Loading CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,11 @@ Changes between 0.9.6 and 0.9.7 [xx XXX 2000] *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates passed by the function are trusted implicitly. If any of them signed the reponse then it is assumed to be valid and is not verified. [Steve Henson] *) Zero the premaster secret after deriving the master secret in DH ciphersuites. [Steve Henson] Loading crypto/ocsp/ocsp.h +1 −0 Original line number Diff line number Diff line Loading @@ -85,6 +85,7 @@ extern "C" { #define OCSP_NOCASIGN 0x40 #define OCSP_NODELEGATED 0x80 #define OCSP_NOCHECKS 0x100 #define OCSP_TRUSTOTHER 0x200 /* CertID ::= SEQUENCE { * hashAlgorithm AlgorithmIdentifier, Loading crypto/ocsp/ocsp_vfy.c +16 −7 Original line number Diff line number Diff line Loading @@ -59,7 +59,7 @@ #include <openssl/ocsp.h> #include <openssl/err.h> static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags); Loading @@ -76,12 +76,14 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, STACK_OF(X509) *chain = NULL; X509_STORE_CTX ctx; int i, ret = 0; signer = ocsp_find_signer(bs, certs, st, flags); if (!signer) ret = ocsp_find_signer(&signer, bs, certs, st, flags); if (!ret) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); goto end; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; Loading Loading @@ -148,19 +150,26 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, } static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { X509 *signer; OCSP_RESPID *rid = bs->tbsResponseData->responderId; if ((signer = ocsp_find_signer_sk(certs, rid))) return signer; { *psigner = signer; return 2; } if(!(flags & OCSP_NOINTERN) && (signer = ocsp_find_signer_sk(bs->certs, rid))) return signer; { *psigner = signer; return 1; } /* Maybe lookup from store if by subject name */ return NULL; *psigner = NULL; return 0; } Loading Loading
CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,11 @@ Changes between 0.9.6 and 0.9.7 [xx XXX 2000] *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates passed by the function are trusted implicitly. If any of them signed the reponse then it is assumed to be valid and is not verified. [Steve Henson] *) Zero the premaster secret after deriving the master secret in DH ciphersuites. [Steve Henson] Loading
crypto/ocsp/ocsp.h +1 −0 Original line number Diff line number Diff line Loading @@ -85,6 +85,7 @@ extern "C" { #define OCSP_NOCASIGN 0x40 #define OCSP_NODELEGATED 0x80 #define OCSP_NOCHECKS 0x100 #define OCSP_TRUSTOTHER 0x200 /* CertID ::= SEQUENCE { * hashAlgorithm AlgorithmIdentifier, Loading
crypto/ocsp/ocsp_vfy.c +16 −7 Original line number Diff line number Diff line Loading @@ -59,7 +59,7 @@ #include <openssl/ocsp.h> #include <openssl/err.h> static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags); Loading @@ -76,12 +76,14 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, STACK_OF(X509) *chain = NULL; X509_STORE_CTX ctx; int i, ret = 0; signer = ocsp_find_signer(bs, certs, st, flags); if (!signer) ret = ocsp_find_signer(&signer, bs, certs, st, flags); if (!ret) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); goto end; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; Loading Loading @@ -148,19 +150,26 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, } static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { X509 *signer; OCSP_RESPID *rid = bs->tbsResponseData->responderId; if ((signer = ocsp_find_signer_sk(certs, rid))) return signer; { *psigner = signer; return 2; } if(!(flags & OCSP_NOINTERN) && (signer = ocsp_find_signer_sk(bs->certs, rid))) return signer; { *psigner = signer; return 1; } /* Maybe lookup from store if by subject name */ return NULL; *psigner = NULL; return 0; } Loading
