || (ret != *ex))
227 X509_EXTENSION_free(ret); 219 X509_EXTENSION_free(ret);
228 return(NULL); 220 return(NULL);
229 } 221}
230 222
231int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) 223int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
232 { 224{
233 if ((ex == NULL) || (obj == NULL)) 225 if ((ex == NULL) || (obj == NULL))
234 return(0); 226 return(0);
235 ASN1_OBJECT_free(ex->object); 227 ASN1_OBJECT_free(ex->object);
236 ex->object=OBJ_dup(obj); 228 ex->object=OBJ_dup(obj);
237 return(1); 229 return(1);
238 } 230}
239 231
240int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) 232int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
241 { 233{
242 if (ex == NULL) return(0); 234 if (ex == NULL) return(0);
243 ex->critical=(crit)?0xFF:-1; 235 ex->critical=(crit)?0xFF:-1;
244 return(1); 236 return(1);
245 } 237}
246 238
247int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) 239int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
248 { 240{
249 int i; 241 int i;
250 242
251 if (ex == NULL) return(0); 243 if (ex == NULL) return(0);
252 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length); 244 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
253 if (!i) return(0); 245 if (!i) return(0);
254 return(1); 246 return(1);
255 } 247}
256 248
257ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) 249ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
258 { 250{
259 if (ex == NULL) return(NULL); 251 if (ex == NULL) return(NULL);
260 return(ex->object); 252 return(ex->object);
261 } 253}
262 254
263ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) 255ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
264 { 256{
265 if (ex == NULL) return(NULL); 257 if (ex == NULL) return(NULL);
266 return(ex->value); 258 return(ex->value);
267 } 259}
268 260
269int X509_EXTENSION_get_critical(X509_EXTENSION *ex) 261int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
270 { 262{
271 if (ex == NULL) return(0); 263 if (ex == NULL) return(0);
272 if(ex->critical > 0) return 1; 264 if(ex->critical > 0) return 1;
273 return 0; 265 return 0;
274 } 266}
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 077bfd8f2d..6e9dd7cc6a 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -139,19 +139,19 @@ const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139 139
140 140
141static int null_callback(int ok, X509_STORE_CTX *e) 141static int null_callback(int ok, X509_STORE_CTX *e)
142 { 142{
143 return ok; 143 return ok;
144 } 144}
145 145
146#if 0 146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b) 147static int x509_subject_cmp(X509 **a, X509 **b)
148 { 148{
149 return X509_subject_name_cmp(*a,*b); 149 return X509_subject_name_cmp(*a,*b);
150 } 150}
151#endif 151#endif
152 152
153int X509_verify_cert(X509_STORE_CTX *ctx) 153int X509_verify_cert(X509_STORE_CTX *ctx)
154 { 154{
155 X509 *x,*xtmp,*chain_ss=NULL; 155 X509 *x,*xtmp,*chain_ss=NULL;
156 int bad_chain = 0; 156 int bad_chain = 0;
157 X509_VERIFY_PARAM *param = ctx->param; 157 X509_VERIFY_PARAM *param = ctx->param;
@@ -159,43 +159,38 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
159 int num; 159 int num;
160 int (*cb)(int xok,X509_STORE_CTX *xctx); 160 int (*cb)(int xok,X509_STORE_CTX *xctx);
161 STACK_OF(X509) *sktmp=NULL; 161 STACK_OF(X509) *sktmp=NULL;
162 if (ctx->cert == NULL) 162 if (ctx->cert == NULL) {
163 {
164 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 163 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
165 return -1; 164 return -1;
166 } 165 }
167 166
168 cb=ctx->verify_cb; 167 cb=ctx->verify_cb;
169 168
170 /* first we make sure the chain we are going to build is 169 /* first we make sure the chain we are going to build is
171 * present and that the first entry is in place */ 170 * present and that the first entry is in place */
172 if (ctx->chain == NULL) 171 if (ctx->chain == NULL) {
173 {
174 if ( ((ctx->chain=sk_X509_new_null()) == NULL) || 172 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
175 (!sk_X509_push(ctx->chain,ctx->cert))) 173 (!sk_X509_push(ctx->chain,ctx->cert))) {
176 {
177 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 174 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
178 goto end; 175 goto end;
179 } 176 }
180 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); 177 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
181 ctx->last_untrusted=1; 178 ctx->last_untrusted=1;
182 } 179 }
183 180
184 /* We use a temporary STACK so we can chop and hack at it */ 181 /* We use a temporary STACK so we can chop and hack at it */
185 if (ctx->untrusted != NULL 182 if (ctx->untrusted != NULL
186 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) 183 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) {
187 {
188 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 184 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
189 goto end; 185 goto end;
190 } 186 }
191 187
192 num=sk_X509_num(ctx->chain); 188 num=sk_X509_num(ctx->chain);
193 x=sk_X509_value(ctx->chain,num-1); 189 x=sk_X509_value(ctx->chain,num-1);
194 depth=param->depth; 190 depth=param->depth;
195 191
196 192
197 for (;;) 193 for (;;) {
198 {
199 /* If we have enough, we break */ 194 /* If we have enough, we break */
200 if (depth < num) break; /* FIXME: If this happens, we should take 195 if (depth < num) break; /* FIXME: If this happens, we should take
201 * note of it and, if appropriate, use the 196 * note of it and, if appropriate, use the
@@ -207,16 +202,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
207 if (ctx->check_issued(ctx, x,x)) break; 202 if (ctx->check_issued(ctx, x,x)) break;
208 203
209 /* If we were passed a cert chain, use it first */ 204 /* If we were passed a cert chain, use it first */
210 if (ctx->untrusted != NULL) 205 if (ctx->untrusted != NULL) {
211 {
212 xtmp=find_issuer(ctx, sktmp,x); 206 xtmp=find_issuer(ctx, sktmp,x);
213 if (xtmp != NULL) 207 if (xtmp != NULL) {
214 { 208 if (!sk_X509_push(ctx->chain,xtmp)) {
215 if (!sk_X509_push(ctx->chain,xtmp))
216 {
217 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 209 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
218 goto end; 210 goto end;
219 } 211 }
220 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); 212 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
221 (void)sk_X509_delete_ptr(sktmp,xtmp); 213 (void)sk_X509_delete_ptr(sktmp,xtmp);
222 ctx->last_untrusted++; 214 ctx->last_untrusted++;
@@ -225,10 +217,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
225 /* reparse the full chain for 217 /* reparse the full chain for
226 * the next one */ 218 * the next one */
227 continue; 219 continue;
228 }
229 } 220 }
230 break;
231 } 221 }
222 break;
223 }
232 224
233 /* at this point, chain should contain a list of untrusted 225 /* at this point, chain should contain a list of untrusted
234 * certificates. We now need to add at least one trusted one, 226 * certificates. We now need to add at least one trusted one,
@@ -240,18 +232,15 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
240 232
241 i=sk_X509_num(ctx->chain); 233 i=sk_X509_num(ctx->chain);
242 x=sk_X509_value(ctx->chain,i-1); 234 x=sk_X509_value(ctx->chain,i-1);
243 if (ctx->check_issued(ctx, x, x)) 235 if (ctx->check_issued(ctx, x, x)) {
244 {
245 /* we have a self signed certificate */ 236 /* we have a self signed certificate */
246 if (sk_X509_num(ctx->chain) == 1) 237 if (sk_X509_num(ctx->chain) == 1) {
247 {
248 /* We have a single self signed certificate: see if 238 /* We have a single self signed certificate: see if
249 * we can find it in the store. We must have an exact 239 * we can find it in the store. We must have an exact
250 * match to avoid possible impersonation. 240 * match to avoid possible impersonation.
251 */ 241 */
252 ok = ctx->get_issuer(&xtmp, ctx, x); 242 ok = ctx->get_issuer(&xtmp, ctx, x);
253 if ((ok <= 0) || X509_cmp(x, xtmp)) 243 if ((ok <= 0) || X509_cmp(x, xtmp)) {
254 {
255 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 244 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
256 ctx->current_cert=x; 245 ctx->current_cert=x;
257 ctx->error_depth=i-1; 246 ctx->error_depth=i-1;
@@ -259,9 +248,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
259 bad_chain = 1; 248 bad_chain = 1;
260 ok=cb(0,ctx); 249 ok=cb(0,ctx);
261 if (!ok) goto end; 250 if (!ok) goto end;
262 } 251 } else {
263 else
264 {
265 /* We have a match: replace certificate with store version 252 /* We have a match: replace certificate with store version
266 * so we get any trust settings. 253 * so we get any trust settings.
267 */ 254 */
@@ -269,21 +256,18 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
269 x = xtmp; 256 x = xtmp;
270 (void)sk_X509_set(ctx->chain, i - 1, x); 257 (void)sk_X509_set(ctx->chain, i - 1, x);
271 ctx->last_untrusted=0; 258 ctx->last_untrusted=0;
272 }
273 } 259 }
274 else 260 } else {
275 {
276 /* extract and save self signed certificate for later use */ 261 /* extract and save self signed certificate for later use */
277 chain_ss=sk_X509_pop(ctx->chain); 262 chain_ss=sk_X509_pop(ctx->chain);
278 ctx->last_untrusted--; 263 ctx->last_untrusted--;
279 num--; 264 num--;
280 x=sk_X509_value(ctx->chain,num-1); 265 x=sk_X509_value(ctx->chain,num-1);
281 }
282 } 266 }
267 }
283 268
284 /* We now lookup certs from the certificate store */ 269 /* We now lookup certs from the certificate store */
285 for (;;) 270 for (;;) {
286 {
287 /* If we have enough, we break */ 271 /* If we have enough, we break */
288 if (depth < num) break; 272 if (depth < num) break;
289 273
@@ -296,30 +280,25 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
296 if (ok == 0) break; 280 if (ok == 0) break;
297 281
298 x = xtmp; 282 x = xtmp;
299 if (!sk_X509_push(ctx->chain,x)) 283 if (!sk_X509_push(ctx->chain,x)) {
300 {
301 X509_free(xtmp); 284 X509_free(xtmp);
302 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 285 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
303 return 0; 286 return 0;
304 }
305 num++;
306 } 287 }
288 num++;
289 }
307 290
308 /* we now have our chain, lets check it... */ 291 /* we now have our chain, lets check it... */
309 292
310 /* Is last certificate looked up self signed? */ 293 /* Is last certificate looked up self signed? */
311 if (!ctx->check_issued(ctx,x,x)) 294 if (!ctx->check_issued(ctx,x,x)) {
312 { 295 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
313 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
314 {
315 if (ctx->last_untrusted >= num) 296 if (ctx->last_untrusted >= num)
316 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 297 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
317 else 298 else
318 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 299 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
319 ctx->current_cert=x; 300 ctx->current_cert=x;
320 } 301 } else {
321 else
322 {
323 302
324 sk_X509_push(ctx->chain,chain_ss); 303 sk_X509_push(ctx->chain,chain_ss);
325 num++; 304 num++;
@@ -327,13 +306,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
327 ctx->current_cert=chain_ss; 306 ctx->current_cert=chain_ss;
328 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 307 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
329 chain_ss=NULL; 308 chain_ss=NULL;
330 } 309 }
331 310
332 ctx->error_depth=num-1; 311 ctx->error_depth=num-1;
333 bad_chain = 1; 312 bad_chain = 1;
334 ok=cb(0,ctx); 313 ok=cb(0,ctx);
335 if (!ok) goto end; 314 if (!ok) goto end;
336 } 315 }
337 316
338 /* We have the chain complete: now we need to check its purpose */ 317 /* We have the chain complete: now we need to check its purpose */
339 ok = check_chain_extensions(ctx); 318 ok = check_chain_extensions(ctx);
@@ -381,15 +360,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
381 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) 360 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
382 ok = ctx->check_policy(ctx); 361 ok = ctx->check_policy(ctx);
383 if(!ok) goto end; 362 if(!ok) goto end;
384 if (0) 363 if (0) {
385 {
386end: 364end:
387 X509_get_pubkey_parameters(NULL,ctx->chain); 365 X509_get_pubkey_parameters(NULL,ctx->chain);
388 } 366 }
389 if (sktmp != NULL) sk_X509_free(sktmp); 367 if (sktmp != NULL) sk_X509_free(sktmp);
390 if (chain_ss != NULL) X509_free(chain_ss); 368 if (chain_ss != NULL) X509_free(chain_ss);
391 return ok; 369 return ok;
392 } 370}
393 371
394 372
395/* Given a STACK_OF(X509) find the issuer of cert (if any) 373/* Given a STACK_OF(X509) find the issuer of cert (if any)
@@ -399,12 +377,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
399{ 377{
400 int i; 378 int i;
401 X509 *issuer; 379 X509 *issuer;
402 for (i = 0; i < sk_X509_num(sk); i++) 380 for (i = 0; i < sk_X509_num(sk); i++) {
403 {
404 issuer = sk_X509_value(sk, i); 381 issuer = sk_X509_value(sk, i);
405 if (ctx->check_issued(ctx, x, issuer)) 382 if (ctx->check_issued(ctx, x, issuer))
406 return issuer; 383 return issuer;
407 } 384 }
408 return NULL; 385 return NULL;
409} 386}
410 387
@@ -431,12 +408,10 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
431static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 408static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
432{ 409{
433 *issuer = find_issuer(ctx, ctx->other_ctx, x); 410 *issuer = find_issuer(ctx, ctx->other_ctx, x);
434 if (*issuer) 411 if (*issuer) {
435 {
436 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); 412 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
437 return 1; 413 return 1;
438 } 414 } else
439 else
440 return 0; 415 return 0;
441} 416}
442 417
@@ -469,13 +444,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
469 must_be_ca = -1; 444 must_be_ca = -1;
470 445
471 /* CRL path validation */ 446 /* CRL path validation */
472 if (ctx->parent) 447 if (ctx->parent) {
473 {
474 allow_proxy_certs = 0; 448 allow_proxy_certs = 0;
475 purpose = X509_PURPOSE_CRL_SIGN; 449 purpose = X509_PURPOSE_CRL_SIGN;
476 } 450 } else {
477 else
478 {
479 allow_proxy_certs = 451 allow_proxy_certs =
480 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 452 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
481 /* A hack to keep people who don't want to modify their 453 /* A hack to keep people who don't want to modify their
@@ -483,96 +455,82 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
483 if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) 455 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
484 allow_proxy_certs = 1; 456 allow_proxy_certs = 1;
485 purpose = ctx->param->purpose; 457 purpose = ctx->param->purpose;
486 } 458 }
487 459
488 /* Check all untrusted certificates */ 460 /* Check all untrusted certificates */
489 for (i = 0; i < ctx->last_untrusted; i++) 461 for (i = 0; i < ctx->last_untrusted; i++) {
490 {
491 int ret; 462 int ret;
492 x = sk_X509_value(ctx->chain, i); 463 x = sk_X509_value(ctx->chain, i);
493 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
494 && (x->ex_flags & EXFLAG_CRITICAL)) 465 && (x->ex_flags & EXFLAG_CRITICAL)) {
495 {
496 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 466 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
497 ctx->error_depth = i; 467 ctx->error_depth = i;
498 ctx->current_cert = x; 468 ctx->current_cert = x;
499 ok=cb(0,ctx); 469 ok=cb(0,ctx);
500 if (!ok) goto end; 470 if (!ok) goto end;
501 } 471 }
502 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) 472 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
503 {
504 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 473 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
505 ctx->error_depth = i; 474 ctx->error_depth = i;
506 ctx->current_cert = x; 475 ctx->current_cert = x;
507 ok=cb(0,ctx); 476 ok=cb(0,ctx);
508 if (!ok) goto end; 477 if (!ok) goto end;
509 } 478 }
510 ret = X509_check_ca(x); 479 ret = X509_check_ca(x);
511 switch(must_be_ca) 480 switch(must_be_ca) {
512 {
513 case -1: 481 case -1:
514 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 482 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
515 && (ret != 1) && (ret != 0)) 483 && (ret != 1) && (ret != 0)) {
516 {
517 ret = 0; 484 ret = 0;
518 ctx->error = X509_V_ERR_INVALID_CA; 485 ctx->error = X509_V_ERR_INVALID_CA;
519 } 486 } else
520 else
521 ret = 1; 487 ret = 1;
522 break; 488 break;
523 case 0: 489 case 0:
524 if (ret != 0) 490 if (ret != 0) {
525 {
526 ret = 0; 491 ret = 0;
527 ctx->error = X509_V_ERR_INVALID_NON_CA; 492 ctx->error = X509_V_ERR_INVALID_NON_CA;
528 } 493 } else
529 else
530 ret = 1; 494 ret = 1;
531 break; 495 break;
532 default: 496 default:
533 if ((ret == 0) 497 if ((ret == 0)
534 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 498 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
535 && (ret != 1))) 499 && (ret != 1))) {
536 {
537 ret = 0; 500 ret = 0;
538 ctx->error = X509_V_ERR_INVALID_CA; 501 ctx->error = X509_V_ERR_INVALID_CA;
539 } 502 } else
540 else
541 ret = 1; 503 ret = 1;
542 break; 504 break;
543 } 505 }
544 if (ret == 0) 506 if (ret == 0) {
545 {
546 ctx->error_depth = i; 507 ctx->error_depth = i;
547 ctx->current_cert = x; 508 ctx->current_cert = x;
548 ok=cb(0,ctx); 509 ok=cb(0,ctx);
549 if (!ok) goto end; 510 if (!ok) goto end;
550 } 511 }
551 if (ctx->param->purpose > 0) 512 if (ctx->param->purpose > 0) {
552 {
553 ret = X509_check_purpose(x, purpose, must_be_ca > 0); 513 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
554 if ((ret == 0) 514 if ((ret == 0)
555 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 515 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
556 && (ret != 1))) 516 && (ret != 1))) {
557 {
558 ctx->error = X509_V_ERR_INVALID_PURPOSE; 517 ctx->error = X509_V_ERR_INVALID_PURPOSE;
559 ctx->error_depth = i; 518 ctx->error_depth = i;
560 ctx->current_cert = x; 519 ctx->current_cert = x;
561 ok=cb(0,ctx); 520 ok=cb(0,ctx);
562 if (!ok) goto end; 521 if (!ok) goto end;
563 }
564 } 522 }
523 }
565 /* Check pathlen if not self issued */ 524 /* Check pathlen if not self issued */
566 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) 525 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
567 && (x->ex_pathlen != -1) 526 && (x->ex_pathlen != -1)
568 && (plen > (x->ex_pathlen + proxy_path_length + 1))) 527 && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
569 {
570 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 528 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
571 ctx->error_depth = i; 529 ctx->error_depth = i;
572 ctx->current_cert = x; 530 ctx->current_cert = x;
573 ok=cb(0,ctx); 531 ok=cb(0,ctx);
574 if (!ok) goto end; 532 if (!ok) goto end;
575 } 533 }
576 /* Increment path length if not self issued */ 534 /* Increment path length if not self issued */
577 if (!(x->ex_flags & EXFLAG_SI)) 535 if (!(x->ex_flags & EXFLAG_SI))
578 plen++; 536 plen++;
@@ -580,23 +538,20 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
580 certificate must be another proxy certificate or a EE 538 certificate must be another proxy certificate or a EE
581 certificate. If not, the next certificate must be a 539 certificate. If not, the next certificate must be a
582 CA certificate. */ 540 CA certificate. */
583 if (x->ex_flags & EXFLAG_PROXY) 541 if (x->ex_flags & EXFLAG_PROXY) {
584 { 542 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
585 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
586 {
587 ctx->error = 543 ctx->error =
588 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 544 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
589 ctx->error_depth = i; 545 ctx->error_depth = i;
590 ctx->current_cert = x; 546 ctx->current_cert = x;
591 ok=cb(0,ctx); 547 ok=cb(0,ctx);
592 if (!ok) goto end; 548 if (!ok) goto end;
593 } 549 }
594 proxy_path_length++; 550 proxy_path_length++;
595 must_be_ca = 0; 551 must_be_ca = 0;
596 } 552 } else
597 else
598 must_be_ca = 1; 553 must_be_ca = 1;
599 } 554 }
600 ok = 1; 555 ok = 1;
601 end: 556 end:
602 return ok; 557 return ok;
@@ -604,12 +559,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
604} 559}
605 560
606static int check_name_constraints(X509_STORE_CTX *ctx) 561static int check_name_constraints(X509_STORE_CTX *ctx)
607 { 562{
608 X509 *x; 563 X509 *x;
609 int i, j, rv; 564 int i, j, rv;
610 /* Check name constraints for all certificates */ 565 /* Check name constraints for all certificates */
611 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) 566 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
612 {
613 x = sk_X509_value(ctx->chain, i); 567 x = sk_X509_value(ctx->chain, i);
614 /* Ignore self issued certs unless last in chain */ 568 /* Ignore self issued certs unless last in chain */
615 if (i && (x->ex_flags & EXFLAG_SI)) 569 if (i && (x->ex_flags & EXFLAG_SI))
@@ -619,25 +573,22 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
619 * speaking needed but if it includes constraints it is to be 573 * speaking needed but if it includes constraints it is to be
620 * assumed it expects them to be obeyed. 574 * assumed it expects them to be obeyed.
621 */ 575 */
622 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) 576 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
623 {
624 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; 577 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
625 if (nc) 578 if (nc) {
626 {
627 rv = NAME_CONSTRAINTS_check(x, nc); 579 rv = NAME_CONSTRAINTS_check(x, nc);
628 if (rv != X509_V_OK) 580 if (rv != X509_V_OK) {
629 {
630 ctx->error = rv; 581 ctx->error = rv;
631 ctx->error_depth = i; 582 ctx->error_depth = i;
632 ctx->current_cert = x; 583 ctx->current_cert = x;
633 if (!ctx->verify_cb(0,ctx)) 584 if (!ctx->verify_cb(0,ctx))
634 return 0; 585 return 0;
635 }
636 } 586 }
637 } 587 }
638 } 588 }
639 return 1;
640 } 589 }
590 return 1;
591}
641 592
642static int check_trust(X509_STORE_CTX *ctx) 593static int check_trust(X509_STORE_CTX *ctx)
643{ 594{
@@ -666,30 +617,27 @@ static int check_trust(X509_STORE_CTX *ctx)
666} 617}
667 618
668static int check_revocation(X509_STORE_CTX *ctx) 619static int check_revocation(X509_STORE_CTX *ctx)
669 { 620{
670 int i, last, ok; 621 int i, last, ok;
671 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 622 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
672 return 1; 623 return 1;
673 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 624 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
674 last = sk_X509_num(ctx->chain) - 1; 625 last = sk_X509_num(ctx->chain) - 1;
675 else 626 else {
676 {
677 /* If checking CRL paths this isn't the EE certificate */ 627 /* If checking CRL paths this isn't the EE certificate */
678 if (ctx->parent) 628 if (ctx->parent)
679 return 1; 629 return 1;
680 last = 0; 630 last = 0;
681 } 631 }
682 for(i = 0; i <= last; i++) 632 for(i = 0; i <= last; i++) {
683 {
684 ctx->error_depth = i; 633 ctx->error_depth = i;
685 ok = check_cert(ctx); 634 ok = check_cert(ctx);
686 if (!ok) return ok; 635 if (!ok) return ok;
687 }
688 return 1;
689 } 636 }
637 return 1;
638}
690 639
691static int check_cert(X509_STORE_CTX *ctx) 640static int check_cert(X509_STORE_CTX *ctx) {
692 {
693 X509_CRL *crl = NULL, *dcrl = NULL; 641 X509_CRL *crl = NULL, *dcrl = NULL;
694 X509 *x; 642 X509 *x;
695 int ok, cnum; 643 int ok, cnum;
@@ -700,8 +648,7 @@ static int check_cert(X509_STORE_CTX *ctx)
700 ctx->current_issuer = NULL; 648 ctx->current_issuer = NULL;
701 ctx->current_crl_score = 0; 649 ctx->current_crl_score = 0;
702 ctx->current_reasons = 0; 650 ctx->current_reasons = 0;
703 while (ctx->current_reasons != CRLDP_ALL_REASONS) 651 while (ctx->current_reasons != CRLDP_ALL_REASONS) {
704 {
705 last_reasons = ctx->current_reasons; 652 last_reasons = ctx->current_reasons;
706 /* Try to retrieve relevant CRL */ 653 /* Try to retrieve relevant CRL */
707 if (ctx->get_crl) 654 if (ctx->get_crl)
@@ -711,36 +658,32 @@ static int check_cert(X509_STORE_CTX *ctx)
711 /* If error looking up CRL, nothing we can do except 658 /* If error looking up CRL, nothing we can do except
712 * notify callback 659 * notify callback
713 */ 660 */
714 if(!ok) 661 if(!ok) {
715 {
716 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 662 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
717 ok = ctx->verify_cb(0, ctx); 663 ok = ctx->verify_cb(0, ctx);
718 goto err; 664 goto err;
719 } 665 }
720 ctx->current_crl = crl; 666 ctx->current_crl = crl;
721 ok = ctx->check_crl(ctx, crl); 667 ok = ctx->check_crl(ctx, crl);
722 if (!ok) 668 if (!ok)
723 goto err; 669 goto err;
724 670
725 if (dcrl) 671 if (dcrl) {
726 {
727 ok = ctx->check_crl(ctx, dcrl); 672 ok = ctx->check_crl(ctx, dcrl);
728 if (!ok) 673 if (!ok)
729 goto err; 674 goto err;
730 ok = ctx->cert_crl(ctx, dcrl, x); 675 ok = ctx->cert_crl(ctx, dcrl, x);
731 if (!ok) 676 if (!ok)
732 goto err; 677 goto err;
733 } 678 } else
734 else
735 ok = 1; 679 ok = 1;
736 680
737 /* Don't look in full CRL if delta reason is removefromCRL */ 681 /* Don't look in full CRL if delta reason is removefromCRL */
738 if (ok != 2) 682 if (ok != 2) {
739 {
740 ok = ctx->cert_crl(ctx, crl, x); 683 ok = ctx->cert_crl(ctx, crl, x);
741 if (!ok) 684 if (!ok)
742 goto err; 685 goto err;
743 } 686 }
744 687
745 X509_CRL_free(crl); 688 X509_CRL_free(crl);
746 X509_CRL_free(dcrl); 689 X509_CRL_free(dcrl);
@@ -749,26 +692,25 @@ static int check_cert(X509_STORE_CTX *ctx)
749 /* If reasons not updated we wont get anywhere by 692 /* If reasons not updated we wont get anywhere by
750 * another iteration, so exit loop. 693 * another iteration, so exit loop.
751 */ 694 */
752 if (last_reasons == ctx->current_reasons) 695 if (last_reasons == ctx->current_reasons) {
753 {
754 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 696 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
755 ok = ctx->verify_cb(0, ctx); 697 ok = ctx->verify_cb(0, ctx);
756 goto err; 698 goto err;
757 }
758 } 699 }
759 err: 700 }
701err:
760 X509_CRL_free(crl); 702 X509_CRL_free(crl);
761 X509_CRL_free(dcrl); 703 X509_CRL_free(dcrl);
762 704
763 ctx->current_crl = NULL; 705 ctx->current_crl = NULL;
764 return ok; 706 return ok;
765 707
766 } 708}
767 709
768/* Check CRL times against values in X509_STORE_CTX */ 710/* Check CRL times against values in X509_STORE_CTX */
769 711
770static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 712static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
771 { 713{
772 time_t *ptime; 714 time_t *ptime;
773 int i; 715 int i;
774 if (notify) 716 if (notify)
@@ -779,80 +721,72 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
779 ptime = NULL; 721 ptime = NULL;
780 722
781 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 723 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
782 if (i == 0) 724 if (i == 0) {
783 {
784 if (!notify) 725 if (!notify)
785 return 0; 726 return 0;
786 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 727 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
787 if (!ctx->verify_cb(0, ctx)) 728 if (!ctx->verify_cb(0, ctx))
788 return 0; 729 return 0;
789 } 730 }
790 731
791 if (i > 0) 732 if (i > 0) {
792 {
793 if (!notify) 733 if (!notify)
794 return 0; 734 return 0;
795 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; 735 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
796 if (!ctx->verify_cb(0, ctx)) 736 if (!ctx->verify_cb(0, ctx))
797 return 0; 737 return 0;
798 } 738 }
799 739
800 if(X509_CRL_get_nextUpdate(crl)) 740 if(X509_CRL_get_nextUpdate(crl)) {
801 {
802 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 741 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
803 742
804 if (i == 0) 743 if (i == 0) {
805 {
806 if (!notify) 744 if (!notify)
807 return 0; 745 return 0;
808 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 746 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
809 if (!ctx->verify_cb(0, ctx)) 747 if (!ctx->verify_cb(0, ctx))
810 return 0; 748 return 0;
811 } 749 }
812 /* Ignore expiry of base CRL is delta is valid */ 750 /* Ignore expiry of base CRL is delta is valid */
813 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) 751 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
814 {
815 if (!notify) 752 if (!notify)
816 return 0; 753 return 0;
817 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; 754 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
818 if (!ctx->verify_cb(0, ctx)) 755 if (!ctx->verify_cb(0, ctx))
819 return 0; 756 return 0;
820 }
821 } 757 }
758 }
822 759
823 if (notify) 760 if (notify)
824 ctx->current_crl = NULL; 761 ctx->current_crl = NULL;
825 762
826 return 1; 763 return 1;
827 } 764}
828 765
829static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 766static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
830 X509 **pissuer, int *pscore, unsigned int *preasons, 767 X509 **pissuer, int *pscore, unsigned int *preasons,
831 STACK_OF(X509_CRL) *crls) 768 STACK_OF(X509_CRL) *crls)
832 { 769{
833 int i, crl_score, best_score = *pscore; 770 int i, crl_score, best_score = *pscore;
834 unsigned int reasons, best_reasons = 0; 771 unsigned int reasons, best_reasons = 0;
835 X509 *x = ctx->current_cert; 772 X509 *x = ctx->current_cert;
836 X509_CRL *crl, *best_crl = NULL; 773 X509_CRL *crl, *best_crl = NULL;
837 X509 *crl_issuer = NULL, *best_crl_issuer = NULL; 774 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
838 775
839 for (i = 0; i < sk_X509_CRL_num(crls); i++) 776 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
840 {
841 crl = sk_X509_CRL_value(crls, i); 777 crl = sk_X509_CRL_value(crls, i);
842 reasons = *preasons; 778 reasons = *preasons;
843 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); 779 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
844 780
845 if (crl_score > best_score) 781 if (crl_score > best_score) {
846 {
847 best_crl = crl; 782 best_crl = crl;
848 best_crl_issuer = crl_issuer; 783 best_crl_issuer = crl_issuer;
849 best_score = crl_score; 784 best_score = crl_score;
850 best_reasons = reasons; 785 best_reasons = reasons;
851 }
852 } 786 }
787 }
853 788
854 if (best_crl) 789 if (best_crl) {
855 {
856 if (*pcrl) 790 if (*pcrl)
857 X509_CRL_free(*pcrl); 791 X509_CRL_free(*pcrl);
858 *pcrl = best_crl; 792 *pcrl = best_crl;
@@ -860,49 +794,44 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
860 *pscore = best_score; 794 *pscore = best_score;
861 *preasons = best_reasons; 795 *preasons = best_reasons;
862 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); 796 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
863 if (*pdcrl) 797 if (*pdcrl) {
864 {
865 X509_CRL_free(*pdcrl); 798 X509_CRL_free(*pdcrl);
866 *pdcrl = NULL; 799 *pdcrl = NULL;
867 }
868 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
869 } 800 }
801 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
802 }
870 803
871 if (best_score >= CRL_SCORE_VALID) 804 if (best_score >= CRL_SCORE_VALID)
872 return 1; 805 return 1;
873 806
874 return 0; 807 return 0;
875 } 808}
876 809
877/* Compare two CRL extensions for delta checking purposes. They should be 810/* Compare two CRL extensions for delta checking purposes. They should be
878 * both present or both absent. If both present all fields must be identical. 811 * both present or both absent. If both present all fields must be identical.
879 */ 812 */
880 813
881static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 814static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
882 { 815{
883 ASN1_OCTET_STRING *exta, *extb; 816 ASN1_OCTET_STRING *exta, *extb;
884 int i; 817 int i;
885 i = X509_CRL_get_ext_by_NID(a, nid, -1); 818 i = X509_CRL_get_ext_by_NID(a, nid, -1);
886 if (i >= 0) 819 if (i >= 0) {
887 {
888 /* Can't have multiple occurrences */ 820 /* Can't have multiple occurrences */
889 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) 821 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
890 return 0; 822 return 0;
891 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); 823 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
892 } 824 } else
893 else
894 exta = NULL; 825 exta = NULL;
895 826
896 i = X509_CRL_get_ext_by_NID(b, nid, -1); 827 i = X509_CRL_get_ext_by_NID(b, nid, -1);
897 828
898 if (i >= 0) 829 if (i >= 0) {
899 {
900 830
901 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 831 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
902 return 0; 832 return 0;
903 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 833 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
904 } 834 } else
905 else
906 extb = NULL; 835 extb = NULL;
907 836
908 if (!exta && !extb) 837 if (!exta && !extb)
@@ -916,12 +845,12 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
916 return 0; 845 return 0;
917 846
918 return 1; 847 return 1;
919 } 848}
920 849
921/* See if a base and delta are compatible */ 850/* See if a base and delta are compatible */
922 851
923static int check_delta_base(X509_CRL *delta, X509_CRL *base) 852static int check_delta_base(X509_CRL *delta, X509_CRL *base)
924 { 853{
925 /* Delta CRL must be a delta */ 854 /* Delta CRL must be a delta */
926 if (!delta->base_crl_number) 855 if (!delta->base_crl_number)
927 return 0; 856 return 0;
@@ -944,7 +873,7 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
944 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 873 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
945 return 1; 874 return 1;
946 return 0; 875 return 0;
947 } 876}
948 877
949/* For a given base CRL find a delta... maybe extend to delta scoring 878/* For a given base CRL find a delta... maybe extend to delta scoring
950 * or retrieve a chain of deltas... 879 * or retrieve a chain of deltas...
@@ -952,27 +881,25 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
952 881
953static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, 882static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
954 X509_CRL *base, STACK_OF(X509_CRL) *crls) 883 X509_CRL *base, STACK_OF(X509_CRL) *crls)
955 { 884{
956 X509_CRL *delta; 885 X509_CRL *delta;
957 int i; 886 int i;
958 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 887 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
959 return; 888 return;
960 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 889 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
961 return; 890 return;
962 for (i = 0; i < sk_X509_CRL_num(crls); i++) 891 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
963 {
964 delta = sk_X509_CRL_value(crls, i); 892 delta = sk_X509_CRL_value(crls, i);
965 if (check_delta_base(delta, base)) 893 if (check_delta_base(delta, base)) {
966 {
967 if (check_crl_time(ctx, delta, 0)) 894 if (check_crl_time(ctx, delta, 0))
968 *pscore |= CRL_SCORE_TIME_DELTA; 895 *pscore |= CRL_SCORE_TIME_DELTA;
969 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); 896 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
970 *dcrl = delta; 897 *dcrl = delta;
971 return; 898 return;
972 }
973 } 899 }
974 *dcrl = NULL;
975 } 900 }
901 *dcrl = NULL;
902}
976 903
977/* For a given CRL return how suitable it is for the supplied certificate 'x'. 904/* For a given CRL return how suitable it is for the supplied certificate 'x'.
978 * The return value is a mask of several criteria. 905 * The return value is a mask of several criteria.
@@ -984,7 +911,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
984static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 911static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
985 unsigned int *preasons, 912 unsigned int *preasons,
986 X509_CRL *crl, X509 *x) 913 X509_CRL *crl, X509 *x)
987 { 914{
988 915
989 int crl_score = 0; 916 int crl_score = 0;
990 unsigned int tmp_reasons = *preasons, crl_reasons; 917 unsigned int tmp_reasons = *preasons, crl_reasons;
@@ -995,27 +922,22 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
995 if (crl->idp_flags & IDP_INVALID) 922 if (crl->idp_flags & IDP_INVALID)
996 return 0; 923 return 0;
997 /* Reason codes or indirect CRLs need extended CRL support */ 924 /* Reason codes or indirect CRLs need extended CRL support */
998 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) 925 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
999 {
1000 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) 926 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1001 return 0; 927 return 0;
1002 } 928 } else if (crl->idp_flags & IDP_REASONS) {
1003 else if (crl->idp_flags & IDP_REASONS)
1004 {
1005 /* If no new reasons reject */ 929 /* If no new reasons reject */
1006 if (!(crl->idp_reasons & ~tmp_reasons)) 930 if (!(crl->idp_reasons & ~tmp_reasons))
1007 return 0; 931 return 0;
1008 } 932 }
1009 /* Don't process deltas at this stage */ 933 /* Don't process deltas at this stage */
1010 else if (crl->base_crl_number) 934 else if (crl->base_crl_number)
1011 return 0; 935 return 0;
1012 /* If issuer name doesn't match certificate need indirect CRL */ 936 /* If issuer name doesn't match certificate need indirect CRL */
1013 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) 937 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1014 {
1015 if (!(crl->idp_flags & IDP_INDIRECT)) 938 if (!(crl->idp_flags & IDP_INDIRECT))
1016 return 0; 939 return 0;
1017 } 940 } else
1018 else
1019 crl_score |= CRL_SCORE_ISSUER_NAME; 941 crl_score |= CRL_SCORE_ISSUER_NAME;
1020 942
1021 if (!(crl->flags & EXFLAG_CRITICAL)) 943 if (!(crl->flags & EXFLAG_CRITICAL))
@@ -1035,24 +957,23 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
1035 957
1036 /* Check cert for matching CRL distribution points */ 958 /* Check cert for matching CRL distribution points */
1037 959
1038 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) 960 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1039 {
1040 /* If no new reasons reject */ 961 /* If no new reasons reject */
1041 if (!(crl_reasons & ~tmp_reasons)) 962 if (!(crl_reasons & ~tmp_reasons))
1042 return 0; 963 return 0;
1043 tmp_reasons |= crl_reasons; 964 tmp_reasons |= crl_reasons;
1044 crl_score |= CRL_SCORE_SCOPE; 965 crl_score |= CRL_SCORE_SCOPE;
1045 } 966 }
1046 967
1047 *preasons = tmp_reasons; 968 *preasons = tmp_reasons;
1048 969
1049 return crl_score; 970 return crl_score;
1050 971
1051 } 972}
1052 973
1053static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 974static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1054 X509 **pissuer, int *pcrl_score) 975 X509 **pissuer, int *pcrl_score)
1055 { 976{
1056 X509 *crl_issuer = NULL; 977 X509 *crl_issuer = NULL;
1057 X509_NAME *cnm = X509_CRL_get_issuer(crl); 978 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1058 int cidx = ctx->error_depth; 979 int cidx = ctx->error_depth;
@@ -1063,28 +984,24 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1063 984
1064 crl_issuer = sk_X509_value(ctx->chain, cidx); 985 crl_issuer = sk_X509_value(ctx->chain, cidx);
1065 986
1066 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 987 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1067 { 988 if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1068 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1069 {
1070 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; 989 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1071 *pissuer = crl_issuer; 990 *pissuer = crl_issuer;
1072 return; 991 return;
1073 }
1074 } 992 }
993 }
1075 994
1076 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) 995 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
1077 {
1078 crl_issuer = sk_X509_value(ctx->chain, cidx); 996 crl_issuer = sk_X509_value(ctx->chain, cidx);
1079 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 997 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1080 continue; 998 continue;
1081 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 999 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1082 {
1083 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; 1000 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1084 *pissuer = crl_issuer; 1001 *pissuer = crl_issuer;
1085 return; 1002 return;
1086 }
1087 } 1003 }
1004 }
1088 1005
1089 /* Anything else needs extended CRL support */ 1006 /* Anything else needs extended CRL support */
1090 1007
@@ -1094,19 +1011,17 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1094 /* Otherwise the CRL issuer is not on the path. Look for it in the 1011 /* Otherwise the CRL issuer is not on the path. Look for it in the
1095 * set of untrusted certificates. 1012 * set of untrusted certificates.
1096 */ 1013 */
1097 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) 1014 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1098 {
1099 crl_issuer = sk_X509_value(ctx->untrusted, i); 1015 crl_issuer = sk_X509_value(ctx->untrusted, i);
1100 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1016 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1101 continue; 1017 continue;
1102 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 1018 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1103 {
1104 *pissuer = crl_issuer; 1019 *pissuer = crl_issuer;
1105 *pcrl_score |= CRL_SCORE_AKID; 1020 *pcrl_score |= CRL_SCORE_AKID;
1106 return; 1021 return;
1107 }
1108 } 1022 }
1109 } 1023 }
1024}
1110 1025
1111/* Check the path of a CRL issuer certificate. This creates a new 1026/* Check the path of a CRL issuer certificate. This creates a new
1112 * X509_STORE_CTX and populates it with most of the parameters from the 1027 * X509_STORE_CTX and populates it with most of the parameters from the
@@ -1116,7 +1031,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1116 */ 1031 */
1117 1032
1118static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1033static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1119 { 1034{
1120 X509_STORE_CTX crl_ctx; 1035 X509_STORE_CTX crl_ctx;
1121 int ret; 1036 int ret;
1122 /* Don't allow recursive CRL path validation */ 1037 /* Don't allow recursive CRL path validation */
@@ -1144,7 +1059,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1144 err: 1059 err:
1145 X509_STORE_CTX_cleanup(&crl_ctx); 1060 X509_STORE_CTX_cleanup(&crl_ctx);
1146 return ret; 1061 return ret;
1147 } 1062}
1148 1063
1149/* RFC3280 says nothing about the relationship between CRL path 1064/* RFC3280 says nothing about the relationship between CRL path
1150 * and certificate path, which could lead to situations where a 1065 * and certificate path, which could lead to situations where a
@@ -1157,14 +1072,14 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1157static int check_crl_chain(X509_STORE_CTX *ctx, 1072static int check_crl_chain(X509_STORE_CTX *ctx,
1158 STACK_OF(X509) *cert_path, 1073 STACK_OF(X509) *cert_path,
1159 STACK_OF(X509) *crl_path) 1074 STACK_OF(X509) *crl_path)
1160 { 1075{
1161 X509 *cert_ta, *crl_ta; 1076 X509 *cert_ta, *crl_ta;
1162 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1077 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1163 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1078 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1164 if (!X509_cmp(cert_ta, crl_ta)) 1079 if (!X509_cmp(cert_ta, crl_ta))
1165 return 1; 1080 return 1;
1166 return 0; 1081 return 0;
1167 } 1082}
1168 1083
1169/* Check for match between two dist point names: three separate cases. 1084/* Check for match between two dist point names: three separate cases.
1170 * 1. Both are relative names and compare X509_NAME types. 1085 * 1. Both are relative names and compare X509_NAME types.
@@ -1175,125 +1090,110 @@ static int check_crl_chain(X509_STORE_CTX *ctx,
1175 1090
1176 1091
1177static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1092static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1178 { 1093{
1179 X509_NAME *nm = NULL; 1094 X509_NAME *nm = NULL;
1180 GENERAL_NAMES *gens = NULL; 1095 GENERAL_NAMES *gens = NULL;
1181 GENERAL_NAME *gena, *genb; 1096 GENERAL_NAME *gena, *genb;
1182 int i, j; 1097 int i, j;
1183 if (!a || !b) 1098 if (!a || !b)
1184 return 1; 1099 return 1;
1185 if (a->type == 1) 1100 if (a->type == 1) {
1186 {
1187 if (!a->dpname) 1101 if (!a->dpname)
1188 return 0; 1102 return 0;
1189 /* Case 1: two X509_NAME */ 1103 /* Case 1: two X509_NAME */
1190 if (b->type == 1) 1104 if (b->type == 1) {
1191 {
1192 if (!b->dpname) 1105 if (!b->dpname)
1193 return 0; 1106 return 0;
1194 if (!X509_NAME_cmp(a->dpname, b->dpname)) 1107 if (!X509_NAME_cmp(a->dpname, b->dpname))
1195 return 1; 1108 return 1;
1196 else 1109 else
1197 return 0; 1110 return 0;
1198 } 1111 }
1199 /* Case 2: set name and GENERAL_NAMES appropriately */ 1112 /* Case 2: set name and GENERAL_NAMES appropriately */
1200 nm = a->dpname; 1113 nm = a->dpname;
1201 gens = b->name.fullname; 1114 gens = b->name.fullname;
1202 } 1115 } else if (b->type == 1) {
1203 else if (b->type == 1)
1204 {
1205 if (!b->dpname) 1116 if (!b->dpname)
1206 return 0; 1117 return 0;
1207 /* Case 2: set name and GENERAL_NAMES appropriately */ 1118 /* Case 2: set name and GENERAL_NAMES appropriately */
1208 gens = a->name.fullname; 1119 gens = a->name.fullname;
1209 nm = b->dpname; 1120 nm = b->dpname;
1210 } 1121 }
1211 1122
1212 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1123 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1213 if (nm) 1124 if (nm) {
1214 { 1125 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1215 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1216 {
1217 gena = sk_GENERAL_NAME_value(gens, i); 1126 gena = sk_GENERAL_NAME_value(gens, i);
1218 if (gena->type != GEN_DIRNAME) 1127 if (gena->type != GEN_DIRNAME)
1219 continue; 1128 continue;
1220 if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1129 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1221 return 1; 1130 return 1;
1222 }
1223 return 0;
1224 } 1131 }
1132 return 0;
1133 }
1225 1134
1226 /* Else case 3: two GENERAL_NAMES */ 1135 /* Else case 3: two GENERAL_NAMES */
1227 1136
1228 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) 1137 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1229 {
1230 gena = sk_GENERAL_NAME_value(a->name.fullname, i); 1138 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1231 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) 1139 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1232 {
1233 genb = sk_GENERAL_NAME_value(b->name.fullname, j); 1140 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1234 if (!GENERAL_NAME_cmp(gena, genb)) 1141 if (!GENERAL_NAME_cmp(gena, genb))
1235 return 1; 1142 return 1;
1236 }
1237 } 1143 }
1144 }
1238 1145
1239 return 0; 1146 return 0;
1240 1147
1241 } 1148}
1242 1149
1243static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1150static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1244 { 1151{
1245 int i; 1152 int i;
1246 X509_NAME *nm = X509_CRL_get_issuer(crl); 1153 X509_NAME *nm = X509_CRL_get_issuer(crl);
1247 /* If no CRLissuer return is successful iff don't need a match */ 1154 /* If no CRLissuer return is successful iff don't need a match */
1248 if (!dp->CRLissuer) 1155 if (!dp->CRLissuer)
1249 return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1156 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1250 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) 1157 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1251 {
1252 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); 1158 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1253 if (gen->type != GEN_DIRNAME) 1159 if (gen->type != GEN_DIRNAME)
1254 continue; 1160 continue;
1255 if (!X509_NAME_cmp(gen->d.directoryName, nm)) 1161 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1256 return 1; 1162 return 1;
1257 }
1258 return 0;
1259 } 1163 }
1164 return 0;
1165}
1260 1166
1261/* Check CRLDP and IDP */ 1167/* Check CRLDP and IDP */
1262 1168
1263static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 1169static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1264 unsigned int *preasons) 1170 unsigned int *preasons)
1265 { 1171{
1266 int i; 1172 int i;
1267 if (crl->idp_flags & IDP_ONLYATTR) 1173 if (crl->idp_flags & IDP_ONLYATTR)
1268 return 0; 1174 return 0;
1269 if (x->ex_flags & EXFLAG_CA) 1175 if (x->ex_flags & EXFLAG_CA) {
1270 {
1271 if (crl->idp_flags & IDP_ONLYUSER) 1176 if (crl->idp_flags & IDP_ONLYUSER)
1272 return 0; 1177 return 0;
1273 } 1178 } else {
1274 else
1275 {
1276 if (crl->idp_flags & IDP_ONLYCA) 1179 if (crl->idp_flags & IDP_ONLYCA)
1277 return 0; 1180 return 0;
1278 } 1181 }
1279 *preasons = crl->idp_reasons; 1182 *preasons = crl->idp_reasons;
1280 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) 1183 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1281 {
1282 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1184 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1283 if (crldp_check_crlissuer(dp, crl, crl_score)) 1185 if (crldp_check_crlissuer(dp, crl, crl_score)) {
1284 {
1285 if (!crl->idp || 1186 if (!crl->idp ||
1286 idp_check_dp(dp->distpoint, crl->idp->distpoint)) 1187 idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1287 {
1288 *preasons &= dp->dp_reasons; 1188 *preasons &= dp->dp_reasons;
1289 return 1; 1189 return 1;
1290 }
1291 } 1190 }
1292 } 1191 }
1192 }
1293 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) 1193 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1294 return 1; 1194 return 1;
1295 return 0; 1195 return 0;
1296 } 1196}
1297 1197
1298/* Retrieve CRL corresponding to current certificate. 1198/* Retrieve CRL corresponding to current certificate.
1299 * If deltas enabled try to find a delta CRL too 1199 * If deltas enabled try to find a delta CRL too
@@ -1301,7 +1201,7 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1301 1201
1302static int get_crl_delta(X509_STORE_CTX *ctx, 1202static int get_crl_delta(X509_STORE_CTX *ctx,
1303 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1203 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1304 { 1204{
1305 int ok; 1205 int ok;
1306 X509 *issuer = NULL; 1206 X509 *issuer = NULL;
1307 int crl_score = 0; 1207 int crl_score = 0;
@@ -1331,129 +1231,113 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1331 done: 1231 done:
1332 1232
1333 /* If we got any kind of CRL use it and return success */ 1233 /* If we got any kind of CRL use it and return success */
1334 if (crl) 1234 if (crl) {
1335 {
1336 ctx->current_issuer = issuer; 1235 ctx->current_issuer = issuer;
1337 ctx->current_crl_score = crl_score; 1236 ctx->current_crl_score = crl_score;
1338 ctx->current_reasons = reasons; 1237 ctx->current_reasons = reasons;
1339 *pcrl = crl; 1238 *pcrl = crl;
1340 *pdcrl = dcrl; 1239 *pdcrl = dcrl;
1341 return 1; 1240 return 1;
1342 } 1241 }
1343 1242
1344 return 0; 1243 return 0;
1345 } 1244}
1346 1245
1347/* Check CRL validity */ 1246/* Check CRL validity */
1348static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1247static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1349 { 1248{
1350 X509 *issuer = NULL; 1249 X509 *issuer = NULL;
1351 EVP_PKEY *ikey = NULL; 1250 EVP_PKEY *ikey = NULL;
1352 int ok = 0, chnum, cnum; 1251 int ok = 0, chnum, cnum;
1353 cnum = ctx->error_depth; 1252 cnum = ctx->error_depth;
1354 chnum = sk_X509_num(ctx->chain) - 1; 1253 chnum = sk_X509_num(ctx->chain) - 1;
1355 /* if we have an alternative CRL issuer cert use that */ 1254 /* if we have an alternative CRL issuer cert use that */
1356 if (ctx->current_issuer) 1255 if (ctx->current_issuer) {
1357 issuer = ctx->current_issuer; 1256 issuer = ctx->current_issuer;
1358 1257 } else if (cnum < chnum) {
1359 /* Else find CRL issuer: if not last certificate then issuer 1258 /* Else find CRL issuer: if not last certificate then issuer
1360 * is next certificate in chain. 1259 * is next certificate in chain.
1361 */ 1260 */
1362 else if (cnum < chnum)
1363 issuer = sk_X509_value(ctx->chain, cnum + 1); 1261 issuer = sk_X509_value(ctx->chain, cnum + 1);
1364 else 1262 } else {
1365 {
1366 issuer = sk_X509_value(ctx->chain, chnum); 1263 issuer = sk_X509_value(ctx->chain, chnum);
1367 /* If not self signed, can't check signature */ 1264 /* If not self signed, can't check signature */
1368 if(!ctx->check_issued(ctx, issuer, issuer)) 1265 if(!ctx->check_issued(ctx, issuer, issuer)) {
1369 {
1370 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1266 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1371 ok = ctx->verify_cb(0, ctx); 1267 ok = ctx->verify_cb(0, ctx);
1372 if(!ok) goto err; 1268 if(!ok) goto err;
1373 }
1374 } 1269 }
1270 }
1375 1271
1376 if(issuer) 1272 if(issuer) {
1377 {
1378 /* Skip most tests for deltas because they have already 1273 /* Skip most tests for deltas because they have already
1379 * been done 1274 * been done
1380 */ 1275 */
1381 if (!crl->base_crl_number) 1276 if (!crl->base_crl_number) {
1382 {
1383 /* Check for cRLSign bit if keyUsage present */ 1277 /* Check for cRLSign bit if keyUsage present */
1384 if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1278 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1385 !(issuer->ex_kusage & KU_CRL_SIGN)) 1279 !(issuer->ex_kusage & KU_CRL_SIGN)) {
1386 {
1387 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1280 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1388 ok = ctx->verify_cb(0, ctx); 1281 ok = ctx->verify_cb(0, ctx);
1389 if(!ok) goto err; 1282 if(!ok) goto err;
1390 } 1283 }
1391 1284
1392 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) 1285 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1393 {
1394 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1286 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1395 ok = ctx->verify_cb(0, ctx); 1287 ok = ctx->verify_cb(0, ctx);
1396 if(!ok) goto err; 1288 if(!ok) goto err;
1397 } 1289 }
1398 1290
1399 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) 1291 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1400 { 1292 if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1401 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1402 {
1403 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1293 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1404 ok = ctx->verify_cb(0, ctx); 1294 ok = ctx->verify_cb(0, ctx);
1405 if(!ok) goto err; 1295 if(!ok) goto err;
1406 }
1407 } 1296 }
1297 }
1408 1298
1409 if (crl->idp_flags & IDP_INVALID) 1299 if (crl->idp_flags & IDP_INVALID) {
1410 {
1411 ctx->error = X509_V_ERR_INVALID_EXTENSION; 1300 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1412 ok = ctx->verify_cb(0, ctx); 1301 ok = ctx->verify_cb(0, ctx);
1413 if(!ok) goto err; 1302 if(!ok) goto err;
1414 } 1303 }
1415 1304
1416 1305
1417 } 1306 }
1418 1307
1419 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) 1308 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1420 {
1421 ok = check_crl_time(ctx, crl, 1); 1309 ok = check_crl_time(ctx, crl, 1);
1422 if (!ok) 1310 if (!ok)
1423 goto err; 1311 goto err;
1424 } 1312 }
1425 1313
1426 /* Attempt to get issuer certificate public key */ 1314 /* Attempt to get issuer certificate public key */
1427 ikey = X509_get_pubkey(issuer); 1315 ikey = X509_get_pubkey(issuer);
1428 1316
1429 if(!ikey) 1317 if(!ikey) {
1430 {
1431 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1318 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1432 ok = ctx->verify_cb(0, ctx); 1319 ok = ctx->verify_cb(0, ctx);
1433 if (!ok) goto err; 1320 if (!ok) goto err;
1434 } 1321 } else {
1435 else
1436 {
1437 /* Verify CRL signature */ 1322 /* Verify CRL signature */
1438 if(X509_CRL_verify(crl, ikey) <= 0) 1323 if(X509_CRL_verify(crl, ikey) <= 0) {
1439 {
1440 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; 1324 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1441 ok = ctx->verify_cb(0, ctx); 1325 ok = ctx->verify_cb(0, ctx);
1442 if (!ok) goto err; 1326 if (!ok) goto err;
1443 }
1444 } 1327 }
1445 } 1328 }
1329 }
1446 1330
1447 ok = 1; 1331 ok = 1;
1448 1332
1449 err: 1333err:
1450 EVP_PKEY_free(ikey); 1334 EVP_PKEY_free(ikey);
1451 return ok; 1335 return ok;
1452 } 1336}
1453 1337
1454/* Check certificate against CRL */ 1338/* Check certificate against CRL */
1455static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1339static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1456 { 1340{
1457 int ok; 1341 int ok;
1458 X509_REVOKED *rev; 1342 X509_REVOKED *rev;
1459 /* The rules changed for this... previously if a CRL contained 1343 /* The rules changed for this... previously if a CRL contained
@@ -1462,51 +1346,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1462 * critical extension can change the meaning of CRL entries. 1346 * critical extension can change the meaning of CRL entries.
1463 */ 1347 */
1464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 1348 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1465 && (crl->flags & EXFLAG_CRITICAL)) 1349 && (crl->flags & EXFLAG_CRITICAL)) {
1466 {
1467 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1350 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1468 ok = ctx->verify_cb(0, ctx); 1351 ok = ctx->verify_cb(0, ctx);
1469 if(!ok) 1352 if(!ok)
1470 return 0; 1353 return 0;
1471 } 1354 }
1472 /* Look for serial number of certificate in CRL 1355 /* Look for serial number of certificate in CRL
1473 * If found make sure reason is not removeFromCRL. 1356 * If found make sure reason is not removeFromCRL.
1474 */ 1357 */
1475 if (X509_CRL_get0_by_cert(crl, &rev, x)) 1358 if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1476 {
1477 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) 1359 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1478 return 2; 1360 return 2;
1479 ctx->error = X509_V_ERR_CERT_REVOKED; 1361 ctx->error = X509_V_ERR_CERT_REVOKED;
1480 ok = ctx->verify_cb(0, ctx); 1362 ok = ctx->verify_cb(0, ctx);
1481 if (!ok) 1363 if (!ok)
1482 return 0; 1364 return 0;
1483 } 1365 }
1484 1366
1485 return 1; 1367 return 1;
1486 } 1368}
1487 1369
1488static int check_policy(X509_STORE_CTX *ctx) 1370static int check_policy(X509_STORE_CTX *ctx)
1489 { 1371{
1490 int ret; 1372 int ret;
1491 if (ctx->parent) 1373 if (ctx->parent)
1492 return 1; 1374 return 1;
1493 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1375 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1494 ctx->param->policies, ctx->param->flags); 1376 ctx->param->policies, ctx->param->flags);
1495 if (ret == 0) 1377 if (ret == 0) {
1496 {
1497 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); 1378 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1498 return 0; 1379 return 0;
1499 } 1380 }
1500 /* Invalid or inconsistent extensions */ 1381 /* Invalid or inconsistent extensions */
1501 if (ret == -1) 1382 if (ret == -1) {
1502 {
1503 /* Locate certificates with bad extensions and notify 1383 /* Locate certificates with bad extensions and notify
1504 * callback. 1384 * callback.
1505 */ 1385 */
1506 X509 *x; 1386 X509 *x;
1507 int i; 1387 int i;
1508 for (i = 1; i < sk_X509_num(ctx->chain); i++) 1388 for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1509 {
1510 x = sk_X509_value(ctx->chain, i); 1389 x = sk_X509_value(ctx->chain, i);
1511 if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) 1390 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1512 continue; 1391 continue;
@@ -1514,29 +1393,27 @@ static int check_policy(X509_STORE_CTX *ctx)
1514 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; 1393 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1515 if(!ctx->verify_cb(0, ctx)) 1394 if(!ctx->verify_cb(0, ctx))
1516 return 0; 1395 return 0;
1517 }
1518 return 1;
1519 } 1396 }
1520 if (ret == -2) 1397 return 1;
1521 { 1398 }
1399 if (ret == -2) {
1522 ctx->current_cert = NULL; 1400 ctx->current_cert = NULL;
1523 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; 1401 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1524 return ctx->verify_cb(0, ctx); 1402 return ctx->verify_cb(0, ctx);
1525 } 1403 }
1526 1404
1527 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) 1405 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1528 {
1529 ctx->current_cert = NULL; 1406 ctx->current_cert = NULL;
1530 ctx->error = X509_V_OK; 1407 ctx->error = X509_V_OK;
1531 if (!ctx->verify_cb(2, ctx)) 1408 if (!ctx->verify_cb(2, ctx))
1532 return 0; 1409 return 0;
1533 } 1410 }
1534 1411
1535 return 1; 1412 return 1;
1536 } 1413}
1537 1414
1538static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1415static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1539 { 1416{
1540 time_t *ptime; 1417 time_t *ptime;
1541 int i; 1418 int i;
1542 1419
@@ -1546,44 +1423,40 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1546 ptime = NULL; 1423 ptime = NULL;
1547 1424
1548 i=X509_cmp_time(X509_get_notBefore(x), ptime); 1425 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1549 if (i == 0) 1426 if (i == 0) {
1550 {
1551 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1427 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1552 ctx->current_cert=x; 1428 ctx->current_cert=x;
1553 if (!ctx->verify_cb(0, ctx)) 1429 if (!ctx->verify_cb(0, ctx))
1554 return 0; 1430 return 0;
1555 } 1431 }
1556 1432
1557 if (i > 0) 1433 if (i > 0) {
1558 {
1559 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; 1434 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1560 ctx->current_cert=x; 1435 ctx->current_cert=x;
1561 if (!ctx->verify_cb(0, ctx)) 1436 if (!ctx->verify_cb(0, ctx))
1562 return 0; 1437 return 0;
1563 } 1438 }
1564 1439
1565 i=X509_cmp_time(X509_get_notAfter(x), ptime); 1440 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1566 if (i == 0) 1441 if (i == 0) {
1567 {
1568 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1442 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1569 ctx->current_cert=x; 1443 ctx->current_cert=x;
1570 if (!ctx->verify_cb(0, ctx)) 1444 if (!ctx->verify_cb(0, ctx))
1571 return 0; 1445 return 0;
1572 } 1446 }
1573 1447
1574 if (i < 0) 1448 if (i < 0) {
1575 {
1576 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; 1449 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1577 ctx->current_cert=x; 1450 ctx->current_cert=x;
1578 if (!ctx->verify_cb(0, ctx)) 1451 if (!ctx->verify_cb(0, ctx))
1579 return 0; 1452 return 0;
1580 } 1453 }
1581 1454
1582 return 1; 1455 return 1;
1583 } 1456}
1584 1457
1585static int internal_verify(X509_STORE_CTX *ctx) 1458static int internal_verify(X509_STORE_CTX *ctx)
1586 { 1459{
1587 int ok=0,n; 1460 int ok=0,n;
1588 X509 *xs,*xi; 1461 X509 *xs,*xi;
1589 EVP_PKEY *pkey=NULL; 1462 EVP_PKEY *pkey=NULL;
@@ -1598,55 +1471,45 @@ static int internal_verify(X509_STORE_CTX *ctx)
1598 1471
1599 if (ctx->check_issued(ctx, xi, xi)) 1472 if (ctx->check_issued(ctx, xi, xi))
1600 xs=xi; 1473 xs=xi;
1601 else 1474 else {
1602 { 1475 if (n <= 0) {
1603 if (n <= 0)
1604 {
1605 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; 1476 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1606 ctx->current_cert=xi; 1477 ctx->current_cert=xi;
1607 ok=cb(0,ctx); 1478 ok=cb(0,ctx);
1608 goto end; 1479 goto end;
1609 } 1480 } else {
1610 else
1611 {
1612 n--; 1481 n--;
1613 ctx->error_depth=n; 1482 ctx->error_depth=n;
1614 xs=sk_X509_value(ctx->chain,n); 1483 xs=sk_X509_value(ctx->chain,n);
1615 }
1616 } 1484 }
1485 }
1617 1486
1618/* ctx->error=0; not needed */ 1487/* ctx->error=0; not needed */
1619 while (n >= 0) 1488 while (n >= 0) {
1620 {
1621 ctx->error_depth=n; 1489 ctx->error_depth=n;
1622 1490
1623 /* Skip signature check for self signed certificates unless 1491 /* Skip signature check for self signed certificates unless
1624 * explicitly asked for. It doesn't add any security and 1492 * explicitly asked for. It doesn't add any security and
1625 * just wastes time. 1493 * just wastes time.
1626 */ 1494 */
1627 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) 1495 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
1628 { 1496 if ((pkey=X509_get_pubkey(xi)) == NULL) {
1629 if ((pkey=X509_get_pubkey(xi)) == NULL)
1630 {
1631 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1497 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1632 ctx->current_cert=xi; 1498 ctx->current_cert=xi;
1633 ok=(*cb)(0,ctx); 1499 ok=(*cb)(0,ctx);
1634 if (!ok) goto end; 1500 if (!ok) goto end;
1635 } 1501 } else if (X509_verify(xs,pkey) <= 0) {
1636 else if (X509_verify(xs,pkey) <= 0)
1637 {
1638 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; 1502 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1639 ctx->current_cert=xs; 1503 ctx->current_cert=xs;
1640 ok=(*cb)(0,ctx); 1504 ok=(*cb)(0,ctx);
1641 if (!ok) 1505 if (!ok) {
1642 {
1643 EVP_PKEY_free(pkey); 1506 EVP_PKEY_free(pkey);
1644 goto end; 1507 goto end;
1645 }
1646 } 1508 }
1509 }
1647 EVP_PKEY_free(pkey); 1510 EVP_PKEY_free(pkey);
1648 pkey=NULL; 1511 pkey=NULL;
1649 } 1512 }
1650 1513
1651 xs->valid = 1; 1514 xs->valid = 1;
1652 1515
@@ -1661,16 +1524,15 @@ static int internal_verify(X509_STORE_CTX *ctx)
1661 if (!ok) goto end; 1524 if (!ok) goto end;
1662 1525
1663 n--; 1526 n--;
1664 if (n >= 0) 1527 if (n >= 0) {
1665 {
1666 xi=xs; 1528 xi=xs;
1667 xs=sk_X509_value(ctx->chain,n); 1529 xs=sk_X509_value(ctx->chain,n);
1668 }
1669 } 1530 }
1531 }
1670 ok=1; 1532 ok=1;
1671end: 1533end:
1672 return ok; 1534 return ok;
1673 } 1535}
1674 1536
1675int X509_cmp_current_time(const ASN1_TIME *ctm) 1537int X509_cmp_current_time(const ASN1_TIME *ctm)
1676{ 1538{
@@ -1678,7 +1540,7 @@ int X509_cmp_current_time(const ASN1_TIME *ctm)
1678} 1540}
1679 1541
1680int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 1542int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1681 { 1543{
1682 char *str; 1544 char *str;
1683 ASN1_TIME atm; 1545 ASN1_TIME atm;
1684 long offset; 1546 long offset;
@@ -1688,49 +1550,44 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1688 p=buff1; 1550 p=buff1;
1689 i=ctm->length; 1551 i=ctm->length;
1690 str=(char *)ctm->data; 1552 str=(char *)ctm->data;
1691 if (ctm->type == V_ASN1_UTCTIME) 1553 if (ctm->type == V_ASN1_UTCTIME) {
1692 {
1693 if ((i < 11) || (i > 17)) return 0; 1554 if ((i < 11) || (i > 17)) return 0;
1694 memcpy(p,str,10); 1555 memcpy(p,str,10);
1695 p+=10; 1556 p+=10;
1696 str+=10; 1557 str+=10;
1697 } 1558 } else {
1698 else
1699 {
1700 if (i < 13) return 0; 1559 if (i < 13) return 0;
1701 memcpy(p,str,12); 1560 memcpy(p,str,12);
1702 p+=12; 1561 p+=12;
1703 str+=12; 1562 str+=12;
1704 } 1563 }
1705 1564
1706 if ((*str == 'Z') || (*str == '-') || (*str == '+')) 1565 if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
1707 { *(p++)='0'; *(p++)='0'; } 1566 *(p++)='0';
1708 else 1567 *(p++)='0';
1709 { 1568 } else {
1710 *(p++)= *(str++); 1569 *(p++)= *(str++);
1711 *(p++)= *(str++); 1570 *(p++)= *(str++);
1712 /* Skip any fractional seconds... */ 1571 /* Skip any fractional seconds... */
1713 if (*str == '.') 1572 if (*str == '.') {
1714 {
1715 str++; 1573 str++;
1716 while ((*str >= '0') && (*str <= '9')) str++; 1574 while ((*str >= '0') && (*str <= '9')) str++;
1717 }
1718
1719 } 1575 }
1576
1577 }
1720 *(p++)='Z'; 1578 *(p++)='Z';
1721 *(p++)='\0'; 1579 *(p++)='\0';
1722 1580
1723 if (*str == 'Z') 1581 if (*str == 'Z')
1724 offset=0; 1582 offset=0;
1725 else 1583 else {
1726 {
1727 if ((*str != '+') && (*str != '-')) 1584 if ((*str != '+') && (*str != '-'))
1728 return 0; 1585 return 0;
1729 offset=((str[1]-'0')*10+(str[2]-'0'))*60; 1586 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1730 offset+=(str[3]-'0')*10+(str[4]-'0'); 1587 offset+=(str[3]-'0')*10+(str[4]-'0');
1731 if (*str == '-') 1588 if (*str == '-')
1732 offset= -offset; 1589 offset= -offset;
1733 } 1590 }
1734 atm.type=ctm->type; 1591 atm.type=ctm->type;
1735 atm.flags = 0; 1592 atm.flags = 0;
1736 atm.length=sizeof(buff2); 1593 atm.length=sizeof(buff2);
@@ -1739,8 +1596,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1739 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) 1596 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
1740 return 0; 1597 return 0;
1741 1598
1742 if (ctm->type == V_ASN1_UTCTIME) 1599 if (ctm->type == V_ASN1_UTCTIME) {
1743 {
1744 i=(buff1[0]-'0')*10+(buff1[1]-'0'); 1600 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1745 if (i < 50) i+=100; /* cf. RFC 2459 */ 1601 if (i < 50) i+=100; /* cf. RFC 2459 */
1746 j=(buff2[0]-'0')*10+(buff2[1]-'0'); 1602 j=(buff2[0]-'0')*10+(buff2[1]-'0');
@@ -1748,13 +1604,13 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1748 1604
1749 if (i < j) return -1; 1605 if (i < j) return -1;
1750 if (i > j) return 1; 1606 if (i > j) return 1;
1751 } 1607 }
1752 i=strcmp(buff1,buff2); 1608 i=strcmp(buff1,buff2);
1753 if (i == 0) /* wait a second then return younger :-) */ 1609 if (i == 0) /* wait a second then return younger :-) */
1754 return -1; 1610 return -1;
1755 else 1611 else
1756 return i; 1612 return i;
1757 } 1613}
1758 1614
1759ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) 1615ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1760{ 1616{
@@ -1762,168 +1618,161 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1762} 1618}
1763 1619
1764ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) 1620ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1765 { 1621{
1766 return X509_time_adj_ex(s, 0, offset_sec, in_tm); 1622 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1767 } 1623}
1768 1624
1769ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, 1625ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1770 int offset_day, long offset_sec, time_t *in_tm) 1626 int offset_day, long offset_sec, time_t *in_tm)
1771 { 1627{
1772 time_t t; 1628 time_t t;
1773 1629
1774 if (in_tm) t = *in_tm; 1630 if (in_tm) t = *in_tm;
1775 else time(&t); 1631 else time(&t);
1776 1632
1777 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) 1633 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
1778 {
1779 if (s->type == V_ASN1_UTCTIME) 1634 if (s->type == V_ASN1_UTCTIME)
1780 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); 1635 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1781 if (s->type == V_ASN1_GENERALIZEDTIME) 1636 if (s->type == V_ASN1_GENERALIZEDTIME)
1782 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, 1637 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1783 offset_sec); 1638 offset_sec);
1784 }
1785 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1786 } 1639 }
1640 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1641}
1787 1642
1788int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 1643int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1789 { 1644{
1790 EVP_PKEY *ktmp=NULL,*ktmp2; 1645 EVP_PKEY *ktmp=NULL,*ktmp2;
1791 int i,j; 1646 int i,j;
1792 1647
1793 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; 1648 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1794 1649
1795 for (i=0; i<sk_X509_num(chain); i++) 1650 for (i=0; i<sk_X509_num(chain); i++) {
1796 {
1797 ktmp=X509_get_pubkey(sk_X509_value(chain,i)); 1651 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1798 if (ktmp == NULL) 1652 if (ktmp == NULL) {
1799 {
1800 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 1653 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1801 return 0; 1654 return 0;
1802 } 1655 }
1803 if (!EVP_PKEY_missing_parameters(ktmp)) 1656 if (!EVP_PKEY_missing_parameters(ktmp))
1804 break; 1657 break;
1805 else 1658 else {
1806 {
1807 EVP_PKEY_free(ktmp); 1659 EVP_PKEY_free(ktmp);
1808 ktmp=NULL; 1660 ktmp=NULL;
1809 }
1810 } 1661 }
1811 if (ktmp == NULL) 1662 }
1812 { 1663 if (ktmp == NULL) {
1813 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 1664 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1814 return 0; 1665 return 0;
1815 } 1666 }
1816 1667
1817 /* first, populate the other certs */ 1668 /* first, populate the other certs */
1818 for (j=i-1; j >= 0; j--) 1669 for (j=i-1; j >= 0; j--) {
1819 {
1820 ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); 1670 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1821 EVP_PKEY_copy_parameters(ktmp2,ktmp); 1671 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1822 EVP_PKEY_free(ktmp2); 1672 EVP_PKEY_free(ktmp2);
1823 } 1673 }
1824 1674
1825 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); 1675 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1826 EVP_PKEY_free(ktmp); 1676 EVP_PKEY_free(ktmp);
1827 return 1; 1677 return 1;
1828 } 1678}
1829 1679
1830int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1680int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1831 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 1681 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1832 { 1682{
1833 /* This function is (usually) called only once, by 1683 /* This function is (usually) called only once, by
1834 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 1684 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1835 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, 1685 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1836 new_func, dup_func, free_func); 1686 new_func, dup_func, free_func);
1837 } 1687}
1838 1688
1839int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 1689int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1840 { 1690{
1841 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); 1691 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1842 } 1692}
1843 1693
1844void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 1694void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1845 { 1695{
1846 return CRYPTO_get_ex_data(&ctx->ex_data,idx); 1696 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1847 } 1697}
1848 1698
1849int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 1699int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1850 { 1700{
1851 return ctx->error; 1701 return ctx->error;
1852 } 1702}
1853 1703
1854void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 1704void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1855 { 1705{
1856 ctx->error=err; 1706 ctx->error=err;
1857 } 1707}
1858 1708
1859int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 1709int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1860 { 1710{
1861 return ctx->error_depth; 1711 return ctx->error_depth;
1862 } 1712}
1863 1713
1864X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 1714X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1865 { 1715{
1866 return ctx->current_cert; 1716 return ctx->current_cert;
1867 } 1717}
1868 1718
1869STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) 1719STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1870 { 1720{
1871 return ctx->chain; 1721 return ctx->chain;
1872 } 1722}
1873 1723
1874STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) 1724STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1875 { 1725{
1876 int i; 1726 int i;
1877 X509 *x; 1727 X509 *x;
1878 STACK_OF(X509) *chain; 1728 STACK_OF(X509) *chain;
1879 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; 1729 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1880 for (i = 0; i < sk_X509_num(chain); i++) 1730 for (i = 0; i < sk_X509_num(chain); i++) {
1881 {
1882 x = sk_X509_value(chain, i); 1731 x = sk_X509_value(chain, i);
1883 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1732 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1884 }
1885 return chain;
1886 } 1733 }
1734 return chain;
1735}
1887 1736
1888X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 1737X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1889 { 1738{
1890 return ctx->current_issuer; 1739 return ctx->current_issuer;
1891 } 1740}
1892 1741
1893X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 1742X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1894 { 1743{
1895 return ctx->current_crl; 1744 return ctx->current_crl;
1896 } 1745}
1897 1746
1898X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 1747X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1899 { 1748{
1900 return ctx->parent; 1749 return ctx->parent;
1901 } 1750}
1902 1751
1903void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 1752void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1904 { 1753{
1905 ctx->cert=x; 1754 ctx->cert=x;
1906 } 1755}
1907 1756
1908void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 1757void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1909 { 1758{
1910 ctx->untrusted=sk; 1759 ctx->untrusted=sk;
1911 } 1760}
1912 1761
1913void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 1762void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1914 { 1763{
1915 ctx->crls=sk; 1764 ctx->crls=sk;
1916 } 1765}
1917 1766
1918int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 1767int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1919 { 1768{
1920 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 1769 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1921 } 1770}
1922 1771
1923int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) 1772int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1924 { 1773{
1925 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); 1774 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1926 } 1775}
1927 1776
1928/* This function is used to set the X509_STORE_CTX purpose and trust 1777/* This function is used to set the X509_STORE_CTX purpose and trust
1929 * values. This is intended to be used when another structure has its 1778 * values. This is intended to be used when another structure has its
@@ -1942,41 +1791,35 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1942 /* If purpose not set use default */ 1791 /* If purpose not set use default */
1943 if (!purpose) purpose = def_purpose; 1792 if (!purpose) purpose = def_purpose;
1944 /* If we have a purpose then check it is valid */ 1793 /* If we have a purpose then check it is valid */
1945 if (purpose) 1794 if (purpose) {
1946 {
1947 X509_PURPOSE *ptmp; 1795 X509_PURPOSE *ptmp;
1948 idx = X509_PURPOSE_get_by_id(purpose); 1796 idx = X509_PURPOSE_get_by_id(purpose);
1949 if (idx == -1) 1797 if (idx == -1) {
1950 {
1951 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1798 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1952 X509_R_UNKNOWN_PURPOSE_ID); 1799 X509_R_UNKNOWN_PURPOSE_ID);
1953 return 0; 1800 return 0;
1954 } 1801 }
1955 ptmp = X509_PURPOSE_get0(idx); 1802 ptmp = X509_PURPOSE_get0(idx);
1956 if (ptmp->trust == X509_TRUST_DEFAULT) 1803 if (ptmp->trust == X509_TRUST_DEFAULT) {
1957 {
1958 idx = X509_PURPOSE_get_by_id(def_purpose); 1804 idx = X509_PURPOSE_get_by_id(def_purpose);
1959 if (idx == -1) 1805 if (idx == -1) {
1960 {
1961 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1806 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1962 X509_R_UNKNOWN_PURPOSE_ID); 1807 X509_R_UNKNOWN_PURPOSE_ID);
1963 return 0; 1808 return 0;
1964 }
1965 ptmp = X509_PURPOSE_get0(idx);
1966 } 1809 }
1810 ptmp = X509_PURPOSE_get0(idx);
1811 }
1967 /* If trust not set then get from purpose default */ 1812 /* If trust not set then get from purpose default */
1968 if (!trust) trust = ptmp->trust; 1813 if (!trust) trust = ptmp->trust;
1969 } 1814 }
1970 if (trust) 1815 if (trust) {
1971 {
1972 idx = X509_TRUST_get_by_id(trust); 1816 idx = X509_TRUST_get_by_id(trust);
1973 if (idx == -1) 1817 if (idx == -1) {
1974 {
1975 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1818 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1976 X509_R_UNKNOWN_TRUST_ID); 1819 X509_R_UNKNOWN_TRUST_ID);
1977 return 0; 1820 return 0;
1978 }
1979 } 1821 }
1822 }
1980 1823
1981 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; 1824 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1982 if (trust && !ctx->param->trust) ctx->param->trust = trust; 1825 if (trust && !ctx->param->trust) ctx->param->trust = trust;
@@ -1987,11 +1830,10 @@ X509_STORE_CTX *X509_STORE_CTX_new(void)
1987{ 1830{
1988 X509_STORE_CTX *ctx; 1831 X509_STORE_CTX *ctx;
1989 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); 1832 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
1990 if (!ctx) 1833 if (!ctx) {
1991 {
1992 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); 1834 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1993 return NULL; 1835 return NULL;
1994 } 1836 }
1995 memset(ctx, 0, sizeof(X509_STORE_CTX)); 1837 memset(ctx, 0, sizeof(X509_STORE_CTX));
1996 return ctx; 1838 return ctx;
1997} 1839}
@@ -2004,7 +1846,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2004 1846
2005int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 1847int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2006 STACK_OF(X509) *chain) 1848 STACK_OF(X509) *chain)
2007 { 1849{
2008 int ret = 1; 1850 int ret = 1;
2009 ctx->ctx=store; 1851 ctx->ctx=store;
2010 ctx->current_method=0; 1852 ctx->current_method=0;
@@ -2028,11 +1870,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2028 1870
2029 ctx->param = X509_VERIFY_PARAM_new(); 1871 ctx->param = X509_VERIFY_PARAM_new();
2030 1872
2031 if (!ctx->param) 1873 if (!ctx->param) {
2032 {
2033 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1874 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2034 return 0; 1875 return 0;
2035 } 1876 }
2036 1877
2037 /* Inherit callbacks and flags from X509_STORE if not set 1878 /* Inherit callbacks and flags from X509_STORE if not set
2038 * use defaults. 1879 * use defaults.
@@ -2044,23 +1885,20 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2044 else 1885 else
2045 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; 1886 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2046 1887
2047 if (store) 1888 if (store) {
2048 {
2049 ctx->verify_cb = store->verify_cb; 1889 ctx->verify_cb = store->verify_cb;
2050 ctx->cleanup = store->cleanup; 1890 ctx->cleanup = store->cleanup;
2051 } 1891 } else
2052 else
2053 ctx->cleanup = 0; 1892 ctx->cleanup = 0;
2054 1893
2055 if (ret) 1894 if (ret)
2056 ret = X509_VERIFY_PARAM_inherit(ctx->param, 1895 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2057 X509_VERIFY_PARAM_lookup("default")); 1896 X509_VERIFY_PARAM_lookup("default"));
2058 1897
2059 if (ret == 0) 1898 if (ret == 0) {
2060 {
2061 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1899 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2062 return 0; 1900 return 0;
2063 } 1901 }
2064 1902
2065 if (store && store->check_issued) 1903 if (store && store->check_issued)
2066 ctx->check_issued = store->check_issued; 1904 ctx->check_issued = store->check_issued;
@@ -2120,14 +1958,13 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2120 * corresponding "new" here and remove this bogus initialisation. */ 1958 * corresponding "new" here and remove this bogus initialisation. */
2121 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ 1959 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2122 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 1960 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2123 &(ctx->ex_data))) 1961 &(ctx->ex_data))) {
2124 {
2125 free(ctx); 1962 free(ctx);
2126 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1963 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2127 return 0; 1964 return 0;
2128 }
2129 return 1;
2130 } 1965 }
1966 return 1;
1967}
2131 1968
2132/* Set alternative lookup method: just a STACK of trusted certificates. 1969/* Set alternative lookup method: just a STACK of trusted certificates.
2133 * This avoids X509_STORE nastiness where it isn't needed. 1970 * This avoids X509_STORE nastiness where it isn't needed.
@@ -2140,79 +1977,76 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2140} 1977}
2141 1978
2142void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 1979void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2143 { 1980{
2144 if (ctx->cleanup) ctx->cleanup(ctx); 1981 if (ctx->cleanup) ctx->cleanup(ctx);
2145 if (ctx->param != NULL) 1982 if (ctx->param != NULL) {
2146 {
2147 if (ctx->parent == NULL) 1983 if (ctx->parent == NULL)
2148 X509_VERIFY_PARAM_free(ctx->param); 1984 X509_VERIFY_PARAM_free(ctx->param);
2149 ctx->param=NULL; 1985 ctx->param=NULL;
2150 } 1986 }
2151 if (ctx->tree != NULL) 1987 if (ctx->tree != NULL) {
2152 {
2153 X509_policy_tree_free(ctx->tree); 1988 X509_policy_tree_free(ctx->tree);
2154 ctx->tree=NULL; 1989 ctx->tree=NULL;
2155 } 1990 }
2156 if (ctx->chain != NULL) 1991 if (ctx->chain != NULL) {
2157 {
2158 sk_X509_pop_free(ctx->chain,X509_free); 1992 sk_X509_pop_free(ctx->chain,X509_free);
2159 ctx->chain=NULL; 1993 ctx->chain=NULL;
2160 } 1994 }
2161 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); 1995 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2162 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); 1996 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2163 } 1997}
2164 1998
2165void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 1999void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2166 { 2000{
2167 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2001 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2168 } 2002}
2169 2003
2170void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2004void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2171 { 2005{
2172 X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2006 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2173 } 2007}
2174 2008
2175void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2009void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2176 { 2010{
2177 X509_VERIFY_PARAM_set_time(ctx->param, t); 2011 X509_VERIFY_PARAM_set_time(ctx->param, t);
2178 } 2012}
2179 2013
2180void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2014void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2181 int (*verify_cb)(int, X509_STORE_CTX *)) 2015 int (*verify_cb)(int, X509_STORE_CTX *))
2182 { 2016{
2183 ctx->verify_cb=verify_cb; 2017 ctx->verify_cb=verify_cb;
2184 } 2018}
2185 2019
2186X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) 2020X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2187 { 2021{
2188 return ctx->tree; 2022 return ctx->tree;
2189 } 2023}
2190 2024
2191int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) 2025int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2192 { 2026{
2193 return ctx->explicit_policy; 2027 return ctx->explicit_policy;
2194 } 2028}
2195 2029
2196int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2030int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2197 { 2031{
2198 const X509_VERIFY_PARAM *param; 2032 const X509_VERIFY_PARAM *param;
2199 param = X509_VERIFY_PARAM_lookup(name); 2033 param = X509_VERIFY_PARAM_lookup(name);
2200 if (!param) 2034 if (!param)
2201 return 0; 2035 return 0;
2202 return X509_VERIFY_PARAM_inherit(ctx->param, param); 2036 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2203 } 2037}
2204 2038
2205X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2039X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2206 { 2040{
2207 return ctx->param; 2041 return ctx->param;
2208 } 2042}
2209 2043
2210void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2044void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2211 { 2045{
2212 if (ctx->param) 2046 if (ctx->param)
2213 X509_VERIFY_PARAM_free(ctx->param); 2047 X509_VERIFY_PARAM_free(ctx->param);
2214 ctx->param = param; 2048 ctx->param = param;
2215 } 2049}
2216 2050
2217IMPLEMENT_STACK_OF(X509) 2051IMPLEMENT_STACK_OF(X509)
2218IMPLEMENT_ASN1_SET_OF(X509) 2052IMPLEMENT_ASN1_SET_OF(X509)
diff --git a/src/lib/libssl/src/crypto/x509/x509_vpm.c b/src/lib/libssl/src/crypto/x509/x509_vpm.c
index 5e3eba4029..7f0824f75e 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vpm.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vpm.c
@@ -68,7 +68,7 @@
68/* X509_VERIFY_PARAM functions */ 68/* X509_VERIFY_PARAM functions */
69 69
70static void x509_verify_param_zero(X509_VERIFY_PARAM *param) 70static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
71 { 71{
72 if (!param) 72 if (!param)
73 return; 73 return;
74 param->name = NULL; 74 param->name = NULL;
@@ -78,27 +78,26 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
78 param->inh_flags = 0; 78 param->inh_flags = 0;
79 param->flags = 0; 79 param->flags = 0;
80 param->depth = -1; 80 param->depth = -1;
81 if (param->policies) 81 if (param->policies) {
82 {
83 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 82 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
84 param->policies = NULL; 83 param->policies = NULL;
85 }
86 } 84 }
85}
87 86
88X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) 87X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
89 { 88{
90 X509_VERIFY_PARAM *param; 89 X509_VERIFY_PARAM *param;
91 param = malloc(sizeof(X509_VERIFY_PARAM)); 90 param = malloc(sizeof(X509_VERIFY_PARAM));
92 memset(param, 0, sizeof(X509_VERIFY_PARAM)); 91 memset(param, 0, sizeof(X509_VERIFY_PARAM));
93 x509_verify_param_zero(param); 92 x509_verify_param_zero(param);
94 return param; 93 return param;
95 } 94}
96 95
97void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) 96void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
98 { 97{
99 x509_verify_param_zero(param); 98 x509_verify_param_zero(param);
100 free(param); 99 free(param);
101 } 100}
102 101
103/* This function determines how parameters are "inherited" from one structure 102/* This function determines how parameters are "inherited" from one structure
104 * to another. There are several different ways this can happen. 103 * to another. There are several different ways this can happen.
@@ -146,7 +145,7 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
146 145
147int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, 146int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
148 const X509_VERIFY_PARAM *src) 147 const X509_VERIFY_PARAM *src)
149 { 148{
150 unsigned long inh_flags; 149 unsigned long inh_flags;
151 int to_default, to_overwrite; 150 int to_default, to_overwrite;
152 if (!src) 151 if (!src)
@@ -175,104 +174,101 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
175 174
176 /* If overwrite or check time not set, copy across */ 175 /* If overwrite or check time not set, copy across */
177 176
178 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) 177 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
179 {
180 dest->check_time = src->check_time; 178 dest->check_time = src->check_time;
181 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME; 179 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
182 /* Don't need to copy flag: that is done below */ 180 /* Don't need to copy flag: that is done below */
183 } 181 }
184 182
185 if (inh_flags & X509_VP_FLAG_RESET_FLAGS) 183 if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
186 dest->flags = 0; 184 dest->flags = 0;
187 185
188 dest->flags |= src->flags; 186 dest->flags |= src->flags;
189 187
190 if (test_x509_verify_param_copy(policies, NULL)) 188 if (test_x509_verify_param_copy(policies, NULL)) {
191 {
192 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) 189 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
193 return 0; 190 return 0;
194 } 191 }
195 192
196 return 1; 193 return 1;
197 } 194}
198 195
199int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 196int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
200 const X509_VERIFY_PARAM *from) 197 const X509_VERIFY_PARAM *from)
201 { 198{
202 unsigned long save_flags = to->inh_flags; 199 unsigned long save_flags = to->inh_flags;
203 int ret; 200 int ret;
204 to->inh_flags |= X509_VP_FLAG_DEFAULT; 201 to->inh_flags |= X509_VP_FLAG_DEFAULT;
205 ret = X509_VERIFY_PARAM_inherit(to, from); 202 ret = X509_VERIFY_PARAM_inherit(to, from);
206 to->inh_flags = save_flags; 203 to->inh_flags = save_flags;
207 return ret; 204 return ret;
208 } 205}
209 206
210int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) 207int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
211 { 208{
212 if (param->name) 209 if (param->name)
213 free(param->name); 210 free(param->name);
214 param->name = BUF_strdup(name); 211 param->name = BUF_strdup(name);
215 if (param->name) 212 if (param->name)
216 return 1; 213 return 1;
217 return 0; 214 return 0;
218 } 215}
219 216
220int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) 217int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
221 { 218{
222 param->flags |= flags; 219 param->flags |= flags;
223 if (flags & X509_V_FLAG_POLICY_MASK) 220 if (flags & X509_V_FLAG_POLICY_MASK)
224 param->flags |= X509_V_FLAG_POLICY_CHECK; 221 param->flags |= X509_V_FLAG_POLICY_CHECK;
225 return 1; 222 return 1;
226 } 223}
227 224
228int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) 225int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
229 { 226{
230 param->flags &= ~flags; 227 param->flags &= ~flags;
231 return 1; 228 return 1;
232 } 229}
233 230
234unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) 231unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
235 { 232{
236 return param->flags; 233 return param->flags;
237 } 234}
238 235
239int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) 236int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
240 { 237{
241 return X509_PURPOSE_set(&param->purpose, purpose); 238 return X509_PURPOSE_set(&param->purpose, purpose);
242 } 239}
243 240
244int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) 241int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
245 { 242{
246 return X509_TRUST_set(&param->trust, trust); 243 return X509_TRUST_set(&param->trust, trust);
247 } 244}
248 245
249void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) 246void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
250 { 247{
251 param->depth = depth; 248 param->depth = depth;
252 } 249}
253 250
254void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) 251void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
255 { 252{
256 param->check_time = t; 253 param->check_time = t;
257 param->flags |= X509_V_FLAG_USE_CHECK_TIME; 254 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
258 } 255}
259 256
260int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) 257int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
261 { 258{
262 if (!param->policies) 259 if (!param->policies) {
263 {
264 param->policies = sk_ASN1_OBJECT_new_null(); 260 param->policies = sk_ASN1_OBJECT_new_null();
265 if (!param->policies) 261 if (!param->policies)
266 return 0; 262 return 0;
267 } 263 }
268 if (!sk_ASN1_OBJECT_push(param->policies, policy)) 264 if (!sk_ASN1_OBJECT_push(param->policies, policy))
269 return 0; 265 return 0;
270 return 1; 266 return 1;
271 } 267}
272 268
273int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 269int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
274 STACK_OF(ASN1_OBJECT) *policies) 270 STACK_OF(ASN1_OBJECT) *policies)
275 { 271{
276 int i; 272 int i;
277 ASN1_OBJECT *oid, *doid; 273 ASN1_OBJECT *oid, *doid;
278 if (!param) 274 if (!param)
@@ -280,36 +276,33 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
280 if (param->policies) 276 if (param->policies)
281 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 277 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
282 278
283 if (!policies) 279 if (!policies) {
284 {
285 param->policies = NULL; 280 param->policies = NULL;
286 return 1; 281 return 1;
287 } 282 }
288 283
289 param->policies = sk_ASN1_OBJECT_new_null(); 284 param->policies = sk_ASN1_OBJECT_new_null();
290 if (!param->policies) 285 if (!param->policies)
291 return 0; 286 return 0;
292 287
293 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) 288 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
294 {
295 oid = sk_ASN1_OBJECT_value(policies, i); 289 oid = sk_ASN1_OBJECT_value(policies, i);
296 doid = OBJ_dup(oid); 290 doid = OBJ_dup(oid);
297 if (!doid) 291 if (!doid)
298 return 0; 292 return 0;
299 if (!sk_ASN1_OBJECT_push(param->policies, doid)) 293 if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
300 {
301 ASN1_OBJECT_free(doid); 294 ASN1_OBJECT_free(doid);
302 return 0; 295 return 0;
303 }
304 } 296 }
297 }
305 param->flags |= X509_V_FLAG_POLICY_CHECK; 298 param->flags |= X509_V_FLAG_POLICY_CHECK;
306 return 1; 299 return 1;
307 } 300}
308 301
309int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) 302int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
310 { 303{
311 return param->depth; 304 return param->depth;
312 } 305}
313 306
314/* Default verify parameters: these are used for various 307/* Default verify parameters: these are used for various
315 * applications and can be overridden by the user specified table. 308 * applications and can be overridden by the user specified table.
@@ -367,15 +360,16 @@ static const X509_VERIFY_PARAM default_table[] = {
367 X509_TRUST_SSL_SERVER, /* trust */ 360 X509_TRUST_SSL_SERVER, /* trust */
368 -1, /* depth */ 361 -1, /* depth */
369 NULL /* policies */ 362 NULL /* policies */
370 }}; 363 }
364};
371 365
372static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; 366static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
373 367
374static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) 368static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
375 369
376 { 370{
377 return strcmp(a->name, b->name); 371 return strcmp(a->name, b->name);
378 } 372}
379 373
380DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, 374DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
381 table); 375 table);
@@ -384,55 +378,50 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
384 378
385static int param_cmp(const X509_VERIFY_PARAM * const *a, 379static int param_cmp(const X509_VERIFY_PARAM * const *a,
386 const X509_VERIFY_PARAM * const *b) 380 const X509_VERIFY_PARAM * const *b)
387 { 381{
388 return strcmp((*a)->name, (*b)->name); 382 return strcmp((*a)->name, (*b)->name);
389 } 383}
390 384
391int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) 385int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
392 { 386{
393 int idx; 387 int idx;
394 X509_VERIFY_PARAM *ptmp; 388 X509_VERIFY_PARAM *ptmp;
395 if (!param_table) 389 if (!param_table) {
396 {
397 param_table = sk_X509_VERIFY_PARAM_new(param_cmp); 390 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
398 if (!param_table) 391 if (!param_table)
399 return 0; 392 return 0;
400 } 393 } else {
401 else
402 {
403 idx = sk_X509_VERIFY_PARAM_find(param_table, param); 394 idx = sk_X509_VERIFY_PARAM_find(param_table, param);
404 if (idx != -1) 395 if (idx != -1) {
405 {
406 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx); 396 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
407 X509_VERIFY_PARAM_free(ptmp); 397 X509_VERIFY_PARAM_free(ptmp);
408 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx); 398 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
409 }
410 } 399 }
400 }
411 if (!sk_X509_VERIFY_PARAM_push(param_table, param)) 401 if (!sk_X509_VERIFY_PARAM_push(param_table, param))
412 return 0; 402 return 0;
413 return 1; 403 return 1;
414 } 404}
415 405
416const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) 406const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
417 { 407{
418 int idx; 408 int idx;
419 X509_VERIFY_PARAM pm; 409 X509_VERIFY_PARAM pm;
420 410
421 pm.name = (char *)name; 411 pm.name = (char *)name;
422 if (param_table) 412 if (param_table) {
423 {
424 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm); 413 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
425 if (idx != -1) 414 if (idx != -1)
426 return sk_X509_VERIFY_PARAM_value(param_table, idx); 415 return sk_X509_VERIFY_PARAM_value(param_table, idx);
427 } 416 }
428 return OBJ_bsearch_table(&pm, default_table, 417 return OBJ_bsearch_table(&pm, default_table,
429 sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); 418 sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
430 } 419}
431 420
432void X509_VERIFY_PARAM_table_cleanup(void) 421void X509_VERIFY_PARAM_table_cleanup(void)
433 { 422{
434 if (param_table) 423 if (param_table)
435 sk_X509_VERIFY_PARAM_pop_free(param_table, 424 sk_X509_VERIFY_PARAM_pop_free(param_table,
436 X509_VERIFY_PARAM_free); 425 X509_VERIFY_PARAM_free);
437 param_table = NULL; 426 param_table = NULL;
438 } 427}
diff --git a/src/lib/libssl/src/crypto/x509/x509cset.c b/src/lib/libssl/src/crypto/x509/x509cset.c
index 3109defb0b..bb39cf4e04 100644
--- a/src/lib/libssl/src/crypto/x509/x509cset.c
+++ b/src/lib/libssl/src/crypto/x509/x509cset.c
@@ -64,107 +64,97 @@
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int X509_CRL_set_version(X509_CRL *x, long version) 66int X509_CRL_set_version(X509_CRL *x, long version)
67 { 67{
68 if (x == NULL) return(0); 68 if (x == NULL) return(0);
69 if (x->crl->version == NULL) 69 if (x->crl->version == NULL) {
70 {
71 if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL) 70 if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0); 71 return(0);
73 }
74 return(ASN1_INTEGER_set(x->crl->version,version));
75 } 72 }
73 return(ASN1_INTEGER_set(x->crl->version,version));
74}
76 75
77int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) 76int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
78 { 77{
79 if ((x == NULL) || (x->crl == NULL)) return(0); 78 if ((x == NULL) || (x->crl == NULL)) return(0);
80 return(X509_NAME_set(&x->crl->issuer,name)); 79 return(X509_NAME_set(&x->crl->issuer,name));
81 } 80}
82 81
83 82
84int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) 83int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
85 { 84{
86 ASN1_TIME *in; 85 ASN1_TIME *in;
87 86
88 if (x == NULL) return(0); 87 if (x == NULL) return(0);
89 in=x->crl->lastUpdate; 88 in=x->crl->lastUpdate;
90 if (in != tm) 89 if (in != tm) {
91 {
92 in=M_ASN1_TIME_dup(tm); 90 in=M_ASN1_TIME_dup(tm);
93 if (in != NULL) 91 if (in != NULL) {
94 {
95 M_ASN1_TIME_free(x->crl->lastUpdate); 92 M_ASN1_TIME_free(x->crl->lastUpdate);
96 x->crl->lastUpdate=in; 93 x->crl->lastUpdate=in;
97 }
98 } 94 }
99 return(in != NULL);
100 } 95 }
96 return(in != NULL);
97}
101 98
102int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) 99int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
103 { 100{
104 ASN1_TIME *in; 101 ASN1_TIME *in;
105 102
106 if (x == NULL) return(0); 103 if (x == NULL) return(0);
107 in=x->crl->nextUpdate; 104 in=x->crl->nextUpdate;
108 if (in != tm) 105 if (in != tm) {
109 {
110 in=M_ASN1_TIME_dup(tm); 106 in=M_ASN1_TIME_dup(tm);
111 if (in != NULL) 107 if (in != NULL) {
112 {
113 M_ASN1_TIME_free(x->crl->nextUpdate); 108 M_ASN1_TIME_free(x->crl->nextUpdate);
114 x->crl->nextUpdate=in; 109 x->crl->nextUpdate=in;
115 }
116 } 110 }
117 return(in != NULL);
118 } 111 }
112 return(in != NULL);
113}
119 114
120int X509_CRL_sort(X509_CRL *c) 115int X509_CRL_sort(X509_CRL *c)
121 { 116{
122 int i; 117 int i;
123 X509_REVOKED *r; 118 X509_REVOKED *r;
124 /* sort the data so it will be written in serial 119 /* sort the data so it will be written in serial
125 * number order */ 120 * number order */
126 sk_X509_REVOKED_sort(c->crl->revoked); 121 sk_X509_REVOKED_sort(c->crl->revoked);
127 for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++) 122 for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++) {
128 {
129 r=sk_X509_REVOKED_value(c->crl->revoked,i); 123 r=sk_X509_REVOKED_value(c->crl->revoked,i);
130 r->sequence=i; 124 r->sequence=i;
131 } 125 }
132 c->crl->enc.modified = 1; 126 c->crl->enc.modified = 1;
133 return 1; 127 return 1;
134 } 128}
135 129
136int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) 130int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
137 { 131{
138 ASN1_TIME *in; 132 ASN1_TIME *in;
139 133
140 if (x == NULL) return(0); 134 if (x == NULL) return(0);
141 in=x->revocationDate; 135 in=x->revocationDate;
142 if (in != tm) 136 if (in != tm) {
143 {
144 in=M_ASN1_TIME_dup(tm); 137 in=M_ASN1_TIME_dup(tm);
145 if (in != NULL) 138 if (in != NULL) {
146 {
147 M_ASN1_TIME_free(x->revocationDate); 139 M_ASN1_TIME_free(x->revocationDate);
148 x->revocationDate=in; 140 x->revocationDate=in;
149 }
150 } 141 }
151 return(in != NULL);
152 } 142 }
143 return(in != NULL);
144}
153 145
154int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) 146int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
155 { 147{
156 ASN1_INTEGER *in; 148 ASN1_INTEGER *in;
157 149
158 if (x == NULL) return(0); 150 if (x == NULL) return(0);
159 in=x->serialNumber; 151 in=x->serialNumber;
160 if (in != serial) 152 if (in != serial) {
161 {
162 in=M_ASN1_INTEGER_dup(serial); 153 in=M_ASN1_INTEGER_dup(serial);
163 if (in != NULL) 154 if (in != NULL) {
164 {
165 M_ASN1_INTEGER_free(x->serialNumber); 155 M_ASN1_INTEGER_free(x->serialNumber);
166 x->serialNumber=in; 156 x->serialNumber=in;
167 }
168 } 157 }
169 return(in != NULL);
170 } 158 }
159 return(in != NULL);
160}
diff --git a/src/lib/libssl/src/crypto/x509/x509name.c b/src/lib/libssl/src/crypto/x509/x509name.c
index 27bc4dc9a3..729fb060f8 100644
--- a/src/lib/libssl/src/crypto/x509/x509name.c
+++ b/src/lib/libssl/src/crypto/x509/x509name.c
@@ -65,17 +65,17 @@
65#include <openssl/x509.h> 65#include <openssl/x509.h>
66 66
67int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) 67int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
68 { 68{
69 ASN1_OBJECT *obj; 69 ASN1_OBJECT *obj;
70 70
71 obj=OBJ_nid2obj(nid); 71 obj=OBJ_nid2obj(nid);
72 if (obj == NULL) return(-1); 72 if (obj == NULL) return(-1);
73 return(X509_NAME_get_text_by_OBJ(name,obj,buf,len)); 73 return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
74 } 74}
75 75
76int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, 76int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
77 int len) 77 int len)
78 { 78{
79 int i; 79 int i;
80 ASN1_STRING *data; 80 ASN1_STRING *data;
81 81
@@ -87,27 +87,27 @@ int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
87 memcpy(buf,data->data,i); 87 memcpy(buf,data->data,i);
88 buf[i]='\0'; 88 buf[i]='\0';
89 return(i); 89 return(i);
90 } 90}
91 91
92int X509_NAME_entry_count(X509_NAME *name) 92int X509_NAME_entry_count(X509_NAME *name)
93 { 93{
94 if (name == NULL) return(0); 94 if (name == NULL) return(0);
95 return(sk_X509_NAME_ENTRY_num(name->entries)); 95 return(sk_X509_NAME_ENTRY_num(name->entries));
96 } 96}
97 97
98int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos) 98int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
99 { 99{
100 ASN1_OBJECT *obj; 100 ASN1_OBJECT *obj;
101 101
102 obj=OBJ_nid2obj(nid); 102 obj=OBJ_nid2obj(nid);
103 if (obj == NULL) return(-2); 103 if (obj == NULL) return(-2);
104 return(X509_NAME_get_index_by_OBJ(name,obj,lastpos)); 104 return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
105 } 105}
106 106
107/* NOTE: you should be passsing -1, not 0 as lastpos */ 107/* NOTE: you should be passsing -1, not 0 as lastpos */
108int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, 108int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
109 int lastpos) 109 int lastpos)
110 { 110{
111 int n; 111 int n;
112 X509_NAME_ENTRY *ne; 112 X509_NAME_ENTRY *ne;
113 STACK_OF(X509_NAME_ENTRY) *sk; 113 STACK_OF(X509_NAME_ENTRY) *sk;
@@ -117,26 +117,25 @@ int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
117 lastpos= -1; 117 lastpos= -1;
118 sk=name->entries; 118 sk=name->entries;
119 n=sk_X509_NAME_ENTRY_num(sk); 119 n=sk_X509_NAME_ENTRY_num(sk);
120 for (lastpos++; lastpos < n; lastpos++) 120 for (lastpos++; lastpos < n; lastpos++) {
121 {
122 ne=sk_X509_NAME_ENTRY_value(sk,lastpos); 121 ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
123 if (OBJ_cmp(ne->object,obj) == 0) 122 if (OBJ_cmp(ne->object,obj) == 0)
124 return(lastpos); 123 return(lastpos);
125 }
126 return(-1);
127 } 124 }
125 return(-1);
126}
128 127
129X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc) 128X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
130 { 129{
131 if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc 130 if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
132 || loc < 0) 131 || loc < 0)
133 return(NULL); 132 return(NULL);
134 else 133 else
135 return(sk_X509_NAME_ENTRY_value(name->entries,loc)); 134 return(sk_X509_NAME_ENTRY_value(name->entries,loc));
136 } 135}
137 136
138X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) 137X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
139 { 138{
140 X509_NAME_ENTRY *ret; 139 X509_NAME_ENTRY *ret;
141 int i,n,set_prev,set_next; 140 int i,n,set_prev,set_next;
142 STACK_OF(X509_NAME_ENTRY) *sk; 141 STACK_OF(X509_NAME_ENTRY) *sk;
@@ -169,7 +168,7 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
169 for (i=loc; i<n; i++) 168 for (i=loc; i<n; i++)
170 sk_X509_NAME_ENTRY_value(sk,i)->set--; 169 sk_X509_NAME_ENTRY_value(sk,i)->set--;
171 return(ret); 170 return(ret);
172 } 171}
173 172
174int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, 173int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
175 unsigned char *bytes, int len, int loc, int set) 174 unsigned char *bytes, int len, int loc, int set)
@@ -211,7 +210,7 @@ int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
211 * prepend to the guy we are about to stomp on. */ 210 * prepend to the guy we are about to stomp on. */
212int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, 211int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
213 int set) 212 int set)
214 { 213{
215 X509_NAME_ENTRY *new_name=NULL; 214 X509_NAME_ENTRY *new_name=NULL;
216 int n,i,inc; 215 int n,i,inc;
217 STACK_OF(X509_NAME_ENTRY) *sk; 216 STACK_OF(X509_NAME_ENTRY) *sk;
@@ -224,101 +223,87 @@ int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
224 223
225 name->modified=1; 224 name->modified=1;
226 225
227 if (set == -1) 226 if (set == -1) {
228 { 227 if (loc == 0) {
229 if (loc == 0)
230 {
231 set=0; 228 set=0;
232 inc=1; 229 inc=1;
233 } 230 } else {
234 else
235 {
236 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set; 231 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
237 inc=0; 232 inc=0;
238 }
239 } 233 }
240 else /* if (set >= 0) */ 234 } else /* if (set >= 0) */ {
241 { 235 if (loc >= n) {
242 if (loc >= n)
243 {
244 if (loc != 0) 236 if (loc != 0)
245 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1; 237 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
246 else 238 else
247 set=0; 239 set=0;
248 } 240 } else
249 else
250 set=sk_X509_NAME_ENTRY_value(sk,loc)->set; 241 set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
251 inc=(set == 0)?1:0; 242 inc=(set == 0)?1:0;
252 } 243 }
253 244
254 if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL) 245 if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
255 goto err; 246 goto err;
256 new_name->set=set; 247 new_name->set=set;
257 if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) 248 if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) {
258 {
259 X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE); 249 X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
260 goto err; 250 goto err;
261 } 251 }
262 if (inc) 252 if (inc) {
263 {
264 n=sk_X509_NAME_ENTRY_num(sk); 253 n=sk_X509_NAME_ENTRY_num(sk);
265 for (i=loc+1; i<n; i++) 254 for (i=loc+1; i<n; i++)
266 sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1; 255 sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
267 } 256 }
268 return(1); 257 return(1);
269err: 258err:
270 if (new_name != NULL) 259 if (new_name != NULL)
271 X509_NAME_ENTRY_free(new_name); 260 X509_NAME_ENTRY_free(new_name);
272 return(0); 261 return(0);
273 } 262}
274 263
275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, 264X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
276 const char *field, int type, const unsigned char *bytes, int len) 265 const char *field, int type, const unsigned char *bytes, int len)
277 { 266{
278 ASN1_OBJECT *obj; 267 ASN1_OBJECT *obj;
279 X509_NAME_ENTRY *nentry; 268 X509_NAME_ENTRY *nentry;
280 269
281 obj=OBJ_txt2obj(field, 0); 270 obj=OBJ_txt2obj(field, 0);
282 if (obj == NULL) 271 if (obj == NULL) {
283 {
284 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT, 272 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
285 X509_R_INVALID_FIELD_NAME); 273 X509_R_INVALID_FIELD_NAME);
286 ERR_add_error_data(2, "name=", field); 274 ERR_add_error_data(2, "name=", field);
287 return(NULL); 275 return(NULL);
288 } 276 }
289 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len); 277 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
290 ASN1_OBJECT_free(obj); 278 ASN1_OBJECT_free(obj);
291 return nentry; 279 return nentry;
292 } 280}
293 281
294X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, 282X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
295 int type, unsigned char *bytes, int len) 283 int type, unsigned char *bytes, int len)
296 { 284{
297 ASN1_OBJECT *obj; 285 ASN1_OBJECT *obj;
298 X509_NAME_ENTRY *nentry; 286 X509_NAME_ENTRY *nentry;
299 287
300 obj=OBJ_nid2obj(nid); 288 obj=OBJ_nid2obj(nid);
301 if (obj == NULL) 289 if (obj == NULL) {
302 {
303 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID); 290 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
304 return(NULL); 291 return(NULL);
305 } 292 }
306 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len); 293 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
307 ASN1_OBJECT_free(obj); 294 ASN1_OBJECT_free(obj);
308 return nentry; 295 return nentry;
309 } 296}
310 297
311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, 298X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
312 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) 299 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
313 { 300{
314 X509_NAME_ENTRY *ret; 301 X509_NAME_ENTRY *ret;
315 302
316 if ((ne == NULL) || (*ne == NULL)) 303 if ((ne == NULL) || (*ne == NULL)) {
317 {
318 if ((ret=X509_NAME_ENTRY_new()) == NULL) 304 if ((ret=X509_NAME_ENTRY_new()) == NULL)
319 return(NULL); 305 return(NULL);
320 } 306 } else
321 else
322 ret= *ne; 307 ret= *ne;
323 308
324 if (!X509_NAME_ENTRY_set_object(ret,obj)) 309 if (!X509_NAME_ENTRY_set_object(ret,obj))
@@ -332,23 +317,22 @@ err:
332 if ((ne == NULL) || (ret != *ne)) 317 if ((ne == NULL) || (ret != *ne))
333 X509_NAME_ENTRY_free(ret); 318 X509_NAME_ENTRY_free(ret);
334 return(NULL); 319 return(NULL);
335 } 320}
336 321
337int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj) 322int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
338 { 323{
339 if ((ne == NULL) || (obj == NULL)) 324 if ((ne == NULL) || (obj == NULL)) {
340 {
341 X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER); 325 X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
342 return(0); 326 return(0);
343 } 327 }
344 ASN1_OBJECT_free(ne->object); 328 ASN1_OBJECT_free(ne->object);
345 ne->object=OBJ_dup(obj); 329 ne->object=OBJ_dup(obj);
346 return((ne->object == NULL)?0:1); 330 return((ne->object == NULL)?0:1);
347 } 331}
348 332
349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 333int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
350 const unsigned char *bytes, int len) 334 const unsigned char *bytes, int len)
351 { 335{
352 int i; 336 int i;
353 337
354 if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0); 338 if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
@@ -359,25 +343,24 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
359 if (len < 0) len=strlen((const char *)bytes); 343 if (len < 0) len=strlen((const char *)bytes);
360 i=ASN1_STRING_set(ne->value,bytes,len); 344 i=ASN1_STRING_set(ne->value,bytes,len);
361 if (!i) return(0); 345 if (!i) return(0);
362 if (type != V_ASN1_UNDEF) 346 if (type != V_ASN1_UNDEF) {
363 {
364 if (type == V_ASN1_APP_CHOOSE) 347 if (type == V_ASN1_APP_CHOOSE)
365 ne->value->type=ASN1_PRINTABLE_type(bytes,len); 348 ne->value->type=ASN1_PRINTABLE_type(bytes,len);
366 else 349 else
367 ne->value->type=type; 350 ne->value->type=type;
368 }
369 return(1);
370 } 351 }
352 return(1);
353}
371 354
372ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne) 355ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
373 { 356{
374 if (ne == NULL) return(NULL); 357 if (ne == NULL) return(NULL);
375 return(ne->object); 358 return(ne->object);
376 } 359}
377 360
378ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne) 361ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
379 { 362{
380 if (ne == NULL) return(NULL); 363 if (ne == NULL) return(NULL);
381 return(ne->value); 364 return(ne->value);
382 } 365}
383 366
diff --git a/src/lib/libssl/src/crypto/x509/x509rset.c b/src/lib/libssl/src/crypto/x509/x509rset.c
index d9f6b57372..fab93cce97 100644
--- a/src/lib/libssl/src/crypto/x509/x509rset.c
+++ b/src/lib/libssl/src/crypto/x509/x509rset.c
@@ -64,20 +64,20 @@
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int X509_REQ_set_version(X509_REQ *x, long version) 66int X509_REQ_set_version(X509_REQ *x, long version)
67 { 67{
68 if (x == NULL) return(0); 68 if (x == NULL) return(0);
69 return(ASN1_INTEGER_set(x->req_info->version,version)); 69 return(ASN1_INTEGER_set(x->req_info->version,version));
70 } 70}
71 71
72int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) 72int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
73 { 73{
74 if ((x == NULL) || (x->req_info == NULL)) return(0); 74 if ((x == NULL) || (x->req_info == NULL)) return(0);
75 return(X509_NAME_set(&x->req_info->subject,name)); 75 return(X509_NAME_set(&x->req_info->subject,name));
76 } 76}
77 77
78int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) 78int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
79 { 79{
80 if ((x == NULL) || (x->req_info == NULL)) return(0); 80 if ((x == NULL) || (x->req_info == NULL)) return(0);
81 return(X509_PUBKEY_set(&x->req_info->pubkey,pkey)); 81 return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
82 } 82}
83 83
diff --git a/src/lib/libssl/src/crypto/x509/x509type.c b/src/lib/libssl/src/crypto/x509/x509type.c
index 9702ec5310..ff06cfcab9 100644
--- a/src/lib/libssl/src/crypto/x509/x509type.c
+++ b/src/lib/libssl/src/crypto/x509/x509type.c
@@ -63,7 +63,7 @@
63#include <openssl/x509.h> 63#include <openssl/x509.h>
64 64
65int X509_certificate_type(X509 *x, EVP_PKEY *pkey) 65int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
66 { 66{
67 EVP_PKEY *pk; 67 EVP_PKEY *pk;
68 int ret=0,i; 68 int ret=0,i;
69 69
@@ -76,8 +76,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
76 76
77 if (pk == NULL) return(0); 77 if (pk == NULL) return(0);
78 78
79 switch (pk->type) 79 switch (pk->type) {
80 {
81 case EVP_PKEY_RSA: 80 case EVP_PKEY_RSA:
82 ret=EVP_PK_RSA|EVP_PKT_SIGN; 81 ret=EVP_PK_RSA|EVP_PKT_SIGN;
83/* if (!sign only extension) */ 82/* if (!sign only extension) */
@@ -98,14 +97,12 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
98 break; 97 break;
99 default: 98 default:
100 break; 99 break;
101 } 100 }
102 101
103 i=OBJ_obj2nid(x->sig_alg->algorithm); 102 i=OBJ_obj2nid(x->sig_alg->algorithm);
104 if (i && OBJ_find_sigid_algs(i, NULL, &i)) 103 if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
105 {
106 104
107 switch (i) 105 switch (i) {
108 {
109 case NID_rsaEncryption: 106 case NID_rsaEncryption:
110 case NID_rsa: 107 case NID_rsa:
111 ret|=EVP_PKS_RSA; 108 ret|=EVP_PKS_RSA;
@@ -119,13 +116,13 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
119 break; 116 break;
120 default: 117 default:
121 break; 118 break;
122 }
123 } 119 }
120 }
124 121
125 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look 122 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
126 for, not bytes */ 123 for, not bytes */
127 ret|=EVP_PKT_EXP; 124 ret|=EVP_PKT_EXP;
128 if(pkey==NULL) EVP_PKEY_free(pk); 125 if(pkey==NULL) EVP_PKEY_free(pk);
129 return(ret); 126 return(ret);
130 } 127}
131 128
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-28 04:28:09 +0000