Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+ *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
+ passed by the function are trusted implicitly. If any of them signed the
+ reponse then it is assumed to be valid and is not verified.
+ [Steve Henson]
+
*) Zero the premaster secret after deriving the master secret in
DH ciphersuites.
[Steve Henson]
#include <openssl/ocsp.h>
#include <openssl/err.h>
-static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags);
static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
STACK_OF(X509) *chain = NULL;
X509_STORE_CTX ctx;
int i, ret = 0;
- signer = ocsp_find_signer(bs, certs, st, flags);
- if (!signer)
+ ret = ocsp_find_signer(&signer, bs, certs, st, flags);
+ if (!ret)
{
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
goto end;
}
+ if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+ flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS))
{
EVP_PKEY *skey;
}
-static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags)
{
X509 *signer;
OCSP_RESPID *rid = bs->tbsResponseData->responderId;
if ((signer = ocsp_find_signer_sk(certs, rid)))
- return signer;
+ {
+ *psigner = signer;
+ return 2;
+ }
if(!(flags & OCSP_NOINTERN) &&
(signer = ocsp_find_signer_sk(bs->certs, rid)))
- return signer;
+ {
+ *psigner = signer;
+ return 1;
+ }
/* Maybe lookup from store if by subject name */
- return NULL;
+ *psigner = NULL;
+ return 0;
}
projects / openssl.git / commitdiff