Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL#4124
Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL#4124DDvO wants to merge 3 commits intoopenssl:masterfrom
Conversation
openssl-machine
added
the
hold: cla required
|
The automatic Travis CI build given above failed due to an unrelated memory leak in |
richsalz
removed
the
hold: cla required
|
CLA on file, removing tag. |
|
This is unreview-able. It looks like partial re-base. Unfortunately I don't have an advice how to do it right, as it always worked for me as I expected... |
DDvO
force-pushed
the
fix-OCSP_basic_verify
branch
from
7d87f88 to
e2b0593
Compare
openssl-machine
added
the
hold: cla required
…NULL Now the certs arg is not any more neglected when building the signer cert chain. Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy. See also http://rt.openssl.org/Ticket/Display.html?id=4620
DDvO
force-pushed
the
fix-OCSP_basic_verify
branch
from
e2b0593 to
20aaac5
Compare
openssl-machine
added
the
hold: cla required
|
Oops, I had made a mistake when rebasing, such that my commit went somewhat below the head. |
richsalz
removed
the
hold: cla required
|
For some reason, the cla-check failure tag appears still present, although Rich has cleared the need-cla label. The actual code change of the crypto library for the fix is tiny: 2 new lines.
|
test/recipes/80-test_ocsp.t
Outdated
| my $CAfile = shift; | ||
| my $untrusted = $CAfile; | ||
| my $expected_exit = shift; | ||
| if (!looks_like_number($expected_exit)) { |
There was a problem hiding this comment.
This looks quite horrible. Can we not just add the extra argument to the other tests (perhaps with "" meaning "use CAfile")?
|
@mattcaswell thanks for the first review. |
|
This applies cleanly to master and 1.1.0. I suspect the issue is present in 1.0.2 as well, but this PR won't apply cleanly to that branch due to the test. It may be appropriate to have a second PR which just makes the main change without the test for 1.0.2. |
mattcaswell
added
the
approval: review pending
|
I haven't tried with 1.0.2. |
|
The test uses the new test framework which isn't available in 1.0.2, so couldn't be back ported without additional work. There may be an equivalent test in the old 1.0.2 way of doing things that you could amend - I've not checked - but it's probably not worth the effort. To do a PR to fix specifically 1.0.2, just create a new branch based on OpenSSL_1_0_2-stable and make the relevant change. Then create the PR in the normal way, but instead of master (the default) select OpenSSL_1_0_2-stable as the target branch. |
richsalz
left a comment
richsalz
left a comment
There was a problem hiding this comment.
One minor change, one comment
crypto/ocsp/ocsp_vfy.c
Outdated
| goto f_err; | ||
| } | ||
| } | ||
| } else if (certs) { |
There was a problem hiding this comment.
Please add != NULL explicitly.
| my $title = shift; | ||
| my $inputfile = shift; | ||
| my $CAfile = shift; | ||
| my $untrusted = shift; |
There was a problem hiding this comment.
this could be shift || $CAfile if you wanted. Or not. :)
|
Re-formulated the certs check as requested. |
…NULL Now the certs arg is not any more neglected when building the signer cert chain. Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy. See also http://rt.openssl.org/Ticket/Display.html?id=4620 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Rich Salz <[email protected]> (Merged from #4124)
richsalz
added
approval: done
…NULL Now the certs arg is not any more neglected when building the signer cert chain. Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy. See also http://rt.openssl.org/Ticket/Display.html?id=4620 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Rich Salz <[email protected]> (Merged from #4124) (cherry picked from commit 121738d)
|
merged to 1.1.0 and master; thanks! |
…NULL Now the certs arg is not any more neglected when building the signer cert chain. Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy. See also http://rt.openssl.org/Ticket/Display.html?id=4620 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Rich Salz <[email protected]> (Merged from openssl#4124) (cherry picked from commit 121738d)
5 participants
Now the certs arg is not any more neglected when building the signer cert chain.
Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy.
See also http://rt.openssl.org/Ticket/Display.html?id=4620
It seems that OCSP_basic_verify(bs, certs, st, flags) unfortunately is
not documented, but from its code it becomes clear that the "certs"
parameter is meant to be a set of untrusted certificates, which is first
used (together with bs->certs) to determine the signer cert of the OCSP
response "bs" and then is partly(!) used to construct the chain of certs
towards a trusted (root) cert in the store passed in the "st" parameter.
As long as the OCSP response pointed to by "bs" includes a non-NULL
bs->certs field, OCSP_basic_verify() takes the union of any certs in the
"certs" parameter and in bs->certs as untrusted certs for chain
construction, but if bs->certs is NULL, i.e. when the OCSP responder did
not include any certs its response, for some reason OCSP_basic_verify()
does not take "certs" but bs->certs, which corresponds to the empty set.
This fix takes "certs" as the set of untrusted certs in case bs->certs is NULL.
Checklist