diff options
| author | Tomas Mraz <tomas@openssl.org> | 2021-04-26 12:08:27 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2021-04-28 09:38:31 +0200 |
| commit | eaf8a40d97d642ccd2c55fbf8bb8ee3242aec04a (patch) | |
| tree | 23ef2d3756c42a91841270eb74330a8840dbf5d0 /crypto/ocsp | |
| parent | c0a79e9836a9aa30912978f69fab3b3bb3a8ddc5 (diff) | |
| download | openssl-eaf8a40d97d642ccd2c55fbf8bb8ee3242aec04a.zip openssl-eaf8a40d97d642ccd2c55fbf8bb8ee3242aec04a.tar.gz openssl-eaf8a40d97d642ccd2c55fbf8bb8ee3242aec04a.tar.bz2 | |
Prefer fetch over legacy get_digestby/get_cipherby
Fixes #14198
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
Diffstat (limited to 'crypto/ocsp')
| -rw-r--r-- | crypto/ocsp/ocsp_vfy.c | 50 |
1 files changed, 34 insertions, 16 deletions
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 02af584..4231c3f 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -7,10 +7,11 @@ * https://www.openssl.org/source/license.html */ +#include <string.h> #include <openssl/ocsp.h> -#include "ocsp_local.h" #include <openssl/err.h> -#include <string.h> +#include "internal/sizes.h" +#include "ocsp_local.h" static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, unsigned long flags); @@ -302,42 +303,56 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp) { + int ret = -1; + EVP_MD *dgst = NULL; + /* If only one ID to match then do it */ if (cid != NULL) { - const EVP_MD *dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm); + char name[OSSL_MAX_NAME_SIZE]; const X509_NAME *iname; int mdlen; unsigned char md[EVP_MAX_MD_SIZE]; + OBJ_obj2txt(name, sizeof(name), cid->hashAlgorithm.algorithm, 0); + + (void)ERR_set_mark(); + dgst = EVP_MD_fetch(NULL, name, NULL); + if (dgst == NULL) + dgst = (EVP_MD *)EVP_get_digestbyname(name); + if (dgst == NULL) { + (void)ERR_clear_last_mark(); ERR_raise(ERR_LIB_OCSP, OCSP_R_UNKNOWN_MESSAGE_DIGEST); - return -1; + goto end; } + (void)ERR_pop_to_mark(); mdlen = EVP_MD_size(dgst); if (mdlen < 0) { ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_SIZE_ERR); - return -1; + goto end; } if (cid->issuerNameHash.length != mdlen || - cid->issuerKeyHash.length != mdlen) - return 0; + cid->issuerKeyHash.length != mdlen) { + ret = 0; + goto end; + } iname = X509_get_subject_name(cert); - if (!X509_NAME_digest(iname, dgst, md, NULL)) { - ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_NAME_ERR); - return -1; + if (!X509_NAME_digest(iname, dgst, md, NULL)) + goto end; + if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0) { + ret = 0; + goto end; } - if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0) - return 0; if (!X509_pubkey_digest(cert, dgst, md, NULL)) { ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_ERR); - return -1; + goto end; } - if (memcmp(md, cid->issuerKeyHash.data, mdlen) != 0) - return 0; + ret = memcmp(md, cid->issuerKeyHash.data, mdlen) == 0; + goto end; } else { /* We have to match the whole lot */ - int i, ret; + int i; OCSP_CERTID *tmpid; for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { @@ -348,6 +363,9 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, } } return 1; +end: + EVP_MD_free(dgst); + return ret; } static int ocsp_check_delegated(X509 *x) |