[openssl] master update
dev at ddvo.net
dev at ddvo.net
Sat Mar 6 12:10:34 UTC 2021
The branch master has been updated
via 0dca5ede0d7a98bc9061f4a50846732e50ffda0f (commit)
from 9b9d24f0331f7175137bc60023e7a165ee886551 (commit)
- Log -----------------------------------------------------------------
commit 0dca5ede0d7a98bc9061f4a50846732e50ffda0f
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Feb 8 19:13:26 2021 +0100
Make more use of X509_add_certs(); minor related code & comments cleanup
This is a follow-up on #12615.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14436)
-----------------------------------------------------------------------
Summary of changes:
crypto/ocsp/ocsp_cl.c | 38 ++++++++------------------------------
crypto/ocsp/ocsp_srv.c | 13 ++-----------
crypto/x509/x509_cmp.c | 7 +++----
3 files changed, 13 insertions(+), 45 deletions(-)
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index 421b6ac341..2d544b444e 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -27,7 +27,6 @@
* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer:
* useful if we want to add extensions.
*/
-
OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
{
OCSP_ONEREQ *one = NULL;
@@ -45,7 +44,6 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
}
/* Set requestorName from an X509_NAME structure */
-
int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm)
{
GENERAL_NAME *gen = GENERAL_NAME_new();
@@ -63,19 +61,15 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm)
}
/* Add a certificate to an OCSP request */
-
int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
{
- OCSP_SIGNATURE *sig;
-
- if (req->optionalSignature == NULL)
- req->optionalSignature = OCSP_SIGNATURE_new();
- sig = req->optionalSignature;
- if (sig == NULL)
+ if (req->optionalSignature == NULL
+ && (req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
return 0;
if (cert == NULL)
return 1;
- return ossl_x509_add_cert_new(&sig->certs, cert, X509_ADD_FLAG_UP_REF);
+ return ossl_x509_add_cert_new(&req->optionalSignature->certs, cert,
+ X509_ADD_FLAG_UP_REF);
}
/*
@@ -83,16 +77,12 @@ int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
* optional signers certificate and include one or more optional certificates
* in the request. Behaves like PKCS7_sign().
*/
-
int OCSP_request_sign(OCSP_REQUEST *req,
X509 *signer,
EVP_PKEY *key,
const EVP_MD *dgst,
STACK_OF(X509) *certs, unsigned long flags)
{
- int i;
- X509 *x;
-
if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
goto err;
@@ -109,13 +99,10 @@ int OCSP_request_sign(OCSP_REQUEST *req,
}
if ((flags & OCSP_NOCERTS) == 0) {
- if (!OCSP_request_add1_cert(req, signer))
+ if (!OCSP_request_add1_cert(req, signer)
+ || !X509_add_certs(req->optionalSignature->certs, certs,
+ X509_ADD_FLAG_UP_REF))
goto err;
- for (i = 0; i < sk_X509_num(certs); i++) {
- x = sk_X509_value(certs, i);
- if (!OCSP_request_add1_cert(req, x))
- goto err;
- }
}
return 1;
@@ -126,7 +113,6 @@ int OCSP_request_sign(OCSP_REQUEST *req,
}
/* Get response status */
-
int OCSP_response_status(OCSP_RESPONSE *resp)
{
return ASN1_ENUMERATED_get(resp->responseStatus);
@@ -136,7 +122,6 @@ int OCSP_response_status(OCSP_RESPONSE *resp)
* Extract basic response from OCSP_RESPONSE or NULL if no basic response
* present.
*/
-
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
{
OCSP_RESPBYTES *rb = resp->responseBytes;
@@ -168,9 +153,7 @@ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
return &bs->tbsResponseData;
}
-/*
- * Return number of OCSP_SINGLERESP responses present in a basic response.
- */
+/* Return number of OCSP_SINGLERESP responses present in a basic response */
int OCSP_resp_count(OCSP_BASICRESP *bs)
{
@@ -180,7 +163,6 @@ int OCSP_resp_count(OCSP_BASICRESP *bs)
}
/* Extract an OCSP_SINGLERESP response with a given index */
-
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
{
if (bs == NULL)
@@ -237,7 +219,6 @@ int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
}
/* Look single response matching a given certificate ID */
-
int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
{
int i;
@@ -264,7 +245,6 @@ int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
* revtime and reason values are only set if the certificate status is
* revoked. Returns numerical value of status.
*/
-
int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
ASN1_GENERALIZEDTIME **revtime,
ASN1_GENERALIZEDTIME **thisupd,
@@ -300,7 +280,6 @@ int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
* This function combines the previous ones: look up a certificate ID and if
* found extract status information. Return 0 is successful.
*/
-
int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
int *reason,
ASN1_GENERALIZEDTIME **revtime,
@@ -328,7 +307,6 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
* accepting very old responses without a nextUpdate field an optional maxage
* parameter specifies the maximum age the thisUpdate field can be.
*/
-
int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
{
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 4a864f2d79..2bd8b40d65 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -20,7 +20,6 @@
* Utility functions related to sending OCSP responses and extracting
* relevant information from the request.
*/
-
int OCSP_request_onereq_count(OCSP_REQUEST *req)
{
return sk_OCSP_ONEREQ_num(req->tbsRequest.requestList);
@@ -155,7 +154,6 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
}
/* Add a certificate to an OCSP request */
-
int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
{
return ossl_x509_add_cert_new(&resp->certs, cert, X509_ADD_FLAG_UP_REF);
@@ -166,12 +164,10 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
* set the responderID to the subject name in the signer's certificate, and
* include one or more optional certificates in the response.
*/
-
int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
X509 *signer, EVP_MD_CTX *ctx,
STACK_OF(X509) *certs, unsigned long flags)
{
- int i;
OCSP_RESPID *rid;
EVP_PKEY *pkey;
@@ -187,13 +183,9 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
}
if (!(flags & OCSP_NOCERTS)) {
- if (!OCSP_basic_add1_cert(brsp, signer))
+ if (!OCSP_basic_add1_cert(brsp, signer)
+ || !X509_add_certs(brsp->certs, certs, X509_ADD_FLAG_UP_REF))
goto err;
- for (i = 0; i < sk_X509_num(certs); i++) {
- X509 *tmpcert = sk_X509_value(certs, i);
- if (!OCSP_basic_add1_cert(brsp, tmpcert))
- goto err;
- }
}
rid = &brsp->tbsResponseData.responderId;
@@ -212,7 +204,6 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
* Right now, I think that not doing double hashing is the right thing.
* -- Richard Levitte
*/
-
if (!OCSP_BASICRESP_sign_ctx(brsp, ctx, 0))
goto err;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index c29fe3cc5f..a149bf49dc 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -177,8 +177,7 @@ int X509_cmp(const X509 *a, const X509 *b)
int ossl_x509_add_cert_new(STACK_OF(X509) **p_sk, X509 *cert, int flags)
{
- if (*p_sk == NULL
- && (*p_sk = sk_X509_new_null()) == NULL) {
+ if (*p_sk == NULL && (*p_sk = sk_X509_new_null()) == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -216,7 +215,7 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
}
int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
-/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
+/* compiler would allow 'const' for the certs, yet they may get up-ref'ed */
{
if (sk == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
@@ -227,7 +226,7 @@ int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs,
int flags)
-/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
+/* compiler would allow 'const' for the certs, yet they may get up-ref'ed */
{
int n = sk_X509_num(certs /* may be NULL */);
int i;
More information about the openssl-commits
mailing list