[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Thu May 12 15:51:45 UTC 2016 

The branch master has been updated
       via  6302bbd21a79bd2ed59f214d6d042031384b4d12 (commit)
      from  d535e5652688447deaf8a9eddc2b8cdc4f8f6ce9 (commit)


- Log -----------------------------------------------------------------
commit 6302bbd21a79bd2ed59f214d6d042031384b4d12
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu May 12 15:24:06 2016 +0100

    Correctly check for trailing digest options.
    
    Multiple digest options to the ocsp utility are allowed: e.g. to use
    different digests for different certificate IDs. A digest option without
    a following certificate is however illegal.
    
    RT#4215
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/ocsp.c       | 12 +++++++++++-
 doc/apps/ocsp.pod | 31 ++++++++++++++++---------------
 2 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index fd38da4..416e05c 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -228,6 +228,7 @@ int ocsp_main(int argc, char **argv)
 {
     BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;
     const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+    int trailing_md = 0;
     CA_DB *rdb = NULL;
     EVP_PKEY *key = NULL, *rkey = NULL;
     OCSP_BASICRESP *bs = NULL;
@@ -439,6 +440,7 @@ int ocsp_main(int argc, char **argv)
                 goto end;
             if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
                 goto end;
+            trailing_md = 0;
             break;
         case OPT_SERIAL:
             if (cert_id_md == NULL)
@@ -447,6 +449,7 @@ int ocsp_main(int argc, char **argv)
                 goto end;
             if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
                 goto end;
+            trailing_md = 0;
             break;
         case OPT_INDEX:
             ridx_filename = opt_arg();
@@ -490,7 +493,7 @@ int ocsp_main(int argc, char **argv)
                 goto end;
             break;
         case OPT_MD:
-            if (cert_id_md != NULL) {
+            if (trailing_md) {
                 BIO_printf(bio_err,
                            "%s: Digest must be before -cert or -serial\n",
                            prog);
@@ -498,9 +501,16 @@ int ocsp_main(int argc, char **argv)
             }
             if (!opt_md(opt_unknown(), &cert_id_md))
                 goto opthelp;
+            trailing_md = 1;
             break;
         }
     }
+
+    if (trailing_md) {
+        BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
+                   prog);
+        goto opthelp;
+    }
     argc = opt_num_rest();
     if (argc != 0)
         goto opthelp;
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 3e667e6..a5bb22f 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -266,24 +266,25 @@ only be used for testing purposes.
 =item B<-validity_period nsec>, B<-status_age age>
 
 these options specify the range of times, in seconds, which will be tolerated
-in an OCSP response. Each certificate status response includes a B<notBefore> time and
-an optional B<notAfter> time. The current time should fall between these two values, but
-the interval between the two times may be only a few seconds. In practice the OCSP
-responder and clients clocks may not be precisely synchronised and so such a check
-may fail. To avoid this the B<-validity_period> option can be used to specify an
-acceptable error range in seconds, the default value is 5 minutes.
-
-If the B<notAfter> time is omitted from a response then this means that new status
-information is immediately available. In this case the age of the B<notBefore> field
-is checked to see it is not older than B<age> seconds old. By default this additional
-check is not performed.
+in an OCSP response. Each certificate status response includes a B<notBefore>
+time and an optional B<notAfter> time. The current time should fall between
+these two values, but the interval between the two times may be only a few
+seconds. In practice the OCSP responder and clients clocks may not be precisely
+synchronised and so such a check may fail. To avoid this the
+B<-validity_period> option can be used to specify an acceptable error range in
+seconds, the default value is 5 minutes.
+
+If the B<notAfter> time is omitted from a response then this means that new
+status information is immediately available. In this case the age of the
+B<notBefore> field is checked to see it is not older than B<age> seconds old.
+By default this additional check is not performed.
 
 =item B<-[digest]>
 
-this option sets digest algorithm to use for certificate identification
-in the OCSP request.
-Any digest supported by the OpenSSL B<dgst> command can be used.
-The default is SHA-1.
+this option sets digest algorithm to use for certificate identification in the
+OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
+The default is SHA-1. This option may be used multiple times to specify the
+digest used by subsequent certificate identifiers.
 
 =back

More information about the openssl-commits mailing list