From a8ded74b07a6ac09d163286b7b4cf6aa35efa00c Mon Sep 17 00:00:00 2001
From: Markus Friedl <markus@cvs.openbsd.org>
Date: Thu, 8 Apr 2004 08:13:25 +0000
Subject: backout for now

---
 lib/libssl/src/crypto/evp/digest.c    | 15 ++--------
 lib/libssl/src/crypto/x509/x509_txt.c |  8 +----
 lib/libssl/src/crypto/x509/x509_vfy.c | 55 +++++------------------------------
 3 files changed, 11 insertions(+), 67 deletions(-)

(limited to 'lib/libssl')

diff --git a/lib/libssl/src/crypto/evp/digest.c b/lib/libssl/src/crypto/evp/digest.c
index 0623ddf1f05..b22eed44211 100644
--- a/lib/libssl/src/crypto/evp/digest.c
+++ b/lib/libssl/src/crypto/evp/digest.c
@@ -248,7 +248,6 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
 
 int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
 	{
-	unsigned char *tmp_buf;
 	if ((in == NULL) || (in->digest == NULL))
 		{
 		EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
@@ -263,22 +262,15 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
 		}
 #endif
 
-	if (out->digest == in->digest)
-		{
-		tmp_buf = out->md_data;
-	    	EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE);
-		}
-	else tmp_buf = NULL;
 	EVP_MD_CTX_cleanup(out);
 	memcpy(out,in,sizeof *out);
 
 	if (out->digest->ctx_size)
 		{
-		if (tmp_buf) out->md_data = tmp_buf;
-		else out->md_data=OPENSSL_malloc(out->digest->ctx_size);
+		out->md_data=OPENSSL_malloc(out->digest->ctx_size);
 		memcpy(out->md_data,in->md_data,out->digest->ctx_size);
 		}
-
+	
 	if (out->digest->copy)
 		return out->digest->copy(out,in);
 	
@@ -316,8 +308,7 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
 	if (ctx->digest && ctx->digest->cleanup
 	    && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED))
 		ctx->digest->cleanup(ctx);
-	if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
-	    && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE))
+	if (ctx->digest && ctx->digest->ctx_size && ctx->md_data)
 		{
 		OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
 		OPENSSL_free(ctx->md_data);
diff --git a/lib/libssl/src/crypto/x509/x509_txt.c b/lib/libssl/src/crypto/x509/x509_txt.c
index e31ebc6741a..9d09ae17e82 100644
--- a/lib/libssl/src/crypto/x509/x509_txt.c
+++ b/lib/libssl/src/crypto/x509/x509_txt.c
@@ -147,14 +147,8 @@ const char *X509_verify_cert_error_string(long n)
 	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
 		return("unhandled critical extension");
 
-	case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
-		return("key usage does not include CRL signing");
-
-	case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
-		return("unhandled critical CRL extension");
-
 	default:
-		BIO_snprintf(buf,sizeof buf,"error number %ld",n);
+		snprintf(buf,sizeof buf,"error number %ld",n);
 		return(buf);
 		}
 	}
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c
index 2e4d0b823ab..2bb21b443ec 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -383,7 +383,6 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
 	/* Check all untrusted certificates */
 	for (i = 0; i < ctx->last_untrusted; i++)
 		{
-		int ret;
 		x = sk_X509_value(ctx->chain, i);
 		if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
 			&& (x->ex_flags & EXFLAG_CRITICAL))
@@ -394,10 +393,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
 			ok=cb(0,ctx);
 			if (!ok) goto end;
 			}
-		ret = X509_check_purpose(x, ctx->purpose, i);
-		if ((ret == 0)
-			 || ((ctx->flags & X509_V_FLAG_X509_STRICT)
-				&& (ret != 1)))
+		if (!X509_check_purpose(x, ctx->purpose, i))
 			{
 			if (i)
 				ctx->error = X509_V_ERR_INVALID_CA;
@@ -541,14 +537,6 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 
 	if(issuer)
 		{
-		/* Check for cRLSign bit if keyUsage present */
-		if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
-			!(issuer->ex_kusage & KU_CRL_SIGN))
-			{
-			ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
-			ok = ctx->verify_cb(0, ctx);
-			if(!ok) goto err;
-			}
 
 		/* Attempt to get issuer certificate public key */
 		ikey = X509_get_pubkey(issuer);
@@ -623,46 +611,17 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	{
 	int idx, ok;
 	X509_REVOKED rtmp;
-	STACK_OF(X509_EXTENSION) *exts;
-	X509_EXTENSION *ext;
 	/* Look for serial number of certificate in CRL */
 	rtmp.serialNumber = X509_get_serialNumber(x);
 	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
-	/* If found assume revoked: want something cleverer than
+	/* Not found: OK */
+	if(idx == -1) return 1;
+	/* Otherwise revoked: want something cleverer than
 	 * this to handle entry extensions in V2 CRLs.
 	 */
-	if(idx >= 0)
-		{
-		ctx->error = X509_V_ERR_CERT_REVOKED;
-		ok = ctx->verify_cb(0, ctx);
-		if (!ok) return 0;
-		}
-
-	if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
-		return 1;
-
-	/* See if we have any critical CRL extensions: since we
-	 * currently don't handle any CRL extensions the CRL must be
-	 * rejected. 
-	 * This code accesses the X509_CRL structure directly: applications
-	 * shouldn't do this.
-	 */
-
-	exts = crl->crl->extensions;
-
-	for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
-		{
-		ext = sk_X509_EXTENSION_value(exts, idx);
-		if (ext->critical > 0)
-			{
-			ctx->error =
-				X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
-			ok = ctx->verify_cb(0, ctx);
-			if(!ok) return 0;
-			break;
-			}
-		}
-	return 1;
+	ctx->error = X509_V_ERR_CERT_REVOKED;
+	ok = ctx->verify_cb(0, ctx);
+	return ok;
 	}
 
 static int internal_verify(X509_STORE_CTX *ctx)
-- 
cgit v1.2.3