OpenSSL: openssl/ CHANGES openssl/apps/ ca.c openssl/crypto/x509...
user name
2006-07-25 17:39:39
  OpenSSL CVS Repository
  http://cvs.openssl.org/
 
____________________________________________________________
________________

  Server: cvs.openssl.org                  Name:   Dr.
Stephen Henson
  Root:   /v/openssl/cvs                   Email:  steve@openssl.org
  Module: openssl                          Date:  
25-Jul-2006 19:39:38
  Branch: HEAD                             Handle:
2006072518393602

  Modified files:
    openssl                 CHANGES
    openssl/apps            ca.c
    openssl/crypto/x509     x509.h x509_lu.c x509_vfy.c

  Log:
    Support for multiple CRLs with same issuer name in
X509_STORE. Modify
    verify logic to try to use an unexpired CRL if possible.

  Summary:
    Revision    Changes     Path
    1.1344      +4  -0      openssl/CHANGES
    1.155       +16 -3      openssl/apps/ca.c
    1.145       +1  -0      openssl/crypto/x509/x509.h
    1.27        +13 -2      openssl/crypto/x509/x509_lu.c
    1.80        +32 -1      openssl/crypto/x509/x509_vfy.c
 
____________________________________________________________
________________

  patch -p0 <<' .'
  Index: openssl/CHANGES
 
============================================================
================
  $ cvs diff -u -r1.1343 -r1.1344 CHANGES
  --- openssl/CHANGES	24 Jul 2006 12:39:20 -0000	1.1343
  +++ openssl/CHANGES	25 Jul 2006 17:39:36 -0000	1.1344
   -4,6 +4,10 
   
    Changes between 0.9.8b and 0.9.9  [xx XXX xxxx]
   
  +  *) Allow multiple CRLs to exist in an X509_STORE with
matching issuer names.
  +     Modify get_crl() to find a valid (unexpired) CRL if
possible.
  +     [Steve Henson]
  +
     *) New function X509_CRL_match() to check if two CRLs
are identical. Normally
        this would be called X509_CRL_cmp() but that name is
already used by
        a function that just compares CRL issuer names.
Cache several CRL 
   .
  patch -p0 <<' .'
  Index: openssl/apps/ca.c
 
============================================================
================
  $ cvs diff -u -r1.154 -r1.155 ca.c
  --- openssl/apps/ca.c	7 May 2006 17:09:03 -0000	1.154
  +++ openssl/apps/ca.c	25 Jul 2006 17:39:37 -0000	1.155
   -258,6 +258,7 
   	int doupdatedb=0;
   	long crldays=0;
   	long crlhours=0;
  +	long crlsec=0;
   	long errorline= -1;
   	char *configfile=NULL;
   	char *md=NULL;
   -456,6 +457,11 
   			if (--argc < 1) goto bad;
   			crlhours= atol(*(++argv));
   			}
  +		else if (strcmp(*argv,"-crlsec") == 0)
  +			{
  +			if (--argc < 1) goto bad;
  +			crlsec = atol(*(++argv));
  +			}
   		else if (strcmp(*argv,"-infiles") == 0)
   			{
   			argc--;
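Review bot: `crlsec = atol(*(++argv));` accepts negative and non-numeric input silently: `atol` yields 0 for text, and a negative value flows unchecked into `X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60 + crlsec)` in the hunk at 1396, which sets nextUpdate before lastUpdate. The existing `-crldays`/`-crlhours` options parse the same way, so the new option merely inherits the pattern, but it could parse with `strtol` and reject an unconsumed suffix or a value below zero, e.g. `if (*end != '\0' || crlsec < 0) goto bad;` after the call. The option loop and the enclosing main() extend beyond the hunk.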
   -1367,7 +1373,7 
   				goto err;
   				}
   
  -		if (!crldays && !crlhours)
  +		if (!crldays && !crlhours && !crlsec)
   			{
   			if (!NCONF_get_number(conf,section,
   				ENV_DEFAULT_CRL_DAYS, &crldays))
   -1376,7 +1382,7 
   				ENV_DEFAULT_CRL_HOURS, &crlhours))
   				crlhours = 0;
   			}
  -		if ((crldays == 0) && (crlhours == 0))
  +		if ((crldays == 0) && (crlhours == 0)
&& (crlsec == 0))
   			{
   			BIO_printf(bio_err,"cannot lookup how long until
the next CRL is issued\n");
   			goto err;
   -1390,7 +1396,7 
   		if (!tmptm) goto err;
   		X509_gmtime_adj(tmptm,0);
   		X509_CRL_set_lastUpdate(crl, tmptm);	
  -		X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
  +		X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60 +
crlsec);
   		X509_CRL_set_nextUpdate(crl, tmptm);	
   
   		ASN1_TIME_free(tmptm);
   -1455,6 +1461,12 
   		if (crlnumberfile != NULL)	/* we have a CRL number that
need updating */
   			if
(!save_serial(crlnumberfile,"new",crlnumber,NULL
)) goto err;
   
  +		if (crlnumber)
  +			{
  +			BN_free(crlnumber);
  +			crlnumber = NULL;
  +			}
  +
   		if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
   
   		PEM_write_bio_X509_CRL(Sout,crl);
   -1507,6 +1519,7 
   	if (free_key && key)
   		OPENSSL_free(key);
   	BN_free(serial);
  +	BN_free(crlnumber);
   	free_index(db);
   	EVP_PKEY_free(pkey);
   	if (x509) X509_free(x509);
   .
  patch -p0 <<' .'
  Index: openssl/crypto/x509/x509.h
 
============================================================
================
  $ cvs diff -u -r1.144 -r1.145 x509.h
  --- openssl/crypto/x509/x509.h	24 Jul 2006 12:39:22
-0000	1.144
  +++ openssl/crypto/x509/x509.h	25 Jul 2006 17:39:38
-0000	1.145
   -1072,6 +1072,7 
   unsigned long	X509_NAME_hash(X509_NAME *x);
   
   int		X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
  +int		X509_CRL_match(const X509_CRL *a, const X509_CRL
*b);
   #ifndef OPENSSL_NO_FP_API
   int		X509_print_ex_fp(FILE *bp,X509 *x, unsigned long
nmflag, unsigned long cflag);
   int		X509_print_fp(FILE *bp,X509 *x);
   .
  patch -p0 <<' .'
  Index: openssl/crypto/x509/x509_lu.c
 
============================================================
================
  $ cvs diff -u -r1.26 -r1.27 x509_lu.c
  --- openssl/crypto/x509/x509_lu.c	11 May 2005 03:45:35
-0000	1.26
  +++ openssl/crypto/x509/x509_lu.c	25 Jul 2006 17:39:38
-0000	1.27
   -459,13 +459,24 
   	X509_OBJECT *obj;
   	idx = sk_X509_OBJECT_find(h, x);
   	if (idx == -1) return NULL;
  -	if (x->type != X509_LU_X509) return
sk_X509_OBJECT_value(h, idx);
  +	if ((x->type != X509_LU_X509) && (x->type
!= X509_LU_CRL))
  +		return sk_X509_OBJECT_value(h, idx);
   	for (i = idx; i < sk_X509_OBJECT_num(h); i++)
   		{
   		obj = sk_X509_OBJECT_value(h, i);
   		if (x509_object_cmp((const X509_OBJECT **)&obj,
(const X509_OBJECT **)&x))
   			return NULL;
  -		if ((x->type != X509_LU_X509) ||
!X509_cmp(obj->data.x509, x->data.x509))
  +		if (x->type == X509_LU_X509)
  +			{
  +			if (!X509_cmp(obj->data.x509, x->data.x509))
  +				return obj;
  +			}
  +		else if (x->type == X509_LU_CRL)
  +			{
  +			if (!X509_CRL_match(obj->data.crl, x->data.crl))
  +				return obj;
  +			}
  +		else
   			return obj;
   		}
   	return NULL;
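Review bot: The trailing `else return obj;` inside the loop is unreachable: the guard added at the top of the hunk already returns for every type other than X509_LU_X509 and X509_LU_CRL, so within the loop `x->type` can only be one of those two. Either drop the branch or, if it is kept as a defensive default, mark it: `else /* not reached: other types returned above */ return obj;`. A one-line comment above the loop would also help, e.g. `/* Several objects may share a name; walk the adjacent run until the comparator differs */`, since that is the new property this change relies on. The enclosing function starts before the hunk.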
   .
  patch -p0 <<' .'
  Index: openssl/crypto/x509/x509_vfy.c
 
============================================================
================
  $ cvs diff -u -r1.79 -r1.80 x509_vfy.c
  --- openssl/crypto/x509/x509_vfy.c	5 Jun 2005 21:54:48
-0000	1.79
  +++ openssl/crypto/x509/x509_vfy.c	25 Jul 2006 17:39:38
-0000	1.80
   -713,7 +713,38 
   		return 0;
   		}
   
  -	*pcrl = xobj.data.crl;
  +	/* If CRL times not valid look through store */
  +	if (!check_crl_time(ctx, xobj.data.crl, 0))
  +		{
  +		int idx, i;
  +		X509_OBJECT *pobj;
  +		X509_OBJECT_free_contents(&xobj);
  +		idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
  +							X509_LU_CRL, nm);
  +		if (idx == -1)
  +			return 0;
  +		*pcrl = NULL;
  +		for (i = idx; i <
sk_X509_OBJECT_num(ctx->ctx->objs); i++)
  +			{
  +			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
  +			/* Check to see if it is a CRL and issuer matches */
  +			if (pobj->type != X509_LU_CRL)
  +				break;
  +			if (X509_NAME_cmp(nm,
  +					X509_CRL_get_issuer(pobj->data.crl)))
  +				break;
  +			/* Set *pcrl because the CRL will either be valid or
  +			 * a "best fit" CRL.
  +			 */
  +			*pcrl = pobj->data.crl;
  +			if (check_crl_time(ctx, *pcrl, 0))
  +				break;
  +			}
  +		if (*pcrl)
  +			CRYPTO_add(&(*pcrl)->references, 1,
CRYPTO_LOCK_X509);
  +		}
  +	else 
  +		*pcrl = xobj.data.crl;
   	if (crl)
   		X509_CRL_free(crl);
   	return 1;
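Review bot: The new `if (idx == -1) return 0;` leaves the function without reaching `if (crl) X509_CRL_free(crl);` at the bottom of the hunk, so a non-NULL `crl` (assigned earlier in the function, outside this hunk) leaks on that path. The reference taken on the best-fit CRL uses `CRYPTO_LOCK_X509`, whereas X509_CRL's reference count is tied to CRYPTO_LOCK_X509_CRL in x_crl.c, so the increment here and the decrement in X509_CRL_free are not serialised by the same lock; the line should read `CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509_CRL);`. The fallback also walks `ctx->ctx->objs` through X509_OBJECT_idx_by_subject and sk_X509_OBJECT_value without the CRYPTO_LOCK_X509_STORE lock that X509_STORE_get_by_subject holds, so a concurrent X509_STORE_add_crl can resort the stack under the loop (which is also the only way idx can be -1 right after the successful lookup above); holding the store lock across the lookup and loop, and taking the reference before releasing it, closes that window. The enclosing function begins before the hunk.
```c
	/* If CRL times not valid look through store */
	if (!check_crl_time(ctx, xobj.data.crl, 0))
		{
		int idx, i;
		X509_OBJECT *pobj;
		X509_OBJECT_free_contents(&xobj);
		*pcrl = NULL;
		/* Hold the store lock while reading objs: X509_STORE_add_crl
		 * may resort the stack concurrently. */
		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
		idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
							X509_LU_CRL, nm);
		if (idx != -1)
			{
			for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
				{
				/* … unchanged: type/issuer checks, best-fit assignment … */
				}
			}
		/* Take the reference before dropping the store lock */
		if (*pcrl)
			CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509_CRL);
		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
		if (!*pcrl)
			{
			if (crl)
				X509_CRL_free(crl);
			return 0;
			}
		}
	else 
		*pcrl = xobj.data.crl;
```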
   .