I sent this in a while back, but it may have fallen victim to some rt outage. Here it is again - the original source file hasn't changed in the meantime, so I haven't retested.
I modified crypto/x509/x509_lu.c similar to the following, to support live update to the certificate revocation list.
- Enhancement request - all platforms - OpenSSL 0.9.8-beta5
Briefly, X509_STORE_add_crl needs to be able to accept a CRL input when a previous revision of the same CRL is already there. Otherwise, we have to reboot the server (OpenLDAP slapd in my case) to update the CRL. I actually wrote a parallel function X509_STORE_replace_crl, and call it from a replacement for X509_load_crl_file, but for simplicity I propose to just fix X509_STORE_add_crl.
Thanks, Donn Cave, donn@u.washington.edu
------------------------------------------------------
*** x509_lu.c.dist Fri Jun 17 11:20:56 2005 --- x509_lu.c Fri Jun 17 11:22:35 2005
***************
*** 359,364 **** --- 359,365 ---- { X509_OBJECT *obj; int ret=1; + int idx;
if (x == NULL) return 0; obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
***************
*** 374,392 ****
X509_OBJECT_up_ref_count(obj);
! if (X509_OBJECT_retrieve_match(ctx->objs, obj)) ! { ! X509_OBJECT_free_contents(obj); ! OPENSSL_free(obj); ! X509err
(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
! ret=0; ! } ! else sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
! return ret; ! }
void X509_OBJECT_up_ref_count(X509_OBJECT *a) { --- 375,388 ----
X509_OBJECT_up_ref_count(obj);
! idx=sk_X509_OBJECT_find(ctx->objs, obj); ! if (idx >= 0) sk_X509_OBJECT_delete(ctx->objs, idx); ! sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
! return 1; ! }
void X509_OBJECT_up_ref_count(X509_OBJECT *a) {
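Review bot: in the first hunk (359,364) `int ret=1;` is left in place while the second hunk changes the tail of the function to `! return 1;`, so `ret` is no longer read anywhere in X509_STORE_add_crl and will draw an unused-variable warning; either drop `ret` next to the new `+ int idx;` or keep `return ret;` so the variable still has a purpose.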
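Review bot: the second hunk (374,392) leaks the object it replaces. `sk_X509_OBJECT_delete(ctx->objs, idx)` returns the removed X509_OBJECT pointer and the patch discards it, so the previous CRL keeps its reference and its wrapper struct is never released; every CRL reload leaks one entry. Capture and free it, e.g. `X509_OBJECT *old = sk_X509_OBJECT_delete(ctx->objs, idx);` followed by `X509_OBJECT_free_contents(old); OPENSSL_free(old);`. The replacement is also unconditional: whatever `sk_X509_OBJECT_find` matches is overwritten with no comparison of lastUpdate or the CRL number against the incoming CRL, so reloading a stale file silently rolls the store back to an older revocation list, and the old duplicate path (`X509err(..., X509_R_CERT_ALREADY_IN_HASH_TABLE); ret=0;`) that used to surface that case is gone. Compare the two CRLs before the delete and keep the existing one when the new one is not newer, returning an error in that case as the old code did.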