Fix to stop X509_time_adj() using GeneralizedTime.

[openssl.git] / crypto / x509 / x509_vfy.c

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index db62c9f6a348cead99bae90c22fa592edab3a160..73eecd6ee4087c5f56ca97ff4b55dc1073a957f0 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -80,10 +80,7 @@ const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
 
 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
 static int x509_store_ctx_num=0;
 
 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
 static int x509_store_ctx_num=0;

-#if 0
-static int x509_store_num=1;
-static STACK *x509_store_method=NULL;
-#endif
+

 
 static int null_callback(int ok, X509_STORE_CTX *e)
        {
 
 static int null_callback(int ok, X509_STORE_CTX *e)
        {


@@ -339,16 +336,15 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
        ret = X509_check_issued(issuer, x);
        if (ret == X509_V_OK)
                return 1;
        ret = X509_check_issued(issuer, x);
        if (ret == X509_V_OK)
                return 1;

-       else
-               {
-               ctx->error = ret;
-               ctx->current_cert = x;
-               ctx->current_issuer = issuer;
-               if ((ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK) && ctx->verify_cb)
-                       return ctx->verify_cb(0, ctx);
-               else
-                       return 0;
-               }
+       /* If we haven't asked for issuer errors don't set ctx */
+       if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
+               return 0;
+
+       ctx->error = ret;
+       ctx->current_cert = x;
+       ctx->current_issuer = issuer;
+       if (ctx->verify_cb)
+               return ctx->verify_cb(0, ctx);

        return 0;
 }
 
        return 0;
 }
 


@@ -649,14 +645,16 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
        {
        time_t t;
 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
        {
        time_t t;

+       int type = -1;

 
        if (in_tm) t = *in_tm;
        else time(&t);
 
        t+=adj;
 
        if (in_tm) t = *in_tm;
        else time(&t);
 
        t+=adj;

-       if (!s) return ASN1_TIME_set(s, t);
-       if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
-       return ASN1_GENERALIZEDTIME_set(s, t);
+       if (s) type = s->type;
+       if (type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
+       if (type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_set(s, t);
+       return ASN1_TIME_set(s, t);

        }
 
 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
        }
 
 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)


@@ -703,12 +701,17 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
 
 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 
 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)

-        {
-        x509_store_ctx_num++;
-        return CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
+       {
+       /* This function is (usually) called only once, by
+        * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
+        * That function uses locking, so we don't (usually)
+        * have to worry about locking here. For the whole cruel
+        * truth, see crypto/ex_data.c */
+       x509_store_ctx_num++;
+       return CRYPTO_get_ex_new_index(x509_store_ctx_num-1,

                &x509_store_ctx_method,
                &x509_store_ctx_method,

-                argl,argp,new_func,dup_func,free_func);
-        }
+               argl,argp,new_func,dup_func,free_func);
+       }

 
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
        {
 
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
        {