QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-30 19:54:39 +00:00
Code Issues Projects Releases Wiki Activity

OCSP: Add return value checks.

Browse Source 
The calls are unlikely to fail but better checking their return than not.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12648)
This commit is contained in:
Pauli 2020-08-15 10:35:59 +10:00
parent c9dcbc0759
commit c51a8af8cc
4 changed files with 39 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/err/openssl.txt
View File

@ -2678,6 +2678,8 @@ OBJ_R_UNKNOWN_NID:101:unknown nid
OBJ_R_UNKNOWN_OBJECT_NAME:103:unknown object name OBJ_R_UNKNOWN_OBJECT_NAME:103:unknown object name
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
OCSP_R_DIGEST_ERR:102:digest err OCSP_R_DIGEST_ERR:102:digest err
OCSP_R_DIGEST_NAME_ERR:106:digest name err
OCSP_R_DIGEST_SIZE_ERR:107:digest size err
OCSP_R_ERROR_IN_NEXTUPDATE_FIELD:122:error in nextupdate field OCSP_R_ERROR_IN_NEXTUPDATE_FIELD:122:error in nextupdate field
OCSP_R_ERROR_IN_THISUPDATE_FIELD:123:error in thisupdate field OCSP_R_ERROR_IN_THISUPDATE_FIELD:123:error in thisupdate field
OCSP_R_MISSING_OCSPSIGNING_USAGE:103:missing ocspsigning usage OCSP_R_MISSING_OCSPSIGNING_USAGE:103:missing ocspsigning usage

2
crypto/ocsp/ocsp_err.c
View File

@ -17,6 +17,8 @@ static const ERR_STRING_DATA OCSP_str_reasons[] = {
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_CERTIFICATE_VERIFY_ERROR), {ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_CERTIFICATE_VERIFY_ERROR),
"certificate verify error"}, "certificate verify error"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_DIGEST_ERR), "digest err"}, {ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_DIGEST_ERR), "digest err"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_DIGEST_NAME_ERR), "digest name err"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_DIGEST_SIZE_ERR), "digest size err"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD), {ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),
"error in nextupdate field"}, "error in nextupdate field"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_ERROR_IN_THISUPDATE_FIELD), {ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_ERROR_IN_THISUPDATE_FIELD),

53
crypto/ocsp/ocsp_vfy.c
View File

@ -54,6 +54,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
flags |= OCSP_NOVERIFY; flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) { if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey; EVP_PKEY *skey;
skey = X509_get0_pubkey(signer); skey = X509_get0_pubkey(signer);
if (skey == NULL) { if (skey == NULL) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY); OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY);
@ -153,6 +154,7 @@ static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
{ {
X509 *signer; X509 *signer;
OCSP_RESPID *rid = &bs->tbsResponseData.responderId; OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
if ((signer = ocsp_find_signer_sk(certs, rid))) { if ((signer = ocsp_find_signer_sk(certs, rid))) {
*psigner = signer; *psigner = signer;
return 2; return 2;
@ -187,8 +189,9 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
/* Calculate hash of each key and compare */ /* Calculate hash of each key and compare */
for (i = 0; i < sk_X509_num(certs); i++) { for (i = 0; i < sk_X509_num(certs); i++) {
x = sk_X509_value(certs, i); x = sk_X509_value(certs, i);
X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL); if (!X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL))
if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)) break;
if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0)
return x; return x;
} }
return NULL; return NULL;
@ -200,8 +203,8 @@ static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)
X509 *signer, *sca; X509 *signer, *sca;
OCSP_CERTID *caid = NULL; OCSP_CERTID *caid = NULL;
int i; int i;
sresp = bs->tbsResponseData.responses;
sresp = bs->tbsResponseData.responses;
if (sk_X509_num(chain) <= 0) { if (sk_X509_num(chain) <= 0) {
OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN); OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
return -1; return -1;
@ -274,52 +277,60 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
return 1; return 1;
} }
/*
* Match the certificate issuer ID.
* Returns -1 on error, 0 if there is no match and 1 if there is a match.
*/
static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
STACK_OF(OCSP_SINGLERESP) *sresp) STACK_OF(OCSP_SINGLERESP) *sresp)
{ {
/* If only one ID to match then do it */ /* If only one ID to match then do it */
if (cid) { if (cid != NULL) {
const EVP_MD *dgst; const EVP_MD *dgst;
const X509_NAME *iname; const X509_NAME *iname;
int mdlen; int mdlen;
unsigned char md[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE];
if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm))
== NULL) { dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm);
OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, if (dgst == NULL) {
OCSP_R_UNKNOWN_MESSAGE_DIGEST); OCSPerr(0, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
return -1; return -1;
} }
mdlen = EVP_MD_size(dgst); mdlen = EVP_MD_size(dgst);
if (mdlen < 0) if (mdlen < 0) {
OCSPerr(0, OCSP_R_DIGEST_SIZE_ERR);
return -1; return -1;
if ((cid->issuerNameHash.length != mdlen) || }
(cid->issuerKeyHash.length != mdlen)) if (cid->issuerNameHash.length != mdlen ||
cid->issuerKeyHash.length != mdlen)
return 0; return 0;
iname = X509_get_subject_name(cert); iname = X509_get_subject_name(cert);
if (!X509_NAME_digest(iname, dgst, md, NULL)) if (!X509_NAME_digest(iname, dgst, md, NULL)) {
OCSPerr(0, OCSP_R_DIGEST_NAME_ERR);
return -1; return -1;
if (memcmp(md, cid->issuerNameHash.data, mdlen)) }
if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0)
return 0; return 0;
X509_pubkey_digest(cert, dgst, md, NULL); if (!X509_pubkey_digest(cert, dgst, md, NULL)) {
if (memcmp(md, cid->issuerKeyHash.data, mdlen)) OCSPerr(0, OCSP_R_DIGEST_ERR);
return -1;
}
if (memcmp(md, cid->issuerKeyHash.data, mdlen) != 0)
return 0; return 0;
return 1;
} else { } else {
/* We have to match the whole lot */ /* We have to match the whole lot */
int i, ret; int i, ret;
OCSP_CERTID *tmpid; OCSP_CERTID *tmpid;
for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
ret = ocsp_match_issuerid(cert, tmpid, NULL); ret = ocsp_match_issuerid(cert, tmpid, NULL);
if (ret <= 0) if (ret <= 0)
return ret; return ret;
} }
return 1;
} }
return 1;
} }
static int ocsp_check_delegated(X509 *x) static int ocsp_check_delegated(X509 *x)
@ -381,6 +392,7 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
} }
if (!(flags & OCSP_NOVERIFY)) { if (!(flags & OCSP_NOVERIFY)) {
int init_res; int init_res;
if (flags & OCSP_NOCHAIN) if (flags & OCSP_NOCHAIN)
init_res = X509_STORE_CTX_init(ctx, store, signer, NULL); init_res = X509_STORE_CTX_init(ctx, store, signer, NULL);
else else
@ -419,6 +431,7 @@ static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
unsigned long flags) unsigned long flags)
{ {
X509 *signer; X509 *signer;
if (!(flags & OCSP_NOINTERN)) { if (!(flags & OCSP_NOINTERN)) {
signer = X509_find_by_subject(req->optionalSignature->certs, nm); signer = X509_find_by_subject(req->optionalSignature->certs, nm);
if (signer) { if (signer) {

2
include/openssl/ocsperr.h
View File

@ -50,6 +50,8 @@ int ERR_load_OCSP_strings(void);
*/ */
# define OCSP_R_CERTIFICATE_VERIFY_ERROR 101 # define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
# define OCSP_R_DIGEST_ERR 102 # define OCSP_R_DIGEST_ERR 102
# define OCSP_R_DIGEST_NAME_ERR 106
# define OCSP_R_DIGEST_SIZE_ERR 107
# define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122 # define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
# define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123 # define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
# define OCSP_R_MISSING_OCSPSIGNING_USAGE 103 # define OCSP_R_MISSING_OCSPSIGNING_USAGE 103