Diffstat (limited to 'Cryptlib/OpenSSL/crypto/ocsp')
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c2
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c3
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c63
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c179
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c8
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c18
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c31
7 files changed, 198 insertions, 106 deletions
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
index bbb1830b..b3612c8d 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
@@ -162,8 +162,6 @@ int OCSP_request_sign(OCSP_REQUEST *req,
if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
goto err;
- if (!dgst)
- dgst = EVP_sha1();
if (key) {
if (!X509_check_private_key(signer, key)) {
OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
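Review bot: With the SHA-1 fallback removed, a NULL `dgst` now travels to whatever signs the request later in OCSP_request_sign (outside the hunk); unless that layer picks a default digest for the key, callers that relied on passing NULL now get a signing failure without an OCSP-level error. If the intent is to defer to the key's default digest, state that contract where `dgst` is consumed, e.g. `/* dgst == NULL: the signing layer selects the key's default digest */`, and make sure the failure case still raises an OCSPerr. Dropping the hard-coded SHA-1 is the right direction; it only needs the new contract made explicit.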
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
index 0bbf71f7..722043c0 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
@@ -1,6 +1,6 @@
/* crypto/ocsp/ocsp_err.c */
/* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -86,6 +86,7 @@ static ERR_STRING_DATA OCSP_str_functs[] = {
{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"},
{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"},
{ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"},
+ {ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"},
{ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"},
{ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"},
{0, NULL}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
index e341caea..c19648c7 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
@@ -287,7 +287,7 @@ int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
}
/* also CRL Entry Extensions */
-
+#if 0
ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
void *data, STACK_OF(ASN1_OBJECT) *sk)
{
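Review bot: `#if 0` parks ASN1_STRING_encode as dead code instead of removing it; the function's body runs past this hunk and the matching `#endif` is in the next one. The later hunks in this file replace every visible ASN1_STRING_encode_of call with X509V3_EXT_i2d, so the encoder appears to have no remaining caller, and compiled-out code drifts from the headers it depends on and can be re-enabled by mistake. Delete the block, or if it must stay for reference put a one-line comment above `#if 0` saying why it is kept and what replaced it.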
@@ -329,6 +329,7 @@ ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
OPENSSL_free(b);
return NULL;
}
+#endif
/* Nonce handling functions */
@@ -360,8 +361,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
if (val)
memcpy(tmpval, val, len);
- else
- RAND_pseudo_bytes(tmpval, len);
+ else if (RAND_pseudo_bytes(tmpval, len) < 0)
+ goto err;
if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
&os, 0, X509V3_ADD_REPLACE))
goto err;
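Review bot: `RAND_pseudo_bytes(tmpval, len) < 0` rejects only a failed call; the function also returns 0 when the bytes it produced are not cryptographically strong, and that outcome still becomes the nonce. Since the nonce exists to bind the response to this specific request, use the strong generator and treat anything but success as an error: `else if (RAND_bytes(tmpval, len) <= 0) goto err;`. The `err:` label and the rest of ocsp_add1_nonce are outside the hunk.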
@@ -476,21 +477,11 @@ X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
goto err;
}
- if (!(x = X509_EXTENSION_new()))
- goto err;
- if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID)))
- goto err;
- if (!(ASN1_STRING_encode_of(OCSP_CRLID, x->value, i2d_OCSP_CRLID, cid,
- NULL)))
- goto err;
- OCSP_CRLID_free(cid);
- return x;
+ x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
err:
- if (x)
- X509_EXTENSION_free(x);
if (cid)
OCSP_CRLID_free(cid);
- return NULL;
+ return x;
}
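Review bot: After this change `err:` is reached on the success path as well, and the two outcomes are told apart only by whether `x` is still NULL, which relies on the declaration (outside the hunk) initialising `x` to NULL — the removed `if (x)` guard suggests it does. That is correct but easy to break by later inserting a step between the X509V3_EXT_i2d call and the label, so either rename the label or annotate it: `err: /* also the success path: x is NULL iff a step above failed */`. The same pattern appears in the hunks ending at lines 121, 144 and 167.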
/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
@@ -508,21 +499,11 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids)
sk_ASN1_OBJECT_push(sk, o);
oids++;
}
- if (!(x = X509_EXTENSION_new()))
- goto err;
- if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses)))
- goto err;
- if (!(ASN1_STRING_encode_of(ASN1_OBJECT, x->value, i2d_ASN1_OBJECT, NULL,
- sk)))
- goto err;
- sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
- return x;
+ x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
err:
- if (x)
- X509_EXTENSION_free(x);
if (sk)
sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
- return NULL;
+ return x;
}
/* ArchiveCutoff ::= GeneralizedTime */
@@ -535,21 +516,11 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
goto err;
if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
goto err;
- if (!(x = X509_EXTENSION_new()))
- goto err;
- if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))
- goto err;
- if (!(ASN1_STRING_encode_of(ASN1_GENERALIZEDTIME, x->value,
- i2d_ASN1_GENERALIZEDTIME, gt, NULL)))
- goto err;
- ASN1_GENERALIZEDTIME_free(gt);
- return x;
+ x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
err:
if (gt)
ASN1_GENERALIZEDTIME_free(gt);
- if (x)
- X509_EXTENSION_free(x);
- return NULL;
+ return x;
}
/*
@@ -587,19 +558,9 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, char **urls)
goto err;
urls++;
}
- if (!(x = X509_EXTENSION_new()))
- goto err;
- if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator)))
- goto err;
- if (!(ASN1_STRING_encode_of(OCSP_SERVICELOC, x->value,
- i2d_OCSP_SERVICELOC, sloc, NULL)))
- goto err;
- OCSP_SERVICELOC_free(sloc);
- return x;
+ x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
err:
- if (x)
- X509_EXTENSION_free(x);
if (sloc)
OCSP_SERVICELOC_free(sloc);
- return NULL;
+ return x;
}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
index 67546428..88b26b38 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
@@ -81,9 +81,10 @@ struct ocsp_req_ctx_st {
BIO *io; /* BIO to perform I/O with */
BIO *mem; /* Memory BIO response is built into */
unsigned long asn1_len; /* ASN1 length of response */
+ unsigned long max_resp_len; /* Maximum length of response */
};
-#define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
+#define OCSP_MAX_RESP_LENGTH (100 * 1024)
#define OCSP_MAX_LINE_LEN 4096;
/* OCSP states */
@@ -100,15 +101,42 @@ struct ocsp_req_ctx_st {
#define OHS_ASN1_HEADER 3
/* OCSP content octets being read */
#define OHS_ASN1_CONTENT 4
+/* First call: ready to start I/O */
+#define OHS_ASN1_WRITE_INIT (5 | OHS_NOREAD)
/* Request being sent */
#define OHS_ASN1_WRITE (6 | OHS_NOREAD)
/* Request being flushed */
#define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
/* Completed */
#define OHS_DONE (8 | OHS_NOREAD)
+/* Headers set, no final \r\n included */
+#define OHS_HTTP_HEADER (9 | OHS_NOREAD)
static int parse_http_line1(char *line);
+OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline)
+{
+ OCSP_REQ_CTX *rctx;
+ rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
+ if (!rctx)
+ return NULL;
+ rctx->state = OHS_ERROR;
+ rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
+ rctx->mem = BIO_new(BIO_s_mem());
+ rctx->io = io;
+ rctx->asn1_len = 0;
+ if (maxline > 0)
+ rctx->iobuflen = maxline;
+ else
+ rctx->iobuflen = OCSP_MAX_LINE_LEN;
+ rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
+ if (!rctx->iobuf || !rctx->mem) {
+ OCSP_REQ_CTX_free(rctx);
+ return NULL;
+ }
+ return rctx;
+}
+
void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
{
if (rctx->mem)
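Review bot: OCSP_REQ_CTX_new assigns `rctx->iobuflen = OCSP_MAX_LINE_LEN;`, but the macro is defined as `4096;` with a trailing semicolon (context line 180 of the previous hunk); it compiles only because the expansion lands in statement position and will break the first time the constant is used inside an expression or argument list, so the define should read `#define OCSP_MAX_LINE_LEN 4096`. The allocation-failure path hands a half-built context to OCSP_REQ_CTX_free; the visible part of that function guards `mem`, and presumably `iobuf` too, so this is fine as long as any field added later is initialised before the check. A header comment would help callers: the context borrows `io` (confirm OCSP_REQ_CTX_free does not free it), owns `mem` and `iobuf`, starts in OHS_ERROR until a request line is set, and returns NULL on allocation failure.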
@@ -118,39 +146,110 @@ void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
OPENSSL_free(rctx);
}
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
- int maxline)
+BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx)
{
- static char post_hdr[] = "POST %s HTTP/1.0\r\n"
+ return rctx->mem;
+}
+
+void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len)
+{
+ if (len == 0)
+ rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
+ else
+ rctx->max_resp_len = len;
+}
+
+int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, ASN1_VALUE *val)
+{
+ static const char req_hdr[] =
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n\r\n";
+ int reqlen = ASN1_item_i2d(val, NULL, it);
+ if (BIO_printf(rctx->mem, req_hdr, reqlen) <= 0)
+ return 0;
+ if (ASN1_item_i2d_bio(it, rctx->mem, val) <= 0)
+ return 0;
+ rctx->state = OHS_ASN1_WRITE_INIT;
+ return 1;
+}
- OCSP_REQ_CTX *rctx;
- rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
- rctx->state = OHS_FIRSTLINE;
- rctx->mem = BIO_new(BIO_s_mem());
- rctx->io = io;
- if (maxline > 0)
- rctx->iobuflen = maxline;
- else
- rctx->iobuflen = OCSP_MAX_LINE_LEN;
- rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
- if (!path)
- path = "/";
+int OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx,
+ ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+ int rv, len;
+ const unsigned char *p;
+
+ rv = OCSP_REQ_CTX_nbio(rctx);
+ if (rv != 1)
+ return rv;
- if (BIO_printf(rctx->mem, post_hdr, path,
- i2d_OCSP_REQUEST(req, NULL)) <= 0) {
+ len = BIO_get_mem_data(rctx->mem, &p);
+ *pval = ASN1_item_d2i(NULL, &p, len, it);
+ if (*pval == NULL) {
rctx->state = OHS_ERROR;
return 0;
}
- if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0) {
- rctx->state = OHS_ERROR;
+ return 1;
+}
+
+int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op, const char *path)
+{
+ static const char http_hdr[] = "%s %s HTTP/1.0\r\n";
+
+ if (!path)
+ path = "/";
+
+ if (BIO_printf(rctx->mem, http_hdr, op, path) <= 0)
+ return 0;
+ rctx->state = OHS_HTTP_HEADER;
+ return 1;
+}
+
+int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
+{
+ return OCSP_REQ_CTX_i2d(rctx, ASN1_ITEM_rptr(OCSP_REQUEST),
+ (ASN1_VALUE *)req);
+}
+
+int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
+ const char *name, const char *value)
+{
+ if (!name)
return 0;
+ if (BIO_puts(rctx->mem, name) <= 0)
+ return 0;
+ if (value) {
+ if (BIO_write(rctx->mem, ": ", 2) != 2)
+ return 0;
+ if (BIO_puts(rctx->mem, value) <= 0)
+ return 0;
}
- rctx->state = OHS_ASN1_WRITE;
- rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
+ if (BIO_write(rctx->mem, "\r\n", 2) != 2)
+ return 0;
+ rctx->state = OHS_HTTP_HEADER;
+ return 1;
+}
+
+OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
+ int maxline)
+{
+
+ OCSP_REQ_CTX *rctx = NULL;
+ rctx = OCSP_REQ_CTX_new(io, maxline);
+ if (!rctx)
+ return NULL;
+
+ if (!OCSP_REQ_CTX_http(rctx, "POST", path))
+ goto err;
+
+ if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
+ goto err;
return rctx;
+
+ err:
+ OCSP_REQ_CTX_free(rctx);
+ return NULL;
}
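Review bot: OCSP_REQ_CTX_add1_header copies `name` and `value` into the request verbatim, so a value containing CR or LF (for example a host string lifted from a user-supplied URL) splits the header block; reject them before writing: `if (strpbrk(name, "\r\n") != NULL || (value != NULL && strpbrk(value, "\r\n") != NULL)) return 0;`. Neither add1_header nor OCSP_REQ_CTX_i2d checks that `rctx->state` is still OHS_HTTP_HEADER, so a header added after OCSP_REQ_CTX_set1_req lands after the body; a state check, or at least a comment on the required call order (http line, headers, then the request), would close that. In OCSP_REQ_CTX_i2d, `reqlen` is printed into Content-Length before it is checked, so a failed ASN1_item_i2d leaves `Content-Length: -1` in the memory BIO before the function returns 0; test `reqlen < 0` first.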
/*
@@ -224,7 +323,7 @@ static int parse_http_line1(char *line)
}
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
+int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx)
{
int i, n;
const unsigned char *p;
@@ -245,6 +344,17 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
}
switch (rctx->state) {
+ case OHS_HTTP_HEADER:
+ /* Last operation was adding headers: need a final \r\n */
+ if (BIO_write(rctx->mem, "\r\n", 2) != 2) {
+ rctx->state = OHS_ERROR;
+ return 0;
+ }
+ rctx->state = OHS_ASN1_WRITE_INIT;
+
+ case OHS_ASN1_WRITE_INIT:
+ rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
+ rctx->state = OHS_ASN1_WRITE;
case OHS_ASN1_WRITE:
n = BIO_get_mem_data(rctx->mem, &p);
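Review bot: Both new case labels fall through unannotated, after `rctx->state = OHS_ASN1_WRITE_INIT;` and after `rctx->state = OHS_ASN1_WRITE;`, while this switch already marks intentional fall-through with `/* Fall thru */` (hunk ending at line 398); add the same marker at both places so a missing `break` is not mistaken for one. The OHS_ASN1_WRITE_INIT step stores the request length in `rctx->asn1_len`, which the struct comment (line 175) documents as "ASN1 length of response"; update that comment to say the field holds the request length during the write states and the response length afterwards.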
@@ -380,7 +490,7 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
rctx->asn1_len |= *p++;
}
- if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) {
+ if (rctx->asn1_len > rctx->max_resp_len) {
rctx->state = OHS_ERROR;
return 0;
}
@@ -394,18 +504,12 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
/* Fall thru */
case OHS_ASN1_CONTENT:
- n = BIO_get_mem_data(rctx->mem, &p);
+ n = BIO_get_mem_data(rctx->mem, NULL);
if (n < (int)rctx->asn1_len)
goto next_io;
- *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
- if (*presp) {
- rctx->state = OHS_DONE;
- return 1;
- }
-
- rctx->state = OHS_ERROR;
- return 0;
+ rctx->state = OHS_DONE;
+ return 1;
break;
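Review bot: The completion test `if (n < (int)rctx->asn1_len)` on the context line truncates an unsigned long to int, and this commit makes the bound configurable through OCSP_set_max_response_length with no upper clamp, so a limit above INT_MAX lets the cast go negative and the state machine declare an incomplete response complete. Compare in the wider type instead: `if ((unsigned long)n < rctx->asn1_len) goto next_io;` — n is the memory BIO's data length and should not be negative here, but confirm. The `break;` after `return 1;` is unreachable and can go.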
@@ -418,9 +522,16 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
}
+int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
+{
+ return OCSP_REQ_CTX_nbio_d2i(rctx,
+ (ASN1_VALUE **)presp,
+ ASN1_ITEM_rptr(OCSP_RESPONSE));
+}
+
/* Blocking OCSP request handler: now a special case of non-blocking I/O */
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req)
{
OCSP_RESPONSE *resp = NULL;
OCSP_REQ_CTX *ctx;
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
index a6686e5f..442a5b63 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
@@ -72,6 +72,7 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
+#include <openssl/asn1t.h>
/* Convert a certificate and its issuer to an OCSP_CERTID */
@@ -128,7 +129,8 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
goto err;
/* Calculate the issuerKey hash, excluding tag and length */
- EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL);
+ if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
+ goto err;
if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
goto err;
@@ -173,7 +175,7 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
* whether it is SSL.
*/
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
+int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
int *pssl)
{
char *p, *buf;
@@ -284,3 +286,5 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
return 0;
}
+
+IMPLEMENT_ASN1_DUP_FUNCTION(OCSP_CERTID)
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
index f6181771..1834256a 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
@@ -87,21 +87,21 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent)
typedef struct {
long t;
- char *m;
+ const char *m;
} OCSP_TBLSTR;
-static char *table2string(long s, OCSP_TBLSTR *ts, int len)
+static const char *table2string(long s, const OCSP_TBLSTR *ts, int len)
{
- OCSP_TBLSTR *p;
+ const OCSP_TBLSTR *p;
for (p = ts; p < ts + len; p++)
if (p->t == s)
return p->m;
return "(UNKNOWN)";
}
-char *OCSP_response_status_str(long s)
+const char *OCSP_response_status_str(long s)
{
- static OCSP_TBLSTR rstat_tbl[] = {
+ static const OCSP_TBLSTR rstat_tbl[] = {
{OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful"},
{OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest"},
{OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror"},
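Review bot: The tables are now `static const` arrays, but table2string is still fed literal element counts (`6` on the context line just below, `3` in the hunk ending at line 486, and presumably the reason table's count outside the hunk ending at line 494), so adding an entry silently truncates the lookup. Pass the size derived from the array, `return table2string(s, rstat_tbl, sizeof rstat_tbl / sizeof rstat_tbl[0]);`, and likewise for the other two tables.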
@@ -112,9 +112,9 @@ char *OCSP_response_status_str(long s)
return table2string(s, rstat_tbl, 6);
}
-char *OCSP_cert_status_str(long s)
+const char *OCSP_cert_status_str(long s)
{
- static OCSP_TBLSTR cstat_tbl[] = {
+ static const OCSP_TBLSTR cstat_tbl[] = {
{V_OCSP_CERTSTATUS_GOOD, "good"},
{V_OCSP_CERTSTATUS_REVOKED, "revoked"},
{V_OCSP_CERTSTATUS_UNKNOWN, "unknown"}
@@ -122,9 +122,9 @@ char *OCSP_cert_status_str(long s)
return table2string(s, cstat_tbl, 3);
}
-char *OCSP_crl_reason_str(long s)
+const char *OCSP_crl_reason_str(long s)
{
- OCSP_TBLSTR reason_tbl[] = {
+ static const OCSP_TBLSTR reason_tbl[] = {
{OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified"},
{OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise"},
{OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise"},
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
index 726ea03c..d4a257c3 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
@@ -83,6 +83,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
{
X509 *signer, *x;
STACK_OF(X509) *chain = NULL;
+ STACK_OF(X509) *untrusted = NULL;
X509_STORE_CTX ctx;
int i, ret = 0;
ret = ocsp_find_signer(&signer, bs, certs, st, flags);
@@ -107,10 +108,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
}
if (!(flags & OCSP_NOVERIFY)) {
int init_res;
- if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+ if (flags & OCSP_NOCHAIN) {
+ untrusted = NULL;
+ } else if (bs->certs && certs) {
+ untrusted = sk_X509_dup(bs->certs);
+ for (i = 0; i < sk_X509_num(certs); i++) {
+ if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+ }
+ } else {
+ untrusted = bs->certs;
+ }
+ init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
if (!init_res) {
ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
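Review bot: The push-failure path reports ERR_R_MALLOC_FAILURE and jumps to `end` without assigning `ret`, whereas the X509_STORE_CTX_init failure just below sets `ret = -1` first; `ret` at that point holds the result of the earlier signer lookup or signature check (outside the hunk), which on the way here is positive, so an allocation failure can be returned as a successful verification. Add `ret = -1;` before that `goto end`. `untrusted = sk_X509_dup(bs->certs)` is also not checked for NULL; when `certs` is empty the loop never runs and a NULL `untrusted` silently reaches X509_STORE_CTX_init as "no untrusted certs", so check the dup result explicitly and take the same error path.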
@@ -161,6 +172,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
end:
if (chain)
sk_X509_pop_free(chain, X509_free);
+ if (bs->certs && certs)
+ sk_X509_free(untrusted);
return ret;
}
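Review bot: The cleanup condition `if (bs->certs && certs)` re-derives ownership from the inputs instead of from what was allocated; it is right today only because every other branch leaves `untrusted` NULL or aliasing `bs->certs`, and sk_X509_free(NULL) is harmless. A test on the pointer itself survives future edits to the branch above: `if (untrusted != NULL && untrusted != bs->certs) sk_X509_free(untrusted);`.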
@@ -308,6 +321,8 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
}
mdlen = EVP_MD_size(dgst);
+ if (mdlen < 0)
+ return -1;
if ((cid->issuerNameHash->length != mdlen) ||
(cid->issuerKeyHash->length != mdlen))
return 0;
@@ -316,7 +331,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
return -1;
if (memcmp(md, cid->issuerNameHash->data, mdlen))
return 0;
- X509_pubkey_digest(cert, EVP_sha1(), md, NULL);
+ X509_pubkey_digest(cert, dgst, md, NULL);
if (memcmp(md, cid->issuerKeyHash->data, mdlen))
return 0;
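Review bot: The new `X509_pubkey_digest(cert, dgst, md, NULL)` call is unchecked, while the check on the context line at 549 appears to guard the issuer-name digest with `return -1`; if the key digest fails, `md` still holds the name-hash bytes and the memcmp below compares issuerKeyHash against them. Mirror the preceding check: `if (!X509_pubkey_digest(cert, dgst, md, NULL)) return -1;`. Switching the key digest from fixed SHA-1 to `dgst` is the right fix for CERTIDs built with another hash.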
@@ -424,8 +439,10 @@ static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
X509 *signer;
if (!(flags & OCSP_NOINTERN)) {
signer = X509_find_by_subject(req->optionalSignature->certs, nm);
- *psigner = signer;
- return 1;
+ if (signer) {
+ *psigner = signer;
+ return 1;
+ }
}
signer = X509_find_by_subject(certs, nm);