Diffstat (limited to 'src/lib/libcrypto/x509')
-rw-r--r--src/lib/libcrypto/x509/by_file.c20
-rw-r--r--src/lib/libcrypto/x509/x509.h3
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c119
-rw-r--r--src/lib/libcrypto/x509/x509_v3.c2
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c2
5 files changed, 127 insertions, 19 deletions
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index 92e00d2d73..b4b04183d0 100644
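--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -100,18 +100,19 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
  case X509_L_FILE_LOAD:
  if (argl == X509_FILETYPE_DEFAULT)
  {
- ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
- X509_FILETYPE_PEM) != 0);
+ file = (char *)Getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file(ctx,file,
+ X509_FILETYPE_PEM) != 0);
+
+ else
+ ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
+ X509_FILETYPE_PEM) != 0);
+
  if (!ok)
  {
  X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
  }
- else
- {
- file=(char *)Getenv(X509_get_default_cert_file_env());
- ok = (X509_load_cert_crl_file(ctx,file,
- X509_FILETYPE_PEM) != 0);
- }
  }
  else
  {
@@ -284,7 +285,8 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
  if(itmp->x509) {
  X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
  count++;
- } else if(itmp->crl) {
+ }
+ if(itmp->crl) {
  X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
  count++;
  }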
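Review bot: In the X509_L_FILE_LOAD branch the trust-anchor file now comes from `Getenv(X509_get_default_cert_file_env())` whenever that variable is set, and the compiled-in default is then skipped entirely, so whoever controls the process environment selects the CA bundle. Nothing visible in the hunk restricts this for set-user-ID or otherwise privileged callers; if the library can be linked into such programs, the lookup should be gated, for example `if (file && !issetugid())` on platforms that provide it, with the existing `else` branch still loading `X509_get_default_cert_file()`. A short comment above the `Getenv` call saying that the environment value replaces the default rather than supplementing it would also help, since the removed code loaded the default first. by_file_ctrl starts and ends outside the hunk.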
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 7095440d36..eaad5685a8 100644
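--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -87,7 +87,6 @@
 #ifndef OPENSSL_NO_SHA
 #include <openssl/sha.h>
 #endif
-#include <openssl/evp.h>
 #include <openssl/e_os2.h>
 #include <openssl/ossl_typ.h>
 
@@ -487,10 +486,12 @@ typedef struct Netscape_certificate_sequence
  STACK_OF(X509) *certs;
  } NETSCAPE_CERT_SEQUENCE;
 
+/* Unused (and iv length is wrong)
 typedef struct CBCParameter_st
  {
  unsigned char iv[8];
  } CBC_PARAM;
+*/
 
 /* Password based encryption structure */
 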
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index cd20b6d66f..f460102f49 100644
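--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <ctype.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
@@ -81,13 +82,14 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
  unsigned long ret=0;
  EVP_MD_CTX ctx;
  unsigned char md[16];
- char str[256];
+ char *f;
 
  EVP_MD_CTX_init(&ctx);
- X509_NAME_oneline(a->cert_info->issuer,str,256);
- ret=strlen(str);
+ f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
+ ret=strlen(f);
  EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
- EVP_DigestUpdate(&ctx,(unsigned char *)str,ret);
+ EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
+ OPENSSL_free(f);
  EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
  (unsigned long)a->cert_info->serialNumber->length);
  EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
@@ -159,6 +161,99 @@ int X509_cmp(const X509 *a, const X509 *b)
 }
 #endif
 
+
+/* Case insensitive string comparision */
+static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ int i;
+
+ if (a->length != b->length)
+ return (a->length - b->length);
+
+ for (i=0; i<a->length; i++)
+ {
+ int ca, cb;
+
+ ca = tolower(a->data[i]);
+ cb = tolower(b->data[i]);
+
+ if (ca != cb)
+ return(ca-cb);
+ }
+ return 0;
+}
+
+/* Case insensitive string comparision with space normalization
+ * Space normalization - ignore leading, trailing spaces,
+ * multiple spaces between characters are replaced by single space
+ */
+static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ unsigned char *pa = NULL, *pb = NULL;
+ int la, lb;
+
+ la = a->length;
+ lb = b->length;
+ pa = a->data;
+ pb = b->data;
+
+ /* skip leading spaces */
+ while (la > 0 && isspace(*pa))
+ {
+ la--;
+ pa++;
+ }
+ while (lb > 0 && isspace(*pb))
+ {
+ lb--;
+ pb++;
+ }
+
+ /* skip trailing spaces */
+ while (la > 0 && isspace(pa[la-1]))
+ la--;
+ while (lb > 0 && isspace(pb[lb-1]))
+ lb--;
+
+ /* compare strings with space normalization */
+ while (la > 0 && lb > 0)
+ {
+ int ca, cb;
+
+ /* compare character */
+ ca = tolower(*pa);
+ cb = tolower(*pb);
+ if (ca != cb)
+ return (ca - cb);
+
+ pa++; pb++;
+ la--; lb--;
+
+ if (la <= 0 || lb <= 0)
+ break;
+
+ /* is white space next character ? */
+ if (isspace(*pa) && isspace(*pb))
+ {
+ /* skip remaining white spaces */
+ while (la > 0 && isspace(*pa))
+ {
+ la--;
+ pa++;
+ }
+ while (lb > 0 && isspace(*pb))
+ {
+ lb--;
+ pb++;
+ }
+ }
+ }
+ if (la > 0 || lb > 0)
+ return la - lb;
+
+ return 0;
+}
+
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
  {
  int i,j;
@@ -172,10 +267,20 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
  {
  na=sk_X509_NAME_ENTRY_value(a->entries,i);
  nb=sk_X509_NAME_ENTRY_value(b->entries,i);
- j=na->value->length-nb->value->length;
+ j=na->value->type-nb->value->type;
  if (j) return(j);
- j=memcmp(na->value->data,nb->value->data,
- na->value->length);
+ if (na->value->type == V_ASN1_PRINTABLESTRING)
+ j=nocase_spacenorm_cmp(na->value, nb->value);
+ else if (na->value->type == V_ASN1_IA5STRING
+ && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
+ j=nocase_cmp(na->value, nb->value);
+ else
+ {
+ j=na->value->length-nb->value->length;
+ if (j) return(j);
+ j=memcmp(na->value->data,nb->value->data,
+ na->value->length);
+ }
  if (j) return(j);
  j=na->set-nb->set;
  if (j) return(j);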
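Review bot: In X509_issuer_and_serial_hash the result of `X509_NAME_oneline(a->cert_info->issuer,NULL,0)` goes straight into `strlen(f)`, but with a NULL buffer that call allocates the string and returns NULL when the allocation fails, so the new code can dereference NULL where the old fixed stack buffer could not. A check is needed directly after the call, for example `if (f == NULL) { EVP_MD_CTX_cleanup(&ctx); return 0; }`, or a jump to whatever cleanup the function already has. The end of the function is outside the hunk, so the exact exit path should be matched to what is there.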
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index b5f7daa2e5..67b1796a92 100644
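--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -116,7 +116,7 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
  {
  ex=sk_X509_EXTENSION_value(sk,lastpos);
  if ( ((ex->critical > 0) && crit) ||
- (!(ex->critical <= 0) && !crit))
+ ((ex->critical <= 0) && !crit))
  return(lastpos);
  }
  return(-1);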
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index db12f7bd35..552d1e7251 100644
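--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -756,7 +756,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
  {
  char *str;
  ASN1_TIME atm;
- time_t offset;
+ long offset;
  char buff1[24],buff2[24],*p;
  int i,j;
 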