diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2005-04-29 05:39:34 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2005-04-29 05:39:34 +0000 |
| commit | 96d1d9b6e08bc96e9e2ca66809e78057a7ad7715 (patch) | |
| tree | 3c21c706afbaf02026085e88634587633cdae96a /lib/libcrypto/x509 | |
| parent | ccd50423df222a7b368ec130192398b49e23114a (diff) | |
resolve conflicts
Diffstat (limited to 'lib/libcrypto/x509')
| -rw-r--r-- | lib/libcrypto/x509/by_file.c | 4 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509.h | 11 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_cmp.c | 48 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_r2x.c | 6 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_req.c | 35 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_txt.c | 13 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_vfy.c | 131 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509_vfy.h | 8 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509cset.c | 1 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x509name.c | 10 | ||||
| -rw-r--r-- | lib/libcrypto/x509/x_all.c | 1 |
11 files changed, 205 insertions, 63 deletions
diff --git a/lib/libcrypto/x509/by_file.c b/lib/libcrypto/x509/by_file.c index b4b04183d07..a5e0d4aefa1 100644 --- a/lib/libcrypto/x509/by_file.c +++ b/lib/libcrypto/x509/by_file.c @@ -150,7 +150,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL); if (x == NULL) { - if ((ERR_GET_REASON(ERR_peek_error()) == + if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && (count > 0)) { ERR_clear_error(); @@ -217,7 +217,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); if (x == NULL) { - if ((ERR_GET_REASON(ERR_peek_error()) == + if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && (count > 0)) { ERR_clear_error(); diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h index 8d0c7e2e179..e8c1a59cf2f 100644 --- a/lib/libcrypto/x509/x509.h +++ b/lib/libcrypto/x509/x509.h @@ -410,6 +410,7 @@ typedef struct X509_crl_info_st ASN1_TIME *nextUpdate; STACK_OF(X509_REVOKED) *revoked; STACK_OF(X509_EXTENSION) /* [0] */ *extensions; + ASN1_ENCODING enc; } X509_CRL_INFO; struct X509_crl_st @@ -1037,18 +1038,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, - char *field, int type, unsigned char *bytes, int len); + const char *field, int type, const unsigned char *bytes, int len); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len); -int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, - unsigned char *bytes, int len, int loc, int set); +int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, + const unsigned char *bytes, int len, int loc, int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, - ASN1_OBJECT *obj, int type,unsigned char *bytes, + ASN1_OBJECT *obj, int type,const unsigned char *bytes, int len); int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj); int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, - unsigned char *bytes, int len); + const unsigned char *bytes, int len); ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c index f460102f497..030d0966fc0 100644 --- a/lib/libcrypto/x509/x509_cmp.c +++ b/lib/libcrypto/x509/x509_cmp.c @@ -254,33 +254,49 @@ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b) return 0; } +static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b) + { + int j; + j = a->length - b->length; + if (j) + return j; + return memcmp(a->data, b->data, a->length); + } + +#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING) + int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { int i,j; X509_NAME_ENTRY *na,*nb; - if (sk_X509_NAME_ENTRY_num(a->entries) - != sk_X509_NAME_ENTRY_num(b->entries)) - return sk_X509_NAME_ENTRY_num(a->entries) - -sk_X509_NAME_ENTRY_num(b->entries); + unsigned long nabit, nbbit; + + j = sk_X509_NAME_ENTRY_num(a->entries) + - sk_X509_NAME_ENTRY_num(b->entries); + if (j) + return j; for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) { na=sk_X509_NAME_ENTRY_value(a->entries,i); nb=sk_X509_NAME_ENTRY_value(b->entries,i); j=na->value->type-nb->value->type; - if (j) return(j); - if (na->value->type == V_ASN1_PRINTABLESTRING) + if (j) + { + nabit = ASN1_tag2bit(na->value->type); + nbbit = ASN1_tag2bit(nb->value->type); + if (!(nabit & STR_TYPE_CMP) || + !(nbbit & STR_TYPE_CMP)) + return j; + j = asn1_string_memcmp(na->value, nb->value); + } + else if (na->value->type == V_ASN1_PRINTABLESTRING) j=nocase_spacenorm_cmp(na->value, nb->value); else if (na->value->type == V_ASN1_IA5STRING && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) j=nocase_cmp(na->value, nb->value); else - { - j=na->value->length-nb->value->length; - if (j) return(j); - j=memcmp(na->value->data,nb->value->data, - na->value->length); - } + j = asn1_string_memcmp(na->value, nb->value); if (j) return(j); j=na->set-nb->set; if (j) return(j); @@ -306,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x) { unsigned long ret=0; unsigned char md[16]; + EVP_MD_CTX md_ctx; /* Make sure X509_NAME structure contains valid cached encoding */ i2d_X509_NAME(x,NULL); - EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL); + EVP_MD_CTX_init(&md_ctx); + EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL); + EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length); + EVP_DigestFinal_ex(&md_ctx,md,NULL); + EVP_MD_CTX_cleanup(&md_ctx); ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) diff --git a/lib/libcrypto/x509/x509_r2x.c b/lib/libcrypto/x509/x509_r2x.c index db051033d9b..fb8a78dabeb 100644 --- a/lib/libcrypto/x509/x509_r2x.c +++ b/lib/libcrypto/x509/x509_r2x.c @@ -92,8 +92,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) X509_set_subject_name(ret,X509_NAME_dup(xn)); X509_set_issuer_name(ret,X509_NAME_dup(xn)); - X509_gmtime_adj(xi->validity->notBefore,0); - X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days); + if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL) + goto err; + if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL) + goto err; X509_set_pubkey(ret,X509_REQ_get_pubkey(r)); diff --git a/lib/libcrypto/x509/x509_req.c b/lib/libcrypto/x509/x509_req.c index 0affa3bf306..59fc6ca5484 100644 --- a/lib/libcrypto/x509/x509_req.c +++ b/lib/libcrypto/x509/x509_req.c @@ -118,7 +118,7 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) * used and there may be more: so the list is configurable. */ -static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef}; +static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef}; static int *ext_nids = ext_nid_list; @@ -143,32 +143,33 @@ void X509_REQ_set_extension_nids(int *nids) } STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) -{ + { X509_ATTRIBUTE *attr; - STACK_OF(X509_ATTRIBUTE) *sk; ASN1_TYPE *ext = NULL; - int i; + int idx, *pnid; unsigned char *p; - if ((req == NULL) || (req->req_info == NULL)) + + if ((req == NULL) || (req->req_info == NULL) || !ext_nids) return(NULL); - sk=req->req_info->attributes; - if (!sk) return NULL; - for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { - attr = sk_X509_ATTRIBUTE_value(sk, i); - if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) { - if(attr->single) ext = attr->value.single; - else if(sk_ASN1_TYPE_num(attr->value.set)) - ext = sk_ASN1_TYPE_value(attr->value.set, 0); - break; + for (pnid = ext_nids; *pnid != NID_undef; pnid++) + { + idx = X509_REQ_get_attr_by_NID(req, *pnid, -1); + if (idx == -1) + continue; + attr = X509_REQ_get_attr(req, idx); + if(attr->single) ext = attr->value.single; + else if(sk_ASN1_TYPE_num(attr->value.set)) + ext = sk_ASN1_TYPE_value(attr->value.set, 0); + break; } - } - if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL; + if(!ext || (ext->type != V_ASN1_SEQUENCE)) + return NULL; p = ext->value.sequence->data; return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p, ext->value.sequence->length, d2i_X509_EXTENSION, X509_EXTENSION_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); -} + } /* Add a STACK_OF extensions to a certificate request: allow alternative OIDs * in case we want to create a non standard one. diff --git a/lib/libcrypto/x509/x509_txt.c b/lib/libcrypto/x509/x509_txt.c index e31ebc6741a..f19e66a238a 100644 --- a/lib/libcrypto/x509/x509_txt.c +++ b/lib/libcrypto/x509/x509_txt.c @@ -122,8 +122,14 @@ const char *X509_verify_cert_error_string(long n) return("certificate revoked"); case X509_V_ERR_INVALID_CA: return ("invalid CA certificate"); + case X509_V_ERR_INVALID_NON_CA: + return ("invalid non-CA certificate (has CA markings)"); case X509_V_ERR_PATH_LENGTH_EXCEEDED: return ("path length constraint exceeded"); + case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: + return("proxy path length constraint exceeded"); + case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: + return("proxy cerificates not allowed, please set the appropriate flag"); case X509_V_ERR_INVALID_PURPOSE: return ("unsupported certificate purpose"); case X509_V_ERR_CERT_UNTRUSTED: @@ -140,19 +146,16 @@ const char *X509_verify_cert_error_string(long n) return("authority and issuer serial number mismatch"); case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: return("key usage does not include certificate signing"); - case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); - case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); - case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: return("key usage does not include CRL signing"); - + case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: + return("key usage does not include digital signature"); case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: return("unhandled critical CRL extension"); - default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 2e4d0b823ab..e43c861ee77 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -73,7 +73,7 @@ static int null_callback(int ok,X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); -static int check_chain_purpose(X509_STORE_CTX *ctx); +static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_trust(X509_STORE_CTX *ctx); static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); @@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) } /* We have the chain complete: now we need to check its purpose */ - if (ctx->purpose > 0) ok = check_chain_purpose(ctx); + ok = check_chain_extensions(ctx); if (!ok) goto end; @@ -365,21 +365,39 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) else return 0; } - + /* Check a certificate chains extensions for consistency * with the supplied purpose */ -static int check_chain_purpose(X509_STORE_CTX *ctx) +static int check_chain_extensions(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else - int i, ok=0; + int i, ok=0, must_be_ca; X509 *x; int (*cb)(); + int proxy_path_length = 0; + int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); cb=ctx->verify_cb; + + /* must_be_ca can have 1 of 3 values: + -1: we accept both CA and non-CA certificates, to allow direct + use of self-signed certificates (which are marked as CA). + 0: we only accept non-CA certificates. This is currently not + used, but the possibility is present for future extensions. + 1: we only accept CA certificates. This is currently used for + all certificates in the chain except the leaf certificate. + */ + must_be_ca = -1; + + /* A hack to keep people who don't want to modify their software + happy */ + if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + allow_proxy_certs = 1; + /* Check all untrusted certificates */ for (i = 0; i < ctx->last_untrusted; i++) { @@ -394,23 +412,73 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - ret = X509_check_purpose(x, ctx->purpose, i); - if ((ret == 0) - || ((ctx->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) + if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { - if (i) + ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + ret = X509_check_ca(x); + switch(must_be_ca) + { + case -1: + if ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1) && (ret != 0)) + { + ret = 0; ctx->error = X509_V_ERR_INVALID_CA; + } else - ctx->error = X509_V_ERR_INVALID_PURPOSE; + ret = 1; + break; + case 0: + if (ret != 0) + { + ret = 0; + ctx->error = X509_V_ERR_INVALID_NON_CA; + } + else + ret = 1; + break; + default: + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) + { + ret = 0; + ctx->error = X509_V_ERR_INVALID_CA; + } + else + ret = 1; + break; + } + if (ret == 0) + { ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; } + if (ctx->purpose > 0) + { + ret = X509_check_purpose(x, ctx->purpose, + must_be_ca > 0); + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) + { + ctx->error = X509_V_ERR_INVALID_PURPOSE; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + } /* Check pathlen */ if ((i > 1) && (x->ex_pathlen != -1) - && (i > (x->ex_pathlen + 1))) + && (i > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; @@ -418,6 +486,32 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } + /* If this certificate is a proxy certificate, the next + certificate must be another proxy certificate or a EE + certificate. If not, the next certificate must be a + CA certificate. */ + if (x->ex_flags & EXFLAG_PROXY) + { + PROXY_CERT_INFO_EXTENSION *pci = + X509_get_ext_d2i(x, NID_proxyCertInfo, + NULL, NULL); + if (pci->pcPathLengthConstraint && + ASN1_INTEGER_get(pci->pcPathLengthConstraint) + < i) + { + PROXY_CERT_INFO_EXTENSION_free(pci); + ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + PROXY_CERT_INFO_EXTENSION_free(pci); + proxy_path_length++; + must_be_ca = 0; + } + else + must_be_ca = 1; } ok = 1; end: @@ -627,6 +721,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) X509_EXTENSION *ext; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); + /* Sort revoked into serial number order if not already sorted. + * Do this under a lock to avoid race condition. + */ + if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) + { + CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL); + sk_X509_REVOKED_sort(crl->crl->revoked); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL); + } idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); /* If found assume revoked: want something cleverer than * this to handle entry extensions in V2 CRLs. @@ -772,6 +875,7 @@ static int internal_verify(X509_STORE_CTX *ctx) } /* The last error (if any) is still in the error value */ + ctx->current_issuer=xi; ctx->current_cert=xs; ok=(*cb)(1,ctx); if (!ok) goto end; @@ -851,7 +955,8 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time) atm.length=sizeof(buff2); atm.data=(unsigned char *)buff2; - X509_time_adj(&atm,-offset*60, cmp_time); + if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL) + return 0; if (ctm->type == V_ASN1_UTCTIME) { diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h index 198495884cf..7fd1f0bc4de 100644 --- a/lib/libcrypto/x509/x509_vfy.h +++ b/lib/libcrypto/x509/x509_vfy.h @@ -276,7 +276,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 #define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 #define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 -#define X509_V_ERR_CERT_NOT_YET_VALID 9 +#define X509_V_ERR_CERT_NOT_YET_VALID 9 #define X509_V_ERR_CERT_HAS_EXPIRED 10 #define X509_V_ERR_CRL_NOT_YET_VALID 11 #define X509_V_ERR_CRL_HAS_EXPIRED 12 @@ -306,6 +306,10 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 #define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 #define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 +#define X509_V_ERR_INVALID_NON_CA 37 +#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 +#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 +#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 @@ -324,6 +328,8 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Disable workarounds for broken certificates */ #define X509_V_FLAG_X509_STRICT 0x20 +/* Enable proxy certificate validation */ +#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); diff --git a/lib/libcrypto/x509/x509cset.c b/lib/libcrypto/x509/x509cset.c index 6cac440ea93..9d1646d5c8d 100644 --- a/lib/libcrypto/x509/x509cset.c +++ b/lib/libcrypto/x509/x509cset.c @@ -129,6 +129,7 @@ int X509_CRL_sort(X509_CRL *c) r=sk_X509_REVOKED_value(c->crl->revoked,i); r->sequence=i; } + c->crl->enc.modified = 1; return 1; } diff --git a/lib/libcrypto/x509/x509name.c b/lib/libcrypto/x509/x509name.c index 4c20e03eced..068abfe5f04 100644 --- a/lib/libcrypto/x509/x509name.c +++ b/lib/libcrypto/x509/x509name.c @@ -195,8 +195,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, return ret; } -int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, - unsigned char *bytes, int len, int loc, int set) +int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, + const unsigned char *bytes, int len, int loc, int set) { X509_NAME_ENTRY *ne; int ret; @@ -273,7 +273,7 @@ err: } X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, - char *field, int type, unsigned char *bytes, int len) + const char *field, int type, const unsigned char *bytes, int len) { ASN1_OBJECT *obj; X509_NAME_ENTRY *nentry; @@ -309,7 +309,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, } X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, - ASN1_OBJECT *obj, int type, unsigned char *bytes, int len) + ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) { X509_NAME_ENTRY *ret; @@ -347,7 +347,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj) } int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, - unsigned char *bytes, int len) + const unsigned char *bytes, int len) { int i; diff --git a/lib/libcrypto/x509/x_all.c b/lib/libcrypto/x509/x_all.c index fb5015cd4de..ac6dea493a8 100644 --- a/lib/libcrypto/x509/x_all.c +++ b/lib/libcrypto/x509/x_all.c @@ -103,6 +103,7 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) { + x->crl->enc.modified = 1; return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg, x->sig_alg, x->signature, x->crl,pkey,md)); } |