Make editorial changes suggested by Rich Salz and add the -rsigopt option to...

Make editorial changes suggested by Rich Salz and add the -rsigopt option to the man page for the ocsp command. Reviewed-by: N Rich Salz <rsalz@openssl.org> Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4190)

Make editorial changes suggested by Rich Salz and add the -rsigopt option to...
Make editorial changes suggested by Rich Salz and add the -rsigopt option to the man page for the ocsp command. Reviewed-by: N Rich Salz <rsalz@openssl.org> Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4190)
89623f84 · David Cooper · Matt Caswell · b4dd21a7 · 89623f84 · 89623f84
隐藏空白更改
内联并排

Showing with 12 addition and 6 deletion

apps/ocsp.c apps/ocsp.c +3 -4

crypto/ocsp/ocsp_srv.c crypto/ocsp/ocsp_srv.c +3 -2

doc/man1/ocsp.pod doc/man1/ocsp.pod +6 -0

未找到文件。
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -719,8 +719,7 @@ redo_accept:
    X509_free(signer);
    X509_STORE_free(store);
    X509_VERIFY_PARAM_free(vpm);
-    if (rsign_sigopts != NULL)
+    sk_OPENSSL_STRING_free(rsign_sigopts);
-        sk_OPENSSL_STRING_free(rsign_sigopts);
    EVP_PKEY_free(key);
    EVP_PKEY_free(rkey);
    X509_free(cert);
@@ -971,6 +970,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
    }
    for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
        char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
        if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
            BIO_printf(err, "parameter error \"%s\"\n", sigopt);
            ERR_print_errors(bio_err);
@@ -989,8 +989,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
    *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
 end:
-    if (mctx != NULL)
+    EVP_MD_CTX_free(mctx);
-        EVP_MD_CTX_free(mctx);
    ASN1_TIME_free(thisupd);
    ASN1_TIME_free(nextupd);
    OCSP_BASICRESP_free(bs);

--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -175,8 +175,9 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
    int i;
    OCSP_RESPID *rid;
-    if (!ctx || !EVP_MD_CTX_pkey_ctx(ctx) || !EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) ||
+    if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL
-        !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) {
+        || EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) == NULL
+        || !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) {
        OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX,
                OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
        goto err;

--- a/doc/man1/ocsp.pod
+++ b/doc/man1/ocsp.pod
@@ -81,6 +81,7 @@ B<openssl> B<ocsp>
 [B<-rsigner file>]
 [B<-rkey file>]
 [B<-rother file>]
+[B<-rsigopt nm:v>]
 [B<-resp_no_certs>]
 [B<-nmin n>]
 [B<-ndays n>]
@@ -340,6 +341,11 @@ subject name.
 The private key to sign OCSP responses with: if not present the file
 specified in the B<rsigner> option is used.
+=item B<-rsigopt nm:v>
+Pass options to the signature algorithm when signing OCSP responses.
+Names and values of these options are algorithm-specific.
 =item B<-port portnum>
 Port to listen for OCSP requests on. The port may also be specified