[openssl] master update
dev at ddvo.net
dev at ddvo.net
Sat Mar 6 12:02:53 UTC 2021
The branch master has been updated
via 9b9d24f0331f7175137bc60023e7a165ee886551 (commit)
via f477cdfadd9604eef162a98f5f69c7ca61da5a26 (commit)
from 29ce1066bc54838ecb835244b03d763b55d7fadb (commit)
- Log -----------------------------------------------------------------
commit 9b9d24f0331f7175137bc60023e7a165ee886551
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Mar 1 08:56:46 2021 +0100
OCSP_resp_find_status.pod: Complete the RETURN VALUES section
Supersedes #11877. Also make order in NAME section consistent.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14347)
commit f477cdfadd9604eef162a98f5f69c7ca61da5a26
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Mar 1 08:54:52 2021 +0100
crypto/ocsp/ocsp_cl.c: coding style improvements
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14347)
-----------------------------------------------------------------------
Summary of changes:
crypto/ocsp/ocsp_cl.c | 46 ++++++++++++++-------------
doc/man3/OCSP_resp_find_status.pod | 65 +++++++++++++++++++++++---------------
2 files changed, 63 insertions(+), 48 deletions(-)
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index 40d26fb871..421b6ac341 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -38,21 +38,18 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
one->reqCert = cid;
if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
one->reqCert = NULL; /* do not free on error */
- goto err;
+ OCSP_ONEREQ_free(one);
+ return NULL;
}
return one;
- err:
- OCSP_ONEREQ_free(one);
- return NULL;
}
/* Set requestorName from an X509_NAME structure */
int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm)
{
- GENERAL_NAME *gen;
+ GENERAL_NAME *gen = GENERAL_NAME_new();
- gen = GENERAL_NAME_new();
if (gen == NULL)
return 0;
if (!X509_NAME_set(&gen->d.directoryName, nm)) {
@@ -70,6 +67,7 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm)
int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
{
OCSP_SIGNATURE *sig;
+
if (req->optionalSignature == NULL)
req->optionalSignature = OCSP_SIGNATURE_new();
sig = req->optionalSignature;
@@ -100,7 +98,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
goto err;
- if (key) {
+ if (key != NULL) {
if (!X509_check_private_key(signer, key)) {
ERR_raise(ERR_LIB_OCSP,
OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
@@ -110,7 +108,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
goto err;
}
- if (!(flags & OCSP_NOCERTS)) {
+ if ((flags & OCSP_NOCERTS) == 0) {
if (!OCSP_request_add1_cert(req, signer))
goto err;
for (i = 0; i < sk_X509_num(certs); i++) {
@@ -141,9 +139,9 @@ int OCSP_response_status(OCSP_RESPONSE *resp)
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
{
- OCSP_RESPBYTES *rb;
- rb = resp->responseBytes;
- if (!rb) {
+ OCSP_RESPBYTES *rb = resp->responseBytes;
+
+ if (rb == NULL) {
ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_RESPONSE_DATA);
return NULL;
}
@@ -176,7 +174,7 @@ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
int OCSP_resp_count(OCSP_BASICRESP *bs)
{
- if (!bs)
+ if (bs == NULL)
return -1;
return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
}
@@ -185,12 +183,12 @@ int OCSP_resp_count(OCSP_BASICRESP *bs)
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
{
- if (!bs)
+ if (bs == NULL)
return NULL;
return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
}
-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs)
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP *bs)
{
return bs->tbsResponseData.producedAt;
}
@@ -245,7 +243,8 @@ int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
int i;
STACK_OF(OCSP_SINGLERESP) *sresp;
OCSP_SINGLERESP *single;
- if (!bs)
+
+ if (bs == NULL)
return -1;
if (last < 0)
last = 0;
@@ -273,12 +272,14 @@ int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
{
int ret;
OCSP_CERTSTATUS *cst;
- if (!single)
+
+ if (single == NULL)
return -1;
cst = single->certStatus;
ret = cst->type;
if (ret == V_OCSP_CERTSTATUS_REVOKED) {
OCSP_REVOKEDINFO *rev = cst->value.revoked;
+
if (revtime)
*revtime = rev->revocationTime;
if (reason) {
@@ -288,9 +289,9 @@ int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
*reason = -1;
}
}
- if (thisupd)
+ if (thisupd != NULL)
*thisupd = single->thisUpdate;
- if (nextupd)
+ if (nextupd != NULL)
*nextupd = single->nextUpdate;
return ret;
}
@@ -306,15 +307,15 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
ASN1_GENERALIZEDTIME **thisupd,
ASN1_GENERALIZEDTIME **nextupd)
{
- int i;
+ int i = OCSP_resp_find(bs, id, -1);
OCSP_SINGLERESP *single;
- i = OCSP_resp_find(bs, id, -1);
+
/* Maybe check for multiple responses and give an error? */
if (i < 0)
return 0;
single = OCSP_resp_get0(bs, i);
i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
- if (status)
+ if (status != NULL)
*status = i;
return 1;
}
@@ -333,6 +334,7 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
{
int ret = 1;
time_t t_now, t_tmp;
+
time(&t_now);
/* Check thisUpdate is valid and not more than nsec in the future */
if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
@@ -358,7 +360,7 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
}
}
- if (!nextupd)
+ if (nextupd == NULL)
return ret;
/* Check nextUpdate is valid and not more than nsec in the past */
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index bc3c2127bc..3ded33f425 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -2,17 +2,13 @@
=head1 NAME
-OCSP_resp_get0_certs,
-OCSP_resp_get0_signer,
-OCSP_resp_get0_id,
-OCSP_resp_get1_id,
-OCSP_resp_get0_produced_at,
-OCSP_resp_get0_signature,
-OCSP_resp_get0_tbs_sigalg,
-OCSP_resp_get0_respdata,
-OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
-OCSP_single_get0_status, OCSP_check_validity,
-OCSP_basic_verify
+OCSP_resp_find_status, OCSP_resp_count,
+OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status,
+OCSP_resp_get0_produced_at, OCSP_resp_get0_signature,
+OCSP_resp_get0_tbs_sigalg, OCSP_resp_get0_respdata,
+OCSP_resp_get0_certs, OCSP_resp_get0_signer,
+OCSP_resp_get0_id, OCSP_resp_get1_id,
+OCSP_check_validity, OCSP_basic_verify
- OCSP response utility functions
=head1 SYNOPSIS
@@ -75,9 +71,8 @@ B<OCSP_REVOKED_STATUS_CERTIFICATEHOLD> or B<OCSP_REVOKED_STATUS_REMOVEFROMCRL>.
OCSP_resp_count() returns the number of B<OCSP_SINGLERESP> structures in I<bs>.
-OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in I<bs>
-corresponding to index I<idx>. Where I<idx> runs from 0 to
-OCSP_resp_count(bs) - 1.
+OCSP_resp_get0() returns the B<OCSP_SINGLERESP> structure in I<bs> corresponding
+to index I<idx>, where I<idx> runs from 0 to OCSP_resp_count(bs) - 1.
OCSP_resp_find() searches I<bs> for I<id> and returns the index of the first
matching entry after I<last> or starting from the beginning if I<last> is -1.
@@ -105,10 +100,11 @@ signed the response are known via some out-of-band mechanism.
OCSP_resp_get0_id() gets the responder id of I<bs>. If the responder ID is
a name then <*pname> is set to the name and I<*pid> is set to NULL. If the
responder ID is by key ID then I<*pid> is set to the key ID and I<*pname>
-is set to NULL. OCSP_resp_get1_id() leaves ownership of I<*pid> and I<*pname>
-with the caller, who is responsible for freeing them. Both functions return 1
-in case of success and 0 in case of failure. If OCSP_resp_get1_id() returns 0,
-no freeing of the results is necessary.
+is set to NULL.
+
+OCSP_resp_get1_id() is the same as OCSP_resp_get0_id()
+but leaves ownership of I<*pid> and I<*pname> with the caller,
+who is responsible for freeing them unless the function returns 0.
OCSP_check_validity() checks the validity of its I<thisupd> and I<nextupd>
arguments, which will be typically obtained from OCSP_resp_find_status() or
@@ -148,23 +144,40 @@ trust for OCSP signing in the root CA certificate.
OCSP_resp_find_status() returns 1 if I<id> is found in I<bs> and 0 otherwise.
-OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in
-I<bs>.
+OCSP_resp_count() returns the total number of B<OCSP_SINGLERESP> fields in I<bs>
+or -1 on error.
OCSP_resp_get0() returns a pointer to an B<OCSP_SINGLERESP> structure or
-NULL if I<idx> is out of range.
+NULL on error, such as I<idx> being out of range.
-OCSP_resp_find() returns the index of I<id> in I<bs> (which may be 0) or -1 if
-I<id> was not found.
+OCSP_resp_find() returns the index of I<id> in I<bs> (which may be 0)
+or -1 on error, such as when I<id> was not found.
OCSP_single_get0_status() returns the status of I<single> or -1 if an error
occurred.
+OCSP_resp_get0_produced_at() returns the B<producedAt> field from I<bs>.
+
+OCSP_resp_get0_signature() returns the signature from I<bs>.
+
+OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> field from I<bs>.
+
+OCSP_resp_get0_respdata() returns the B<tbsResponseData> field from I<bs>.
+
+OCSP_resp_get0_certs() returns any certificates included in I<bs>.
+
OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
-or 0 on error.
+or 0 if not found or on error.
+
+OCSP_resp_get0_id() and OCSP_resp_get1_id() return 1 on success, 0 on failure.
+
+OCSP_check_validity() returns 1 if I<thisupd> and I<nextupd> are valid time
+values and the current time + I<sec> is not before I<thisupd> and,
+if I<maxsec> >= 0, the current time - I<maxsec> is not past I<nextupd>.
+Otherwise it returns 0 to indicate an error.
-OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such
-as malloc failure.
+OCSP_basic_verify() returns 1 on success, 0 on verification not successful,
+or -1 on a fatal error such as malloc failure.
=head1 NOTES
More information about the openssl-commits
mailing list