Add opaque ID structure.

[openssl.git] / crypto / x509 / x509_vfy.c
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

index 92a3cc7a28cedc2b5053e0614a69d3bc5c53adac..ab9bf8d18420f92b0a33f021b23a560a996352b9 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -69,6 +69,7 @@
  #include <openssl/x509.h>
  #include <openssl/x509v3.h>
  #include <openssl/objects.h>
  #include <openssl/x509.h>
  #include <openssl/x509v3.h>
  #include <openssl/objects.h>
+#include "vpm_int.h"
  
  /* CRL score values */
  
  
  /* CRL score values */
  
@@ -165,7 +166,7 @@ static int cert_self_signed(X509 *x)
  static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
         {
         STACK_OF(X509) *certs;
  static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
         {
         STACK_OF(X509) *certs;
-       X509 *xtmp;
+       X509 *xtmp = NULL;
         int i;
         /* Lookup all certs with matching subject name */
         certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
         int i;
         /* Lookup all certs with matching subject name */
         certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
@@ -736,18 +737,19 @@ static int check_id_error(X509_STORE_CTX *ctx, int errcode)
  static int check_id(X509_STORE_CTX *ctx)
         {
         X509_VERIFY_PARAM *vpm = ctx->param;
  static int check_id(X509_STORE_CTX *ctx)
         {
         X509_VERIFY_PARAM *vpm = ctx->param;
+       X509_VERIFY_PARAM_ID *id = vpm->id;
         X509 *x = ctx->cert;
         X509 *x = ctx->cert;
-       if (vpm->host && !X509_check_host(x, vpm->host, vpm->hostlen, 0))
+       if (id->host && !X509_check_host(x, id->host, id->hostlen, 0))
                 {
                 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
                         return 0;
                 }
                 {
                 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
                         return 0;
                 }
-       if (vpm->email && !X509_check_email(x, vpm->email, vpm->emaillen, 0))
+       if (id->email && !X509_check_email(x, id->email, id->emaillen, 0))
                 {
                 if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
                         return 0;
                 }
                 {
                 if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
                         return 0;
                 }
-       if (vpm->ip && !X509_check_ip(x, vpm->ip, vpm->iplen, 0))
+       if (id->ip && !X509_check_ip(x, id->ip, id->iplen, 0))
                 {
                 if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
                         return 0;
                 {
                 if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
                         return 0;
@@ -787,20 +789,17 @@ static int check_trust(X509_STORE_CTX *ctx)
          */
         if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
                 {
          */
         if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
                 {
+               X509 *mx;
                 if (ctx->last_untrusted < sk_X509_num(ctx->chain))
                         return X509_TRUST_TRUSTED;
                 if (ctx->last_untrusted < sk_X509_num(ctx->chain))
                         return X509_TRUST_TRUSTED;
-               if (sk_X509_num(ctx->chain) == 1)
+               x = sk_X509_value(ctx->chain, 0);
+               mx = lookup_cert_match(ctx, x);
+               if (mx)
                         {
                         {
-                       X509 *mx;
-                       x = sk_X509_value(ctx->chain, 0);
-                       mx = lookup_cert_match(ctx, x);
-                       if (mx)
-                               {
-                               (void)sk_X509_set(ctx->chain, 0, mx);
-                               X509_free(x);
-                               ctx->last_untrusted = 0;
-                               return X509_TRUST_TRUSTED;
-                               }
+                       (void)sk_X509_set(ctx->chain, 0, mx);
+                       X509_free(x);
+                       ctx->last_untrusted = 0;
+                       return X509_TRUST_TRUSTED;
                         }
                 }
  
                         }
                 }
  
@@ -838,6 +837,7 @@ static int check_cert(X509_STORE_CTX *ctx)
         X509_CRL *crl = NULL, *dcrl = NULL;
         X509 *x;
         int ok, cnum;
         X509_CRL *crl = NULL, *dcrl = NULL;
         X509 *x;
         int ok, cnum;
+       unsigned int last_reasons;
         cnum = ctx->error_depth;
         x = sk_X509_value(ctx->chain, cnum);
         ctx->current_cert = x;
         cnum = ctx->error_depth;
         x = sk_X509_value(ctx->chain, cnum);
         ctx->current_cert = x;
@@ -846,6 +846,7 @@ static int check_cert(X509_STORE_CTX *ctx)
         ctx->current_reasons = 0;
         while (ctx->current_reasons != CRLDP_ALL_REASONS)
                 {
         ctx->current_reasons = 0;
         while (ctx->current_reasons != CRLDP_ALL_REASONS)
                 {
+               last_reasons = ctx->current_reasons;
                 /* Try to retrieve relevant CRL */
                 if (ctx->get_crl)
                         ok = ctx->get_crl(ctx, &crl, x);
                 /* Try to retrieve relevant CRL */
                 if (ctx->get_crl)
                         ok = ctx->get_crl(ctx, &crl, x);
@@ -889,6 +890,15 @@ static int check_cert(X509_STORE_CTX *ctx)
                 X509_CRL_free(dcrl);
                 crl = NULL;
                 dcrl = NULL;
                 X509_CRL_free(dcrl);
                 crl = NULL;
                 dcrl = NULL;
+               /* If reasons not updated we wont get anywhere by
+                * another iteration, so exit loop.
+                */
+               if (last_reasons == ctx->current_reasons)
+                       {
+                       ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+                       ok = ctx->verify_cb(0, ctx);
+                       goto err;
+                       }
                 }
         err:
         X509_CRL_free(crl);
                 }
         err:
         X509_CRL_free(crl);
@@ -1745,7 +1755,10 @@ static int internal_verify(X509_STORE_CTX *ctx)
         else
                 {
                 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN && n == 0)
         else
                 {
                 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN && n == 0)
-                       return check_cert_time(ctx, xi);
+                       {
+                       xs = xi;
+                       goto check_cert;
+                       }
                 if (n <= 0)
                         {
                         ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
                 if (n <= 0)
                         {
                         ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
@@ -1796,6 +1809,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
  
                 xs->valid = 1;
  
  
                 xs->valid = 1;
  
+               check_cert:
                 ok = check_cert_time(ctx, xs);
                 if (!ok)
                         goto end;
                 ok = check_cert_time(ctx, xs);
                 if (!ok)
                         goto end;