[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Tue Mar 24 12:13:38 UTC 2015
The branch master has been updated
via 4ca5efc2874e094d6382b30416824eda6dde52fe (commit)
from 86d20cb6fd3267a603a3e4ec549ef1113c13a374 (commit)
- Log -----------------------------------------------------------------
commit 4ca5efc2874e094d6382b30416824eda6dde52fe
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Mar 22 17:34:56 2015 +0000
Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.
PR#3668
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/ocsp/ocsp_vfy.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 8beadf7..40a3b01 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -84,6 +84,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
{
X509 *signer, *x;
STACK_OF(X509) *chain = NULL;
+ STACK_OF(X509) *untrusted = NULL;
X509_STORE_CTX ctx;
int i, ret = 0;
ret = ocsp_find_signer(&signer, bs, certs, st, flags);
@@ -108,10 +109,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
}
if (!(flags & OCSP_NOVERIFY)) {
int init_res;
- if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+ if (flags & OCSP_NOCHAIN) {
+ untrusted = NULL;
+ } else if (bs->certs && certs) {
+ untrusted = sk_X509_dup(bs->certs);
+ for (i = 0; i < sk_X509_num(certs); i++) {
+ if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+ }
+ } else {
+ untrusted = bs->certs;
+ }
+ init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
if (!init_res) {
ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
@@ -162,6 +173,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
end:
if (chain)
sk_X509_pop_free(chain, X509_free);
+ if (bs->certs && certs)
+ sk_X509_free(untrusted);
return ret;
}
More information about the openssl-commits
mailing list