1 files changed, 75 insertions, 5 deletions
diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3
index 1c4da4e99e..a32019c4d6 100644
--- a/src/lib/libcrypto/man/OCSP_resp_find_status.3
+++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3
@@ -1,5 +1,6 @@
-.\" $OpenBSD: OCSP_resp_find_status.3,v 1.8 2018/03/23 23:18:17 schwarze Exp $
+.\" $OpenBSD: OCSP_resp_find_status.3,v 1.9 2019/03/15 11:15:33 schwarze Exp $
 .\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400
+.\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
@@ -18,8 +19,9 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
+.\" and David von Oheimb <David.von.Oheimb@siemens.com>.
+.\" Copyright (c) 2014, 2018 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -65,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: March 15 2019 $
 .Dt OCSP_RESP_FIND_STATUS 3
 .Os
 .Sh NAME
@@ -81,7 +83,8 @@
 .Nm OCSP_resp_find ,
 .Nm OCSP_SINGLERESP_get0_id ,
 .Nm OCSP_single_get0_status ,
-.Nm OCSP_check_validity
+.Nm OCSP_check_validity ,
+.Nm OCSP_basic_verify
 .Nd OCSP response utility functions
 .Sh SYNOPSIS
 .In openssl/ocsp.h
@@ -141,6 +144,13 @@
 .Fa "long sec"
 .Fa "long maxsec"
 .Fc
+.Ft int
+.Fo OCSP_basic_verify
+.Fa "OCSP_BASICRESP *bs"
+.Fa "STACK_OF(X509) *certs"
+.Fa "X509_STORE *st"
+.Fa "unsigned long flags"
+.Fc
 .Sh DESCRIPTION
 .Fn OCSP_SINGLERESP_new
 allocates and initializes an empty
@@ -322,6 +332,63 @@ application.
 Any or all of these parameters can be set to
 .Dv NULL
 if their value is not required.
+.Pp
+.Fn OCSP_basic_verify
+checks that the basic response message
+.Fa bs
+is correctly signed and that the signer certificate can be validated.
+It takes
+.Fa st
+as the trusted store and
+.Fa certs
+as a set of untrusted intermediate certificates.
+The function first tries to find the signer certificate of the response in
+.Fa certs .
+It also searches the certificates the responder may have included in
+.Fa bs
+unless the
+.Fa flags
+contain
+.Dv OCSP_NOINTERN .
+It fails if the signer certificate cannot be found.
+Next, the function checks the signature of
+.Fa bs
+and fails on error unless the
+.Fa flags
+contain
+.Dv OCSP_NOSIGS .
+Then the function already returns
+success if the
+.Fa flags
+contain
+.Dv OCSP_NOVERIFY
+or if the signer certificate was found in
+.Fa certs
+and the
+.Fa flags
+contain
+.Dv OCSP_TRUSTOTHER .
+Otherwise the function continues by validating the signer certificate.
+To this end, all certificates in
+.Fa certs
+and in
+.Fa bs
+are considered as untrusted certificates for the construction of
+the validation path for the signer certificate unless the
+.Dv OCSP_NOCHAIN
+flag is set.
+After successful path
+validation, the function returns success if the
+.Dv OCSP_NOCHECKS
+flag is set.
+Otherwise it verifies that the signer certificate meets the OCSP issuer
+criteria including potential delegation.
+If this does not succeed and the
+.Fa flags
+do not contain
+.Dv OCSP_NOEXPLICIT ,
+the function checks for explicit trust for OCSP signing
+in the root CA certificate.
 .Sh RETURN VALUES
 .Fn OCSP_SINGLERESP_new ,
 .Fn OCSP_CERTSTATUS_new ,
@@ -376,6 +443,9 @@ the returned pointer should not be freed by the caller.
 returns the status of
 .Fa single
 or -1 if an error occurred.
+.Pp
+.Fn OCSP_basic_verify
+returns 1 on success, 0 on error, or -1 on fatal error such as malloc failure.
 .Sh SEE ALSO
 .Xr OCSP_cert_to_id 3 ,
 .Xr OCSP_CRLID_new 3 ,

diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3 index 1c4da4e99e..a32019c4d6 100644 --- a/src/lib/libcrypto/man/OCSP_resp_find_status.3 +++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3
@@ -1,5 +1,6 @@
1	.\" $OpenBSD: OCSP_resp_find_status.3,v 1.8 2018/03/23 23:18:17 schwarze Exp $	1	.\" $OpenBSD: OCSP_resp_find_status.3,v 1.9 2019/03/15 11:15:33 schwarze Exp $
2	.\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400	2	.\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400
		3	.\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
3	.\"	4	.\"
4	.\" This file is a derived work.	5	.\" This file is a derived work.
5	.\" The changes are covered by the following Copyright and license:	6	.\" The changes are covered by the following Copyright and license:
@@ -18,8 +19,9 @@
18	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	19	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	20	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20	.\"	21	.\"
21	.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.	22	.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
22	.\" Copyright (c) 2014 The OpenSSL Project. All rights reserved.	23	.\" and David von Oheimb <David.von.Oheimb@siemens.com>.
		24	.\" Copyright (c) 2014, 2018 The OpenSSL Project. All rights reserved.
23	.\"	25	.\"
24	.\" Redistribution and use in source and binary forms, with or without	26	.\" Redistribution and use in source and binary forms, with or without
25	.\" modification, are permitted provided that the following conditions	27	.\" modification, are permitted provided that the following conditions
@@ -65,7 +67,7 @@
65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
67	.\"	69	.\"
68	.Dd $Mdocdate: March 23 2018 $	70	.Dd $Mdocdate: March 15 2019 $
69	.Dt OCSP_RESP_FIND_STATUS 3	71	.Dt OCSP_RESP_FIND_STATUS 3
70	.Os	72	.Os
71	.Sh NAME	73	.Sh NAME
@@ -81,7 +83,8 @@
81	.Nm OCSP_resp_find ,	83	.Nm OCSP_resp_find ,
82	.Nm OCSP_SINGLERESP_get0_id ,	84	.Nm OCSP_SINGLERESP_get0_id ,
83	.Nm OCSP_single_get0_status ,	85	.Nm OCSP_single_get0_status ,
84	.Nm OCSP_check_validity	86	.Nm OCSP_check_validity ,
		87	.Nm OCSP_basic_verify
85	.Nd OCSP response utility functions	88	.Nd OCSP response utility functions
86	.Sh SYNOPSIS	89	.Sh SYNOPSIS
87	.In openssl/ocsp.h	90	.In openssl/ocsp.h
@@ -141,6 +144,13 @@
141	.Fa "long sec"	144	.Fa "long sec"
142	.Fa "long maxsec"	145	.Fa "long maxsec"
143	.Fc	146	.Fc
		147	.Ft int
		148	.Fo OCSP_basic_verify
		149	.Fa "OCSP_BASICRESP *bs"
		150	.Fa "STACK_OF(X509) *certs"
		151	.Fa "X509_STORE *st"
		152	.Fa "unsigned long flags"
		153	.Fc
144	.Sh DESCRIPTION	154	.Sh DESCRIPTION
145	.Fn OCSP_SINGLERESP_new	155	.Fn OCSP_SINGLERESP_new
146	allocates and initializes an empty	156	allocates and initializes an empty
@@ -322,6 +332,63 @@ application.
322	Any or all of these parameters can be set to	332	Any or all of these parameters can be set to
323	.Dv NULL	333	.Dv NULL
324	if their value is not required.	334	if their value is not required.
		335	.Pp
		336	.Fn OCSP_basic_verify
		337	checks that the basic response message
		338	.Fa bs
		339	is correctly signed and that the signer certificate can be validated.
		340	It takes
		341	.Fa st
		342	as the trusted store and
		343	.Fa certs
		344	as a set of untrusted intermediate certificates.
		345	The function first tries to find the signer certificate of the response in
		346	.Fa certs .
		347	It also searches the certificates the responder may have included in
		348	.Fa bs
		349	unless the
		350	.Fa flags
		351	contain
		352	.Dv OCSP_NOINTERN .
		353	It fails if the signer certificate cannot be found.
		354	Next, the function checks the signature of
		355	.Fa bs
		356	and fails on error unless the
		357	.Fa flags
		358	contain
		359	.Dv OCSP_NOSIGS .
		360	Then the function already returns
		361	success if the
		362	.Fa flags
		363	contain
		364	.Dv OCSP_NOVERIFY
		365	or if the signer certificate was found in
		366	.Fa certs
		367	and the
		368	.Fa flags
		369	contain
		370	.Dv OCSP_TRUSTOTHER .
		371	Otherwise the function continues by validating the signer certificate.
		372	To this end, all certificates in
		373	.Fa certs
		374	and in
		375	.Fa bs
		376	are considered as untrusted certificates for the construction of
		377	the validation path for the signer certificate unless the
		378	.Dv OCSP_NOCHAIN
		379	flag is set.
		380	After successful path
		381	validation, the function returns success if the
		382	.Dv OCSP_NOCHECKS
		383	flag is set.
		384	Otherwise it verifies that the signer certificate meets the OCSP issuer
		385	criteria including potential delegation.
		386	If this does not succeed and the
		387	.Fa flags
		388	do not contain
		389	.Dv OCSP_NOEXPLICIT ,
		390	the function checks for explicit trust for OCSP signing
		391	in the root CA certificate.
325	.Sh RETURN VALUES	392	.Sh RETURN VALUES
326	.Fn OCSP_SINGLERESP_new ,	393	.Fn OCSP_SINGLERESP_new ,
327	.Fn OCSP_CERTSTATUS_new ,	394	.Fn OCSP_CERTSTATUS_new ,
@@ -376,6 +443,9 @@ the returned pointer should not be freed by the caller.
376	returns the status of	443	returns the status of
377	.Fa single	444	.Fa single
378	or -1 if an error occurred.	445	or -1 if an error occurred.
		446	.Pp
		447	.Fn OCSP_basic_verify
		448	returns 1 on success, 0 on error, or -1 on fatal error such as malloc failure.
379	.Sh SEE ALSO	449	.Sh SEE ALSO
380	.Xr OCSP_cert_to_id 3 ,	450	.Xr OCSP_cert_to_id 3 ,
381	.Xr OCSP_CRLID_new 3 ,	451	.Xr OCSP_CRLID_new 3 ,