> Please test the 0.9.7-dev snapshots and report any problems that you
> found, even if they have been reported before (it's a good reminder
> for us), or even better, send us patches!

It used to be possible to call X509_STORE_CTX_init() with a NULL
X509_STORE pointer, in order to use the verifier without using the
builtin certificate store. (I am using X509_STORE_CTX_trusted_stack()
instead).

There was a small problem with X509_STORE_CTX_init() that dereferenced
the store pointer without checking it for NULL, and I had patched this.
I started porting forward my old patch, but found a whole bunch of new
stuff that is copied from the X509_STORE structure. The only one that I
have trouble with is get_issuer, which is initialized by default to
X509_STORE_CTX_get1_issuer(), which in turn assumes the existence of a
cert store :-)

I have attached a patch that assumes that I can initialize get_issuer to
get_issuer_sk if the store pointer is NULL...

-- 
Harald Koch <[EMAIL PROTECTED]>

==== //depot/ThirdParty/Distributions/openssl-snapshot/crypto/x509/x509_vfy.c#3 - 
/home/chk/work/openssl-snapshot/crypto/x509/x509_vfy.c ====
@@ -1055,6 +1055,4 @@
        ctx->untrusted=chain;
        ctx->last_untrusted=0;
-       ctx->purpose=store->purpose;
-       ctx->trust=store->trust;
        ctx->check_time=0;
        ctx->flags=0;
@@ -1072,17 +1070,35 @@
         */
 
-       ctx->flags = store->flags;
+       if (store)
+               ctx->purpose=store->purpose;
+       else
+               ctx->purpose=0;
+
+       if (store)
+               ctx->trust=store->trust;
+       else
+               ctx->trust = 0;
+
+       if (store)
+               ctx->flags = store->flags;
+       else
+               ctx->flags = 0;
 
-       if (store->check_issued)
+       if (store && store->check_issued)
                ctx->check_issued = store->check_issued;
        else
                ctx->check_issued = check_issued;
 
-       if (store->get_issuer)
-               ctx->get_issuer = store->get_issuer;
+       if (store)
+               {
+               if (store->get_issuer)
+                       ctx->get_issuer = store->get_issuer;
+               else
+                       ctx->get_issuer = X509_STORE_CTX_get1_issuer;
+               }
        else
-               ctx->get_issuer = X509_STORE_CTX_get1_issuer;
+               ctx->get_issuer = get_issuer_sk;
 
-       if (store->verify_cb)
+       if (store && store->verify_cb)
                ctx->verify_cb = store->verify_cb;
        else
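Review bot: The new NULL-store default at `ctx->get_issuer = get_issuer_sk;` has no comment explaining when it is valid, and the covering mail says a NULL-store caller is expected to supply trust anchors through X509_STORE_CTX_trusted_stack(). Please add a comment at that else branch stating the requirement, so a caller who passes NULL without setting a trusted stack knows why issuer lookup finds nothing. The three consecutive `if (store)` / `else` blocks for purpose, trust and flags can also be folded into one `if (store) { ... } else { ... }`, and the spacing should be made consistent (`ctx->purpose=0;` versus `ctx->trust = 0;`).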
@@ -1094,25 +1110,25 @@
                ctx->verify = internal_verify;
 
-       if (store->check_revocation)
+       if (store && store->check_revocation)
                ctx->check_revocation = store->check_revocation;
        else
                ctx->check_revocation = check_revocation;
 
-       if (store->get_crl)
+       if (store && store->get_crl)
                ctx->get_crl = store->get_crl;
        else
                ctx->get_crl = get_crl;
 
-       if (store->check_crl)
+       if (store && store->check_crl)
                ctx->check_crl = store->check_crl;
        else
                ctx->check_crl = check_crl;
 
-       if (store->cert_crl)
+       if (store && store->cert_crl)
                ctx->cert_crl = store->cert_crl;
        else
                ctx->cert_crl = cert_crl;
 
-       ctx->cleanup = store->cleanup;
+       if (store) ctx->cleanup = store->cleanup;
 
        /* This memset() can't make any sense anyway, so it's removed. As
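Review bot: At `if (store) ctx->cleanup = store->cleanup;` there is no else branch, so with a NULL store ctx->cleanup is never assigned in this function, while every other callback in the hunk gets an explicit default. The context comment just below says a memset() was removed, so the field cannot be assumed to be zero already. Suggest adding `else ctx->cleanup = 0;` and laying the statement out over separate lines like the neighbouring `if (store && store->...)` blocks.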
