X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Focsp%2Focsp_vfy.c;h=7470f1c04816df9a6f89bcb241b772c3db85c675;hp=8868c980cbaadf9d3ed7b117bc7d2e262e92ab64;hb=50d5199120d2d669039e75c17499483aa7607430;hpb=9020b86250a610e50a6f77e1b929457a3dd115dc diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 8868c980cb..7470f1c048 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -59,7 +59,7 @@ #include #include -static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, +static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags); @@ -76,12 +76,14 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, STACK_OF(X509) *chain = NULL; X509_STORE_CTX ctx; int i, ret = 0; - signer = ocsp_find_signer(bs, certs, st, flags); - if (!signer) + ret = ocsp_find_signer(&signer, bs, certs, st, flags); + if (!ret) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); goto end; } + if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) + flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; @@ -148,19 +150,26 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, } -static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, +static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { X509 *signer; OCSP_RESPID *rid = bs->tbsResponseData->responderId; if ((signer = ocsp_find_signer_sk(certs, rid))) - return signer; + { + *psigner = signer; + return 2; + } if(!(flags & OCSP_NOINTERN) && (signer = ocsp_find_signer_sk(bs->certs, rid))) - return signer; + { + *psigner = signer; + return 1; + } /* Maybe lookup from store if by subject name */ - return NULL; + *psigner = NULL; + return 0; }