kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1217 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 9f33fc63c6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9f33fc63c6'
${ noResults }
boringssl/crypto/x509/x509_lu.c

738 lines
18 KiB
Raw Blame History 

  1. /* crypto/x509/x509_lu.c */

  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  3.  * All rights reserved.

  4.  *

  5.  * This package is an SSL implementation written

  6.  * by Eric Young (eay@cryptsoft.com).

  7.  * The implementation was written so as to conform with Netscapes SSL.

  8.  *

  9.  * This library is free for commercial and non-commercial use as long as

  10.  * the following conditions are aheared to.  The following conditions

  11.  * apply to all code found in this distribution, be it the RC4, RSA,

  12.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  13.  * included with this distribution is covered by the same copyright terms

  14.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  15.  *

  16.  * Copyright remains Eric Young's, and as such any Copyright notices in

  17.  * the code are not to be removed.

  18.  * If this package is used in a product, Eric Young should be given attribution

  19.  * as the author of the parts of the library used.

  20.  * This can be in the form of a textual message at program startup or

  21.  * in documentation (online or textual) provided with the package.

  22.  *

  23.  * Redistribution and use in source and binary forms, with or without

  24.  * modification, are permitted provided that the following conditions

  25.  * are met:

  26.  * 1. Redistributions of source code must retain the copyright

  27.  *    notice, this list of conditions and the following disclaimer.

  28.  * 2. Redistributions in binary form must reproduce the above copyright

  29.  *    notice, this list of conditions and the following disclaimer in the

  30.  *    documentation and/or other materials provided with the distribution.

  31.  * 3. All advertising materials mentioning features or use of this software

  32.  *    must display the following acknowledgement:

  33.  *    "This product includes cryptographic software written by

  34.  *     Eric Young (eay@cryptsoft.com)"

  35.  *    The word 'cryptographic' can be left out if the rouines from the library

  36.  *    being used are not cryptographic related :-).

  37.  * 4. If you include any Windows specific code (or a derivative thereof) from

  38.  *    the apps directory (application code) you must include an acknowledgement:

  39.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  40.  *

  41.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  42.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  43.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  44.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  45.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  46.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  47.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  48.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  49.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  50.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  51.  * SUCH DAMAGE.

  52.  *

  53.  * The licence and distribution terms for any publically available version or

  54.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  55.  * copied and put under another distribution licence

  56.  * [including the GNU Public Licence.] */

  57. 

  58. #include <string.h>

  59. 

  60. #include <openssl/err.h>

  61. #include <openssl/lhash.h>

  62. #include <openssl/mem.h>

  63. #include <openssl/thread.h>

  64. #include <openssl/x509.h>

  65. #include <openssl/x509v3.h>

  66. 

  67. 

  68. X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)

  69. 	{

  70. 	X509_LOOKUP *ret;

  71. 

  72. 	ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));

  73. 	if (ret == NULL) return NULL;

  74. 

  75. 	ret->init=0;

  76. 	ret->skip=0;

  77. 	ret->method=method;

  78. 	ret->method_data=NULL;

  79. 	ret->store_ctx=NULL;

  80. 	if ((method->new_item != NULL) && !method->new_item(ret))

  81. 		{

  82. 		OPENSSL_free(ret);

  83. 		return NULL;

  84. 		}

  85. 	return ret;

  86. 	}

  87. 

  88. void X509_LOOKUP_free(X509_LOOKUP *ctx)

  89. 	{

  90. 	if (ctx == NULL) return;

  91. 	if (	(ctx->method != NULL) &&

  92. 		(ctx->method->free != NULL))

  93. 		(*ctx->method->free)(ctx);

  94. 	OPENSSL_free(ctx);

  95. 	}

  96. 

  97. int X509_LOOKUP_init(X509_LOOKUP *ctx)

  98. 	{

  99. 	if (ctx->method == NULL) return 0;

  100. 	if (ctx->method->init != NULL)

  101. 		return ctx->method->init(ctx);

  102. 	else

  103. 		return 1;

  104. 	}

  105. 

  106. int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)

  107. 	{

  108. 	if (ctx->method == NULL) return 0;

  109. 	if (ctx->method->shutdown != NULL)

  110. 		return ctx->method->shutdown(ctx);

  111. 	else

  112. 		return 1;

  113. 	}

  114. 

  115. int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,

  116. 	     char **ret)

  117. 	{

  118. 	if (ctx->method == NULL) return -1;

  119. 	if (ctx->method->ctrl != NULL)

  120. 		return ctx->method->ctrl(ctx,cmd,argc,argl,ret);

  121. 	else

  122. 		return 1;

  123. 	}

  124. 

  125. int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,

  126. 	     X509_OBJECT *ret)

  127. 	{

  128. 	if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))

  129. 		return X509_LU_FAIL;

  130. 	if (ctx->skip) return 0;

  131. 	return ctx->method->get_by_subject(ctx,type,name,ret);

  132. 	}

  133. 

  134. int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,

  135. 	     ASN1_INTEGER *serial, X509_OBJECT *ret)

  136. 	{

  137. 	if ((ctx->method == NULL) ||

  138. 		(ctx->method->get_by_issuer_serial == NULL))

  139. 		return X509_LU_FAIL;

  140. 	return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);

  141. 	}

  142. 

  143. int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,

  144. 	     unsigned char *bytes, int len, X509_OBJECT *ret)

  145. 	{

  146. 	if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))

  147. 		return X509_LU_FAIL;

  148. 	return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);

  149. 	}

  150. 

  151. int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,

  152. 	     X509_OBJECT *ret)

  153. 	{

  154. 	if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))

  155. 		return X509_LU_FAIL;

  156. 	return ctx->method->get_by_alias(ctx,type,str,len,ret);

  157. 	}

  158. 

  159.   

  160. static int x509_object_cmp(const X509_OBJECT **a, const X509_OBJECT **b)

  161.   	{

  162.  	int ret;

  163. 

  164.  	ret=((*a)->type - (*b)->type);

  165.  	if (ret) return ret;

  166.  	switch ((*a)->type)

  167.  		{

  168.  	case X509_LU_X509:

  169.  		ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);

  170.  		break;

  171.  	case X509_LU_CRL:

  172.  		ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);

  173.  		break;

  174. 	default:

  175. 		/* abort(); */

  176. 		return 0;

  177. 		}

  178. 	return ret;

  179. 	}

  180. 

  181. X509_STORE *X509_STORE_new(void)

  182. 	{

  183. 	X509_STORE *ret;

  184. 

  185. 	if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)

  186. 		return NULL;

  187. 	memset(ret, 0, sizeof(*ret));

  188. 	ret->objs = sk_X509_OBJECT_new(x509_object_cmp);

  189. 	ret->cache = 1;

  190. 	ret->get_cert_methods = sk_X509_LOOKUP_new_null();

  191. 

  192. 	if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)

  193. 		goto err;

  194. 

  195. 	ret->references = 1;

  196. 	return ret;

  197. err:

  198. 	if (ret)

  199. 		{

  200. 		if (ret->param)

  201. 			X509_VERIFY_PARAM_free(ret->param);

  202. 		if (ret->get_cert_methods)

  203. 			sk_X509_LOOKUP_free(ret->get_cert_methods);

  204. 		if (ret->objs)

  205. 			sk_X509_OBJECT_free(ret->objs);

  206. 		OPENSSL_free(ret);

  207. 		}

  208. 	return NULL;

  209. 	}

  210. 

  211. static void cleanup(X509_OBJECT *a)

  212. 	{

  213. 	if (a->type == X509_LU_X509)

  214. 		{

  215. 		X509_free(a->data.x509);

  216. 		}

  217. 	else if (a->type == X509_LU_CRL)

  218. 		{

  219. 		X509_CRL_free(a->data.crl);

  220. 		}

  221. 	else

  222. 		{

  223. 		/* abort(); */

  224. 		}

  225. 

  226. 	OPENSSL_free(a);

  227. 	}

  228. 

  229. void X509_STORE_free(X509_STORE *vfy)

  230. 	{

  231. 	int i;

  232. 	size_t j;

  233. 	STACK_OF(X509_LOOKUP) *sk;

  234. 	X509_LOOKUP *lu;

  235. 

  236. 	if (vfy == NULL)

  237. 	    return;

  238. 

  239. 	i=CRYPTO_add(&vfy->references,-1,CRYPTO_LOCK_X509_STORE);

  240. #ifdef REF_PRINT

  241. 	REF_PRINT("X509_STORE",vfy);

  242. #endif

  243. 	if (i > 0) return;

  244. #ifdef REF_CHECK

  245. 	if (i < 0)

  246. 		{

  247. 		fprintf(stderr,"X509_STORE_free, bad reference count\n");

  248. 		abort(); /* ok */

  249. 		}

  250. #endif

  251. 

  252. 	sk=vfy->get_cert_methods;

  253. 	for (j=0; j<sk_X509_LOOKUP_num(sk); j++)

  254. 		{

  255. 		lu=sk_X509_LOOKUP_value(sk,j);

  256. 		X509_LOOKUP_shutdown(lu);

  257. 		X509_LOOKUP_free(lu);

  258. 		}

  259. 	sk_X509_LOOKUP_free(sk);

  260. 	sk_X509_OBJECT_pop_free(vfy->objs, cleanup);

  261. 

  262. 	if (vfy->param)

  263. 		X509_VERIFY_PARAM_free(vfy->param);

  264. 	OPENSSL_free(vfy);

  265. 	}

  266. 

  267. X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)

  268. 	{

  269. 	size_t i;

  270. 	STACK_OF(X509_LOOKUP) *sk;

  271. 	X509_LOOKUP *lu;

  272. 

  273. 	sk=v->get_cert_methods;

  274. 	for (i=0; i<sk_X509_LOOKUP_num(sk); i++)

  275. 		{

  276. 		lu=sk_X509_LOOKUP_value(sk,i);

  277. 		if (m == lu->method)

  278. 			{

  279. 			return lu;

  280. 			}

  281. 		}

  282. 	/* a new one */

  283. 	lu=X509_LOOKUP_new(m);

  284. 	if (lu == NULL)

  285. 		return NULL;

  286. 	else

  287. 		{

  288. 		lu->store_ctx=v;

  289. 		if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))

  290. 			return lu;

  291. 		else

  292. 			{

  293. 			X509_LOOKUP_free(lu);

  294. 			return NULL;

  295. 			}

  296. 		}

  297. 	}

  298. 

  299. int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,

  300. 	     X509_OBJECT *ret)

  301. 	{

  302. 	X509_STORE *ctx=vs->ctx;

  303. 	X509_LOOKUP *lu;

  304. 	X509_OBJECT stmp,*tmp;

  305. 	int i,j;

  306. 

  307. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  308. 	tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);

  309. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  310. 

  311. 	if (tmp == NULL || type == X509_LU_CRL)

  312. 		{

  313. 		for (i=vs->current_method; i<(int)sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)

  314. 			{

  315. 			lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);

  316. 			j=X509_LOOKUP_by_subject(lu,type,name,&stmp);

  317. 			if (j < 0)

  318. 				{

  319. 				vs->current_method=j;

  320. 				return j;

  321. 				}

  322. 			else if (j)

  323. 				{

  324. 				tmp= &stmp;

  325. 				break;

  326. 				}

  327. 			}

  328. 		vs->current_method=0;

  329. 		if (tmp == NULL)

  330. 			return 0;

  331. 		}

  332. 

  333. /*	if (ret->data.ptr != NULL)

  334. 		X509_OBJECT_free_contents(ret); */

  335. 

  336. 	ret->type=tmp->type;

  337. 	ret->data.ptr=tmp->data.ptr;

  338. 

  339. 	X509_OBJECT_up_ref_count(ret);

  340. 

  341. 	return 1;

  342. 	}

  343. 

  344. int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)

  345. 	{

  346. 	X509_OBJECT *obj;

  347. 	int ret=1;

  348. 

  349. 	if (x == NULL) return 0;

  350. 	obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));

  351. 	if (obj == NULL)

  352. 		{

  353. 		OPENSSL_PUT_ERROR(X509, X509_STORE_add_cert, ERR_R_MALLOC_FAILURE);

  354. 		return 0;

  355. 		}

  356. 	obj->type=X509_LU_X509;

  357. 	obj->data.x509=x;

  358. 

  359. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  360. 

  361. 	X509_OBJECT_up_ref_count(obj);

  362. 

  363. 	if (X509_OBJECT_retrieve_match(ctx->objs, obj))

  364. 		{

  365. 		X509_OBJECT_free_contents(obj);

  366. 		OPENSSL_free(obj);

  367. 		OPENSSL_PUT_ERROR(X509, X509_STORE_add_cert, X509_R_CERT_ALREADY_IN_HASH_TABLE);

  368. 		ret=0;

  369. 		} 

  370. 	else sk_X509_OBJECT_push(ctx->objs, obj);

  371. 

  372. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  373. 

  374. 	return ret;

  375. 	}

  376. 

  377. int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)

  378. 	{

  379. 	X509_OBJECT *obj;

  380. 	int ret=1;

  381. 

  382. 	if (x == NULL) return 0;

  383. 	obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));

  384. 	if (obj == NULL)

  385. 		{

  386. 		OPENSSL_PUT_ERROR(X509, X509_STORE_add_crl, ERR_R_MALLOC_FAILURE);

  387. 		return 0;

  388. 		}

  389. 	obj->type=X509_LU_CRL;

  390. 	obj->data.crl=x;

  391. 

  392. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  393. 

  394. 	X509_OBJECT_up_ref_count(obj);

  395. 

  396. 	if (X509_OBJECT_retrieve_match(ctx->objs, obj))

  397. 		{

  398. 		X509_OBJECT_free_contents(obj);

  399. 		OPENSSL_free(obj);

  400. 		OPENSSL_PUT_ERROR(X509, X509_STORE_add_crl, X509_R_CERT_ALREADY_IN_HASH_TABLE);

  401. 		ret=0;

  402. 		}

  403. 	else sk_X509_OBJECT_push(ctx->objs, obj);

  404. 

  405. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  406. 

  407. 	return ret;

  408. 	}

  409. 

  410. void X509_OBJECT_up_ref_count(X509_OBJECT *a)

  411. 	{

  412. 	switch (a->type)

  413. 		{

  414. 	case X509_LU_X509:

  415. 		X509_up_ref(a->data.x509);

  416. 		break;

  417. 	case X509_LU_CRL:

  418. 		CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);

  419. 		break;

  420. 		}

  421. 	}

  422. 

  423. void X509_OBJECT_free_contents(X509_OBJECT *a)

  424. 	{

  425. 	switch (a->type)

  426. 		{

  427. 	case X509_LU_X509:

  428. 		X509_free(a->data.x509);

  429. 		break;

  430. 	case X509_LU_CRL:

  431. 		X509_CRL_free(a->data.crl);

  432. 		break;

  433. 		}

  434. 	}

  435. 

  436. static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,

  437. 	     X509_NAME *name, int *pnmatch)

  438. 	{

  439. 	X509_OBJECT stmp;

  440. 	X509 x509_s;

  441. 	X509_CINF cinf_s;

  442. 	X509_CRL crl_s;

  443. 	X509_CRL_INFO crl_info_s;

  444. 	size_t idx;

  445. 

  446. 	stmp.type=type;

  447. 	switch (type)

  448. 		{

  449. 	case X509_LU_X509:

  450. 		stmp.data.x509= &x509_s;

  451. 		x509_s.cert_info= &cinf_s;

  452. 		cinf_s.subject=name;

  453. 		break;

  454. 	case X509_LU_CRL:

  455. 		stmp.data.crl= &crl_s;

  456. 		crl_s.crl= &crl_info_s;

  457. 		crl_info_s.issuer=name;

  458. 		break;

  459. 	default:

  460. 		/* abort(); */

  461. 		return -1;

  462. 		}

  463. 

  464. 	idx = -1;

  465. 	if (sk_X509_OBJECT_find(h, &idx, &stmp) && pnmatch)

  466. 		{

  467. 		int tidx;

  468. 		const X509_OBJECT *tobj, *pstmp;

  469. 		*pnmatch = 1;

  470. 		pstmp = &stmp;

  471. 		for (tidx = idx + 1; tidx < (int)sk_X509_OBJECT_num(h); tidx++)

  472. 			{

  473. 			tobj = sk_X509_OBJECT_value(h, tidx);

  474. 			if (x509_object_cmp(&tobj, &pstmp))

  475. 				break;

  476. 			(*pnmatch)++;

  477. 			}

  478. 		}

  479. 

  480. 	return idx;

  481. 	}

  482. 

  483. 

  484. int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,

  485. 	     X509_NAME *name)

  486. 	{

  487. 	return x509_object_idx_cnt(h, type, name, NULL);

  488. 	}

  489. 

  490. X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,

  491. 	     X509_NAME *name)

  492. 	{

  493. 	int idx;

  494. 	idx = X509_OBJECT_idx_by_subject(h, type, name);

  495. 	if (idx==-1) return NULL;

  496. 	return sk_X509_OBJECT_value(h, idx);

  497. 	}

  498. 

  499. STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)

  500. 	{

  501. 	int i, idx, cnt;

  502. 	STACK_OF(X509) *sk;

  503. 	X509 *x;

  504. 	X509_OBJECT *obj;

  505. 	sk = sk_X509_new_null();

  506. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  507. 	idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);

  508. 	if (idx < 0)

  509. 		{

  510. 		/* Nothing found in cache: do lookup to possibly add new

  511. 		 * objects to cache

  512. 		 */

  513. 		X509_OBJECT xobj;

  514. 		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  515. 		if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))

  516. 			{

  517. 			sk_X509_free(sk);

  518. 			return NULL;

  519. 			}

  520. 		X509_OBJECT_free_contents(&xobj);

  521. 		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  522. 		idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);

  523. 		if (idx < 0)

  524. 			{

  525. 			CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  526. 			sk_X509_free(sk);

  527. 			return NULL;

  528. 			}

  529. 		}

  530. 	for (i = 0; i < cnt; i++, idx++)

  531. 		{

  532. 		obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);

  533. 		x = obj->data.x509;

  534. 		if (!sk_X509_push(sk, X509_up_ref(x)))

  535. 			{

  536. 			CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  537. 			X509_free(x);

  538. 			sk_X509_pop_free(sk, X509_free);

  539. 			return NULL;

  540. 			}

  541. 		}

  542. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  543. 	return sk;

  544. 

  545. 	}

  546. 

  547. STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)

  548. 	{

  549. 	int i, idx, cnt;

  550. 	STACK_OF(X509_CRL) *sk;

  551. 	X509_CRL *x;

  552. 	X509_OBJECT *obj, xobj;

  553. 	sk = sk_X509_CRL_new_null();

  554. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  555. 	/* Check cache first */

  556. 	idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);

  557. 

  558. 	/* Always do lookup to possibly add new CRLs to cache

  559. 	 */

  560. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  561. 	if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))

  562. 		{

  563. 		sk_X509_CRL_free(sk);

  564. 		return NULL;

  565. 		}

  566. 	X509_OBJECT_free_contents(&xobj);

  567. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  568. 	idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);

  569. 	if (idx < 0)

  570. 		{

  571. 		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  572. 		sk_X509_CRL_free(sk);

  573. 		return NULL;

  574. 		}

  575. 

  576. 	for (i = 0; i < cnt; i++, idx++)

  577. 		{

  578. 		obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);

  579. 		x = obj->data.crl;

  580. 		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);

  581. 		if (!sk_X509_CRL_push(sk, x))

  582. 			{

  583. 			CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  584. 			X509_CRL_free(x);

  585. 			sk_X509_CRL_pop_free(sk, X509_CRL_free);

  586. 			return NULL;

  587. 			}

  588. 		}

  589. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  590. 	return sk;

  591. 	}

  592. 

  593. X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)

  594. 	{

  595. 	size_t idx, i;

  596. 	X509_OBJECT *obj;

  597. 

  598. 	if (!sk_X509_OBJECT_find(h, &idx, x)) {

  599. 		return NULL;

  600. 	}

  601. 	if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))

  602. 		return sk_X509_OBJECT_value(h, idx);

  603. 	for (i = idx; i < sk_X509_OBJECT_num(h); i++)

  604. 		{

  605. 		obj = sk_X509_OBJECT_value(h, i);

  606. 		if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))

  607. 			return NULL;

  608. 		if (x->type == X509_LU_X509)

  609. 			{

  610. 			if (!X509_cmp(obj->data.x509, x->data.x509))

  611. 				return obj;

  612. 			}

  613. 		else if (x->type == X509_LU_CRL)

  614. 			{

  615. 			if (!X509_CRL_match(obj->data.crl, x->data.crl))

  616. 				return obj;

  617. 			}

  618. 		else

  619. 			return obj;

  620. 		}

  621. 	return NULL;

  622. 	}

  623. 

  624. 

  625. /* Try to get issuer certificate from store. Due to limitations

  626.  * of the API this can only retrieve a single certificate matching

  627.  * a given subject name. However it will fill the cache with all

  628.  * matching certificates, so we can examine the cache for all

  629.  * matches.

  630.  *

  631.  * Return values are:

  632.  *  1 lookup successful.

  633.  *  0 certificate not found.

  634.  * -1 some other error.

  635.  */

  636. int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)

  637. 	{

  638. 	X509_NAME *xn;

  639. 	X509_OBJECT obj, *pobj;

  640. 	int ok, idx, ret;

  641. 	size_t i;

  642. 	xn=X509_get_issuer_name(x);

  643. 	ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);

  644. 	if (ok != X509_LU_X509)

  645. 		{

  646. 		if (ok == X509_LU_RETRY)

  647. 			{

  648. 			X509_OBJECT_free_contents(&obj);

  649. 			OPENSSL_PUT_ERROR(X509, X509_STORE_CTX_get1_issuer, X509_R_SHOULD_RETRY);

  650. 			return -1;

  651. 			}

  652. 		else if (ok != X509_LU_FAIL)

  653. 			{

  654. 			X509_OBJECT_free_contents(&obj);

  655. 			/* not good :-(, break anyway */

  656. 			return -1;

  657. 			}

  658. 		return 0;

  659. 		}

  660. 	/* If certificate matches all OK */

  661. 	if (ctx->check_issued(ctx, x, obj.data.x509))

  662. 		{

  663. 		*issuer = obj.data.x509;

  664. 		return 1;

  665. 		}

  666. 	X509_OBJECT_free_contents(&obj);

  667. 

  668. 	/* Else find index of first cert accepted by 'check_issued' */

  669. 	ret = 0;

  670. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  671. 	idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);

  672. 	if (idx != -1) /* should be true as we've had at least one match */

  673. 		{

  674. 		/* Look through all matching certs for suitable issuer */

  675. 		for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)

  676. 			{

  677. 			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);

  678. 			/* See if we've run past the matches */

  679. 			if (pobj->type != X509_LU_X509)

  680. 				break;

  681. 			if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))

  682. 				break;

  683. 			if (ctx->check_issued(ctx, x, pobj->data.x509))

  684. 				{

  685. 				*issuer = pobj->data.x509;

  686. 				X509_OBJECT_up_ref_count(pobj);

  687. 				ret = 1;

  688. 				break;

  689. 				}

  690. 			}

  691. 		}

  692. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  693. 	return ret;

  694. 	}

  695. 

  696. int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)

  697. 	{

  698. 	return X509_VERIFY_PARAM_set_flags(ctx->param, flags);

  699. 	}

  700. 

  701. int X509_STORE_set_depth(X509_STORE *ctx, int depth)

  702. 	{

  703. 	X509_VERIFY_PARAM_set_depth(ctx->param, depth);

  704. 	return 1;

  705. 	}

  706. 

  707. int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)

  708. 	{

  709. 	return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);

  710. 	}

  711. 

  712. int X509_STORE_set_trust(X509_STORE *ctx, int trust)

  713. 	{

  714. 	return X509_VERIFY_PARAM_set_trust(ctx->param, trust);

  715. 	}

  716. 

  717. int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)

  718. 	{

  719. 	return X509_VERIFY_PARAM_set1(ctx->param, param);

  720. 	}

  721. 

  722. void X509_STORE_set_verify_cb(X509_STORE *ctx,

  723. 				  int (*verify_cb)(int, X509_STORE_CTX *))

  724. 	{

  725. 	ctx->verify_cb = verify_cb;

  726. 	}

  727. 

  728. void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,

  729. 		STACK_OF(X509_CRL)* (*cb)(X509_STORE_CTX *ctx, X509_NAME *nm))

  730. 	{

  731. 	ctx->lookup_crls = cb;

  732. 	}

  733. 

  734. X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx)

  735. 	{

  736. 	return ctx->ctx;

  737. 	}