Fixes for new CRL/cert callbacks. Update CRL processing code to use new

callbacks.

crypto/x509/x509_lu.c

@@ -452,9 +452,9 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
 		for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++)
 			{
 			tobj = sk_X509_OBJECT_value(h, tidx);
-			if (!x509_object_cmp(&tobj, &pstmp))
+			if (x509_object_cmp(&tobj, &pstmp))
 				break;
-			*pnmatch++;
+			(*pnmatch)++;
 			}
 		}
 	return idx;
@@ -476,7 +476,7 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 	return sk_X509_OBJECT_value(h, idx);
 }
 
-STACK_OF(X509)* X509_STORE_get_certs(X509_STORE *st, X509_NAME *nm)
+STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
 	{
 	int i, idx, cnt;
 	STACK_OF(X509) *sk;
@@ -484,16 +484,32 @@ STACK_OF(X509)* X509_STORE_get_certs(X509_STORE *st, X509_NAME *nm)
 	X509_OBJECT *obj;
 	sk = sk_X509_new_null();
 	CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
-	idx = x509_object_idx_cnt(st->objs, X509_LU_X509, nm, &cnt);
+	idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
 	if (idx < 0)
 		{
+		/* Nothing found in cache: do lookup to possibly add new
+		 * objects to cache
+		 */
+		X509_OBJECT xobj;
 		CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
-		sk_X509_free(sk);
-		return NULL;
+		if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))
+			{
+			sk_X509_free(sk);
+			return NULL;
+			}
+		X509_OBJECT_free_contents(&xobj);
+		CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
+		idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
+		if (idx < 0)
+			{
+			CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
+			sk_X509_free(sk);
+			return NULL;
+			}
 		}
 	for (i = 0; i < cnt; i++, idx++)
 		{
-		obj = sk_X509_OBJECT_value(st->objs, i);
+		obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
 		x = obj->data.x509;
 		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
 		if (!sk_X509_push(sk, x))
@@ -509,7 +525,7 @@ STACK_OF(X509)* X509_STORE_get_certs(X509_STORE *st, X509_NAME *nm)
 
 	}
 
-STACK_OF(X509_CRL)* X509_STORE_get_crls(X509_STORE *st, X509_NAME *nm)
+STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
 	{
 	int i, idx, cnt;
 	STACK_OF(X509_CRL) *sk;
@@ -517,16 +533,33 @@ STACK_OF(X509_CRL)* X509_STORE_get_crls(X509_STORE *st, X509_NAME *nm)
 	X509_OBJECT *obj;
 	sk = sk_X509_CRL_new_null();
 	CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
-	idx = x509_object_idx_cnt(st->objs, X509_LU_CRL, nm, &cnt);
+	/* Check cache first */
+	idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
 	if (idx < 0)
 		{
+		/* Nothing found in cache: do lookup to possibly add new
+		 * objects to cache
+		 */
+		X509_OBJECT xobj;
 		CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
-		sk_X509_CRL_free(sk);
-		return NULL;
+		if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))
+			{
+			sk_X509_CRL_free(sk);
+			return NULL;
+			}
+		X509_OBJECT_free_contents(&xobj);
+		CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
+		idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
+		if (idx < 0)
+			{
+			CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
+			sk_X509_CRL_free(sk);
+			return NULL;
+			}
 		}
 	for (i = 0; i < cnt; i++, idx++)
 		{
-		obj = sk_X509_OBJECT_value(st->objs, i);
+		obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
 		x = obj->data.crl;
 		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
 		if (!sk_X509_CRL_push(sk, x))

crypto/x509/x509_vfy.c

@@ -79,8 +79,6 @@ static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
-static STACK_OF(X509) * lookup_certs(X509_STORE_CTX *ctx, X509_NAME *nm);
-static STACK_OF(X509_CRL) * lookup_crls(X509_STORE_CTX *ctx, X509_NAME *nm);
 const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
 
 
@@ -666,7 +664,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
 	for (i = 0; i < sk_X509_CRL_num(crls); i++)
 		{
 		crl = sk_X509_CRL_value(crls, i);
-		if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
+		if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
 			continue;
 		if (check_crl_time(ctx, crl, 0))
 			{
@@ -692,7 +690,7 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
 	{
 	int ok;
 	X509_CRL *crl = NULL;
-	X509_OBJECT xobj;
+	STACK_OF(X509_CRL) *skcrl;
 	X509_NAME *nm;
 	nm = X509_get_issuer_name(x);
 	ok = get_crl_sk(ctx, &crl, nm, ctx->crls);
@@ -702,11 +700,13 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
 		return 1;
 		}
 
-	ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj);
+	/* Lookup CRLs from store */
 
-	if (!ok)
+	skcrl = ctx->lookup_crls(ctx, nm);
+
+	/* If no CRLs found and a near match from get_crl_sk use that */
+	if (!skcrl)
 		{
-		/* If we got a near match from get_crl_sk use that */
 		if (crl)
 			{
 			*pcrl = crl;
@@ -715,41 +715,18 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
 		return 0;
 		}
 
-	/* If CRL times not valid look through store */
-	if (!check_crl_time(ctx, xobj.data.crl, 0))
+	get_crl_sk(ctx, &crl, NULL, skcrl);
+
+	sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
+
+	/* If we got any kind of CRL use it and return success */
+	if (crl)
 		{
-		int idx, i;
-		X509_OBJECT *pobj;
-		X509_OBJECT_free_contents(&xobj);
-		idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
-							X509_LU_CRL, nm);
-		if (idx == -1)
-			return 0;
-		*pcrl = NULL;
-		for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
-			{
-			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
-			/* Check to see if it is a CRL and issuer matches */
-			if (pobj->type != X509_LU_CRL)
-				break;
-			if (X509_NAME_cmp(nm,
-					X509_CRL_get_issuer(pobj->data.crl)))
-				break;
-			/* Set *pcrl because the CRL will either be valid or
-			 * a "best fit" CRL.
-			 */
-			*pcrl = pobj->data.crl;
-			if (check_crl_time(ctx, *pcrl, 0))
-				break;
-			}
-		if (*pcrl)
-			CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);
+		*pcrl = crl;
+		return 1;
 		}
-	else 
-		*pcrl = xobj.data.crl;
-	if (crl)
-		X509_CRL_free(crl);
-	return 1;
+
+	return 0;
 	}
 
 /* Check CRL validity */
@@ -876,16 +853,6 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	return 1;
 	}
 
-static STACK_OF(X509) * lookup_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
-	{
-	return X509_STORE_get_certs(ctx->ctx, nm);
-	}
-
-static STACK_OF(X509_CRL) * lookup_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
-	{
-	return X509_STORE_get_crls(ctx->ctx, nm);
-	}
-
 static int check_policy(X509_STORE_CTX *ctx)
 	{
 	int ret;
@@ -1476,12 +1443,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	if (store && store->lookup_certs)
 		ctx->lookup_certs = store->lookup_certs;
 	else
-		ctx->lookup_certs = lookup_certs;
+		ctx->lookup_certs = X509_STORE_get1_certs;
 
 	if (store && store->lookup_crls)
 		ctx->lookup_crls = store->lookup_crls;
 	else
-		ctx->lookup_crls = lookup_crls;
+		ctx->lookup_crls = X509_STORE_get1_crls;
 
 	ctx->check_policy = check_policy;
 

crypto/x509/x509_vfy.h

@@ -387,8 +387,8 @@ void X509_OBJECT_free_contents(X509_OBJECT *a);
 X509_STORE *X509_STORE_new(void );
 void X509_STORE_free(X509_STORE *v);
 
-STACK_OF(X509)* X509_STORE_get_certs(X509_STORE *st, X509_NAME *nm);
-STACK_OF(X509_CRL)* X509_STORE_get_crls(X509_STORE *st, X509_NAME *nm);
+STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm);
+STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm);
 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
 int X509_STORE_set_trust(X509_STORE *ctx, int trust);