From: Dr. Stephen Henson Date: Thu, 12 May 2016 14:24:06 +0000 (+0100) Subject: Correctly check for trailing digest options. X-Git-Tag: OpenSSL_1_1_0-pre6~857 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=6302bbd21a79bd2ed59f214d6d042031384b4d12 Correctly check for trailing digest options. Multiple digest options to the ocsp utility are allowed: e.g. to use different digests for different certificate IDs. A digest option without a following certificate is however illegal. RT#4215 Reviewed-by: Rich Salz --- diff --git a/apps/ocsp.c b/apps/ocsp.c index fd38da44e3..416e05caef 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -228,6 +228,7 @@ int ocsp_main(int argc, char **argv) { BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL; const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; + int trailing_md = 0; CA_DB *rdb = NULL; EVP_PKEY *key = NULL, *rkey = NULL; OCSP_BASICRESP *bs = NULL; @@ -439,6 +440,7 @@ int ocsp_main(int argc, char **argv) goto end; if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) goto end; + trailing_md = 0; break; case OPT_SERIAL: if (cert_id_md == NULL) @@ -447,6 +449,7 @@ int ocsp_main(int argc, char **argv) goto end; if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) goto end; + trailing_md = 0; break; case OPT_INDEX: ridx_filename = opt_arg(); @@ -490,7 +493,7 @@ int ocsp_main(int argc, char **argv) goto end; break; case OPT_MD: - if (cert_id_md != NULL) { + if (trailing_md) { BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", prog); @@ -498,9 +501,16 @@ int ocsp_main(int argc, char **argv) } if (!opt_md(opt_unknown(), &cert_id_md)) goto opthelp; + trailing_md = 1; break; } } + + if (trailing_md) { + BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", + prog); + goto opthelp; + } argc = opt_num_rest(); if (argc != 0) goto opthelp; diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 3e667e678e..a5bb22f819 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -266,24 +266,25 @@ only be used for testing purposes. =item B<-validity_period nsec>, B<-status_age age> these options specify the range of times, in seconds, which will be tolerated -in an OCSP response. Each certificate status response includes a B time and -an optional B time. The current time should fall between these two values, but -the interval between the two times may be only a few seconds. In practice the OCSP -responder and clients clocks may not be precisely synchronised and so such a check -may fail. To avoid this the B<-validity_period> option can be used to specify an -acceptable error range in seconds, the default value is 5 minutes. - -If the B time is omitted from a response then this means that new status -information is immediately available. In this case the age of the B field -is checked to see it is not older than B seconds old. By default this additional -check is not performed. +in an OCSP response. Each certificate status response includes a B +time and an optional B time. The current time should fall between +these two values, but the interval between the two times may be only a few +seconds. In practice the OCSP responder and clients clocks may not be precisely +synchronised and so such a check may fail. To avoid this the +B<-validity_period> option can be used to specify an acceptable error range in +seconds, the default value is 5 minutes. + +If the B time is omitted from a response then this means that new +status information is immediately available. In this case the age of the +B field is checked to see it is not older than B seconds old. +By default this additional check is not performed. =item B<-[digest]> -this option sets digest algorithm to use for certificate identification -in the OCSP request. -Any digest supported by the OpenSSL B command can be used. -The default is SHA-1. +this option sets digest algorithm to use for certificate identification in the +OCSP request. Any digest supported by the OpenSSL B command can be used. +The default is SHA-1. This option may be used multiple times to specify the +digest used by subsequent certificate identifiers. =back