Correctly check for trailing digest options. Multiple digest options to the ocsp utility are allowed: e.g. to use different digests for different certificate IDs. A digest option without a following certificate is however illegal. RT#4215 Reviewed-by: Rich Salz <rsalz@openssl.org>
diff --git a/apps/ocsp.c b/apps/ocsp.c index fd38da4..416e05c 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c
@@ -228,6 +228,7 @@ { BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL; const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; + int trailing_md = 0; CA_DB *rdb = NULL; EVP_PKEY *key = NULL, *rkey = NULL; OCSP_BASICRESP *bs = NULL; @@ -439,6 +440,7 @@ goto end; if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) goto end; + trailing_md = 0; break; case OPT_SERIAL: if (cert_id_md == NULL) @@ -447,6 +449,7 @@ goto end; if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) goto end; + trailing_md = 0; break; case OPT_INDEX: ridx_filename = opt_arg(); @@ -490,7 +493,7 @@ goto end; break; case OPT_MD: - if (cert_id_md != NULL) { + if (trailing_md) { BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", prog); @@ -498,9 +501,16 @@ } if (!opt_md(opt_unknown(), &cert_id_md)) goto opthelp; + trailing_md = 1; break; } } + + if (trailing_md) { + BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", + prog); + goto opthelp; + } argc = opt_num_rest(); if (argc != 0) goto opthelp;
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 3e667e6..a5bb22f 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod
@@ -266,24 +266,25 @@ =item B<-validity_period nsec>, B<-status_age age> these options specify the range of times, in seconds, which will be tolerated -in an OCSP response. Each certificate status response includes a B<notBefore> time and -an optional B<notAfter> time. The current time should fall between these two values, but -the interval between the two times may be only a few seconds. In practice the OCSP -responder and clients clocks may not be precisely synchronised and so such a check -may fail. To avoid this the B<-validity_period> option can be used to specify an -acceptable error range in seconds, the default value is 5 minutes. +in an OCSP response. Each certificate status response includes a B<notBefore> +time and an optional B<notAfter> time. The current time should fall between +these two values, but the interval between the two times may be only a few +seconds. In practice the OCSP responder and clients clocks may not be precisely +synchronised and so such a check may fail. To avoid this the +B<-validity_period> option can be used to specify an acceptable error range in +seconds, the default value is 5 minutes. -If the B<notAfter> time is omitted from a response then this means that new status -information is immediately available. In this case the age of the B<notBefore> field -is checked to see it is not older than B<age> seconds old. By default this additional -check is not performed. +If the B<notAfter> time is omitted from a response then this means that new +status information is immediately available. In this case the age of the +B<notBefore> field is checked to see it is not older than B<age> seconds old. +By default this additional check is not performed. =item B<-[digest]> -this option sets digest algorithm to use for certificate identification -in the OCSP request. -Any digest supported by the OpenSSL B<dgst> command can be used. -The default is SHA-1. +this option sets digest algorithm to use for certificate identification in the +OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used. +The default is SHA-1. This option may be used multiple times to specify the +digest used by subsequent certificate identifiers. =back