summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ocsp
diff options
context:
space:
mode:
authorbeck <>2017-01-29 17:49:23 +0000
committerbeck <>2017-01-29 17:49:23 +0000
commitd1f47bd292f36094480caa49ada36b99a69c59b0 (patch)
tree1a54abba678898ee5270ae4f3404a50ee9a92eea /src/lib/libcrypto/ocsp
parentf8c627888330b75c2eea8a3c27d0efe947a4f9da (diff)
downloadopenbsd-d1f47bd292f36094480caa49ada36b99a69c59b0.tar.gz
openbsd-d1f47bd292f36094480caa49ada36b99a69c59b0.tar.bz2
openbsd-d1f47bd292f36094480caa49ada36b99a69c59b0.zip
Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
Diffstat (limited to 'src/lib/libcrypto/ocsp')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c29
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_err.c22
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ht.c13
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_lib.c12
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_srv.c8
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c46
6 files changed, 43 insertions, 87 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 6b8fb87880..04ea6866a5 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_cl.c,v 1.13 2016/12/30 15:31:58 jsing Exp $ */ 1/* $OpenBSD: ocsp_cl.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL 2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */ 3 * project. */
4 4
@@ -159,8 +159,7 @@ OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
159 goto err; 159 goto err;
160 if (key) { 160 if (key) {
161 if (!X509_check_private_key(signer, key)) { 161 if (!X509_check_private_key(signer, key)) {
162 OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, 162 OCSPerror(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
163 OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
164 goto err; 163 goto err;
165 } 164 }
166 if (!OCSP_REQUEST_sign(req, key, dgst)) 165 if (!OCSP_REQUEST_sign(req, key, dgst))
@@ -202,13 +201,11 @@ OCSP_response_get1_basic(OCSP_RESPONSE *resp)
202 201
203 rb = resp->responseBytes; 202 rb = resp->responseBytes;
204 if (!rb) { 203 if (!rb) {
205 OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, 204 OCSPerror(OCSP_R_NO_RESPONSE_DATA);
206 OCSP_R_NO_RESPONSE_DATA);
207 return NULL; 205 return NULL;
208 } 206 }
209 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) { 207 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
210 OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, 208 OCSPerror(OCSP_R_NOT_BASIC_RESPONSE);
211 OCSP_R_NOT_BASIC_RESPONSE);
212 return NULL; 209 return NULL;
213 } 210 }
214 211
@@ -341,16 +338,14 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
341 /* Check thisUpdate is valid and not more than nsec in the future */ 338 /* Check thisUpdate is valid and not more than nsec in the future */
342 if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this, 339 if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
343 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { 340 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
344 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 341 OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
345 OCSP_R_ERROR_IN_THISUPDATE_FIELD);
346 return 0; 342 return 0;
347 } else { 343 } else {
348 t_tmp = t_now + nsec; 344 t_tmp = t_now + nsec;
349 if (gmtime_r(&t_tmp, &tm_tmp) == NULL) 345 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
350 return 0; 346 return 0;
351 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) { 347 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {
352 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 348 OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
353 OCSP_R_STATUS_NOT_YET_VALID);
354 return 0; 349 return 0;
355 } 350 }
356 351
@@ -363,8 +358,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
363 if (gmtime_r(&t_tmp, &tm_tmp) == NULL) 358 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
364 return 0; 359 return 0;
365 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) { 360 if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
366 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 361 OCSPerror(OCSP_R_STATUS_TOO_OLD);
367 OCSP_R_STATUS_TOO_OLD);
368 return 0; 362 return 0;
369 } 363 }
370 } 364 }
@@ -376,24 +370,21 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
376 /* Check nextUpdate is valid and not more than nsec in the past */ 370 /* Check nextUpdate is valid and not more than nsec in the past */
377 if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next, 371 if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
378 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { 372 V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
379 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 373 OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
380 OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
381 return 0; 374 return 0;
382 } else { 375 } else {
383 t_tmp = t_now - nsec; 376 t_tmp = t_now - nsec;
384 if (gmtime_r(&t_tmp, &tm_tmp) == NULL) 377 if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
385 return 0; 378 return 0;
386 if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) { 379 if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
387 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 380 OCSPerror(OCSP_R_STATUS_EXPIRED);
388 OCSP_R_STATUS_EXPIRED);
389 return 0; 381 return 0;
390 } 382 }
391 } 383 }
392 384
393 /* Also don't allow nextUpdate to precede thisUpdate */ 385 /* Also don't allow nextUpdate to precede thisUpdate */
394 if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) { 386 if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {
395 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, 387 OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
396 OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
397 return 0; 388 return 0;
398 } 389 }
399 390
diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
index af781074b6..9e3237f6a4 100644
--- a/src/lib/libcrypto/ocsp/ocsp_err.c
+++ b/src/lib/libcrypto/ocsp/ocsp_err.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_err.c,v 1.7 2014/07/10 22:45:57 jsing Exp $ */ 1/* $OpenBSD: ocsp_err.c,v 1.8 2017/01/29 17:49:23 beck Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -72,25 +72,7 @@
72#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason) 72#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
73 73
74static ERR_STRING_DATA OCSP_str_functs[]= { 74static ERR_STRING_DATA OCSP_str_functs[]= {
75 {ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"}, 75 {ERR_FUNC(0xfff), "CRYPTO_internal"},
76 {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"},
77 {ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"},
78 {ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"},
79 {ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"},
80 {ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"},
81 {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"},
82 {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"},
83 {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"},
84 {ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"},
85 {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"},
86 {ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"},
87 {ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"},
88 {ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"},
89 {ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"},
90 {ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"},
91 {ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"},
92 {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"},
93 {ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"},
94 {0, NULL} 76 {0, NULL}
95}; 77};
96 78
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
index 61af3717b7..b9c969928a 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_ht.c,v 1.23 2016/11/05 15:21:20 miod Exp $ */ 1/* $OpenBSD: ocsp_ht.c,v 1.24 2017/01/29 17:49:23 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006. 3 * project 2006.
4 */ 4 */
@@ -207,8 +207,7 @@ parse_http_line1(char *line)
207 for (p = line; *p && !isspace((unsigned char)*p); p++) 207 for (p = line; *p && !isspace((unsigned char)*p); p++)
208 continue; 208 continue;
209 if (!*p) { 209 if (!*p) {
210 OCSPerr(OCSP_F_PARSE_HTTP_LINE1, 210 OCSPerror(OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
211 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
212 return 0; 211 return 0;
213 } 212 }
214 213
@@ -216,8 +215,7 @@ parse_http_line1(char *line)
216 while (*p && isspace((unsigned char)*p)) 215 while (*p && isspace((unsigned char)*p))
217 p++; 216 p++;
218 if (!*p) { 217 if (!*p) {
219 OCSPerr(OCSP_F_PARSE_HTTP_LINE1, 218 OCSPerror(OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
220 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
221 return 0; 219 return 0;
222 } 220 }
223 221
@@ -225,8 +223,7 @@ parse_http_line1(char *line)
225 for (q = p; *q && !isspace((unsigned char)*q); q++) 223 for (q = p; *q && !isspace((unsigned char)*q); q++)
226 continue; 224 continue;
227 if (!*q) { 225 if (!*q) {
228 OCSPerr(OCSP_F_PARSE_HTTP_LINE1, 226 OCSPerror(OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
229 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
230 return 0; 227 return 0;
231 } 228 }
232 229
@@ -251,7 +248,7 @@ parse_http_line1(char *line)
251 *r = 0; 248 *r = 0;
252 } 249 }
253 if (retcode != 200) { 250 if (retcode != 200) {
254 OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR); 251 OCSPerror(OCSP_R_SERVER_RESPONSE_ERROR);
255 if (!*q) 252 if (!*q)
256 ERR_asprintf_error_data("Code=%s", p); 253 ERR_asprintf_error_data("Code=%s", p);
257 else 254 else
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
index 4a109b5513..d56a002096 100644
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_lib.c,v 1.19 2016/12/21 18:13:59 beck Exp $ */ 1/* $OpenBSD: ocsp_lib.c,v 1.20 2017/01/29 17:49:23 beck Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL 2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */ 3 * project. */
4 4
@@ -115,7 +115,7 @@ OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
115 if (alg->algorithm != NULL) 115 if (alg->algorithm != NULL)
116 ASN1_OBJECT_free(alg->algorithm); 116 ASN1_OBJECT_free(alg->algorithm);
117 if ((nid = EVP_MD_type(dgst)) == NID_undef) { 117 if ((nid = EVP_MD_type(dgst)) == NID_undef) {
118 OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID); 118 OCSPerror(OCSP_R_UNKNOWN_NID);
119 goto err; 119 goto err;
120 } 120 }
121 if (!(alg->algorithm = OBJ_nid2obj(nid))) 121 if (!(alg->algorithm = OBJ_nid2obj(nid)))
@@ -144,7 +144,7 @@ OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
144 return cid; 144 return cid;
145 145
146digerr: 146digerr:
147 OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR); 147 OCSPerror(OCSP_R_DIGEST_ERR);
148err: 148err:
149 if (cid) 149 if (cid)
150 OCSP_CERTID_free(cid); 150 OCSP_CERTID_free(cid);
@@ -193,11 +193,11 @@ OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
193 } else if (strncmp(url, "http://", 7) == 0) 193 } else if (strncmp(url, "http://", 7) == 0)
194 host = strdup(url + 7); 194 host = strdup(url + 7);
195 else { 195 else {
196 OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL); 196 OCSPerror(OCSP_R_ERROR_PARSING_URL);
197 return 0; 197 return 0;
198 } 198 }
199 if (host == NULL) { 199 if (host == NULL) {
200 OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE); 200 OCSPerror(ERR_R_MALLOC_FAILURE);
201 return 0; 201 return 0;
202 } 202 }
203 203
@@ -221,7 +221,7 @@ OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
221 free(host); 221 free(host);
222 free(path); 222 free(path);
223 free(port); 223 free(port);
224 OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE); 224 OCSPerror(ERR_R_MALLOC_FAILURE);
225 return 0; 225 return 0;
226 } 226 }
227 227
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
index ee4a5dd6db..a9e0aaab2f 100644
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_srv.c,v 1.9 2016/12/30 15:31:58 jsing Exp $ */ 1/* $OpenBSD: ocsp_srv.c,v 1.10 2017/01/29 17:49:23 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -168,8 +168,7 @@ OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status,
168 switch (cs->type = status) { 168 switch (cs->type = status) {
169 case V_OCSP_CERTSTATUS_REVOKED: 169 case V_OCSP_CERTSTATUS_REVOKED:
170 if (!revtime) { 170 if (!revtime) {
171 OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS, 171 OCSPerror(OCSP_R_NO_REVOKED_TIME);
172 OCSP_R_NO_REVOKED_TIME);
173 goto err; 172 goto err;
174 } 173 }
175 if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) 174 if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
@@ -226,8 +225,7 @@ OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
226 OCSP_RESPID *rid; 225 OCSP_RESPID *rid;
227 226
228 if (!X509_check_private_key(signer, key)) { 227 if (!X509_check_private_key(signer, key)) {
229 OCSPerr(OCSP_F_OCSP_BASIC_SIGN, 228 OCSPerror(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
230 OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
231 goto err; 229 goto err;
232 } 230 }
233 231
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index 80dd54e958..ebdd826878 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp_vfy.c,v 1.14 2016/11/05 13:27:53 miod Exp $ */ 1/* $OpenBSD: ocsp_vfy.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -86,8 +86,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
86 86
87 ret = ocsp_find_signer(&signer, bs, certs, st, flags); 87 ret = ocsp_find_signer(&signer, bs, certs, st, flags);
88 if (!ret) { 88 if (!ret) {
89 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, 89 OCSPerror(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
90 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
91 goto end; 90 goto end;
92 } 91 }
93 if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) 92 if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
@@ -101,8 +100,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
101 EVP_PKEY_free(skey); 100 EVP_PKEY_free(skey);
102 } 101 }
103 if (!skey || ret <= 0) { 102 if (!skey || ret <= 0) {
104 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, 103 OCSPerror(OCSP_R_SIGNATURE_FAILURE);
105 OCSP_R_SIGNATURE_FAILURE);
106 goto end; 104 goto end;
107 } 105 }
108 } 106 }
@@ -116,8 +114,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
116 for (i = 0; i < sk_X509_num(certs); i++) { 114 for (i = 0; i < sk_X509_num(certs); i++) {
117 if (!sk_X509_push(untrusted, 115 if (!sk_X509_push(untrusted,
118 sk_X509_value(certs, i))) { 116 sk_X509_value(certs, i))) {
119 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, 117 OCSPerror(ERR_R_MALLOC_FAILURE);
120 ERR_R_MALLOC_FAILURE);
121 goto end; 118 goto end;
122 } 119 }
123 } 120 }
@@ -126,7 +123,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
126 init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); 123 init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
127 if (!init_res) { 124 if (!init_res) {
128 ret = -1; 125 ret = -1;
129 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); 126 OCSPerror(ERR_R_X509_LIB);
130 goto end; 127 goto end;
131 } 128 }
132 129
@@ -141,8 +138,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
141 X509_STORE_CTX_cleanup(&ctx); 138 X509_STORE_CTX_cleanup(&ctx);
142 if (ret <= 0) { 139 if (ret <= 0) {
143 i = X509_STORE_CTX_get_error(&ctx); 140 i = X509_STORE_CTX_get_error(&ctx);
144 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, 141 OCSPerror(OCSP_R_CERTIFICATE_VERIFY_ERROR);
145 OCSP_R_CERTIFICATE_VERIFY_ERROR);
146 ERR_asprintf_error_data("Verify error:%s", 142 ERR_asprintf_error_data("Verify error:%s",
147 X509_verify_cert_error_string(i)); 143 X509_verify_cert_error_string(i));
148 goto end; 144 goto end;
@@ -169,8 +165,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
169 x = sk_X509_value(chain, sk_X509_num(chain) - 1); 165 x = sk_X509_value(chain, sk_X509_num(chain) - 1);
170 if (X509_check_trust(x, NID_OCSP_sign, 0) != 166 if (X509_check_trust(x, NID_OCSP_sign, 0) !=
171 X509_TRUST_TRUSTED) { 167 X509_TRUST_TRUSTED) {
172 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, 168 OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED);
173 OCSP_R_ROOT_CA_NOT_TRUSTED);
174 goto end; 169 goto end;
175 } 170 }
176 ret = 1; 171 ret = 1;
@@ -245,8 +240,7 @@ ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
245 sresp = bs->tbsResponseData->responses; 240 sresp = bs->tbsResponseData->responses;
246 241
247 if (sk_X509_num(chain) <= 0) { 242 if (sk_X509_num(chain) <= 0) {
248 OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, 243 OCSPerror(OCSP_R_NO_CERTIFICATES_IN_CHAIN);
249 OCSP_R_NO_CERTIFICATES_IN_CHAIN);
250 return -1; 244 return -1;
251 } 245 }
252 246
@@ -288,8 +282,7 @@ ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
288 282
289 idcount = sk_OCSP_SINGLERESP_num(sresp); 283 idcount = sk_OCSP_SINGLERESP_num(sresp);
290 if (idcount <= 0) { 284 if (idcount <= 0) {
291 OCSPerr(OCSP_F_OCSP_CHECK_IDS, 285 OCSPerror(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
292 OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
293 return -1; 286 return -1;
294 } 287 }
295 288
@@ -323,8 +316,7 @@ ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
323 316
324 if (!(dgst = 317 if (!(dgst =
325 EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) { 318 EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
326 OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, 319 OCSPerror(OCSP_R_UNKNOWN_MESSAGE_DIGEST);
327 OCSP_R_UNKNOWN_MESSAGE_DIGEST);
328 return -1; 320 return -1;
329 } 321 }
330 322
@@ -365,7 +357,7 @@ ocsp_check_delegated(X509 *x, int flags)
365 X509_check_purpose(x, -1, 0); 357 X509_check_purpose(x, -1, 0);
366 if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) 358 if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
367 return 1; 359 return 1;
368 OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); 360 OCSPerror(OCSP_R_MISSING_OCSPSIGNING_USAGE);
369 return 0; 361 return 0;
370} 362}
371 363
@@ -384,20 +376,18 @@ OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
384 X509_STORE_CTX ctx; 376 X509_STORE_CTX ctx;
385 377
386 if (!req->optionalSignature) { 378 if (!req->optionalSignature) {
387 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); 379 OCSPerror(OCSP_R_REQUEST_NOT_SIGNED);
388 return 0; 380 return 0;
389 } 381 }
390 gen = req->tbsRequest->requestorName; 382 gen = req->tbsRequest->requestorName;
391 if (!gen || gen->type != GEN_DIRNAME) { 383 if (!gen || gen->type != GEN_DIRNAME) {
392 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, 384 OCSPerror(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
393 OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
394 return 0; 385 return 0;
395 } 386 }
396 nm = gen->d.directoryName; 387 nm = gen->d.directoryName;
397 ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags); 388 ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
398 if (ret <= 0) { 389 if (ret <= 0) {
399 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, 390 OCSPerror(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
400 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
401 return 0; 391 return 0;
402 } 392 }
403 if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) 393 if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
@@ -409,8 +399,7 @@ OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
409 ret = OCSP_REQUEST_verify(req, skey); 399 ret = OCSP_REQUEST_verify(req, skey);
410 EVP_PKEY_free(skey); 400 EVP_PKEY_free(skey);
411 if (ret <= 0) { 401 if (ret <= 0) {
412 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, 402 OCSPerror(OCSP_R_SIGNATURE_FAILURE);
413 OCSP_R_SIGNATURE_FAILURE);
414 return 0; 403 return 0;
415 } 404 }
416 } 405 }
@@ -424,7 +413,7 @@ OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
424 init_res = X509_STORE_CTX_init(&ctx, store, signer, 413 init_res = X509_STORE_CTX_init(&ctx, store, signer,
425 req->optionalSignature->certs); 414 req->optionalSignature->certs);
426 if (!init_res) { 415 if (!init_res) {
427 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB); 416 OCSPerror(ERR_R_X509_LIB);
428 return 0; 417 return 0;
429 } 418 }
430 419
@@ -439,8 +428,7 @@ OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
439 X509_STORE_CTX_cleanup(&ctx); 428 X509_STORE_CTX_cleanup(&ctx);
440 if (ret <= 0) { 429 if (ret <= 0) {
441 ret = X509_STORE_CTX_get_error(&ctx); 430 ret = X509_STORE_CTX_get_error(&ctx);
442 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, 431 OCSPerror(OCSP_R_CERTIFICATE_VERIFY_ERROR);
443 OCSP_R_CERTIFICATE_VERIFY_ERROR);
444 ERR_asprintf_error_data("Verify error:%s", 432 ERR_asprintf_error_data("Verify error:%s",
445 X509_verify_cert_error_string(ret)); 433 X509_verify_cert_error_string(ret));
446 return 0; 434 return 0;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-09 16:01:05 +0000