From d32f5d8733df9938727710d4194e92813c421ef1 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 17 Apr 2016 13:48:53 +0200 Subject: [PATCH] Restore OCSP_basic_verify() error return semantics Recently, OCSP_basic_verify() was changed to always return 0 on error, when it would previously return 0 on error and < 0 on fatal error. This restores the previous semantics back. Reviewed-by: Rich Salz --- crypto/ocsp/ocsp_err.c | 3 ++- crypto/ocsp/ocsp_vfy.c | 35 +++++++++++++++++++++-------------- include/openssl/ocsp.h | 1 + 3 files changed, 24 insertions(+), 15 deletions(-) diff --git a/crypto/ocsp/ocsp_err.c b/crypto/ocsp/ocsp_err.c index 16960a7cd3..9043dd2274 100644 --- a/crypto/ocsp/ocsp_err.c +++ b/crypto/ocsp/ocsp_err.c @@ -1,5 +1,5 @@ /* ==================================================================== - * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -110,6 +110,7 @@ static ERR_STRING_DATA OCSP_str_reasons[] = { {ERR_REASON(OCSP_R_NO_PUBLIC_KEY), "no public key"}, {ERR_REASON(OCSP_R_NO_RESPONSE_DATA), "no response data"}, {ERR_REASON(OCSP_R_NO_REVOKED_TIME), "no revoked time"}, + {ERR_REASON(OCSP_R_NO_SIGNER_KEY), "no signer key"}, {ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"}, {ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED), "request not signed"}, diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 16931caf2e..2b55401aea 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -3,7 +3,7 @@ * 2000. */ /* ==================================================================== - * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2016 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -88,24 +88,27 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, if (!ret) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); - goto err; + goto end; } ctx = X509_STORE_CTX_new(); if (ctx == NULL) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); - goto err; + goto f_err; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; skey = X509_get0_pubkey(signer); - if (skey) - ret = OCSP_BASICRESP_verify(bs, skey, 0); - if (!skey || ret <= 0) { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); + if (skey == NULL) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY); goto err; } + ret = OCSP_BASICRESP_verify(bs, skey, 0); + if (ret <= 0) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); + goto end; + } } if (!(flags & OCSP_NOVERIFY)) { int init_res; @@ -116,7 +119,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, for (i = 0; i < sk_X509_num(certs); i++) { if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); - goto err; + goto f_err; } } } else { @@ -125,7 +128,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted); if (!init_res) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); - goto err; + goto f_err; } X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); @@ -137,7 +140,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(i)); - goto err; + goto end; } if (flags & OCSP_NOCHECKS) { ret = 1; @@ -167,16 +170,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, } ret = 1; } - goto end; - - err: - ret = 0; end: X509_STORE_CTX_free(ctx); sk_X509_pop_free(chain, X509_free); if (bs->certs && certs) sk_X509_free(untrusted); return ret; + goto end; + + err: + ret = 0; + goto end; + f_err: + ret = -1; + goto end; } static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index 02fd6b06be..546e9bcb56 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h @@ -432,6 +432,7 @@ void ERR_load_OCSP_strings(void); # define OCSP_R_NO_PUBLIC_KEY 107 # define OCSP_R_NO_RESPONSE_DATA 108 # define OCSP_R_NO_REVOKED_TIME 109 +# define OCSP_R_NO_SIGNER_KEY 130 # define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110 # define OCSP_R_REQUEST_NOT_SIGNED 128 # define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111