diff options
author | Markus Friedl <markus@cvs.openbsd.org> | 2004-04-08 08:13:25 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2004-04-08 08:13:25 +0000 |
commit | a8ded74b07a6ac09d163286b7b4cf6aa35efa00c (patch) | |
tree | 0f8c708eea2ff880861c53a789b21637e475ad07 /lib | |
parent | 39742baebd0068e2a7d7a0d76c0fec797b61e8a6 (diff) |
backout for now
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/src/crypto/evp/digest.c | 15 | ||||
-rw-r--r-- | lib/libssl/src/crypto/x509/x509_txt.c | 8 | ||||
-rw-r--r-- | lib/libssl/src/crypto/x509/x509_vfy.c | 55 |
3 files changed, 11 insertions, 67 deletions
diff --git a/lib/libssl/src/crypto/evp/digest.c b/lib/libssl/src/crypto/evp/digest.c index 0623ddf1f05..b22eed44211 100644 --- a/lib/libssl/src/crypto/evp/digest.c +++ b/lib/libssl/src/crypto/evp/digest.c @@ -248,7 +248,6 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { - unsigned char *tmp_buf; if ((in == NULL) || (in->digest == NULL)) { EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED); @@ -263,22 +262,15 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) } #endif - if (out->digest == in->digest) - { - tmp_buf = out->md_data; - EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE); - } - else tmp_buf = NULL; EVP_MD_CTX_cleanup(out); memcpy(out,in,sizeof *out); if (out->digest->ctx_size) { - if (tmp_buf) out->md_data = tmp_buf; - else out->md_data=OPENSSL_malloc(out->digest->ctx_size); + out->md_data=OPENSSL_malloc(out->digest->ctx_size); memcpy(out->md_data,in->md_data,out->digest->ctx_size); } - + if (out->digest->copy) return out->digest->copy(out,in); @@ -316,8 +308,7 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) if (ctx->digest && ctx->digest->cleanup && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED)) ctx->digest->cleanup(ctx); - if (ctx->digest && ctx->digest->ctx_size && ctx->md_data - && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) + if (ctx->digest && ctx->digest->ctx_size && ctx->md_data) { OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); diff --git a/lib/libssl/src/crypto/x509/x509_txt.c b/lib/libssl/src/crypto/x509/x509_txt.c index e31ebc6741a..9d09ae17e82 100644 --- a/lib/libssl/src/crypto/x509/x509_txt.c +++ b/lib/libssl/src/crypto/x509/x509_txt.c @@ -147,14 +147,8 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); - case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: - return("key usage does not include CRL signing"); - - case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: - return("unhandled critical CRL extension"); - default: - BIO_snprintf(buf,sizeof buf,"error number %ld",n); + snprintf(buf,sizeof buf,"error number %ld",n); return(buf); } } diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c index 2e4d0b823ab..2bb21b443ec 100644 --- a/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/lib/libssl/src/crypto/x509/x509_vfy.c @@ -383,7 +383,6 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) /* Check all untrusted certificates */ for (i = 0; i < ctx->last_untrusted; i++) { - int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) @@ -394,10 +393,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - ret = X509_check_purpose(x, ctx->purpose, i); - if ((ret == 0) - || ((ctx->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) + if (!X509_check_purpose(x, ctx->purpose, i)) { if (i) ctx->error = X509_V_ERR_INVALID_CA; @@ -541,14 +537,6 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) if(issuer) { - /* Check for cRLSign bit if keyUsage present */ - if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) - { - ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; - ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; - } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); @@ -623,46 +611,17 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int idx, ok; X509_REVOKED rtmp; - STACK_OF(X509_EXTENSION) *exts; - X509_EXTENSION *ext; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); - /* If found assume revoked: want something cleverer than + /* Not found: OK */ + if(idx == -1) return 1; + /* Otherwise revoked: want something cleverer than * this to handle entry extensions in V2 CRLs. */ - if(idx >= 0) - { - ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - if (!ok) return 0; - } - - if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) - return 1; - - /* See if we have any critical CRL extensions: since we - * currently don't handle any CRL extensions the CRL must be - * rejected. - * This code accesses the X509_CRL structure directly: applications - * shouldn't do this. - */ - - exts = crl->crl->extensions; - - for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) - { - ext = sk_X509_EXTENSION_value(exts, idx); - if (ext->critical > 0) - { - ctx->error = - X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; - ok = ctx->verify_cb(0, ctx); - if(!ok) return 0; - break; - } - } - return 1; + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + return ok; } static int internal_verify(X509_STORE_CTX *ctx) |