diff options
Diffstat (limited to 'ext/openssl/ossl_ocsp.c')
-rw-r--r-- | ext/openssl/ossl_ocsp.c | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c index 7a92e5df..11a7ed32 100644 --- a/ext/openssl/ossl_ocsp.c +++ b/ext/openssl/ossl_ocsp.c @@ -1069,55 +1069,7 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self) x509st = GetX509StorePtr(store); flg = NIL_P(flags) ? 0 : NUM2INT(flags); x509s = ossl_x509_ary2sk(certs); -#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER) - /* - * OpenSSL had a bug that it doesn't use the certificates in x509s for - * verifying the chain. This can be a problem when the response is signed by - * a certificate issued by an intermediate CA. - * - * root_ca - * | - * intermediate_ca - * |-------------| - * end_entity ocsp_signer - * - * When the certificate hierarchy is like this, and the response contains - * only ocsp_signer certificate, the following code wrongly fails. - * - * store = OpenSSL::X509::Store.new; store.add_cert(root_ca) - * basic_response.verify([intermediate_ca], store) - * - * So add the certificates in x509s to the embedded certificates list first. - * - * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still - * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1. - */ - if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) && - sk_X509_num(x509s) && sk_X509_num(bs->certs)) { - int i; - - bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs); - if (!bs) { - sk_X509_pop_free(x509s, X509_free); - ossl_raise(eOCSPError, "ASN1_item_dup"); - } - - for (i = 0; i < sk_X509_num(x509s); i++) { - if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) { - sk_X509_pop_free(x509s, X509_free); - OCSP_BASICRESP_free(bs); - ossl_raise(eOCSPError, "OCSP_basic_add1_cert"); - } - } - result = OCSP_basic_verify(bs, x509s, x509st, flg); - OCSP_BASICRESP_free(bs); - } - else { - result = OCSP_basic_verify(bs, x509s, x509st, flg); - } -#else result = OCSP_basic_verify(bs, x509s, x509st, flg); -#endif sk_X509_pop_free(x509s, X509_free); if (result <= 0) ossl_clear_error(); |