kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
893 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: ac6900b0d3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ac6900b0d3'
${ noResults }
boringssl/crypto/x509/x509_lu.c

741 lines
18 KiB
Raw Blame History 

  1. /* crypto/x509/x509_lu.c */

  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  3.  * All rights reserved.

  4.  *

  5.  * This package is an SSL implementation written

  6.  * by Eric Young (eay@cryptsoft.com).

  7.  * The implementation was written so as to conform with Netscapes SSL.

  8.  *

  9.  * This library is free for commercial and non-commercial use as long as

  10.  * the following conditions are aheared to.  The following conditions

  11.  * apply to all code found in this distribution, be it the RC4, RSA,

  12.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  13.  * included with this distribution is covered by the same copyright terms

  14.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  15.  *

  16.  * Copyright remains Eric Young's, and as such any Copyright notices in

  17.  * the code are not to be removed.

  18.  * If this package is used in a product, Eric Young should be given attribution

  19.  * as the author of the parts of the library used.

  20.  * This can be in the form of a textual message at program startup or

  21.  * in documentation (online or textual) provided with the package.

  22.  *

  23.  * Redistribution and use in source and binary forms, with or without

  24.  * modification, are permitted provided that the following conditions

  25.  * are met:

  26.  * 1. Redistributions of source code must retain the copyright

  27.  *    notice, this list of conditions and the following disclaimer.

  28.  * 2. Redistributions in binary form must reproduce the above copyright

  29.  *    notice, this list of conditions and the following disclaimer in the

  30.  *    documentation and/or other materials provided with the distribution.

  31.  * 3. All advertising materials mentioning features or use of this software

  32.  *    must display the following acknowledgement:

  33.  *    "This product includes cryptographic software written by

  34.  *     Eric Young (eay@cryptsoft.com)"

  35.  *    The word 'cryptographic' can be left out if the rouines from the library

  36.  *    being used are not cryptographic related :-).

  37.  * 4. If you include any Windows specific code (or a derivative thereof) from

  38.  *    the apps directory (application code) you must include an acknowledgement:

  39.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  40.  *

  41.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  42.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  43.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  44.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  45.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  46.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  47.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  48.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  49.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  50.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  51.  * SUCH DAMAGE.

  52.  *

  53.  * The licence and distribution terms for any publically available version or

  54.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  55.  * copied and put under another distribution licence

  56.  * [including the GNU Public Licence.] */

  57. 

  58. #include <string.h>

  59. 

  60. #include <openssl/err.h>

  61. #include <openssl/lhash.h>

  62. #include <openssl/mem.h>

  63. #include <openssl/x509.h>

  64. #include <openssl/x509v3.h>

  65. 

  66. 

  67. X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)

  68. 	{

  69. 	X509_LOOKUP *ret;

  70. 

  71. 	ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));

  72. 	if (ret == NULL) return NULL;

  73. 

  74. 	ret->init=0;

  75. 	ret->skip=0;

  76. 	ret->method=method;

  77. 	ret->method_data=NULL;

  78. 	ret->store_ctx=NULL;

  79. 	if ((method->new_item != NULL) && !method->new_item(ret))

  80. 		{

  81. 		OPENSSL_free(ret);

  82. 		return NULL;

  83. 		}

  84. 	return ret;

  85. 	}

  86. 

  87. void X509_LOOKUP_free(X509_LOOKUP *ctx)

  88. 	{

  89. 	if (ctx == NULL) return;

  90. 	if (	(ctx->method != NULL) &&

  91. 		(ctx->method->free != NULL))

  92. 		(*ctx->method->free)(ctx);

  93. 	OPENSSL_free(ctx);

  94. 	}

  95. 

  96. int X509_LOOKUP_init(X509_LOOKUP *ctx)

  97. 	{

  98. 	if (ctx->method == NULL) return 0;

  99. 	if (ctx->method->init != NULL)

  100. 		return ctx->method->init(ctx);

  101. 	else

  102. 		return 1;

  103. 	}

  104. 

  105. int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)

  106. 	{

  107. 	if (ctx->method == NULL) return 0;

  108. 	if (ctx->method->shutdown != NULL)

  109. 		return ctx->method->shutdown(ctx);

  110. 	else

  111. 		return 1;

  112. 	}

  113. 

  114. int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,

  115. 	     char **ret)

  116. 	{

  117. 	if (ctx->method == NULL) return -1;

  118. 	if (ctx->method->ctrl != NULL)

  119. 		return ctx->method->ctrl(ctx,cmd,argc,argl,ret);

  120. 	else

  121. 		return 1;

  122. 	}

  123. 

  124. int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,

  125. 	     X509_OBJECT *ret)

  126. 	{

  127. 	if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))

  128. 		return X509_LU_FAIL;

  129. 	if (ctx->skip) return 0;

  130. 	return ctx->method->get_by_subject(ctx,type,name,ret);

  131. 	}

  132. 

  133. int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,

  134. 	     ASN1_INTEGER *serial, X509_OBJECT *ret)

  135. 	{

  136. 	if ((ctx->method == NULL) ||

  137. 		(ctx->method->get_by_issuer_serial == NULL))

  138. 		return X509_LU_FAIL;

  139. 	return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);

  140. 	}

  141. 

  142. int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,

  143. 	     unsigned char *bytes, int len, X509_OBJECT *ret)

  144. 	{

  145. 	if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))

  146. 		return X509_LU_FAIL;

  147. 	return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);

  148. 	}

  149. 

  150. int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,

  151. 	     X509_OBJECT *ret)

  152. 	{

  153. 	if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))

  154. 		return X509_LU_FAIL;

  155. 	return ctx->method->get_by_alias(ctx,type,str,len,ret);

  156. 	}

  157. 

  158.   

  159. static int x509_object_cmp(const X509_OBJECT **a, const X509_OBJECT **b)

  160.   	{

  161.  	int ret;

  162. 

  163.  	ret=((*a)->type - (*b)->type);

  164.  	if (ret) return ret;

  165.  	switch ((*a)->type)

  166.  		{

  167.  	case X509_LU_X509:

  168.  		ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);

  169.  		break;

  170.  	case X509_LU_CRL:

  171.  		ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);

  172.  		break;

  173. 	default:

  174. 		/* abort(); */

  175. 		return 0;

  176. 		}

  177. 	return ret;

  178. 	}

  179. 

  180. X509_STORE *X509_STORE_new(void)

  181. 	{

  182. 	X509_STORE *ret;

  183. 

  184. 	if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)

  185. 		return NULL;

  186. 	memset(ret, 0, sizeof(*ret));

  187. 	ret->objs = sk_X509_OBJECT_new(x509_object_cmp);

  188. 	ret->cache = 1;

  189. 	ret->get_cert_methods = sk_X509_LOOKUP_new_null();

  190. 

  191. 	if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)

  192. 		goto err;

  193. 

  194. 	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))

  195. 		goto err;

  196. 

  197. 	ret->references = 1;

  198. 	return ret;

  199. err:

  200. 	if (ret)

  201. 		{

  202. 		if (ret->param)

  203. 			X509_VERIFY_PARAM_free(ret->param);

  204. 		if (ret->get_cert_methods)

  205. 			sk_X509_LOOKUP_free(ret->get_cert_methods);

  206. 		if (ret->objs)

  207. 			sk_X509_OBJECT_free(ret->objs);

  208. 		OPENSSL_free(ret);

  209. 		}

  210. 	return NULL;

  211. 	}

  212. 

  213. static void cleanup(X509_OBJECT *a)

  214. 	{

  215. 	if (a->type == X509_LU_X509)

  216. 		{

  217. 		X509_free(a->data.x509);

  218. 		}

  219. 	else if (a->type == X509_LU_CRL)

  220. 		{

  221. 		X509_CRL_free(a->data.crl);

  222. 		}

  223. 	else

  224. 		{

  225. 		/* abort(); */

  226. 		}

  227. 

  228. 	OPENSSL_free(a);

  229. 	}

  230. 

  231. void X509_STORE_free(X509_STORE *vfy)

  232. 	{

  233. 	int i;

  234. 	size_t j;

  235. 	STACK_OF(X509_LOOKUP) *sk;

  236. 	X509_LOOKUP *lu;

  237. 

  238. 	if (vfy == NULL)

  239. 	    return;

  240. 

  241. 	i=CRYPTO_add(&vfy->references,-1,CRYPTO_LOCK_X509_STORE);

  242. #ifdef REF_PRINT

  243. 	REF_PRINT("X509_STORE",vfy);

  244. #endif

  245. 	if (i > 0) return;

  246. #ifdef REF_CHECK

  247. 	if (i < 0)

  248. 		{

  249. 		fprintf(stderr,"X509_STORE_free, bad reference count\n");

  250. 		abort(); /* ok */

  251. 		}

  252. #endif

  253. 

  254. 	sk=vfy->get_cert_methods;

  255. 	for (j=0; j<sk_X509_LOOKUP_num(sk); j++)

  256. 		{

  257. 		lu=sk_X509_LOOKUP_value(sk,j);

  258. 		X509_LOOKUP_shutdown(lu);

  259. 		X509_LOOKUP_free(lu);

  260. 		}

  261. 	sk_X509_LOOKUP_free(sk);

  262. 	sk_X509_OBJECT_pop_free(vfy->objs, cleanup);

  263. 

  264. 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);

  265. 	if (vfy->param)

  266. 		X509_VERIFY_PARAM_free(vfy->param);

  267. 	OPENSSL_free(vfy);

  268. 	}

  269. 

  270. X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)

  271. 	{

  272. 	size_t i;

  273. 	STACK_OF(X509_LOOKUP) *sk;

  274. 	X509_LOOKUP *lu;

  275. 

  276. 	sk=v->get_cert_methods;

  277. 	for (i=0; i<sk_X509_LOOKUP_num(sk); i++)

  278. 		{

  279. 		lu=sk_X509_LOOKUP_value(sk,i);

  280. 		if (m == lu->method)

  281. 			{

  282. 			return lu;

  283. 			}

  284. 		}

  285. 	/* a new one */

  286. 	lu=X509_LOOKUP_new(m);

  287. 	if (lu == NULL)

  288. 		return NULL;

  289. 	else

  290. 		{

  291. 		lu->store_ctx=v;

  292. 		if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))

  293. 			return lu;

  294. 		else

  295. 			{

  296. 			X509_LOOKUP_free(lu);

  297. 			return NULL;

  298. 			}

  299. 		}

  300. 	}

  301. 

  302. int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,

  303. 	     X509_OBJECT *ret)

  304. 	{

  305. 	X509_STORE *ctx=vs->ctx;

  306. 	X509_LOOKUP *lu;

  307. 	X509_OBJECT stmp,*tmp;

  308. 	int i,j;

  309. 

  310. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  311. 	tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);

  312. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  313. 

  314. 	if (tmp == NULL || type == X509_LU_CRL)

  315. 		{

  316. 		for (i=vs->current_method; i<(int)sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)

  317. 			{

  318. 			lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);

  319. 			j=X509_LOOKUP_by_subject(lu,type,name,&stmp);

  320. 			if (j < 0)

  321. 				{

  322. 				vs->current_method=j;

  323. 				return j;

  324. 				}

  325. 			else if (j)

  326. 				{

  327. 				tmp= &stmp;

  328. 				break;

  329. 				}

  330. 			}

  331. 		vs->current_method=0;

  332. 		if (tmp == NULL)

  333. 			return 0;

  334. 		}

  335. 

  336. /*	if (ret->data.ptr != NULL)

  337. 		X509_OBJECT_free_contents(ret); */

  338. 

  339. 	ret->type=tmp->type;

  340. 	ret->data.ptr=tmp->data.ptr;

  341. 

  342. 	X509_OBJECT_up_ref_count(ret);

  343. 

  344. 	return 1;

  345. 	}

  346. 

  347. int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)

  348. 	{

  349. 	X509_OBJECT *obj;

  350. 	int ret=1;

  351. 

  352. 	if (x == NULL) return 0;

  353. 	obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));

  354. 	if (obj == NULL)

  355. 		{

  356. 		OPENSSL_PUT_ERROR(X509, X509_STORE_add_cert, ERR_R_MALLOC_FAILURE);

  357. 		return 0;

  358. 		}

  359. 	obj->type=X509_LU_X509;

  360. 	obj->data.x509=x;

  361. 

  362. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  363. 

  364. 	X509_OBJECT_up_ref_count(obj);

  365. 

  366. 	if (X509_OBJECT_retrieve_match(ctx->objs, obj))

  367. 		{

  368. 		X509_OBJECT_free_contents(obj);

  369. 		OPENSSL_free(obj);

  370. 		OPENSSL_PUT_ERROR(X509, X509_STORE_add_cert, X509_R_CERT_ALREADY_IN_HASH_TABLE);

  371. 		ret=0;

  372. 		} 

  373. 	else sk_X509_OBJECT_push(ctx->objs, obj);

  374. 

  375. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  376. 

  377. 	return ret;

  378. 	}

  379. 

  380. int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)

  381. 	{

  382. 	X509_OBJECT *obj;

  383. 	int ret=1;

  384. 

  385. 	if (x == NULL) return 0;

  386. 	obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));

  387. 	if (obj == NULL)

  388. 		{

  389. 		OPENSSL_PUT_ERROR(X509, X509_STORE_add_crl, ERR_R_MALLOC_FAILURE);

  390. 		return 0;

  391. 		}

  392. 	obj->type=X509_LU_CRL;

  393. 	obj->data.crl=x;

  394. 

  395. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  396. 

  397. 	X509_OBJECT_up_ref_count(obj);

  398. 

  399. 	if (X509_OBJECT_retrieve_match(ctx->objs, obj))

  400. 		{

  401. 		X509_OBJECT_free_contents(obj);

  402. 		OPENSSL_free(obj);

  403. 		OPENSSL_PUT_ERROR(X509, X509_STORE_add_crl, X509_R_CERT_ALREADY_IN_HASH_TABLE);

  404. 		ret=0;

  405. 		}

  406. 	else sk_X509_OBJECT_push(ctx->objs, obj);

  407. 

  408. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  409. 

  410. 	return ret;

  411. 	}

  412. 

  413. void X509_OBJECT_up_ref_count(X509_OBJECT *a)

  414. 	{

  415. 	switch (a->type)

  416. 		{

  417. 	case X509_LU_X509:

  418. 		X509_up_ref(a->data.x509);

  419. 		break;

  420. 	case X509_LU_CRL:

  421. 		CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);

  422. 		break;

  423. 		}

  424. 	}

  425. 

  426. void X509_OBJECT_free_contents(X509_OBJECT *a)

  427. 	{

  428. 	switch (a->type)

  429. 		{

  430. 	case X509_LU_X509:

  431. 		X509_free(a->data.x509);

  432. 		break;

  433. 	case X509_LU_CRL:

  434. 		X509_CRL_free(a->data.crl);

  435. 		break;

  436. 		}

  437. 	}

  438. 

  439. static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,

  440. 	     X509_NAME *name, int *pnmatch)

  441. 	{

  442. 	X509_OBJECT stmp;

  443. 	X509 x509_s;

  444. 	X509_CINF cinf_s;

  445. 	X509_CRL crl_s;

  446. 	X509_CRL_INFO crl_info_s;

  447. 	size_t idx;

  448. 

  449. 	stmp.type=type;

  450. 	switch (type)

  451. 		{

  452. 	case X509_LU_X509:

  453. 		stmp.data.x509= &x509_s;

  454. 		x509_s.cert_info= &cinf_s;

  455. 		cinf_s.subject=name;

  456. 		break;

  457. 	case X509_LU_CRL:

  458. 		stmp.data.crl= &crl_s;

  459. 		crl_s.crl= &crl_info_s;

  460. 		crl_info_s.issuer=name;

  461. 		break;

  462. 	default:

  463. 		/* abort(); */

  464. 		return -1;

  465. 		}

  466. 

  467. 	idx = -1;

  468. 	if (sk_X509_OBJECT_find(h, &idx, &stmp) && pnmatch)

  469. 		{

  470. 		int tidx;

  471. 		const X509_OBJECT *tobj, *pstmp;

  472. 		*pnmatch = 1;

  473. 		pstmp = &stmp;

  474. 		for (tidx = idx + 1; tidx < (int)sk_X509_OBJECT_num(h); tidx++)

  475. 			{

  476. 			tobj = sk_X509_OBJECT_value(h, tidx);

  477. 			if (x509_object_cmp(&tobj, &pstmp))

  478. 				break;

  479. 			(*pnmatch)++;

  480. 			}

  481. 		}

  482. 

  483. 	return idx;

  484. 	}

  485. 

  486. 

  487. int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,

  488. 	     X509_NAME *name)

  489. 	{

  490. 	return x509_object_idx_cnt(h, type, name, NULL);

  491. 	}

  492. 

  493. X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,

  494. 	     X509_NAME *name)

  495. 	{

  496. 	int idx;

  497. 	idx = X509_OBJECT_idx_by_subject(h, type, name);

  498. 	if (idx==-1) return NULL;

  499. 	return sk_X509_OBJECT_value(h, idx);

  500. 	}

  501. 

  502. STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)

  503. 	{

  504. 	int i, idx, cnt;

  505. 	STACK_OF(X509) *sk;

  506. 	X509 *x;

  507. 	X509_OBJECT *obj;

  508. 	sk = sk_X509_new_null();

  509. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  510. 	idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);

  511. 	if (idx < 0)

  512. 		{

  513. 		/* Nothing found in cache: do lookup to possibly add new

  514. 		 * objects to cache

  515. 		 */

  516. 		X509_OBJECT xobj;

  517. 		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  518. 		if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))

  519. 			{

  520. 			sk_X509_free(sk);

  521. 			return NULL;

  522. 			}

  523. 		X509_OBJECT_free_contents(&xobj);

  524. 		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  525. 		idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);

  526. 		if (idx < 0)

  527. 			{

  528. 			CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  529. 			sk_X509_free(sk);

  530. 			return NULL;

  531. 			}

  532. 		}

  533. 	for (i = 0; i < cnt; i++, idx++)

  534. 		{

  535. 		obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);

  536. 		x = obj->data.x509;

  537. 		if (!sk_X509_push(sk, X509_up_ref(x)))

  538. 			{

  539. 			CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  540. 			X509_free(x);

  541. 			sk_X509_pop_free(sk, X509_free);

  542. 			return NULL;

  543. 			}

  544. 		}

  545. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  546. 	return sk;

  547. 

  548. 	}

  549. 

  550. STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)

  551. 	{

  552. 	int i, idx, cnt;

  553. 	STACK_OF(X509_CRL) *sk;

  554. 	X509_CRL *x;

  555. 	X509_OBJECT *obj, xobj;

  556. 	sk = sk_X509_CRL_new_null();

  557. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  558. 	/* Check cache first */

  559. 	idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);

  560. 

  561. 	/* Always do lookup to possibly add new CRLs to cache

  562. 	 */

  563. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  564. 	if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))

  565. 		{

  566. 		sk_X509_CRL_free(sk);

  567. 		return NULL;

  568. 		}

  569. 	X509_OBJECT_free_contents(&xobj);

  570. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  571. 	idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);

  572. 	if (idx < 0)

  573. 		{

  574. 		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  575. 		sk_X509_CRL_free(sk);

  576. 		return NULL;

  577. 		}

  578. 

  579. 	for (i = 0; i < cnt; i++, idx++)

  580. 		{

  581. 		obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);

  582. 		x = obj->data.crl;

  583. 		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);

  584. 		if (!sk_X509_CRL_push(sk, x))

  585. 			{

  586. 			CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  587. 			X509_CRL_free(x);

  588. 			sk_X509_CRL_pop_free(sk, X509_CRL_free);

  589. 			return NULL;

  590. 			}

  591. 		}

  592. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  593. 	return sk;

  594. 	}

  595. 

  596. X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)

  597. 	{

  598. 	size_t idx, i;

  599. 	X509_OBJECT *obj;

  600. 

  601. 	if (!sk_X509_OBJECT_find(h, &idx, x)) {

  602. 		return NULL;

  603. 	}

  604. 	if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))

  605. 		return sk_X509_OBJECT_value(h, idx);

  606. 	for (i = idx; i < sk_X509_OBJECT_num(h); i++)

  607. 		{

  608. 		obj = sk_X509_OBJECT_value(h, i);

  609. 		if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))

  610. 			return NULL;

  611. 		if (x->type == X509_LU_X509)

  612. 			{

  613. 			if (!X509_cmp(obj->data.x509, x->data.x509))

  614. 				return obj;

  615. 			}

  616. 		else if (x->type == X509_LU_CRL)

  617. 			{

  618. 			if (!X509_CRL_match(obj->data.crl, x->data.crl))

  619. 				return obj;

  620. 			}

  621. 		else

  622. 			return obj;

  623. 		}

  624. 	return NULL;

  625. 	}

  626. 

  627. 

  628. /* Try to get issuer certificate from store. Due to limitations

  629.  * of the API this can only retrieve a single certificate matching

  630.  * a given subject name. However it will fill the cache with all

  631.  * matching certificates, so we can examine the cache for all

  632.  * matches.

  633.  *

  634.  * Return values are:

  635.  *  1 lookup successful.

  636.  *  0 certificate not found.

  637.  * -1 some other error.

  638.  */

  639. int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)

  640. 	{

  641. 	X509_NAME *xn;

  642. 	X509_OBJECT obj, *pobj;

  643. 	int ok, idx, ret;

  644. 	size_t i;

  645. 	xn=X509_get_issuer_name(x);

  646. 	ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);

  647. 	if (ok != X509_LU_X509)

  648. 		{

  649. 		if (ok == X509_LU_RETRY)

  650. 			{

  651. 			X509_OBJECT_free_contents(&obj);

  652. 			OPENSSL_PUT_ERROR(X509, X509_STORE_CTX_get1_issuer, X509_R_SHOULD_RETRY);

  653. 			return -1;

  654. 			}

  655. 		else if (ok != X509_LU_FAIL)

  656. 			{

  657. 			X509_OBJECT_free_contents(&obj);

  658. 			/* not good :-(, break anyway */

  659. 			return -1;

  660. 			}

  661. 		return 0;

  662. 		}

  663. 	/* If certificate matches all OK */

  664. 	if (ctx->check_issued(ctx, x, obj.data.x509))

  665. 		{

  666. 		*issuer = obj.data.x509;

  667. 		return 1;

  668. 		}

  669. 	X509_OBJECT_free_contents(&obj);

  670. 

  671. 	/* Else find index of first cert accepted by 'check_issued' */

  672. 	ret = 0;

  673. 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

  674. 	idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);

  675. 	if (idx != -1) /* should be true as we've had at least one match */

  676. 		{

  677. 		/* Look through all matching certs for suitable issuer */

  678. 		for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)

  679. 			{

  680. 			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);

  681. 			/* See if we've run past the matches */

  682. 			if (pobj->type != X509_LU_X509)

  683. 				break;

  684. 			if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))

  685. 				break;

  686. 			if (ctx->check_issued(ctx, x, pobj->data.x509))

  687. 				{

  688. 				*issuer = pobj->data.x509;

  689. 				X509_OBJECT_up_ref_count(pobj);

  690. 				ret = 1;

  691. 				break;

  692. 				}

  693. 			}

  694. 		}

  695. 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

  696. 	return ret;

  697. 	}

  698. 

  699. int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)

  700. 	{

  701. 	return X509_VERIFY_PARAM_set_flags(ctx->param, flags);

  702. 	}

  703. 

  704. int X509_STORE_set_depth(X509_STORE *ctx, int depth)

  705. 	{

  706. 	X509_VERIFY_PARAM_set_depth(ctx->param, depth);

  707. 	return 1;

  708. 	}

  709. 

  710. int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)

  711. 	{

  712. 	return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);

  713. 	}

  714. 

  715. int X509_STORE_set_trust(X509_STORE *ctx, int trust)

  716. 	{

  717. 	return X509_VERIFY_PARAM_set_trust(ctx->param, trust);

  718. 	}

  719. 

  720. int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)

  721. 	{

  722. 	return X509_VERIFY_PARAM_set1(ctx->param, param);

  723. 	}

  724. 

  725. void X509_STORE_set_verify_cb(X509_STORE *ctx,

  726. 				  int (*verify_cb)(int, X509_STORE_CTX *))

  727. 	{

  728. 	ctx->verify_cb = verify_cb;

  729. 	}

  730. 

  731. void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,

  732. 		STACK_OF(X509_CRL)* (*cb)(X509_STORE_CTX *ctx, X509_NAME *nm))

  733. 	{

  734. 	ctx->lookup_crls = cb;

  735. 	}

  736. 

  737. X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx)

  738. 	{

  739. 	return ctx->ctx;

  740. 	}