diff options
| author | beck <> | 2016-07-05 00:21:47 +0000 |
|---|---|---|
| committer | beck <> | 2016-07-05 00:21:47 +0000 |
| commit | 25f89b1a60c16a8a6f6b2258cfebc4c8db737315 (patch) | |
| tree | b44185a3fa343b35b802a261d6882be093b31286 | |
| parent | 8ca672b0a38f12fad46b1bdabd8d1a03a3102167 (diff) | |
| download | openbsd-25f89b1a60c16a8a6f6b2258cfebc4c8db737315.tar.gz openbsd-25f89b1a60c16a8a6f6b2258cfebc4c8db737315.tar.bz2 openbsd-25f89b1a60c16a8a6f6b2258cfebc4c8db737315.zip | |
Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@
| -rw-r--r-- | src/lib/libcrypto/ocsp/ocsp_vfy.c | 34 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c | 34 |
2 files changed, 48 insertions, 20 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c index b62394b765..f28571b92f 100644 --- a/src/lib/libcrypto/ocsp/ocsp_vfy.c +++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ocsp_vfy.c,v 1.12 2014/07/09 19:08:10 tedu Exp $ */ | 1 | /* $OpenBSD: ocsp_vfy.c,v 1.13 2016/07/05 00:21:47 beck Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2000. | 3 | * project 2000. |
| 4 | */ | 4 | */ |
| @@ -80,6 +80,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 80 | { | 80 | { |
| 81 | X509 *signer, *x; | 81 | X509 *signer, *x; |
| 82 | STACK_OF(X509) *chain = NULL; | 82 | STACK_OF(X509) *chain = NULL; |
| 83 | STACK_OF(X509) *untrusted = NULL; | ||
| 83 | X509_STORE_CTX ctx; | 84 | X509_STORE_CTX ctx; |
| 84 | int i, ret = 0; | 85 | int i, ret = 0; |
| 85 | 86 | ||
| @@ -108,11 +109,21 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 108 | if (!(flags & OCSP_NOVERIFY)) { | 109 | if (!(flags & OCSP_NOVERIFY)) { |
| 109 | int init_res; | 110 | int init_res; |
| 110 | 111 | ||
| 111 | if (flags & OCSP_NOCHAIN) | 112 | if (flags & OCSP_NOCHAIN) { |
| 112 | init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); | 113 | untrusted = NULL; |
| 113 | else | 114 | } else if (bs->certs && certs) { |
| 114 | init_res = X509_STORE_CTX_init(&ctx, st, signer, | 115 | untrusted = sk_X509_dup(bs->certs); |
| 115 | bs->certs); | 116 | for (i = 0; i < sk_X509_num(certs); i++) { |
| 117 | if (!sk_X509_push(untrusted, | ||
| 118 | sk_X509_value(certs, i))) { | ||
| 119 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, | ||
| 120 | ERR_R_MALLOC_FAILURE); | ||
| 121 | goto end; | ||
| 122 | } | ||
| 123 | } | ||
| 124 | } else | ||
| 125 | untrusted = bs->certs; | ||
| 126 | init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); | ||
| 116 | if (!init_res) { | 127 | if (!init_res) { |
| 117 | ret = -1; | 128 | ret = -1; |
| 118 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); | 129 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); |
| @@ -163,6 +174,8 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 163 | end: | 174 | end: |
| 164 | if (chain) | 175 | if (chain) |
| 165 | sk_X509_pop_free(chain, X509_free); | 176 | sk_X509_pop_free(chain, X509_free); |
| 177 | if (bs->certs && certs) | ||
| 178 | sk_X509_free(untrusted); | ||
| 166 | return ret; | 179 | return ret; |
| 167 | } | 180 | } |
| 168 | 181 | ||
| @@ -433,10 +446,11 @@ ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, | |||
| 433 | X509 *signer; | 446 | X509 *signer; |
| 434 | 447 | ||
| 435 | if (!(flags & OCSP_NOINTERN)) { | 448 | if (!(flags & OCSP_NOINTERN)) { |
| 436 | signer = | 449 | signer = X509_find_by_subject(req->optionalSignature->certs, nm); |
| 437 | X509_find_by_subject(req->optionalSignature->certs, nm); | 450 | if (signer) { |
| 438 | *psigner = signer; | 451 | *psigner = signer; |
| 439 | return 1; | 452 | return 1; |
| 453 | } | ||
| 440 | } | 454 | } |
| 441 | 455 | ||
| 442 | signer = X509_find_by_subject(certs, nm); | 456 | signer = X509_find_by_subject(certs, nm); |
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c b/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c index b62394b765..f28571b92f 100644 --- a/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c +++ b/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ocsp_vfy.c,v 1.12 2014/07/09 19:08:10 tedu Exp $ */ | 1 | /* $OpenBSD: ocsp_vfy.c,v 1.13 2016/07/05 00:21:47 beck Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2000. | 3 | * project 2000. |
| 4 | */ | 4 | */ |
| @@ -80,6 +80,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 80 | { | 80 | { |
| 81 | X509 *signer, *x; | 81 | X509 *signer, *x; |
| 82 | STACK_OF(X509) *chain = NULL; | 82 | STACK_OF(X509) *chain = NULL; |
| 83 | STACK_OF(X509) *untrusted = NULL; | ||
| 83 | X509_STORE_CTX ctx; | 84 | X509_STORE_CTX ctx; |
| 84 | int i, ret = 0; | 85 | int i, ret = 0; |
| 85 | 86 | ||
| @@ -108,11 +109,21 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 108 | if (!(flags & OCSP_NOVERIFY)) { | 109 | if (!(flags & OCSP_NOVERIFY)) { |
| 109 | int init_res; | 110 | int init_res; |
| 110 | 111 | ||
| 111 | if (flags & OCSP_NOCHAIN) | 112 | if (flags & OCSP_NOCHAIN) { |
| 112 | init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); | 113 | untrusted = NULL; |
| 113 | else | 114 | } else if (bs->certs && certs) { |
| 114 | init_res = X509_STORE_CTX_init(&ctx, st, signer, | 115 | untrusted = sk_X509_dup(bs->certs); |
| 115 | bs->certs); | 116 | for (i = 0; i < sk_X509_num(certs); i++) { |
| 117 | if (!sk_X509_push(untrusted, | ||
| 118 | sk_X509_value(certs, i))) { | ||
| 119 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, | ||
| 120 | ERR_R_MALLOC_FAILURE); | ||
| 121 | goto end; | ||
| 122 | } | ||
| 123 | } | ||
| 124 | } else | ||
| 125 | untrusted = bs->certs; | ||
| 126 | init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); | ||
| 116 | if (!init_res) { | 127 | if (!init_res) { |
| 117 | ret = -1; | 128 | ret = -1; |
| 118 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); | 129 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); |
| @@ -163,6 +174,8 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 163 | end: | 174 | end: |
| 164 | if (chain) | 175 | if (chain) |
| 165 | sk_X509_pop_free(chain, X509_free); | 176 | sk_X509_pop_free(chain, X509_free); |
| 177 | if (bs->certs && certs) | ||
| 178 | sk_X509_free(untrusted); | ||
| 166 | return ret; | 179 | return ret; |
| 167 | } | 180 | } |
| 168 | 181 | ||
| @@ -433,10 +446,11 @@ ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, | |||
| 433 | X509 *signer; | 446 | X509 *signer; |
| 434 | 447 | ||
| 435 | if (!(flags & OCSP_NOINTERN)) { | 448 | if (!(flags & OCSP_NOINTERN)) { |
| 436 | signer = | 449 | signer = X509_find_by_subject(req->optionalSignature->certs, nm); |
| 437 | X509_find_by_subject(req->optionalSignature->certs, nm); | 450 | if (signer) { |
| 438 | *psigner = signer; | 451 | *psigner = signer; |
| 439 | return 1; | 452 | return 1; |
| 453 | } | ||
| 440 | } | 454 | } |
| 441 | 455 | ||
| 442 | signer = X509_find_by_subject(certs, nm); | 456 | signer = X509_find_by_subject(certs, nm); |