提交
f6e7d014
编写于
18年前
作者:
Dr. Stephen Henson
Support for multiple CRLs with same issuer name in X509_STORE. Modify
verify logic to try to use an unexpired CRL if possible.
上级
edc54021
变更
5
Showing
5 changed file
with
66 addition
and
6 deletion
+66
-6
CHANGES
CHANGES
+4
-0
apps/ca.c
apps/ca.c
+16
-3
crypto/x509/x509.h
crypto/x509/x509.h
+1
-0
crypto/x509/x509_lu.c
crypto/x509/x509_lu.c
+13
-2
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.c
+32
-1
CHANGES
...
...
@@ -4,6 +4,10 @@
Changes between 0.9.8b and 0.9.9 [xx XXX xxxx]
*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
Modify get_crl() to find a valid (unexpired) CRL if possible.
[Steve Henson]
*) New function X509_CRL_match() to check if two CRLs are identical. Normally
this would be called X509_CRL_cmp() but that name is already used by
a function that just compares CRL issuer names. Cache several CRL
...
...
apps/ca.c
...
...
@@ -258,6 +258,7 @@ int MAIN(int argc, char **argv)
int
doupdatedb
=
0
;
long
crldays
=
0
;
long
crlhours
=
0
;
long
crlsec
=
0
;
long
errorline
=
-
1
;
char
*
configfile
=
NULL
;
char
*
md
=
NULL
;
...
...
@@ -456,6 +457,11 @@ EF_ALIGNMENT=0;
if
(
--
argc
<
1
)
goto
bad
;
crlhours
=
atol
(
*
(
++
argv
));
}
else
if
(
strcmp
(
*
argv
,
"-crlsec"
)
==
0
)
{
if
(
--
argc
<
1
)
goto
bad
;
crlsec
=
atol
(
*
(
++
argv
));
}
else
if
(
strcmp
(
*
argv
,
"-infiles"
)
==
0
)
{
argc
--
;
...
...
@@ -1367,7 +1373,7 @@ bad:
goto
err
;
}
if
(
!
crldays
&&
!
crlhours
)
if
(
!
crldays
&&
!
crlhours
&&
!
crlsec
)
{
if
(
!
NCONF_get_number
(
conf
,
section
,
ENV_DEFAULT_CRL_DAYS
,
&
crldays
))
...
...
@@ -1376,7 +1382,7 @@ bad:
ENV_DEFAULT_CRL_HOURS
,
&
crlhours
))
crlhours
=
0
;
}
if
((
crldays
==
0
)
&&
(
crlhours
==
0
))
if
((
crldays
==
0
)
&&
(
crlhours
==
0
)
&&
(
crlsec
==
0
)
)
{
BIO_printf
(
bio_err
,
"cannot lookup how long until the next CRL is issued
\n
"
);
goto
err
;
...
...
@@ -1390,7 +1396,7 @@ bad:
if
(
!
tmptm
)
goto
err
;
X509_gmtime_adj
(
tmptm
,
0
);
X509_CRL_set_lastUpdate
(
crl
,
tmptm
);
X509_gmtime_adj
(
tmptm
,(
crldays
*
24
+
crlhours
)
*
60
*
60
);
X509_gmtime_adj
(
tmptm
,(
crldays
*
24
+
crlhours
)
*
60
*
60
+
crlsec
);
X509_CRL_set_nextUpdate
(
crl
,
tmptm
);
ASN1_TIME_free
(
tmptm
);
...
...
@@ -1455,6 +1461,12 @@ bad:
if
(
crlnumberfile
!=
NULL
)
/* we have a CRL number that need updating */
if
(
!
save_serial
(
crlnumberfile
,
"new"
,
crlnumber
,
NULL
))
goto
err
;
if
(
crlnumber
)
{
BN_free
(
crlnumber
);
crlnumber
=
NULL
;
}
if
(
!
X509_CRL_sign
(
crl
,
pkey
,
dgst
))
goto
err
;
PEM_write_bio_X509_CRL
(
Sout
,
crl
);
...
...
@@ -1507,6 +1519,7 @@ err:
if
(
free_key
&&
key
)
OPENSSL_free
(
key
);
BN_free
(
serial
);
BN_free
(
crlnumber
);
free_index
(
db
);
EVP_PKEY_free
(
pkey
);
if
(
x509
)
X509_free
(
x509
);
...
...
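Review bot: `-crlsec` is parsed with `atol(*(++argv))`, which returns 0 for non-numeric text and accepts negative numbers, and the only later check (`!crldays && !crlhours && !crlsec`) rejects just the all-zero case. A negative value can therefore place nextUpdate at or before lastUpdate in `X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60 + crlsec)`, and large day or hour values can overflow that `long` arithmetic where long is 32 bits. The `-crlhours` branch just above follows the same pattern, so a range check after parsing, e.g. `if (crlsec < 0) goto bad;`, is worth applying to each of these options. MAIN() begins and ends outside these hunks.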
crypto/x509/x509.h
...
...
@@ -1072,6 +1072,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
unsigned
long
X509_NAME_hash
(
X509_NAME
*
x
);
int
X509_CRL_cmp
(
const
X509_CRL
*
a
,
const
X509_CRL
*
b
);
int
X509_CRL_match
(
const
X509_CRL
*
a
,
const
X509_CRL
*
b
);
#ifndef OPENSSL_NO_FP_API
int
X509_print_ex_fp
(
FILE
*
bp
,
X509
*
x
,
unsigned
long
nmflag
,
unsigned
long
cflag
);
int
X509_print_fp
(
FILE
*
bp
,
X509
*
x
);
...
...
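Review bot: The new prototype `X509_CRL_match` sits directly under `X509_CRL_cmp` with an identical signature and no comment, which makes it easy to call the wrong one when CRL identity matters. Per the CHANGES entry in this commit, `X509_CRL_cmp` compares only issuer names while `X509_CRL_match` checks whether two CRLs are identical; a one-line comment on the declaration, such as `/* returns 0 if a and b are the same CRL; X509_CRL_cmp() compares issuer names only */`, would record that. The zero-on-match convention is inferred from the `!X509_CRL_match(...)` call in x509_lu.c and should be confirmed against the implementation.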
crypto/x509/x509_lu.c
...
...
@@ -459,13 +459,24 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
X509_OBJECT
*
obj
;
idx
=
sk_X509_OBJECT_find
(
h
,
x
);
if
(
idx
==
-
1
)
return
NULL
;
if
(
x
->
type
!=
X509_LU_X509
)
return
sk_X509_OBJECT_value
(
h
,
idx
);
if
((
x
->
type
!=
X509_LU_X509
)
&&
(
x
->
type
!=
X509_LU_CRL
))
return
sk_X509_OBJECT_value
(
h
,
idx
);
for
(
i
=
idx
;
i
<
sk_X509_OBJECT_num
(
h
);
i
++
)
{
obj
=
sk_X509_OBJECT_value
(
h
,
i
);
if
(
x509_object_cmp
((
const
X509_OBJECT
**
)
&
obj
,
(
const
X509_OBJECT
**
)
&
x
))
return
NULL
;
if
((
x
->
type
!=
X509_LU_X509
)
||
!
X509_cmp
(
obj
->
data
.
x509
,
x
->
data
.
x509
))
if
(
x
->
type
==
X509_LU_X509
)
{
if
(
!
X509_cmp
(
obj
->
data
.
x509
,
x
->
data
.
x509
))
return
obj
;
}
else
if
(
x
->
type
==
X509_LU_CRL
)
{
if
(
!
X509_CRL_match
(
obj
->
data
.
crl
,
x
->
data
.
crl
))
return
obj
;
}
else
return
obj
;
}
return
NULL
;
...
...
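Review bot: The forward scan from `idx` finds the matching certificate or CRL only if `sk_X509_OBJECT_find` returns the first entry of a run of equal-named objects in a sorted stack, and nothing in the hunk states that assumption. A comment above the loop would record it, e.g. `/* h is sorted; idx is assumed to be the first object with this name, so candidates follow it */`. The trailing `else return obj;` also looks unreachable, because any type other than `X509_LU_X509` or `X509_LU_CRL` already returns before the loop; dropping it would make the two handled cases explicit. X509_OBJECT_retrieve_match() starts above the hunk.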
crypto/x509/x509_vfy.c
...
...
@@ -713,7 +713,38 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
return
0
;
}
*
pcrl
=
xobj
.
data
.
crl
;
/* If CRL times not valid look through store */
if
(
!
check_crl_time
(
ctx
,
xobj
.
data
.
crl
,
0
))
{
int
idx
,
i
;
X509_OBJECT
*
pobj
;
X509_OBJECT_free_contents
(
&
xobj
);
idx
=
X509_OBJECT_idx_by_subject
(
ctx
->
ctx
->
objs
,
X509_LU_CRL
,
nm
);
if
(
idx
==
-
1
)
return
0
;
*
pcrl
=
NULL
;
for
(
i
=
idx
;
i
<
sk_X509_OBJECT_num
(
ctx
->
ctx
->
objs
);
i
++
)
{
pobj
=
sk_X509_OBJECT_value
(
ctx
->
ctx
->
objs
,
i
);
/* Check to see if it is a CRL and issuer matches */
if
(
pobj
->
type
!=
X509_LU_CRL
)
break
;
if
(
X509_NAME_cmp
(
nm
,
X509_CRL_get_issuer
(
pobj
->
data
.
crl
)))
break
;
/* Set *pcrl because the CRL will either be valid or
* a "best fit" CRL.
*/
*
pcrl
=
pobj
->
data
.
crl
;
if
(
check_crl_time
(
ctx
,
*
pcrl
,
0
))
break
;
}
if
(
*
pcrl
)
CRYPTO_add
(
&
(
*
pcrl
)
->
references
,
1
,
CRYPTO_LOCK_X509
);
}
else
*
pcrl
=
xobj
.
data
.
crl
;
if
(
crl
)
X509_CRL_free
(
crl
);
return
1
;
...
...
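Review bot: The new `if (idx == -1) return 0;` leaves get_crl() without reaching the `if (crl) X509_CRL_free(crl);` at the end of the hunk, so if `crl` can be non-NULL at that point (it is assigned above the hunk) it is leaked on this path. Freeing it there, `if (idx == -1) { if (crl) X509_CRL_free(crl); return 0; }`, keeps the exits consistent. The loop also walks `ctx->ctx->objs` and takes its reference with `CRYPTO_add` only after the scan; no store lock is visible in the hunk, so it is worth confirming that another thread cannot add to or re-sort the store meanwhile. The "best fit" comment should also say that the CRL handed back may still fail the time check, so a return of 1 does not mean the CRL is current.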