Loading CHANGES +6 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,12 @@ Changes between 0.9.8b and 0.9.9 [xx XXX xxxx] Changes between 0.9.8b and 0.9.9 [xx XXX xxxx] *) New function X509_CRL_match() to check if two CRLs are identical. Normally this would be called X509_CRL_cmp() but that name is already used by a function that just compares CRL issuer names. Cache several CRL extensions in X509_CRL structure and cache CRLDP in X509. [Steve Henson] *) Store a "canonical" representation of X509_NAME structure (ASN1 Name) *) Store a "canonical" representation of X509_NAME structure (ASN1 Name) this maps equivalent X509_NAME structures into a consistent structure. this maps equivalent X509_NAME structures into a consistent structure. Name comparison can then be performed rapidly using memcmp(). Name comparison can then be performed rapidly using memcmp(). Loading crypto/asn1/x_crl.c +37 −1 Original line number Original line Diff line number Diff line Loading @@ -60,6 +60,7 @@ #include "cryptlib.h" #include "cryptlib.h" #include <openssl/asn1t.h> #include <openssl/asn1t.h> #include <openssl/x509.h> #include <openssl/x509.h> #include <openssl/x509v3.h> static int X509_REVOKED_cmp(const X509_REVOKED * const *a, static int X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b); const X509_REVOKED * const *b); Loading Loading 
@@ -102,7 +103,42 @@ ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { /* The X509_CRL structure needs a bit of customisation. Cache some extensions * and hash of the whole CRL. */ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509_CRL *crl = (X509_CRL *)*pval; switch(operation) { case ASN1_OP_NEW_POST: crl->idp = NULL; crl->akid = NULL; break; case ASN1_OP_D2I_POST: #ifndef OPENSSL_NO_SHA X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL); #endif crl->idp = X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, NULL, NULL); crl->akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL); break; case ASN1_OP_FREE_POST: if (crl->akid) AUTHORITY_KEYID_free(crl->akid); if (crl->idp) ISSUING_DIST_POINT_free(crl->idp); break; } return 1; } ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = { ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING) ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING) Loading crypto/asn1/x_x509.c +2 −0 Original line number Original line Diff line number Diff line Loading @@ -96,6 +96,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, ret->skid = NULL; ret->skid = NULL; ret->akid = NULL; ret->akid = NULL; ret->aux = NULL; ret->aux = NULL; ret->crldp = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); break; break; Loading 
@@ -109,6 +110,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, X509_CERT_AUX_free(ret->aux); X509_CERT_AUX_free(ret->aux); ASN1_OCTET_STRING_free(ret->skid); ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); policy_cache_free(ret->policy_cache); policy_cache_free(ret->policy_cache); if (ret->name != NULL) OPENSSL_free(ret->name); if (ret->name != NULL) OPENSSL_free(ret->name); Loading crypto/ossl_typ.h +4 −0 Original line number Original line Diff line number Diff line Loading @@ -168,6 +168,10 @@ typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL; typedef struct X509_POLICY_TREE_st X509_POLICY_TREE; typedef struct X509_POLICY_TREE_st X509_POLICY_TREE; typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; typedef struct DIST_POINT_st DIST_POINT; typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ #define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */ #define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */ Loading crypto/x509/x509.h +9 −1 Original line number Original line Diff line number Diff line Loading 
@@ -288,8 +288,9 @@ struct x509_st unsigned long ex_xkusage; unsigned long ex_xkusage; unsigned long ex_nscert; unsigned long ex_nscert; ASN1_OCTET_STRING *skid; ASN1_OCTET_STRING *skid; struct AUTHORITY_KEYID_st *akid; AUTHORITY_KEYID *akid; X509_POLICY_CACHE *policy_cache; X509_POLICY_CACHE *policy_cache; STACK_OF(DIST_POINT) *crldp; #ifndef OPENSSL_NO_SHA #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif #endif Loading Loading @@ -449,6 +450,13 @@ struct X509_crl_st X509_ALGOR *sig_alg; X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; ASN1_BIT_STRING *signature; int references; int references; int flags; /* Copies of various extensions */ AUTHORITY_KEYID *akid; ISSUING_DIST_POINT *idp; #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif } /* X509_CRL */; } /* X509_CRL */; DECLARE_STACK_OF(X509_CRL) DECLARE_STACK_OF(X509_CRL) Loading Loading
CHANGES +6 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,12 @@ Changes between 0.9.8b and 0.9.9 [xx XXX xxxx] Changes between 0.9.8b and 0.9.9 [xx XXX xxxx] *) New function X509_CRL_match() to check if two CRLs are identical. Normally this would be called X509_CRL_cmp() but that name is already used by a function that just compares CRL issuer names. Cache several CRL extensions in X509_CRL structure and cache CRLDP in X509. [Steve Henson] *) Store a "canonical" representation of X509_NAME structure (ASN1 Name) *) Store a "canonical" representation of X509_NAME structure (ASN1 Name) this maps equivalent X509_NAME structures into a consistent structure. this maps equivalent X509_NAME structures into a consistent structure. Name comparison can then be performed rapidly using memcmp(). Name comparison can then be performed rapidly using memcmp(). Loading
crypto/asn1/x_crl.c +37 −1 Original line number Original line Diff line number Diff line Loading @@ -60,6 +60,7 @@ #include "cryptlib.h" #include "cryptlib.h" #include <openssl/asn1t.h> #include <openssl/asn1t.h> #include <openssl/x509.h> #include <openssl/x509.h> #include <openssl/x509v3.h> static int X509_REVOKED_cmp(const X509_REVOKED * const *a, static int X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b); const X509_REVOKED * const *b); Loading Loading @@ -102,7 +103,42 @@ ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { /* The X509_CRL structure needs a bit of customisation. Cache some extensions * and hash of the whole CRL. */ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509_CRL *crl = (X509_CRL *)*pval; switch(operation) { case ASN1_OP_NEW_POST: crl->idp = NULL; crl->akid = NULL; break; case ASN1_OP_D2I_POST: #ifndef OPENSSL_NO_SHA X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL); #endif crl->idp = X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, NULL, NULL); crl->akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL); break; case ASN1_OP_FREE_POST: if (crl->akid) AUTHORITY_KEYID_free(crl->akid); if (crl->idp) ISSUING_DIST_POINT_free(crl->idp); break; } return 1; } ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = { ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING) ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING) Loading
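Review bot: In crl_cb the ASN1_OP_D2I_POST case stores fresh X509_CRL_get_ext_d2i() results into crl->idp and crl->akid without releasing whatever they already hold, so decoding into an existing X509_CRL (a d2i call with a non-NULL *pval reuses the structure, if I read the ASN1 template decoder right) leaks the previously cached extensions; an ASN1_OP_D2I_PRE case that frees both and falls through to the NEW_POST reset closes that. The same case passes NULL as the crit argument, so an IDP or AKID that is present but fails to decode is indistinguishable from one that is absent, and a malformed CRL is silently cached as a CRL with no issuing distribution point; passing an int and testing it (the documented "not found" value is -1) lets the callback either fail the decode, as below, or record the failure in the new flags field. The return value of X509_CRL_digest() is also dropped, leaving sha1_hash all-zero on failure with nothing to tell later readers of the hash, and the `if (crl->akid)` guards around the *_free calls are redundant since those functions accept NULL. The switch also has no default case.
```c
static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
	{
	X509_CRL *crl = (X509_CRL *)*pval;
	int crit;
	switch(operation)
		{
		case ASN1_OP_D2I_PRE:
		/* Reused structure: drop the cached copies before D2I_POST overwrites them. */
		AUTHORITY_KEYID_free(crl->akid);
		ISSUING_DIST_POINT_free(crl->idp);
		/* fall through */
		case ASN1_OP_NEW_POST:
		crl->idp = NULL;
		crl->akid = NULL;
		break;

		case ASN1_OP_D2I_POST:
		/* … unchanged: SHA1 digest of the whole CRL (its return value should be checked) … */
		crl->idp = X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, &crit, NULL);
		if (crl->idp == NULL && crit != -1)
			return 0; /* IDP present but undecodable: fail the decode rather than cache "no IDP" */
		crl->akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, &crit, NULL);
		if (crl->akid == NULL && crit != -1)
			return 0;
		break;

		/* … unchanged: ASN1_OP_FREE_POST … */
		default:
		break;
		}
	return 1;
	}
```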
crypto/asn1/x_x509.c +2 −0 Original line number Original line Diff line number Diff line Loading @@ -96,6 +96,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, ret->skid = NULL; ret->skid = NULL; ret->akid = NULL; ret->akid = NULL; ret->aux = NULL; ret->aux = NULL; ret->crldp = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); break; break; Loading @@ -109,6 +110,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, X509_CERT_AUX_free(ret->aux); X509_CERT_AUX_free(ret->aux); ASN1_OCTET_STRING_free(ret->skid); ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); policy_cache_free(ret->policy_cache); policy_cache_free(ret->policy_cache); if (ret->name != NULL) OPENSSL_free(ret->name); if (ret->name != NULL) OPENSSL_free(ret->name); Loading
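Review bot: The FREE_POST hunk frees ret->crldp unconditionally, but nothing in this commit assigns it after the NEW_POST reset, so whichever code later populates it (presumably the certificate extension cache, outside this diff) becomes responsible for storing only a decoded copy that the X509 owns and for never populating it twice, since a second assignment would leak the first; I would document that ownership at the assignment site, e.g. `/* owned by the X509; released by x509_cb on ASN1_OP_FREE_POST */`. x509_cb begins and ends outside both hunks, so I cannot see whether it has an ASN1_OP_D2I_PRE case that also needs `ret->crldp = NULL;` alongside the existing skid/akid handling. The unconditional `CRL_DIST_POINTS_free(ret->crldp)` matches the neighbouring frees and is fine because the generated *_free functions accept NULL.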
crypto/ossl_typ.h +4 −0 Original line number Original line Diff line number Diff line Loading @@ -168,6 +168,10 @@ typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL; typedef struct X509_POLICY_TREE_st X509_POLICY_TREE; typedef struct X509_POLICY_TREE_st X509_POLICY_TREE; typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; typedef struct DIST_POINT_st DIST_POINT; typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ #define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */ #define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */ Loading
crypto/x509/x509.h +9 −1 Original line number Original line Diff line number Diff line Loading @@ -288,8 +288,9 @@ struct x509_st unsigned long ex_xkusage; unsigned long ex_xkusage; unsigned long ex_nscert; unsigned long ex_nscert; ASN1_OCTET_STRING *skid; ASN1_OCTET_STRING *skid; struct AUTHORITY_KEYID_st *akid; AUTHORITY_KEYID *akid; X509_POLICY_CACHE *policy_cache; X509_POLICY_CACHE *policy_cache; STACK_OF(DIST_POINT) *crldp; #ifndef OPENSSL_NO_SHA #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif #endif Loading Loading @@ -449,6 +450,13 @@ struct X509_crl_st X509_ALGOR *sig_alg; X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; ASN1_BIT_STRING *signature; int references; int references; int flags; /* Copies of various extensions */ AUTHORITY_KEYID *akid; ISSUING_DIST_POINT *idp; #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif } /* X509_CRL */; } /* X509_CRL */; DECLARE_STACK_OF(X509_CRL) DECLARE_STACK_OF(X509_CRL) Loading
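Review bot: The members added to struct X509_crl_st carry only `/* Copies of various extensions */`, and `int flags;` in particular is neither set nor read anywhere in this commit, so its meaning (decode status, the EXFLAG bits used by x509_st's ex_flags, something else) should be stated or the member left out until it is used. I would give each field its own comment: `int flags; /* not set by this commit; intended meaning to be defined */`, `AUTHORITY_KEYID *akid; /* cached copy of the AKID extension, owned by the CRL, freed in crl_cb */`, `ISSUING_DIST_POINT *idp; /* cached copy of the IDP extension, same ownership */`, and a note on sha1_hash that it is only filled in by d2i (crl_cb's D2I_POST), not by X509_CRL_new. The new crldp member of x509_st deserves the same ownership comment. Both structures are public in this header, so inserting members changes their size and the offsets of everything after them for code that embeds or indexes them directly; that is worth a line in CHANGES.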