diff options
| author | Gary Ching-Pang Lin <glin@suse.com> | 2015-07-28 11:46:38 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2015-07-28 11:46:38 -0400 |
| commit | 5ce38c90cf43ee79cd999716ea83a5a44eeb819e (patch) | |
| tree | 2fb3d9dd667c772fae5f87fa61e1501cf12da0ce /Cryptlib/OpenSSL/crypto/ocsp | |
| parent | 69ba24ff72921ecabbb47178de40dc5a79350040 (diff) | |
| download | efi-boot-shim-5ce38c90cf43ee79cd999716ea83a5a44eeb819e.tar.gz efi-boot-shim-5ce38c90cf43ee79cd999716ea83a5a44eeb819e.zip | |
Update openssl to 1.0.2d
Also update Cryptlib to edk2 r17731
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/ocsp')
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c | 2 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c | 3 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c | 63 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c | 179 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c | 8 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c | 18 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c | 31 |
7 files changed, 198 insertions, 106 deletions
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c index bbb1830b..b3612c8d 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c @@ -162,8 +162,6 @@ int OCSP_request_sign(OCSP_REQUEST *req, if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err; - if (!dgst) - dgst = EVP_sha1(); if (key) { if (!X509_check_private_key(signer, key)) { OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c index 0bbf71f7..722043c0 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c @@ -1,6 +1,6 @@ /* crypto/ocsp/ocsp_err.c */ /* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -86,6 +86,7 @@ static ERR_STRING_DATA OCSP_str_functs[] = { {ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"}, {ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"}, {ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"}, + {ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"}, {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"}, {ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"}, {0, NULL} diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c index e341caea..c19648c7 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c @@ -287,7 +287,7 @@ int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc) } /* also CRL Entry Extensions */ - +#if 0 ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, void *data, STACK_OF(ASN1_OBJECT) *sk) { @@ -329,6 +329,7 @@ ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, OPENSSL_free(b); return NULL; } +#endif /* Nonce handling functions */ @@ -360,8 +361,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); if (val) memcpy(tmpval, val, len); - else - RAND_pseudo_bytes(tmpval, len); + else if (RAND_pseudo_bytes(tmpval, len) < 0) + goto err; if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) goto err; @@ -476,21 +477,11 @@ X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim) if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) goto err; } - if (!(x = X509_EXTENSION_new())) - goto err; - if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) - goto err; - if (!(ASN1_STRING_encode_of(OCSP_CRLID, x->value, i2d_OCSP_CRLID, cid, - NULL))) - goto err; - OCSP_CRLID_free(cid); - return x; + x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid); err: - if (x) - X509_EXTENSION_free(x); if (cid) OCSP_CRLID_free(cid); - return NULL; + return x; } /* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */ @@ -508,21 +499,11 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids) sk_ASN1_OBJECT_push(sk, o); oids++; } - if (!(x = X509_EXTENSION_new())) - goto err; - if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses))) - goto err; - if (!(ASN1_STRING_encode_of(ASN1_OBJECT, x->value, i2d_ASN1_OBJECT, NULL, - sk))) - goto err; - sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); - return x; + x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk); err: - if (x) - X509_EXTENSION_free(x); if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); - return NULL; + return x; } /* ArchiveCutoff ::= GeneralizedTime */ @@ -535,21 +516,11 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim) goto err; if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err; - if (!(x = X509_EXTENSION_new())) - goto err; - if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff))) - goto err; - if (!(ASN1_STRING_encode_of(ASN1_GENERALIZEDTIME, x->value, - i2d_ASN1_GENERALIZEDTIME, gt, NULL))) - goto err; - ASN1_GENERALIZEDTIME_free(gt); - return x; + x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt); err: if (gt) ASN1_GENERALIZEDTIME_free(gt); - if (x) - X509_EXTENSION_free(x); - return NULL; + return x; } /* @@ -587,19 +558,9 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, char **urls) goto err; urls++; } - if (!(x = X509_EXTENSION_new())) - goto err; - if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator))) - goto err; - if (!(ASN1_STRING_encode_of(OCSP_SERVICELOC, x->value, - i2d_OCSP_SERVICELOC, sloc, NULL))) - goto err; - OCSP_SERVICELOC_free(sloc); - return x; + x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc); err: - if (x) - X509_EXTENSION_free(x); if (sloc) OCSP_SERVICELOC_free(sloc); - return NULL; + return x; } diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c index 67546428..88b26b38 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c @@ -81,9 +81,10 @@ struct ocsp_req_ctx_st { BIO *io; /* BIO to perform I/O with */ BIO *mem; /* Memory BIO response is built into */ unsigned long asn1_len; /* ASN1 length of response */ + unsigned long max_resp_len; /* Maximum length of response */ }; -#define OCSP_MAX_REQUEST_LENGTH (100 * 1024) +#define OCSP_MAX_RESP_LENGTH (100 * 1024) #define OCSP_MAX_LINE_LEN 4096; /* OCSP states */ @@ -100,15 +101,42 @@ struct ocsp_req_ctx_st { #define OHS_ASN1_HEADER 3 /* OCSP content octets being read */ #define OHS_ASN1_CONTENT 4 +/* First call: ready to start I/O */ +#define OHS_ASN1_WRITE_INIT (5 | OHS_NOREAD) /* Request being sent */ #define OHS_ASN1_WRITE (6 | OHS_NOREAD) /* Request being flushed */ #define OHS_ASN1_FLUSH (7 | OHS_NOREAD) /* Completed */ #define OHS_DONE (8 | OHS_NOREAD) +/* Headers set, no final \r\n included */ +#define OHS_HTTP_HEADER (9 | OHS_NOREAD) static int parse_http_line1(char *line); +OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline) +{ + OCSP_REQ_CTX *rctx; + rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX)); + if (!rctx) + return NULL; + rctx->state = OHS_ERROR; + rctx->max_resp_len = OCSP_MAX_RESP_LENGTH; + rctx->mem = BIO_new(BIO_s_mem()); + rctx->io = io; + rctx->asn1_len = 0; + if (maxline > 0) + rctx->iobuflen = maxline; + else + rctx->iobuflen = OCSP_MAX_LINE_LEN; + rctx->iobuf = OPENSSL_malloc(rctx->iobuflen); + if (!rctx->iobuf || !rctx->mem) { + OCSP_REQ_CTX_free(rctx); + return NULL; + } + return rctx; +} + void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) { if (rctx->mem) @@ -118,39 +146,110 @@ void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) OPENSSL_free(rctx); } -OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, - int maxline) +BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx) { - static char post_hdr[] = "POST %s HTTP/1.0\r\n" + return rctx->mem; +} + +void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len) +{ + if (len == 0) + rctx->max_resp_len = OCSP_MAX_RESP_LENGTH; + else + rctx->max_resp_len = len; +} + +int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, ASN1_VALUE *val) +{ + static const char req_hdr[] = "Content-Type: application/ocsp-request\r\n" "Content-Length: %d\r\n\r\n"; + int reqlen = ASN1_item_i2d(val, NULL, it); + if (BIO_printf(rctx->mem, req_hdr, reqlen) <= 0) + return 0; + if (ASN1_item_i2d_bio(it, rctx->mem, val) <= 0) + return 0; + rctx->state = OHS_ASN1_WRITE_INIT; + return 1; +} - OCSP_REQ_CTX *rctx; - rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX)); - rctx->state = OHS_FIRSTLINE; - rctx->mem = BIO_new(BIO_s_mem()); - rctx->io = io; - if (maxline > 0) - rctx->iobuflen = maxline; - else - rctx->iobuflen = OCSP_MAX_LINE_LEN; - rctx->iobuf = OPENSSL_malloc(rctx->iobuflen); - if (!path) - path = "/"; +int OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx, + ASN1_VALUE **pval, const ASN1_ITEM *it) +{ + int rv, len; + const unsigned char *p; + + rv = OCSP_REQ_CTX_nbio(rctx); + if (rv != 1) + return rv; - if (BIO_printf(rctx->mem, post_hdr, path, - i2d_OCSP_REQUEST(req, NULL)) <= 0) { + len = BIO_get_mem_data(rctx->mem, &p); + *pval = ASN1_item_d2i(NULL, &p, len, it); + if (*pval == NULL) { rctx->state = OHS_ERROR; return 0; } - if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0) { - rctx->state = OHS_ERROR; + return 1; +} + +int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op, const char *path) +{ + static const char http_hdr[] = "%s %s HTTP/1.0\r\n"; + + if (!path) + path = "/"; + + if (BIO_printf(rctx->mem, http_hdr, op, path) <= 0) + return 0; + rctx->state = OHS_HTTP_HEADER; + return 1; +} + +int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req) +{ + return OCSP_REQ_CTX_i2d(rctx, ASN1_ITEM_rptr(OCSP_REQUEST), + (ASN1_VALUE *)req); +} + +int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, + const char *name, const char *value) +{ + if (!name) return 0; + if (BIO_puts(rctx->mem, name) <= 0) + return 0; + if (value) { + if (BIO_write(rctx->mem, ": ", 2) != 2) + return 0; + if (BIO_puts(rctx->mem, value) <= 0) + return 0; } - rctx->state = OHS_ASN1_WRITE; - rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL); + if (BIO_write(rctx->mem, "\r\n", 2) != 2) + return 0; + rctx->state = OHS_HTTP_HEADER; + return 1; +} + +OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, + int maxline) +{ + + OCSP_REQ_CTX *rctx = NULL; + rctx = OCSP_REQ_CTX_new(io, maxline); + if (!rctx) + return NULL; + + if (!OCSP_REQ_CTX_http(rctx, "POST", path)) + goto err; + + if (req && !OCSP_REQ_CTX_set1_req(rctx, req)) + goto err; return rctx; + + err: + OCSP_REQ_CTX_free(rctx); + return NULL; } /* @@ -224,7 +323,7 @@ static int parse_http_line1(char *line) } -int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) +int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx) { int i, n; const unsigned char *p; @@ -245,6 +344,17 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) } switch (rctx->state) { + case OHS_HTTP_HEADER: + /* Last operation was adding headers: need a final \r\n */ + if (BIO_write(rctx->mem, "\r\n", 2) != 2) { + rctx->state = OHS_ERROR; + return 0; + } + rctx->state = OHS_ASN1_WRITE_INIT; + + case OHS_ASN1_WRITE_INIT: + rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL); + rctx->state = OHS_ASN1_WRITE; case OHS_ASN1_WRITE: n = BIO_get_mem_data(rctx->mem, &p); @@ -380,7 +490,7 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) rctx->asn1_len |= *p++; } - if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) { + if (rctx->asn1_len > rctx->max_resp_len) { rctx->state = OHS_ERROR; return 0; } @@ -394,18 +504,12 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) /* Fall thru */ case OHS_ASN1_CONTENT: - n = BIO_get_mem_data(rctx->mem, &p); + n = BIO_get_mem_data(rctx->mem, NULL); if (n < (int)rctx->asn1_len) goto next_io; - *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len); - if (*presp) { - rctx->state = OHS_DONE; - return 1; - } - - rctx->state = OHS_ERROR; - return 0; + rctx->state = OHS_DONE; + return 1; break; @@ -418,9 +522,16 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) } +int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) +{ + return OCSP_REQ_CTX_nbio_d2i(rctx, + (ASN1_VALUE **)presp, + ASN1_ITEM_rptr(OCSP_RESPONSE)); +} + /* Blocking OCSP request handler: now a special case of non-blocking I/O */ -OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) +OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req) { OCSP_RESPONSE *resp = NULL; OCSP_REQ_CTX *ctx; diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c index a6686e5f..442a5b63 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c @@ -72,6 +72,7 @@ #include <openssl/pem.h> #include <openssl/x509v3.h> #include <openssl/ocsp.h> +#include <openssl/asn1t.h> /* Convert a certificate and its issuer to an OCSP_CERTID */ @@ -128,7 +129,8 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, goto err; /* Calculate the issuerKey hash, excluding tag and length */ - EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL); + if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL)) + goto err; if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err; @@ -173,7 +175,7 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) * whether it is SSL. */ -int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, +int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, int *pssl) { char *p, *buf; @@ -284,3 +286,5 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, return 0; } + +IMPLEMENT_ASN1_DUP_FUNCTION(OCSP_CERTID) diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c index f6181771..1834256a 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c @@ -87,21 +87,21 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent) typedef struct { long t; - char *m; + const char *m; } OCSP_TBLSTR; -static char *table2string(long s, OCSP_TBLSTR *ts, int len) +static const char *table2string(long s, const OCSP_TBLSTR *ts, int len) { - OCSP_TBLSTR *p; + const OCSP_TBLSTR *p; for (p = ts; p < ts + len; p++) if (p->t == s) return p->m; return "(UNKNOWN)"; } -char *OCSP_response_status_str(long s) +const char *OCSP_response_status_str(long s) { - static OCSP_TBLSTR rstat_tbl[] = { + static const OCSP_TBLSTR rstat_tbl[] = { {OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful"}, {OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest"}, {OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror"}, @@ -112,9 +112,9 @@ char *OCSP_response_status_str(long s) return table2string(s, rstat_tbl, 6); } -char *OCSP_cert_status_str(long s) +const char *OCSP_cert_status_str(long s) { - static OCSP_TBLSTR cstat_tbl[] = { + static const OCSP_TBLSTR cstat_tbl[] = { {V_OCSP_CERTSTATUS_GOOD, "good"}, {V_OCSP_CERTSTATUS_REVOKED, "revoked"}, {V_OCSP_CERTSTATUS_UNKNOWN, "unknown"} @@ -122,9 +122,9 @@ char *OCSP_cert_status_str(long s) return table2string(s, cstat_tbl, 3); } -char *OCSP_crl_reason_str(long s) +const char *OCSP_crl_reason_str(long s) { - OCSP_TBLSTR reason_tbl[] = { + static const OCSP_TBLSTR reason_tbl[] = { {OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified"}, {OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise"}, {OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise"}, diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c index 726ea03c..d4a257c3 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c @@ -83,6 +83,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { X509 *signer, *x; STACK_OF(X509) *chain = NULL; + STACK_OF(X509) *untrusted = NULL; X509_STORE_CTX ctx; int i, ret = 0; ret = ocsp_find_signer(&signer, bs, certs, st, flags); @@ -107,10 +108,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, } if (!(flags & OCSP_NOVERIFY)) { int init_res; - if (flags & OCSP_NOCHAIN) - init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); - else - init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); + if (flags & OCSP_NOCHAIN) { + untrusted = NULL; + } else if (bs->certs && certs) { + untrusted = sk_X509_dup(bs->certs); + for (i = 0; i < sk_X509_num(certs); i++) { + if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); + goto end; + } + } + } else { + untrusted = bs->certs; + } + init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); if (!init_res) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); @@ -161,6 +172,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, end: if (chain) sk_X509_pop_free(chain, X509_free); + if (bs->certs && certs) + sk_X509_free(untrusted); return ret; } @@ -308,6 +321,8 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, } mdlen = EVP_MD_size(dgst); + if (mdlen < 0) + return -1; if ((cid->issuerNameHash->length != mdlen) || (cid->issuerKeyHash->length != mdlen)) return 0; @@ -316,7 +331,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, return -1; if (memcmp(md, cid->issuerNameHash->data, mdlen)) return 0; - X509_pubkey_digest(cert, EVP_sha1(), md, NULL); + X509_pubkey_digest(cert, dgst, md, NULL); if (memcmp(md, cid->issuerKeyHash->data, mdlen)) return 0; @@ -424,8 +439,10 @@ static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509 *signer; if (!(flags & OCSP_NOINTERN)) { signer = X509_find_by_subject(req->optionalSignature->certs, nm); - *psigner = signer; - return 1; + if (signer) { + *psigner = signer; + return 1; + } } signer = X509_find_by_subject(certs, nm); |