Adjust coding style & fix test failures.
I am still not 100% convinced that there is no memory leak hidden somewhere... This also makes everything compile with OpenSSL 1.0.2 for me.
This commit is contained in:
parent
ea4cf7dbe9
commit
6a93abea32
4 changed files with 53 additions and 44 deletions
|
@ -239,8 +239,6 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
|
|||
## x509_get_certificate_string x509_verify
|
||||
function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
|
||||
%{
|
||||
stack_st_X509* ocsp_certs;
|
||||
|
||||
RecordVal* rval = 0;
|
||||
X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
|
||||
if ( ! ctx )
|
||||
|
@ -284,6 +282,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
|
|||
OCSP_SINGLERESP *single = 0;
|
||||
X509_STORE_CTX *csc = 0;
|
||||
OCSP_CERTID *certid = 0;
|
||||
stack_st_X509* ocsp_certs = nullptr;
|
||||
int status = -1;
|
||||
int out = -1;
|
||||
int result = -1;
|
||||
|
@ -310,7 +309,6 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
|
|||
goto x509_ocsp_cleanup;
|
||||
}
|
||||
|
||||
|
||||
// the following code took me _forever_ to get right.
|
||||
// The OCSP_basic_verify command takes a list of certificates. However (which is not immediately
|
||||
// visible or understandable), those are only used to find the signer certificate. They are _not_
|
||||
|
@ -319,21 +317,10 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
|
|||
// the lookup.
|
||||
// Yay.
|
||||
|
||||
ocsp_certs = sk_X509_dup(OCSP_resp_get0_certs(basic));
|
||||
if ( !ocsp_certs )
|
||||
{
|
||||
ocsp_certs = sk_X509_new_null();
|
||||
if ( !ocsp_certs )
|
||||
{
|
||||
rval = x509_result_record(-1, "Could not allocate basic x509 stack");
|
||||
goto x509_ocsp_cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
issuer_certificate = 0;
|
||||
for ( int i = 0; i < sk_X509_num(untrusted_certs); i++)
|
||||
{
|
||||
sk_X509_push(ocsp_certs, X509_dup(sk_X509_value(untrusted_certs, i)));
|
||||
OCSP_basic_add1_cert(basic, sk_X509_value(untrusted_certs, i));
|
||||
|
||||
if ( X509_NAME_cmp(X509_get_issuer_name(cert), X509_get_subject_name(sk_X509_value(untrusted_certs, i))) == 0 )
|
||||
issuer_certificate = sk_X509_value(untrusted_certs, i);
|
||||
|
@ -358,6 +345,14 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
|
|||
goto x509_ocsp_cleanup;
|
||||
}
|
||||
|
||||
{
|
||||
auto basic_certs = OCSP_resp_get0_certs(basic);
|
||||
if ( basic_certs )
|
||||
ocsp_certs = sk_X509_dup(basic_certs);
|
||||
|
||||
assert(ocsp_certs);
|
||||
}
|
||||
|
||||
csc = X509_STORE_CTX_new();
|
||||
X509_STORE_CTX_init(csc, ctx, signer, ocsp_certs);
|
||||
X509_STORE_CTX_set_time(csc, 0, (time_t) verify_time);
|
||||
|
@ -383,7 +378,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
|
|||
|
||||
// ok, now we verified the OCSP response. This means that we have a valid chain tying it
|
||||
// to a root that we trust and that the signature also hopefully is valid. This does not yet
|
||||
// mean that the ocsp response actually matches the certificate the server send us or that
|
||||
// mean that the ocsp response actually matches the certificate the server sent us or that
|
||||
// the OCSP response even says that the certificate is valid.
|
||||
|
||||
// let's start this out by checking that the response is actually for the certificate we want
|
||||
|
@ -457,6 +452,9 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
|
|||
|
||||
x509_ocsp_cleanup:
|
||||
|
||||
if ( ocsp_certs )
|
||||
sk_X509_free(ocsp_certs);
|
||||
|
||||
if ( untrusted_certs )
|
||||
sk_X509_free(untrusted_certs);
|
||||
|
||||
|
@ -573,12 +571,13 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
|
|||
|
||||
x509_verify_chainerror:
|
||||
|
||||
RecordVal* rrecord = x509_result_record(X509_STORE_CTX_get_error(csc), X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)), chainVector);
|
||||
|
||||
X509_STORE_CTX_cleanup(csc);
|
||||
X509_STORE_CTX_free(csc);
|
||||
|
||||
sk_X509_free(untrusted_certs);
|
||||
|
||||
RecordVal* rrecord = x509_result_record(X509_STORE_CTX_get_error(csc), X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)), chainVector);
|
||||
|
||||
return rrecord;
|
||||
%}
|
||||
|
||||
|
@ -673,7 +672,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa
|
|||
x->cert_info->enc.modified = 1;
|
||||
cert_length = i2d_X509_CINF(x->cert_info, &cert_out);
|
||||
#else
|
||||
i2d_re_X509_tbs(x, &cert_out);
|
||||
cert_length = i2d_re_X509_tbs(x, &cert_out);
|
||||
#endif
|
||||
data.append(reinterpret_cast<const char*>(issuer_key_hash->Bytes()), issuer_key_hash->Len());
|
||||
}
|
||||
|
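Review bot: The added `assert(ocsp_certs);` in the `@ -358,6 +345,14` hunk of x509_ocsp_verify makes a property of network-supplied input into a process abort: `OCSP_resp_get0_certs(basic)` returns the response's embedded certificate list, which (as far as I can tell) is optional in the OCSP encoding, so a well-formed reply with no certificates, or a failed `sk_X509_dup`, leaves `ocsp_certs` null and aborts a debug build while an NDEBUG build silently continues with a null chain. The code this hunk replaces handled the null case by creating an empty stack; the new code should instead return an error result using the `rval = x509_result_record(-1, ...)` / `goto x509_ocsp_cleanup` pattern already used earlier in this function. I believe X509_STORE_CTX_init accepts a null untrusted list, so only the failed duplicate strictly needs the error path; if a missing list should also be rejected here, treat both cases the same way. The enclosing function starts and ends outside this hunk.
```cpp
{
auto basic_certs = OCSP_resp_get0_certs(basic);
if ( basic_certs )
	{
	ocsp_certs = sk_X509_dup(basic_certs);
	if ( ! ocsp_certs )
		{
		rval = x509_result_record(-1, "Could not duplicate OCSP certificate stack");
		goto x509_ocsp_cleanup;
		}
	}
}
// … unchanged: X509_STORE_CTX_new / X509_STORE_CTX_init / X509_STORE_CTX_set_time …
```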
|