summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ts/ts_rsp_verify.c
diff options
context:
space:
mode:
authorbeck <>2017-01-29 17:49:23 +0000
committerbeck <>2017-01-29 17:49:23 +0000
commit957b11334a7afb14537322f0e4795b2e368b3f59 (patch)
tree1a54abba678898ee5270ae4f3404a50ee9a92eea /src/lib/libcrypto/ts/ts_rsp_verify.c
parentdf96e020e729c6c37a8c7fe311fdd1fe6a8718c5 (diff)
downloadopenbsd-957b11334a7afb14537322f0e4795b2e368b3f59.tar.gz
openbsd-957b11334a7afb14537322f0e4795b2e368b3f59.tar.bz2
openbsd-957b11334a7afb14537322f0e4795b2e368b3f59.zip
Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
Diffstat (limited to 'src/lib/libcrypto/ts/ts_rsp_verify.c')
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_verify.c42
1 files changed, 20 insertions, 22 deletions
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 020658bb02..36ead0671a 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ts_rsp_verify.c,v 1.17 2016/11/05 15:19:07 miod Exp $ */ 1/* $OpenBSD: ts_rsp_verify.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL 2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002. 3 * project 2002.
4 */ 4 */
@@ -155,28 +155,27 @@ TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
155 155
156 /* Some sanity checks first. */ 156 /* Some sanity checks first. */
157 if (!token) { 157 if (!token) {
158 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER); 158 TSerror(TS_R_INVALID_NULL_POINTER);
159 goto err; 159 goto err;
160 } 160 }
161 161
162 /* Check for the correct content type */ 162 /* Check for the correct content type */
163 if (!PKCS7_type_is_signed(token)) { 163 if (!PKCS7_type_is_signed(token)) {
164 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE); 164 TSerror(TS_R_WRONG_CONTENT_TYPE);
165 goto err; 165 goto err;
166 } 166 }
167 167
168 /* Check if there is one and only one signer. */ 168 /* Check if there is one and only one signer. */
169 sinfos = PKCS7_get_signer_info(token); 169 sinfos = PKCS7_get_signer_info(token);
170 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) { 170 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) {
171 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, 171 TSerror(TS_R_THERE_MUST_BE_ONE_SIGNER);
172 TS_R_THERE_MUST_BE_ONE_SIGNER);
173 goto err; 172 goto err;
174 } 173 }
175 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0); 174 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
176 175
177 /* Check for no content: no data to verify signature. */ 176 /* Check for no content: no data to verify signature. */
178 if (PKCS7_get_detached(token)) { 177 if (PKCS7_get_detached(token)) {
179 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT); 178 TSerror(TS_R_NO_CONTENT);
180 goto err; 179 goto err;
181 } 180 }
182 181
@@ -206,7 +205,7 @@ TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
206 /* Verifying the signature. */ 205 /* Verifying the signature. */
207 j = PKCS7_signatureVerify(p7bio, token, si, signer); 206 j = PKCS7_signatureVerify(p7bio, token, si, signer);
208 if (j <= 0) { 207 if (j <= 0) {
209 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE); 208 TSerror(TS_R_SIGNATURE_FAILURE);
210 goto err; 209 goto err;
211 } 210 }
212 211
@@ -241,7 +240,7 @@ TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
241 /* chain is an out argument. */ 240 /* chain is an out argument. */
242 *chain = NULL; 241 *chain = NULL;
243 if (X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted) == 0) { 242 if (X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted) == 0) {
244 TSerr(TS_F_TS_VERIFY_CERT, ERR_R_X509_LIB); 243 TSerror(ERR_R_X509_LIB);
245 goto err; 244 goto err;
246 } 245 }
247 if (X509_STORE_CTX_set_purpose(&cert_ctx, 246 if (X509_STORE_CTX_set_purpose(&cert_ctx,
@@ -251,7 +250,7 @@ TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
251 if (i <= 0) { 250 if (i <= 0) {
252 int j = X509_STORE_CTX_get_error(&cert_ctx); 251 int j = X509_STORE_CTX_get_error(&cert_ctx);
253 252
254 TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR); 253 TSerror(TS_R_CERTIFICATE_VERIFY_ERROR);
255 ERR_asprintf_error_data("Verify error:%s", 254 ERR_asprintf_error_data("Verify error:%s",
256 X509_verify_cert_error_string(j)); 255 X509_verify_cert_error_string(j));
257 goto err; 256 goto err;
@@ -298,8 +297,7 @@ TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain)
298 297
299err: 298err:
300 if (!ret) 299 if (!ret)
301 TSerr(TS_F_TS_CHECK_SIGNING_CERTS, 300 TSerror(TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
302 TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
303 ESS_SIGNING_CERT_free(ss); 301 ESS_SIGNING_CERT_free(ss);
304 return ret; 302 return ret;
305} 303}
@@ -446,7 +444,7 @@ int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token,
446 /* Check version number of response. */ 444 /* Check version number of response. */
447 if ((ctx->flags & TS_VFY_VERSION) && 445 if ((ctx->flags & TS_VFY_VERSION) &&
448 TS_TST_INFO_get_version(tst_info) != 1) { 446 TS_TST_INFO_get_version(tst_info) != 1) {
449 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION); 447 TSerror(TS_R_UNSUPPORTED_VERSION);
450 goto err; 448 goto err;
451 } 449 }
452 450
@@ -476,14 +474,14 @@ int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token,
476 /* Check whether TSA name and signer certificate match. */ 474 /* Check whether TSA name and signer certificate match. */
477 if ((ctx->flags & TS_VFY_SIGNER) && 475 if ((ctx->flags & TS_VFY_SIGNER) &&
478 tsa_name && !TS_check_signer_name(tsa_name, signer)) { 476 tsa_name && !TS_check_signer_name(tsa_name, signer)) {
479 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH); 477 TSerror(TS_R_TSA_NAME_MISMATCH);
480 goto err; 478 goto err;
481 } 479 }
482 480
483 /* Check whether the TSA is the expected one. */ 481 /* Check whether the TSA is the expected one. */
484 if ((ctx->flags & TS_VFY_TSA_NAME) && 482 if ((ctx->flags & TS_VFY_TSA_NAME) &&
485 !TS_check_signer_name(ctx->tsa_name, signer)) { 483 !TS_check_signer_name(ctx->tsa_name, signer)) {
486 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED); 484 TSerror(TS_R_TSA_UNTRUSTED);
487 goto err; 485 goto err;
488 } 486 }
489 487
@@ -541,7 +539,7 @@ TS_check_status_info(TS_RESP *response)
541 strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE); 539 strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE);
542 540
543 /* Making up the error string. */ 541 /* Making up the error string. */
544 TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN); 542 TSerror(TS_R_NO_TIME_STAMP_TOKEN);
545 ERR_asprintf_error_data 543 ERR_asprintf_error_data
546 ("status code: %s, status text: %s, failure codes: %s", 544 ("status code: %s, status text: %s, failure codes: %s",
547 status_text, 545 status_text,
@@ -567,7 +565,7 @@ TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
567 } 565 }
568 /* Allocate memory (closing '\0' included). */ 566 /* Allocate memory (closing '\0' included). */
569 if (!(result = malloc(length))) { 567 if (!(result = malloc(length))) {
570 TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE); 568 TSerror(ERR_R_MALLOC_FAILURE);
571 return NULL; 569 return NULL;
572 } 570 }
573 /* Concatenate the descriptions. */ 571 /* Concatenate the descriptions. */
@@ -587,7 +585,7 @@ TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info)
587 ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info); 585 ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info);
588 586
589 if (OBJ_cmp(req_oid, resp_oid) != 0) { 587 if (OBJ_cmp(req_oid, resp_oid) != 0) {
590 TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH); 588 TSerror(TS_R_POLICY_MISMATCH);
591 return 0; 589 return 0;
592 } 590 }
593 591
@@ -614,7 +612,7 @@ TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg,
614 612
615 /* Getting the MD object. */ 613 /* Getting the MD object. */
616 if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) { 614 if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) {
617 TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM); 615 TSerror(TS_R_UNSUPPORTED_MD_ALGORITHM);
618 goto err; 616 goto err;
619 } 617 }
620 618
@@ -624,7 +622,7 @@ TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg,
624 goto err; 622 goto err;
625 *imprint_len = length; 623 *imprint_len = length;
626 if (!(*imprint = malloc(*imprint_len))) { 624 if (!(*imprint = malloc(*imprint_len))) {
627 TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE); 625 TSerror(ERR_R_MALLOC_FAILURE);
628 goto err; 626 goto err;
629 } 627 }
630 628
@@ -675,7 +673,7 @@ TS_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a,
675 673
676err: 674err:
677 if (!ret) 675 if (!ret)
678 TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH); 676 TSerror(TS_R_MESSAGE_IMPRINT_MISMATCH);
679 return ret; 677 return ret;
680} 678}
681 679
@@ -686,13 +684,13 @@ TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
686 684
687 /* Error if nonce is missing. */ 685 /* Error if nonce is missing. */
688 if (!b) { 686 if (!b) {
689 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED); 687 TSerror(TS_R_NONCE_NOT_RETURNED);
690 return 0; 688 return 0;
691 } 689 }
692 690
693 /* No error if a nonce is returned without being requested. */ 691 /* No error if a nonce is returned without being requested. */
694 if (ASN1_INTEGER_cmp(a, b) != 0) { 692 if (ASN1_INTEGER_cmp(a, b) != 0) {
695 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH); 693 TSerror(TS_R_NONCE_MISMATCH);
696 return 0; 694 return 0;
697 } 695 }
698 696
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 21:48:47 +0000