Loading CHANGES +2 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,8 @@ _______________ Changes between 1.0.x and 1.1.0 [xx XXX xxxx] *) Fix OCSP checking. [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie] *) New option -crl_download in several openssl utilities to download CRLs from CRLDP extension in certificates. Loading apps/ocsp.c +5 −5 Original line number Diff line number Diff line Loading @@ -866,6 +866,8 @@ int MAIN(int argc, char **argv) goto end; } ret = 0; if (!noverify) { if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) Loading @@ -875,17 +877,17 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Nonce Verify error\n"); ret = 1; goto end; } } i = OCSP_basic_verify(bs, verify_other, store, verify_flags); if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0); if(i <= 0) { BIO_printf(bio_err, "Response Verify Failure\n"); ERR_print_errors(bio_err); ret = 1; } else BIO_printf(bio_err, "Response verify OK\n"); Loading @@ -893,9 +895,7 @@ int MAIN(int argc, char **argv) } if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage)) goto end; ret = 0; ret = 1; end: ERR_print_errors(bio_err); Loading crypto/ocsp/ocsp_vfy.c +66 −7 Original line number Diff line number Diff line Loading @@ -77,8 +77,10 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { X509 *signer, *x; STACK_OF(X509) *chain = NULL; STACK_OF(X509) *tmpchain = NULL; X509_STORE *tmpstore = NULL; X509_STORE_CTX ctx; int i, ret = 0; int i, ret; ret = ocsp_find_signer(&signer, bs, certs, st, flags); if (!ret) { Loading @@ -86,7 +88,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, goto end; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; chain = certs; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; Loading 
@@ -102,6 +104,60 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, if (!(flags & OCSP_NOVERIFY)) { int init_res; /* If we trust the signer, we don't need to build a chain. * (If the signer is a root certificate, X509_verify_cert() * would fail anyway!) */ if (chain == certs) goto verified_chain; /* If we trust some "other" certificates, mark them as * explicitly trusted (because some of them might be * Intermediate CA Certificates), put them in a store and * attempt to build a trusted chain. */ if ((flags & OCSP_TRUSTOTHER) && (certs != NULL)) { ASN1_OBJECT *objtmp = OBJ_nid2obj(NID_OCSP_sign); tmpstore = X509_STORE_new(); if (!tmpstore) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); goto end; } for (i = 0; i < sk_X509_num(certs); i++) { X509 *xother = sk_X509_value(certs, i); X509_add1_trust_object(xother, objtmp); if (!X509_STORE_add_cert(tmpstore, xother)) { ret = -1; goto end; } } init_res = X509_STORE_CTX_init(&ctx, tmpstore, signer, NULL); if (!init_res) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; } X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(&ctx); if (ret == 1) { chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); X509_STORE_CTX_cleanup(&ctx); goto verified_chain; } X509_STORE_CTX_cleanup(&ctx); } /* Attempt to build a chain up to a Root Certificate in the * trust store provided by the caller. */ if(flags & OCSP_NOCHAIN) init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); else Loading @@ -115,7 +171,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(&ctx); chain = X509_STORE_CTX_get1_chain(&ctx); chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); X509_STORE_CTX_cleanup(&ctx); if (ret <= 0) { Loading 
@@ -125,6 +181,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_verify_cert_error_string(i)); goto end; } verified_chain: if(flags & OCSP_NOCHECKS) { ret = 1; Loading Loading @@ -155,7 +213,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, end: if(chain) sk_X509_pop_free(chain, X509_free); if(tmpchain) sk_X509_pop_free(tmpchain, X509_free); if(tmpstore) X509_STORE_free(tmpstore); return ret; } Loading crypto/x509v3/v3_purp.c +1 −1 Original line number Diff line number Diff line Loading @@ -87,7 +87,7 @@ static X509_PURPOSE xstandard[] = { {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL}, {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL}, {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, {X509_PURPOSE_OCSP_HELPER, X509_TRUST_OCSP_SIGN, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL}, }; Loading test/Makefile +5 −1 Original line number Diff line number Diff line Loading @@ -185,7 +185,7 @@ alltests: \ test_enc test_x509 test_rsa test_crl test_sid \ test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \ test_jpake test_srp test_cms test_v3name test_jpake test_srp test_cms test_v3name test_ocsp test_evp: ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt Loading Loading @@ -367,6 +367,10 @@ test_v3name: $(V3NAMETEST)$(EXE_EXT) @echo "Test X509v3_check_*" ../util/shlib_wrap.sh ./$(V3NAMETEST) test_ocsp: @echo "Test OCSP" @sh ./tocsp lint: lint -DLINT $(INCLUDES) $(SRC)>fluff Loading Loading
CHANGES +2 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,8 @@ _______________ Changes between 1.0.x and 1.1.0 [xx XXX xxxx] *) Fix OCSP checking. [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie] *) New option -crl_download in several openssl utilities to download CRLs from CRLDP extension in certificates. Loading
apps/ocsp.c +5 −5 Original line number Diff line number Diff line Loading @@ -866,6 +866,8 @@ int MAIN(int argc, char **argv) goto end; } ret = 0; if (!noverify) { if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) Loading @@ -875,17 +877,17 @@ int MAIN(int argc, char **argv) else { BIO_printf(bio_err, "Nonce Verify error\n"); ret = 1; goto end; } } i = OCSP_basic_verify(bs, verify_other, store, verify_flags); if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0); if(i <= 0) { BIO_printf(bio_err, "Response Verify Failure\n"); ERR_print_errors(bio_err); ret = 1; } else BIO_printf(bio_err, "Response verify OK\n"); Loading @@ -893,9 +895,7 @@ int MAIN(int argc, char **argv) } if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage)) goto end; ret = 0; ret = 1; end: ERR_print_errors(bio_err); Loading
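Review bot: In the verify-failure branch `ret = 1;` is set but control falls through to `print_ocsp_summary`, so a response whose signature could not be verified is still summarised as if it were usable, and the `ret` assignments just before `end:` (this rendering does not let me tell which of `ret = 0;` / `ret = 1;` is the new side) may overwrite that failure status again. I would add `goto end;` directly after `ret = 1;` in the "Response Verify Failure" branch, matching the nonce-error branch above it, or add a comment stating why the summary is deliberately printed for an unverified response. MAIN starts and ends outside the hunks shown.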
crypto/ocsp/ocsp_vfy.c +66 −7 Original line number Diff line number Diff line Loading @@ -77,8 +77,10 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { X509 *signer, *x; STACK_OF(X509) *chain = NULL; STACK_OF(X509) *tmpchain = NULL; X509_STORE *tmpstore = NULL; X509_STORE_CTX ctx; int i, ret = 0; int i, ret; ret = ocsp_find_signer(&signer, bs, certs, st, flags); if (!ret) { Loading @@ -86,7 +88,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, goto end; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; chain = certs; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; Loading 
@@ -102,6 +104,60 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, if (!(flags & OCSP_NOVERIFY)) { int init_res; /* If we trust the signer, we don't need to build a chain. * (If the signer is a root certificate, X509_verify_cert() * would fail anyway!) */ if (chain == certs) goto verified_chain; /* If we trust some "other" certificates, mark them as * explicitly trusted (because some of them might be * Intermediate CA Certificates), put them in a store and * attempt to build a trusted chain. */ if ((flags & OCSP_TRUSTOTHER) && (certs != NULL)) { ASN1_OBJECT *objtmp = OBJ_nid2obj(NID_OCSP_sign); tmpstore = X509_STORE_new(); if (!tmpstore) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); goto end; } for (i = 0; i < sk_X509_num(certs); i++) { X509 *xother = sk_X509_value(certs, i); X509_add1_trust_object(xother, objtmp); if (!X509_STORE_add_cert(tmpstore, xother)) { ret = -1; goto end; } } init_res = X509_STORE_CTX_init(&ctx, tmpstore, signer, NULL); if (!init_res) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; } X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(&ctx); if (ret == 1) { chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); X509_STORE_CTX_cleanup(&ctx); goto verified_chain; } X509_STORE_CTX_cleanup(&ctx); } /* Attempt to build a chain up to a Root Certificate in the * trust store provided by the caller. */ if(flags & OCSP_NOCHAIN) init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); else Loading @@ -115,7 +171,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(&ctx); chain = X509_STORE_CTX_get1_chain(&ctx); chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); X509_STORE_CTX_cleanup(&ctx); if (ret <= 0) { Loading 
@@ -125,6 +181,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_verify_cert_error_string(i)); goto end; } verified_chain: if(flags & OCSP_NOCHECKS) { ret = 1; Loading Loading @@ -155,7 +213,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, end: if(chain) sk_X509_pop_free(chain, X509_free); if(tmpchain) sk_X509_pop_free(tmpchain, X509_free); if(tmpstore) X509_STORE_free(tmpstore); return ret; } Loading
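Review bot: The shortcut `if (chain == certs) goto verified_chain;` in the OCSP_NOVERIFY block also fires when both pointers are NULL, which happens whenever the caller passes no extra certs and the signer was located in the store (chain is still its initial NULL at that point), so the signer reaches `verified_chain` without a chain ever being built against `st`; whether the issuer checks after the label reject an empty chain is outside the hunk, so the skip should be explicit: `if (chain != NULL && chain == certs) goto verified_chain;`. In the OCSP_TRUSTOTHER branch `X509_add1_trust_object(xother, objtmp)` permanently modifies the caller-owned certificates in `certs` and its return value is ignored; a failed add should be reported, and the side effect belongs in the function's documentation since callers may reuse those X509 objects elsewhere. The `X509_STORE_add_cert` failure path sets `ret = -1` without an `OCSPerr`, unlike the other failures in this block, and if that call refuses duplicates (as it does in my reading of x509_lu.c) a repeated certificate in `certs` becomes a hard verification error instead of being skipped. OCSP_basic_verify begins before this section's first hunk and its body between the hunks is not shown.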
crypto/x509v3/v3_purp.c +1 −1 Original line number Diff line number Diff line Loading @@ -87,7 +87,7 @@ static X509_PURPOSE xstandard[] = { {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL}, {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL}, {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, {X509_PURPOSE_OCSP_HELPER, X509_TRUST_OCSP_SIGN, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL}, }; Loading
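Review bot: Switching the OCSP-helper purpose from X509_TRUST_COMPAT to X509_TRUST_OCSP_SIGN changes the trust check for every caller that verifies with X509_PURPOSE_OCSP_HELPER, not only the new temporary-store path in ocsp_vfy.c: if I read X509_check_trust correctly, a root that carries explicit trust settings for other purposes but not OCSP signing is now rejected where it used to be accepted. That is presumably the intended tightening, but it deserves a sentence in CHANGES and in the purpose/trust documentation rather than only the one-word table edit.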
test/Makefile +5 −1 Original line number Diff line number Diff line Loading @@ -185,7 +185,7 @@ alltests: \ test_enc test_x509 test_rsa test_crl test_sid \ test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \ test_jpake test_srp test_cms test_v3name test_jpake test_srp test_cms test_v3name test_ocsp test_evp: ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt Loading Loading @@ -367,6 +367,10 @@ test_v3name: $(V3NAMETEST)$(EXE_EXT) @echo "Test X509v3_check_*" ../util/shlib_wrap.sh ./$(V3NAMETEST) test_ocsp: @echo "Test OCSP" @sh ./tocsp lint: lint -DLINT $(INCLUDES) $(SRC)>fluff Loading
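Review bot: The new `test_ocsp` target runs `@sh ./tocsp` with no prerequisites and, unlike `test_v3name` just above it, without going through `../util/shlib_wrap.sh`; the `tocsp` script is not among the sections shown, so I cannot tell whether it wraps the freshly built openssl binary itself. If it does not, shared-library builds will exercise whatever libcrypto is installed rather than the one under test, so either the script should use the wrapper or a comment on the target should say that it already does.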