src - OpenBSD base system

diff options


context:
space:
mode:

author	Markus Friedl <markus@cvs.openbsd.org>	2004-04-25 18:57:52 +0000
committer	Markus Friedl <markus@cvs.openbsd.org>	2004-04-25 18:57:52 +0000
commit	840af56478d680c6217cd84de9404db219ea196f (patch)
tree	1204d90b331b5500f12f3e44a0c2fa4f5659fd8a
parent	6eb107b71f410fa9f4b7e3d5027ec786c8f7921f (diff)

update missing pieces from 0.9.7d; ok henning

crank minor for API extensions

Diffstat

-rw-r--r--

lib/libcrypto/evp/digest.c

-rw-r--r--

lib/libcrypto/x509/x509_txt.c

-rw-r--r--

lib/libcrypto/x509/x509_vfy.c

3 files changed, 67 insertions, 11 deletions

diff --git a/lib/libcrypto/evp/digest.c b/lib/libcrypto/evp/digest.c
index b22eed44211..0623ddf1f05 100644
--- a/lib/libcrypto/evp/digest.c
+++ b/lib/libcrypto/evp/digest.c

@@ -248,6 +248,7 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)

int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)

{

+ unsigned char *tmp_buf;

if ((in == NULL) || (in->digest == NULL))

{

EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);

@@ -262,15 +263,22 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)

}

#endif

+ if (out->digest == in->digest)

+ {

+ tmp_buf = out->md_data;

+ EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE);

+ }

+ else tmp_buf = NULL;

EVP_MD_CTX_cleanup(out);

memcpy(out,in,sizeof *out);

if (out->digest->ctx_size)

{

- out->md_data=OPENSSL_malloc(out->digest->ctx_size);

+ if (tmp_buf) out->md_data = tmp_buf;

+ else out->md_data=OPENSSL_malloc(out->digest->ctx_size);

memcpy(out->md_data,in->md_data,out->digest->ctx_size);

}

if (out->digest->copy)

return out->digest->copy(out,in);

@@ -308,7 +316,8 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)

if (ctx->digest && ctx->digest->cleanup

&& !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED))

ctx->digest->cleanup(ctx);

- if (ctx->digest && ctx->digest->ctx_size && ctx->md_data)

+ if (ctx->digest && ctx->digest->ctx_size && ctx->md_data

+ && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE))

{

OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);

OPENSSL_free(ctx->md_data);

diff --git a/lib/libcrypto/x509/x509_txt.c b/lib/libcrypto/x509/x509_txt.c
index 9d09ae17e82..e31ebc6741a 100644
--- a/lib/libcrypto/x509/x509_txt.c
+++ b/lib/libcrypto/x509/x509_txt.c

@@ -147,8 +147,14 @@ const char *X509_verify_cert_error_string(long n)

case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:

return("unhandled critical extension");

+ case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:

+ return("key usage does not include CRL signing");

+ case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:

+ return("unhandled critical CRL extension");

default:

- snprintf(buf,sizeof buf,"error number %ld",n);

+ BIO_snprintf(buf,sizeof buf,"error number %ld",n);

return(buf);

}

diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 2bb21b443ec..2e4d0b823ab 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c

@@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)

/* Check all untrusted certificates */

for (i = 0; i < ctx->last_untrusted; i++)

{

+ int ret;

x = sk_X509_value(ctx->chain, i);

if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)

&& (x->ex_flags & EXFLAG_CRITICAL))

@@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)

ok=cb(0,ctx);

if (!ok) goto end;

}

- if (!X509_check_purpose(x, ctx->purpose, i))

+ ret = X509_check_purpose(x, ctx->purpose, i);

+ if ((ret == 0)

+ || ((ctx->flags & X509_V_FLAG_X509_STRICT)

+ && (ret != 1)))

{

if (i)

ctx->error = X509_V_ERR_INVALID_CA;

@@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)

if(issuer)

{

+ /* Check for cRLSign bit if keyUsage present */

+ if ((issuer->ex_flags & EXFLAG_KUSAGE) &&

+ !(issuer->ex_kusage & KU_CRL_SIGN))

+ {

+ ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;

+ ok = ctx->verify_cb(0, ctx);

+ if(!ok) goto err;

+ }

/* Attempt to get issuer certificate public key */

ikey = X509_get_pubkey(issuer);

@@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)

{

int idx, ok;

X509_REVOKED rtmp;

+ STACK_OF(X509_EXTENSION) *exts;

+ X509_EXTENSION *ext;

/* Look for serial number of certificate in CRL */

rtmp.serialNumber = X509_get_serialNumber(x);

idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);

- /* Not found: OK */

- if(idx == -1) return 1;

- /* Otherwise revoked: want something cleverer than

+ /* If found assume revoked: want something cleverer than

* this to handle entry extensions in V2 CRLs.

- ctx->error = X509_V_ERR_CERT_REVOKED;

- ok = ctx->verify_cb(0, ctx);

- return ok;

+ if(idx >= 0)

+ {

+ ctx->error = X509_V_ERR_CERT_REVOKED;

+ ok = ctx->verify_cb(0, ctx);

+ if (!ok) return 0;

+ }

+ if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)

+ return 1;

+ /* See if we have any critical CRL extensions: since we

+ * currently don't handle any CRL extensions the CRL must be

+ * rejected.

+ * This code accesses the X509_CRL structure directly: applications

+ * shouldn't do this.

+ */

+ exts = crl->crl->extensions;

+ for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)

+ {

+ ext = sk_X509_EXTENSION_value(exts, idx);

+ if (ext->critical > 0)

+ {

+ ctx->error =

+ X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;

+ ok = ctx->verify_cb(0, ctx);

+ if(!ok) return 0;

+ break;

+ }

+ return 1;

}

static int internal_verify(X509_STORE_CTX *ctx)