diff options
Diffstat (limited to 'src/lib/libcrypto/ocsp/ocsp_vfy.c')
| -rw-r--r-- | src/lib/libcrypto/ocsp/ocsp_vfy.c | 46 |
1 files changed, 17 insertions, 29 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c index 80dd54e958..ebdd826878 100644 --- a/src/lib/libcrypto/ocsp/ocsp_vfy.c +++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ocsp_vfy.c,v 1.14 2016/11/05 13:27:53 miod Exp $ */ | 1 | /* $OpenBSD: ocsp_vfy.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2000. | 3 | * project 2000. |
| 4 | */ | 4 | */ |
| @@ -86,8 +86,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 86 | 86 | ||
| 87 | ret = ocsp_find_signer(&signer, bs, certs, st, flags); | 87 | ret = ocsp_find_signer(&signer, bs, certs, st, flags); |
| 88 | if (!ret) { | 88 | if (!ret) { |
| 89 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, | 89 | OCSPerror(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); |
| 90 | OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); | ||
| 91 | goto end; | 90 | goto end; |
| 92 | } | 91 | } |
| 93 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) | 92 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) |
| @@ -101,8 +100,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 101 | EVP_PKEY_free(skey); | 100 | EVP_PKEY_free(skey); |
| 102 | } | 101 | } |
| 103 | if (!skey || ret <= 0) { | 102 | if (!skey || ret <= 0) { |
| 104 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, | 103 | OCSPerror(OCSP_R_SIGNATURE_FAILURE); |
| 105 | OCSP_R_SIGNATURE_FAILURE); | ||
| 106 | goto end; | 104 | goto end; |
| 107 | } | 105 | } |
| 108 | } | 106 | } |
| @@ -116,8 +114,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 116 | for (i = 0; i < sk_X509_num(certs); i++) { | 114 | for (i = 0; i < sk_X509_num(certs); i++) { |
| 117 | if (!sk_X509_push(untrusted, | 115 | if (!sk_X509_push(untrusted, |
| 118 | sk_X509_value(certs, i))) { | 116 | sk_X509_value(certs, i))) { |
| 119 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, | 117 | OCSPerror(ERR_R_MALLOC_FAILURE); |
| 120 | ERR_R_MALLOC_FAILURE); | ||
| 121 | goto end; | 118 | goto end; |
| 122 | } | 119 | } |
| 123 | } | 120 | } |
| @@ -126,7 +123,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 126 | init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); | 123 | init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); |
| 127 | if (!init_res) { | 124 | if (!init_res) { |
| 128 | ret = -1; | 125 | ret = -1; |
| 129 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); | 126 | OCSPerror(ERR_R_X509_LIB); |
| 130 | goto end; | 127 | goto end; |
| 131 | } | 128 | } |
| 132 | 129 | ||
| @@ -141,8 +138,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 141 | X509_STORE_CTX_cleanup(&ctx); | 138 | X509_STORE_CTX_cleanup(&ctx); |
| 142 | if (ret <= 0) { | 139 | if (ret <= 0) { |
| 143 | i = X509_STORE_CTX_get_error(&ctx); | 140 | i = X509_STORE_CTX_get_error(&ctx); |
| 144 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, | 141 | OCSPerror(OCSP_R_CERTIFICATE_VERIFY_ERROR); |
| 145 | OCSP_R_CERTIFICATE_VERIFY_ERROR); | ||
| 146 | ERR_asprintf_error_data("Verify error:%s", | 142 | ERR_asprintf_error_data("Verify error:%s", |
| 147 | X509_verify_cert_error_string(i)); | 143 | X509_verify_cert_error_string(i)); |
| 148 | goto end; | 144 | goto end; |
| @@ -169,8 +165,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, | |||
| 169 | x = sk_X509_value(chain, sk_X509_num(chain) - 1); | 165 | x = sk_X509_value(chain, sk_X509_num(chain) - 1); |
| 170 | if (X509_check_trust(x, NID_OCSP_sign, 0) != | 166 | if (X509_check_trust(x, NID_OCSP_sign, 0) != |
| 171 | X509_TRUST_TRUSTED) { | 167 | X509_TRUST_TRUSTED) { |
| 172 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, | 168 | OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED); |
| 173 | OCSP_R_ROOT_CA_NOT_TRUSTED); | ||
| 174 | goto end; | 169 | goto end; |
| 175 | } | 170 | } |
| 176 | ret = 1; | 171 | ret = 1; |
| @@ -245,8 +240,7 @@ ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, | |||
| 245 | sresp = bs->tbsResponseData->responses; | 240 | sresp = bs->tbsResponseData->responses; |
| 246 | 241 | ||
| 247 | if (sk_X509_num(chain) <= 0) { | 242 | if (sk_X509_num(chain) <= 0) { |
| 248 | OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, | 243 | OCSPerror(OCSP_R_NO_CERTIFICATES_IN_CHAIN); |
| 249 | OCSP_R_NO_CERTIFICATES_IN_CHAIN); | ||
| 250 | return -1; | 244 | return -1; |
| 251 | } | 245 | } |
| 252 | 246 | ||
| @@ -288,8 +282,7 @@ ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) | |||
| 288 | 282 | ||
| 289 | idcount = sk_OCSP_SINGLERESP_num(sresp); | 283 | idcount = sk_OCSP_SINGLERESP_num(sresp); |
| 290 | if (idcount <= 0) { | 284 | if (idcount <= 0) { |
| 291 | OCSPerr(OCSP_F_OCSP_CHECK_IDS, | 285 | OCSPerror(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); |
| 292 | OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); | ||
| 293 | return -1; | 286 | return -1; |
| 294 | } | 287 | } |
| 295 | 288 | ||
| @@ -323,8 +316,7 @@ ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, | |||
| 323 | 316 | ||
| 324 | if (!(dgst = | 317 | if (!(dgst = |
| 325 | EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) { | 318 | EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) { |
| 326 | OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, | 319 | OCSPerror(OCSP_R_UNKNOWN_MESSAGE_DIGEST); |
| 327 | OCSP_R_UNKNOWN_MESSAGE_DIGEST); | ||
| 328 | return -1; | 320 | return -1; |
| 329 | } | 321 | } |
| 330 | 322 | ||
| @@ -365,7 +357,7 @@ ocsp_check_delegated(X509 *x, int flags) | |||
| 365 | X509_check_purpose(x, -1, 0); | 357 | X509_check_purpose(x, -1, 0); |
| 366 | if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) | 358 | if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) |
| 367 | return 1; | 359 | return 1; |
| 368 | OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); | 360 | OCSPerror(OCSP_R_MISSING_OCSPSIGNING_USAGE); |
| 369 | return 0; | 361 | return 0; |
| 370 | } | 362 | } |
| 371 | 363 | ||
| @@ -384,20 +376,18 @@ OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, | |||
| 384 | X509_STORE_CTX ctx; | 376 | X509_STORE_CTX ctx; |
| 385 | 377 | ||
| 386 | if (!req->optionalSignature) { | 378 | if (!req->optionalSignature) { |
| 387 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); | 379 | OCSPerror(OCSP_R_REQUEST_NOT_SIGNED); |
| 388 | return 0; | 380 | return 0; |
| 389 | } | 381 | } |
| 390 | gen = req->tbsRequest->requestorName; | 382 | gen = req->tbsRequest->requestorName; |
| 391 | if (!gen || gen->type != GEN_DIRNAME) { | 383 | if (!gen || gen->type != GEN_DIRNAME) { |
| 392 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, | 384 | OCSPerror(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); |
| 393 | OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); | ||
| 394 | return 0; | 385 | return 0; |
| 395 | } | 386 | } |
| 396 | nm = gen->d.directoryName; | 387 | nm = gen->d.directoryName; |
| 397 | ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags); | 388 | ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags); |
| 398 | if (ret <= 0) { | 389 | if (ret <= 0) { |
| 399 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, | 390 | OCSPerror(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); |
| 400 | OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); | ||
| 401 | return 0; | 391 | return 0; |
| 402 | } | 392 | } |
| 403 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) | 393 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) |
| @@ -409,8 +399,7 @@ OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, | |||
| 409 | ret = OCSP_REQUEST_verify(req, skey); | 399 | ret = OCSP_REQUEST_verify(req, skey); |
| 410 | EVP_PKEY_free(skey); | 400 | EVP_PKEY_free(skey); |
| 411 | if (ret <= 0) { | 401 | if (ret <= 0) { |
| 412 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, | 402 | OCSPerror(OCSP_R_SIGNATURE_FAILURE); |
| 413 | OCSP_R_SIGNATURE_FAILURE); | ||
| 414 | return 0; | 403 | return 0; |
| 415 | } | 404 | } |
| 416 | } | 405 | } |
| @@ -424,7 +413,7 @@ OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, | |||
| 424 | init_res = X509_STORE_CTX_init(&ctx, store, signer, | 413 | init_res = X509_STORE_CTX_init(&ctx, store, signer, |
| 425 | req->optionalSignature->certs); | 414 | req->optionalSignature->certs); |
| 426 | if (!init_res) { | 415 | if (!init_res) { |
| 427 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB); | 416 | OCSPerror(ERR_R_X509_LIB); |
| 428 | return 0; | 417 | return 0; |
| 429 | } | 418 | } |
| 430 | 419 | ||
| @@ -439,8 +428,7 @@ OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, | |||
| 439 | X509_STORE_CTX_cleanup(&ctx); | 428 | X509_STORE_CTX_cleanup(&ctx); |
| 440 | if (ret <= 0) { | 429 | if (ret <= 0) { |
| 441 | ret = X509_STORE_CTX_get_error(&ctx); | 430 | ret = X509_STORE_CTX_get_error(&ctx); |
| 442 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, | 431 | OCSPerror(OCSP_R_CERTIFICATE_VERIFY_ERROR); |
| 443 | OCSP_R_CERTIFICATE_VERIFY_ERROR); | ||
| 444 | ERR_asprintf_error_data("Verify error:%s", | 432 | ERR_asprintf_error_data("Verify error:%s", |
| 445 | X509_verify_cert_error_string(ret)); | 433 | X509_verify_cert_error_string(ret)); |
| 446 | return 0; | 434 | return 0; |