From 89623f84299a66761ba4c69f01dbd86fc584d0a3 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 12 Dec 2017 16:01:22 -0500 Subject: [PATCH] Make editorial changes suggested by Rich Salz and add the -rsigopt option to the man page for the ocsp command. Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/4190) --- apps/ocsp.c | 7 +++---- crypto/ocsp/ocsp_srv.c | 5 +++-- doc/man1/ocsp.pod | 6 ++++++ 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/apps/ocsp.c b/apps/ocsp.c index 379e111ac4..b9bad81f24 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -719,8 +719,7 @@ redo_accept: X509_free(signer); X509_STORE_free(store); X509_VERIFY_PARAM_free(vpm); - if (rsign_sigopts != NULL) - sk_OPENSSL_STRING_free(rsign_sigopts); + sk_OPENSSL_STRING_free(rsign_sigopts); EVP_PKEY_free(key); EVP_PKEY_free(rkey); X509_free(cert); @@ -971,6 +970,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req } for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); + if (pkey_ctrl_string(pkctx, sigopt) <= 0) { BIO_printf(err, "parameter error \"%s\"\n", sigopt); ERR_print_errors(bio_err); @@ -989,8 +989,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); end: - if (mctx != NULL) - EVP_MD_CTX_free(mctx); + EVP_MD_CTX_free(mctx); ASN1_TIME_free(thisupd); ASN1_TIME_free(nextupd); OCSP_BASICRESP_free(bs); diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index d31a3c0c25..b459e695b9 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c @@ -175,8 +175,9 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, int i; OCSP_RESPID *rid; - if (!ctx || !EVP_MD_CTX_pkey_ctx(ctx) || !EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) || - !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) { + if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL + || EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) == NULL + || !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) { OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); goto err; diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod index 46fff32985..44f1a60aa0 100644 --- a/doc/man1/ocsp.pod +++ b/doc/man1/ocsp.pod @@ -81,6 +81,7 @@ B B [B<-rsigner file>] [B<-rkey file>] [B<-rother file>] +[B<-rsigopt nm:v>] [B<-resp_no_certs>] [B<-nmin n>] [B<-ndays n>] @@ -340,6 +341,11 @@ subject name. The private key to sign OCSP responses with: if not present the file specified in the B option is used. +=item B<-rsigopt nm:v> + +Pass options to the signature algorithm when signing OCSP responses. +Names and values of these options are algorithm-specific. + =item B<-port portnum> Port to listen for OCSP requests on. The port may also be specified -- 2.34.1