diff options
Diffstat (limited to 'src/lib/libcrypto/x509/x509_lu.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_lu.c | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c index 8d3e4f4dce..b522c88c25 100644 --- a/src/lib/libcrypto/x509/x509_lu.c +++ b/src/lib/libcrypto/x509/x509_lu.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_lu.c,v 1.16 2014/07/11 08:44:49 jsing Exp $ */ | 1 | /* $OpenBSD: x509_lu.c,v 1.17 2014/07/11 12:52:41 miod Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -62,6 +62,7 @@ | |||
| 62 | #include <openssl/lhash.h> | 62 | #include <openssl/lhash.h> |
| 63 | #include <openssl/x509.h> | 63 | #include <openssl/x509.h> |
| 64 | #include <openssl/x509v3.h> | 64 | #include <openssl/x509v3.h> |
| 65 | #include "x509_lcl.h" | ||
| 65 | 66 | ||
| 66 | X509_LOOKUP * | 67 | X509_LOOKUP * |
| 67 | X509_LOOKUP_new(X509_LOOKUP_METHOD *method) | 68 | X509_LOOKUP_new(X509_LOOKUP_METHOD *method) |
| @@ -632,6 +633,8 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) | |||
| 632 | X509_NAME *xn; | 633 | X509_NAME *xn; |
| 633 | X509_OBJECT obj, *pobj; | 634 | X509_OBJECT obj, *pobj; |
| 634 | int i, ok, idx, ret; | 635 | int i, ok, idx, ret; |
| 636 | |||
| 637 | *issuer = NULL; | ||
| 635 | xn = X509_get_issuer_name(x); | 638 | xn = X509_get_issuer_name(x); |
| 636 | ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj); | 639 | ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj); |
| 637 | if (ok != X509_LU_X509) { | 640 | if (ok != X509_LU_X509) { |
| @@ -649,8 +652,10 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) | |||
| 649 | } | 652 | } |
| 650 | /* If certificate matches all OK */ | 653 | /* If certificate matches all OK */ |
| 651 | if (ctx->check_issued(ctx, x, obj.data.x509)) { | 654 | if (ctx->check_issued(ctx, x, obj.data.x509)) { |
| 652 | *issuer = obj.data.x509; | 655 | if (x509_check_cert_time(ctx, obj.data.x509, 1)) { |
| 653 | return 1; | 656 | *issuer = obj.data.x509; |
| 657 | return 1; | ||
| 658 | } | ||
| 654 | } | 659 | } |
| 655 | X509_OBJECT_free_contents(&obj); | 660 | X509_OBJECT_free_contents(&obj); |
| 656 | 661 | ||
| @@ -670,13 +675,21 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) | |||
| 670 | break; | 675 | break; |
| 671 | if (ctx->check_issued(ctx, x, pobj->data.x509)) { | 676 | if (ctx->check_issued(ctx, x, pobj->data.x509)) { |
| 672 | *issuer = pobj->data.x509; | 677 | *issuer = pobj->data.x509; |
| 673 | X509_OBJECT_up_ref_count(pobj); | ||
| 674 | ret = 1; | 678 | ret = 1; |
| 675 | break; | 679 | /* |
| 680 | * If times check, exit with match, | ||
| 681 | * otherwise keep looking. Leave last | ||
| 682 | * match in issuer so we return nearest | ||
| 683 | * match if no certificate time is OK. | ||
| 684 | */ | ||
| 685 | if (x509_check_cert_time(ctx, *issuer, 1)) | ||
| 686 | break; | ||
| 676 | } | 687 | } |
| 677 | } | 688 | } |
| 678 | } | 689 | } |
| 679 | CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); | 690 | CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); |
| 691 | if (*issuer) | ||
| 692 | CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); | ||
| 680 | return ret; | 693 | return ret; |
| 681 | } | 694 | } |
| 682 | 695 | ||