authorDr. Stephen Henson <steve@openssl.org>2015-10-11 21:13:42 +0100
committerDr. Stephen Henson <steve@openssl.org>2015-10-15 15:36:58 +0100
commit34a42e1489bf4f45bfad069eceba56315d4713be (patch)
tree4760645e956a4a508f52e46cfd51286d3038fe3e /crypto
parent81e4943843773a04067703e0dc1668ec5d3b4cf1 (diff)
embed CRL serial number and signature fields
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/include/internal/x509_int.h4
-rw-r--r--crypto/x509/x509_vfy.c2
-rw-r--r--crypto/x509/x509cset.c17
-rw-r--r--crypto/x509/x_all.c4
-rw-r--r--crypto/x509/x_crl.c14
5 files changed, 18 insertions, 23 deletions
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 87bd68d993..5997a21c61 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -121,7 +121,7 @@ struct X509_crl_info_st {
struct X509_crl_st {
X509_CRL_INFO crl; /* signed CRL data */
X509_ALGOR sig_alg; /* CRL signature algorithm */
- ASN1_BIT_STRING *signature; /* CRL signature */
+ ASN1_BIT_STRING signature; /* CRL signature */
int references;
int flags;
/*
@@ -145,7 +145,7 @@ struct X509_crl_st {
};
struct x509_revoked_st {
- ASN1_INTEGER *serialNumber; /* revoked entry serial number */
+ ASN1_INTEGER serialNumber; /* revoked entry serial number */
ASN1_TIME *revocationDate; /* revocation date */
STACK_OF(X509_EXTENSION) *extensions; /* CRL entry extensions: optional */
/* decoded value of CRLissuer extension: set if indirect CRL */
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9cecde75cd..1ae3675e2e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2088,7 +2088,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
* Add only if not also in base. TODO: need something cleverer here
* for some more complex CRLs covering multiple CAs.
*/
- if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
+ if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
rvtmp = X509_REVOKED_dup(rvn);
if (!rvtmp)
goto memerr;
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index a779fd4f48..899d4925ae 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -172,7 +172,7 @@ void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
X509_CRL *crl)
{
if (psig != NULL)
- *psig = crl->signature;
+ *psig = &crl->signature;
if (palg != NULL)
*palg = &crl->sig_alg;
}
@@ -206,7 +206,7 @@ int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x)
{
- return x->serialNumber;
+ return &x->serialNumber;
}
int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
@@ -215,15 +215,10 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
if (x == NULL)
return (0);
- in = x->serialNumber;
- if (in != serial) {
- in = ASN1_INTEGER_dup(serial);
- if (in != NULL) {
- ASN1_INTEGER_free(x->serialNumber);
- x->serialNumber = in;
- }
- }
- return (in != NULL);
+ in = &x->serialNumber;
+ if (in != serial)
+ return ASN1_STRING_copy(in, serial);
+ return 1;
}
STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(X509_REVOKED *r)
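Review bot: The in-place `ASN1_STRING_copy(in, serial)` in X509_REVOKED_set_serialNumber drops the all-or-nothing behaviour of the removed dup-then-swap code, which only freed the old serial once the duplicate had succeeded. ASN1_STRING_copy is not visible in this diff, so this needs confirming, but a copy that fails part-way may leave the embedded serial partly overwritten, and a revoked entry with a damaged serial would no longer match the certificate it was meant to revoke. I would document the new contract above the copy, e.g. `/* copies into embedded storage; on a 0 return the serial is unspecified and x should be discarded */`. The new `return 1;` also sits beside the existing `return (0);`, so one form should be picked. The function's opening lines, including the declaration of `in`, are outside the hunk.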
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 1f844504c7..5c5f573dbb 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -131,14 +131,14 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->crl.enc.modified = 1;
return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, x->signature, &x->crl, pkey, md));
+ &x->sig_alg, &x->signature, &x->crl, pkey, md));
}
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
{
x->crl.enc.modified = 1;
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
- &x->crl.sig_alg, &x->sig_alg, x->signature,
+ &x->crl.sig_alg, &x->sig_alg, &x->signature,
&x->crl, ctx);
}
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index c8889d1c25..79fa5ca34f 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -69,7 +69,7 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
ASN1_SEQUENCE(X509_REVOKED) = {
- ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
+ ASN1_EMBED(X509_REVOKED,serialNumber, ASN1_INTEGER),
ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME),
ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
} ASN1_SEQUENCE_END(X509_REVOKED)
@@ -333,7 +333,7 @@ static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
ASN1_EMBED(X509_CRL, crl, X509_CRL_INFO),
ASN1_EMBED(X509_CRL, sig_alg, X509_ALGOR),
- ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING)
+ ASN1_EMBED(X509_CRL, signature, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL)
IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED)
@@ -349,8 +349,8 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL)
static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
const X509_REVOKED *const *b)
{
- return (ASN1_STRING_cmp((ASN1_STRING *)(*a)->serialNumber,
- (ASN1_STRING *)(*b)->serialNumber));
+ return (ASN1_STRING_cmp((ASN1_STRING *)&(*a)->serialNumber,
+ (ASN1_STRING *)&(*b)->serialNumber));
}
int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
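Review bot: The `(ASN1_STRING *)` casts on the two new lines of X509_REVOKED_cmp discard the `const` that the parameters `a` and `b` carry, and they are not needed. ASN1_INTEGER and ASN1_STRING are the same underlying struct type and ASN1_STRING_cmp takes const pointers, so the address of the embedded field can be passed directly: `return ASN1_STRING_cmp(&(*a)->serialNumber, &(*b)->serialNumber);`. Dropping the casts lets the compiler flag any later change that tries to write through these pointers in a comparison callback.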
@@ -394,7 +394,7 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
{
return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
- &crl->sig_alg, crl->signature, &crl->crl, r));
+ &crl->sig_alg, &crl->signature, &crl->crl, r));
}
static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,
@@ -430,7 +430,7 @@ static int def_crl_lookup(X509_CRL *crl,
{
X509_REVOKED rtmp, *rev;
int idx;
- rtmp.serialNumber = serial;
+ rtmp.serialNumber = *serial;
/*
* Sort revoked into serial number order if not already sorted. Do this
* under a lock to avoid race condition.
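Review bot: `rtmp.serialNumber = *serial;` in def_crl_lookup now dereferences `serial` unconditionally and makes a shallow struct copy, so the stack temporary shares the caller's data buffer. Whether a NULL `serial` can reach this point depends on callers outside the hunk; if it can, a guard before the assignment such as `if (serial == NULL) return 0;` turns a crash in the revocation lookup into a plain "not found". The aliasing is fine while `rtmp` is only a search key, but it should be stated so nobody later frees or cleans up `rtmp`: `/* lookup key only: borrows serial's buffer, rtmp must never be freed */`. The function continues past the end of the hunk.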
@@ -446,7 +446,7 @@ static int def_crl_lookup(X509_CRL *crl,
/* Need to look for matching name */
for (; idx < sk_X509_REVOKED_num(crl->crl.revoked); idx++) {
rev = sk_X509_REVOKED_value(crl->crl.revoked, idx);
- if (ASN1_INTEGER_cmp(rev->serialNumber, serial))
+ if (ASN1_INTEGER_cmp(&rev->serialNumber, serial))
return 0;
if (crl_revoked_issuer_match(crl, issuer, rev)) {
if (ret)