Make editorial changes suggested by Rich Salz and add the -rsigopt option to the...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 379e111ac4d9a26d7e2f332453a54cfe82b71602..b9bad81f24e31d0a7e4695113a46b027a08eb46e 100644 (file)
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -719,8 +719,7 @@ redo_accept:
     X509_free(signer);
     X509_STORE_free(store);
     X509_VERIFY_PARAM_free(vpm);
-    if (rsign_sigopts != NULL)
-        sk_OPENSSL_STRING_free(rsign_sigopts);
+    sk_OPENSSL_STRING_free(rsign_sigopts);
     EVP_PKEY_free(key);
     EVP_PKEY_free(rkey);
     X509_free(cert);
@@ -971,6 +970,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
     }
     for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
         char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+
         if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
             BIO_printf(err, "parameter error \"%s\"\n", sigopt);
             ERR_print_errors(bio_err);
@@ -989,8 +989,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
     *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
 
  end:
-    if (mctx != NULL)
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
     ASN1_TIME_free(thisupd);
     ASN1_TIME_free(nextupd);
     OCSP_BASICRESP_free(bs);

diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index d31a3c0c2597b17bf6ac89cda6777a5b1ae0b834..b459e695b93ebc6d2a184e0ec7535858af98b51c 100644 (file)
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -175,8 +175,9 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
     int i;
     OCSP_RESPID *rid;
 
-    if (!ctx || !EVP_MD_CTX_pkey_ctx(ctx) || !EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) ||
-        !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) {
+    if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL
+        || EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) == NULL
+        || !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) {
         OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX,
                 OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
         goto err;

diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod
index 46fff32985aff940f329622b3bb6cd8d60325656..44f1a60aa00a5d7ab37103b1dab77ee966e1fe8d 100644 (file)
--- a/doc/man1/ocsp.pod
+++ b/doc/man1/ocsp.pod
@@ -81,6 +81,7 @@ B<openssl> B<ocsp>
 [B<-rsigner file>]
 [B<-rkey file>]
 [B<-rother file>]
+[B<-rsigopt nm:v>]
 [B<-resp_no_certs>]
 [B<-nmin n>]
 [B<-ndays n>]
@@ -340,6 +341,11 @@ subject name.
 The private key to sign OCSP responses with: if not present the file
 specified in the B<rsigner> option is used.
 
+=item B<-rsigopt nm:v>
+
+Pass options to the signature algorithm when signing OCSP responses.
+Names and values of these options are algorithm-specific.
+
 =item B<-port portnum>
 
 Port to listen for OCSP requests on. The port may also be specified