]> git.saurik.com Git - apple/security.git/blobdiff - OSX/libsecurity_apple_x509_tp/lib/TPDatabase.cpp
projects / apple / security.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security-58286.260.20.tar.gz
[apple/security.git] / OSX / libsecurity_apple_x509_tp / lib / TPDatabase.cpp
diff --git a/OSX/libsecurity_apple_x509_tp/lib/TPDatabase.cpp b/OSX/libsecurity_apple_x509_tp/lib/TPDatabase.cpp
index 5ba632f959498ad730dad61b40b75a9f5b99c4a1..3870a8c86ca2874d93f1a26522b0a76164924543 100644 (file)
--- a/OSX/libsecurity_apple_x509_tp/lib/TPDatabase.cpp
+++ b/OSX/libsecurity_apple_x509_tp/lib/TPDatabase.cpp
@@ -119,7 +119,7 @@ TPCertInfo *tpDbFindIssuerCert(
                dlDb = dbList->DLDBHandle[dbDex];
                cert.Data = NULL;
                cert.Length = 0;
                dlDb = dbList->DLDBHandle[dbDex];
                cert.Data = NULL;
                cert.Length = 0;
-               resultHand = 0;
+               resultHand = CSSM_INVALID_HANDLE;
                record = tpCertLookup(dlDb,
                        subjectItem->issuerName(),
                        &resultHand,
                record = tpCertLookup(dlDb,
                        subjectItem->issuerName(),
                        &resultHand,
@@ -157,7 +157,7 @@ TPCertInfo *tpDbFindIssuerCert(
                         * Handle temporal invalidity - if so and this is the first one
                         * we've seen, hold on to it while we search for better one.
                         */
                         * Handle temporal invalidity - if so and this is the first one
                         * we've seen, hold on to it while we search for better one.
                         */
-                       if((crtn == CSSM_OK) && (expiredIssuer == NULL)) {
+                       if(crtn == CSSM_OK) {
                                if(issuerCert->isExpired() || issuerCert->isNotValidYet()) {
                                        /*
                                         * Exact value not important here, this just uniquely identifies
                                if(issuerCert->isExpired() || issuerCert->isNotValidYet()) {
                                        /*
                                         * Exact value not important here, this just uniquely identifies
@@ -165,6 +165,11 @@ TPCertInfo *tpDbFindIssuerCert(
                                         */
                                        tpDbDebug("tpDbFindIssuerCert: holding expired cert (1)");
                                        crtn = CSSM_CERT_STATUS_EXPIRED;
                                         */
                                        tpDbDebug("tpDbFindIssuerCert: holding expired cert (1)");
                                        crtn = CSSM_CERT_STATUS_EXPIRED;
+                                       /* Delete old stashed expired issuer */
+                                       if (expiredIssuer) {
+                                               expiredIssuer->freeUniqueRecord();
+                                               delete expiredIssuer;
+                                       }
                                        expiredIssuer = issuerCert;
                                        expiredIssuer->dlDbHandle(dlDb);
                                        expiredIssuer->uniqueRecord(record);
                                        expiredIssuer = issuerCert;
                                        expiredIssuer->dlDbHandle(dlDb);
                                        expiredIssuer->uniqueRecord(record);
@@ -174,18 +179,33 @@ TPCertInfo *tpDbFindIssuerCert(
                         * Prefer a root over an intermediate issuer if we can get one
                         * (in case a cross-signed intermediate and root are both available)
                         */
                         * Prefer a root over an intermediate issuer if we can get one
                         * (in case a cross-signed intermediate and root are both available)
                         */
-                       if((crtn == CSSM_OK) && (nonRootIssuer == NULL)) {
-                               if(!issuerCert->isSelfSigned()) {
-                                       /*
-                                        * Exact value not important here, this just uniquely identifies
-                                        * this situation in the switch below.
-                                        */
-                                       tpDbDebug("tpDbFindIssuerCert: holding non-root cert (1)");
-                                       crtn = CSSM_CERT_STATUS_IS_ROOT;
+                       if(crtn == CSSM_OK && !issuerCert->isSelfSigned()) {
+                               /*
+                                * Exact value not important here, this just uniquely identifies
+                                * this situation in the switch below.
+                                */
+                               tpDbDebug("tpDbFindIssuerCert: holding non-root cert (1)");
+                               crtn = CSSM_CERT_STATUS_IS_ROOT;
+                               /*
+                                * If the old intermediate was temporally invalid, replace it.
+                                * (Regardless of temporal validity of new one we found, because
+                                * as far as this code is concerned they're equivalent.)
+                                */
+                               if(!nonRootIssuer ||
+                                  (nonRootIssuer && (nonRootIssuer->isExpired() || nonRootIssuer->isNotValidYet()))) {
+                                       if(nonRootIssuer) {
+                                               nonRootIssuer->freeUniqueRecord();
+                                               delete nonRootIssuer;
+                                       }
                                        nonRootIssuer = issuerCert;
                                        nonRootIssuer->dlDbHandle(dlDb);
                                        nonRootIssuer->uniqueRecord(record);
                                }
                                        nonRootIssuer = issuerCert;
                                        nonRootIssuer->dlDbHandle(dlDb);
                                        nonRootIssuer->uniqueRecord(record);
                                }
+                               else {
+                                       delete issuerCert;
+                                       CSSM_DL_FreeUniqueRecord(dlDb, record);
+                                       issuerCert = NULL;
+                               }
                        }
                        switch(crtn) {
                                case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
                        }
                        switch(crtn) {
                                case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
@@ -248,24 +268,44 @@ TPCertInfo *tpDbFindIssuerCert(
                                                }
 
                                                /* temporal validity check, again */
                                                }
 
                                                /* temporal validity check, again */
-                                               if((crtn == CSSM_OK) && (expiredIssuer == NULL)) {
+                                               if(crtn == CSSM_OK) {
                                                        if(issuerCert->isExpired() || issuerCert->isNotValidYet()) {
                                                                tpDbDebug("tpDbFindIssuerCert: holding expired cert (2)");
                                                                crtn = CSSM_CERT_STATUS_EXPIRED;
                                                        if(issuerCert->isExpired() || issuerCert->isNotValidYet()) {
                                                                tpDbDebug("tpDbFindIssuerCert: holding expired cert (2)");
                                                                crtn = CSSM_CERT_STATUS_EXPIRED;
+                                                               /* Delete old stashed expired issuer */
+                                                               if (expiredIssuer) {
+                                                                       expiredIssuer->freeUniqueRecord();
+                                                                       delete expiredIssuer;
+                                                               }
                                                                expiredIssuer = issuerCert;
                                                                expiredIssuer->dlDbHandle(dlDb);
                                                                expiredIssuer->uniqueRecord(record);
                                                        }
                                                }
                                                /* self-signed check, again */
                                                                expiredIssuer = issuerCert;
                                                                expiredIssuer->dlDbHandle(dlDb);
                                                                expiredIssuer->uniqueRecord(record);
                                                        }
                                                }
                                                /* self-signed check, again */
-                                               if((crtn == CSSM_OK) && (nonRootIssuer == NULL)) {
-                                                       if(!issuerCert->isSelfSigned()) {
-                                                               tpDbDebug("tpDbFindIssuerCert: holding non-root cert (2)");
-                                                               crtn = CSSM_CERT_STATUS_IS_ROOT;
+                                               if(crtn == CSSM_OK && !issuerCert->isSelfSigned()) {
+                                                       tpDbDebug("tpDbFindIssuerCert: holding non-root cert (2)");
+                                                       crtn = CSSM_CERT_STATUS_IS_ROOT;
+                                                       /*
+                                                        * If the old intermediate was temporally invalid, replace it.
+                                                        * (Regardless of temporal validity of new one we found, because
+                                                        * as far as this code is concerned they're equivalent.)
+                                                        */
+                                                       if(!nonRootIssuer ||
+                                                          (nonRootIssuer && (nonRootIssuer->isExpired() || nonRootIssuer->isNotValidYet()))) {
+                                                               if(nonRootIssuer) {
+                                                                       nonRootIssuer->freeUniqueRecord();
+                                                                       delete nonRootIssuer;
+                                                               }
                                                                nonRootIssuer = issuerCert;
                                                                nonRootIssuer->dlDbHandle(dlDb);
                                                                nonRootIssuer->uniqueRecord(record);
                                                        }
                                                                nonRootIssuer = issuerCert;
                                                                nonRootIssuer->dlDbHandle(dlDb);
                                                                nonRootIssuer->uniqueRecord(record);
                                                        }
+                                                       else {
+                                                               delete issuerCert;
+                                                               CSSM_DL_FreeUniqueRecord(dlDb, record);
+                                                               issuerCert = NULL;
+                                                       }
                                                }
 
                                                foundIt = false;
                                                }
 
                                                foundIt = false;
@@ -467,6 +507,7 @@ TPCrlInfo *tpDbFindIssuerCrl(
                dlDb = dbList->DLDBHandle[dbDex];
                crl.Data = NULL;
                crl.Length = 0;
                dlDb = dbList->DLDBHandle[dbDex];
                crl.Data = NULL;
                crl.Length = 0;
+               resultHand = CSSM_INVALID_HANDLE;
                record = tpCrlLookup(dlDb,
                        &issuer,
                        vfyCtx.verifyTime,
                record = tpCrlLookup(dlDb,
                        &issuer,
                        vfyCtx.verifyTime,
mirror of Security