authorDr. Stephen Henson <steve@openssl.org>2016-05-12 15:24:06 +0100
committerDr. Stephen Henson <steve@openssl.org>2016-05-12 16:50:55 +0100
commit6302bbd21a79bd2ed59f214d6d042031384b4d12 (patch)
tree72bc1def0c3937e935ffa582b29d3f5cebf24a85 /apps
parentd535e5652688447deaf8a9eddc2b8cdc4f8f6ce9 (diff)
Correctly check for trailing digest options.
Multiple digest options to the ocsp utility are allowed: e.g. to use different digests for different certificate IDs. A digest option without a following certificate is however illegal. RT#4215 Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r--apps/ocsp.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c
index fd38da44e3..416e05caef 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -228,6 +228,7 @@ int ocsp_main(int argc, char **argv)
{
BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;
const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+ int trailing_md = 0;
CA_DB *rdb = NULL;
EVP_PKEY *key = NULL, *rkey = NULL;
OCSP_BASICRESP *bs = NULL;
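Review bot: The new `trailing_md` flag is declared without a comment, and its meaning can only be pieced together from three separate switch cases further down. A one-line comment at the declaration would make the state machine readable, for example `/* set by a digest option, cleared by the next -cert or -serial; still set after parsing means the digest was never applied */`. The body of ocsp_main continues beyond this hunk.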
@@ -439,6 +440,7 @@ int ocsp_main(int argc, char **argv)
goto end;
if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
goto end;
+ trailing_md = 0;
break;
case OPT_SERIAL:
if (cert_id_md == NULL)
@@ -447,6 +449,7 @@ int ocsp_main(int argc, char **argv)
goto end;
if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
goto end;
+ trailing_md = 0;
break;
case OPT_INDEX:
ridx_filename = opt_arg();
@@ -490,7 +493,7 @@ int ocsp_main(int argc, char **argv)
goto end;
break;
case OPT_MD:
- if (cert_id_md != NULL) {
+ if (trailing_md) {
BIO_printf(bio_err,
"%s: Digest must be before -cert or -serial\n",
prog);
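Review bot: The message under `if (trailing_md)` no longer matches the condition it reports. After this change the branch fires when two digest options appear back to back, and both of them may well precede `-cert`, so "Digest must be before -cert or -serial" points the user at the wrong problem. Wording such as `"%s: Digest option must be followed by -cert or -serial\n"` would describe this case and also the end-of-options check in the last hunk, which repeats the same literal. The enclosing switch starts and ends outside this hunk.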
@@ -498,9 +501,16 @@ int ocsp_main(int argc, char **argv)
}
if (!opt_md(opt_unknown(), &cert_id_md))
goto opthelp;
+ trailing_md = 1;
break;
}
}
+
+ if (trailing_md) {
+ BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
+ prog);
+ goto opthelp;
+ }
argc = opt_num_rest();
if (argc != 0)
goto opthelp;
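Review bot: The post-loop `if (trailing_md)` check also rejects command lines that carry a digest option but no `-cert` or `-serial` at all, which the old `cert_id_md != NULL` test let through with the digest left unused. Refusing to silently drop a requested certificate-ID digest is the safer behaviour, but it is a visible change for existing scripts. The diff shown here is limited to apps, so I cannot tell whether the ocsp manual page and the change log now state the ordering rule; if not, they should. A short comment above the check, e.g. `/* a digest option must be followed by the -cert/-serial it applies to */`, would also help. ocsp_main continues past the end of the hunk.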