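diff -up openssl-0.9.8m/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8m/crypto/x509/x509_lu.c
--- openssl-0.9.8m/crypto/x509/x509_lu.c.multi-crl 2010-02-19 19:25:39.000000000 +0100
+++ openssl-0.9.8m/crypto/x509/x509_lu.c 2010-03-22 18:21:20.000000000 +0100
@@ -458,7 +458,18 @@ X509_OBJECT *X509_OBJECT_retrieve_by_sub
 idx = X509_OBJECT_idx_by_subject(h, type, name);
 if (idx==-1) return NULL;
 return sk_X509_OBJECT_value(h, idx);
- }
+}
+
+static int x509_crl_match(const X509_CRL *a, const X509_CRL *b)
+{
+ if (a->signature == NULL || b->signature == NULL)
+ return a->signature != b->signature;
+
+ if (a->signature->length != b->signature->length)
+ return 0;
+
+ return memcmp(a->signature->data, b->signature->data, a->signature->length);
+}
 
 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
 {
@@ -466,13 +477,24 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
 X509_OBJECT *obj;
 idx = sk_X509_OBJECT_find(h, x);
 if (idx == -1) return NULL;
- if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
+ if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
+ return sk_X509_OBJECT_value(h, idx);
 for (i = idx; i < sk_X509_OBJECT_num(h); i++)
 {
 obj = sk_X509_OBJECT_value(h, i);
 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
 return NULL;
- if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
+ if (x->type == X509_LU_X509)
+ {
+ if (!X509_cmp(obj->data.x509, x->data.x509))
+ return obj;
+ }
+ else if (x->type == X509_LU_CRL)
+ {
+ if (!x509_crl_match(obj->data.crl, x->data.crl))
+ return obj;
+ }
+ else
 return obj;
 }
 return NULL;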
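Review bot: In `x509_crl_match` the length-mismatch branch returns 0, but the caller in `X509_OBJECT_retrieve_match` treats 0 as "equal" (`if (!x509_crl_match(...)) return obj;`), which is the memcmp convention the other two returns follow, so two CRLs from the same issuer whose signatures differ in length are reported as the same object. That branch should be `return 1;`. If the store's add path uses this lookup to reject duplicates (that code is outside the diff), a fresh CRL could be refused in favour of an older one and newer revocations would not be enforced. A comment such as `/* memcmp-style: returns 0 when both CRLs carry identical signatures */` above the function would keep the name from being read as a boolean.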
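diff -up openssl-0.9.8m/crypto/x509/x509_vfy.c.multi-crl openssl-0.9.8m/crypto/x509/x509_vfy.c
--- openssl-0.9.8m/crypto/x509/x509_vfy.c.multi-crl 2009-06-26 13:34:21.000000000 +0200
+++ openssl-0.9.8m/crypto/x509/x509_vfy.c 2010-03-22 18:17:30.000000000 +0100
@@ -725,7 +725,38 @@ static int get_crl(X509_STORE_CTX *ctx,
 return 0;
 }
 
- *pcrl = xobj.data.crl;
+ /* If CRL times not valid look through store */
+ if (!check_crl_time(ctx, xobj.data.crl, 0))
+ {
+ int idx, i;
+ X509_OBJECT *pobj;
+ X509_OBJECT_free_contents(&xobj);
+ idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
+ X509_LU_CRL, nm);
+ if (idx == -1)
+ return 0;
+ *pcrl = NULL;
+ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+ {
+ pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+ /* Check to see if it is a CRL and issuer matches */
+ if (pobj->type != X509_LU_CRL)
+ break;
+ if (X509_NAME_cmp(nm,
+ X509_CRL_get_issuer(pobj->data.crl)))
+ break;
+ /* Set *pcrl because the CRL will either be valid or
+ * a "best fit" CRL.
+ */
+ *pcrl = pobj->data.crl;
+ if (check_crl_time(ctx, *pcrl, 0))
+ break;
+ }
+ if (*pcrl)
+ CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);
+ }
+ else
+ *pcrl = xobj.data.crl;
 if (crl)
 X509_CRL_free(crl);
 return 1;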
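Review bot: The early `return 0;` taken when `idx == -1` bypasses the `if (crl) X509_CRL_free(crl);` that follows the new block, so a CRL already held in `crl` would leak on that path; free it first, e.g. `if (idx == -1) { if (crl) X509_CRL_free(crl); return 0; }` (whether `crl` can be set there depends on the start of get_crl, which is outside the hunk). The scan of `ctx->ctx->objs` and the later `CRYPTO_add` on the chosen CRL run with no store lock visible in the hunk, after `X509_OBJECT_free_contents(&xobj)` has dropped the reference that was held; if the store can be modified concurrently, the loop and the reference bump belong under the lock that guards the store's object stack. If the loop breaks before assigning, the function still falls through to `return 1` with `*pcrl == NULL`, so an `if (*pcrl == NULL) return 0;` after the loop (with the same cleanup) would keep callers from treating a missing CRL as found.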