From 34a42e1489bf4f45bfad069eceba56315d4713be Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Sun, 11 Oct 2015 21:13:42 +0100
Subject: [PATCH] embed CRL serial number and signature fields

Reviewed-by: Rich Salz
---
 crypto/include/internal/x509_int.h | 4 ++--
 crypto/x509/x509_vfy.c | 2 +-
 crypto/x509/x509cset.c | 17 ++++++-----------
 crypto/x509/x_all.c | 4 ++--
 crypto/x509/x_crl.c | 14 +++++++-------
 5 files changed, 18 insertions(+), 23 deletions(-)

diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 87bd68d993..5997a21c61 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -121,7 +121,7 @@ struct X509_crl_info_st {
 struct X509_crl_st {
 X509_CRL_INFO crl; /* signed CRL data */
 X509_ALGOR sig_alg; /* CRL signature algorithm */
- ASN1_BIT_STRING *signature; /* CRL signature */
+ ASN1_BIT_STRING signature; /* CRL signature */
 int references;
 int flags;
 /*
@@ -145,7 +145,7 @@ struct X509_crl_st {
 };
 
 struct x509_revoked_st {
- ASN1_INTEGER *serialNumber; /* revoked entry serial number */
+ ASN1_INTEGER serialNumber; /* revoked entry serial number */
 ASN1_TIME *revocationDate; /* revocation date */
 STACK_OF(X509_EXTENSION) *extensions; /* CRL entry extensions: optional */
 /* decoded value of CRLissuer extension: set if indirect CRL */
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9cecde75cd..1ae3675e2e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2088,7 +2088,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
 * Add only if not also in base. TODO: need something cleverer here
 * for some more complex CRLs covering multiple CAs.
 */
- if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
+ if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
 rvtmp = X509_REVOKED_dup(rvn);
 if (!rvtmp)
 goto memerr;
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index a779fd4f48..899d4925ae 100644
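Review bot: The comments on the two newly embedded fields in x509_int.h (`signature` in the first hunk, `serialNumber` in the second) should say that the value is now part of the struct's own storage, because every accessor that used to hand out a separately allocated object now hands out an interior pointer, and a caller that tested `crl->signature == NULL` or `rev->serialNumber == NULL` as an "unset" check can no longer compile that test. Suggested comments: `ASN1_BIT_STRING signature; /* CRL signature (embedded: part of the X509_CRL) */` and `ASN1_INTEGER serialNumber; /* revoked entry serial number (embedded: part of the X509_REVOKED) */`. A search for remaining NULL tests or explicit frees of these two members outside the five files in this patch would confirm nothing was missed.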
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -172,7 +172,7 @@ void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
 X509_CRL *crl)
 {
 if (psig != NULL)
- *psig = crl->signature;
+ *psig = &crl->signature;
 if (palg != NULL)
 *palg = &crl->sig_alg;
 }
@@ -206,7 +206,7 @@ int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
 
 ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x)
 {
- return x->serialNumber;
+ return &x->serialNumber;
 }
 
 int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
@@ -215,15 +215,10 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
 
 if (x == NULL)
 return (0);
- in = x->serialNumber;
- if (in != serial) {
- in = ASN1_INTEGER_dup(serial);
- if (in != NULL) {
- ASN1_INTEGER_free(x->serialNumber);
- x->serialNumber = in;
- }
- }
- return (in != NULL);
+ in = &x->serialNumber;
+ if (in != serial)
+ return ASN1_STRING_copy(in, serial);
+ return 1;
 }
 
 STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(X509_REVOKED *r)
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 1f844504c7..5c5f573dbb 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -131,14 +131,14 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
 x->crl.enc.modified = 1;
 return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, x->signature, &x->crl, pkey, md));
+ &x->sig_alg, &x->signature, &x->crl, pkey, md));
 }
 
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
 {
 x->crl.enc.modified = 1;
 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
- &x->crl.sig_alg, &x->sig_alg, x->signature,
+ &x->crl.sig_alg, &x->sig_alg, &x->signature,
 &x->crl, ctx);
 }
 
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index c8889d1c25..79fa5ca34f 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
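Review bot: `X509_CRL_get0_signature` now stores the address of an embedded member in `*psig`, and `X509_REVOKED_get0_serialNumber` in the next hunk returns one, so both should document that the result is an interior pointer that is valid only while the owning X509_CRL or X509_REVOKED is alive and must never be handed to `ASN1_STRING_free`; the get0 naming implies this, but the switch from a separately allocated object makes it worth stating. Suggested comment above `X509_CRL_get0_signature`: `/* *psig and *palg point into crl and are owned by it; do not free */`, and above the serial getter: `/* Returns a pointer into x; owned by x, do not free */`. A `const`-qualified out-parameter would additionally tell callers not to write through the result, but that is a header change outside this hunk.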
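Review bot: The new `ASN1_STRING_copy(in, serial)` line in `X509_REVOKED_set_serialNumber` copies into an embedded string, so its safety depends on ASN1_STRING_copy preserving the destination's embed marking; ASN1_STRING_copy is not part of this patch, so confirm it does not overwrite `in->flags` wholesale from `serial`, as a later `X509_REVOKED_free` would otherwise try to release the interior member. It is also worth confirming that a NULL `serial` still yields 0 as the removed `ASN1_INTEGER_dup(NULL)` path did, and that a failed copy leaves `x->serialNumber` usable, since the removed code only replaced the old value after the duplicate succeeded. The `in` local is now just an alias for `&x->serialNumber`; `if (serial != &x->serialNumber) return ASN1_STRING_copy(&x->serialNumber, serial);` reads more directly and lets the `ASN1_INTEGER *in;` declaration, which sits outside this hunk, be dropped.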
@@ -69,7 +69,7 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
 static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
 
 ASN1_SEQUENCE(X509_REVOKED) = {
- ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
+ ASN1_EMBED(X509_REVOKED,serialNumber, ASN1_INTEGER),
 ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME),
 ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
 } ASN1_SEQUENCE_END(X509_REVOKED)
@@ -333,7 +333,7 @@ static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
 ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
 ASN1_EMBED(X509_CRL, crl, X509_CRL_INFO),
 ASN1_EMBED(X509_CRL, sig_alg, X509_ALGOR),
- ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING)
+ ASN1_EMBED(X509_CRL, signature, ASN1_BIT_STRING)
 } ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL)
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED)
@@ -349,8 +349,8 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL)
 static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
 const X509_REVOKED *const *b)
 {
- return (ASN1_STRING_cmp((ASN1_STRING *)(*a)->serialNumber,
- (ASN1_STRING *)(*b)->serialNumber));
+ return (ASN1_STRING_cmp((ASN1_STRING *)&(*a)->serialNumber,
+ (ASN1_STRING *)&(*b)->serialNumber));
 }
 
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
@@ -394,7 +394,7 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
 return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
- &crl->sig_alg, crl->signature, &crl->crl, r));
+ &crl->sig_alg, &crl->signature, &crl->crl, r));
 }
 
 static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,
@@ -430,7 +430,7 @@ static int def_crl_lookup(X509_CRL *crl,
 {
 X509_REVOKED rtmp, *rev;
 int idx;
- rtmp.serialNumber = serial;
+ rtmp.serialNumber = *serial;
 /*
 * Sort revoked into serial number order if not already sorted. Do this
 * under a lock to avoid race condition.
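Review bot: The `(ASN1_STRING *)` casts in `X509_REVOKED_cmp` now strip `const` from members of a `const X509_REVOKED`, which is unnecessary because `ASN1_STRING_cmp` takes const operands; `(const ASN1_STRING *)&(*a)->serialNumber` and the same for `b` keeps the comparator const-correct and lets the compiler catch an accidental write. Keep `ASN1_STRING_cmp` here rather than switching to `ASN1_INTEGER_cmp`: this comparator appears to define the sort order that the lookup in the later `def_crl_lookup` hunks depends on, and the two functions do not order values identically.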
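Review bot: `rtmp.serialNumber = *serial;` in `def_crl_lookup` is a shallow struct copy, so `rtmp.serialNumber.data` aliases `serial->data` for the rest of the function, whose body continues past this hunk. That is fine only as long as `rtmp` is handed to the comparator and nothing else, so the contract deserves a comment on that line: `/* shallow copy for lookup only: rtmp aliases serial's buffer and must never be freed or written */`. The dereference also moves to this line, so a NULL `serial` would now fault at the copy rather than inside the comparison; if any caller of the lookup can pass NULL, a guard before the copy is needed — confirm against the callers of X509_CRL_get0_by_serial.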
@@ -446,7 +446,7 @@ static int def_crl_lookup(X509_CRL *crl,
 /* Need to look for matching name */
 for (; idx < sk_X509_REVOKED_num(crl->crl.revoked); idx++) {
 rev = sk_X509_REVOKED_value(crl->crl.revoked, idx);
- if (ASN1_INTEGER_cmp(rev->serialNumber, serial))
+ if (ASN1_INTEGER_cmp(&rev->serialNumber, serial))
 return 0;
 if (crl_revoked_issuer_match(crl, issuer, rev)) {
 if (ret)
-- 
GitLab