Fixes for new CRL/cert callbacks. Update CRL processing code to use new

[openssl.git] / crypto / x509 / x509_vfy.c

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 6fdc35a617922663d553ea384c75028163fac390..f1f5fb9b3f45d9f570131fbe7b657186facc2551 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -102,7 +102,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
        X509_VERIFY_PARAM *param = ctx->param;
        int depth,i,ok=0;
        int num;
-       int (*cb)(int ok,X509_STORE_CTX *ctx);
+       int (*cb)(int xok,X509_STORE_CTX *xctx);
        STACK_OF(X509) *sktmp=NULL;
        if (ctx->cert == NULL)
                {
@@ -388,9 +388,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #else
        int i, ok=0, must_be_ca;
        X509 *x;
-       int (*cb)(int ok,X509_STORE_CTX *ctx);
+       int (*cb)(int xok,X509_STORE_CTX *xctx);
        int proxy_path_length = 0;
-       int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+       int allow_proxy_certs =
+               !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
        cb=ctx->verify_cb;
 
        /* must_be_ca can have 1 of 3 values:
@@ -530,7 +531,7 @@ static int check_trust(X509_STORE_CTX *ctx)
 #else
        int i, ok;
        X509 *x;
-       int (*cb)(int ok,X509_STORE_CTX *ctx);
+       int (*cb)(int xok,X509_STORE_CTX *xctx);
        cb=ctx->verify_cb;
 /* For now just check the last certificate in the chain */
        i = sk_X509_num(ctx->chain) - 1;
@@ -663,12 +664,12 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
        for (i = 0; i < sk_X509_CRL_num(crls); i++)
                {
                crl = sk_X509_CRL_value(crls, i);
-               if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
+               if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
                        continue;
                if (check_crl_time(ctx, crl, 0))
                        {
                        *pcrl = crl;
-                       CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509);
+                       CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
                        return 1;
                        }
                best_crl = crl;
@@ -689,7 +690,7 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
        {
        int ok;
        X509_CRL *crl = NULL;
-       X509_OBJECT xobj;
+       STACK_OF(X509_CRL) *skcrl;
        X509_NAME *nm;
        nm = X509_get_issuer_name(x);
        ok = get_crl_sk(ctx, &crl, nm, ctx->crls);
@@ -699,11 +700,13 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
                return 1;
                }
 
-       ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj);
+       /* Lookup CRLs from store */
 
-       if (!ok)
+       skcrl = ctx->lookup_crls(ctx, nm);
+
+       /* If no CRLs found and a near match from get_crl_sk use that */
+       if (!skcrl)
                {
-               /* If we got a near match from get_crl_sk use that */
                if (crl)
                        {
                        *pcrl = crl;
@@ -712,10 +715,18 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
                return 0;
                }
 
-       *pcrl = xobj.data.crl;
+       get_crl_sk(ctx, &crl, NULL, skcrl);
+
+       sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
+
+       /* If we got any kind of CRL use it and return success */
        if (crl)
-               X509_CRL_free(crl);
-       return 1;
+               {
+               *pcrl = crl;
+               return 1;
+               }
+
+       return 0;
        }
 
 /* Check CRL validity */
@@ -775,7 +786,8 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
                        }
                }
 
-       if (!check_crl_time(ctx, crl, 1))
+       ok = check_crl_time(ctx, crl, 1);
+       if (!ok)
                goto err;
 
        ok = 1;
@@ -848,7 +860,7 @@ static int check_policy(X509_STORE_CTX *ctx)
                                ctx->param->policies, ctx->param->flags);
        if (ret == 0)
                {
-               X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+               X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
                return 0;
                }
        /* Invalid or inconsistent extensions */
@@ -940,7 +952,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
        int ok=0,n;
        X509 *xs,*xi;
        EVP_PKEY *pkey=NULL;
-       int (*cb)(int ok,X509_STORE_CTX *ctx);
+       int (*cb)(int xok,X509_STORE_CTX *xctx);
 
        cb=ctx->verify_cb;
 
@@ -1005,7 +1017,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
 
                xs->valid = 1;
 
-               if (!check_cert_time(ctx, xs))
+               ok = check_cert_time(ctx, xs);
+               if (!ok)
                        goto end;
 
                /* The last error (if any) is still in the error value */
@@ -1078,7 +1091,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
                offset=0;
        else
                {
-               if ((*str != '+') && (str[5] != '-'))
+               if ((*str != '+') && (*str != '-'))
                        return 0;
                offset=((str[1]-'0')*10+(str[2]-'0'))*60;
                offset+=(str[3]-'0')*10+(str[4]-'0');
@@ -1427,6 +1440,16 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
        else
                ctx->cert_crl = cert_crl;
 
+       if (store && store->lookup_certs)
+               ctx->lookup_certs = store->lookup_certs;
+       else
+               ctx->lookup_certs = X509_STORE_get1_certs;
+
+       if (store && store->lookup_crls)
+               ctx->lookup_crls = store->lookup_crls;
+       else
+               ctx->lookup_crls = X509_STORE_get1_crls;
+
        ctx->check_policy = check_policy;