+
+/* IDP name field matches CRLDP or IDP name not present */
+#define CRL_SCORE_SCOPE 4
+/* AKID present and matches cert, or AKID not present */
+#define CRL_SCORE_AKID 2
+/* times OK */
+#define CRL_SCORE_TIME 1
+
+#define CRL_SCORE_ALL 7
+
+/* IDP flags which cause a CRL to be rejected */
+
+#define IDP_REJECT (IDP_INVALID|IDP_INDIRECT|IDP_REASONS)
+
+static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
+ X509_NAME *nm, STACK_OF(X509_CRL) *crls)
+ {
+ int i, crl_score, best_score = -1;
+ X509_CRL *crl, *best_crl = NULL;
+ for (i = 0; i < sk_X509_CRL_num(crls); i++)
+ {
+ crl_score = 0;
+ crl = sk_X509_CRL_value(crls, i);
+ if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
+ continue;
+ if (check_crl_time(ctx, crl, 0))
+ crl_score |= CRL_SCORE_TIME;
+
+ if (crl->idp_flags & IDP_PRESENT)
+ {
+ if (crl->idp_flags & IDP_REJECT)
+ continue;
+ if (idp_check_scope(ctx->current_cert, crl))
+ crl_score |= CRL_SCORE_SCOPE;
+ }
+ else
+ crl_score |= CRL_SCORE_SCOPE;
+
+ if (crl->akid)
+ {
+ if (crl_akid_check(ctx, crl->akid))
+ crl_score |= CRL_SCORE_AKID;
+ }
+ else
+ crl_score |= CRL_SCORE_AKID;
+
+ if (crl_score == CRL_SCORE_ALL)
+ {
+ *pcrl = crl;
+ CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
+ return 1;
+ }
+
+ if (crl_score > best_score)
+ {
+ best_crl = crl;
+ best_score = crl_score;
+ }
+ }
+ if (best_crl)
+ {
+ *pcrl = best_crl;
+ CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
+ }
+
+ return 0;
+ }
+
+static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid)
+ {
+ int cidx = ctx->error_depth;
+ if (cidx != sk_X509_num(ctx->chain) - 1)
+ cidx++;
+ if (X509_check_akid(sk_X509_value(ctx->chain, cidx), akid) == X509_V_OK)
+ return 1;
+ return 0;
+ }
+
+
+/* Check IDP name matches at least one CRLDP name */
+
+static int idp_check_scope(X509 *x, X509_CRL *crl)
+ {
+ int i, j, k;
+ GENERAL_NAMES *inames, *dnames;
+ if (crl->idp_flags & IDP_ONLYATTR)
+ return 0;
+ if (x->ex_flags & EXFLAG_CA)
+ {
+ if (crl->idp_flags & IDP_ONLYUSER)
+ return 0;
+ }
+ else
+ {
+ if (crl->idp_flags & IDP_ONLYCA)
+ return 0;
+ }
+ if (!crl->idp->distpoint)
+ return 1;
+ if (crl->idp->distpoint->type != 0)
+ return 1;
+ if (!x->crldp)
+ return 0;
+ inames = crl->idp->distpoint->name.fullname;
+ for (i = 0; i < sk_GENERAL_NAME_num(inames); i++)
+ {
+ GENERAL_NAME *igen = sk_GENERAL_NAME_value(inames, i);
+ for (j = 0; j < sk_DIST_POINT_num(x->crldp); j++)
+ {
+ DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, j);
+ /* We don't handle these at present */
+ if (dp->reasons || dp->CRLissuer)
+ continue;
+ if (!dp->distpoint || (dp->distpoint->type != 0))
+ continue;
+ dnames = dp->distpoint->name.fullname;
+ for (k = 0; k < sk_GENERAL_NAME_num(dnames); k++)
+ {
+ GENERAL_NAME *cgen =
+ sk_GENERAL_NAME_value(dnames, k);
+ if (!GENERAL_NAME_cmp(igen, cgen))
+ return 1;
+ }
+ }
+ }
+ return 0;
+ }
+
+/* Retrieve CRL corresponding to current certificate. Currently only
+ * one CRL is retrieved. Multiple CRLs may be needed if we handle
+ * CRLs partitioned on reason code later.
+ */
+
+static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)