authorbeck <>2017-01-29 17:49:23 +0000
committerbeck <>2017-01-29 17:49:23 +0000
commit957b11334a7afb14537322f0e4795b2e368b3f59 (patch)
tree1a54abba678898ee5270ae4f3404a50ee9a92eea /src/lib/libcrypto/ocsp/ocsp_cl.c
parentdf96e020e729c6c37a8c7fe311fdd1fe6a8718c5 (diff)
Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
Diffstat (limited to 'src/lib/libcrypto/ocsp/ocsp_cl.c')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c29
1 files changed, 10 insertions, 19 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 6b8fb87880..04ea6866a5 100644
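--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.13 2016/12/30 15:31:58 jsing Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -159,8 +159,7 @@ OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
 goto err;
 if (key) {
 if (!X509_check_private_key(signer, key)) {
-OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
-OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+OCSPerror(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
 goto err;
 }
 if (!OCSP_REQUEST_sign(req, key, dgst))
@@ -202,13 +201,11 @@ OCSP_response_get1_basic(OCSP_RESPONSE *resp)
 
 rb = resp->responseBytes;
 if (!rb) {
-OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-OCSP_R_NO_RESPONSE_DATA);
+OCSPerror(OCSP_R_NO_RESPONSE_DATA);
 return NULL;
 }
 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
-OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-OCSP_R_NOT_BASIC_RESPONSE);
+OCSPerror(OCSP_R_NOT_BASIC_RESPONSE);
 return NULL;
 }
 
@@ -341,16 +338,14 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 /* Check thisUpdate is valid and not more than nsec in the future */
 if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
-OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-OCSP_R_ERROR_IN_THISUPDATE_FIELD);
+OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
 return 0;
 } else {
 t_tmp = t_now + nsec;
 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
 return 0;
 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {
-OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-OCSP_R_STATUS_NOT_YET_VALID);
+OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
 return 0;
 }
 
@@ -363,8 +358,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
 return 0;
 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
-OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-OCSP_R_STATUS_TOO_OLD);
+OCSPerror(OCSP_R_STATUS_TOO_OLD);
 return 0;
 }
 }
@@ -376,24 +370,21 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 /* Check nextUpdate is valid and not more than nsec in the past */
 if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
-OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
+OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
 return 0;
 } else {
 t_tmp = t_now - nsec;
 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
 return 0;
 if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
-OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-OCSP_R_STATUS_EXPIRED);
+OCSPerror(OCSP_R_STATUS_EXPIRED);
 return 0;
 }
 }
 
 /* Also don't allow nextUpdate to precede thisUpdate */
 if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {
-OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
+OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
 return 0;
 }
 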
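Review bot: In the OCSP_check_validity hunks, the three `gmtime_r(&t_tmp, &tm_tmp) == NULL` branches return 0 without queuing any error, while every neighbouring failure path calls OCSPerror(). A caller that reads the error queue after a failed validity check then gets either nothing or a stale entry from an earlier operation, which makes a rejected OCSP response hard to triage. Because this commit already rewrites the error calls around those branches, they could be braced and given a reason as well, for example `OCSPerror(ERR_R_INTERNAL_ERROR);` before each `return 0;`. The check still fails closed, so the concern is diagnosability rather than acceptance of a bad response. The function begins and ends outside the visible hunks, so other exits may need the same treatment.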