Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey

[openssl.git] / crypto / x509 / x509_lu.c

diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 38525a8cddbc267c8e2c7a78c354438bb609c85a..79281c6bdb16feac014880f142cddf67384285e8 100644 (file)
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -61,6 +61,7 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
        {
@@ -238,6 +239,19 @@ void X509_STORE_free(X509_STORE *vfy)
        if (vfy == NULL)
            return;
 
+       i=CRYPTO_add(&vfy->references,-1,CRYPTO_LOCK_X509_STORE);
+#ifdef REF_PRINT
+       REF_PRINT("X509_STORE",vfy);
+#endif
+       if (i > 0) return;
+#ifdef REF_CHECK
+       if (i < 0)
+               {
+               fprintf(stderr,"X509_STORE_free, bad reference count\n");
+               abort(); /* ok */
+               }
+#endif
+
        sk=vfy->get_cert_methods;
        for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
                {
@@ -626,6 +640,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
        X509_NAME *xn;
        X509_OBJECT obj, *pobj;
        int i, ok, idx, ret;
+       *issuer = NULL;
        xn=X509_get_issuer_name(x);
        ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
        if (ok != X509_LU_X509)
@@ -647,8 +662,11 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
        /* If certificate matches all OK */
        if (ctx->check_issued(ctx, x, obj.data.x509))
                {
-               *issuer = obj.data.x509;
-               return 1;
+               if (x509_check_cert_time(ctx, obj.data.x509, 1))
+                       {
+                       *issuer = obj.data.x509;
+                       return 1;
+                       }
                }
        X509_OBJECT_free_contents(&obj);
 
@@ -670,13 +688,22 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
                        if (ctx->check_issued(ctx, x, pobj->data.x509))
                                {
                                *issuer = pobj->data.x509;
-                               X509_OBJECT_up_ref_count(pobj);
                                ret = 1;
-                               break;
+                               /*
+                                * If times check, exit with match,
+                                * otherwise keep looking. Leave last
+                                * match in issuer so we return nearest
+                                * match if no certificate time is OK.
+                                */
+
+                               if (x509_check_cert_time(ctx, *issuer, 1))
+                                       break;
                                }
                        }
                }
        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+       if (*issuer)
+               CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
        return ret;
        }
 
@@ -712,5 +739,16 @@ void X509_STORE_set_verify_cb(X509_STORE *ctx,
        ctx->verify_cb = verify_cb;
        }
 
+void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
+               STACK_OF(X509_CRL)* (*cb)(X509_STORE_CTX *ctx, X509_NAME *nm))
+       {
+       ctx->lookup_crls = cb;
+       }
+
+X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx)
+       {
+       return ctx->ctx;
+       }
+
 IMPLEMENT_STACK_OF(X509_LOOKUP)
 IMPLEMENT_STACK_OF(X509_OBJECT)