提交
46a58ab9
编写于
2月 12, 2001
作者:
D
Dr. Stephen Henson
Modify OCSP nonce behaviour.
上级
94fcd013
变更
5
Showing
5 changed file
with
93 addition
and
100 deletion
+93
-100
CHANGES
CHANGES
+9
-0
apps/ocsp.c
apps/ocsp.c
+8
-3
crypto/ocsp/ocsp.h
crypto/ocsp/ocsp.h
+35
-54
crypto/ocsp/ocsp_err.c
crypto/ocsp/ocsp_err.c
+0
-20
crypto/ocsp/ocsp_ext.c
crypto/ocsp/ocsp_ext.c
+41
-23
CHANGES
@@ -3,6 +3,15 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
*) New nonce behavior. The return value of OCSP_check_nonce() now
reflects the various checks performed. Applications can decide
whether to tolerate certain situations such as an absent nonce
in a response when one was present in a request: the ocsp application
just prints out a warning. New function OCSP_add1_basic_nonce()
this is to allow responders to include a nonce in a response even if
the request is nonce-less.
[Steve Henson]
*) Use the cached encoding of an X509_NAME structure rather than
copying it. This is apparently the reason for the libsafe "errors"
but the code is actually correct.
apps/ocsp.c
@@ -515,10 +515,15 @@ int MAIN(int argc, char **argv)
if
(
!
noverify
)
{
if
(
req
&&
(
OCSP_check_nonce
(
req
,
bs
)
<=
0
))
if
(
req
&&
(
(
i
=
OCSP_check_nonce
(
req
,
bs
)
)
<=
0
))
{
BIO_printf
(
bio_err
,
"Nonce Verify error
\n
"
);
goto
end
;
if
(
i
==
-
1
)
BIO_printf
(
bio_err
,
"WARNING: no nonce in response
\n
"
);
else
{
BIO_printf
(
bio_err
,
"Nonce Verify error
\n
"
);
goto
end
;
}
}
i
=
OCSP_basic_verify
(
bs
,
verify_other
,
store
,
verify_flags
);
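Review bot: The new `if (i == -1)` branch downgrades a missing response nonce to a warning and then falls through to OCSP_basic_verify, so the client accepts a response it cannot tie to this request; the nonce is OCSP's only replay defence, and a stale-but-not-yet-expired response replayed by an on-path party passes this check. That is a defensible default for responders that ignore nonces, but it should be explicit: make the tolerance opt-in (a command-line switch, with -1 otherwise treated like the other failures) or at minimum comment the decision, e.g. `/* -1: request carried a nonce but the response did not. Tolerated with a warning because many responders ignore nonces; replay protection is lost in this case. */`. Note also that the warning goes only to bio_err and does not change the exit status, so a scripted caller cannot tell it happened. MAIN continues outside the hunk.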
crypto/ocsp/ocsp.h
@@ -415,6 +415,7 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
OCSP_ONEREQ
*
OCSP_request_add0_id
(
OCSP_REQUEST
*
req
,
OCSP_CERTID
*
cid
);
int
OCSP_request_add1_nonce
(
OCSP_REQUEST
*
req
,
unsigned
char
*
val
,
int
len
);
int
OCSP_basic_add1_nonce
(
OCSP_BASICRESP
*
resp
,
unsigned
char
*
val
,
int
len
);
int
OCSP_check_nonce
(
OCSP_REQUEST
*
req
,
OCSP_BASICRESP
*
bs
);
int
OCSP_copy_nonce
(
OCSP_BASICRESP
*
resp
,
OCSP_REQUEST
*
req
);
@@ -557,63 +558,43 @@ void ERR_load_OCSP_strings(void);
/* Error codes for the OCSP functions. */
/* Function codes. */
#define OCSP_F_ASN1_STRING_ENCODE 106
#define OCSP_F_BASIC_RESPONSE_NEW 100
#define OCSP_F_BASIC_RESPONSE_VERIFY 101
#define OCSP_F_CERT_ID_NEW 102
#define OCSP_F_CERT_STATUS_NEW 103
#define OCSP_F_D2I_OCSP_NONCE 109
#define OCSP_F_OCSP_BASIC_ADD1_STATUS 118
#define OCSP_F_OCSP_BASIC_SIGN 119
#define OCSP_F_OCSP_BASIC_VERIFY 113
#define OCSP_F_OCSP_CHECK_DELEGATED 117
#define OCSP_F_OCSP_CHECK_IDS 114
#define OCSP_F_OCSP_CHECK_ISSUER 115
#define OCSP_F_OCSP_CHECK_NONCE 112
#define OCSP_F_OCSP_MATCH_ISSUERID 116
#define OCSP_F_OCSP_REQUEST_SIGN 120
#define OCSP_F_ASN1_STRING_ENCODE 100
#define OCSP_F_CERT_ID_NEW 101
#define OCSP_F_D2I_OCSP_NONCE 102
#define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
#define OCSP_F_OCSP_BASIC_SIGN 104
#define OCSP_F_OCSP_BASIC_VERIFY 105
#define OCSP_F_OCSP_CHECK_DELEGATED 106
#define OCSP_F_OCSP_CHECK_IDS 107
#define OCSP_F_OCSP_CHECK_ISSUER 108
#define OCSP_F_OCSP_MATCH_ISSUERID 109
#define OCSP_F_OCSP_REQUEST_SIGN 110
#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
#define OCSP_F_OCSP_SENDREQ_BIO 110
#define OCSP_F_REQUEST_VERIFY 104
#define OCSP_F_RESPONSE_VERIFY 105
#define OCSP_F_S2I_OCSP_NONCE 107
#define OCSP_F_V2I_OCSP_CRLID 108
#define OCSP_F_OCSP_SENDREQ_BIO 112
#define OCSP_F_REQUEST_VERIFY 113
/* Reason codes. */
#define OCSP_R_BAD_DATA 108
#define OCSP_R_BAD_TAG 100
#define OCSP_R_CERTIFICATE_VERIFY_ERROR 126
#define OCSP_R_DIGEST_ERR 101
#define OCSP_R_FAILED_TO_OPEN 109
#define OCSP_R_FAILED_TO_READ 110
#define OCSP_R_FAILED_TO_STAT 111
#define OCSP_R_MISSING_OCSPSIGNING_USAGE 131
#define OCSP_R_MISSING_VALUE 112
#define OCSP_R_NONCE_MISSING_IN_RESPONSE 121
#define OCSP_R_NONCE_VALUE_MISMATCH 122
#define OCSP_R_NOT_BASIC_RESPONSE 120
#define OCSP_R_NO_CERTIFICATE 102
#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 128
#define OCSP_R_NO_CONTENT 115
#define OCSP_R_NO_PUBLIC_KEY 103
#define OCSP_R_NO_RESPONSE_DATA 104
#define OCSP_R_NO_REVOKED_TIME 132
#define OCSP_R_NO_SIGNATURE 105
#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 133
#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 129
#define OCSP_R_REVOKED_NO_TIME 106
#define OCSP_R_ROOT_CA_NOT_TRUSTED 127
#define OCSP_R_SERVER_READ_ERROR 116
#define OCSP_R_SERVER_RESPONSE_ERROR 117
#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 118
#define OCSP_R_SERVER_WRITE_ERROR 119
#define OCSP_R_SIGNATURE_FAILURE 124
#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 125
#define OCSP_R_UNEXPECTED_NONCE_IN_RESPONSE 123
#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 130
#define OCSP_R_UNKNOWN_NID 107
#define OCSP_R_UNSUPPORTED_OPTION 113
#define OCSP_R_VALUE_ALREADY 114
#define OCSP_R_BAD_DATA 100
#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
#define OCSP_R_DIGEST_ERR 102
#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
#define OCSP_R_NOT_BASIC_RESPONSE 104
#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
#define OCSP_R_NO_CONTENT 106
#define OCSP_R_NO_PUBLIC_KEY 107
#define OCSP_R_NO_RESPONSE_DATA 108
#define OCSP_R_NO_REVOKED_TIME 109
#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
#define OCSP_R_ROOT_CA_NOT_TRUSTED 112
#define OCSP_R_SERVER_READ_ERROR 113
#define OCSP_R_SERVER_RESPONSE_ERROR 114
#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
#define OCSP_R_SERVER_WRITE_ERROR 116
#define OCSP_R_SIGNATURE_FAILURE 117
#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
#define OCSP_R_UNKNOWN_NID 120
#ifdef __cplusplus
}
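Review bot: The prototype for OCSP_check_nonce carries none of the return-value contract the implementation now defines (1 present-and-equal, 2 both absent, 3 response only, 0 mismatch, -1 request only), and since callers read this header rather than ocsp_ext.c the difference between `<= 0` and `> 0` is invisible where it matters; add a comment above the declaration, e.g. `/* Returns 1 if nonces match, 2 if both absent, 3 if only the response has one, 0 on mismatch, -1 if only the request has one; > 0 is normally acceptable, 0 never is. */`. The same hunk drops OCSP_F_OCSP_CHECK_NONCE and the three nonce-related OCSP_R_* codes and renumbers every remaining OCSP_F_/OCSP_R_ value, so out-of-tree code that compared against those constants, or was built against the previous header, will now mis-decode OCSP error codes; presumably acceptable on the 0.9.7 development branch, but worth a line in CHANGES. Separately, the CHANGES entry in this commit names the new function OCSP_add1_basic_nonce() while this header declares `OCSP_basic_add1_nonce`, so one of the two needs correcting.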
crypto/ocsp/ocsp_err.c
@@ -67,10 +67,7 @@
static
ERR_STRING_DATA
OCSP_str_functs
[]
=
{
{
ERR_PACK
(
0
,
OCSP_F_ASN1_STRING_ENCODE
,
0
),
"ASN1_STRING_encode"
},
{
ERR_PACK
(
0
,
OCSP_F_BASIC_RESPONSE_NEW
,
0
),
"BASIC_RESPONSE_NEW"
},
{
ERR_PACK
(
0
,
OCSP_F_BASIC_RESPONSE_VERIFY
,
0
),
"BASIC_RESPONSE_VERIFY"
},
{
ERR_PACK
(
0
,
OCSP_F_CERT_ID_NEW
,
0
),
"CERT_ID_NEW"
},
{
ERR_PACK
(
0
,
OCSP_F_CERT_STATUS_NEW
,
0
),
"CERT_STATUS_NEW"
},
{
ERR_PACK
(
0
,
OCSP_F_D2I_OCSP_NONCE
,
0
),
"D2I_OCSP_NONCE"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_BASIC_ADD1_STATUS
,
0
),
"OCSP_basic_add1_status"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_BASIC_SIGN
,
0
),
"OCSP_basic_sign"
},
@@ -78,42 +75,28 @@ static ERR_STRING_DATA OCSP_str_functs[]=
{
ERR_PACK
(
0
,
OCSP_F_OCSP_CHECK_DELEGATED
,
0
),
"OCSP_CHECK_DELEGATED"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_CHECK_IDS
,
0
),
"OCSP_CHECK_IDS"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_CHECK_ISSUER
,
0
),
"OCSP_CHECK_ISSUER"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_CHECK_NONCE
,
0
),
"OCSP_check_nonce"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_MATCH_ISSUERID
,
0
),
"OCSP_MATCH_ISSUERID"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_REQUEST_SIGN
,
0
),
"OCSP_request_sign"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_RESPONSE_GET1_BASIC
,
0
),
"OCSP_response_get1_basic"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_SENDREQ_BIO
,
0
),
"OCSP_sendreq_bio"
},
{
ERR_PACK
(
0
,
OCSP_F_REQUEST_VERIFY
,
0
),
"REQUEST_VERIFY"
},
{
ERR_PACK
(
0
,
OCSP_F_RESPONSE_VERIFY
,
0
),
"RESPONSE_VERIFY"
},
{
ERR_PACK
(
0
,
OCSP_F_S2I_OCSP_NONCE
,
0
),
"S2I_OCSP_NONCE"
},
{
ERR_PACK
(
0
,
OCSP_F_V2I_OCSP_CRLID
,
0
),
"V2I_OCSP_CRLID"
},
{
0
,
NULL
}
};
static
ERR_STRING_DATA
OCSP_str_reasons
[]
=
{
{
OCSP_R_BAD_DATA
,
"bad data"
},
{
OCSP_R_BAD_TAG
,
"bad tag"
},
{
OCSP_R_CERTIFICATE_VERIFY_ERROR
,
"certificate verify error"
},
{
OCSP_R_DIGEST_ERR
,
"digest err"
},
{
OCSP_R_FAILED_TO_OPEN
,
"failed to open"
},
{
OCSP_R_FAILED_TO_READ
,
"failed to read"
},
{
OCSP_R_FAILED_TO_STAT
,
"failed to stat"
},
{
OCSP_R_MISSING_OCSPSIGNING_USAGE
,
"missing ocspsigning usage"
},
{
OCSP_R_MISSING_VALUE
,
"missing value"
},
{
OCSP_R_NONCE_MISSING_IN_RESPONSE
,
"nonce missing in response"
},
{
OCSP_R_NONCE_VALUE_MISMATCH
,
"nonce value mismatch"
},
{
OCSP_R_NOT_BASIC_RESPONSE
,
"not basic response"
},
{
OCSP_R_NO_CERTIFICATE
,
"no certificate"
},
{
OCSP_R_NO_CERTIFICATES_IN_CHAIN
,
"no certificates in chain"
},
{
OCSP_R_NO_CONTENT
,
"no content"
},
{
OCSP_R_NO_PUBLIC_KEY
,
"no public key"
},
{
OCSP_R_NO_RESPONSE_DATA
,
"no response data"
},
{
OCSP_R_NO_REVOKED_TIME
,
"no revoked time"
},
{
OCSP_R_NO_SIGNATURE
,
"no signature"
},
{
OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE
,
"private key does not match certificate"
},
{
OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA
,
"response contains no revocation data"
},
{
OCSP_R_REVOKED_NO_TIME
,
"revoked no time"
},
{
OCSP_R_ROOT_CA_NOT_TRUSTED
,
"root ca not trusted"
},
{
OCSP_R_SERVER_READ_ERROR
,
"server read error"
},
{
OCSP_R_SERVER_RESPONSE_ERROR
,
"server response error"
},
@@ -121,11 +104,8 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
{
OCSP_R_SERVER_WRITE_ERROR
,
"server write error"
},
{
OCSP_R_SIGNATURE_FAILURE
,
"signature failure"
},
{
OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND
,
"signer certificate not found"
},
{
OCSP_R_UNEXPECTED_NONCE_IN_RESPONSE
,
"unexpected nonce in response"
},
{
OCSP_R_UNKNOWN_MESSAGE_DIGEST
,
"unknown message digest"
},
{
OCSP_R_UNKNOWN_NID
,
"unknown nid"
},
{
OCSP_R_UNSUPPORTED_OPTION
,
"unsupported option"
},
{
OCSP_R_VALUE_ALREADY
,
"value already"
},
{
0
,
NULL
}
};
crypto/ocsp/ocsp_ext.c
@@ -303,11 +303,11 @@ err:
/* Nonce handling functions */
/* Add a nonce to an
OCSP request
. A nonce can be specificed or if NULL
/* Add a nonce to an
extension stack
. A nonce can be specificed or if NULL
* a random nonce will be generated.
*/
int
OCSP_request_add1_nonce
(
OCSP_REQUEST
*
req
,
unsigned
char
*
val
,
int
len
)
static
int
ocsp_add1_nonce
(
STACK_OF
(
X509_EXTENSION
)
**
exts
,
unsigned
char
*
val
,
int
len
)
{
unsigned
char
*
tmpval
;
ASN1_OCTET_STRING
os
;
@@ -321,7 +321,7 @@ int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
}
os
.
data
=
tmpval
;
os
.
length
=
len
;
if
(
!
OCSP_REQUEST_add1_ext_i2d
(
req
,
NID_id_pkix_OCSP_Nonce
,
if
(
!
X509V3_add1_i2d
(
exts
,
NID_id_pkix_OCSP_Nonce
,
&
os
,
0
,
X509V3_ADD_REPLACE
))
goto
err
;
ret
=
1
;
@@ -330,9 +330,34 @@ int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
return
ret
;
}
/* Check nonce validity in a request and response: the nonce
* must be either absent in both or present and equal in both.
/* Add nonce to an OCSP request */
int
OCSP_request_add1_nonce
(
OCSP_REQUEST
*
req
,
unsigned
char
*
val
,
int
len
)
{
return
ocsp_add1_nonce
(
&
req
->
tbsRequest
->
requestExtensions
,
val
,
len
);
}
/* Same as above but for a response */
int
OCSP_basic_add1_nonce
(
OCSP_BASICRESP
*
resp
,
unsigned
char
*
val
,
int
len
)
{
return
ocsp_add1_nonce
(
&
resp
->
tbsResponseData
->
responseExtensions
,
val
,
len
);
}
/* Check nonce validity in a request and response.
* Return value reflects result:
* 1: nonces present and equal.
* 2: nonces both absent.
* 3: nonce present in response only.
* 0: nonces both present and not equal.
* -1: nonce in request only.
*
* For most responders clients can check return > 0.
* If responder doesn't handle nonces return != 0 may be
* necessary. return == 0 is always an error.
*/
int
OCSP_check_nonce
(
OCSP_REQUEST
*
req
,
OCSP_BASICRESP
*
bs
)
{
/*
@@ -343,32 +368,25 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
* freed immediately anyway.
*/
int
re
t
=
0
,
re
q_idx
,
resp_idx
;
int
req_idx
,
resp_idx
;
X509_EXTENSION
*
req_ext
,
*
resp_ext
;
req_idx
=
OCSP_REQUEST_get_ext_by_NID
(
req
,
NID_id_pkix_OCSP_Nonce
,
-
1
);
resp_idx
=
OCSP_BASICRESP_get_ext_by_NID
(
bs
,
NID_id_pkix_OCSP_Nonce
,
-
1
);
/* If both absent its OK */
if
((
req_idx
<
0
)
&&
(
resp_idx
<
0
))
return
1
;
/* Check both absent */
if
((
req_idx
<
0
)
&&
(
resp_idx
<
0
))
return
2
;
/* Check in request only */
if
((
req_idx
>=
0
)
&&
(
resp_idx
<
0
))
{
OCSPerr
(
OCSP_F_OCSP_CHECK_NONCE
,
OCSP_R_NONCE_MISSING_IN_RESPONSE
);
goto
err
;
}
return
-
1
;
/* Check in response but not request */
if
((
req_idx
<
0
)
&&
(
resp_idx
>=
0
))
{
OCSPerr
(
OCSP_F_OCSP_CHECK_NONCE
,
OCSP_R_UNEXPECTED_NONCE_IN_RESPONSE
);
goto
err
;
}
return
3
;
/* Otherwise nonce in request and response so retrieve the extensions */
req_ext
=
OCSP_REQUEST_get_ext
(
req
,
req_idx
);
resp_ext
=
OCSP_BASICRESP_get_ext
(
bs
,
resp_idx
);
if
(
ASN1_OCTET_STRING_cmp
(
req_ext
->
value
,
resp_ext
->
value
))
{
OCSPerr
(
OCSP_F_OCSP_CHECK_NONCE
,
OCSP_R_NONCE_VALUE_MISMATCH
);
goto
err
;
}
ret
=
1
;
err:
return
ret
;
return
0
;
return
1
;
}
/* Copy the nonce value (if any) from an OCSP request to
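Review bot: OCSP_check_nonce now returns 0 on a value mismatch and -1 when the response lacks the request's nonce without pushing anything onto the error queue (the OCSPerr calls went away with the reason codes), so a caller that fails on `<= 0` and then calls ERR_print_errors() reports nothing about why; either re-raise an error on the mismatch path or state in the doc comment that the function is silent and the caller must map the return value to a message itself. The doc comment should also spell out the cost of the tolerance it recommends for nonce-less responders: accepting -1 means a replayed, not-yet-expired response is accepted, e.g. `* Treating -1 as non-fatal forfeits replay protection; do so only for responders known to omit nonces.` The retained comment above ocsp_add1_nonce still reads "specificed" and could be fixed while here. OCSP_check_nonce's body is split across the last two hunks, and the function the final hunk line begins (OCSP_copy_nonce) lies outside the view.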