From a2ede6f5fa1d2343a8c49293b3219f3706dfc22d Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Tue, 5 Jul 2016 00:21:48 +0000 Subject: Add several fixes from OpenSSL to make OCSP work with intermediate certificates provided in the response. - makes our newly added ocsp regress test pass too.. ok bcook@ --- lib/libssl/src/crypto/ocsp/ocsp_vfy.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/lib/libssl/src/crypto/ocsp/ocsp_vfy.c b/lib/libssl/src/crypto/ocsp/ocsp_vfy.c index b62394b7657..f28571b92fe 100644 --- a/lib/libssl/src/crypto/ocsp/ocsp_vfy.c +++ b/lib/libssl/src/crypto/ocsp/ocsp_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_vfy.c,v 1.12 2014/07/09 19:08:10 tedu Exp $ */ +/* $OpenBSD: ocsp_vfy.c,v 1.13 2016/07/05 00:21:47 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -80,6 +80,7 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, { X509 *signer, *x; STACK_OF(X509) *chain = NULL; + STACK_OF(X509) *untrusted = NULL; X509_STORE_CTX ctx; int i, ret = 0; @@ -108,11 +109,21 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, if (!(flags & OCSP_NOVERIFY)) { int init_res; - if (flags & OCSP_NOCHAIN) - init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); - else - init_res = X509_STORE_CTX_init(&ctx, st, signer, - bs->certs); + if (flags & OCSP_NOCHAIN) { + untrusted = NULL; + } else if (bs->certs && certs) { + untrusted = sk_X509_dup(bs->certs); + for (i = 0; i < sk_X509_num(certs); i++) { + if (!sk_X509_push(untrusted, + sk_X509_value(certs, i))) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, + ERR_R_MALLOC_FAILURE); + goto end; + } + } + } else + untrusted = bs->certs; + init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); if (!init_res) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); @@ -163,6 +174,8 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, end: if (chain) sk_X509_pop_free(chain, X509_free); + if (bs->certs && certs) + sk_X509_free(untrusted); return ret; } @@ -433,10 +446,11 @@ ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, X509 *signer; if (!(flags & OCSP_NOINTERN)) { - signer = - X509_find_by_subject(req->optionalSignature->certs, nm); - *psigner = signer; - return 1; + signer = X509_find_by_subject(req->optionalSignature->certs, nm); + if (signer) { + *psigner = signer; + return 1; + } } signer = X509_find_by_subject(certs, nm); -- cgit v1.2.3