[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Tue Jul 26 15:28:07 UTC 2016
The branch master has been updated
via ba1a1c3783bec68830da3a375b581afc73226ff4 (commit)
via 0946a19886b0e7b8213db6559eb8b8eb63fc1503 (commit)
via 4c4a2f670b84394e4675991d805c97547f1af647 (commit)
via fc9d1ef39c97c06f83fd40a6f94c0af4da3887ea (commit)
from 61d81f0ac91cc0e8612c55f46432839f25a4c71a (commit)
- Log -----------------------------------------------------------------
commit ba1a1c3783bec68830da3a375b581afc73226ff4
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Jul 25 16:57:49 2016 +0100
Deprecate X509_LU_FAIL, X509_LU_RETRY
Instead of X509_LU_FAIL, X509_LU_RETRY use 0/1 for return values.
RT#4577
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 0946a19886b0e7b8213db6559eb8b8eb63fc1503
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Jul 25 16:46:05 2016 +0100
Use X509_LOOKUP_TYPE for lookup type consistently.
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 4c4a2f670b84394e4675991d805c97547f1af647
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Jul 25 14:58:07 2016 +0100
Move X509_LU_RETRY, X509_LU_FAIL
X509_LU_RETRY and X509_LU_FAIL are not X509_OBJECT types so don't include
them in the enum.
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit fc9d1ef39c97c06f83fd40a6f94c0af4da3887ea
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Jul 25 14:05:39 2016 +0100
Remove current_method from X509_STORE_CTX
Remove current_method: it was intended as a means of retrying
lookups bit it was never used. Now that X509_verify_cert() is
a "one shot" operation it can never work as intended.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/include/internal/x509_int.h | 2 --
crypto/x509/by_dir.c | 4 +--
crypto/x509/x509_lcl.h | 15 +++++-----
crypto/x509/x509_lu.c | 56 ++++++++++++++++----------------------
crypto/x509/x509_vfy.c | 1 -
include/openssl/x509_vfy.h | 37 +++++++++++++++----------
6 files changed, 55 insertions(+), 60 deletions(-)
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 545f909..3d0b0bd 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -175,8 +175,6 @@ struct x509_st {
*/
struct x509_store_ctx_st { /* X509_STORE_CTX */
X509_STORE *ctx;
- /* used when looking up certs */
- int current_method;
/* The following are set by the caller */
/* The cert to check */
X509 *cert;
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 5473cb1..f3a1f05 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -48,8 +48,8 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
static int new_dir(X509_LOOKUP *lu);
static void free_dir(X509_LOOKUP *lu);
static int add_cert_dir(BY_DIR *ctx, const char *dir, int type);
-static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
- X509_OBJECT *ret);
+static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
+ X509_NAME *name, X509_OBJECT *ret);
static X509_LOOKUP_METHOD x509_dir_lookup = {
"Load certs from files in a directory",
new_dir, /* new */
diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h
index 2120b7e..0ef5bc3 100644
--- a/crypto/x509/x509_lcl.h
+++ b/crypto/x509/x509_lcl.h
@@ -74,15 +74,16 @@ struct x509_lookup_method_st {
int (*shutdown) (X509_LOOKUP *ctx);
int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
char **ret);
- int (*get_by_subject) (X509_LOOKUP *ctx, int type, X509_NAME *name,
- X509_OBJECT *ret);
- int (*get_by_issuer_serial) (X509_LOOKUP *ctx, int type, X509_NAME *name,
- ASN1_INTEGER *serial, X509_OBJECT *ret);
- int (*get_by_fingerprint) (X509_LOOKUP *ctx, int type,
+ int (*get_by_subject) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ X509_NAME *name, X509_OBJECT *ret);
+ int (*get_by_issuer_serial) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ X509_NAME *name, ASN1_INTEGER *serial,
+ X509_OBJECT *ret);
+ int (*get_by_fingerprint) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
unsigned char *bytes, int len,
X509_OBJECT *ret);
- int (*get_by_alias) (X509_LOOKUP *ctx, int type, char *str, int len,
- X509_OBJECT *ret);
+ int (*get_by_alias) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ char *str, int len, X509_OBJECT *ret);
};
/* This is the functions plus an instance of the local variables. */
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 6f5f269..79c68fe 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -81,38 +81,39 @@ int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
return 1;
}
-int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
- X509_OBJECT *ret)
+int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ X509_NAME *name, X509_OBJECT *ret)
{
if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
- return X509_LU_FAIL;
+ return 0;
if (ctx->skip)
return 0;
return ctx->method->get_by_subject(ctx, type, name, ret);
}
-int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
- ASN1_INTEGER *serial, X509_OBJECT *ret)
+int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ X509_NAME *name, ASN1_INTEGER *serial,
+ X509_OBJECT *ret)
{
if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL))
- return X509_LU_FAIL;
+ return 0;
return ctx->method->get_by_issuer_serial(ctx, type, name, serial, ret);
}
-int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
+int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
unsigned char *bytes, int len,
X509_OBJECT *ret)
{
if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
- return X509_LU_FAIL;
+ return 0;
return ctx->method->get_by_fingerprint(ctx, type, bytes, len, ret);
}
-int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
- X509_OBJECT *ret)
+int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ char *str, int len, X509_OBJECT *ret)
{
if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
- return X509_LU_FAIL;
+ return 0;
return ctx->method->get_by_alias(ctx, type, str, len, ret);
}
@@ -256,7 +257,8 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
}
}
-X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, int type,
+X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
+ X509_LOOKUP_TYPE type,
X509_NAME *name)
{
X509_OBJECT *ret = X509_OBJECT_new();
@@ -283,19 +285,14 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
CRYPTO_THREAD_unlock(ctx->lock);
if (tmp == NULL || type == X509_LU_CRL) {
- for (i = vs->current_method;
- i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
+ for (i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i);
j = X509_LOOKUP_by_subject(lu, type, name, &stmp);
- if (j < 0) {
- vs->current_method = j;
- return j;
- } else if (j) {
+ if (j) {
tmp = &stmp;
break;
}
}
- vs->current_method = 0;
if (tmp == NULL)
return 0;
}
@@ -404,7 +401,7 @@ X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a)
return a->data.crl;
}
-int X509_OBJECT_get_type(const X509_OBJECT *a)
+X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a)
{
return a->type;
}
@@ -417,7 +414,7 @@ X509_OBJECT *X509_OBJECT_new()
X509err(X509_F_X509_OBJECT_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
- ret->type = X509_LU_FAIL;
+ ret->type = X509_LU_NONE;
return ret;
}
@@ -439,7 +436,7 @@ void X509_OBJECT_free(X509_OBJECT *a)
OPENSSL_free(a);
}
-static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
+static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
X509_NAME *name, int *pnmatch)
{
X509_OBJECT stmp;
@@ -478,14 +475,15 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
return idx;
}
-int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
X509_NAME *name)
{
return x509_object_idx_cnt(h, type, name, NULL);
}
X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
- int type, X509_NAME *name)
+ X509_LOOKUP_TYPE type,
+ X509_NAME *name)
{
int idx;
idx = X509_OBJECT_idx_by_subject(h, type, name);
@@ -635,16 +633,8 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
*issuer = NULL;
xn = X509_get_issuer_name(x);
ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj);
- if (ok != X509_LU_X509) {
+ if (ok != 1) {
X509_OBJECT_free(obj);
- if (ok == X509_LU_RETRY) {
- X509err(X509_F_X509_STORE_CTX_GET1_ISSUER, X509_R_SHOULD_RETRY);
- return -1;
- }
- if (ok != X509_LU_FAIL) {
- /* not good :-(, break anyway */
- return -1;
- }
return 0;
}
/* If certificate matches all OK */
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index a290a5e..abe9caa 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2216,7 +2216,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
int ret = 1;
ctx->ctx = store;
- ctx->current_method = 0;
ctx->cert = x509;
ctx->untrusted = chain;
ctx->crls = NULL;
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 5cb2a40..a0f7927 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -45,10 +45,14 @@ certificate chain.
*/
typedef enum {
- X509_LU_RETRY = -1,
- X509_LU_FAIL, X509_LU_X509, X509_LU_CRL
+ X509_LU_NONE = 0,
+ X509_LU_X509, X509_LU_CRL
} X509_LOOKUP_TYPE;
+#if OPENSSL_API_COMPAT < 0x10100000L
+#define X509_LU_RETRY -1
+#define X509_LU_FAIL 0
+#endif
DEFINE_STACK_OF(X509_LOOKUP)
DEFINE_STACK_OF(X509_OBJECT)
@@ -241,16 +245,17 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
| X509_V_FLAG_INHIBIT_ANY \
| X509_V_FLAG_INHIBIT_MAP)
-int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
X509_NAME *name);
X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
- int type, X509_NAME *name);
+ X509_LOOKUP_TYPE type,
+ X509_NAME *name);
X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
X509_OBJECT *x);
int X509_OBJECT_up_ref_count(X509_OBJECT *a);
X509_OBJECT *X509_OBJECT_new(void);
void X509_OBJECT_free(X509_OBJECT *a);
-int X509_OBJECT_get_type(const X509_OBJECT *a);
+X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a);
X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a);
X509_STORE *X509_STORE_new(void);
@@ -360,9 +365,10 @@ X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
-int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
- X509_OBJECT *ret);
-X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, int type,
+int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
+ X509_NAME *name, X509_OBJECT *ret);
+X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
+ X509_LOOKUP_TYPE type,
X509_NAME *name);
int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
@@ -375,15 +381,16 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
void X509_LOOKUP_free(X509_LOOKUP *ctx);
int X509_LOOKUP_init(X509_LOOKUP *ctx);
-int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
- X509_OBJECT *ret);
-int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
- ASN1_INTEGER *serial, X509_OBJECT *ret);
-int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
+int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ X509_NAME *name, X509_OBJECT *ret);
+int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ X509_NAME *name, ASN1_INTEGER *serial,
+ X509_OBJECT *ret);
+int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
unsigned char *bytes, int len,
X509_OBJECT *ret);
-int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
- X509_OBJECT *ret);
+int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ char *str, int len, X509_OBJECT *ret);
int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
int X509_STORE_load_locations(X509_STORE *ctx,
More information about the openssl-commits
mailing list