Diffstat (limited to 'src/lib/libcrypto/ocsp/ocsp_cl.c')
| -rw-r--r-- | src/lib/libcrypto/ocsp/ocsp_cl.c | 29 |
1 files changed, 10 insertions, 19 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c index 6b8fb87880..04ea6866a5 100644 --- a/src/lib/libcrypto/ocsp/ocsp_cl.c +++ b/src/lib/libcrypto/ocsp/ocsp_cl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ocsp_cl.c,v 1.13 2016/12/30 15:31:58 jsing Exp $ */ | 1 | /* $OpenBSD: ocsp_cl.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */ |
| 2 | /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL | 2 | /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL |
| 3 | * project. */ | 3 | * project. */ |
| 4 | 4 | ||
| @@ -159,8 +159,7 @@ OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, | |||
| 159 | goto err; | 159 | goto err; |
| 160 | if (key) { | 160 | if (key) { |
| 161 | if (!X509_check_private_key(signer, key)) { | 161 | if (!X509_check_private_key(signer, key)) { |
| 162 | OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, | 162 | OCSPerror(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); |
| 163 | OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); | ||
| 164 | goto err; | 163 | goto err; |
| 165 | } | 164 | } |
| 166 | if (!OCSP_REQUEST_sign(req, key, dgst)) | 165 | if (!OCSP_REQUEST_sign(req, key, dgst)) |
| @@ -202,13 +201,11 @@ OCSP_response_get1_basic(OCSP_RESPONSE *resp) | |||
| 202 | 201 | ||
| 203 | rb = resp->responseBytes; | 202 | rb = resp->responseBytes; |
| 204 | if (!rb) { | 203 | if (!rb) { |
| 205 | OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, | 204 | OCSPerror(OCSP_R_NO_RESPONSE_DATA); |
| 206 | OCSP_R_NO_RESPONSE_DATA); | ||
| 207 | return NULL; | 205 | return NULL; |
| 208 | } | 206 | } |
| 209 | if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) { | 207 | if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) { |
| 210 | OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, | 208 | OCSPerror(OCSP_R_NOT_BASIC_RESPONSE); |
| 211 | OCSP_R_NOT_BASIC_RESPONSE); | ||
| 212 | return NULL; | 209 | return NULL; |
| 213 | } | 210 | } |
| 214 | 211 | ||
| @@ -341,16 +338,14 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, | |||
| 341 | /* Check thisUpdate is valid and not more than nsec in the future */ | 338 | /* Check thisUpdate is valid and not more than nsec in the future */ |
| 342 | if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this, | 339 | if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this, |
| 343 | V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { | 340 | V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { |
| 344 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 341 | OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD); |
| 345 | OCSP_R_ERROR_IN_THISUPDATE_FIELD); | ||
| 346 | return 0; | 342 | return 0; |
| 347 | } else { | 343 | } else { |
| 348 | t_tmp = t_now + nsec; | 344 | t_tmp = t_now + nsec; |
| 349 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) | 345 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) |
| 350 | return 0; | 346 | return 0; |
| 351 | if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) { | 347 | if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) { |
| 352 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 348 | OCSPerror(OCSP_R_STATUS_NOT_YET_VALID); |
| 353 | OCSP_R_STATUS_NOT_YET_VALID); | ||
| 354 | return 0; | 349 | return 0; |
| 355 | } | 350 | } |
| 356 | 351 | ||
| @@ -363,8 +358,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, | |||
| 363 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) | 358 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) |
| 364 | return 0; | 359 | return 0; |
| 365 | if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) { | 360 | if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) { |
| 366 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 361 | OCSPerror(OCSP_R_STATUS_TOO_OLD); |
| 367 | OCSP_R_STATUS_TOO_OLD); | ||
| 368 | return 0; | 362 | return 0; |
| 369 | } | 363 | } |
| 370 | } | 364 | } |
| @@ -376,24 +370,21 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, | |||
| 376 | /* Check nextUpdate is valid and not more than nsec in the past */ | 370 | /* Check nextUpdate is valid and not more than nsec in the past */ |
| 377 | if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next, | 371 | if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next, |
| 378 | V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { | 372 | V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) { |
| 379 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 373 | OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); |
| 380 | OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); | ||
| 381 | return 0; | 374 | return 0; |
| 382 | } else { | 375 | } else { |
| 383 | t_tmp = t_now - nsec; | 376 | t_tmp = t_now - nsec; |
| 384 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) | 377 | if (gmtime_r(&t_tmp, &tm_tmp) == NULL) |
| 385 | return 0; | 378 | return 0; |
| 386 | if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) { | 379 | if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) { |
| 387 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 380 | OCSPerror(OCSP_R_STATUS_EXPIRED); |
| 388 | OCSP_R_STATUS_EXPIRED); | ||
| 389 | return 0; | 381 | return 0; |
| 390 | } | 382 | } |
| 391 | } | 383 | } |
| 392 | 384 | ||
| 393 | /* Also don't allow nextUpdate to precede thisUpdate */ | 385 | /* Also don't allow nextUpdate to precede thisUpdate */ |
| 394 | if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) { | 386 | if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) { |
| 395 | OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, | 387 | OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE); |
| 396 | OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE); | ||
| 397 | return 0; | 388 | return 0; |
| 398 | } | 389 | } |
| 399 | 390 | ||
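Review bot: The three `gmtime_r(&t_tmp, &tm_tmp) == NULL` paths in OCSP_check_validity (old lines 349, 363 and 384, shown unchanged beside the converted OCSPerror() calls) still `return 0` without pushing anything on the error queue, so a caller whose validity check fails there finds no OCSP error to report, unlike every other failure path this commit touches. Since the commit is already rewriting the error reporting in this function, those three sites should push a reason as well, e.g. `OCSPerror(ERR_R_INTERNAL_ERROR);` before the `return 0;` (or a project-chosen OCSP_R_ reason if one fits better). Failing closed there is correct; the gap is only in diagnosability of the rejection. OCSP_check_validity starts before the first of these hunks and continues past the last.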
