summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2014-04-21 16:32:06 +0000
committerjsing <>2014-04-21 16:32:06 +0000
commitdbe50a7f3c84521e4543ad2e5292244bd0b81414 (patch)
treebe04a70e8733f1afb3ae549ad26c1c50ec666f15
parent4e74c38c506a70910cb7f88175f2f718983bbdc6 (diff)
downloadopenbsd-dbe50a7f3c84521e4543ad2e5292244bd0b81414.tar.gz
openbsd-dbe50a7f3c84521e4543ad2e5292244bd0b81414.tar.bz2
openbsd-dbe50a7f3c84521e4543ad2e5292244bd0b81414.zip
KNF.
Diffstat
-rw-r--r--src/lib/libcrypto/ts/ts.h139
-rw-r--r--src/lib/libcrypto/ts/ts_asn1.c164
-rw-r--r--src/lib/libcrypto/ts/ts_conf.c422
-rw-r--r--src/lib/libcrypto/ts/ts_err.c205
-rw-r--r--src/lib/libcrypto/ts/ts_lib.c59
-rw-r--r--src/lib/libcrypto/ts/ts_req_print.c18
-rw-r--r--src/lib/libcrypto/ts/ts_req_utils.c204
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_print.c140
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_sign.c789
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_utils.c358
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_verify.c507
-rw-r--r--src/lib/libcrypto/ts/ts_verify_ctx.c80
-rw-r--r--src/lib/libssl/src/crypto/ts/ts.h139
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_asn1.c164
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_conf.c422
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_err.c205
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_lib.c59
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_req_print.c18
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_req_utils.c204
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_rsp_print.c140
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_rsp_sign.c789
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_rsp_utils.c358
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_rsp_verify.c507
-rw-r--r--src/lib/libssl/src/crypto/ts/ts_verify_ctx.c80
24 files changed, 3236 insertions, 2934 deletions
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
index 88e0111453..3c5ab727db 100644
--- a/src/lib/libcrypto/ts/ts.h
+++ b/src/lib/libcrypto/ts/ts.h
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -103,11 +103,10 @@ MessageImprint ::= SEQUENCE {
103 hashedMessage OCTET STRING } 103 hashedMessage OCTET STRING }
104*/ 104*/
105 105
106typedef struct TS_msg_imprint_st 106typedef struct TS_msg_imprint_st {
107 {
108 X509_ALGOR *hash_algo; 107 X509_ALGOR *hash_algo;
109 ASN1_OCTET_STRING *hashed_msg; 108 ASN1_OCTET_STRING *hashed_msg;
110 } TS_MSG_IMPRINT; 109} TS_MSG_IMPRINT;
111 110
112/* 111/*
113TimeStampReq ::= SEQUENCE { 112TimeStampReq ::= SEQUENCE {
@@ -121,15 +120,14 @@ TimeStampReq ::= SEQUENCE {
121 extensions [0] IMPLICIT Extensions OPTIONAL } 120 extensions [0] IMPLICIT Extensions OPTIONAL }
122*/ 121*/
123 122
124typedef struct TS_req_st 123typedef struct TS_req_st {
125 {
126 ASN1_INTEGER *version; 124 ASN1_INTEGER *version;
127 TS_MSG_IMPRINT *msg_imprint; 125 TS_MSG_IMPRINT *msg_imprint;
128 ASN1_OBJECT *policy_id; /* OPTIONAL */ 126 ASN1_OBJECT *policy_id; /* OPTIONAL */
129 ASN1_INTEGER *nonce; /* OPTIONAL */ 127 ASN1_INTEGER *nonce; /* OPTIONAL */
130 ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ 128 ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */
131 STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ 129 STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */
132 } TS_REQ; 130} TS_REQ;
133 131
134/* 132/*
135Accuracy ::= SEQUENCE { 133Accuracy ::= SEQUENCE {
@@ -138,12 +136,11 @@ Accuracy ::= SEQUENCE {
138 micros [1] INTEGER (1..999) OPTIONAL } 136 micros [1] INTEGER (1..999) OPTIONAL }
139*/ 137*/
140 138
141typedef struct TS_accuracy_st 139typedef struct TS_accuracy_st {
142 {
143 ASN1_INTEGER *seconds; 140 ASN1_INTEGER *seconds;
144 ASN1_INTEGER *millis; 141 ASN1_INTEGER *millis;
145 ASN1_INTEGER *micros; 142 ASN1_INTEGER *micros;
146 } TS_ACCURACY; 143} TS_ACCURACY;
147 144
148/* 145/*
149TSTInfo ::= SEQUENCE { 146TSTInfo ::= SEQUENCE {
@@ -165,8 +162,7 @@ TSTInfo ::= SEQUENCE {
165 extensions [1] IMPLICIT Extensions OPTIONAL } 162 extensions [1] IMPLICIT Extensions OPTIONAL }
166*/ 163*/
167 164
168typedef struct TS_tst_info_st 165typedef struct TS_tst_info_st {
169 {
170 ASN1_INTEGER *version; 166 ASN1_INTEGER *version;
171 ASN1_OBJECT *policy_id; 167 ASN1_OBJECT *policy_id;
172 TS_MSG_IMPRINT *msg_imprint; 168 TS_MSG_IMPRINT *msg_imprint;
@@ -177,7 +173,7 @@ typedef struct TS_tst_info_st
177 ASN1_INTEGER *nonce; 173 ASN1_INTEGER *nonce;
178 GENERAL_NAME *tsa; 174 GENERAL_NAME *tsa;
179 STACK_OF(X509_EXTENSION) *extensions; 175 STACK_OF(X509_EXTENSION) *extensions;
180 } TS_TST_INFO; 176} TS_TST_INFO;
181 177
182/* 178/*
183PKIStatusInfo ::= SEQUENCE { 179PKIStatusInfo ::= SEQUENCE {
@@ -212,12 +208,11 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
212#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17 208#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17
213#define TS_INFO_SYSTEM_FAILURE 25 209#define TS_INFO_SYSTEM_FAILURE 25
214 210
215typedef struct TS_status_info_st 211typedef struct TS_status_info_st {
216 {
217 ASN1_INTEGER *status; 212 ASN1_INTEGER *status;
218 STACK_OF(ASN1_UTF8STRING) *text; 213 STACK_OF(ASN1_UTF8STRING) *text;
219 ASN1_BIT_STRING *failure_info; 214 ASN1_BIT_STRING *failure_info;
220 } TS_STATUS_INFO; 215} TS_STATUS_INFO;
221 216
222DECLARE_STACK_OF(ASN1_UTF8STRING) 217DECLARE_STACK_OF(ASN1_UTF8STRING)
223DECLARE_ASN1_SET_OF(ASN1_UTF8STRING) 218DECLARE_ASN1_SET_OF(ASN1_UTF8STRING)
@@ -228,12 +223,11 @@ TimeStampResp ::= SEQUENCE {
228 timeStampToken TimeStampToken OPTIONAL } 223 timeStampToken TimeStampToken OPTIONAL }
229*/ 224*/
230 225
231typedef struct TS_resp_st 226typedef struct TS_resp_st {
232 {
233 TS_STATUS_INFO *status_info; 227 TS_STATUS_INFO *status_info;
234 PKCS7 *token; 228 PKCS7 *token;
235 TS_TST_INFO *tst_info; 229 TS_TST_INFO *tst_info;
236 } TS_RESP; 230} TS_RESP;
237 231
238/* The structure below would belong to the ESS component. */ 232/* The structure below would belong to the ESS component. */
239 233
@@ -244,11 +238,10 @@ IssuerSerial ::= SEQUENCE {
244 } 238 }
245*/ 239*/
246 240
247typedef struct ESS_issuer_serial 241typedef struct ESS_issuer_serial {
248 {
249 STACK_OF(GENERAL_NAME) *issuer; 242 STACK_OF(GENERAL_NAME) *issuer;
250 ASN1_INTEGER *serial; 243 ASN1_INTEGER *serial;
251 } ESS_ISSUER_SERIAL; 244} ESS_ISSUER_SERIAL;
252 245
253/* 246/*
254ESSCertID ::= SEQUENCE { 247ESSCertID ::= SEQUENCE {
@@ -257,11 +250,10 @@ ESSCertID ::= SEQUENCE {
257} 250}
258*/ 251*/
259 252
260typedef struct ESS_cert_id 253typedef struct ESS_cert_id {
261 {
262 ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ 254 ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */
263 ESS_ISSUER_SERIAL *issuer_serial; 255 ESS_ISSUER_SERIAL *issuer_serial;
264 } ESS_CERT_ID; 256} ESS_CERT_ID;
265 257
266DECLARE_STACK_OF(ESS_CERT_ID) 258DECLARE_STACK_OF(ESS_CERT_ID)
267DECLARE_ASN1_SET_OF(ESS_CERT_ID) 259DECLARE_ASN1_SET_OF(ESS_CERT_ID)
@@ -273,11 +265,10 @@ SigningCertificate ::= SEQUENCE {
273} 265}
274*/ 266*/
275 267
276typedef struct ESS_signing_cert 268typedef struct ESS_signing_cert {
277 {
278 STACK_OF(ESS_CERT_ID) *cert_ids; 269 STACK_OF(ESS_CERT_ID) *cert_ids;
279 STACK_OF(POLICYINFO) *policy_info; 270 STACK_OF(POLICYINFO) *policy_info;
280 } ESS_SIGNING_CERT; 271} ESS_SIGNING_CERT;
281 272
282 273
283TS_REQ *TS_REQ_new(void); 274TS_REQ *TS_REQ_new(void);
@@ -296,7 +287,7 @@ TS_MSG_IMPRINT *TS_MSG_IMPRINT_new(void);
296void TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a); 287void TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a);
297int i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **pp); 288int i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **pp);
298TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a, 289TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a,
299 const unsigned char **pp, long length); 290 const unsigned char **pp, long length);
300 291
301TS_MSG_IMPRINT *TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *a); 292TS_MSG_IMPRINT *TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *a);
302 293
@@ -320,15 +311,15 @@ int i2d_TS_RESP_bio(BIO *fp, TS_RESP *a);
320TS_STATUS_INFO *TS_STATUS_INFO_new(void); 311TS_STATUS_INFO *TS_STATUS_INFO_new(void);
321void TS_STATUS_INFO_free(TS_STATUS_INFO *a); 312void TS_STATUS_INFO_free(TS_STATUS_INFO *a);
322int i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **pp); 313int i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **pp);
323TS_STATUS_INFO *d2i_TS_STATUS_INFO(TS_STATUS_INFO **a, 314TS_STATUS_INFO *d2i_TS_STATUS_INFO(TS_STATUS_INFO **a,
324 const unsigned char **pp, long length); 315 const unsigned char **pp, long length);
325TS_STATUS_INFO *TS_STATUS_INFO_dup(TS_STATUS_INFO *a); 316TS_STATUS_INFO *TS_STATUS_INFO_dup(TS_STATUS_INFO *a);
326 317
327TS_TST_INFO *TS_TST_INFO_new(void); 318TS_TST_INFO *TS_TST_INFO_new(void);
328void TS_TST_INFO_free(TS_TST_INFO *a); 319void TS_TST_INFO_free(TS_TST_INFO *a);
329int i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **pp); 320int i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **pp);
330TS_TST_INFO *d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **pp, 321TS_TST_INFO *d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **pp,
331 long length); 322 long length);
332TS_TST_INFO *TS_TST_INFO_dup(TS_TST_INFO *a); 323TS_TST_INFO *TS_TST_INFO_dup(TS_TST_INFO *a);
333 324
334TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a); 325TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a);
@@ -340,30 +331,30 @@ TS_ACCURACY *TS_ACCURACY_new(void);
340void TS_ACCURACY_free(TS_ACCURACY *a); 331void TS_ACCURACY_free(TS_ACCURACY *a);
341int i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **pp); 332int i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **pp);
342TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp, 333TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp,
343 long length); 334 long length);
344TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a); 335TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a);
345 336
346ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void); 337ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void);
347void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a); 338void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a);
348int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a, 339int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a,
349 unsigned char **pp); 340 unsigned char **pp);
350ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a, 341ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a,
351 const unsigned char **pp, long length); 342 const unsigned char **pp, long length);
352ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a); 343ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a);
353 344
354ESS_CERT_ID *ESS_CERT_ID_new(void); 345ESS_CERT_ID *ESS_CERT_ID_new(void);
355void ESS_CERT_ID_free(ESS_CERT_ID *a); 346void ESS_CERT_ID_free(ESS_CERT_ID *a);
356int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp); 347int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp);
357ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp, 348ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp,
358 long length); 349 long length);
359ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a); 350ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a);
360 351
361ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void); 352ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void);
362void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a); 353void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a);
363int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a, 354int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a,
364 unsigned char **pp); 355 unsigned char **pp);
365ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a, 356ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
366 const unsigned char **pp, long length); 357 const unsigned char **pp, long length);
367ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a); 358ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
368 359
369void ERR_load_TS_strings(void); 360void ERR_load_TS_strings(void);
@@ -485,19 +476,18 @@ struct TS_resp_ctx;
485typedef ASN1_INTEGER *(*TS_serial_cb)(struct TS_resp_ctx *, void *); 476typedef ASN1_INTEGER *(*TS_serial_cb)(struct TS_resp_ctx *, void *);
486 477
487/* This must return the seconds and microseconds since Jan 1, 1970 in 478/* This must return the seconds and microseconds since Jan 1, 1970 in
488 the sec and usec variables allocated by the caller. 479 the sec and usec variables allocated by the caller.
489 Return non-zero for success and zero for failure. */ 480 Return non-zero for success and zero for failure. */
490typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, long *sec, long *usec); 481typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, long *sec, long *usec);
491 482
492/* This must process the given extension. 483/* This must process the given extension.
493 * It can modify the TS_TST_INFO object of the context. 484 * It can modify the TS_TST_INFO object of the context.
494 * Return values: !0 (processed), 0 (error, it must set the 485 * Return values: !0 (processed), 0 (error, it must set the
495 * status info/failure info of the response). 486 * status info/failure info of the response).
496 */ 487 */
497typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *); 488typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *);
498 489
499typedef struct TS_resp_ctx 490typedef struct TS_resp_ctx {
500 {
501 X509 *signer_cert; 491 X509 *signer_cert;
502 EVP_PKEY *signer_key; 492 EVP_PKEY *signer_key;
503 STACK_OF(X509) *certs; /* Certs to include in signed data. */ 493 STACK_OF(X509) *certs; /* Certs to include in signed data. */
@@ -514,10 +504,10 @@ typedef struct TS_resp_ctx
514 /* Callback functions. */ 504 /* Callback functions. */
515 TS_serial_cb serial_cb; 505 TS_serial_cb serial_cb;
516 void *serial_cb_data; /* User data for serial_cb. */ 506 void *serial_cb_data; /* User data for serial_cb. */
517 507
518 TS_time_cb time_cb; 508 TS_time_cb time_cb;
519 void *time_cb_data; /* User data for time_cb. */ 509 void *time_cb_data; /* User data for time_cb. */
520 510
521 TS_extension_cb extension_cb; 511 TS_extension_cb extension_cb;
522 void *extension_cb_data; /* User data for extension_cb. */ 512 void *extension_cb_data; /* User data for extension_cb. */
523 513
@@ -525,7 +515,7 @@ typedef struct TS_resp_ctx
525 TS_REQ *request; 515 TS_REQ *request;
526 TS_RESP *response; 516 TS_RESP *response;
527 TS_TST_INFO *tst_info; 517 TS_TST_INFO *tst_info;
528 } TS_RESP_CTX; 518} TS_RESP_CTX;
529 519
530DECLARE_STACK_OF(EVP_MD) 520DECLARE_STACK_OF(EVP_MD)
531DECLARE_ASN1_SET_OF(EVP_MD) 521DECLARE_ASN1_SET_OF(EVP_MD)
@@ -546,23 +536,23 @@ int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy);
546/* No additional certs are included in the response by default. */ 536/* No additional certs are included in the response by default. */
547int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs); 537int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs);
548 538
549/* Adds a new acceptable policy, only the default policy 539/* Adds a new acceptable policy, only the default policy
550 is accepted by default. */ 540 is accepted by default. */
551int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy); 541int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy);
552 542
553/* Adds a new acceptable message digest. Note that no message digests 543/* Adds a new acceptable message digest. Note that no message digests
554 are accepted by default. The md argument is shared with the caller. */ 544 are accepted by default. The md argument is shared with the caller. */
555int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md); 545int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md);
556 546
557/* Accuracy is not included by default. */ 547/* Accuracy is not included by default. */
558int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, 548int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
559 int secs, int millis, int micros); 549 int secs, int millis, int micros);
560 550
561/* Clock precision digits, i.e. the number of decimal digits: 551/* Clock precision digits, i.e. the number of decimal digits:
562 '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */ 552 '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
563int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, 553int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
564 unsigned clock_precision_digits); 554 unsigned clock_precision_digits);
565/* At most we accept usec precision. */ 555/* At most we accept usec precision. */
566#define TS_MAX_CLOCK_PRECISION_DIGITS 6 556#define TS_MAX_CLOCK_PRECISION_DIGITS 6
567 557
568/* No flags are set by default. */ 558/* No flags are set by default. */
@@ -574,19 +564,19 @@ void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data);
574/* Default callback uses the gettimeofday() and gmtime() system calls. */ 564/* Default callback uses the gettimeofday() and gmtime() system calls. */
575void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data); 565void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data);
576 566
577/* Default callback rejects all extensions. The extension callback is called 567/* Default callback rejects all extensions. The extension callback is called
578 * when the TS_TST_INFO object is already set up and not signed yet. */ 568 * when the TS_TST_INFO object is already set up and not signed yet. */
579/* FIXME: extension handling is not tested yet. */ 569/* FIXME: extension handling is not tested yet. */
580void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, 570void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx,
581 TS_extension_cb cb, void *data); 571 TS_extension_cb cb, void *data);
582 572
583/* The following methods can be used in the callbacks. */ 573/* The following methods can be used in the callbacks. */
584int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, 574int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx,
585 int status, const char *text); 575 int status, const char *text);
586 576
587/* Sets the status info only if it is still TS_STATUS_GRANTED. */ 577/* Sets the status info only if it is still TS_STATUS_GRANTED. */
588int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, 578int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
589 int status, const char *text); 579 int status, const char *text);
590 580
591int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure); 581int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure);
592 582
@@ -595,7 +585,7 @@ TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx);
595 585
596TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx); 586TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx);
597 587
598/* 588/*
599 * Creates the signed TS_TST_INFO and puts it in TS_RESP. 589 * Creates the signed TS_TST_INFO and puts it in TS_RESP.
600 * In case of errors it sets the status info properly. 590 * In case of errors it sets the status info properly.
601 * Returns NULL only in case of memory allocation/fatal error. 591 * Returns NULL only in case of memory allocation/fatal error.
@@ -608,7 +598,7 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio);
608 */ 598 */
609 599
610int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, 600int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
611 X509_STORE *store, X509 **signer_out); 601 X509_STORE *store, X509 **signer_out);
612 602
613/* Context structure for the generic verify method. */ 603/* Context structure for the generic verify method. */
614 604
@@ -648,8 +638,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
648 | TS_VFY_SIGNER \ 638 | TS_VFY_SIGNER \
649 | TS_VFY_TSA_NAME) 639 | TS_VFY_TSA_NAME)
650 640
651typedef struct TS_verify_ctx 641typedef struct TS_verify_ctx {
652 {
653 /* Set this to the union of TS_VFY_... flags you want to carry out. */ 642 /* Set this to the union of TS_VFY_... flags you want to carry out. */
654 unsigned flags; 643 unsigned flags;
655 644
@@ -660,7 +649,7 @@ typedef struct TS_verify_ctx
660 /* Must be set only with TS_VFY_POLICY. */ 649 /* Must be set only with TS_VFY_POLICY. */
661 ASN1_OBJECT *policy; 650 ASN1_OBJECT *policy;
662 651
663 /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, 652 /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
664 the algorithm from the response is used. */ 653 the algorithm from the response is used. */
665 X509_ALGOR *md_alg; 654 X509_ALGOR *md_alg;
666 unsigned char *imprint; 655 unsigned char *imprint;
@@ -674,7 +663,7 @@ typedef struct TS_verify_ctx
674 663
675 /* Must be set only with TS_VFY_TSA_NAME. */ 664 /* Must be set only with TS_VFY_TSA_NAME. */
676 GENERAL_NAME *tsa_name; 665 GENERAL_NAME *tsa_name;
677 } TS_VERIFY_CTX; 666} TS_VERIFY_CTX;
678 667
679int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response); 668int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response);
680int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); 669int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token);
@@ -690,7 +679,7 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
690void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); 679void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
691void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); 680void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
692 681
693/* 682/*
694 * If ctx is NULL, it allocates and returns a new object, otherwise 683 * If ctx is NULL, it allocates and returns a new object, otherwise
695 * it returns ctx. It initialises all the members as follows: 684 * it returns ctx. It initialises all the members as follows:
696 * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE) 685 * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE)
@@ -730,27 +719,27 @@ STACK_OF(X509) *TS_CONF_load_certs(const char *file);
730EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass); 719EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass);
731const char *TS_CONF_get_tsa_section(CONF *conf, const char *section); 720const char *TS_CONF_get_tsa_section(CONF *conf, const char *section);
732int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb, 721int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
733 TS_RESP_CTX *ctx); 722 TS_RESP_CTX *ctx);
734int TS_CONF_set_crypto_device(CONF *conf, const char *section, 723int TS_CONF_set_crypto_device(CONF *conf, const char *section,
735 const char *device); 724 const char *device);
736int TS_CONF_set_default_engine(const char *name); 725int TS_CONF_set_default_engine(const char *name);
737int TS_CONF_set_signer_cert(CONF *conf, const char *section, 726int TS_CONF_set_signer_cert(CONF *conf, const char *section,
738 const char *cert, TS_RESP_CTX *ctx); 727 const char *cert, TS_RESP_CTX *ctx);
739int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs, 728int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
740 TS_RESP_CTX *ctx); 729 TS_RESP_CTX *ctx);
741int TS_CONF_set_signer_key(CONF *conf, const char *section, 730int TS_CONF_set_signer_key(CONF *conf, const char *section,
742 const char *key, const char *pass, TS_RESP_CTX *ctx); 731 const char *key, const char *pass, TS_RESP_CTX *ctx);
743int TS_CONF_set_def_policy(CONF *conf, const char *section, 732int TS_CONF_set_def_policy(CONF *conf, const char *section,
744 const char *policy, TS_RESP_CTX *ctx); 733 const char *policy, TS_RESP_CTX *ctx);
745int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx); 734int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
746int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx); 735int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx);
747int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx); 736int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx);
748int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section, 737int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
749 TS_RESP_CTX *ctx); 738 TS_RESP_CTX *ctx);
750int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx); 739int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx);
751int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx); 740int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx);
752int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, 741int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section,
753 TS_RESP_CTX *ctx); 742 TS_RESP_CTX *ctx);
754 743
755/* -------------------------------------------------- */ 744/* -------------------------------------------------- */
756/* BEGIN ERROR CODES */ 745/* BEGIN ERROR CODES */
diff --git a/src/lib/libcrypto/ts/ts_asn1.c b/src/lib/libcrypto/ts/ts_asn1.c
index 40b730c5e2..9e16b01f93 100644
--- a/src/lib/libcrypto/ts/ts_asn1.c
+++ b/src/lib/libcrypto/ts/ts_asn1.c
@@ -9,7 +9,7 @@
9 * are met: 9 * are met:
10 * 10 *
11 * 1. Redistributions of source code must retain the above copyright 11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer. 12 * notice, this list of conditions and the following disclaimer.
13 * 13 *
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in 15 * notice, this list of conditions and the following disclaimer in
@@ -66,27 +66,35 @@ ASN1_SEQUENCE(TS_MSG_IMPRINT) = {
66 66
67IMPLEMENT_ASN1_FUNCTIONS_const(TS_MSG_IMPRINT) 67IMPLEMENT_ASN1_FUNCTIONS_const(TS_MSG_IMPRINT)
68IMPLEMENT_ASN1_DUP_FUNCTION(TS_MSG_IMPRINT) 68IMPLEMENT_ASN1_DUP_FUNCTION(TS_MSG_IMPRINT)
69
69#ifndef OPENSSL_NO_BIO 70#ifndef OPENSSL_NO_BIO
70TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT **a) 71TS_MSG_IMPRINT *
71 { 72d2i_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT **a)
72 return ASN1_d2i_bio_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new, d2i_TS_MSG_IMPRINT, bp, a); 73{
73 } 74 return ASN1_d2i_bio_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new,
75 d2i_TS_MSG_IMPRINT, bp, a);
76}
74 77
75int i2d_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT *a) 78int
79i2d_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT *a)
76{ 80{
77 return ASN1_i2d_bio_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, bp, a); 81 return ASN1_i2d_bio_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, bp, a);
78} 82}
79#endif 83#endif
84
80#ifndef OPENSSL_NO_FP_API 85#ifndef OPENSSL_NO_FP_API
81TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a) 86TS_MSG_IMPRINT *
82 { 87d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a)
83 return ASN1_d2i_fp_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new, d2i_TS_MSG_IMPRINT, fp, a); 88{
84 } 89 return ASN1_d2i_fp_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new,
90 d2i_TS_MSG_IMPRINT, fp, a);
91}
85 92
86int i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a) 93int
87 { 94i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a)
95{
88 return ASN1_i2d_fp_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, fp, a); 96 return ASN1_i2d_fp_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, fp, a);
89 } 97}
90#endif 98#endif
91 99
92ASN1_SEQUENCE(TS_REQ) = { 100ASN1_SEQUENCE(TS_REQ) = {
@@ -100,27 +108,33 @@ ASN1_SEQUENCE(TS_REQ) = {
100 108
101IMPLEMENT_ASN1_FUNCTIONS_const(TS_REQ) 109IMPLEMENT_ASN1_FUNCTIONS_const(TS_REQ)
102IMPLEMENT_ASN1_DUP_FUNCTION(TS_REQ) 110IMPLEMENT_ASN1_DUP_FUNCTION(TS_REQ)
111
103#ifndef OPENSSL_NO_BIO 112#ifndef OPENSSL_NO_BIO
104TS_REQ *d2i_TS_REQ_bio(BIO *bp, TS_REQ **a) 113TS_REQ *
105 { 114d2i_TS_REQ_bio(BIO *bp, TS_REQ **a)
115{
106 return ASN1_d2i_bio_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, bp, a); 116 return ASN1_d2i_bio_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, bp, a);
107 } 117}
108 118
109int i2d_TS_REQ_bio(BIO *bp, TS_REQ *a) 119int
110 { 120i2d_TS_REQ_bio(BIO *bp, TS_REQ *a)
121{
111 return ASN1_i2d_bio_of_const(TS_REQ, i2d_TS_REQ, bp, a); 122 return ASN1_i2d_bio_of_const(TS_REQ, i2d_TS_REQ, bp, a);
112 } 123}
113#endif 124#endif
125
114#ifndef OPENSSL_NO_FP_API 126#ifndef OPENSSL_NO_FP_API
115TS_REQ *d2i_TS_REQ_fp(FILE *fp, TS_REQ **a) 127TS_REQ *
116 { 128d2i_TS_REQ_fp(FILE *fp, TS_REQ **a)
129{
117 return ASN1_d2i_fp_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, fp, a); 130 return ASN1_d2i_fp_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, fp, a);
118 } 131}
119 132
120int i2d_TS_REQ_fp(FILE *fp, TS_REQ *a) 133int
121 { 134i2d_TS_REQ_fp(FILE *fp, TS_REQ *a)
135{
122 return ASN1_i2d_fp_of_const(TS_REQ, i2d_TS_REQ, fp, a); 136 return ASN1_i2d_fp_of_const(TS_REQ, i2d_TS_REQ, fp, a);
123 } 137}
124#endif 138#endif
125 139
126ASN1_SEQUENCE(TS_ACCURACY) = { 140ASN1_SEQUENCE(TS_ACCURACY) = {
@@ -147,27 +161,35 @@ ASN1_SEQUENCE(TS_TST_INFO) = {
147 161
148IMPLEMENT_ASN1_FUNCTIONS_const(TS_TST_INFO) 162IMPLEMENT_ASN1_FUNCTIONS_const(TS_TST_INFO)
149IMPLEMENT_ASN1_DUP_FUNCTION(TS_TST_INFO) 163IMPLEMENT_ASN1_DUP_FUNCTION(TS_TST_INFO)
164
150#ifndef OPENSSL_NO_BIO 165#ifndef OPENSSL_NO_BIO
151TS_TST_INFO *d2i_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO **a) 166TS_TST_INFO *
152 { 167d2i_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO **a)
153 return ASN1_d2i_bio_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO, bp, a); 168{
154 } 169 return ASN1_d2i_bio_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO,
170 bp, a);
171}
155 172
156int i2d_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO *a) 173int
157 { 174i2d_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO *a)
175{
158 return ASN1_i2d_bio_of_const(TS_TST_INFO, i2d_TS_TST_INFO, bp, a); 176 return ASN1_i2d_bio_of_const(TS_TST_INFO, i2d_TS_TST_INFO, bp, a);
159 } 177}
160#endif 178#endif
179
161#ifndef OPENSSL_NO_FP_API 180#ifndef OPENSSL_NO_FP_API
162TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a) 181TS_TST_INFO *
163 { 182d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a)
164 return ASN1_d2i_fp_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO, fp, a); 183{
165 } 184 return ASN1_d2i_fp_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO,
185 fp, a);
186}
166 187
167int i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a) 188int
168 { 189i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a)
190{
169 return ASN1_i2d_fp_of_const(TS_TST_INFO, i2d_TS_TST_INFO, fp, a); 191 return ASN1_i2d_fp_of_const(TS_TST_INFO, i2d_TS_TST_INFO, fp, a);
170 } 192}
171#endif 193#endif
172 194
173ASN1_SEQUENCE(TS_STATUS_INFO) = { 195ASN1_SEQUENCE(TS_STATUS_INFO) = {
@@ -179,7 +201,8 @@ ASN1_SEQUENCE(TS_STATUS_INFO) = {
179IMPLEMENT_ASN1_FUNCTIONS_const(TS_STATUS_INFO) 201IMPLEMENT_ASN1_FUNCTIONS_const(TS_STATUS_INFO)
180IMPLEMENT_ASN1_DUP_FUNCTION(TS_STATUS_INFO) 202IMPLEMENT_ASN1_DUP_FUNCTION(TS_STATUS_INFO)
181 203
182static int ts_resp_set_tst_info(TS_RESP *a) 204static int
205ts_resp_set_tst_info(TS_RESP *a)
183{ 206{
184 long status; 207 long status;
185 208
@@ -194,7 +217,8 @@ static int ts_resp_set_tst_info(TS_RESP *a)
194 TS_TST_INFO_free(a->tst_info); 217 TS_TST_INFO_free(a->tst_info);
195 a->tst_info = PKCS7_to_TS_TST_INFO(a->token); 218 a->tst_info = PKCS7_to_TS_TST_INFO(a->token);
196 if (!a->tst_info) { 219 if (!a->tst_info) {
197 TSerr(TS_F_TS_RESP_SET_TST_INFO, TS_R_PKCS7_TO_TS_TST_INFO_FAILED); 220 TSerr(TS_F_TS_RESP_SET_TST_INFO,
221 TS_R_PKCS7_TO_TS_TST_INFO_FAILED);
198 return 0; 222 return 0;
199 } 223 }
200 } else if (status == 0 || status == 1) { 224 } else if (status == 0 || status == 1) {
@@ -205,10 +229,11 @@ static int ts_resp_set_tst_info(TS_RESP *a)
205 return 1; 229 return 1;
206} 230}
207 231
208static int ts_resp_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it, 232static int
209 void *exarg) 233ts_resp_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
210{ 234{
211 TS_RESP *ts_resp = (TS_RESP *)*pval; 235 TS_RESP *ts_resp = (TS_RESP *)*pval;
236
212 if (op == ASN1_OP_NEW_POST) { 237 if (op == ASN1_OP_NEW_POST) {
213 ts_resp->tst_info = NULL; 238 ts_resp->tst_info = NULL;
214 } else if (op == ASN1_OP_FREE_POST) { 239 } else if (op == ASN1_OP_FREE_POST) {
@@ -228,27 +253,33 @@ ASN1_SEQUENCE_cb(TS_RESP, ts_resp_cb) = {
228 253
229IMPLEMENT_ASN1_FUNCTIONS_const(TS_RESP) 254IMPLEMENT_ASN1_FUNCTIONS_const(TS_RESP)
230IMPLEMENT_ASN1_DUP_FUNCTION(TS_RESP) 255IMPLEMENT_ASN1_DUP_FUNCTION(TS_RESP)
256
231#ifndef OPENSSL_NO_BIO 257#ifndef OPENSSL_NO_BIO
232TS_RESP *d2i_TS_RESP_bio(BIO *bp, TS_RESP **a) 258TS_RESP *
233 { 259d2i_TS_RESP_bio(BIO *bp, TS_RESP **a)
260{
234 return ASN1_d2i_bio_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, bp, a); 261 return ASN1_d2i_bio_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, bp, a);
235 } 262}
236 263
237int i2d_TS_RESP_bio(BIO *bp, TS_RESP *a) 264int
238 { 265i2d_TS_RESP_bio(BIO *bp, TS_RESP *a)
266{
239 return ASN1_i2d_bio_of_const(TS_RESP, i2d_TS_RESP, bp, a); 267 return ASN1_i2d_bio_of_const(TS_RESP, i2d_TS_RESP, bp, a);
240 } 268}
241#endif 269#endif
270
242#ifndef OPENSSL_NO_FP_API 271#ifndef OPENSSL_NO_FP_API
243TS_RESP *d2i_TS_RESP_fp(FILE *fp, TS_RESP **a) 272TS_RESP *
244 { 273d2i_TS_RESP_fp(FILE *fp, TS_RESP **a)
274{
245 return ASN1_d2i_fp_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, fp, a); 275 return ASN1_d2i_fp_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, fp, a);
246 } 276}
247 277
248int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a) 278int
249 { 279i2d_TS_RESP_fp(FILE *fp, TS_RESP *a)
280{
250 return ASN1_i2d_fp_of_const(TS_RESP, i2d_TS_RESP, fp, a); 281 return ASN1_i2d_fp_of_const(TS_RESP, i2d_TS_RESP, fp, a);
251 } 282}
252#endif 283#endif
253 284
254ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = { 285ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = {
@@ -276,7 +307,8 @@ IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT)
276IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT) 307IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
277 308
278/* Getting encapsulated TS_TST_INFO object from PKCS7. */ 309/* Getting encapsulated TS_TST_INFO object from PKCS7. */
279TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token) 310TS_TST_INFO *
311PKCS7_to_TS_TST_INFO(PKCS7 *token)
280{ 312{
281 PKCS7_SIGNED *pkcs7_signed; 313 PKCS7_SIGNED *pkcs7_signed;
282 PKCS7 *enveloped; 314 PKCS7 *enveloped;
@@ -284,35 +316,31 @@ TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
284 ASN1_OCTET_STRING *tst_info_der; 316 ASN1_OCTET_STRING *tst_info_der;
285 const unsigned char *p; 317 const unsigned char *p;
286 318
287 if (!PKCS7_type_is_signed(token)) 319 if (!PKCS7_type_is_signed(token)) {
288 {
289 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE); 320 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE);
290 return NULL; 321 return NULL;
291 } 322 }
292 323
293 /* Content must be present. */ 324 /* Content must be present. */
294 if (PKCS7_get_detached(token)) 325 if (PKCS7_get_detached(token)) {
295 {
296 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_DETACHED_CONTENT); 326 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_DETACHED_CONTENT);
297 return NULL; 327 return NULL;
298 } 328 }
299 329
300 /* We have a signed data with content. */ 330 /* We have a signed data with content. */
301 pkcs7_signed = token->d.sign; 331 pkcs7_signed = token->d.sign;
302 enveloped = pkcs7_signed->contents; 332 enveloped = pkcs7_signed->contents;
303 if (OBJ_obj2nid(enveloped->type) != NID_id_smime_ct_TSTInfo) 333 if (OBJ_obj2nid(enveloped->type) != NID_id_smime_ct_TSTInfo) {
304 {
305 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE); 334 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE);
306 return NULL; 335 return NULL;
307 } 336 }
308 337
309 /* We have a DER encoded TST_INFO as the signed data. */ 338 /* We have a DER encoded TST_INFO as the signed data. */
310 tst_info_wrapper = enveloped->d.other; 339 tst_info_wrapper = enveloped->d.other;
311 if (tst_info_wrapper->type != V_ASN1_OCTET_STRING) 340 if (tst_info_wrapper->type != V_ASN1_OCTET_STRING) {
312 {
313 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_TYPE); 341 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_TYPE);
314 return NULL; 342 return NULL;
315 } 343 }
316 344
317 /* We have the correct ASN1_OCTET_STRING type. */ 345 /* We have the correct ASN1_OCTET_STRING type. */
318 tst_info_der = tst_info_wrapper->value.octet_string; 346 tst_info_der = tst_info_wrapper->value.octet_string;
diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c
index 212f8bf702..f8cf3b514c 100644
--- a/src/lib/libcrypto/ts/ts_conf.c
+++ b/src/lib/libcrypto/ts/ts_conf.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -85,420 +85,440 @@
85#define ENV_VALUE_SECS "secs" 85#define ENV_VALUE_SECS "secs"
86#define ENV_VALUE_MILLISECS "millisecs" 86#define ENV_VALUE_MILLISECS "millisecs"
87#define ENV_VALUE_MICROSECS "microsecs" 87#define ENV_VALUE_MICROSECS "microsecs"
88#define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits" 88#define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits"
89#define ENV_VALUE_YES "yes" 89#define ENV_VALUE_YES "yes"
90#define ENV_VALUE_NO "no" 90#define ENV_VALUE_NO "no"
91 91
92/* Function definitions for certificate and key loading. */ 92/* Function definitions for certificate and key loading. */
93 93
94X509 *TS_CONF_load_cert(const char *file) 94X509 *
95 { 95TS_CONF_load_cert(const char *file)
96{
96 BIO *cert = NULL; 97 BIO *cert = NULL;
97 X509 *x = NULL; 98 X509 *x = NULL;
98 99
99 if ((cert = BIO_new_file(file, "r")) == NULL) goto end; 100 if ((cert = BIO_new_file(file, "r")) == NULL)
101 goto end;
100 x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL); 102 x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
103
101end: 104end:
102 if (x == NULL) 105 if (x == NULL)
103 fprintf(stderr, "unable to load certificate: %s\n", file); 106 fprintf(stderr, "unable to load certificate: %s\n", file);
104 BIO_free(cert); 107 BIO_free(cert);
105 return x; 108 return x;
106 } 109}
107 110
108STACK_OF(X509) *TS_CONF_load_certs(const char *file) 111STACK_OF(X509) *TS_CONF_load_certs(const char *file)
109 { 112{
110 BIO *certs = NULL; 113 BIO *certs = NULL;
111 STACK_OF(X509) *othercerts = NULL; 114 STACK_OF(X509) *othercerts = NULL;
112 STACK_OF(X509_INFO) *allcerts = NULL; 115 STACK_OF(X509_INFO) *allcerts = NULL;
113 int i; 116 int i;
114 117
115 if (!(certs = BIO_new_file(file, "r"))) goto end; 118 if (!(certs = BIO_new_file(file, "r")))
119 goto end;
116 120
117 if (!(othercerts = sk_X509_new_null())) goto end; 121 if (!(othercerts = sk_X509_new_null()))
122 goto end;
118 allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL); 123 allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
119 for(i = 0; i < sk_X509_INFO_num(allcerts); i++) 124 for (i = 0; i < sk_X509_INFO_num(allcerts); i++) {
120 {
121 X509_INFO *xi = sk_X509_INFO_value(allcerts, i); 125 X509_INFO *xi = sk_X509_INFO_value(allcerts, i);
122 if (xi->x509) 126 if (xi->x509) {
123 {
124 sk_X509_push(othercerts, xi->x509); 127 sk_X509_push(othercerts, xi->x509);
125 xi->x509 = NULL; 128 xi->x509 = NULL;
126 }
127 } 129 }
130 }
131
128end: 132end:
129 if (othercerts == NULL) 133 if (othercerts == NULL)
130 fprintf(stderr, "unable to load certificates: %s\n", file); 134 fprintf(stderr, "unable to load certificates: %s\n", file);
131 sk_X509_INFO_pop_free(allcerts, X509_INFO_free); 135 sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
132 BIO_free(certs); 136 BIO_free(certs);
133 return othercerts; 137 return othercerts;
134 } 138}
135 139
136EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass) 140EVP_PKEY *
137 { 141TS_CONF_load_key(const char *file, const char *pass)
142{
138 BIO *key = NULL; 143 BIO *key = NULL;
139 EVP_PKEY *pkey = NULL; 144 EVP_PKEY *pkey = NULL;
140 145
141 if (!(key = BIO_new_file(file, "r"))) goto end; 146 if (!(key = BIO_new_file(file, "r")))
147 goto end;
142 pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, (char *) pass); 148 pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, (char *) pass);
143 end: 149
150end:
144 if (pkey == NULL) 151 if (pkey == NULL)
145 fprintf(stderr, "unable to load private key: %s\n", file); 152 fprintf(stderr, "unable to load private key: %s\n", file);
146 BIO_free(key); 153 BIO_free(key);
147 return pkey; 154 return pkey;
148 } 155}
149 156
150/* Function definitions for handling configuration options. */ 157/* Function definitions for handling configuration options. */
151 158
152static void TS_CONF_lookup_fail(const char *name, const char *tag) 159static void
153 { 160TS_CONF_lookup_fail(const char *name, const char *tag)
161{
154 fprintf(stderr, "variable lookup failed for %s::%s\n", name, tag); 162 fprintf(stderr, "variable lookup failed for %s::%s\n", name, tag);
155 } 163}
156 164
157static void TS_CONF_invalid(const char *name, const char *tag) 165static void
158 { 166TS_CONF_invalid(const char *name, const char *tag)
167{
159 fprintf(stderr, "invalid variable value for %s::%s\n", name, tag); 168 fprintf(stderr, "invalid variable value for %s::%s\n", name, tag);
160 } 169}
161 170
162const char *TS_CONF_get_tsa_section(CONF *conf, const char *section) 171const char *
163 { 172TS_CONF_get_tsa_section(CONF *conf, const char *section)
164 if (!section) 173{
165 { 174 if (!section) {
166 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_TSA); 175 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_TSA);
167 if (!section) 176 if (!section)
168 TS_CONF_lookup_fail(BASE_SECTION, ENV_DEFAULT_TSA); 177 TS_CONF_lookup_fail(BASE_SECTION, ENV_DEFAULT_TSA);
169 }
170 return section;
171 } 178 }
179 return section;
180}
172 181
173int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb, 182int
174 TS_RESP_CTX *ctx) 183TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
175 { 184 TS_RESP_CTX *ctx)
185{
176 int ret = 0; 186 int ret = 0;
177 char *serial = NCONF_get_string(conf, section, ENV_SERIAL); 187 char *serial = NCONF_get_string(conf, section, ENV_SERIAL);
178 if (!serial) 188
179 { 189 if (!serial) {
180 TS_CONF_lookup_fail(section, ENV_SERIAL); 190 TS_CONF_lookup_fail(section, ENV_SERIAL);
181 goto err; 191 goto err;
182 } 192 }
183 TS_RESP_CTX_set_serial_cb(ctx, cb, serial); 193 TS_RESP_CTX_set_serial_cb(ctx, cb, serial);
184 194
185 ret = 1; 195 ret = 1;
186 err: 196
197err:
187 return ret; 198 return ret;
188 } 199}
189 200
190#ifndef OPENSSL_NO_ENGINE 201#ifndef OPENSSL_NO_ENGINE
191 202
192int TS_CONF_set_crypto_device(CONF *conf, const char *section, 203int
193 const char *device) 204TS_CONF_set_crypto_device(CONF *conf, const char *section, const char *device)
194 { 205{
195 int ret = 0; 206 int ret = 0;
196 207
197 if (!device) 208 if (!device)
198 device = NCONF_get_string(conf, section, 209 device = NCONF_get_string(conf, section, ENV_CRYPTO_DEVICE);
199 ENV_CRYPTO_DEVICE);
200 210
201 if (device && !TS_CONF_set_default_engine(device)) 211 if (device && !TS_CONF_set_default_engine(device)) {
202 {
203 TS_CONF_invalid(section, ENV_CRYPTO_DEVICE); 212 TS_CONF_invalid(section, ENV_CRYPTO_DEVICE);
204 goto err; 213 goto err;
205 } 214 }
206 ret = 1; 215 ret = 1;
207 err: 216
217err:
208 return ret; 218 return ret;
209 } 219}
210 220
211int TS_CONF_set_default_engine(const char *name) 221int
212 { 222TS_CONF_set_default_engine(const char *name)
223{
213 ENGINE *e = NULL; 224 ENGINE *e = NULL;
214 int ret = 0; 225 int ret = 0;
215 226
216 /* Leave the default if builtin specified. */ 227 /* Leave the default if builtin specified. */
217 if (strcmp(name, "builtin") == 0) return 1; 228 if (strcmp(name, "builtin") == 0)
229 return 1;
218 230
219 if (!(e = ENGINE_by_id(name))) goto err; 231 if (!(e = ENGINE_by_id(name)))
232 goto err;
220 /* All the operations are going to be carried out by the engine. */ 233 /* All the operations are going to be carried out by the engine. */
221 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) goto err; 234 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
235 goto err;
222 ret = 1; 236 ret = 1;
223 err: 237
224 if (!ret) 238err:
225 { 239 if (!ret) {
226 TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE, 240 TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE,
227 TS_R_COULD_NOT_SET_ENGINE); 241 TS_R_COULD_NOT_SET_ENGINE);
228 ERR_add_error_data(2, "engine:", name); 242 ERR_add_error_data(2, "engine:", name);
229 }
230 if (e) ENGINE_free(e);
231 return ret;
232 } 243 }
244 if (e)
245 ENGINE_free(e);
246 return ret;
247}
233 248
234#endif 249#endif
235 250
236int TS_CONF_set_signer_cert(CONF *conf, const char *section, 251int
237 const char *cert, TS_RESP_CTX *ctx) 252TS_CONF_set_signer_cert(CONF *conf, const char *section, const char *cert,
238 { 253 TS_RESP_CTX *ctx)
254{
239 int ret = 0; 255 int ret = 0;
240 X509 *cert_obj = NULL; 256 X509 *cert_obj = NULL;
241 if (!cert) 257
242 cert = NCONF_get_string(conf, section, ENV_SIGNER_CERT);
243 if (!cert) 258 if (!cert)
244 { 259 cert = NCONF_get_string(conf, section, ENV_SIGNER_CERT);
260 if (!cert) {
245 TS_CONF_lookup_fail(section, ENV_SIGNER_CERT); 261 TS_CONF_lookup_fail(section, ENV_SIGNER_CERT);
246 goto err; 262 goto err;
247 } 263 }
248 if (!(cert_obj = TS_CONF_load_cert(cert))) 264 if (!(cert_obj = TS_CONF_load_cert(cert)))
249 goto err; 265 goto err;
250 if (!TS_RESP_CTX_set_signer_cert(ctx, cert_obj)) 266 if (!TS_RESP_CTX_set_signer_cert(ctx, cert_obj))
251 goto err; 267 goto err;
252 268
253 ret = 1; 269 ret = 1;
254 err: 270
271err:
255 X509_free(cert_obj); 272 X509_free(cert_obj);
256 return ret; 273 return ret;
257 } 274}
258 275
259int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs, 276int
260 TS_RESP_CTX *ctx) 277TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
261 { 278 TS_RESP_CTX *ctx)
279{
262 int ret = 0; 280 int ret = 0;
263 STACK_OF(X509) *certs_obj = NULL; 281 STACK_OF(X509) *certs_obj = NULL;
264 if (!certs) 282
283 if (!certs)
265 certs = NCONF_get_string(conf, section, ENV_CERTS); 284 certs = NCONF_get_string(conf, section, ENV_CERTS);
266 /* Certificate chain is optional. */ 285 /* Certificate chain is optional. */
267 if (!certs) goto end; 286 if (!certs)
268 if (!(certs_obj = TS_CONF_load_certs(certs))) goto err; 287 goto end;
269 if (!TS_RESP_CTX_set_certs(ctx, certs_obj)) goto err; 288 if (!(certs_obj = TS_CONF_load_certs(certs)))
270 end: 289 goto err;
290 if (!TS_RESP_CTX_set_certs(ctx, certs_obj))
291 goto err;
292
293end:
271 ret = 1; 294 ret = 1;
272 err: 295err:
273 sk_X509_pop_free(certs_obj, X509_free); 296 sk_X509_pop_free(certs_obj, X509_free);
274 return ret; 297 return ret;
275 } 298}
276 299
277int TS_CONF_set_signer_key(CONF *conf, const char *section, 300int
278 const char *key, const char *pass, 301TS_CONF_set_signer_key(CONF *conf, const char *section, const char *key,
279 TS_RESP_CTX *ctx) 302 const char *pass, TS_RESP_CTX *ctx)
280 { 303{
281 int ret = 0; 304 int ret = 0;
282 EVP_PKEY *key_obj = NULL; 305 EVP_PKEY *key_obj = NULL;
283 if (!key) 306
284 key = NCONF_get_string(conf, section, ENV_SIGNER_KEY);
285 if (!key) 307 if (!key)
286 { 308 key = NCONF_get_string(conf, section, ENV_SIGNER_KEY);
309 if (!key) {
287 TS_CONF_lookup_fail(section, ENV_SIGNER_KEY); 310 TS_CONF_lookup_fail(section, ENV_SIGNER_KEY);
288 goto err; 311 goto err;
289 } 312 }
290 if (!(key_obj = TS_CONF_load_key(key, pass))) goto err; 313 if (!(key_obj = TS_CONF_load_key(key, pass)))
291 if (!TS_RESP_CTX_set_signer_key(ctx, key_obj)) goto err; 314 goto err;
315 if (!TS_RESP_CTX_set_signer_key(ctx, key_obj))
316 goto err;
292 317
293 ret = 1; 318 ret = 1;
294 err: 319
320err:
295 EVP_PKEY_free(key_obj); 321 EVP_PKEY_free(key_obj);
296 return ret; 322 return ret;
297 } 323}
298 324
299int TS_CONF_set_def_policy(CONF *conf, const char *section, 325int
300 const char *policy, TS_RESP_CTX *ctx) 326TS_CONF_set_def_policy(CONF *conf, const char *section, const char *policy,
301 { 327 TS_RESP_CTX *ctx)
328{
302 int ret = 0; 329 int ret = 0;
303 ASN1_OBJECT *policy_obj = NULL; 330 ASN1_OBJECT *policy_obj = NULL;
304 if (!policy) 331
305 policy = NCONF_get_string(conf, section, 332 if (!policy)
306 ENV_DEFAULT_POLICY); 333 policy = NCONF_get_string(conf, section, ENV_DEFAULT_POLICY);
307 if (!policy) 334 if (!policy) {
308 {
309 TS_CONF_lookup_fail(section, ENV_DEFAULT_POLICY); 335 TS_CONF_lookup_fail(section, ENV_DEFAULT_POLICY);
310 goto err; 336 goto err;
311 } 337 }
312 if (!(policy_obj = OBJ_txt2obj(policy, 0))) 338 if (!(policy_obj = OBJ_txt2obj(policy, 0))) {
313 {
314 TS_CONF_invalid(section, ENV_DEFAULT_POLICY); 339 TS_CONF_invalid(section, ENV_DEFAULT_POLICY);
315 goto err; 340 goto err;
316 } 341 }
317 if (!TS_RESP_CTX_set_def_policy(ctx, policy_obj)) 342 if (!TS_RESP_CTX_set_def_policy(ctx, policy_obj))
318 goto err; 343 goto err;
319 344
320 ret = 1; 345 ret = 1;
321 err: 346
347err:
322 ASN1_OBJECT_free(policy_obj); 348 ASN1_OBJECT_free(policy_obj);
323 return ret; 349 return ret;
324 } 350}
325 351
326int TS_CONF_set_policies(CONF *conf, const char *section, 352int
327 TS_RESP_CTX *ctx) 353TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx)
328 { 354{
329 int ret = 0; 355 int ret = 0;
330 int i; 356 int i;
331 STACK_OF(CONF_VALUE) *list = NULL; 357 STACK_OF(CONF_VALUE) *list = NULL;
332 char *policies = NCONF_get_string(conf, section, 358 char *policies = NCONF_get_string(conf, section, ENV_OTHER_POLICIES);
333 ENV_OTHER_POLICIES); 359
334 /* If no other policy is specified, that's fine. */ 360 /* If no other policy is specified, that's fine. */
335 if (policies && !(list = X509V3_parse_list(policies))) 361 if (policies && !(list = X509V3_parse_list(policies))) {
336 {
337 TS_CONF_invalid(section, ENV_OTHER_POLICIES); 362 TS_CONF_invalid(section, ENV_OTHER_POLICIES);
338 goto err; 363 goto err;
339 } 364 }
340 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) 365 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
341 {
342 CONF_VALUE *val = sk_CONF_VALUE_value(list, i); 366 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
343 const char *extval = val->value ? val->value : val->name; 367 const char *extval = val->value ? val->value : val->name;
344 ASN1_OBJECT *objtmp; 368 ASN1_OBJECT *objtmp;
345 if (!(objtmp = OBJ_txt2obj(extval, 0))) 369 if (!(objtmp = OBJ_txt2obj(extval, 0))) {
346 {
347 TS_CONF_invalid(section, ENV_OTHER_POLICIES); 370 TS_CONF_invalid(section, ENV_OTHER_POLICIES);
348 goto err; 371 goto err;
349 } 372 }
350 if (!TS_RESP_CTX_add_policy(ctx, objtmp)) 373 if (!TS_RESP_CTX_add_policy(ctx, objtmp))
351 goto err; 374 goto err;
352 ASN1_OBJECT_free(objtmp); 375 ASN1_OBJECT_free(objtmp);
353 } 376 }
354 377
355 ret = 1; 378 ret = 1;
356 err: 379
380err:
357 sk_CONF_VALUE_pop_free(list, X509V3_conf_free); 381 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
358 return ret; 382 return ret;
359 } 383}
360 384
361int TS_CONF_set_digests(CONF *conf, const char *section, 385int
362 TS_RESP_CTX *ctx) 386TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx)
363 { 387{
364 int ret = 0; 388 int ret = 0;
365 int i; 389 int i;
366 STACK_OF(CONF_VALUE) *list = NULL; 390 STACK_OF(CONF_VALUE) *list = NULL;
367 char *digests = NCONF_get_string(conf, section, ENV_DIGESTS); 391 char *digests = NCONF_get_string(conf, section, ENV_DIGESTS);
368 if (!digests) 392
369 { 393 if (!digests) {
370 TS_CONF_lookup_fail(section, ENV_DIGESTS); 394 TS_CONF_lookup_fail(section, ENV_DIGESTS);
371 goto err; 395 goto err;
372 } 396 }
373 if (!(list = X509V3_parse_list(digests))) 397 if (!(list = X509V3_parse_list(digests))) {
374 {
375 TS_CONF_invalid(section, ENV_DIGESTS); 398 TS_CONF_invalid(section, ENV_DIGESTS);
376 goto err; 399 goto err;
377 } 400 }
378 if (sk_CONF_VALUE_num(list) == 0) 401 if (sk_CONF_VALUE_num(list) == 0) {
379 {
380 TS_CONF_invalid(section, ENV_DIGESTS); 402 TS_CONF_invalid(section, ENV_DIGESTS);
381 goto err; 403 goto err;
382 } 404 }
383 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) 405 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
384 {
385 CONF_VALUE *val = sk_CONF_VALUE_value(list, i); 406 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
386 const char *extval = val->value ? val->value : val->name; 407 const char *extval = val->value ? val->value : val->name;
387 const EVP_MD *md; 408 const EVP_MD *md;
388 if (!(md = EVP_get_digestbyname(extval))) 409 if (!(md = EVP_get_digestbyname(extval))) {
389 {
390 TS_CONF_invalid(section, ENV_DIGESTS); 410 TS_CONF_invalid(section, ENV_DIGESTS);
391 goto err; 411 goto err;
392 } 412 }
393 if (!TS_RESP_CTX_add_md(ctx, md)) 413 if (!TS_RESP_CTX_add_md(ctx, md))
394 goto err; 414 goto err;
395 } 415 }
396 416
397 ret = 1; 417 ret = 1;
398 err: 418
419err:
399 sk_CONF_VALUE_pop_free(list, X509V3_conf_free); 420 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
400 return ret; 421 return ret;
401 } 422}
402 423
403int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx) 424int
404 { 425TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx)
426{
405 int ret = 0; 427 int ret = 0;
406 int i; 428 int i;
407 int secs = 0, millis = 0, micros = 0; 429 int secs = 0, millis = 0, micros = 0;
408 STACK_OF(CONF_VALUE) *list = NULL; 430 STACK_OF(CONF_VALUE) *list = NULL;
409 char *accuracy = NCONF_get_string(conf, section, ENV_ACCURACY); 431 char *accuracy = NCONF_get_string(conf, section, ENV_ACCURACY);
410 432
411 if (accuracy && !(list = X509V3_parse_list(accuracy))) 433 if (accuracy && !(list = X509V3_parse_list(accuracy))) {
412 {
413 TS_CONF_invalid(section, ENV_ACCURACY); 434 TS_CONF_invalid(section, ENV_ACCURACY);
414 goto err; 435 goto err;
415 } 436 }
416 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) 437 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
417 {
418 CONF_VALUE *val = sk_CONF_VALUE_value(list, i); 438 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
419 if (strcmp(val->name, ENV_VALUE_SECS) == 0) 439 if (strcmp(val->name, ENV_VALUE_SECS) == 0) {
420 { 440 if (val->value)
421 if (val->value) secs = atoi(val->value); 441 secs = atoi(val->value);
422 } 442 } else if (strcmp(val->name, ENV_VALUE_MILLISECS) == 0) {
423 else if (strcmp(val->name, ENV_VALUE_MILLISECS) == 0) 443 if (val->value)
424 { 444 millis = atoi(val->value);
425 if (val->value) millis = atoi(val->value); 445 } else if (strcmp(val->name, ENV_VALUE_MICROSECS) == 0) {
426 } 446 if (val->value)
427 else if (strcmp(val->name, ENV_VALUE_MICROSECS) == 0) 447 micros = atoi(val->value);
428 { 448 } else {
429 if (val->value) micros = atoi(val->value);
430 }
431 else
432 {
433 TS_CONF_invalid(section, ENV_ACCURACY); 449 TS_CONF_invalid(section, ENV_ACCURACY);
434 goto err; 450 goto err;
435 }
436 } 451 }
452 }
437 if (!TS_RESP_CTX_set_accuracy(ctx, secs, millis, micros)) 453 if (!TS_RESP_CTX_set_accuracy(ctx, secs, millis, micros))
438 goto err; 454 goto err;
439 455
440 ret = 1; 456 ret = 1;
441 err: 457
458err:
442 sk_CONF_VALUE_pop_free(list, X509V3_conf_free); 459 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
443 return ret; 460 return ret;
444 } 461}
445 462
446int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section, 463int
447 TS_RESP_CTX *ctx) 464TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
448 { 465 TS_RESP_CTX *ctx)
466{
449 int ret = 0; 467 int ret = 0;
450 long digits = 0; 468 long digits = 0;
451 469
452 /* If not specified, set the default value to 0, i.e. sec precision */ 470 /* If not specified, set the default value to 0, i.e. sec precision */
453 if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS, 471 if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
454 &digits)) 472 &digits))
455 digits = 0; 473 digits = 0;
456 if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS) 474 if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS) {
457 {
458 TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS); 475 TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
459 goto err; 476 goto err;
460 } 477 }
461 478
462 if (!TS_RESP_CTX_set_clock_precision_digits(ctx, digits)) 479 if (!TS_RESP_CTX_set_clock_precision_digits(ctx, digits))
463 goto err; 480 goto err;
464 481
465 return 1; 482 return 1;
466 err: 483
484err:
467 return ret; 485 return ret;
468 } 486}
469 487
470static int TS_CONF_add_flag(CONF *conf, const char *section, const char *field, 488static int
471 int flag, TS_RESP_CTX *ctx) 489TS_CONF_add_flag(CONF *conf, const char *section, const char *field, int flag,
472 { 490 TS_RESP_CTX *ctx)
491{
473 /* Default is false. */ 492 /* Default is false. */
474 const char *value = NCONF_get_string(conf, section, field); 493 const char *value = NCONF_get_string(conf, section, field);
475 if (value) 494
476 { 495 if (value) {
477 if (strcmp(value, ENV_VALUE_YES) == 0) 496 if (strcmp(value, ENV_VALUE_YES) == 0)
478 TS_RESP_CTX_add_flags(ctx, flag); 497 TS_RESP_CTX_add_flags(ctx, flag);
479 else if (strcmp(value, ENV_VALUE_NO) != 0) 498 else if (strcmp(value, ENV_VALUE_NO) != 0) {
480 {
481 TS_CONF_invalid(section, field); 499 TS_CONF_invalid(section, field);
482 return 0; 500 return 0;
483 }
484 } 501 }
502 }
485 503
486 return 1; 504 return 1;
487 } 505}
488 506
489int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx) 507int
490 { 508TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx)
509{
491 return TS_CONF_add_flag(conf, section, ENV_ORDERING, TS_ORDERING, ctx); 510 return TS_CONF_add_flag(conf, section, ENV_ORDERING, TS_ORDERING, ctx);
492 } 511}
493 512
494int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx) 513int
495 { 514TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx)
515{
496 return TS_CONF_add_flag(conf, section, ENV_TSA_NAME, TS_TSA_NAME, ctx); 516 return TS_CONF_add_flag(conf, section, ENV_TSA_NAME, TS_TSA_NAME, ctx);
497 } 517}
498 518
499int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, 519int
500 TS_RESP_CTX *ctx) 520TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, TS_RESP_CTX *ctx)
501 { 521{
502 return TS_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN, 522 return TS_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN,
503 TS_ESS_CERT_ID_CHAIN, ctx); 523 TS_ESS_CERT_ID_CHAIN, ctx);
504 } 524}
diff --git a/src/lib/libcrypto/ts/ts_err.c b/src/lib/libcrypto/ts/ts_err.c
index a08b0ffa23..1185d22fd7 100644
--- a/src/lib/libcrypto/ts/ts_err.c
+++ b/src/lib/libcrypto/ts/ts_err.c
@@ -7,7 +7,7 @@
7 * are met: 7 * are met:
8 * 8 *
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 11 *
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in 13 * notice, this list of conditions and the following disclaimer in
@@ -68,112 +68,109 @@
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0) 68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_TS,0,reason) 69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_TS,0,reason)
70 70
71static ERR_STRING_DATA TS_str_functs[]= 71static ERR_STRING_DATA TS_str_functs[] = {
72 { 72 {ERR_FUNC(TS_F_D2I_TS_RESP), "d2i_TS_RESP"},
73{ERR_FUNC(TS_F_D2I_TS_RESP), "d2i_TS_RESP"}, 73 {ERR_FUNC(TS_F_DEF_SERIAL_CB), "DEF_SERIAL_CB"},
74{ERR_FUNC(TS_F_DEF_SERIAL_CB), "DEF_SERIAL_CB"}, 74 {ERR_FUNC(TS_F_DEF_TIME_CB), "DEF_TIME_CB"},
75{ERR_FUNC(TS_F_DEF_TIME_CB), "DEF_TIME_CB"}, 75 {ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT), "ESS_ADD_SIGNING_CERT"},
76{ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT), "ESS_ADD_SIGNING_CERT"}, 76 {ERR_FUNC(TS_F_ESS_CERT_ID_NEW_INIT), "ESS_CERT_ID_NEW_INIT"},
77{ERR_FUNC(TS_F_ESS_CERT_ID_NEW_INIT), "ESS_CERT_ID_NEW_INIT"}, 77 {ERR_FUNC(TS_F_ESS_SIGNING_CERT_NEW_INIT), "ESS_SIGNING_CERT_NEW_INIT"},
78{ERR_FUNC(TS_F_ESS_SIGNING_CERT_NEW_INIT), "ESS_SIGNING_CERT_NEW_INIT"}, 78 {ERR_FUNC(TS_F_INT_TS_RESP_VERIFY_TOKEN), "INT_TS_RESP_VERIFY_TOKEN"},
79{ERR_FUNC(TS_F_INT_TS_RESP_VERIFY_TOKEN), "INT_TS_RESP_VERIFY_TOKEN"}, 79 {ERR_FUNC(TS_F_PKCS7_TO_TS_TST_INFO), "PKCS7_to_TS_TST_INFO"},
80{ERR_FUNC(TS_F_PKCS7_TO_TS_TST_INFO), "PKCS7_to_TS_TST_INFO"}, 80 {ERR_FUNC(TS_F_TS_ACCURACY_SET_MICROS), "TS_ACCURACY_set_micros"},
81{ERR_FUNC(TS_F_TS_ACCURACY_SET_MICROS), "TS_ACCURACY_set_micros"}, 81 {ERR_FUNC(TS_F_TS_ACCURACY_SET_MILLIS), "TS_ACCURACY_set_millis"},
82{ERR_FUNC(TS_F_TS_ACCURACY_SET_MILLIS), "TS_ACCURACY_set_millis"}, 82 {ERR_FUNC(TS_F_TS_ACCURACY_SET_SECONDS), "TS_ACCURACY_set_seconds"},
83{ERR_FUNC(TS_F_TS_ACCURACY_SET_SECONDS), "TS_ACCURACY_set_seconds"}, 83 {ERR_FUNC(TS_F_TS_CHECK_IMPRINTS), "TS_CHECK_IMPRINTS"},
84{ERR_FUNC(TS_F_TS_CHECK_IMPRINTS), "TS_CHECK_IMPRINTS"}, 84 {ERR_FUNC(TS_F_TS_CHECK_NONCES), "TS_CHECK_NONCES"},
85{ERR_FUNC(TS_F_TS_CHECK_NONCES), "TS_CHECK_NONCES"}, 85 {ERR_FUNC(TS_F_TS_CHECK_POLICY), "TS_CHECK_POLICY"},
86{ERR_FUNC(TS_F_TS_CHECK_POLICY), "TS_CHECK_POLICY"}, 86 {ERR_FUNC(TS_F_TS_CHECK_SIGNING_CERTS), "TS_CHECK_SIGNING_CERTS"},
87{ERR_FUNC(TS_F_TS_CHECK_SIGNING_CERTS), "TS_CHECK_SIGNING_CERTS"}, 87 {ERR_FUNC(TS_F_TS_CHECK_STATUS_INFO), "TS_CHECK_STATUS_INFO"},
88{ERR_FUNC(TS_F_TS_CHECK_STATUS_INFO), "TS_CHECK_STATUS_INFO"}, 88 {ERR_FUNC(TS_F_TS_COMPUTE_IMPRINT), "TS_COMPUTE_IMPRINT"},
89{ERR_FUNC(TS_F_TS_COMPUTE_IMPRINT), "TS_COMPUTE_IMPRINT"}, 89 {ERR_FUNC(TS_F_TS_CONF_SET_DEFAULT_ENGINE), "TS_CONF_set_default_engine"},
90{ERR_FUNC(TS_F_TS_CONF_SET_DEFAULT_ENGINE), "TS_CONF_set_default_engine"}, 90 {ERR_FUNC(TS_F_TS_GET_STATUS_TEXT), "TS_GET_STATUS_TEXT"},
91{ERR_FUNC(TS_F_TS_GET_STATUS_TEXT), "TS_GET_STATUS_TEXT"}, 91 {ERR_FUNC(TS_F_TS_MSG_IMPRINT_SET_ALGO), "TS_MSG_IMPRINT_set_algo"},
92{ERR_FUNC(TS_F_TS_MSG_IMPRINT_SET_ALGO), "TS_MSG_IMPRINT_set_algo"}, 92 {ERR_FUNC(TS_F_TS_REQ_SET_MSG_IMPRINT), "TS_REQ_set_msg_imprint"},
93{ERR_FUNC(TS_F_TS_REQ_SET_MSG_IMPRINT), "TS_REQ_set_msg_imprint"}, 93 {ERR_FUNC(TS_F_TS_REQ_SET_NONCE), "TS_REQ_set_nonce"},
94{ERR_FUNC(TS_F_TS_REQ_SET_NONCE), "TS_REQ_set_nonce"}, 94 {ERR_FUNC(TS_F_TS_REQ_SET_POLICY_ID), "TS_REQ_set_policy_id"},
95{ERR_FUNC(TS_F_TS_REQ_SET_POLICY_ID), "TS_REQ_set_policy_id"}, 95 {ERR_FUNC(TS_F_TS_RESP_CREATE_RESPONSE), "TS_RESP_create_response"},
96{ERR_FUNC(TS_F_TS_RESP_CREATE_RESPONSE), "TS_RESP_create_response"}, 96 {ERR_FUNC(TS_F_TS_RESP_CREATE_TST_INFO), "TS_RESP_CREATE_TST_INFO"},
97{ERR_FUNC(TS_F_TS_RESP_CREATE_TST_INFO), "TS_RESP_CREATE_TST_INFO"}, 97 {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO), "TS_RESP_CTX_add_failure_info"},
98{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO), "TS_RESP_CTX_add_failure_info"}, 98 {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_MD), "TS_RESP_CTX_add_md"},
99{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_MD), "TS_RESP_CTX_add_md"}, 99 {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_POLICY), "TS_RESP_CTX_add_policy"},
100{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_POLICY), "TS_RESP_CTX_add_policy"}, 100 {ERR_FUNC(TS_F_TS_RESP_CTX_NEW), "TS_RESP_CTX_new"},
101{ERR_FUNC(TS_F_TS_RESP_CTX_NEW), "TS_RESP_CTX_new"}, 101 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_ACCURACY), "TS_RESP_CTX_set_accuracy"},
102{ERR_FUNC(TS_F_TS_RESP_CTX_SET_ACCURACY), "TS_RESP_CTX_set_accuracy"}, 102 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_CERTS), "TS_RESP_CTX_set_certs"},
103{ERR_FUNC(TS_F_TS_RESP_CTX_SET_CERTS), "TS_RESP_CTX_set_certs"}, 103 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_DEF_POLICY), "TS_RESP_CTX_set_def_policy"},
104{ERR_FUNC(TS_F_TS_RESP_CTX_SET_DEF_POLICY), "TS_RESP_CTX_set_def_policy"}, 104 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_SIGNER_CERT), "TS_RESP_CTX_set_signer_cert"},
105{ERR_FUNC(TS_F_TS_RESP_CTX_SET_SIGNER_CERT), "TS_RESP_CTX_set_signer_cert"}, 105 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_STATUS_INFO), "TS_RESP_CTX_set_status_info"},
106{ERR_FUNC(TS_F_TS_RESP_CTX_SET_STATUS_INFO), "TS_RESP_CTX_set_status_info"}, 106 {ERR_FUNC(TS_F_TS_RESP_GET_POLICY), "TS_RESP_GET_POLICY"},
107{ERR_FUNC(TS_F_TS_RESP_GET_POLICY), "TS_RESP_GET_POLICY"}, 107 {ERR_FUNC(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION), "TS_RESP_SET_GENTIME_WITH_PRECISION"},
108{ERR_FUNC(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION), "TS_RESP_SET_GENTIME_WITH_PRECISION"}, 108 {ERR_FUNC(TS_F_TS_RESP_SET_STATUS_INFO), "TS_RESP_set_status_info"},
109{ERR_FUNC(TS_F_TS_RESP_SET_STATUS_INFO), "TS_RESP_set_status_info"}, 109 {ERR_FUNC(TS_F_TS_RESP_SET_TST_INFO), "TS_RESP_set_tst_info"},
110{ERR_FUNC(TS_F_TS_RESP_SET_TST_INFO), "TS_RESP_set_tst_info"}, 110 {ERR_FUNC(TS_F_TS_RESP_SIGN), "TS_RESP_SIGN"},
111{ERR_FUNC(TS_F_TS_RESP_SIGN), "TS_RESP_SIGN"}, 111 {ERR_FUNC(TS_F_TS_RESP_VERIFY_SIGNATURE), "TS_RESP_verify_signature"},
112{ERR_FUNC(TS_F_TS_RESP_VERIFY_SIGNATURE), "TS_RESP_verify_signature"}, 112 {ERR_FUNC(TS_F_TS_RESP_VERIFY_TOKEN), "TS_RESP_verify_token"},
113{ERR_FUNC(TS_F_TS_RESP_VERIFY_TOKEN), "TS_RESP_verify_token"}, 113 {ERR_FUNC(TS_F_TS_TST_INFO_SET_ACCURACY), "TS_TST_INFO_set_accuracy"},
114{ERR_FUNC(TS_F_TS_TST_INFO_SET_ACCURACY), "TS_TST_INFO_set_accuracy"}, 114 {ERR_FUNC(TS_F_TS_TST_INFO_SET_MSG_IMPRINT), "TS_TST_INFO_set_msg_imprint"},
115{ERR_FUNC(TS_F_TS_TST_INFO_SET_MSG_IMPRINT), "TS_TST_INFO_set_msg_imprint"}, 115 {ERR_FUNC(TS_F_TS_TST_INFO_SET_NONCE), "TS_TST_INFO_set_nonce"},
116{ERR_FUNC(TS_F_TS_TST_INFO_SET_NONCE), "TS_TST_INFO_set_nonce"}, 116 {ERR_FUNC(TS_F_TS_TST_INFO_SET_POLICY_ID), "TS_TST_INFO_set_policy_id"},
117{ERR_FUNC(TS_F_TS_TST_INFO_SET_POLICY_ID), "TS_TST_INFO_set_policy_id"}, 117 {ERR_FUNC(TS_F_TS_TST_INFO_SET_SERIAL), "TS_TST_INFO_set_serial"},
118{ERR_FUNC(TS_F_TS_TST_INFO_SET_SERIAL), "TS_TST_INFO_set_serial"}, 118 {ERR_FUNC(TS_F_TS_TST_INFO_SET_TIME), "TS_TST_INFO_set_time"},
119{ERR_FUNC(TS_F_TS_TST_INFO_SET_TIME), "TS_TST_INFO_set_time"}, 119 {ERR_FUNC(TS_F_TS_TST_INFO_SET_TSA), "TS_TST_INFO_set_tsa"},
120{ERR_FUNC(TS_F_TS_TST_INFO_SET_TSA), "TS_TST_INFO_set_tsa"}, 120 {ERR_FUNC(TS_F_TS_VERIFY), "TS_VERIFY"},
121{ERR_FUNC(TS_F_TS_VERIFY), "TS_VERIFY"}, 121 {ERR_FUNC(TS_F_TS_VERIFY_CERT), "TS_VERIFY_CERT"},
122{ERR_FUNC(TS_F_TS_VERIFY_CERT), "TS_VERIFY_CERT"}, 122 {ERR_FUNC(TS_F_TS_VERIFY_CTX_NEW), "TS_VERIFY_CTX_new"},
123{ERR_FUNC(TS_F_TS_VERIFY_CTX_NEW), "TS_VERIFY_CTX_new"}, 123 {0, NULL}
124{0,NULL} 124};
125 };
126 125
127static ERR_STRING_DATA TS_str_reasons[]= 126static ERR_STRING_DATA TS_str_reasons[]= {
128 { 127 {ERR_REASON(TS_R_BAD_PKCS7_TYPE) , "bad pkcs7 type"},
129{ERR_REASON(TS_R_BAD_PKCS7_TYPE) ,"bad pkcs7 type"}, 128 {ERR_REASON(TS_R_BAD_TYPE) , "bad type"},
130{ERR_REASON(TS_R_BAD_TYPE) ,"bad type"}, 129 {ERR_REASON(TS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
131{ERR_REASON(TS_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"}, 130 {ERR_REASON(TS_R_COULD_NOT_SET_ENGINE) , "could not set engine"},
132{ERR_REASON(TS_R_COULD_NOT_SET_ENGINE) ,"could not set engine"}, 131 {ERR_REASON(TS_R_COULD_NOT_SET_TIME) , "could not set time"},
133{ERR_REASON(TS_R_COULD_NOT_SET_TIME) ,"could not set time"}, 132 {ERR_REASON(TS_R_D2I_TS_RESP_INT_FAILED) , "d2i ts resp int failed"},
134{ERR_REASON(TS_R_D2I_TS_RESP_INT_FAILED) ,"d2i ts resp int failed"}, 133 {ERR_REASON(TS_R_DETACHED_CONTENT) , "detached content"},
135{ERR_REASON(TS_R_DETACHED_CONTENT) ,"detached content"}, 134 {ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR), "ess add signing cert error"},
136{ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR),"ess add signing cert error"}, 135 {ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR), "ess signing certificate error"},
137{ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR),"ess signing certificate error"}, 136 {ERR_REASON(TS_R_INVALID_NULL_POINTER) , "invalid null pointer"},
138{ERR_REASON(TS_R_INVALID_NULL_POINTER) ,"invalid null pointer"}, 137 {ERR_REASON(TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE), "invalid signer certificate purpose"},
139{ERR_REASON(TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE),"invalid signer certificate purpose"}, 138 {ERR_REASON(TS_R_MESSAGE_IMPRINT_MISMATCH), "message imprint mismatch"},
140{ERR_REASON(TS_R_MESSAGE_IMPRINT_MISMATCH),"message imprint mismatch"}, 139 {ERR_REASON(TS_R_NONCE_MISMATCH) , "nonce mismatch"},
141{ERR_REASON(TS_R_NONCE_MISMATCH) ,"nonce mismatch"}, 140 {ERR_REASON(TS_R_NONCE_NOT_RETURNED) , "nonce not returned"},
142{ERR_REASON(TS_R_NONCE_NOT_RETURNED) ,"nonce not returned"}, 141 {ERR_REASON(TS_R_NO_CONTENT) , "no content"},
143{ERR_REASON(TS_R_NO_CONTENT) ,"no content"}, 142 {ERR_REASON(TS_R_NO_TIME_STAMP_TOKEN) , "no time stamp token"},
144{ERR_REASON(TS_R_NO_TIME_STAMP_TOKEN) ,"no time stamp token"}, 143 {ERR_REASON(TS_R_PKCS7_ADD_SIGNATURE_ERROR), "pkcs7 add signature error"},
145{ERR_REASON(TS_R_PKCS7_ADD_SIGNATURE_ERROR),"pkcs7 add signature error"}, 144 {ERR_REASON(TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR), "pkcs7 add signed attr error"},
146{ERR_REASON(TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR),"pkcs7 add signed attr error"}, 145 {ERR_REASON(TS_R_PKCS7_TO_TS_TST_INFO_FAILED), "pkcs7 to ts tst info failed"},
147{ERR_REASON(TS_R_PKCS7_TO_TS_TST_INFO_FAILED),"pkcs7 to ts tst info failed"}, 146 {ERR_REASON(TS_R_POLICY_MISMATCH) , "policy mismatch"},
148{ERR_REASON(TS_R_POLICY_MISMATCH) ,"policy mismatch"}, 147 {ERR_REASON(TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"},
149{ERR_REASON(TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"}, 148 {ERR_REASON(TS_R_RESPONSE_SETUP_ERROR) , "response setup error"},
150{ERR_REASON(TS_R_RESPONSE_SETUP_ERROR) ,"response setup error"}, 149 {ERR_REASON(TS_R_SIGNATURE_FAILURE) , "signature failure"},
151{ERR_REASON(TS_R_SIGNATURE_FAILURE) ,"signature failure"}, 150 {ERR_REASON(TS_R_THERE_MUST_BE_ONE_SIGNER), "there must be one signer"},
152{ERR_REASON(TS_R_THERE_MUST_BE_ONE_SIGNER),"there must be one signer"}, 151 {ERR_REASON(TS_R_TIME_SYSCALL_ERROR) , "time syscall error"},
153{ERR_REASON(TS_R_TIME_SYSCALL_ERROR) ,"time syscall error"}, 152 {ERR_REASON(TS_R_TOKEN_NOT_PRESENT) , "token not present"},
154{ERR_REASON(TS_R_TOKEN_NOT_PRESENT) ,"token not present"}, 153 {ERR_REASON(TS_R_TOKEN_PRESENT) , "token present"},
155{ERR_REASON(TS_R_TOKEN_PRESENT) ,"token present"}, 154 {ERR_REASON(TS_R_TSA_NAME_MISMATCH) , "tsa name mismatch"},
156{ERR_REASON(TS_R_TSA_NAME_MISMATCH) ,"tsa name mismatch"}, 155 {ERR_REASON(TS_R_TSA_UNTRUSTED) , "tsa untrusted"},
157{ERR_REASON(TS_R_TSA_UNTRUSTED) ,"tsa untrusted"}, 156 {ERR_REASON(TS_R_TST_INFO_SETUP_ERROR) , "tst info setup error"},
158{ERR_REASON(TS_R_TST_INFO_SETUP_ERROR) ,"tst info setup error"}, 157 {ERR_REASON(TS_R_TS_DATASIGN) , "ts datasign"},
159{ERR_REASON(TS_R_TS_DATASIGN) ,"ts datasign"}, 158 {ERR_REASON(TS_R_UNACCEPTABLE_POLICY) , "unacceptable policy"},
160{ERR_REASON(TS_R_UNACCEPTABLE_POLICY) ,"unacceptable policy"}, 159 {ERR_REASON(TS_R_UNSUPPORTED_MD_ALGORITHM), "unsupported md algorithm"},
161{ERR_REASON(TS_R_UNSUPPORTED_MD_ALGORITHM),"unsupported md algorithm"}, 160 {ERR_REASON(TS_R_UNSUPPORTED_VERSION) , "unsupported version"},
162{ERR_REASON(TS_R_UNSUPPORTED_VERSION) ,"unsupported version"}, 161 {ERR_REASON(TS_R_WRONG_CONTENT_TYPE) , "wrong content type"},
163{ERR_REASON(TS_R_WRONG_CONTENT_TYPE) ,"wrong content type"}, 162 {0, NULL}
164{0,NULL} 163};
165 };
166 164
167#endif 165#endif
168 166
169void ERR_load_TS_strings(void) 167void
170 { 168ERR_load_TS_strings(void)
169{
171#ifndef OPENSSL_NO_ERR 170#ifndef OPENSSL_NO_ERR
172 171 if (ERR_func_error_string(TS_str_functs[0].error) == NULL) {
173 if (ERR_func_error_string(TS_str_functs[0].error) == NULL) 172 ERR_load_strings(0, TS_str_functs);
174 { 173 ERR_load_strings(0, TS_str_reasons);
175 ERR_load_strings(0,TS_str_functs);
176 ERR_load_strings(0,TS_str_reasons);
177 }
178#endif
179 } 174 }
175#endif
176}
diff --git a/src/lib/libcrypto/ts/ts_lib.c b/src/lib/libcrypto/ts/ts_lib.c
index a8de801e28..81a5f23cd5 100644
--- a/src/lib/libcrypto/ts/ts_lib.c
+++ b/src/lib/libcrypto/ts/ts_lib.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -67,27 +67,28 @@
67 67
68/* Function definitions. */ 68/* Function definitions. */
69 69
70int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num) 70int
71 { 71TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num)
72{
72 BIGNUM num_bn; 73 BIGNUM num_bn;
73 int result = 0; 74 int result = 0;
74 char *hex; 75 char *hex;
75 76
76 BN_init(&num_bn); 77 BN_init(&num_bn);
77 ASN1_INTEGER_to_BN(num, &num_bn); 78 ASN1_INTEGER_to_BN(num, &num_bn);
78 if ((hex = BN_bn2hex(&num_bn))) 79 if ((hex = BN_bn2hex(&num_bn))) {
79 {
80 result = BIO_write(bio, "0x", 2) > 0; 80 result = BIO_write(bio, "0x", 2) > 0;
81 result = result && BIO_write(bio, hex, strlen(hex)) > 0; 81 result = result && BIO_write(bio, hex, strlen(hex)) > 0;
82 free(hex); 82 free(hex);
83 } 83 }
84 BN_free(&num_bn); 84 BN_free(&num_bn);
85 85
86 return result; 86 return result;
87 } 87}
88 88
89int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj) 89int
90 { 90TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
91{
91 char obj_txt[128]; 92 char obj_txt[128];
92 93
93 int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); 94 int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
@@ -95,51 +96,53 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
95 BIO_write(bio, "\n", 1); 96 BIO_write(bio, "\n", 1);
96 97
97 return 1; 98 return 1;
98 } 99}
99 100
100int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions) 101int
101 { 102TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions)
103{
102 int i, critical, n; 104 int i, critical, n;
103 X509_EXTENSION *ex; 105 X509_EXTENSION *ex;
104 ASN1_OBJECT *obj; 106 ASN1_OBJECT *obj;
105 107
106 BIO_printf(bio, "Extensions:\n"); 108 BIO_printf(bio, "Extensions:\n");
107 n = X509v3_get_ext_count(extensions); 109 n = X509v3_get_ext_count(extensions);
108 for (i = 0; i < n; i++) 110 for (i = 0; i < n; i++) {
109 {
110 ex = X509v3_get_ext(extensions, i); 111 ex = X509v3_get_ext(extensions, i);
111 obj = X509_EXTENSION_get_object(ex); 112 obj = X509_EXTENSION_get_object(ex);
112 i2a_ASN1_OBJECT(bio, obj); 113 i2a_ASN1_OBJECT(bio, obj);
113 critical = X509_EXTENSION_get_critical(ex); 114 critical = X509_EXTENSION_get_critical(ex);
114 BIO_printf(bio, ": %s\n", critical ? "critical" : ""); 115 BIO_printf(bio, ": %s\n", critical ? "critical" : "");
115 if (!X509V3_EXT_print(bio, ex, 0, 4)) 116 if (!X509V3_EXT_print(bio, ex, 0, 4)) {
116 {
117 BIO_printf(bio, "%4s", ""); 117 BIO_printf(bio, "%4s", "");
118 M_ASN1_OCTET_STRING_print(bio, ex->value); 118 M_ASN1_OCTET_STRING_print(bio, ex->value);
119 }
120 BIO_write(bio, "\n", 1);
121 } 119 }
120 BIO_write(bio, "\n", 1);
121 }
122 122
123 return 1; 123 return 1;
124 } 124}
125 125
126int TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg) 126int
127 { 127TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg)
128{
128 int i = OBJ_obj2nid(alg->algorithm); 129 int i = OBJ_obj2nid(alg->algorithm);
130
129 return BIO_printf(bio, "Hash Algorithm: %s\n", 131 return BIO_printf(bio, "Hash Algorithm: %s\n",
130 (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i)); 132 (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
131 } 133}
132 134
133int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a) 135int
134 { 136TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a)
137{
135 const ASN1_OCTET_STRING *msg; 138 const ASN1_OCTET_STRING *msg;
136 139
137 TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a)); 140 TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a));
138 141
139 BIO_printf(bio, "Message data:\n"); 142 BIO_printf(bio, "Message data:\n");
140 msg = TS_MSG_IMPRINT_get_msg(a); 143 msg = TS_MSG_IMPRINT_get_msg(a);
141 BIO_dump_indent(bio, (const char *)M_ASN1_STRING_data(msg), 144 BIO_dump_indent(bio, (const char *)M_ASN1_STRING_data(msg),
142 M_ASN1_STRING_length(msg), 4); 145 M_ASN1_STRING_length(msg), 4);
143 146
144 return 1; 147 return 1;
145 } 148}
diff --git a/src/lib/libcrypto/ts/ts_req_print.c b/src/lib/libcrypto/ts/ts_req_print.c
index eba12c3824..53bf0c8eb8 100644
--- a/src/lib/libcrypto/ts/ts_req_print.c
+++ b/src/lib/libcrypto/ts/ts_req_print.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -65,13 +65,15 @@
65 65
66/* Function definitions. */ 66/* Function definitions. */
67 67
68int TS_REQ_print_bio(BIO *bio, TS_REQ *a) 68int
69 { 69TS_REQ_print_bio(BIO *bio, TS_REQ *a)
70{
70 int v; 71 int v;
71 ASN1_OBJECT *policy_id; 72 ASN1_OBJECT *policy_id;
72 const ASN1_INTEGER *nonce; 73 const ASN1_INTEGER *nonce;
73 74
74 if (a == NULL) return 0; 75 if (a == NULL)
76 return 0;
75 77
76 v = TS_REQ_get_version(a); 78 v = TS_REQ_get_version(a);
77 BIO_printf(bio, "Version: %d\n", v); 79 BIO_printf(bio, "Version: %d\n", v);
@@ -82,7 +84,7 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a)
82 policy_id = TS_REQ_get_policy_id(a); 84 policy_id = TS_REQ_get_policy_id(a);
83 if (policy_id == NULL) 85 if (policy_id == NULL)
84 BIO_printf(bio, "unspecified\n"); 86 BIO_printf(bio, "unspecified\n");
85 else 87 else
86 TS_OBJ_print_bio(bio, policy_id); 88 TS_OBJ_print_bio(bio, policy_id);
87 89
88 BIO_printf(bio, "Nonce: "); 90 BIO_printf(bio, "Nonce: ");
@@ -93,10 +95,10 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a)
93 TS_ASN1_INTEGER_print_bio(bio, nonce); 95 TS_ASN1_INTEGER_print_bio(bio, nonce);
94 BIO_write(bio, "\n", 1); 96 BIO_write(bio, "\n", 1);
95 97
96 BIO_printf(bio, "Certificate required: %s\n", 98 BIO_printf(bio, "Certificate required: %s\n",
97 TS_REQ_get_cert_req(a) ? "yes" : "no"); 99 TS_REQ_get_cert_req(a) ? "yes" : "no");
98 100
99 TS_ext_print_bio(bio, TS_REQ_get_exts(a)); 101 TS_ext_print_bio(bio, TS_REQ_get_exts(a));
100 102
101 return 1; 103 return 1;
102 } 104}
diff --git a/src/lib/libcrypto/ts/ts_req_utils.c b/src/lib/libcrypto/ts/ts_req_utils.c
index 43280c1587..7518d7ab78 100644
--- a/src/lib/libcrypto/ts/ts_req_utils.c
+++ b/src/lib/libcrypto/ts/ts_req_utils.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,173 +62,193 @@
62#include <openssl/x509v3.h> 62#include <openssl/x509v3.h>
63#include <openssl/ts.h> 63#include <openssl/ts.h>
64 64
65int TS_REQ_set_version(TS_REQ *a, long version) 65int
66 { 66TS_REQ_set_version(TS_REQ *a, long version)
67{
67 return ASN1_INTEGER_set(a->version, version); 68 return ASN1_INTEGER_set(a->version, version);
68 } 69}
69 70
70long TS_REQ_get_version(const TS_REQ *a) 71long
71 { 72TS_REQ_get_version(const TS_REQ *a)
73{
72 return ASN1_INTEGER_get(a->version); 74 return ASN1_INTEGER_get(a->version);
73 } 75}
74 76
75int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint) 77int
76 { 78TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint)
79{
77 TS_MSG_IMPRINT *new_msg_imprint; 80 TS_MSG_IMPRINT *new_msg_imprint;
78 81
79 if (a->msg_imprint == msg_imprint) 82 if (a->msg_imprint == msg_imprint)
80 return 1; 83 return 1;
81 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint); 84 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint);
82 if (new_msg_imprint == NULL) 85 if (new_msg_imprint == NULL) {
83 {
84 TSerr(TS_F_TS_REQ_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE); 86 TSerr(TS_F_TS_REQ_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE);
85 return 0; 87 return 0;
86 } 88 }
87 TS_MSG_IMPRINT_free(a->msg_imprint); 89 TS_MSG_IMPRINT_free(a->msg_imprint);
88 a->msg_imprint = new_msg_imprint; 90 a->msg_imprint = new_msg_imprint;
89 return 1; 91 return 1;
90 } 92}
91 93
92TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a) 94TS_MSG_IMPRINT *
93 { 95TS_REQ_get_msg_imprint(TS_REQ *a)
96{
94 return a->msg_imprint; 97 return a->msg_imprint;
95 } 98}
96 99
97int TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg) 100int
98 { 101TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg)
102{
99 X509_ALGOR *new_alg; 103 X509_ALGOR *new_alg;
100 104
101 if (a->hash_algo == alg) 105 if (a->hash_algo == alg)
102 return 1; 106 return 1;
103 new_alg = X509_ALGOR_dup(alg); 107 new_alg = X509_ALGOR_dup(alg);
104 if (new_alg == NULL) 108 if (new_alg == NULL) {
105 {
106 TSerr(TS_F_TS_MSG_IMPRINT_SET_ALGO, ERR_R_MALLOC_FAILURE); 109 TSerr(TS_F_TS_MSG_IMPRINT_SET_ALGO, ERR_R_MALLOC_FAILURE);
107 return 0; 110 return 0;
108 } 111 }
109 X509_ALGOR_free(a->hash_algo); 112 X509_ALGOR_free(a->hash_algo);
110 a->hash_algo = new_alg; 113 a->hash_algo = new_alg;
111 return 1; 114 return 1;
112 } 115}
113 116
114X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a) 117X509_ALGOR *
115 { 118TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a)
119{
116 return a->hash_algo; 120 return a->hash_algo;
117 } 121}
118 122
119int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len) 123int
120 { 124TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len)
125{
121 return ASN1_OCTET_STRING_set(a->hashed_msg, d, len); 126 return ASN1_OCTET_STRING_set(a->hashed_msg, d, len);
122 } 127}
123 128
124ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a) 129ASN1_OCTET_STRING *
125 { 130TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a)
131{
126 return a->hashed_msg; 132 return a->hashed_msg;
127 } 133}
128 134
129int TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy) 135int
130 { 136TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy)
137{
131 ASN1_OBJECT *new_policy; 138 ASN1_OBJECT *new_policy;
132 139
133 if (a->policy_id == policy) 140 if (a->policy_id == policy)
134 return 1; 141 return 1;
135 new_policy = OBJ_dup(policy); 142 new_policy = OBJ_dup(policy);
136 if (new_policy == NULL) 143 if (new_policy == NULL) {
137 {
138 TSerr(TS_F_TS_REQ_SET_POLICY_ID, ERR_R_MALLOC_FAILURE); 144 TSerr(TS_F_TS_REQ_SET_POLICY_ID, ERR_R_MALLOC_FAILURE);
139 return 0; 145 return 0;
140 } 146 }
141 ASN1_OBJECT_free(a->policy_id); 147 ASN1_OBJECT_free(a->policy_id);
142 a->policy_id = new_policy; 148 a->policy_id = new_policy;
143 return 1; 149 return 1;
144 } 150}
145 151
146ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a) 152ASN1_OBJECT *
147 { 153TS_REQ_get_policy_id(TS_REQ *a)
154{
148 return a->policy_id; 155 return a->policy_id;
149 } 156}
150 157
151int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce) 158int
152 { 159TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce)
160{
153 ASN1_INTEGER *new_nonce; 161 ASN1_INTEGER *new_nonce;
154 162
155 if (a->nonce == nonce) 163 if (a->nonce == nonce)
156 return 1; 164 return 1;
157 new_nonce = ASN1_INTEGER_dup(nonce); 165 new_nonce = ASN1_INTEGER_dup(nonce);
158 if (new_nonce == NULL) 166 if (new_nonce == NULL) {
159 {
160 TSerr(TS_F_TS_REQ_SET_NONCE, ERR_R_MALLOC_FAILURE); 167 TSerr(TS_F_TS_REQ_SET_NONCE, ERR_R_MALLOC_FAILURE);
161 return 0; 168 return 0;
162 } 169 }
163 ASN1_INTEGER_free(a->nonce); 170 ASN1_INTEGER_free(a->nonce);
164 a->nonce = new_nonce; 171 a->nonce = new_nonce;
165 return 1; 172 return 1;
166 } 173}
167 174
168const ASN1_INTEGER *TS_REQ_get_nonce(const TS_REQ *a) 175const ASN1_INTEGER *
169 { 176TS_REQ_get_nonce(const TS_REQ *a)
177{
170 return a->nonce; 178 return a->nonce;
171 } 179}
172 180
173int TS_REQ_set_cert_req(TS_REQ *a, int cert_req) 181int
174 { 182TS_REQ_set_cert_req(TS_REQ *a, int cert_req)
183{
175 a->cert_req = cert_req ? 0xFF : 0x00; 184 a->cert_req = cert_req ? 0xFF : 0x00;
176 return 1; 185 return 1;
177 } 186}
178 187
179int TS_REQ_get_cert_req(const TS_REQ *a) 188int
180 { 189TS_REQ_get_cert_req(const TS_REQ *a)
190{
181 return a->cert_req ? 1 : 0; 191 return a->cert_req ? 1 : 0;
182 } 192}
183 193
184STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a) 194STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a)
185 { 195{
186 return a->extensions; 196 return a->extensions;
187 } 197}
188 198
189void TS_REQ_ext_free(TS_REQ *a) 199void
190 { 200TS_REQ_ext_free(TS_REQ *a)
191 if (!a) return; 201{
202 if (!a)
203 return;
192 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free); 204 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free);
193 a->extensions = NULL; 205 a->extensions = NULL;
194 } 206}
195 207
196int TS_REQ_get_ext_count(TS_REQ *a) 208int
197 { 209TS_REQ_get_ext_count(TS_REQ *a)
210{
198 return X509v3_get_ext_count(a->extensions); 211 return X509v3_get_ext_count(a->extensions);
199 } 212}
200 213
201int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos) 214int
202 { 215TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos)
216{
203 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos); 217 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos);
204 } 218}
205 219
206int TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos) 220int
207 { 221TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos)
222{
208 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos); 223 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos);
209 } 224}
210 225
211int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos) 226int
212 { 227TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos)
228{
213 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos); 229 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
214 } 230}
215 231
216X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc) 232X509_EXTENSION *
217 { 233TS_REQ_get_ext(TS_REQ *a, int loc)
218 return X509v3_get_ext(a->extensions,loc); 234{
219 } 235 return X509v3_get_ext(a->extensions, loc);
220 236}
221X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc) 237
222 { 238X509_EXTENSION *
223 return X509v3_delete_ext(a->extensions,loc); 239TS_REQ_delete_ext(TS_REQ *a, int loc)
224 } 240{
225 241 return X509v3_delete_ext(a->extensions, loc);
226int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc) 242}
227 { 243
228 return X509v3_add_ext(&a->extensions,ex,loc) != NULL; 244int
229 } 245TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc)
230 246{
231void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx) 247 return X509v3_add_ext(&a->extensions, ex, loc) != NULL;
232 { 248}
249
250void *
251TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx)
252{
233 return X509V3_get_d2i(a->extensions, nid, crit, idx); 253 return X509V3_get_d2i(a->extensions, nid, crit, idx);
234 } 254}
diff --git a/src/lib/libcrypto/ts/ts_rsp_print.c b/src/lib/libcrypto/ts/ts_rsp_print.c
index 21062517ba..248674f4e5 100644
--- a/src/lib/libcrypto/ts/ts_rsp_print.c
+++ b/src/lib/libcrypto/ts/ts_rsp_print.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -63,22 +63,22 @@
63#include <openssl/x509v3.h> 63#include <openssl/x509v3.h>
64#include "ts.h" 64#include "ts.h"
65 65
66struct status_map_st 66struct status_map_st {
67 {
68 int bit; 67 int bit;
69 const char *text; 68 const char *text;
70 }; 69};
71 70
72/* Local function declarations. */ 71/* Local function declarations. */
73 72
74static int TS_status_map_print(BIO *bio, struct status_map_st *a, 73static int TS_status_map_print(BIO *bio, struct status_map_st *a,
75 ASN1_BIT_STRING *v); 74 ASN1_BIT_STRING *v);
76static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy); 75static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy);
77 76
78/* Function definitions. */ 77/* Function definitions. */
79 78
80int TS_RESP_print_bio(BIO *bio, TS_RESP *a) 79int
81 { 80TS_RESP_print_bio(BIO *bio, TS_RESP *a)
81{
82 TS_TST_INFO *tst_info; 82 TS_TST_INFO *tst_info;
83 83
84 BIO_printf(bio, "Status info:\n"); 84 BIO_printf(bio, "Status info:\n");
@@ -90,98 +90,111 @@ int TS_RESP_print_bio(BIO *bio, TS_RESP *a)
90 TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a)); 90 TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a));
91 else 91 else
92 BIO_printf(bio, "Not included.\n"); 92 BIO_printf(bio, "Not included.\n");
93 93
94 return 1; 94 return 1;
95 } 95}
96 96
97int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a) 97int
98 { 98TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
99 static const char *status_map[] = 99{
100 { 100 static const char *status_map[] = {
101 "Granted.", 101 "Granted.",
102 "Granted with modifications.", 102 "Granted with modifications.",
103 "Rejected.", 103 "Rejected.",
104 "Waiting.", 104 "Waiting.",
105 "Revocation warning.", 105 "Revocation warning.",
106 "Revoked." 106 "Revoked."
107 }; 107 };
108 static struct status_map_st failure_map[] = 108 static struct status_map_st failure_map[] = {
109 {
110 TS_INFO_BAD_ALG,
111 "unrecognized or unsupported algorithm identifier"
112 },
113 {
114 TS_INFO_BAD_REQUEST,
115 "transaction not permitted or supported"
116 },
109 { 117 {
110 { TS_INFO_BAD_ALG, 118 TS_INFO_BAD_DATA_FORMAT,
111 "unrecognized or unsupported algorithm identifier" }, 119 "the data submitted has the wrong format"
112 { TS_INFO_BAD_REQUEST, 120 },
113 "transaction not permitted or supported" }, 121 {
114 { TS_INFO_BAD_DATA_FORMAT, 122 TS_INFO_TIME_NOT_AVAILABLE,
115 "the data submitted has the wrong format" }, 123 "the TSA's time source is not available"
116 { TS_INFO_TIME_NOT_AVAILABLE, 124 },
117 "the TSA's time source is not available" }, 125 {
118 { TS_INFO_UNACCEPTED_POLICY, 126 TS_INFO_UNACCEPTED_POLICY,
119 "the requested TSA policy is not supported by the TSA" }, 127 "the requested TSA policy is not supported by the TSA"
120 { TS_INFO_UNACCEPTED_EXTENSION, 128 },
121 "the requested extension is not supported by the TSA" }, 129 {
122 { TS_INFO_ADD_INFO_NOT_AVAILABLE, 130 TS_INFO_UNACCEPTED_EXTENSION,
123 "the additional information requested could not be understood " 131 "the requested extension is not supported by the TSA"
124 "or is not available" }, 132 },
125 { TS_INFO_SYSTEM_FAILURE, 133 {
126 "the request cannot be handled due to system failure" }, 134 TS_INFO_ADD_INFO_NOT_AVAILABLE,
135 "the additional information requested could not be understood "
136 "or is not available"
137 },
138 {
139 TS_INFO_SYSTEM_FAILURE,
140 "the request cannot be handled due to system failure"
141 },
127 { -1, NULL } 142 { -1, NULL }
128 }; 143 };
129 long status; 144 long status;
130 int i, lines = 0; 145 int i, lines = 0;
131 146
132 /* Printing status code. */ 147 /* Printing status code. */
133 BIO_printf(bio, "Status: "); 148 BIO_printf(bio, "Status: ");
134 status = ASN1_INTEGER_get(a->status); 149 status = ASN1_INTEGER_get(a->status);
135 if (0 <= status && status < (long)(sizeof(status_map)/sizeof(status_map[0]))) 150 if (0 <= status &&
151 status < (long)(sizeof(status_map) / sizeof(status_map[0])))
136 BIO_printf(bio, "%s\n", status_map[status]); 152 BIO_printf(bio, "%s\n", status_map[status]);
137 else 153 else
138 BIO_printf(bio, "out of bounds\n"); 154 BIO_printf(bio, "out of bounds\n");
139 155
140 /* Printing status description. */ 156 /* Printing status description. */
141 BIO_printf(bio, "Status description: "); 157 BIO_printf(bio, "Status description: ");
142 for (i = 0; i < sk_ASN1_UTF8STRING_num(a->text); ++i) 158 for (i = 0; i < sk_ASN1_UTF8STRING_num(a->text); ++i) {
143 {
144 if (i > 0) 159 if (i > 0)
145 BIO_puts(bio, "\t"); 160 BIO_puts(bio, "\t");
146 ASN1_STRING_print_ex(bio, sk_ASN1_UTF8STRING_value(a->text, i), 161 ASN1_STRING_print_ex(bio, sk_ASN1_UTF8STRING_value(a->text, i),
147 0); 162 0);
148 BIO_puts(bio, "\n"); 163 BIO_puts(bio, "\n");
149 } 164 }
150 if (i == 0) 165 if (i == 0)
151 BIO_printf(bio, "unspecified\n"); 166 BIO_printf(bio, "unspecified\n");
152 167
153 /* Printing failure information. */ 168 /* Printing failure information. */
154 BIO_printf(bio, "Failure info: "); 169 BIO_printf(bio, "Failure info: ");
155 if (a->failure_info != NULL) 170 if (a->failure_info != NULL)
156 lines = TS_status_map_print(bio, failure_map, 171 lines = TS_status_map_print(bio, failure_map, a->failure_info);
157 a->failure_info);
158 if (lines == 0) 172 if (lines == 0)
159 BIO_printf(bio, "unspecified"); 173 BIO_printf(bio, "unspecified");
160 BIO_printf(bio, "\n"); 174 BIO_printf(bio, "\n");
161 175
162 return 1; 176 return 1;
163 } 177}
164 178
165static int TS_status_map_print(BIO *bio, struct status_map_st *a, 179static int
166 ASN1_BIT_STRING *v) 180TS_status_map_print(BIO *bio, struct status_map_st *a, ASN1_BIT_STRING *v)
167 { 181{
168 int lines = 0; 182 int lines = 0;
169 183
170 for (; a->bit >= 0; ++a) 184 for (; a->bit >= 0; ++a) {
171 { 185 if (ASN1_BIT_STRING_get_bit(v, a->bit)) {
172 if (ASN1_BIT_STRING_get_bit(v, a->bit))
173 {
174 if (++lines > 1) 186 if (++lines > 1)
175 BIO_printf(bio, ", "); 187 BIO_printf(bio, ", ");
176 BIO_printf(bio, "%s", a->text); 188 BIO_printf(bio, "%s", a->text);
177 }
178 } 189 }
190 }
179 191
180 return lines; 192 return lines;
181 } 193}
182 194
183int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a) 195int
184 { 196TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
197{
185 int v; 198 int v;
186 ASN1_OBJECT *policy_id; 199 ASN1_OBJECT *policy_id;
187 const ASN1_INTEGER *serial; 200 const ASN1_INTEGER *serial;
@@ -190,7 +203,8 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
190 const ASN1_INTEGER *nonce; 203 const ASN1_INTEGER *nonce;
191 GENERAL_NAME *tsa_name; 204 GENERAL_NAME *tsa_name;
192 205
193 if (a == NULL) return 0; 206 if (a == NULL)
207 return 0;
194 208
195 /* Print version. */ 209 /* Print version. */
196 v = TS_TST_INFO_get_version(a); 210 v = TS_TST_INFO_get_version(a);
@@ -229,8 +243,8 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
229 BIO_write(bio, "\n", 1); 243 BIO_write(bio, "\n", 1);
230 244
231 /* Print ordering. */ 245 /* Print ordering. */
232 BIO_printf(bio, "Ordering: %s\n", 246 BIO_printf(bio, "Ordering: %s\n",
233 TS_TST_INFO_get_ordering(a) ? "yes" : "no"); 247 TS_TST_INFO_get_ordering(a) ? "yes" : "no");
234 248
235 /* Print nonce. */ 249 /* Print nonce. */
236 BIO_printf(bio, "Nonce: "); 250 BIO_printf(bio, "Nonce: ");
@@ -246,23 +260,23 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
246 tsa_name = TS_TST_INFO_get_tsa(a); 260 tsa_name = TS_TST_INFO_get_tsa(a);
247 if (tsa_name == NULL) 261 if (tsa_name == NULL)
248 BIO_printf(bio, "unspecified"); 262 BIO_printf(bio, "unspecified");
249 else 263 else {
250 {
251 STACK_OF(CONF_VALUE) *nval; 264 STACK_OF(CONF_VALUE) *nval;
252 if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL))) 265 if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL)))
253 X509V3_EXT_val_prn(bio, nval, 0, 0); 266 X509V3_EXT_val_prn(bio, nval, 0, 0);
254 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); 267 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
255 } 268 }
256 BIO_write(bio, "\n", 1); 269 BIO_write(bio, "\n", 1);
257 270
258 /* Print extensions. */ 271 /* Print extensions. */
259 TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a)); 272 TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a));
260 273
261 return 1; 274 return 1;
262 } 275}
263 276
264static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy) 277static int
265 { 278TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy)
279{
266 const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy); 280 const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy);
267 const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy); 281 const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy);
268 const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy); 282 const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy);
@@ -284,4 +298,4 @@ static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy)
284 BIO_printf(bio, " micros"); 298 BIO_printf(bio, " micros");
285 299
286 return 1; 300 return 1;
287 } 301}
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index 17f81b4a35..71530d7f24 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -76,102 +76,107 @@ static void TS_RESP_CTX_init(TS_RESP_CTX *ctx);
76static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx); 76static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx);
77static int TS_RESP_check_request(TS_RESP_CTX *ctx); 77static int TS_RESP_check_request(TS_RESP_CTX *ctx);
78static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx); 78static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx);
79static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx, 79static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
80 ASN1_OBJECT *policy); 80 ASN1_OBJECT *policy);
81static int TS_RESP_process_extensions(TS_RESP_CTX *ctx); 81static int TS_RESP_process_extensions(TS_RESP_CTX *ctx);
82static int TS_RESP_sign(TS_RESP_CTX *ctx); 82static int TS_RESP_sign(TS_RESP_CTX *ctx);
83 83
84static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, 84static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert,
85 STACK_OF(X509) *certs); 85 STACK_OF(X509) *certs);
86static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed); 86static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
87static int TS_TST_INFO_content_new(PKCS7 *p7); 87static int TS_TST_INFO_content_new(PKCS7 *p7);
88static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); 88static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
89 89
90static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision( 90static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
91 ASN1_GENERALIZEDTIME *, long, long, unsigned); 91 ASN1_GENERALIZEDTIME *, long, long, unsigned);
92 92
93/* Default callbacks for response generation. */ 93/* Default callbacks for response generation. */
94 94
95static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data) 95static ASN1_INTEGER *
96 { 96def_serial_cb(struct TS_resp_ctx *ctx, void *data)
97{
97 ASN1_INTEGER *serial = ASN1_INTEGER_new(); 98 ASN1_INTEGER *serial = ASN1_INTEGER_new();
98 if (!serial) goto err; 99
99 if (!ASN1_INTEGER_set(serial, 1)) goto err; 100 if (!serial)
101 goto err;
102 if (!ASN1_INTEGER_set(serial, 1))
103 goto err;
100 return serial; 104 return serial;
101 err: 105
106err:
102 TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE); 107 TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE);
103 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 108 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
104 "Error during serial number generation."); 109 "Error during serial number generation.");
105 return NULL; 110 return NULL;
106 } 111}
107 112
108#if defined(OPENSSL_SYS_UNIX) 113#if defined(OPENSSL_SYS_UNIX)
109 114
110/* Use the gettimeofday function call. */ 115/* Use the gettimeofday function call. */
111static int def_time_cb(struct TS_resp_ctx *ctx, void *data, 116static int
112 long *sec, long *usec) 117def_time_cb(struct TS_resp_ctx *ctx, void *data, long *sec, long *usec)
113 { 118{
114 struct timeval tv; 119 struct timeval tv;
115 if (gettimeofday(&tv, NULL) != 0) 120
116 { 121 if (gettimeofday(&tv, NULL) != 0) {
117 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR); 122 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR);
118 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 123 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
119 "Time is not available."); 124 "Time is not available.");
120 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE); 125 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
121 return 0; 126 return 0;
122 } 127 }
123 /* Return time to caller. */ 128 /* Return time to caller. */
124 *sec = tv.tv_sec; 129 *sec = tv.tv_sec;
125 *usec = tv.tv_usec; 130 *usec = tv.tv_usec;
126 131
127 return 1; 132 return 1;
128 } 133}
129 134
130#else 135#else
131 136
132/* Use the time function call that provides only seconds precision. */ 137/* Use the time function call that provides only seconds precision. */
133static int def_time_cb(struct TS_resp_ctx *ctx, void *data, 138static int
134 long *sec, long *usec) 139def_time_cb(struct TS_resp_ctx *ctx, void *data, long *sec, long *usec)
135 { 140{
136 time_t t; 141 time_t t;
137 if (time(&t) == (time_t) -1) 142
138 { 143 if (time(&t) == (time_t) - 1) {
139 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR); 144 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR);
140 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 145 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
141 "Time is not available."); 146 "Time is not available.");
142 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE); 147 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
143 return 0; 148 return 0;
144 } 149 }
145 /* Return time to caller, only second precision. */ 150 /* Return time to caller, only second precision. */
146 *sec = (long) t; 151 *sec = (long) t;
147 *usec = 0; 152 *usec = 0;
148 153
149 return 1; 154 return 1;
150 } 155}
151 156
152#endif 157#endif
153 158
154static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext, 159static int
155 void *data) 160def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext, void *data)
156 { 161{
157 /* No extensions are processed here. */ 162 /* No extensions are processed here. */
158 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 163 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
159 "Unsupported extension."); 164 "Unsupported extension.");
160 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION); 165 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION);
161 return 0; 166 return 0;
162 } 167}
163 168
164/* TS_RESP_CTX management functions. */ 169/* TS_RESP_CTX management functions. */
165 170
166TS_RESP_CTX *TS_RESP_CTX_new() 171TS_RESP_CTX *
167 { 172TS_RESP_CTX_new()
173{
168 TS_RESP_CTX *ctx; 174 TS_RESP_CTX *ctx;
169 175
170 if (!(ctx = (TS_RESP_CTX *) malloc(sizeof(TS_RESP_CTX)))) 176 if (!(ctx = (TS_RESP_CTX *) malloc(sizeof(TS_RESP_CTX)))) {
171 {
172 TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE); 177 TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE);
173 return NULL; 178 return NULL;
174 } 179 }
175 memset(ctx, 0, sizeof(TS_RESP_CTX)); 180 memset(ctx, 0, sizeof(TS_RESP_CTX));
176 181
177 /* Setting default callbacks. */ 182 /* Setting default callbacks. */
@@ -180,11 +185,13 @@ TS_RESP_CTX *TS_RESP_CTX_new()
180 ctx->extension_cb = def_extension_cb; 185 ctx->extension_cb = def_extension_cb;
181 186
182 return ctx; 187 return ctx;
183 } 188}
184 189
185void TS_RESP_CTX_free(TS_RESP_CTX *ctx) 190void
186 { 191TS_RESP_CTX_free(TS_RESP_CTX *ctx)
187 if (!ctx) return; 192{
193 if (!ctx)
194 return;
188 195
189 X509_free(ctx->signer_cert); 196 X509_free(ctx->signer_cert);
190 EVP_PKEY_free(ctx->signer_key); 197 EVP_PKEY_free(ctx->signer_key);
@@ -196,95 +203,108 @@ void TS_RESP_CTX_free(TS_RESP_CTX *ctx)
196 ASN1_INTEGER_free(ctx->millis); 203 ASN1_INTEGER_free(ctx->millis);
197 ASN1_INTEGER_free(ctx->micros); 204 ASN1_INTEGER_free(ctx->micros);
198 free(ctx); 205 free(ctx);
199 } 206}
200 207
201int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer) 208int
202 { 209TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer)
203 if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1) 210{
204 { 211 if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1) {
205 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT, 212 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
206 TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE); 213 TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
207 return 0; 214 return 0;
208 } 215 }
209 if (ctx->signer_cert) X509_free(ctx->signer_cert); 216 if (ctx->signer_cert)
217 X509_free(ctx->signer_cert);
210 ctx->signer_cert = signer; 218 ctx->signer_cert = signer;
211 CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509); 219 CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509);
212 return 1; 220 return 1;
213 } 221}
214 222
215int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key) 223int
216 { 224TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
217 if (ctx->signer_key) EVP_PKEY_free(ctx->signer_key); 225{
226 if (ctx->signer_key)
227 EVP_PKEY_free(ctx->signer_key);
218 ctx->signer_key = key; 228 ctx->signer_key = key;
219 CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY); 229 CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY);
220 230
221 return 1; 231 return 1;
222 } 232}
223 233
224int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy) 234int
225 { 235TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy)
226 if (ctx->default_policy) ASN1_OBJECT_free(ctx->default_policy); 236{
227 if (!(ctx->default_policy = OBJ_dup(def_policy))) goto err; 237 if (ctx->default_policy)
238 ASN1_OBJECT_free(ctx->default_policy);
239 if (!(ctx->default_policy = OBJ_dup(def_policy)))
240 goto err;
228 return 1; 241 return 1;
229 err: 242
243err:
230 TSerr(TS_F_TS_RESP_CTX_SET_DEF_POLICY, ERR_R_MALLOC_FAILURE); 244 TSerr(TS_F_TS_RESP_CTX_SET_DEF_POLICY, ERR_R_MALLOC_FAILURE);
231 return 0; 245 return 0;
232 } 246}
233 247
234int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs) 248int
235 { 249TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs)
250{
236 int i; 251 int i;
237 252
238 if (ctx->certs) 253 if (ctx->certs) {
239 {
240 sk_X509_pop_free(ctx->certs, X509_free); 254 sk_X509_pop_free(ctx->certs, X509_free);
241 ctx->certs = NULL; 255 ctx->certs = NULL;
242 } 256 }
243 if (!certs) return 1; 257 if (!certs)
244 if (!(ctx->certs = sk_X509_dup(certs))) 258 return 1;
245 { 259 if (!(ctx->certs = sk_X509_dup(certs))) {
246 TSerr(TS_F_TS_RESP_CTX_SET_CERTS, ERR_R_MALLOC_FAILURE); 260 TSerr(TS_F_TS_RESP_CTX_SET_CERTS, ERR_R_MALLOC_FAILURE);
247 return 0; 261 return 0;
248 } 262 }
249 for (i = 0; i < sk_X509_num(ctx->certs); ++i) 263 for (i = 0; i < sk_X509_num(ctx->certs); ++i) {
250 {
251 X509 *cert = sk_X509_value(ctx->certs, i); 264 X509 *cert = sk_X509_value(ctx->certs, i);
252 CRYPTO_add(&cert->references, +1, CRYPTO_LOCK_X509); 265 CRYPTO_add(&cert->references, +1, CRYPTO_LOCK_X509);
253 } 266 }
254 267
255 return 1; 268 return 1;
256 } 269}
257 270
258int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy) 271int
259 { 272TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
273{
260 ASN1_OBJECT *copy = NULL; 274 ASN1_OBJECT *copy = NULL;
261 275
262 /* Create new policy stack if necessary. */ 276 /* Create new policy stack if necessary. */
263 if (!ctx->policies && !(ctx->policies = sk_ASN1_OBJECT_new_null())) 277 if (!ctx->policies && !(ctx->policies = sk_ASN1_OBJECT_new_null()))
278 goto err;
279 if (!(copy = OBJ_dup(policy)))
280 goto err;
281 if (!sk_ASN1_OBJECT_push(ctx->policies, copy))
264 goto err; 282 goto err;
265 if (!(copy = OBJ_dup(policy))) goto err;
266 if (!sk_ASN1_OBJECT_push(ctx->policies, copy)) goto err;
267 283
268 return 1; 284 return 1;
269 err: 285
286err:
270 TSerr(TS_F_TS_RESP_CTX_ADD_POLICY, ERR_R_MALLOC_FAILURE); 287 TSerr(TS_F_TS_RESP_CTX_ADD_POLICY, ERR_R_MALLOC_FAILURE);
271 ASN1_OBJECT_free(copy); 288 ASN1_OBJECT_free(copy);
272 return 0; 289 return 0;
273 } 290}
274 291
275int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md) 292int
276 { 293TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md)
294{
277 /* Create new md stack if necessary. */ 295 /* Create new md stack if necessary. */
278 if (!ctx->mds && !(ctx->mds = sk_EVP_MD_new_null())) 296 if (!ctx->mds && !(ctx->mds = sk_EVP_MD_new_null()))
279 goto err; 297 goto err;
280 /* Add the shared md, no copy needed. */ 298 /* Add the shared md, no copy needed. */
281 if (!sk_EVP_MD_push(ctx->mds, (EVP_MD *)md)) goto err; 299 if (!sk_EVP_MD_push(ctx->mds, (EVP_MD *)md))
300 goto err;
282 301
283 return 1; 302 return 1;
284 err: 303
304err:
285 TSerr(TS_F_TS_RESP_CTX_ADD_MD, ERR_R_MALLOC_FAILURE); 305 TSerr(TS_F_TS_RESP_CTX_ADD_MD, ERR_R_MALLOC_FAILURE);
286 return 0; 306 return 0;
287 } 307}
288 308
289#define TS_RESP_CTX_accuracy_free(ctx) \ 309#define TS_RESP_CTX_accuracy_free(ctx) \
290 ASN1_INTEGER_free(ctx->seconds); \ 310 ASN1_INTEGER_free(ctx->seconds); \
@@ -294,129 +314,142 @@ int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md)
294 ASN1_INTEGER_free(ctx->micros); \ 314 ASN1_INTEGER_free(ctx->micros); \
295 ctx->micros = NULL; 315 ctx->micros = NULL;
296 316
297int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, 317int
298 int secs, int millis, int micros) 318TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, int secs, int millis, int micros)
299 { 319{
300
301 TS_RESP_CTX_accuracy_free(ctx); 320 TS_RESP_CTX_accuracy_free(ctx);
302 if (secs && (!(ctx->seconds = ASN1_INTEGER_new()) 321 if (secs && (!(ctx->seconds = ASN1_INTEGER_new()) ||
303 || !ASN1_INTEGER_set(ctx->seconds, secs))) 322 !ASN1_INTEGER_set(ctx->seconds, secs)))
304 goto err; 323 goto err;
305 if (millis && (!(ctx->millis = ASN1_INTEGER_new()) 324 if (millis && (!(ctx->millis = ASN1_INTEGER_new()) ||
306 || !ASN1_INTEGER_set(ctx->millis, millis))) 325 !ASN1_INTEGER_set(ctx->millis, millis)))
307 goto err; 326 goto err;
308 if (micros && (!(ctx->micros = ASN1_INTEGER_new()) 327 if (micros && (!(ctx->micros = ASN1_INTEGER_new()) ||
309 || !ASN1_INTEGER_set(ctx->micros, micros))) 328 !ASN1_INTEGER_set(ctx->micros, micros)))
310 goto err; 329 goto err;
311 330
312 return 1; 331 return 1;
313 err: 332
333err:
314 TS_RESP_CTX_accuracy_free(ctx); 334 TS_RESP_CTX_accuracy_free(ctx);
315 TSerr(TS_F_TS_RESP_CTX_SET_ACCURACY, ERR_R_MALLOC_FAILURE); 335 TSerr(TS_F_TS_RESP_CTX_SET_ACCURACY, ERR_R_MALLOC_FAILURE);
316 return 0; 336 return 0;
317 } 337}
318 338
319void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags) 339void
320 { 340TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags)
341{
321 ctx->flags |= flags; 342 ctx->flags |= flags;
322 } 343}
323 344
324void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data) 345void
325 { 346TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data)
347{
326 ctx->serial_cb = cb; 348 ctx->serial_cb = cb;
327 ctx->serial_cb_data = data; 349 ctx->serial_cb_data = data;
328 } 350}
329 351
330void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data) 352void
331 { 353TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data)
354{
332 ctx->time_cb = cb; 355 ctx->time_cb = cb;
333 ctx->time_cb_data = data; 356 ctx->time_cb_data = data;
334 } 357}
335 358
336void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, 359void
337 TS_extension_cb cb, void *data) 360TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, TS_extension_cb cb, void *data)
338 { 361{
339 ctx->extension_cb = cb; 362 ctx->extension_cb = cb;
340 ctx->extension_cb_data = data; 363 ctx->extension_cb_data = data;
341 } 364}
342 365
343int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, 366int
344 int status, const char *text) 367TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, int status, const char *text)
345 { 368{
346 TS_STATUS_INFO *si = NULL; 369 TS_STATUS_INFO *si = NULL;
347 ASN1_UTF8STRING *utf8_text = NULL; 370 ASN1_UTF8STRING *utf8_text = NULL;
348 int ret = 0; 371 int ret = 0;
349 372
350 if (!(si = TS_STATUS_INFO_new())) goto err; 373 if (!(si = TS_STATUS_INFO_new()))
351 if (!ASN1_INTEGER_set(si->status, status)) goto err; 374 goto err;
352 if (text) 375 if (!ASN1_INTEGER_set(si->status, status))
353 { 376 goto err;
354 if (!(utf8_text = ASN1_UTF8STRING_new()) 377 if (text) {
355 || !ASN1_STRING_set(utf8_text, text, strlen(text))) 378 if (!(utf8_text = ASN1_UTF8STRING_new()) ||
379 !ASN1_STRING_set(utf8_text, text, strlen(text)))
356 goto err; 380 goto err;
357 if (!si->text && !(si->text = sk_ASN1_UTF8STRING_new_null())) 381 if (!si->text && !(si->text = sk_ASN1_UTF8STRING_new_null()))
358 goto err; 382 goto err;
359 if (!sk_ASN1_UTF8STRING_push(si->text, utf8_text)) goto err; 383 if (!sk_ASN1_UTF8STRING_push(si->text, utf8_text))
384 goto err;
360 utf8_text = NULL; /* Ownership is lost. */ 385 utf8_text = NULL; /* Ownership is lost. */
361 } 386 }
362 if (!TS_RESP_set_status_info(ctx->response, si)) goto err; 387 if (!TS_RESP_set_status_info(ctx->response, si))
388 goto err;
363 ret = 1; 389 ret = 1;
364 err: 390
391err:
365 if (!ret) 392 if (!ret)
366 TSerr(TS_F_TS_RESP_CTX_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE); 393 TSerr(TS_F_TS_RESP_CTX_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE);
367 TS_STATUS_INFO_free(si); 394 TS_STATUS_INFO_free(si);
368 ASN1_UTF8STRING_free(utf8_text); 395 ASN1_UTF8STRING_free(utf8_text);
369 return ret; 396 return ret;
370 } 397}
371 398
372int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, 399int
373 int status, const char *text) 400TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, int status, const char *text)
374 { 401{
375 int ret = 1; 402 int ret = 1;
376 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); 403 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response);
377 404
378 if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) 405 if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) {
379 {
380 /* Status has not been set, set it now. */ 406 /* Status has not been set, set it now. */
381 ret = TS_RESP_CTX_set_status_info(ctx, status, text); 407 ret = TS_RESP_CTX_set_status_info(ctx, status, text);
382 }
383 return ret;
384 } 408 }
409 return ret;
410}
385 411
386int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure) 412int
387 { 413TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure)
414{
388 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); 415 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response);
416
389 if (!si->failure_info && !(si->failure_info = ASN1_BIT_STRING_new())) 417 if (!si->failure_info && !(si->failure_info = ASN1_BIT_STRING_new()))
390 goto err; 418 goto err;
391 if (!ASN1_BIT_STRING_set_bit(si->failure_info, failure, 1)) 419 if (!ASN1_BIT_STRING_set_bit(si->failure_info, failure, 1))
392 goto err; 420 goto err;
393 return 1; 421 return 1;
394 err: 422
423err:
395 TSerr(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO, ERR_R_MALLOC_FAILURE); 424 TSerr(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO, ERR_R_MALLOC_FAILURE);
396 return 0; 425 return 0;
397 } 426}
398 427
399TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx) 428TS_REQ *
400 { 429TS_RESP_CTX_get_request(TS_RESP_CTX *ctx)
430{
401 return ctx->request; 431 return ctx->request;
402 } 432}
403 433
404TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx) 434TS_TST_INFO *
405 { 435TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx)
436{
406 return ctx->tst_info; 437 return ctx->tst_info;
407 } 438}
408 439
409int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision) 440int
410 { 441TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)
411 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS) 442{
412 return 0; 443 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
413 ctx->clock_precision_digits = precision; 444 return 0;
414 return 1; 445 ctx->clock_precision_digits = precision;
415 } 446 return 1;
447}
416 448
417/* Main entry method of the response generation. */ 449/* Main entry method of the response generation. */
418TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio) 450TS_RESP *
419 { 451TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
452{
420 ASN1_OBJECT *policy; 453 ASN1_OBJECT *policy;
421 TS_RESP *response; 454 TS_RESP *response;
422 int result = 0; 455 int result = 0;
@@ -424,87 +457,90 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
424 TS_RESP_CTX_init(ctx); 457 TS_RESP_CTX_init(ctx);
425 458
426 /* Creating the response object. */ 459 /* Creating the response object. */
427 if (!(ctx->response = TS_RESP_new())) 460 if (!(ctx->response = TS_RESP_new())) {
428 {
429 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, ERR_R_MALLOC_FAILURE); 461 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, ERR_R_MALLOC_FAILURE);
430 goto end; 462 goto end;
431 } 463 }
432 464
433 /* Parsing DER request. */ 465 /* Parsing DER request. */
434 if (!(ctx->request = d2i_TS_REQ_bio(req_bio, NULL))) 466 if (!(ctx->request = d2i_TS_REQ_bio(req_bio, NULL))) {
435 {
436 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 467 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
437 "Bad request format or " 468 "Bad request format or "
438 "system error."); 469 "system error.");
439 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT); 470 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
440 goto end; 471 goto end;
441 } 472 }
442 473
443 /* Setting default status info. */ 474 /* Setting default status info. */
444 if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL)) 475 if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL))
445 goto end; 476 goto end;
446 477
447 /* Checking the request format. */ 478 /* Checking the request format. */
448 if (!TS_RESP_check_request(ctx)) goto end; 479 if (!TS_RESP_check_request(ctx))
480 goto end;
449 481
450 /* Checking acceptable policies. */ 482 /* Checking acceptable policies. */
451 if (!(policy = TS_RESP_get_policy(ctx))) goto end; 483 if (!(policy = TS_RESP_get_policy(ctx)))
484 goto end;
452 485
453 /* Creating the TS_TST_INFO object. */ 486 /* Creating the TS_TST_INFO object. */
454 if (!(ctx->tst_info = TS_RESP_create_tst_info(ctx, policy))) 487 if (!(ctx->tst_info = TS_RESP_create_tst_info(ctx, policy)))
455 goto end; 488 goto end;
456 489
457 /* Processing extensions. */ 490 /* Processing extensions. */
458 if (!TS_RESP_process_extensions(ctx)) goto end; 491 if (!TS_RESP_process_extensions(ctx))
492 goto end;
459 493
460 /* Generating the signature. */ 494 /* Generating the signature. */
461 if (!TS_RESP_sign(ctx)) goto end; 495 if (!TS_RESP_sign(ctx))
496 goto end;
462 497
463 /* Everything was successful. */ 498 /* Everything was successful. */
464 result = 1; 499 result = 1;
465 end: 500
466 if (!result) 501end:
467 { 502 if (!result) {
468 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, TS_R_RESPONSE_SETUP_ERROR); 503 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, TS_R_RESPONSE_SETUP_ERROR);
469 if (ctx->response != NULL) 504 if (ctx->response != NULL) {
470 {
471 if (TS_RESP_CTX_set_status_info_cond(ctx, 505 if (TS_RESP_CTX_set_status_info_cond(ctx,
472 TS_STATUS_REJECTION, "Error during response " 506 TS_STATUS_REJECTION, "Error during response "
473 "generation.") == 0) 507 "generation.") == 0) {
474 {
475 TS_RESP_free(ctx->response); 508 TS_RESP_free(ctx->response);
476 ctx->response = NULL; 509 ctx->response = NULL;
477 }
478 } 510 }
479 } 511 }
512 }
480 response = ctx->response; 513 response = ctx->response;
481 ctx->response = NULL; /* Ownership will be returned to caller. */ 514 ctx->response = NULL; /* Ownership will be returned to caller. */
482 TS_RESP_CTX_cleanup(ctx); 515 TS_RESP_CTX_cleanup(ctx);
483 return response; 516 return response;
484 } 517}
485 518
486/* Initializes the variable part of the context. */ 519/* Initializes the variable part of the context. */
487static void TS_RESP_CTX_init(TS_RESP_CTX *ctx) 520static void
488 { 521TS_RESP_CTX_init(TS_RESP_CTX *ctx)
522{
489 ctx->request = NULL; 523 ctx->request = NULL;
490 ctx->response = NULL; 524 ctx->response = NULL;
491 ctx->tst_info = NULL; 525 ctx->tst_info = NULL;
492 } 526}
493 527
494/* Cleans up the variable part of the context. */ 528/* Cleans up the variable part of the context. */
495static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx) 529static void
496 { 530TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx)
531{
497 TS_REQ_free(ctx->request); 532 TS_REQ_free(ctx->request);
498 ctx->request = NULL; 533 ctx->request = NULL;
499 TS_RESP_free(ctx->response); 534 TS_RESP_free(ctx->response);
500 ctx->response = NULL; 535 ctx->response = NULL;
501 TS_TST_INFO_free(ctx->tst_info); 536 TS_TST_INFO_free(ctx->tst_info);
502 ctx->tst_info = NULL; 537 ctx->tst_info = NULL;
503 } 538}
504 539
505/* Checks the format and content of the request. */ 540/* Checks the format and content of the request. */
506static int TS_RESP_check_request(TS_RESP_CTX *ctx) 541static int
507 { 542TS_RESP_check_request(TS_RESP_CTX *ctx)
543{
508 TS_REQ *request = ctx->request; 544 TS_REQ *request = ctx->request;
509 TS_MSG_IMPRINT *msg_imprint; 545 TS_MSG_IMPRINT *msg_imprint;
510 X509_ALGOR *md_alg; 546 X509_ALGOR *md_alg;
@@ -514,95 +550,88 @@ static int TS_RESP_check_request(TS_RESP_CTX *ctx)
514 int i; 550 int i;
515 551
516 /* Checking request version. */ 552 /* Checking request version. */
517 if (TS_REQ_get_version(request) != 1) 553 if (TS_REQ_get_version(request) != 1) {
518 {
519 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 554 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
520 "Bad request version."); 555 "Bad request version.");
521 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_REQUEST); 556 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_REQUEST);
522 return 0; 557 return 0;
523 } 558 }
524 559
525 /* Checking message digest algorithm. */ 560 /* Checking message digest algorithm. */
526 msg_imprint = TS_REQ_get_msg_imprint(request); 561 msg_imprint = TS_REQ_get_msg_imprint(request);
527 md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint); 562 md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint);
528 md_alg_id = OBJ_obj2nid(md_alg->algorithm); 563 md_alg_id = OBJ_obj2nid(md_alg->algorithm);
529 for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) 564 for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) {
530 {
531 EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i); 565 EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i);
532 if (md_alg_id == EVP_MD_type(current_md)) 566 if (md_alg_id == EVP_MD_type(current_md))
533 md = current_md; 567 md = current_md;
534 } 568 }
535 if (!md) 569 if (!md) {
536 {
537 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 570 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
538 "Message digest algorithm is " 571 "Message digest algorithm is "
539 "not supported."); 572 "not supported.");
540 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG); 573 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
541 return 0; 574 return 0;
542 } 575 }
543 576
544 /* No message digest takes parameter. */ 577 /* No message digest takes parameter. */
545 if (md_alg->parameter 578 if (md_alg->parameter &&
546 && ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL) 579 ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL) {
547 {
548 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 580 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
549 "Superfluous message digest " 581 "Superfluous message digest "
550 "parameter."); 582 "parameter.");
551 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG); 583 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
552 return 0; 584 return 0;
553 } 585 }
554 /* Checking message digest size. */ 586 /* Checking message digest size. */
555 digest = TS_MSG_IMPRINT_get_msg(msg_imprint); 587 digest = TS_MSG_IMPRINT_get_msg(msg_imprint);
556 if (digest->length != EVP_MD_size(md)) 588 if (digest->length != EVP_MD_size(md)) {
557 {
558 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 589 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
559 "Bad message digest."); 590 "Bad message digest.");
560 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT); 591 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
561 return 0; 592 return 0;
562 } 593 }
563 594
564 return 1; 595 return 1;
565 } 596}
566 597
567/* Returns the TSA policy based on the requested and acceptable policies. */ 598/* Returns the TSA policy based on the requested and acceptable policies. */
568static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx) 599static ASN1_OBJECT *
569 { 600TS_RESP_get_policy(TS_RESP_CTX *ctx)
601{
570 ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request); 602 ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request);
571 ASN1_OBJECT *policy = NULL; 603 ASN1_OBJECT *policy = NULL;
572 int i; 604 int i;
573 605
574 if (ctx->default_policy == NULL) 606 if (ctx->default_policy == NULL) {
575 {
576 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_INVALID_NULL_POINTER); 607 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_INVALID_NULL_POINTER);
577 return NULL; 608 return NULL;
578 } 609 }
579 /* Return the default policy if none is requested or the default is 610 /* Return the default policy if none is requested or the default is
580 requested. */ 611 requested. */
581 if (!requested || !OBJ_cmp(requested, ctx->default_policy)) 612 if (!requested || !OBJ_cmp(requested, ctx->default_policy))
582 policy = ctx->default_policy; 613 policy = ctx->default_policy;
583 614
584 /* Check if the policy is acceptable. */ 615 /* Check if the policy is acceptable. */
585 for (i = 0; !policy && i < sk_ASN1_OBJECT_num(ctx->policies); ++i) 616 for (i = 0; !policy && i < sk_ASN1_OBJECT_num(ctx->policies); ++i) {
586 {
587 ASN1_OBJECT *current = sk_ASN1_OBJECT_value(ctx->policies, i); 617 ASN1_OBJECT *current = sk_ASN1_OBJECT_value(ctx->policies, i);
588 if (!OBJ_cmp(requested, current)) 618 if (!OBJ_cmp(requested, current))
589 policy = current; 619 policy = current;
590 } 620 }
591 if (!policy) 621 if (!policy) {
592 {
593 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_UNACCEPTABLE_POLICY); 622 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_UNACCEPTABLE_POLICY);
594 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 623 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
595 "Requested policy is not " 624 "Requested policy is not "
596 "supported."); 625 "supported.");
597 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_POLICY); 626 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_POLICY);
598 }
599 return policy;
600 } 627 }
628 return policy;
629}
601 630
602/* Creates the TS_TST_INFO object based on the settings of the context. */ 631/* Creates the TS_TST_INFO object based on the settings of the context. */
603static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx, 632static TS_TST_INFO *
604 ASN1_OBJECT *policy) 633TS_RESP_create_tst_info(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
605 { 634{
606 int result = 0; 635 int result = 0;
607 TS_TST_INFO *tst_info = NULL; 636 TS_TST_INFO *tst_info = NULL;
608 ASN1_INTEGER *serial = NULL; 637 ASN1_INTEGER *serial = NULL;
@@ -612,24 +641,26 @@ static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
612 const ASN1_INTEGER *nonce; 641 const ASN1_INTEGER *nonce;
613 GENERAL_NAME *tsa_name = NULL; 642 GENERAL_NAME *tsa_name = NULL;
614 643
615 if (!(tst_info = TS_TST_INFO_new())) goto end; 644 if (!(tst_info = TS_TST_INFO_new()))
616 if (!TS_TST_INFO_set_version(tst_info, 1)) goto end; 645 goto end;
617 if (!TS_TST_INFO_set_policy_id(tst_info, policy)) goto end; 646 if (!TS_TST_INFO_set_version(tst_info, 1))
647 goto end;
648 if (!TS_TST_INFO_set_policy_id(tst_info, policy))
649 goto end;
618 if (!TS_TST_INFO_set_msg_imprint(tst_info, ctx->request->msg_imprint)) 650 if (!TS_TST_INFO_set_msg_imprint(tst_info, ctx->request->msg_imprint))
619 goto end; 651 goto end;
620 if (!(serial = (*ctx->serial_cb)(ctx, ctx->serial_cb_data)) 652 if (!(serial = (*ctx->serial_cb)(ctx, ctx->serial_cb_data)) ||
621 || !TS_TST_INFO_set_serial(tst_info, serial)) 653 !TS_TST_INFO_set_serial(tst_info, serial))
622 goto end; 654 goto end;
623 if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) 655 if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) ||
624 || !(asn1_time = TS_RESP_set_genTime_with_precision(NULL, 656 !(asn1_time = TS_RESP_set_genTime_with_precision(NULL, sec, usec,
625 sec, usec, 657 ctx->clock_precision_digits)) ||
626 ctx->clock_precision_digits)) 658 !TS_TST_INFO_set_time(tst_info, asn1_time))
627 || !TS_TST_INFO_set_time(tst_info, asn1_time))
628 goto end; 659 goto end;
629 660
630 /* Setting accuracy if needed. */ 661 /* Setting accuracy if needed. */
631 if ((ctx->seconds || ctx->millis || ctx->micros) 662 if ((ctx->seconds || ctx->millis || ctx->micros) &&
632 && !(accuracy = TS_ACCURACY_new())) 663 !(accuracy = TS_ACCURACY_new()))
633 goto end; 664 goto end;
634 665
635 if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds)) 666 if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds))
@@ -638,58 +669,60 @@ static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
638 goto end; 669 goto end;
639 if (ctx->micros && !TS_ACCURACY_set_micros(accuracy, ctx->micros)) 670 if (ctx->micros && !TS_ACCURACY_set_micros(accuracy, ctx->micros))
640 goto end; 671 goto end;
641 if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy)) 672 if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy))
642 goto end; 673 goto end;
643 674
644 /* Setting ordering. */ 675 /* Setting ordering. */
645 if ((ctx->flags & TS_ORDERING) 676 if ((ctx->flags & TS_ORDERING) &&
646 && !TS_TST_INFO_set_ordering(tst_info, 1)) 677 !TS_TST_INFO_set_ordering(tst_info, 1))
647 goto end; 678 goto end;
648 679
649 /* Setting nonce if needed. */ 680 /* Setting nonce if needed. */
650 if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL 681 if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL &&
651 && !TS_TST_INFO_set_nonce(tst_info, nonce)) 682 !TS_TST_INFO_set_nonce(tst_info, nonce))
652 goto end; 683 goto end;
653 684
654 /* Setting TSA name to subject of signer certificate. */ 685 /* Setting TSA name to subject of signer certificate. */
655 if (ctx->flags & TS_TSA_NAME) 686 if (ctx->flags & TS_TSA_NAME) {
656 { 687 if (!(tsa_name = GENERAL_NAME_new()))
657 if (!(tsa_name = GENERAL_NAME_new())) goto end; 688 goto end;
658 tsa_name->type = GEN_DIRNAME; 689 tsa_name->type = GEN_DIRNAME;
659 tsa_name->d.dirn = 690 tsa_name->d.dirn =
660 X509_NAME_dup(ctx->signer_cert->cert_info->subject); 691 X509_NAME_dup(ctx->signer_cert->cert_info->subject);
661 if (!tsa_name->d.dirn) goto end; 692 if (!tsa_name->d.dirn)
662 if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) goto end; 693 goto end;
663 } 694 if (!TS_TST_INFO_set_tsa(tst_info, tsa_name))
695 goto end;
696 }
664 697
665 result = 1; 698 result = 1;
666 end: 699
667 if (!result) 700end:
668 { 701 if (!result) {
669 TS_TST_INFO_free(tst_info); 702 TS_TST_INFO_free(tst_info);
670 tst_info = NULL; 703 tst_info = NULL;
671 TSerr(TS_F_TS_RESP_CREATE_TST_INFO, TS_R_TST_INFO_SETUP_ERROR); 704 TSerr(TS_F_TS_RESP_CREATE_TST_INFO, TS_R_TST_INFO_SETUP_ERROR);
672 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION, 705 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
673 "Error during TSTInfo " 706 "Error during TSTInfo "
674 "generation."); 707 "generation.");
675 } 708 }
676 GENERAL_NAME_free(tsa_name); 709 GENERAL_NAME_free(tsa_name);
677 TS_ACCURACY_free(accuracy); 710 TS_ACCURACY_free(accuracy);
678 ASN1_GENERALIZEDTIME_free(asn1_time); 711 ASN1_GENERALIZEDTIME_free(asn1_time);
679 ASN1_INTEGER_free(serial); 712 ASN1_INTEGER_free(serial);
680 713
681 return tst_info; 714 return tst_info;
682 } 715}
683 716
684/* Processing the extensions of the request. */ 717/* Processing the extensions of the request. */
685static int TS_RESP_process_extensions(TS_RESP_CTX *ctx) 718static int
686 { 719TS_RESP_process_extensions(TS_RESP_CTX *ctx)
720{
687 STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request); 721 STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request);
688 int i; 722 int i;
689 int ok = 1; 723 int ok = 1;
690 724
691 for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i) 725 for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i) {
692 {
693 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); 726 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
694 /* XXXXX The last argument was previously 727 /* XXXXX The last argument was previously
695 (void *)ctx->extension_cb, but ISO C doesn't permit 728 (void *)ctx->extension_cb, but ISO C doesn't permit
@@ -699,14 +732,15 @@ static int TS_RESP_process_extensions(TS_RESP_CTX *ctx)
699 anyway... 732 anyway...
700 */ 733 */
701 ok = (*ctx->extension_cb)(ctx, ext, NULL); 734 ok = (*ctx->extension_cb)(ctx, ext, NULL);
702 } 735 }
703 736
704 return ok; 737 return ok;
705 } 738}
706 739
707/* Functions for signing the TS_TST_INFO structure of the context. */ 740/* Functions for signing the TS_TST_INFO structure of the context. */
708static int TS_RESP_sign(TS_RESP_CTX *ctx) 741static int
709 { 742TS_RESP_sign(TS_RESP_CTX *ctx)
743{
710 int ret = 0; 744 int ret = 0;
711 PKCS7 *p7 = NULL; 745 PKCS7 *p7 = NULL;
712 PKCS7_SIGNER_INFO *si; 746 PKCS7_SIGNER_INFO *si;
@@ -718,9 +752,9 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
718 752
719 /* Check if signcert and pkey match. */ 753 /* Check if signcert and pkey match. */
720 if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) { 754 if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
721 TSerr(TS_F_TS_RESP_SIGN, 755 TSerr(TS_F_TS_RESP_SIGN,
722 TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); 756 TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
723 goto err; 757 goto err;
724 } 758 }
725 759
726 /* Create a new PKCS7 signed object. */ 760 /* Create a new PKCS7 signed object. */
@@ -728,57 +762,54 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
728 TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE); 762 TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE);
729 goto err; 763 goto err;
730 } 764 }
731 if (!PKCS7_set_type(p7, NID_pkcs7_signed)) goto err; 765 if (!PKCS7_set_type(p7, NID_pkcs7_signed))
766 goto err;
732 767
733 /* Force SignedData version to be 3 instead of the default 1. */ 768 /* Force SignedData version to be 3 instead of the default 1. */
734 if (!ASN1_INTEGER_set(p7->d.sign->version, 3)) goto err; 769 if (!ASN1_INTEGER_set(p7->d.sign->version, 3))
770 goto err;
735 771
736 /* Add signer certificate and optional certificate chain. */ 772 /* Add signer certificate and optional certificate chain. */
737 if (TS_REQ_get_cert_req(ctx->request)) 773 if (TS_REQ_get_cert_req(ctx->request)) {
738 {
739 PKCS7_add_certificate(p7, ctx->signer_cert); 774 PKCS7_add_certificate(p7, ctx->signer_cert);
740 if (ctx->certs) 775 if (ctx->certs) {
741 { 776 for (i = 0; i < sk_X509_num(ctx->certs); ++i) {
742 for(i = 0; i < sk_X509_num(ctx->certs); ++i)
743 {
744 X509 *cert = sk_X509_value(ctx->certs, i); 777 X509 *cert = sk_X509_value(ctx->certs, i);
745 PKCS7_add_certificate(p7, cert); 778 PKCS7_add_certificate(p7, cert);
746 }
747 } 779 }
748 } 780 }
781 }
749 782
750 /* Add a new signer info. */ 783 /* Add a new signer info. */
751 if (!(si = PKCS7_add_signature(p7, ctx->signer_cert, 784 if (!(si = PKCS7_add_signature(p7, ctx->signer_cert,
752 ctx->signer_key, EVP_sha1()))) 785 ctx->signer_key, EVP_sha1()))) {
753 {
754 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR); 786 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
755 goto err; 787 goto err;
756 } 788 }
757 789
758 /* Add content type signed attribute to the signer info. */ 790 /* Add content type signed attribute to the signer info. */
759 oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo); 791 oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
760 if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, 792 if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
761 V_ASN1_OBJECT, oid)) 793 V_ASN1_OBJECT, oid)) {
762 {
763 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR); 794 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR);
764 goto err; 795 goto err;
765 } 796 }
766 797
767 /* Create the ESS SigningCertificate attribute which contains 798 /* Create the ESS SigningCertificate attribute which contains
768 the signer certificate id and optionally the certificate chain. */ 799 the signer certificate id and optionally the certificate chain. */
769 certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; 800 certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
770 if (!(sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs))) 801 if (!(sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs)))
771 goto err; 802 goto err;
772 803
773 /* Add SigningCertificate signed attribute to the signer info. */ 804 /* Add SigningCertificate signed attribute to the signer info. */
774 if (!ESS_add_signing_cert(si, sc)) 805 if (!ESS_add_signing_cert(si, sc)) {
775 {
776 TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR); 806 TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR);
777 goto err; 807 goto err;
778 } 808 }
779 809
780 /* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */ 810 /* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */
781 if (!TS_TST_INFO_content_new(p7)) goto err; 811 if (!TS_TST_INFO_content_new(p7))
812 goto err;
782 813
783 /* Add the DER encoded tst_info to the PKCS7 structure. */ 814 /* Add the DER encoded tst_info to the PKCS7 structure. */
784 if (!(p7bio = PKCS7_dataInit(p7, NULL))) { 815 if (!(p7bio = PKCS7_dataInit(p7, NULL))) {
@@ -787,18 +818,16 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
787 } 818 }
788 819
789 /* Convert tst_info to DER. */ 820 /* Convert tst_info to DER. */
790 if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info)) 821 if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info)) {
791 {
792 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN); 822 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
793 goto err; 823 goto err;
794 } 824 }
795 825
796 /* Create the signature and add it to the signer info. */ 826 /* Create the signature and add it to the signer info. */
797 if (!PKCS7_dataFinal(p7, p7bio)) 827 if (!PKCS7_dataFinal(p7, p7bio)) {
798 {
799 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN); 828 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
800 goto err; 829 goto err;
801 } 830 }
802 831
803 /* Set new PKCS7 and TST_INFO objects. */ 832 /* Set new PKCS7 and TST_INFO objects. */
804 TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info); 833 TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info);
@@ -806,152 +835,163 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
806 ctx->tst_info = NULL; /* Ownership is lost. */ 835 ctx->tst_info = NULL; /* Ownership is lost. */
807 836
808 ret = 1; 837 ret = 1;
809 err: 838
839err:
810 if (!ret) 840 if (!ret)
811 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION, 841 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
812 "Error during signature " 842 "Error during signature "
813 "generation."); 843 "generation.");
814 BIO_free_all(p7bio); 844 BIO_free_all(p7bio);
815 ESS_SIGNING_CERT_free(sc); 845 ESS_SIGNING_CERT_free(sc);
816 PKCS7_free(p7); 846 PKCS7_free(p7);
817 return ret; 847 return ret;
818 } 848}
819 849
820static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, 850static ESS_SIGNING_CERT *
821 STACK_OF(X509) *certs) 851ESS_SIGNING_CERT_new_init(X509 *signcert, STACK_OF(X509) *certs)
822 { 852{
823 ESS_CERT_ID *cid; 853 ESS_CERT_ID *cid;
824 ESS_SIGNING_CERT *sc = NULL; 854 ESS_SIGNING_CERT *sc = NULL;
825 int i; 855 int i;
826 856
827 /* Creating the ESS_CERT_ID stack. */ 857 /* Creating the ESS_CERT_ID stack. */
828 if (!(sc = ESS_SIGNING_CERT_new())) goto err; 858 if (!(sc = ESS_SIGNING_CERT_new()))
859 goto err;
829 if (!sc->cert_ids && !(sc->cert_ids = sk_ESS_CERT_ID_new_null())) 860 if (!sc->cert_ids && !(sc->cert_ids = sk_ESS_CERT_ID_new_null()))
830 goto err; 861 goto err;
831 862
832 /* Adding the signing certificate id. */ 863 /* Adding the signing certificate id. */
833 if (!(cid = ESS_CERT_ID_new_init(signcert, 0)) 864 if (!(cid = ESS_CERT_ID_new_init(signcert, 0)) ||
834 || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) 865 !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
835 goto err; 866 goto err;
836 /* Adding the certificate chain ids. */ 867 /* Adding the certificate chain ids. */
837 for (i = 0; i < sk_X509_num(certs); ++i) 868 for (i = 0; i < sk_X509_num(certs); ++i) {
838 {
839 X509 *cert = sk_X509_value(certs, i); 869 X509 *cert = sk_X509_value(certs, i);
840 if (!(cid = ESS_CERT_ID_new_init(cert, 1)) 870 if (!(cid = ESS_CERT_ID_new_init(cert, 1)) ||
841 || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) 871 !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
842 goto err; 872 goto err;
843 } 873 }
844 874
845 return sc; 875 return sc;
876
846err: 877err:
847 ESS_SIGNING_CERT_free(sc); 878 ESS_SIGNING_CERT_free(sc);
848 TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE); 879 TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE);
849 return NULL; 880 return NULL;
850 } 881}
851 882
852static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) 883static ESS_CERT_ID *
853 { 884ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
885{
854 ESS_CERT_ID *cid = NULL; 886 ESS_CERT_ID *cid = NULL;
855 GENERAL_NAME *name = NULL; 887 GENERAL_NAME *name = NULL;
856 888
857 /* Recompute SHA1 hash of certificate if necessary (side effect). */ 889 /* Recompute SHA1 hash of certificate if necessary (side effect). */
858 X509_check_purpose(cert, -1, 0); 890 X509_check_purpose(cert, -1, 0);
859 891
860 if (!(cid = ESS_CERT_ID_new())) goto err; 892 if (!(cid = ESS_CERT_ID_new()))
893 goto err;
861 if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash, 894 if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
862 sizeof(cert->sha1_hash))) 895 sizeof(cert->sha1_hash)))
863 goto err; 896 goto err;
864 897
865 /* Setting the issuer/serial if requested. */ 898 /* Setting the issuer/serial if requested. */
866 if (issuer_needed) 899 if (issuer_needed) {
867 {
868 /* Creating issuer/serial structure. */ 900 /* Creating issuer/serial structure. */
869 if (!cid->issuer_serial 901 if (!cid->issuer_serial &&
870 && !(cid->issuer_serial = ESS_ISSUER_SERIAL_new())) 902 !(cid->issuer_serial = ESS_ISSUER_SERIAL_new()))
871 goto err; 903 goto err;
872 /* Creating general name from the certificate issuer. */ 904 /* Creating general name from the certificate issuer. */
873 if (!(name = GENERAL_NAME_new())) goto err; 905 if (!(name = GENERAL_NAME_new()))
906 goto err;
874 name->type = GEN_DIRNAME; 907 name->type = GEN_DIRNAME;
875 if (!(name->d.dirn = X509_NAME_dup(cert->cert_info->issuer))) 908 if (!(name->d.dirn = X509_NAME_dup(cert->cert_info->issuer)))
876 goto err; 909 goto err;
877 if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) 910 if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
878 goto err; 911 goto err;
879 name = NULL; /* Ownership is lost. */ 912 name = NULL; /* Ownership is lost. */
880 /* Setting the serial number. */ 913 /* Setting the serial number. */
881 ASN1_INTEGER_free(cid->issuer_serial->serial); 914 ASN1_INTEGER_free(cid->issuer_serial->serial);
882 if (!(cid->issuer_serial->serial = 915 if (!(cid->issuer_serial->serial =
883 ASN1_INTEGER_dup(cert->cert_info->serialNumber))) 916 ASN1_INTEGER_dup(cert->cert_info->serialNumber)))
884 goto err; 917 goto err;
885 } 918 }
886 919
887 return cid; 920 return cid;
921
888err: 922err:
889 GENERAL_NAME_free(name); 923 GENERAL_NAME_free(name);
890 ESS_CERT_ID_free(cid); 924 ESS_CERT_ID_free(cid);
891 TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE); 925 TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE);
892 return NULL; 926 return NULL;
893 } 927}
894 928
895static int TS_TST_INFO_content_new(PKCS7 *p7) 929static int
896 { 930TS_TST_INFO_content_new(PKCS7 *p7)
931{
897 PKCS7 *ret = NULL; 932 PKCS7 *ret = NULL;
898 ASN1_OCTET_STRING *octet_string = NULL; 933 ASN1_OCTET_STRING *octet_string = NULL;
899 934
900 /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */ 935 /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */
901 if (!(ret = PKCS7_new())) goto err; 936 if (!(ret = PKCS7_new()))
902 if (!(ret->d.other = ASN1_TYPE_new())) goto err; 937 goto err;
938 if (!(ret->d.other = ASN1_TYPE_new()))
939 goto err;
903 ret->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo); 940 ret->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
904 if (!(octet_string = ASN1_OCTET_STRING_new())) goto err; 941 if (!(octet_string = ASN1_OCTET_STRING_new()))
942 goto err;
905 ASN1_TYPE_set(ret->d.other, V_ASN1_OCTET_STRING, octet_string); 943 ASN1_TYPE_set(ret->d.other, V_ASN1_OCTET_STRING, octet_string);
906 octet_string = NULL; 944 octet_string = NULL;
907 945
908 /* Add encapsulated content to signed PKCS7 structure. */ 946 /* Add encapsulated content to signed PKCS7 structure. */
909 if (!PKCS7_set_content(p7, ret)) goto err; 947 if (!PKCS7_set_content(p7, ret))
948 goto err;
910 949
911 return 1; 950 return 1;
912 err: 951
952err:
913 ASN1_OCTET_STRING_free(octet_string); 953 ASN1_OCTET_STRING_free(octet_string);
914 PKCS7_free(ret); 954 PKCS7_free(ret);
915 return 0; 955 return 0;
916 } 956}
917 957
918static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) 958static int
919 { 959ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
960{
920 ASN1_STRING *seq = NULL; 961 ASN1_STRING *seq = NULL;
921 unsigned char *p, *pp = NULL; 962 unsigned char *p, *pp = NULL;
922 int len; 963 int len;
923 964
924 len = i2d_ESS_SIGNING_CERT(sc, NULL); 965 len = i2d_ESS_SIGNING_CERT(sc, NULL);
925 if (!(pp = (unsigned char *) malloc(len))) 966 if (!(pp = (unsigned char *) malloc(len))) {
926 {
927 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); 967 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
928 goto err; 968 goto err;
929 } 969 }
930 p = pp; 970 p = pp;
931 i2d_ESS_SIGNING_CERT(sc, &p); 971 i2d_ESS_SIGNING_CERT(sc, &p);
932 if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) 972 if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
933 {
934 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); 973 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
935 goto err; 974 goto err;
936 } 975 }
937 free(pp); pp = NULL; 976 free(pp);
938 return PKCS7_add_signed_attribute(si, 977 pp = NULL;
939 NID_id_smime_aa_signingCertificate, 978 return PKCS7_add_signed_attribute(si,
940 V_ASN1_SEQUENCE, seq); 979 NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
941 err: 980
981err:
942 ASN1_STRING_free(seq); 982 ASN1_STRING_free(seq);
943 free(pp); 983 free(pp);
944 984
945 return 0; 985 return 0;
946 } 986}
947 987
948 988
949static ASN1_GENERALIZEDTIME * 989static ASN1_GENERALIZEDTIME *
950TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time, 990TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
951 long sec, long usec, unsigned precision) 991 long sec, long usec, unsigned precision)
952 { 992{
953 time_t time_sec = (time_t) sec; 993 time_t time_sec = (time_t) sec;
954 struct tm *tm = NULL; 994 struct tm *tm = NULL;
955 char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS]; 995 char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS];
956 char usecstr[TS_MAX_CLOCK_PRECISION_DIGITS + 2]; 996 char usecstr[TS_MAX_CLOCK_PRECISION_DIGITS + 2];
957 char *p; 997 char *p;
@@ -960,26 +1000,25 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
960 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS) 1000 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
961 goto err; 1001 goto err;
962 1002
963
964 if (!(tm = gmtime(&time_sec))) 1003 if (!(tm = gmtime(&time_sec)))
965 goto err; 1004 goto err;
966 1005
967 /* 1006 /*
968 * Put "genTime_str" in GeneralizedTime format. We work around the 1007 * Put "genTime_str" in GeneralizedTime format. We work around the
969 * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST 1008 * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
970 * NOT include fractional seconds") and OpenSSL related functions to 1009 * NOT include fractional seconds") and OpenSSL related functions to
971 * meet the rfc3161 requirement: "GeneralizedTime syntax can include 1010 * meet the rfc3161 requirement: "GeneralizedTime syntax can include
972 * fraction-of-second details". 1011 * fraction-of-second details".
973 */ 1012 */
974 if (precision > 0) { 1013 if (precision > 0) {
975 /* To make things a bit harder, X.690 | ISO/IEC 8825-1 provides 1014 /* To make things a bit harder, X.690 | ISO/IEC 8825-1 provides
976 the following restrictions for a DER-encoding, which OpenSSL 1015 the following restrictions for a DER-encoding, which OpenSSL
977 (specifically ASN1_GENERALIZEDTIME_check() function) doesn't 1016 (specifically ASN1_GENERALIZEDTIME_check() function) doesn't
978 support: 1017 support:
979 "The encoding MUST terminate with a "Z" (which means "Zulu" 1018 "The encoding MUST terminate with a "Z" (which means "Zulu"
980 time). The decimal point element, if present, MUST be the 1019 time). The decimal point element, if present, MUST be the
981 point option ".". The fractional-seconds elements, 1020 point option ".". The fractional-seconds elements,
982 if present, MUST omit all trailing 0's; 1021 if present, MUST omit all trailing 0's;
983 if the elements correspond to 0, they MUST be wholly 1022 if the elements correspond to 0, they MUST be wholly
984 omitted, and the decimal point element also MUST be 1023 omitted, and the decimal point element also MUST be
985 omitted." */ 1024 omitted." */
@@ -999,7 +1038,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
999 } 1038 }
1000 rv = snprintf(genTime_str, sizeof(genTime_str), 1039 rv = snprintf(genTime_str, sizeof(genTime_str),
1001 "%04d%02d%02d%02d%02d%02d%sZ", 1040 "%04d%02d%02d%02d%02d%02d%sZ",
1002 tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, 1041 tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
1003 tm->tm_hour, tm->tm_min, tm->tm_sec, usecstr); 1042 tm->tm_hour, tm->tm_min, tm->tm_sec, usecstr);
1004 if (rv == -1 || rv >= sizeof(genTime_str)) 1043 if (rv == -1 || rv >= sizeof(genTime_str))
1005 goto err; 1044 goto err;
@@ -1007,14 +1046,14 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
1007 /* Now call OpenSSL to check and set our genTime value */ 1046 /* Now call OpenSSL to check and set our genTime value */
1008 if (!asn1_time && !(asn1_time = M_ASN1_GENERALIZEDTIME_new())) 1047 if (!asn1_time && !(asn1_time = M_ASN1_GENERALIZEDTIME_new()))
1009 goto err; 1048 goto err;
1010 if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) 1049 if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) {
1011 {
1012 ASN1_GENERALIZEDTIME_free(asn1_time); 1050 ASN1_GENERALIZEDTIME_free(asn1_time);
1013 goto err; 1051 goto err;
1014 } 1052 }
1015 1053
1016 return asn1_time; 1054 return asn1_time;
1017 err: 1055
1056err:
1018 TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME); 1057 TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME);
1019 return NULL; 1058 return NULL;
1020 } 1059}
diff --git a/src/lib/libcrypto/ts/ts_rsp_utils.c b/src/lib/libcrypto/ts/ts_rsp_utils.c
index 401c1fdc51..89c3e8f63c 100644
--- a/src/lib/libcrypto/ts/ts_rsp_utils.c
+++ b/src/lib/libcrypto/ts/ts_rsp_utils.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,346 +64,372 @@
64 64
65/* Function definitions. */ 65/* Function definitions. */
66 66
67int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *status_info) 67int
68 { 68TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *status_info)
69{
69 TS_STATUS_INFO *new_status_info; 70 TS_STATUS_INFO *new_status_info;
70 71
71 if (a->status_info == status_info) 72 if (a->status_info == status_info)
72 return 1; 73 return 1;
73 new_status_info = TS_STATUS_INFO_dup(status_info); 74 new_status_info = TS_STATUS_INFO_dup(status_info);
74 if (new_status_info == NULL) 75 if (new_status_info == NULL) {
75 {
76 TSerr(TS_F_TS_RESP_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE); 76 TSerr(TS_F_TS_RESP_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE);
77 return 0; 77 return 0;
78 } 78 }
79 TS_STATUS_INFO_free(a->status_info); 79 TS_STATUS_INFO_free(a->status_info);
80 a->status_info = new_status_info; 80 a->status_info = new_status_info;
81 81
82 return 1; 82 return 1;
83 } 83}
84 84
85TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a) 85TS_STATUS_INFO *
86 { 86TS_RESP_get_status_info(TS_RESP *a)
87{
87 return a->status_info; 88 return a->status_info;
88 } 89}
89 90
90/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */ 91/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
91void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info) 92void
92 { 93TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info)
94{
93 /* Set new PKCS7 and TST_INFO objects. */ 95 /* Set new PKCS7 and TST_INFO objects. */
94 PKCS7_free(a->token); 96 PKCS7_free(a->token);
95 a->token = p7; 97 a->token = p7;
96 TS_TST_INFO_free(a->tst_info); 98 TS_TST_INFO_free(a->tst_info);
97 a->tst_info = tst_info; 99 a->tst_info = tst_info;
98 } 100}
99 101
100PKCS7 *TS_RESP_get_token(TS_RESP *a) 102PKCS7 *
101 { 103TS_RESP_get_token(TS_RESP *a)
104{
102 return a->token; 105 return a->token;
103 } 106}
104 107
105TS_TST_INFO *TS_RESP_get_tst_info(TS_RESP *a) 108TS_TST_INFO *
106 { 109TS_RESP_get_tst_info(TS_RESP *a)
110{
107 return a->tst_info; 111 return a->tst_info;
108 } 112}
109 113
110int TS_TST_INFO_set_version(TS_TST_INFO *a, long version) 114int
111 { 115TS_TST_INFO_set_version(TS_TST_INFO *a, long version)
116{
112 return ASN1_INTEGER_set(a->version, version); 117 return ASN1_INTEGER_set(a->version, version);
113 } 118}
114 119
115long TS_TST_INFO_get_version(const TS_TST_INFO *a) 120long
116 { 121TS_TST_INFO_get_version(const TS_TST_INFO *a)
122{
117 return ASN1_INTEGER_get(a->version); 123 return ASN1_INTEGER_get(a->version);
118 } 124}
119 125
120int TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy) 126int
121 { 127TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy)
128{
122 ASN1_OBJECT *new_policy; 129 ASN1_OBJECT *new_policy;
123 130
124 if (a->policy_id == policy) 131 if (a->policy_id == policy)
125 return 1; 132 return 1;
126 new_policy = OBJ_dup(policy); 133 new_policy = OBJ_dup(policy);
127 if (new_policy == NULL) 134 if (new_policy == NULL) {
128 {
129 TSerr(TS_F_TS_TST_INFO_SET_POLICY_ID, ERR_R_MALLOC_FAILURE); 135 TSerr(TS_F_TS_TST_INFO_SET_POLICY_ID, ERR_R_MALLOC_FAILURE);
130 return 0; 136 return 0;
131 } 137 }
132 ASN1_OBJECT_free(a->policy_id); 138 ASN1_OBJECT_free(a->policy_id);
133 a->policy_id = new_policy; 139 a->policy_id = new_policy;
134 return 1; 140 return 1;
135 } 141}
136 142
137ASN1_OBJECT *TS_TST_INFO_get_policy_id(TS_TST_INFO *a) 143ASN1_OBJECT *
138 { 144TS_TST_INFO_get_policy_id(TS_TST_INFO *a)
145{
139 return a->policy_id; 146 return a->policy_id;
140 } 147}
141 148
142int TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint) 149int
143 { 150TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint)
151{
144 TS_MSG_IMPRINT *new_msg_imprint; 152 TS_MSG_IMPRINT *new_msg_imprint;
145 153
146 if (a->msg_imprint == msg_imprint) 154 if (a->msg_imprint == msg_imprint)
147 return 1; 155 return 1;
148 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint); 156 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint);
149 if (new_msg_imprint == NULL) 157 if (new_msg_imprint == NULL) {
150 {
151 TSerr(TS_F_TS_TST_INFO_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE); 158 TSerr(TS_F_TS_TST_INFO_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE);
152 return 0; 159 return 0;
153 } 160 }
154 TS_MSG_IMPRINT_free(a->msg_imprint); 161 TS_MSG_IMPRINT_free(a->msg_imprint);
155 a->msg_imprint = new_msg_imprint; 162 a->msg_imprint = new_msg_imprint;
156 return 1; 163 return 1;
157 } 164}
158 165
159TS_MSG_IMPRINT *TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a) 166TS_MSG_IMPRINT *
160 { 167TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a)
168{
161 return a->msg_imprint; 169 return a->msg_imprint;
162 } 170}
163 171
164int TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial) 172int
165 { 173TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial)
174{
166 ASN1_INTEGER *new_serial; 175 ASN1_INTEGER *new_serial;
167 176
168 if (a->serial == serial) 177 if (a->serial == serial)
169 return 1; 178 return 1;
170 new_serial = ASN1_INTEGER_dup(serial); 179 new_serial = ASN1_INTEGER_dup(serial);
171 if (new_serial == NULL) 180 if (new_serial == NULL) {
172 {
173 TSerr(TS_F_TS_TST_INFO_SET_SERIAL, ERR_R_MALLOC_FAILURE); 181 TSerr(TS_F_TS_TST_INFO_SET_SERIAL, ERR_R_MALLOC_FAILURE);
174 return 0; 182 return 0;
175 } 183 }
176 ASN1_INTEGER_free(a->serial); 184 ASN1_INTEGER_free(a->serial);
177 a->serial = new_serial; 185 a->serial = new_serial;
178 return 1; 186 return 1;
179 } 187}
180 188
181const ASN1_INTEGER *TS_TST_INFO_get_serial(const TS_TST_INFO *a) 189const ASN1_INTEGER *
182 { 190TS_TST_INFO_get_serial(const TS_TST_INFO *a)
191{
183 return a->serial; 192 return a->serial;
184 } 193}
185 194
186int TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime) 195int
187 { 196TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime)
197{
188 ASN1_GENERALIZEDTIME *new_time; 198 ASN1_GENERALIZEDTIME *new_time;
189 199
190 if (a->time == gtime) 200 if (a->time == gtime)
191 return 1; 201 return 1;
192 new_time = M_ASN1_GENERALIZEDTIME_dup(gtime); 202 new_time = M_ASN1_GENERALIZEDTIME_dup(gtime);
193 if (new_time == NULL) 203 if (new_time == NULL) {
194 {
195 TSerr(TS_F_TS_TST_INFO_SET_TIME, ERR_R_MALLOC_FAILURE); 204 TSerr(TS_F_TS_TST_INFO_SET_TIME, ERR_R_MALLOC_FAILURE);
196 return 0; 205 return 0;
197 } 206 }
198 ASN1_GENERALIZEDTIME_free(a->time); 207 ASN1_GENERALIZEDTIME_free(a->time);
199 a->time = new_time; 208 a->time = new_time;
200 return 1; 209 return 1;
201 } 210}
202 211
203const ASN1_GENERALIZEDTIME *TS_TST_INFO_get_time(const TS_TST_INFO *a) 212const ASN1_GENERALIZEDTIME *
204 { 213TS_TST_INFO_get_time(const TS_TST_INFO *a)
214{
205 return a->time; 215 return a->time;
206 } 216}
207 217
208int TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy) 218int
209 { 219TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy)
220{
210 TS_ACCURACY *new_accuracy; 221 TS_ACCURACY *new_accuracy;
211 222
212 if (a->accuracy == accuracy) 223 if (a->accuracy == accuracy)
213 return 1; 224 return 1;
214 new_accuracy = TS_ACCURACY_dup(accuracy); 225 new_accuracy = TS_ACCURACY_dup(accuracy);
215 if (new_accuracy == NULL) 226 if (new_accuracy == NULL) {
216 {
217 TSerr(TS_F_TS_TST_INFO_SET_ACCURACY, ERR_R_MALLOC_FAILURE); 227 TSerr(TS_F_TS_TST_INFO_SET_ACCURACY, ERR_R_MALLOC_FAILURE);
218 return 0; 228 return 0;
219 } 229 }
220 TS_ACCURACY_free(a->accuracy); 230 TS_ACCURACY_free(a->accuracy);
221 a->accuracy = new_accuracy; 231 a->accuracy = new_accuracy;
222 return 1; 232 return 1;
223 } 233}
224 234
225TS_ACCURACY *TS_TST_INFO_get_accuracy(TS_TST_INFO *a) 235TS_ACCURACY *
226 { 236TS_TST_INFO_get_accuracy(TS_TST_INFO *a)
237{
227 return a->accuracy; 238 return a->accuracy;
228 } 239}
229 240
230int TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds) 241int
231 { 242TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds)
243{
232 ASN1_INTEGER *new_seconds; 244 ASN1_INTEGER *new_seconds;
233 245
234 if (a->seconds == seconds) 246 if (a->seconds == seconds)
235 return 1; 247 return 1;
236 new_seconds = ASN1_INTEGER_dup(seconds); 248 new_seconds = ASN1_INTEGER_dup(seconds);
237 if (new_seconds == NULL) 249 if (new_seconds == NULL) {
238 {
239 TSerr(TS_F_TS_ACCURACY_SET_SECONDS, ERR_R_MALLOC_FAILURE); 250 TSerr(TS_F_TS_ACCURACY_SET_SECONDS, ERR_R_MALLOC_FAILURE);
240 return 0; 251 return 0;
241 } 252 }
242 ASN1_INTEGER_free(a->seconds); 253 ASN1_INTEGER_free(a->seconds);
243 a->seconds = new_seconds; 254 a->seconds = new_seconds;
244 return 1; 255 return 1;
245 } 256}
246 257
247const ASN1_INTEGER *TS_ACCURACY_get_seconds(const TS_ACCURACY *a) 258const ASN1_INTEGER *
248 { 259TS_ACCURACY_get_seconds(const TS_ACCURACY *a)
260{
249 return a->seconds; 261 return a->seconds;
250 } 262}
251 263
252int TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis) 264int
253 { 265TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis)
266{
254 ASN1_INTEGER *new_millis = NULL; 267 ASN1_INTEGER *new_millis = NULL;
255 268
256 if (a->millis == millis) 269 if (a->millis == millis)
257 return 1; 270 return 1;
258 if (millis != NULL) 271 if (millis != NULL) {
259 {
260 new_millis = ASN1_INTEGER_dup(millis); 272 new_millis = ASN1_INTEGER_dup(millis);
261 if (new_millis == NULL) 273 if (new_millis == NULL) {
262 { 274 TSerr(TS_F_TS_ACCURACY_SET_MILLIS,
263 TSerr(TS_F_TS_ACCURACY_SET_MILLIS, 275 ERR_R_MALLOC_FAILURE);
264 ERR_R_MALLOC_FAILURE);
265 return 0; 276 return 0;
266 }
267 } 277 }
278 }
268 ASN1_INTEGER_free(a->millis); 279 ASN1_INTEGER_free(a->millis);
269 a->millis = new_millis; 280 a->millis = new_millis;
270 return 1; 281 return 1;
271 } 282}
272 283
273const ASN1_INTEGER *TS_ACCURACY_get_millis(const TS_ACCURACY *a) 284const ASN1_INTEGER *
274 { 285TS_ACCURACY_get_millis(const TS_ACCURACY *a)
286{
275 return a->millis; 287 return a->millis;
276 } 288}
277 289
278int TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros) 290int
279 { 291TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros)
292{
280 ASN1_INTEGER *new_micros = NULL; 293 ASN1_INTEGER *new_micros = NULL;
281 294
282 if (a->micros == micros) 295 if (a->micros == micros)
283 return 1; 296 return 1;
284 if (micros != NULL) 297 if (micros != NULL) {
285 {
286 new_micros = ASN1_INTEGER_dup(micros); 298 new_micros = ASN1_INTEGER_dup(micros);
287 if (new_micros == NULL) 299 if (new_micros == NULL) {
288 { 300 TSerr(TS_F_TS_ACCURACY_SET_MICROS,
289 TSerr(TS_F_TS_ACCURACY_SET_MICROS, 301 ERR_R_MALLOC_FAILURE);
290 ERR_R_MALLOC_FAILURE);
291 return 0; 302 return 0;
292 }
293 } 303 }
304 }
294 ASN1_INTEGER_free(a->micros); 305 ASN1_INTEGER_free(a->micros);
295 a->micros = new_micros; 306 a->micros = new_micros;
296 return 1; 307 return 1;
297 } 308}
298 309
299const ASN1_INTEGER *TS_ACCURACY_get_micros(const TS_ACCURACY *a) 310const ASN1_INTEGER *
300 { 311TS_ACCURACY_get_micros(const TS_ACCURACY *a)
312{
301 return a->micros; 313 return a->micros;
302 } 314}
303 315
304int TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering) 316int
305 { 317TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering)
318{
306 a->ordering = ordering ? 0xFF : 0x00; 319 a->ordering = ordering ? 0xFF : 0x00;
307 return 1; 320 return 1;
308 } 321}
309 322
310int TS_TST_INFO_get_ordering(const TS_TST_INFO *a) 323int
311 { 324TS_TST_INFO_get_ordering(const TS_TST_INFO *a)
325{
312 return a->ordering ? 1 : 0; 326 return a->ordering ? 1 : 0;
313 } 327}
314 328
315int TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce) 329int
316 { 330TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce)
331{
317 ASN1_INTEGER *new_nonce; 332 ASN1_INTEGER *new_nonce;
318 333
319 if (a->nonce == nonce) 334 if (a->nonce == nonce)
320 return 1; 335 return 1;
321 new_nonce = ASN1_INTEGER_dup(nonce); 336 new_nonce = ASN1_INTEGER_dup(nonce);
322 if (new_nonce == NULL) 337 if (new_nonce == NULL) {
323 {
324 TSerr(TS_F_TS_TST_INFO_SET_NONCE, ERR_R_MALLOC_FAILURE); 338 TSerr(TS_F_TS_TST_INFO_SET_NONCE, ERR_R_MALLOC_FAILURE);
325 return 0; 339 return 0;
326 } 340 }
327 ASN1_INTEGER_free(a->nonce); 341 ASN1_INTEGER_free(a->nonce);
328 a->nonce = new_nonce; 342 a->nonce = new_nonce;
329 return 1; 343 return 1;
330 } 344}
331 345
332const ASN1_INTEGER *TS_TST_INFO_get_nonce(const TS_TST_INFO *a) 346const ASN1_INTEGER *
333 { 347TS_TST_INFO_get_nonce(const TS_TST_INFO *a)
348{
334 return a->nonce; 349 return a->nonce;
335 } 350}
336 351
337int TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa) 352int
338 { 353TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa)
354{
339 GENERAL_NAME *new_tsa; 355 GENERAL_NAME *new_tsa;
340 356
341 if (a->tsa == tsa) 357 if (a->tsa == tsa)
342 return 1; 358 return 1;
343 new_tsa = GENERAL_NAME_dup(tsa); 359 new_tsa = GENERAL_NAME_dup(tsa);
344 if (new_tsa == NULL) 360 if (new_tsa == NULL) {
345 {
346 TSerr(TS_F_TS_TST_INFO_SET_TSA, ERR_R_MALLOC_FAILURE); 361 TSerr(TS_F_TS_TST_INFO_SET_TSA, ERR_R_MALLOC_FAILURE);
347 return 0; 362 return 0;
348 } 363 }
349 GENERAL_NAME_free(a->tsa); 364 GENERAL_NAME_free(a->tsa);
350 a->tsa = new_tsa; 365 a->tsa = new_tsa;
351 return 1; 366 return 1;
352 } 367}
353 368
354GENERAL_NAME *TS_TST_INFO_get_tsa(TS_TST_INFO *a) 369GENERAL_NAME *
355 { 370TS_TST_INFO_get_tsa(TS_TST_INFO *a)
371{
356 return a->tsa; 372 return a->tsa;
357 } 373}
358 374
359STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a) 375STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a)
360 { 376{
361 return a->extensions; 377 return a->extensions;
362 } 378}
363 379
364void TS_TST_INFO_ext_free(TS_TST_INFO *a) 380void
365 { 381TS_TST_INFO_ext_free(TS_TST_INFO *a)
366 if (!a) return; 382{
383 if (!a)
384 return;
367 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free); 385 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free);
368 a->extensions = NULL; 386 a->extensions = NULL;
369 } 387}
370 388
371int TS_TST_INFO_get_ext_count(TS_TST_INFO *a) 389int
372 { 390TS_TST_INFO_get_ext_count(TS_TST_INFO *a)
391{
373 return X509v3_get_ext_count(a->extensions); 392 return X509v3_get_ext_count(a->extensions);
374 } 393}
375 394
376int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos) 395int
377 { 396TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos)
397{
378 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos); 398 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos);
379 } 399}
380 400
381int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos) 401int
382 { 402TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos)
403{
383 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos); 404 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos);
384 } 405}
385 406
386int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos) 407int
387 { 408TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos)
409{
388 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos); 410 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
389 } 411}
390 412
391X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc) 413X509_EXTENSION *
392 { 414TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc)
393 return X509v3_get_ext(a->extensions,loc); 415{
394 } 416 return X509v3_get_ext(a->extensions, loc);
395 417}
396X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc) 418
397 { 419X509_EXTENSION *
398 return X509v3_delete_ext(a->extensions,loc); 420TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc)
399 } 421{
400 422 return X509v3_delete_ext(a->extensions, loc);
401int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc) 423}
402 { 424
403 return X509v3_add_ext(&a->extensions,ex,loc) != NULL; 425int
404 } 426TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc)
405 427{
406void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx) 428 return X509v3_add_ext(&a->extensions, ex, loc) != NULL;
407 { 429}
430
431void *
432TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx)
433{
408 return X509V3_get_d2i(a->extensions, nid, crit, idx); 434 return X509V3_get_d2i(a->extensions, nid, crit, idx);
409 } 435}
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 7484b10d60..66e35dab3a 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -65,38 +65,39 @@
65/* Private function declarations. */ 65/* Private function declarations. */
66 66
67static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, 67static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
68 X509 *signer, STACK_OF(X509) **chain); 68 X509 *signer, STACK_OF(X509) **chain);
69static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); 69static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain);
70static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si); 70static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si);
71static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); 71static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
72static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo); 72static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo);
73static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, 73static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx,
74 PKCS7 *token, TS_TST_INFO *tst_info); 74 PKCS7 *token, TS_TST_INFO *tst_info);
75static int TS_check_status_info(TS_RESP *response); 75static int TS_check_status_info(TS_RESP *response);
76static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text); 76static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text);
77static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info); 77static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info);
78static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, 78static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
79 X509_ALGOR **md_alg, 79 X509_ALGOR **md_alg,
80 unsigned char **imprint, unsigned *imprint_len); 80 unsigned char **imprint, unsigned *imprint_len);
81static int TS_check_imprints(X509_ALGOR *algor_a, 81static int TS_check_imprints(X509_ALGOR *algor_a,
82 unsigned char *imprint_a, unsigned len_a, 82 unsigned char *imprint_a, unsigned len_a,
83 TS_TST_INFO *tst_info); 83 TS_TST_INFO *tst_info);
84static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info); 84static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info);
85static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer); 85static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer);
86static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name); 86static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name);
87 87
88/* 88/*
89 * Local mapping between response codes and descriptions. 89 * Local mapping between response codes and descriptions.
90 * Don't forget to change TS_STATUS_BUF_SIZE when modifying 90 * Don't forget to change TS_STATUS_BUF_SIZE when modifying
91 * the elements of this array. 91 * the elements of this array.
92 */ 92 */
93static const char *TS_status_text[] = 93static const char *TS_status_text[] = {
94 { "granted", 94 "granted",
95 "grantedWithMods", 95 "grantedWithMods",
96 "rejection", 96 "rejection",
97 "waiting", 97 "waiting",
98 "revocationWarning", 98 "revocationWarning",
99 "revocationNotification" }; 99 "revocationNotification"
100};
100 101
101#define TS_STATUS_TEXT_SIZE (sizeof(TS_status_text)/sizeof(*TS_status_text)) 102#define TS_STATUS_TEXT_SIZE (sizeof(TS_status_text)/sizeof(*TS_status_text))
102 103
@@ -106,19 +107,19 @@ static const char *TS_status_text[] =
106 */ 107 */
107#define TS_STATUS_BUF_SIZE 256 108#define TS_STATUS_BUF_SIZE 256
108 109
109static struct 110static struct {
110 {
111 int code; 111 int code;
112 const char *text; 112 const char *text;
113 } TS_failure_info[] = 113} TS_failure_info[] = {
114 { { TS_INFO_BAD_ALG, "badAlg" }, 114 { TS_INFO_BAD_ALG, "badAlg" },
115 { TS_INFO_BAD_REQUEST, "badRequest" }, 115 { TS_INFO_BAD_REQUEST, "badRequest" },
116 { TS_INFO_BAD_DATA_FORMAT, "badDataFormat" }, 116 { TS_INFO_BAD_DATA_FORMAT, "badDataFormat" },
117 { TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable" }, 117 { TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable" },
118 { TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy" }, 118 { TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy" },
119 { TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension" }, 119 { TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension" },
120 { TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable" }, 120 { TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable" },
121 { TS_INFO_SYSTEM_FAILURE, "systemFailure" } }; 121 { TS_INFO_SYSTEM_FAILURE, "systemFailure" }
122};
122 123
123#define TS_FAILURE_INFO_SIZE (sizeof(TS_failure_info) / \ 124#define TS_FAILURE_INFO_SIZE (sizeof(TS_failure_info) / \
124 sizeof(*TS_failure_info)) 125 sizeof(*TS_failure_info))
@@ -137,9 +138,10 @@ static struct
137 * - Verify the signature value. 138 * - Verify the signature value.
138 * - Returns the signer certificate in 'signer', if 'signer' is not NULL. 139 * - Returns the signer certificate in 'signer', if 'signer' is not NULL.
139 */ 140 */
140int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, 141int
141 X509_STORE *store, X509 **signer_out) 142TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
142 { 143 X509_STORE *store, X509 **signer_out)
144{
143 STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL; 145 STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;
144 PKCS7_SIGNER_INFO *si; 146 PKCS7_SIGNER_INFO *si;
145 STACK_OF(X509) *signers = NULL; 147 STACK_OF(X509) *signers = NULL;
@@ -150,87 +152,86 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
150 BIO *p7bio = NULL; 152 BIO *p7bio = NULL;
151 153
152 /* Some sanity checks first. */ 154 /* Some sanity checks first. */
153 if (!token) 155 if (!token) {
154 {
155 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER); 156 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER);
156 goto err; 157 goto err;
157 } 158 }
158 159
159 /* Check for the correct content type */ 160 /* Check for the correct content type */
160 if(!PKCS7_type_is_signed(token)) 161 if (!PKCS7_type_is_signed(token)) {
161 {
162 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE); 162 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE);
163 goto err; 163 goto err;
164 } 164 }
165 165
166 /* Check if there is one and only one signer. */ 166 /* Check if there is one and only one signer. */
167 sinfos = PKCS7_get_signer_info(token); 167 sinfos = PKCS7_get_signer_info(token);
168 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) 168 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) {
169 {
170 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, 169 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE,
171 TS_R_THERE_MUST_BE_ONE_SIGNER); 170 TS_R_THERE_MUST_BE_ONE_SIGNER);
172 goto err; 171 goto err;
173 } 172 }
174 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0); 173 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
175 174
176 /* Check for no content: no data to verify signature. */ 175 /* Check for no content: no data to verify signature. */
177 if (PKCS7_get_detached(token)) 176 if (PKCS7_get_detached(token)) {
178 {
179 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT); 177 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT);
180 goto err; 178 goto err;
181 } 179 }
182 180
183 /* Get hold of the signer certificate, search only internal 181 /* Get hold of the signer certificate, search only internal
184 certificates if it was requested. */ 182 certificates if it was requested. */
185 signers = PKCS7_get0_signers(token, certs, 0); 183 signers = PKCS7_get0_signers(token, certs, 0);
186 if (!signers || sk_X509_num(signers) != 1) goto err; 184 if (!signers || sk_X509_num(signers) != 1)
185 goto err;
187 signer = sk_X509_value(signers, 0); 186 signer = sk_X509_value(signers, 0);
188 187
189 /* Now verify the certificate. */ 188 /* Now verify the certificate. */
190 if (!TS_verify_cert(store, certs, signer, &chain)) goto err; 189 if (!TS_verify_cert(store, certs, signer, &chain))
190 goto err;
191 191
192 /* Check if the signer certificate is consistent with the 192 /* Check if the signer certificate is consistent with the
193 ESS extension. */ 193 ESS extension. */
194 if (!TS_check_signing_certs(si, chain)) goto err; 194 if (!TS_check_signing_certs(si, chain))
195 goto err;
195 196
196 /* Creating the message digest. */ 197 /* Creating the message digest. */
197 p7bio = PKCS7_dataInit(token, NULL); 198 p7bio = PKCS7_dataInit(token, NULL);
198 199
199 /* We now have to 'read' from p7bio to calculate digests etc. */ 200 /* We now have to 'read' from p7bio to calculate digests etc. */
200 while ((i = BIO_read(p7bio,buf,sizeof(buf))) > 0); 201 while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0)
202 ;
201 203
202 /* Verifying the signature. */ 204 /* Verifying the signature. */
203 j = PKCS7_signatureVerify(p7bio, token, si, signer); 205 j = PKCS7_signatureVerify(p7bio, token, si, signer);
204 if (j <= 0) 206 if (j <= 0) {
205 {
206 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE); 207 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE);
207 goto err; 208 goto err;
208 } 209 }
209 210
210 /* Return the signer certificate if needed. */ 211 /* Return the signer certificate if needed. */
211 if (signer_out) 212 if (signer_out) {
212 {
213 *signer_out = signer; 213 *signer_out = signer;
214 CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509); 214 CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
215 } 215 }
216 216
217 ret = 1; 217 ret = 1;
218 218
219 err: 219err:
220 BIO_free_all(p7bio); 220 BIO_free_all(p7bio);
221 sk_X509_pop_free(chain, X509_free); 221 sk_X509_pop_free(chain, X509_free);
222 sk_X509_free(signers); 222 sk_X509_free(signers);
223 223
224 return ret; 224 return ret;
225 } 225}
226 226
227/* 227/*
228 * The certificate chain is returned in chain. Caller is responsible for 228 * The certificate chain is returned in chain. Caller is responsible for
229 * freeing the vector. 229 * freeing the vector.
230 */ 230 */
231static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, 231static int
232 X509 *signer, STACK_OF(X509) **chain) 232TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
233 { 233 STACK_OF(X509) **chain)
234{
234 X509_STORE_CTX cert_ctx; 235 X509_STORE_CTX cert_ctx;
235 int i; 236 int i;
236 int ret = 1; 237 int ret = 1;
@@ -240,110 +241,115 @@ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
240 X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted); 241 X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted);
241 X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN); 242 X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
242 i = X509_verify_cert(&cert_ctx); 243 i = X509_verify_cert(&cert_ctx);
243 if (i <= 0) 244 if (i <= 0) {
244 {
245 int j = X509_STORE_CTX_get_error(&cert_ctx); 245 int j = X509_STORE_CTX_get_error(&cert_ctx);
246 TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR); 246 TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
247 ERR_add_error_data(2, "Verify error:", 247 ERR_add_error_data(2, "Verify error:",
248 X509_verify_cert_error_string(j)); 248 X509_verify_cert_error_string(j));
249 ret = 0; 249 ret = 0;
250 } 250 } else {
251 else
252 {
253 /* Get a copy of the certificate chain. */ 251 /* Get a copy of the certificate chain. */
254 *chain = X509_STORE_CTX_get1_chain(&cert_ctx); 252 *chain = X509_STORE_CTX_get1_chain(&cert_ctx);
255 } 253 }
256 254
257 X509_STORE_CTX_cleanup(&cert_ctx); 255 X509_STORE_CTX_cleanup(&cert_ctx);
258 256
259 return ret; 257 return ret;
260 } 258}
261 259
262static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain) 260static int
263 { 261TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain)
262{
264 ESS_SIGNING_CERT *ss = ESS_get_signing_cert(si); 263 ESS_SIGNING_CERT *ss = ESS_get_signing_cert(si);
265 STACK_OF(ESS_CERT_ID) *cert_ids = NULL; 264 STACK_OF(ESS_CERT_ID) *cert_ids = NULL;
266 X509 *cert; 265 X509 *cert;
267 int i = 0; 266 int i = 0;
268 int ret = 0; 267 int ret = 0;
269 268
270 if (!ss) goto err; 269 if (!ss)
270 goto err;
271 cert_ids = ss->cert_ids; 271 cert_ids = ss->cert_ids;
272 /* The signer certificate must be the first in cert_ids. */ 272 /* The signer certificate must be the first in cert_ids. */
273 cert = sk_X509_value(chain, 0); 273 cert = sk_X509_value(chain, 0);
274 if (TS_find_cert(cert_ids, cert) != 0) goto err; 274 if (TS_find_cert(cert_ids, cert) != 0)
275 275 goto err;
276
276 /* Check the other certificates of the chain if there are more 277 /* Check the other certificates of the chain if there are more
277 than one certificate ids in cert_ids. */ 278 than one certificate ids in cert_ids. */
278 if (sk_ESS_CERT_ID_num(cert_ids) > 1) 279 if (sk_ESS_CERT_ID_num(cert_ids) > 1) {
279 {
280 /* All the certificates of the chain must be in cert_ids. */ 280 /* All the certificates of the chain must be in cert_ids. */
281 for (i = 1; i < sk_X509_num(chain); ++i) 281 for (i = 1; i < sk_X509_num(chain); ++i) {
282 {
283 cert = sk_X509_value(chain, i); 282 cert = sk_X509_value(chain, i);
284 if (TS_find_cert(cert_ids, cert) < 0) goto err; 283 if (TS_find_cert(cert_ids, cert) < 0)
285 } 284 goto err;
286 } 285 }
286 }
287 ret = 1; 287 ret = 1;
288 err: 288
289err:
289 if (!ret) 290 if (!ret)
290 TSerr(TS_F_TS_CHECK_SIGNING_CERTS, 291 TSerr(TS_F_TS_CHECK_SIGNING_CERTS,
291 TS_R_ESS_SIGNING_CERTIFICATE_ERROR); 292 TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
292 ESS_SIGNING_CERT_free(ss); 293 ESS_SIGNING_CERT_free(ss);
293 return ret; 294 return ret;
294 } 295}
295 296
296static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si) 297static ESS_SIGNING_CERT *
297 { 298ESS_get_signing_cert(PKCS7_SIGNER_INFO *si)
299{
298 ASN1_TYPE *attr; 300 ASN1_TYPE *attr;
299 const unsigned char *p; 301 const unsigned char *p;
300 attr = PKCS7_get_signed_attribute(si, 302
301 NID_id_smime_aa_signingCertificate); 303 attr = PKCS7_get_signed_attribute(si,
302 if (!attr) return NULL; 304 NID_id_smime_aa_signingCertificate);
305 if (!attr)
306 return NULL;
303 p = attr->value.sequence->data; 307 p = attr->value.sequence->data;
304 return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); 308 return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
305 } 309}
306 310
307/* Returns < 0 if certificate is not found, certificate index otherwise. */ 311/* Returns < 0 if certificate is not found, certificate index otherwise. */
308static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) 312static int
309 { 313TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
314{
310 int i; 315 int i;
311 316
312 if (!cert_ids || !cert) return -1; 317 if (!cert_ids || !cert)
318 return -1;
313 319
314 /* Recompute SHA1 hash of certificate if necessary (side effect). */ 320 /* Recompute SHA1 hash of certificate if necessary (side effect). */
315 X509_check_purpose(cert, -1, 0); 321 X509_check_purpose(cert, -1, 0);
316 322
317 /* Look for cert in the cert_ids vector. */ 323 /* Look for cert in the cert_ids vector. */
318 for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) 324 for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) {
319 {
320 ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i); 325 ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
321 326
322 /* Check the SHA-1 hash first. */ 327 /* Check the SHA-1 hash first. */
323 if (cid->hash->length == sizeof(cert->sha1_hash) 328 if (cid->hash->length == sizeof(cert->sha1_hash) &&
324 && !memcmp(cid->hash->data, cert->sha1_hash, 329 !memcmp(cid->hash->data, cert->sha1_hash,
325 sizeof(cert->sha1_hash))) 330 sizeof(cert->sha1_hash))) {
326 {
327 /* Check the issuer/serial as well if specified. */ 331 /* Check the issuer/serial as well if specified. */
328 ESS_ISSUER_SERIAL *is = cid->issuer_serial; 332 ESS_ISSUER_SERIAL *is = cid->issuer_serial;
329 if (!is || !TS_issuer_serial_cmp(is, cert->cert_info)) 333 if (!is || !TS_issuer_serial_cmp(is, cert->cert_info))
330 return i; 334 return i;
331 }
332 } 335 }
333
334 return -1;
335 } 336 }
336 337
337static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) 338 return -1;
338 { 339}
340
341static int
342TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo)
343{
339 GENERAL_NAME *issuer; 344 GENERAL_NAME *issuer;
340 345
341 if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) return -1; 346 if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1)
347 return -1;
342 348
343 /* Check the issuer first. It must be a directory name. */ 349 /* Check the issuer first. It must be a directory name. */
344 issuer = sk_GENERAL_NAME_value(is->issuer, 0); 350 issuer = sk_GENERAL_NAME_value(is->issuer, 0);
345 if (issuer->type != GEN_DIRNAME 351 if (issuer->type != GEN_DIRNAME ||
346 || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer)) 352 X509_NAME_cmp(issuer->d.dirn, cinfo->issuer))
347 return -1; 353 return -1;
348 354
349 /* Check the serial number, too. */ 355 /* Check the serial number, too. */
@@ -351,50 +357,54 @@ static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo)
351 return -1; 357 return -1;
352 358
353 return 0; 359 return 0;
354 } 360}
355 361
356/* 362/*
357 * Verifies whether 'response' contains a valid response with regards 363 * Verifies whether 'response' contains a valid response with regards
358 * to the settings of the context: 364 * to the settings of the context:
359 * - Gives an error message if the TS_TST_INFO is not present. 365 * - Gives an error message if the TS_TST_INFO is not present.
360 * - Calls _TS_RESP_verify_token to verify the token content. 366 * - Calls _TS_RESP_verify_token to verify the token content.
361 */ 367 */
362int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response) 368int
363 { 369TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response)
370{
364 PKCS7 *token = TS_RESP_get_token(response); 371 PKCS7 *token = TS_RESP_get_token(response);
365 TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); 372 TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
366 int ret = 0; 373 int ret = 0;
367 374
368 /* Check if we have a successful TS_TST_INFO object in place. */ 375 /* Check if we have a successful TS_TST_INFO object in place. */
369 if (!TS_check_status_info(response)) goto err; 376 if (!TS_check_status_info(response))
377 goto err;
370 378
371 /* Check the contents of the time stamp token. */ 379 /* Check the contents of the time stamp token. */
372 if (!int_TS_RESP_verify_token(ctx, token, tst_info)) 380 if (!int_TS_RESP_verify_token(ctx, token, tst_info))
373 goto err; 381 goto err;
374 382
375 ret = 1; 383 ret = 1;
376 err: 384
385err:
377 return ret; 386 return ret;
378 } 387}
379 388
380/* 389/*
381 * Tries to extract a TS_TST_INFO structure from the PKCS7 token and 390 * Tries to extract a TS_TST_INFO structure from the PKCS7 token and
382 * calls the internal int_TS_RESP_verify_token function for verifying it. 391 * calls the internal int_TS_RESP_verify_token function for verifying it.
383 */ 392 */
384int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token) 393int
385 { 394TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
395{
386 TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token); 396 TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token);
387 int ret = 0; 397 int ret = 0;
388 if (tst_info) 398
389 { 399 if (tst_info) {
390 ret = int_TS_RESP_verify_token(ctx, token, tst_info); 400 ret = int_TS_RESP_verify_token(ctx, token, tst_info);
391 TS_TST_INFO_free(tst_info); 401 TS_TST_INFO_free(tst_info);
392 }
393 return ret;
394 } 402 }
403 return ret;
404}
395 405
396/* 406/*
397 * Verifies whether the 'token' contains a valid time stamp token 407 * Verifies whether the 'token' contains a valid time stamp token
398 * with regards to the settings of the context. Only those checks are 408 * with regards to the settings of the context. Only those checks are
399 * carried out that are specified in the context: 409 * carried out that are specified in the context:
400 * - Verifies the signature of the TS_TST_INFO. 410 * - Verifies the signature of the TS_TST_INFO.
@@ -405,9 +415,10 @@ int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
405 * - Check if the TSA name matches the signer. 415 * - Check if the TSA name matches the signer.
406 * - Check if the TSA name is the expected TSA. 416 * - Check if the TSA name is the expected TSA.
407 */ 417 */
408static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, 418static int
409 PKCS7 *token, TS_TST_INFO *tst_info) 419int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token,
410 { 420 TS_TST_INFO *tst_info)
421{
411 X509 *signer = NULL; 422 X509 *signer = NULL;
412 GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info); 423 GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info);
413 X509_ALGOR *md_alg = NULL; 424 X509_ALGOR *md_alg = NULL;
@@ -416,68 +427,66 @@ static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx,
416 int ret = 0; 427 int ret = 0;
417 428
418 /* Verify the signature. */ 429 /* Verify the signature. */
419 if ((ctx->flags & TS_VFY_SIGNATURE) 430 if ((ctx->flags & TS_VFY_SIGNATURE) &&
420 && !TS_RESP_verify_signature(token, ctx->certs, ctx->store, 431 !TS_RESP_verify_signature(token, ctx->certs, ctx->store, &signer))
421 &signer))
422 goto err; 432 goto err;
423 433
424 /* Check version number of response. */ 434 /* Check version number of response. */
425 if ((ctx->flags & TS_VFY_VERSION) 435 if ((ctx->flags & TS_VFY_VERSION) &&
426 && TS_TST_INFO_get_version(tst_info) != 1) 436 TS_TST_INFO_get_version(tst_info) != 1) {
427 {
428 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION); 437 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION);
429 goto err; 438 goto err;
430 } 439 }
431 440
432 /* Check policies. */ 441 /* Check policies. */
433 if ((ctx->flags & TS_VFY_POLICY) 442 if ((ctx->flags & TS_VFY_POLICY) &&
434 && !TS_check_policy(ctx->policy, tst_info)) 443 !TS_check_policy(ctx->policy, tst_info))
435 goto err; 444 goto err;
436 445
437 /* Check message imprints. */ 446 /* Check message imprints. */
438 if ((ctx->flags & TS_VFY_IMPRINT) 447 if ((ctx->flags & TS_VFY_IMPRINT) &&
439 && !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len, 448 !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len,
440 tst_info)) 449 tst_info))
441 goto err; 450 goto err;
442 451
443 /* Compute and check message imprints. */ 452 /* Compute and check message imprints. */
444 if ((ctx->flags & TS_VFY_DATA) 453 if ((ctx->flags & TS_VFY_DATA) &&
445 && (!TS_compute_imprint(ctx->data, tst_info, 454 (!TS_compute_imprint(ctx->data, tst_info,
446 &md_alg, &imprint, &imprint_len) 455 &md_alg, &imprint, &imprint_len) ||
447 || !TS_check_imprints(md_alg, imprint, imprint_len, tst_info))) 456 !TS_check_imprints(md_alg, imprint, imprint_len, tst_info)))
448 goto err; 457 goto err;
449 458
450 /* Check nonces. */ 459 /* Check nonces. */
451 if ((ctx->flags & TS_VFY_NONCE) 460 if ((ctx->flags & TS_VFY_NONCE) &&
452 && !TS_check_nonces(ctx->nonce, tst_info)) 461 !TS_check_nonces(ctx->nonce, tst_info))
453 goto err; 462 goto err;
454 463
455 /* Check whether TSA name and signer certificate match. */ 464 /* Check whether TSA name and signer certificate match. */
456 if ((ctx->flags & TS_VFY_SIGNER) 465 if ((ctx->flags & TS_VFY_SIGNER) &&
457 && tsa_name && !TS_check_signer_name(tsa_name, signer)) 466 tsa_name && !TS_check_signer_name(tsa_name, signer)) {
458 {
459 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH); 467 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH);
460 goto err; 468 goto err;
461 } 469 }
462 470
463 /* Check whether the TSA is the expected one. */ 471 /* Check whether the TSA is the expected one. */
464 if ((ctx->flags & TS_VFY_TSA_NAME) 472 if ((ctx->flags & TS_VFY_TSA_NAME) &&
465 && !TS_check_signer_name(ctx->tsa_name, signer)) 473 !TS_check_signer_name(ctx->tsa_name, signer)) {
466 {
467 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED); 474 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED);
468 goto err; 475 goto err;
469 } 476 }
470 477
471 ret = 1; 478 ret = 1;
472 err: 479
480err:
473 X509_free(signer); 481 X509_free(signer);
474 X509_ALGOR_free(md_alg); 482 X509_ALGOR_free(md_alg);
475 free(imprint); 483 free(imprint);
476 return ret; 484 return ret;
477 } 485}
478 486
479static int TS_check_status_info(TS_RESP *response) 487static int
480 { 488TS_check_status_info(TS_RESP *response)
489{
481 TS_STATUS_INFO *info = TS_RESP_get_status_info(response); 490 TS_STATUS_INFO *info = TS_RESP_get_status_info(response);
482 long status = ASN1_INTEGER_get(info->status); 491 long status = ASN1_INTEGER_get(info->status);
483 const char *status_text = NULL; 492 const char *status_text = NULL;
@@ -485,7 +494,8 @@ static int TS_check_status_info(TS_RESP *response)
485 char failure_text[TS_STATUS_BUF_SIZE] = ""; 494 char failure_text[TS_STATUS_BUF_SIZE] = "";
486 495
487 /* Check if everything went fine. */ 496 /* Check if everything went fine. */
488 if (status == 0 || status == 1) return 1; 497 if (status == 0 || status == 1)
498 return 1;
489 499
490 /* There was an error, get the description in status_text. */ 500 /* There was an error, get the description in status_text. */
491 if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE) 501 if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE)
@@ -494,93 +504,88 @@ static int TS_check_status_info(TS_RESP *response)
494 status_text = "unknown code"; 504 status_text = "unknown code";
495 505
496 /* Set the embedded_status_text to the returned description. */ 506 /* Set the embedded_status_text to the returned description. */
497 if (sk_ASN1_UTF8STRING_num(info->text) > 0 507 if (sk_ASN1_UTF8STRING_num(info->text) > 0 &&
498 && !(embedded_status_text = TS_get_status_text(info->text))) 508 !(embedded_status_text = TS_get_status_text(info->text)))
499 return 0; 509 return 0;
500 510
501 /* Filling in failure_text with the failure information. */ 511 /* Filling in failure_text with the failure information. */
502 if (info->failure_info) 512 if (info->failure_info) {
503 {
504 int i; 513 int i;
505 int first = 1; 514 int first = 1;
506 for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i) 515 for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i) {
507 {
508 if (ASN1_BIT_STRING_get_bit(info->failure_info, 516 if (ASN1_BIT_STRING_get_bit(info->failure_info,
509 TS_failure_info[i].code)) 517 TS_failure_info[i].code)) {
510 {
511 if (!first) 518 if (!first)
512 strlcat(failure_text, ",", 519 strlcat(failure_text, ",",
513 TS_STATUS_BUF_SIZE); 520 TS_STATUS_BUF_SIZE);
514 else 521 else
515 first = 0; 522 first = 0;
516 strlcat(failure_text, TS_failure_info[i].text, 523 strlcat(failure_text, TS_failure_info[i].text,
517 TS_STATUS_BUF_SIZE); 524 TS_STATUS_BUF_SIZE);
518 }
519 } 525 }
520 } 526 }
527 }
521 if (failure_text[0] == '\0') 528 if (failure_text[0] == '\0')
522 strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE); 529 strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE);
523 530
524 /* Making up the error string. */ 531 /* Making up the error string. */
525 TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN); 532 TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN);
526 ERR_add_error_data(6, 533 ERR_add_error_data(6,
527 "status code: ", status_text, 534 "status code: ", status_text,
528 ", status text: ", embedded_status_text ? 535 ", status text: ", embedded_status_text ?
529 embedded_status_text : "unspecified", 536 embedded_status_text : "unspecified",
530 ", failure codes: ", failure_text); 537 ", failure codes: ", failure_text);
531 free(embedded_status_text); 538 free(embedded_status_text);
532 539
533 return 0; 540 return 0;
534 } 541}
535 542
536static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text) 543static char *
537 { 544TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
545{
538 int i; 546 int i;
539 unsigned int length = 0; 547 unsigned int length = 0;
540 char *result = NULL; 548 char *result = NULL;
541 549
542 /* Determine length first. */ 550 /* Determine length first. */
543 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) 551 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
544 {
545 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); 552 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
546 length += ASN1_STRING_length(current); 553 length += ASN1_STRING_length(current);
547 length += 1; /* separator character */ 554 length += 1; /* separator character */
548 } 555 }
549 /* Allocate memory (closing '\0' included). */ 556 /* Allocate memory (closing '\0' included). */
550 if (!(result = malloc(length))) 557 if (!(result = malloc(length))) {
551 {
552 TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE); 558 TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE);
553 return NULL; 559 return NULL;
554 } 560 }
555 /* Concatenate the descriptions. */ 561 /* Concatenate the descriptions. */
556 result[0] = '\0'; 562 result[0] = '\0';
557 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) 563 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
558 {
559 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); 564 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
560 if (i > 0) 565 if (i > 0)
561 strlcat(result, "/", length); 566 strlcat(result, "/", length);
562 strlcat(result, ASN1_STRING_data(current), length); 567 strlcat(result, ASN1_STRING_data(current), length);
563 }
564 return result;
565 } 568 }
569 return result;
570}
566 571
567static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info) 572static int
568 { 573TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info)
574{
569 ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info); 575 ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info);
570 576
571 if (OBJ_cmp(req_oid, resp_oid) != 0) 577 if (OBJ_cmp(req_oid, resp_oid) != 0) {
572 {
573 TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH); 578 TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH);
574 return 0; 579 return 0;
575 } 580 }
576 581
577 return 1; 582 return 1;
578 } 583}
579 584
580static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, 585static int
581 X509_ALGOR **md_alg, 586TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg,
582 unsigned char **imprint, unsigned *imprint_len) 587 unsigned char **imprint, unsigned *imprint_len)
583 { 588{
584 TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); 589 TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info);
585 X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); 590 X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint);
586 const EVP_MD *md; 591 const EVP_MD *md;
@@ -592,136 +597,136 @@ static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
592 *imprint = NULL; 597 *imprint = NULL;
593 598
594 /* Return the MD algorithm of the response. */ 599 /* Return the MD algorithm of the response. */
595 if (!(*md_alg = X509_ALGOR_dup(md_alg_resp))) goto err; 600 if (!(*md_alg = X509_ALGOR_dup(md_alg_resp)))
601 goto err;
596 602
597 /* Getting the MD object. */ 603 /* Getting the MD object. */
598 if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) 604 if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) {
599 {
600 TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM); 605 TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM);
601 goto err; 606 goto err;
602 } 607 }
603 608
604 /* Compute message digest. */ 609 /* Compute message digest. */
605 length = EVP_MD_size(md); 610 length = EVP_MD_size(md);
606 if (length < 0) 611 if (length < 0)
607 goto err; 612 goto err;
608 *imprint_len = length; 613 *imprint_len = length;
609 if (!(*imprint = malloc(*imprint_len))) 614 if (!(*imprint = malloc(*imprint_len))) {
610 {
611 TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE); 615 TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE);
612 goto err; 616 goto err;
613 } 617 }
614 618
615 if (!EVP_DigestInit(&md_ctx, md)) 619 if (!EVP_DigestInit(&md_ctx, md))
616 goto err; 620 goto err;
617 while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) 621 while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) {
618 {
619 if (!EVP_DigestUpdate(&md_ctx, buffer, length)) 622 if (!EVP_DigestUpdate(&md_ctx, buffer, length))
620 goto err; 623 goto err;
621 } 624 }
622 if (!EVP_DigestFinal(&md_ctx, *imprint, NULL)) 625 if (!EVP_DigestFinal(&md_ctx, *imprint, NULL))
623 goto err; 626 goto err;
624 627
625 return 1; 628 return 1;
626 err: 629
630err:
627 X509_ALGOR_free(*md_alg); 631 X509_ALGOR_free(*md_alg);
628 free(*imprint); 632 free(*imprint);
629 *imprint = NULL; 633 *imprint = NULL;
630 *imprint_len = 0; 634 *imprint_len = 0;
631 return 0; 635 return 0;
632 } 636}
633 637
634static int TS_check_imprints(X509_ALGOR *algor_a, 638static int
635 unsigned char *imprint_a, unsigned len_a, 639TS_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a,
636 TS_TST_INFO *tst_info) 640 TS_TST_INFO *tst_info)
637 { 641{
638 TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info); 642 TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info);
639 X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b); 643 X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b);
640 int ret = 0; 644 int ret = 0;
641 645
642 /* algor_a is optional. */ 646 /* algor_a is optional. */
643 if (algor_a) 647 if (algor_a) {
644 {
645 /* Compare algorithm OIDs. */ 648 /* Compare algorithm OIDs. */
646 if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm)) goto err; 649 if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm))
650 goto err;
647 651
648 /* The parameter must be NULL in both. */ 652 /* The parameter must be NULL in both. */
649 if ((algor_a->parameter 653 if ((algor_a->parameter &&
650 && ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL) 654 ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL) ||
651 || (algor_b->parameter 655 (algor_b->parameter &&
652 && ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL)) 656 ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL))
653 goto err; 657 goto err;
654 } 658 }
655 659
656 /* Compare octet strings. */ 660 /* Compare octet strings. */
657 ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) && 661 ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&
658 memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0; 662 memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;
659 err: 663
664err:
660 if (!ret) 665 if (!ret)
661 TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH); 666 TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH);
662 return ret; 667 return ret;
663 } 668}
664 669
665static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info) 670static int
666 { 671TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
672{
667 const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info); 673 const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info);
668 674
669 /* Error if nonce is missing. */ 675 /* Error if nonce is missing. */
670 if (!b) 676 if (!b) {
671 {
672 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED); 677 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED);
673 return 0; 678 return 0;
674 } 679 }
675 680
676 /* No error if a nonce is returned without being requested. */ 681 /* No error if a nonce is returned without being requested. */
677 if (ASN1_INTEGER_cmp(a, b) != 0) 682 if (ASN1_INTEGER_cmp(a, b) != 0) {
678 {
679 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH); 683 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH);
680 return 0; 684 return 0;
681 } 685 }
682 686
683 return 1; 687 return 1;
684 } 688}
685 689
686/* Check if the specified TSA name matches either the subject 690/* Check if the specified TSA name matches either the subject
687 or one of the subject alternative names of the TSA certificate. */ 691 or one of the subject alternative names of the TSA certificate. */
688static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) 692static int
689 { 693TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
694{
690 STACK_OF(GENERAL_NAME) *gen_names = NULL; 695 STACK_OF(GENERAL_NAME) *gen_names = NULL;
691 int idx = -1; 696 int idx = -1;
692 int found = 0; 697 int found = 0;
693 698
694 /* Check the subject name first. */ 699 /* Check the subject name first. */
695 if (tsa_name->type == GEN_DIRNAME 700 if (tsa_name->type == GEN_DIRNAME &&
696 && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) 701 X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0)
697 return 1; 702 return 1;
698 703
699 /* Check all the alternative names. */ 704 /* Check all the alternative names. */
700 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, 705 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name,
701 NULL, &idx); 706 NULL, &idx);
702 while (gen_names != NULL 707 while (gen_names != NULL &&
703 && !(found = TS_find_name(gen_names, tsa_name) >= 0)) 708 !(found = TS_find_name(gen_names, tsa_name) >= 0)) {
704 {
705 /* Get the next subject alternative name, 709 /* Get the next subject alternative name,
706 although there should be no more than one. */ 710 although there should be no more than one. */
707 GENERAL_NAMES_free(gen_names); 711 GENERAL_NAMES_free(gen_names);
708 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, 712 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name,
709 NULL, &idx); 713 NULL, &idx);
710 }
711 if (gen_names) GENERAL_NAMES_free(gen_names);
712
713 return found;
714 } 714 }
715 if (gen_names)
716 GENERAL_NAMES_free(gen_names);
717
718 return found;
719}
715 720
716/* Returns 1 if name is in gen_names, 0 otherwise. */ 721/* Returns 1 if name is in gen_names, 0 otherwise. */
717static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name) 722static int
718 { 723TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name)
724{
719 int i, found; 725 int i, found;
720 for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names); 726 for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names);
721 ++i) 727 ++i) {
722 {
723 GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i); 728 GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i);
724 found = GENERAL_NAME_cmp(current, name) == 0; 729 found = GENERAL_NAME_cmp(current, name) == 0;
725 }
726 return found ? i - 1 : -1;
727 } 730 }
731 return found ? i - 1 : -1;
732}
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
index 629107aeec..3fc772678c 100644
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -60,34 +60,40 @@
60#include <openssl/objects.h> 60#include <openssl/objects.h>
61#include <openssl/ts.h> 61#include <openssl/ts.h>
62 62
63TS_VERIFY_CTX *TS_VERIFY_CTX_new(void) 63TS_VERIFY_CTX *
64 { 64TS_VERIFY_CTX_new(void)
65 TS_VERIFY_CTX *ctx = 65{
66 (TS_VERIFY_CTX *) malloc(sizeof(TS_VERIFY_CTX)); 66 TS_VERIFY_CTX *ctx = (TS_VERIFY_CTX *) malloc(sizeof(TS_VERIFY_CTX));
67
67 if (ctx) 68 if (ctx)
68 memset(ctx, 0, sizeof(TS_VERIFY_CTX)); 69 memset(ctx, 0, sizeof(TS_VERIFY_CTX));
69 else 70 else
70 TSerr(TS_F_TS_VERIFY_CTX_NEW, ERR_R_MALLOC_FAILURE); 71 TSerr(TS_F_TS_VERIFY_CTX_NEW, ERR_R_MALLOC_FAILURE);
71 return ctx; 72 return ctx;
72 } 73}
73 74
74void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx) 75void
75 { 76TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx)
77{
76 OPENSSL_assert(ctx != NULL); 78 OPENSSL_assert(ctx != NULL);
77 memset(ctx, 0, sizeof(TS_VERIFY_CTX)); 79 memset(ctx, 0, sizeof(TS_VERIFY_CTX));
78 } 80}
79 81
80void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx) 82void
81 { 83TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx)
82 if (!ctx) return; 84{
85 if (!ctx)
86 return;
83 87
84 TS_VERIFY_CTX_cleanup(ctx); 88 TS_VERIFY_CTX_cleanup(ctx);
85 free(ctx); 89 free(ctx);
86 } 90}
87 91
88void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx) 92void
89 { 93TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
90 if (!ctx) return; 94{
95 if (!ctx)
96 return;
91 97
92 X509_STORE_free(ctx->store); 98 X509_STORE_free(ctx->store);
93 sk_X509_pop_free(ctx->certs, X509_free); 99 sk_X509_pop_free(ctx->certs, X509_free);
@@ -96,7 +102,7 @@ void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
96 102
97 X509_ALGOR_free(ctx->md_alg); 103 X509_ALGOR_free(ctx->md_alg);
98 free(ctx->imprint); 104 free(ctx->imprint);
99 105
100 BIO_free_all(ctx->data); 106 BIO_free_all(ctx->data);
101 107
102 ASN1_INTEGER_free(ctx->nonce); 108 ASN1_INTEGER_free(ctx->nonce);
@@ -104,10 +110,11 @@ void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
104 GENERAL_NAME_free(ctx->tsa_name); 110 GENERAL_NAME_free(ctx->tsa_name);
105 111
106 TS_VERIFY_CTX_init(ctx); 112 TS_VERIFY_CTX_init(ctx);
107 } 113}
108 114
109TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx) 115TS_VERIFY_CTX *
110 { 116TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
117{
111 TS_VERIFY_CTX *ret = ctx; 118 TS_VERIFY_CTX *ret = ctx;
112 ASN1_OBJECT *policy; 119 ASN1_OBJECT *policy;
113 TS_MSG_IMPRINT *imprint; 120 TS_MSG_IMPRINT *imprint;
@@ -118,42 +125,43 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
118 OPENSSL_assert(req != NULL); 125 OPENSSL_assert(req != NULL);
119 if (ret) 126 if (ret)
120 TS_VERIFY_CTX_cleanup(ret); 127 TS_VERIFY_CTX_cleanup(ret);
121 else 128 else if (!(ret = TS_VERIFY_CTX_new()))
122 if (!(ret = TS_VERIFY_CTX_new())) return NULL; 129 return NULL;
123 130
124 /* Setting flags. */ 131 /* Setting flags. */
125 ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE); 132 ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE);
126 133
127 /* Setting policy. */ 134 /* Setting policy. */
128 if ((policy = TS_REQ_get_policy_id(req)) != NULL) 135 if ((policy = TS_REQ_get_policy_id(req)) != NULL) {
129 { 136 if (!(ret->policy = OBJ_dup(policy)))
130 if (!(ret->policy = OBJ_dup(policy))) goto err; 137 goto err;
131 } 138 } else
132 else
133 ret->flags &= ~TS_VFY_POLICY; 139 ret->flags &= ~TS_VFY_POLICY;
134 140
135 /* Setting md_alg, imprint and imprint_len. */ 141 /* Setting md_alg, imprint and imprint_len. */
136 imprint = TS_REQ_get_msg_imprint(req); 142 imprint = TS_REQ_get_msg_imprint(req);
137 md_alg = TS_MSG_IMPRINT_get_algo(imprint); 143 md_alg = TS_MSG_IMPRINT_get_algo(imprint);
138 if (!(ret->md_alg = X509_ALGOR_dup(md_alg))) goto err; 144 if (!(ret->md_alg = X509_ALGOR_dup(md_alg)))
145 goto err;
139 msg = TS_MSG_IMPRINT_get_msg(imprint); 146 msg = TS_MSG_IMPRINT_get_msg(imprint);
140 ret->imprint_len = ASN1_STRING_length(msg); 147 ret->imprint_len = ASN1_STRING_length(msg);
141 if (!(ret->imprint = malloc(ret->imprint_len))) goto err; 148 if (!(ret->imprint = malloc(ret->imprint_len)))
149 goto err;
142 memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len); 150 memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);
143 151
144 /* Setting nonce. */ 152 /* Setting nonce. */
145 if ((nonce = TS_REQ_get_nonce(req)) != NULL) 153 if ((nonce = TS_REQ_get_nonce(req)) != NULL) {
146 { 154 if (!(ret->nonce = ASN1_INTEGER_dup(nonce)))
147 if (!(ret->nonce = ASN1_INTEGER_dup(nonce))) goto err; 155 goto err;
148 } 156 } else
149 else
150 ret->flags &= ~TS_VFY_NONCE; 157 ret->flags &= ~TS_VFY_NONCE;
151 158
152 return ret; 159 return ret;
153 err: 160
161err:
154 if (ctx) 162 if (ctx)
155 TS_VERIFY_CTX_cleanup(ctx); 163 TS_VERIFY_CTX_cleanup(ctx);
156 else 164 else
157 TS_VERIFY_CTX_free(ret); 165 TS_VERIFY_CTX_free(ret);
158 return NULL; 166 return NULL;
159 } 167}
diff --git a/src/lib/libssl/src/crypto/ts/ts.h b/src/lib/libssl/src/crypto/ts/ts.h
index 88e0111453..3c5ab727db 100644
--- a/src/lib/libssl/src/crypto/ts/ts.h
+++ b/src/lib/libssl/src/crypto/ts/ts.h
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -103,11 +103,10 @@ MessageImprint ::= SEQUENCE {
103 hashedMessage OCTET STRING } 103 hashedMessage OCTET STRING }
104*/ 104*/
105 105
106typedef struct TS_msg_imprint_st 106typedef struct TS_msg_imprint_st {
107 {
108 X509_ALGOR *hash_algo; 107 X509_ALGOR *hash_algo;
109 ASN1_OCTET_STRING *hashed_msg; 108 ASN1_OCTET_STRING *hashed_msg;
110 } TS_MSG_IMPRINT; 109} TS_MSG_IMPRINT;
111 110
112/* 111/*
113TimeStampReq ::= SEQUENCE { 112TimeStampReq ::= SEQUENCE {
@@ -121,15 +120,14 @@ TimeStampReq ::= SEQUENCE {
121 extensions [0] IMPLICIT Extensions OPTIONAL } 120 extensions [0] IMPLICIT Extensions OPTIONAL }
122*/ 121*/
123 122
124typedef struct TS_req_st 123typedef struct TS_req_st {
125 {
126 ASN1_INTEGER *version; 124 ASN1_INTEGER *version;
127 TS_MSG_IMPRINT *msg_imprint; 125 TS_MSG_IMPRINT *msg_imprint;
128 ASN1_OBJECT *policy_id; /* OPTIONAL */ 126 ASN1_OBJECT *policy_id; /* OPTIONAL */
129 ASN1_INTEGER *nonce; /* OPTIONAL */ 127 ASN1_INTEGER *nonce; /* OPTIONAL */
130 ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ 128 ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */
131 STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ 129 STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */
132 } TS_REQ; 130} TS_REQ;
133 131
134/* 132/*
135Accuracy ::= SEQUENCE { 133Accuracy ::= SEQUENCE {
@@ -138,12 +136,11 @@ Accuracy ::= SEQUENCE {
138 micros [1] INTEGER (1..999) OPTIONAL } 136 micros [1] INTEGER (1..999) OPTIONAL }
139*/ 137*/
140 138
141typedef struct TS_accuracy_st 139typedef struct TS_accuracy_st {
142 {
143 ASN1_INTEGER *seconds; 140 ASN1_INTEGER *seconds;
144 ASN1_INTEGER *millis; 141 ASN1_INTEGER *millis;
145 ASN1_INTEGER *micros; 142 ASN1_INTEGER *micros;
146 } TS_ACCURACY; 143} TS_ACCURACY;
147 144
148/* 145/*
149TSTInfo ::= SEQUENCE { 146TSTInfo ::= SEQUENCE {
@@ -165,8 +162,7 @@ TSTInfo ::= SEQUENCE {
165 extensions [1] IMPLICIT Extensions OPTIONAL } 162 extensions [1] IMPLICIT Extensions OPTIONAL }
166*/ 163*/
167 164
168typedef struct TS_tst_info_st 165typedef struct TS_tst_info_st {
169 {
170 ASN1_INTEGER *version; 166 ASN1_INTEGER *version;
171 ASN1_OBJECT *policy_id; 167 ASN1_OBJECT *policy_id;
172 TS_MSG_IMPRINT *msg_imprint; 168 TS_MSG_IMPRINT *msg_imprint;
@@ -177,7 +173,7 @@ typedef struct TS_tst_info_st
177 ASN1_INTEGER *nonce; 173 ASN1_INTEGER *nonce;
178 GENERAL_NAME *tsa; 174 GENERAL_NAME *tsa;
179 STACK_OF(X509_EXTENSION) *extensions; 175 STACK_OF(X509_EXTENSION) *extensions;
180 } TS_TST_INFO; 176} TS_TST_INFO;
181 177
182/* 178/*
183PKIStatusInfo ::= SEQUENCE { 179PKIStatusInfo ::= SEQUENCE {
@@ -212,12 +208,11 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
212#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17 208#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17
213#define TS_INFO_SYSTEM_FAILURE 25 209#define TS_INFO_SYSTEM_FAILURE 25
214 210
215typedef struct TS_status_info_st 211typedef struct TS_status_info_st {
216 {
217 ASN1_INTEGER *status; 212 ASN1_INTEGER *status;
218 STACK_OF(ASN1_UTF8STRING) *text; 213 STACK_OF(ASN1_UTF8STRING) *text;
219 ASN1_BIT_STRING *failure_info; 214 ASN1_BIT_STRING *failure_info;
220 } TS_STATUS_INFO; 215} TS_STATUS_INFO;
221 216
222DECLARE_STACK_OF(ASN1_UTF8STRING) 217DECLARE_STACK_OF(ASN1_UTF8STRING)
223DECLARE_ASN1_SET_OF(ASN1_UTF8STRING) 218DECLARE_ASN1_SET_OF(ASN1_UTF8STRING)
@@ -228,12 +223,11 @@ TimeStampResp ::= SEQUENCE {
228 timeStampToken TimeStampToken OPTIONAL } 223 timeStampToken TimeStampToken OPTIONAL }
229*/ 224*/
230 225
231typedef struct TS_resp_st 226typedef struct TS_resp_st {
232 {
233 TS_STATUS_INFO *status_info; 227 TS_STATUS_INFO *status_info;
234 PKCS7 *token; 228 PKCS7 *token;
235 TS_TST_INFO *tst_info; 229 TS_TST_INFO *tst_info;
236 } TS_RESP; 230} TS_RESP;
237 231
238/* The structure below would belong to the ESS component. */ 232/* The structure below would belong to the ESS component. */
239 233
@@ -244,11 +238,10 @@ IssuerSerial ::= SEQUENCE {
244 } 238 }
245*/ 239*/
246 240
247typedef struct ESS_issuer_serial 241typedef struct ESS_issuer_serial {
248 {
249 STACK_OF(GENERAL_NAME) *issuer; 242 STACK_OF(GENERAL_NAME) *issuer;
250 ASN1_INTEGER *serial; 243 ASN1_INTEGER *serial;
251 } ESS_ISSUER_SERIAL; 244} ESS_ISSUER_SERIAL;
252 245
253/* 246/*
254ESSCertID ::= SEQUENCE { 247ESSCertID ::= SEQUENCE {
@@ -257,11 +250,10 @@ ESSCertID ::= SEQUENCE {
257} 250}
258*/ 251*/
259 252
260typedef struct ESS_cert_id 253typedef struct ESS_cert_id {
261 {
262 ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ 254 ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */
263 ESS_ISSUER_SERIAL *issuer_serial; 255 ESS_ISSUER_SERIAL *issuer_serial;
264 } ESS_CERT_ID; 256} ESS_CERT_ID;
265 257
266DECLARE_STACK_OF(ESS_CERT_ID) 258DECLARE_STACK_OF(ESS_CERT_ID)
267DECLARE_ASN1_SET_OF(ESS_CERT_ID) 259DECLARE_ASN1_SET_OF(ESS_CERT_ID)
@@ -273,11 +265,10 @@ SigningCertificate ::= SEQUENCE {
273} 265}
274*/ 266*/
275 267
276typedef struct ESS_signing_cert 268typedef struct ESS_signing_cert {
277 {
278 STACK_OF(ESS_CERT_ID) *cert_ids; 269 STACK_OF(ESS_CERT_ID) *cert_ids;
279 STACK_OF(POLICYINFO) *policy_info; 270 STACK_OF(POLICYINFO) *policy_info;
280 } ESS_SIGNING_CERT; 271} ESS_SIGNING_CERT;
281 272
282 273
283TS_REQ *TS_REQ_new(void); 274TS_REQ *TS_REQ_new(void);
@@ -296,7 +287,7 @@ TS_MSG_IMPRINT *TS_MSG_IMPRINT_new(void);
296void TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a); 287void TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a);
297int i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **pp); 288int i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **pp);
298TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a, 289TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a,
299 const unsigned char **pp, long length); 290 const unsigned char **pp, long length);
300 291
301TS_MSG_IMPRINT *TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *a); 292TS_MSG_IMPRINT *TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *a);
302 293
@@ -320,15 +311,15 @@ int i2d_TS_RESP_bio(BIO *fp, TS_RESP *a);
320TS_STATUS_INFO *TS_STATUS_INFO_new(void); 311TS_STATUS_INFO *TS_STATUS_INFO_new(void);
321void TS_STATUS_INFO_free(TS_STATUS_INFO *a); 312void TS_STATUS_INFO_free(TS_STATUS_INFO *a);
322int i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **pp); 313int i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **pp);
323TS_STATUS_INFO *d2i_TS_STATUS_INFO(TS_STATUS_INFO **a, 314TS_STATUS_INFO *d2i_TS_STATUS_INFO(TS_STATUS_INFO **a,
324 const unsigned char **pp, long length); 315 const unsigned char **pp, long length);
325TS_STATUS_INFO *TS_STATUS_INFO_dup(TS_STATUS_INFO *a); 316TS_STATUS_INFO *TS_STATUS_INFO_dup(TS_STATUS_INFO *a);
326 317
327TS_TST_INFO *TS_TST_INFO_new(void); 318TS_TST_INFO *TS_TST_INFO_new(void);
328void TS_TST_INFO_free(TS_TST_INFO *a); 319void TS_TST_INFO_free(TS_TST_INFO *a);
329int i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **pp); 320int i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **pp);
330TS_TST_INFO *d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **pp, 321TS_TST_INFO *d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **pp,
331 long length); 322 long length);
332TS_TST_INFO *TS_TST_INFO_dup(TS_TST_INFO *a); 323TS_TST_INFO *TS_TST_INFO_dup(TS_TST_INFO *a);
333 324
334TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a); 325TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a);
@@ -340,30 +331,30 @@ TS_ACCURACY *TS_ACCURACY_new(void);
340void TS_ACCURACY_free(TS_ACCURACY *a); 331void TS_ACCURACY_free(TS_ACCURACY *a);
341int i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **pp); 332int i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **pp);
342TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp, 333TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp,
343 long length); 334 long length);
344TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a); 335TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a);
345 336
346ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void); 337ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void);
347void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a); 338void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a);
348int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a, 339int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a,
349 unsigned char **pp); 340 unsigned char **pp);
350ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a, 341ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a,
351 const unsigned char **pp, long length); 342 const unsigned char **pp, long length);
352ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a); 343ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a);
353 344
354ESS_CERT_ID *ESS_CERT_ID_new(void); 345ESS_CERT_ID *ESS_CERT_ID_new(void);
355void ESS_CERT_ID_free(ESS_CERT_ID *a); 346void ESS_CERT_ID_free(ESS_CERT_ID *a);
356int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp); 347int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp);
357ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp, 348ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp,
358 long length); 349 long length);
359ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a); 350ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a);
360 351
361ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void); 352ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void);
362void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a); 353void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a);
363int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a, 354int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a,
364 unsigned char **pp); 355 unsigned char **pp);
365ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a, 356ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
366 const unsigned char **pp, long length); 357 const unsigned char **pp, long length);
367ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a); 358ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
368 359
369void ERR_load_TS_strings(void); 360void ERR_load_TS_strings(void);
@@ -485,19 +476,18 @@ struct TS_resp_ctx;
485typedef ASN1_INTEGER *(*TS_serial_cb)(struct TS_resp_ctx *, void *); 476typedef ASN1_INTEGER *(*TS_serial_cb)(struct TS_resp_ctx *, void *);
486 477
487/* This must return the seconds and microseconds since Jan 1, 1970 in 478/* This must return the seconds and microseconds since Jan 1, 1970 in
488 the sec and usec variables allocated by the caller. 479 the sec and usec variables allocated by the caller.
489 Return non-zero for success and zero for failure. */ 480 Return non-zero for success and zero for failure. */
490typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, long *sec, long *usec); 481typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, long *sec, long *usec);
491 482
492/* This must process the given extension. 483/* This must process the given extension.
493 * It can modify the TS_TST_INFO object of the context. 484 * It can modify the TS_TST_INFO object of the context.
494 * Return values: !0 (processed), 0 (error, it must set the 485 * Return values: !0 (processed), 0 (error, it must set the
495 * status info/failure info of the response). 486 * status info/failure info of the response).
496 */ 487 */
497typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *); 488typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *);
498 489
499typedef struct TS_resp_ctx 490typedef struct TS_resp_ctx {
500 {
501 X509 *signer_cert; 491 X509 *signer_cert;
502 EVP_PKEY *signer_key; 492 EVP_PKEY *signer_key;
503 STACK_OF(X509) *certs; /* Certs to include in signed data. */ 493 STACK_OF(X509) *certs; /* Certs to include in signed data. */
@@ -514,10 +504,10 @@ typedef struct TS_resp_ctx
514 /* Callback functions. */ 504 /* Callback functions. */
515 TS_serial_cb serial_cb; 505 TS_serial_cb serial_cb;
516 void *serial_cb_data; /* User data for serial_cb. */ 506 void *serial_cb_data; /* User data for serial_cb. */
517 507
518 TS_time_cb time_cb; 508 TS_time_cb time_cb;
519 void *time_cb_data; /* User data for time_cb. */ 509 void *time_cb_data; /* User data for time_cb. */
520 510
521 TS_extension_cb extension_cb; 511 TS_extension_cb extension_cb;
522 void *extension_cb_data; /* User data for extension_cb. */ 512 void *extension_cb_data; /* User data for extension_cb. */
523 513
@@ -525,7 +515,7 @@ typedef struct TS_resp_ctx
525 TS_REQ *request; 515 TS_REQ *request;
526 TS_RESP *response; 516 TS_RESP *response;
527 TS_TST_INFO *tst_info; 517 TS_TST_INFO *tst_info;
528 } TS_RESP_CTX; 518} TS_RESP_CTX;
529 519
530DECLARE_STACK_OF(EVP_MD) 520DECLARE_STACK_OF(EVP_MD)
531DECLARE_ASN1_SET_OF(EVP_MD) 521DECLARE_ASN1_SET_OF(EVP_MD)
@@ -546,23 +536,23 @@ int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy);
546/* No additional certs are included in the response by default. */ 536/* No additional certs are included in the response by default. */
547int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs); 537int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs);
548 538
549/* Adds a new acceptable policy, only the default policy 539/* Adds a new acceptable policy, only the default policy
550 is accepted by default. */ 540 is accepted by default. */
551int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy); 541int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy);
552 542
553/* Adds a new acceptable message digest. Note that no message digests 543/* Adds a new acceptable message digest. Note that no message digests
554 are accepted by default. The md argument is shared with the caller. */ 544 are accepted by default. The md argument is shared with the caller. */
555int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md); 545int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md);
556 546
557/* Accuracy is not included by default. */ 547/* Accuracy is not included by default. */
558int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, 548int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
559 int secs, int millis, int micros); 549 int secs, int millis, int micros);
560 550
561/* Clock precision digits, i.e. the number of decimal digits: 551/* Clock precision digits, i.e. the number of decimal digits:
562 '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */ 552 '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
563int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, 553int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
564 unsigned clock_precision_digits); 554 unsigned clock_precision_digits);
565/* At most we accept usec precision. */ 555/* At most we accept usec precision. */
566#define TS_MAX_CLOCK_PRECISION_DIGITS 6 556#define TS_MAX_CLOCK_PRECISION_DIGITS 6
567 557
568/* No flags are set by default. */ 558/* No flags are set by default. */
@@ -574,19 +564,19 @@ void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data);
574/* Default callback uses the gettimeofday() and gmtime() system calls. */ 564/* Default callback uses the gettimeofday() and gmtime() system calls. */
575void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data); 565void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data);
576 566
577/* Default callback rejects all extensions. The extension callback is called 567/* Default callback rejects all extensions. The extension callback is called
578 * when the TS_TST_INFO object is already set up and not signed yet. */ 568 * when the TS_TST_INFO object is already set up and not signed yet. */
579/* FIXME: extension handling is not tested yet. */ 569/* FIXME: extension handling is not tested yet. */
580void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, 570void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx,
581 TS_extension_cb cb, void *data); 571 TS_extension_cb cb, void *data);
582 572
583/* The following methods can be used in the callbacks. */ 573/* The following methods can be used in the callbacks. */
584int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, 574int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx,
585 int status, const char *text); 575 int status, const char *text);
586 576
587/* Sets the status info only if it is still TS_STATUS_GRANTED. */ 577/* Sets the status info only if it is still TS_STATUS_GRANTED. */
588int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, 578int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
589 int status, const char *text); 579 int status, const char *text);
590 580
591int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure); 581int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure);
592 582
@@ -595,7 +585,7 @@ TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx);
595 585
596TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx); 586TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx);
597 587
598/* 588/*
599 * Creates the signed TS_TST_INFO and puts it in TS_RESP. 589 * Creates the signed TS_TST_INFO and puts it in TS_RESP.
600 * In case of errors it sets the status info properly. 590 * In case of errors it sets the status info properly.
601 * Returns NULL only in case of memory allocation/fatal error. 591 * Returns NULL only in case of memory allocation/fatal error.
@@ -608,7 +598,7 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio);
608 */ 598 */
609 599
610int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, 600int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
611 X509_STORE *store, X509 **signer_out); 601 X509_STORE *store, X509 **signer_out);
612 602
613/* Context structure for the generic verify method. */ 603/* Context structure for the generic verify method. */
614 604
@@ -648,8 +638,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
648 | TS_VFY_SIGNER \ 638 | TS_VFY_SIGNER \
649 | TS_VFY_TSA_NAME) 639 | TS_VFY_TSA_NAME)
650 640
651typedef struct TS_verify_ctx 641typedef struct TS_verify_ctx {
652 {
653 /* Set this to the union of TS_VFY_... flags you want to carry out. */ 642 /* Set this to the union of TS_VFY_... flags you want to carry out. */
654 unsigned flags; 643 unsigned flags;
655 644
@@ -660,7 +649,7 @@ typedef struct TS_verify_ctx
660 /* Must be set only with TS_VFY_POLICY. */ 649 /* Must be set only with TS_VFY_POLICY. */
661 ASN1_OBJECT *policy; 650 ASN1_OBJECT *policy;
662 651
663 /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, 652 /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
664 the algorithm from the response is used. */ 653 the algorithm from the response is used. */
665 X509_ALGOR *md_alg; 654 X509_ALGOR *md_alg;
666 unsigned char *imprint; 655 unsigned char *imprint;
@@ -674,7 +663,7 @@ typedef struct TS_verify_ctx
674 663
675 /* Must be set only with TS_VFY_TSA_NAME. */ 664 /* Must be set only with TS_VFY_TSA_NAME. */
676 GENERAL_NAME *tsa_name; 665 GENERAL_NAME *tsa_name;
677 } TS_VERIFY_CTX; 666} TS_VERIFY_CTX;
678 667
679int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response); 668int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response);
680int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); 669int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token);
@@ -690,7 +679,7 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
690void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); 679void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
691void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); 680void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
692 681
693/* 682/*
694 * If ctx is NULL, it allocates and returns a new object, otherwise 683 * If ctx is NULL, it allocates and returns a new object, otherwise
695 * it returns ctx. It initialises all the members as follows: 684 * it returns ctx. It initialises all the members as follows:
696 * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE) 685 * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE)
@@ -730,27 +719,27 @@ STACK_OF(X509) *TS_CONF_load_certs(const char *file);
730EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass); 719EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass);
731const char *TS_CONF_get_tsa_section(CONF *conf, const char *section); 720const char *TS_CONF_get_tsa_section(CONF *conf, const char *section);
732int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb, 721int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
733 TS_RESP_CTX *ctx); 722 TS_RESP_CTX *ctx);
734int TS_CONF_set_crypto_device(CONF *conf, const char *section, 723int TS_CONF_set_crypto_device(CONF *conf, const char *section,
735 const char *device); 724 const char *device);
736int TS_CONF_set_default_engine(const char *name); 725int TS_CONF_set_default_engine(const char *name);
737int TS_CONF_set_signer_cert(CONF *conf, const char *section, 726int TS_CONF_set_signer_cert(CONF *conf, const char *section,
738 const char *cert, TS_RESP_CTX *ctx); 727 const char *cert, TS_RESP_CTX *ctx);
739int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs, 728int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
740 TS_RESP_CTX *ctx); 729 TS_RESP_CTX *ctx);
741int TS_CONF_set_signer_key(CONF *conf, const char *section, 730int TS_CONF_set_signer_key(CONF *conf, const char *section,
742 const char *key, const char *pass, TS_RESP_CTX *ctx); 731 const char *key, const char *pass, TS_RESP_CTX *ctx);
743int TS_CONF_set_def_policy(CONF *conf, const char *section, 732int TS_CONF_set_def_policy(CONF *conf, const char *section,
744 const char *policy, TS_RESP_CTX *ctx); 733 const char *policy, TS_RESP_CTX *ctx);
745int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx); 734int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
746int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx); 735int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx);
747int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx); 736int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx);
748int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section, 737int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
749 TS_RESP_CTX *ctx); 738 TS_RESP_CTX *ctx);
750int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx); 739int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx);
751int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx); 740int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx);
752int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, 741int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section,
753 TS_RESP_CTX *ctx); 742 TS_RESP_CTX *ctx);
754 743
755/* -------------------------------------------------- */ 744/* -------------------------------------------------- */
756/* BEGIN ERROR CODES */ 745/* BEGIN ERROR CODES */
diff --git a/src/lib/libssl/src/crypto/ts/ts_asn1.c b/src/lib/libssl/src/crypto/ts/ts_asn1.c
index 40b730c5e2..9e16b01f93 100644
--- a/src/lib/libssl/src/crypto/ts/ts_asn1.c
+++ b/src/lib/libssl/src/crypto/ts/ts_asn1.c
@@ -9,7 +9,7 @@
9 * are met: 9 * are met:
10 * 10 *
11 * 1. Redistributions of source code must retain the above copyright 11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer. 12 * notice, this list of conditions and the following disclaimer.
13 * 13 *
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in 15 * notice, this list of conditions and the following disclaimer in
@@ -66,27 +66,35 @@ ASN1_SEQUENCE(TS_MSG_IMPRINT) = {
66 66
67IMPLEMENT_ASN1_FUNCTIONS_const(TS_MSG_IMPRINT) 67IMPLEMENT_ASN1_FUNCTIONS_const(TS_MSG_IMPRINT)
68IMPLEMENT_ASN1_DUP_FUNCTION(TS_MSG_IMPRINT) 68IMPLEMENT_ASN1_DUP_FUNCTION(TS_MSG_IMPRINT)
69
69#ifndef OPENSSL_NO_BIO 70#ifndef OPENSSL_NO_BIO
70TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT **a) 71TS_MSG_IMPRINT *
71 { 72d2i_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT **a)
72 return ASN1_d2i_bio_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new, d2i_TS_MSG_IMPRINT, bp, a); 73{
73 } 74 return ASN1_d2i_bio_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new,
75 d2i_TS_MSG_IMPRINT, bp, a);
76}
74 77
75int i2d_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT *a) 78int
79i2d_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT *a)
76{ 80{
77 return ASN1_i2d_bio_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, bp, a); 81 return ASN1_i2d_bio_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, bp, a);
78} 82}
79#endif 83#endif
84
80#ifndef OPENSSL_NO_FP_API 85#ifndef OPENSSL_NO_FP_API
81TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a) 86TS_MSG_IMPRINT *
82 { 87d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a)
83 return ASN1_d2i_fp_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new, d2i_TS_MSG_IMPRINT, fp, a); 88{
84 } 89 return ASN1_d2i_fp_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new,
90 d2i_TS_MSG_IMPRINT, fp, a);
91}
85 92
86int i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a) 93int
87 { 94i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a)
95{
88 return ASN1_i2d_fp_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, fp, a); 96 return ASN1_i2d_fp_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, fp, a);
89 } 97}
90#endif 98#endif
91 99
92ASN1_SEQUENCE(TS_REQ) = { 100ASN1_SEQUENCE(TS_REQ) = {
@@ -100,27 +108,33 @@ ASN1_SEQUENCE(TS_REQ) = {
100 108
101IMPLEMENT_ASN1_FUNCTIONS_const(TS_REQ) 109IMPLEMENT_ASN1_FUNCTIONS_const(TS_REQ)
102IMPLEMENT_ASN1_DUP_FUNCTION(TS_REQ) 110IMPLEMENT_ASN1_DUP_FUNCTION(TS_REQ)
111
103#ifndef OPENSSL_NO_BIO 112#ifndef OPENSSL_NO_BIO
104TS_REQ *d2i_TS_REQ_bio(BIO *bp, TS_REQ **a) 113TS_REQ *
105 { 114d2i_TS_REQ_bio(BIO *bp, TS_REQ **a)
115{
106 return ASN1_d2i_bio_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, bp, a); 116 return ASN1_d2i_bio_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, bp, a);
107 } 117}
108 118
109int i2d_TS_REQ_bio(BIO *bp, TS_REQ *a) 119int
110 { 120i2d_TS_REQ_bio(BIO *bp, TS_REQ *a)
121{
111 return ASN1_i2d_bio_of_const(TS_REQ, i2d_TS_REQ, bp, a); 122 return ASN1_i2d_bio_of_const(TS_REQ, i2d_TS_REQ, bp, a);
112 } 123}
113#endif 124#endif
125
114#ifndef OPENSSL_NO_FP_API 126#ifndef OPENSSL_NO_FP_API
115TS_REQ *d2i_TS_REQ_fp(FILE *fp, TS_REQ **a) 127TS_REQ *
116 { 128d2i_TS_REQ_fp(FILE *fp, TS_REQ **a)
129{
117 return ASN1_d2i_fp_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, fp, a); 130 return ASN1_d2i_fp_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, fp, a);
118 } 131}
119 132
120int i2d_TS_REQ_fp(FILE *fp, TS_REQ *a) 133int
121 { 134i2d_TS_REQ_fp(FILE *fp, TS_REQ *a)
135{
122 return ASN1_i2d_fp_of_const(TS_REQ, i2d_TS_REQ, fp, a); 136 return ASN1_i2d_fp_of_const(TS_REQ, i2d_TS_REQ, fp, a);
123 } 137}
124#endif 138#endif
125 139
126ASN1_SEQUENCE(TS_ACCURACY) = { 140ASN1_SEQUENCE(TS_ACCURACY) = {
@@ -147,27 +161,35 @@ ASN1_SEQUENCE(TS_TST_INFO) = {
147 161
148IMPLEMENT_ASN1_FUNCTIONS_const(TS_TST_INFO) 162IMPLEMENT_ASN1_FUNCTIONS_const(TS_TST_INFO)
149IMPLEMENT_ASN1_DUP_FUNCTION(TS_TST_INFO) 163IMPLEMENT_ASN1_DUP_FUNCTION(TS_TST_INFO)
164
150#ifndef OPENSSL_NO_BIO 165#ifndef OPENSSL_NO_BIO
151TS_TST_INFO *d2i_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO **a) 166TS_TST_INFO *
152 { 167d2i_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO **a)
153 return ASN1_d2i_bio_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO, bp, a); 168{
154 } 169 return ASN1_d2i_bio_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO,
170 bp, a);
171}
155 172
156int i2d_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO *a) 173int
157 { 174i2d_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO *a)
175{
158 return ASN1_i2d_bio_of_const(TS_TST_INFO, i2d_TS_TST_INFO, bp, a); 176 return ASN1_i2d_bio_of_const(TS_TST_INFO, i2d_TS_TST_INFO, bp, a);
159 } 177}
160#endif 178#endif
179
161#ifndef OPENSSL_NO_FP_API 180#ifndef OPENSSL_NO_FP_API
162TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a) 181TS_TST_INFO *
163 { 182d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a)
164 return ASN1_d2i_fp_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO, fp, a); 183{
165 } 184 return ASN1_d2i_fp_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO,
185 fp, a);
186}
166 187
167int i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a) 188int
168 { 189i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a)
190{
169 return ASN1_i2d_fp_of_const(TS_TST_INFO, i2d_TS_TST_INFO, fp, a); 191 return ASN1_i2d_fp_of_const(TS_TST_INFO, i2d_TS_TST_INFO, fp, a);
170 } 192}
171#endif 193#endif
172 194
173ASN1_SEQUENCE(TS_STATUS_INFO) = { 195ASN1_SEQUENCE(TS_STATUS_INFO) = {
@@ -179,7 +201,8 @@ ASN1_SEQUENCE(TS_STATUS_INFO) = {
179IMPLEMENT_ASN1_FUNCTIONS_const(TS_STATUS_INFO) 201IMPLEMENT_ASN1_FUNCTIONS_const(TS_STATUS_INFO)
180IMPLEMENT_ASN1_DUP_FUNCTION(TS_STATUS_INFO) 202IMPLEMENT_ASN1_DUP_FUNCTION(TS_STATUS_INFO)
181 203
182static int ts_resp_set_tst_info(TS_RESP *a) 204static int
205ts_resp_set_tst_info(TS_RESP *a)
183{ 206{
184 long status; 207 long status;
185 208
@@ -194,7 +217,8 @@ static int ts_resp_set_tst_info(TS_RESP *a)
194 TS_TST_INFO_free(a->tst_info); 217 TS_TST_INFO_free(a->tst_info);
195 a->tst_info = PKCS7_to_TS_TST_INFO(a->token); 218 a->tst_info = PKCS7_to_TS_TST_INFO(a->token);
196 if (!a->tst_info) { 219 if (!a->tst_info) {
197 TSerr(TS_F_TS_RESP_SET_TST_INFO, TS_R_PKCS7_TO_TS_TST_INFO_FAILED); 220 TSerr(TS_F_TS_RESP_SET_TST_INFO,
221 TS_R_PKCS7_TO_TS_TST_INFO_FAILED);
198 return 0; 222 return 0;
199 } 223 }
200 } else if (status == 0 || status == 1) { 224 } else if (status == 0 || status == 1) {
@@ -205,10 +229,11 @@ static int ts_resp_set_tst_info(TS_RESP *a)
205 return 1; 229 return 1;
206} 230}
207 231
208static int ts_resp_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it, 232static int
209 void *exarg) 233ts_resp_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
210{ 234{
211 TS_RESP *ts_resp = (TS_RESP *)*pval; 235 TS_RESP *ts_resp = (TS_RESP *)*pval;
236
212 if (op == ASN1_OP_NEW_POST) { 237 if (op == ASN1_OP_NEW_POST) {
213 ts_resp->tst_info = NULL; 238 ts_resp->tst_info = NULL;
214 } else if (op == ASN1_OP_FREE_POST) { 239 } else if (op == ASN1_OP_FREE_POST) {
@@ -228,27 +253,33 @@ ASN1_SEQUENCE_cb(TS_RESP, ts_resp_cb) = {
228 253
229IMPLEMENT_ASN1_FUNCTIONS_const(TS_RESP) 254IMPLEMENT_ASN1_FUNCTIONS_const(TS_RESP)
230IMPLEMENT_ASN1_DUP_FUNCTION(TS_RESP) 255IMPLEMENT_ASN1_DUP_FUNCTION(TS_RESP)
256
231#ifndef OPENSSL_NO_BIO 257#ifndef OPENSSL_NO_BIO
232TS_RESP *d2i_TS_RESP_bio(BIO *bp, TS_RESP **a) 258TS_RESP *
233 { 259d2i_TS_RESP_bio(BIO *bp, TS_RESP **a)
260{
234 return ASN1_d2i_bio_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, bp, a); 261 return ASN1_d2i_bio_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, bp, a);
235 } 262}
236 263
237int i2d_TS_RESP_bio(BIO *bp, TS_RESP *a) 264int
238 { 265i2d_TS_RESP_bio(BIO *bp, TS_RESP *a)
266{
239 return ASN1_i2d_bio_of_const(TS_RESP, i2d_TS_RESP, bp, a); 267 return ASN1_i2d_bio_of_const(TS_RESP, i2d_TS_RESP, bp, a);
240 } 268}
241#endif 269#endif
270
242#ifndef OPENSSL_NO_FP_API 271#ifndef OPENSSL_NO_FP_API
243TS_RESP *d2i_TS_RESP_fp(FILE *fp, TS_RESP **a) 272TS_RESP *
244 { 273d2i_TS_RESP_fp(FILE *fp, TS_RESP **a)
274{
245 return ASN1_d2i_fp_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, fp, a); 275 return ASN1_d2i_fp_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, fp, a);
246 } 276}
247 277
248int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a) 278int
249 { 279i2d_TS_RESP_fp(FILE *fp, TS_RESP *a)
280{
250 return ASN1_i2d_fp_of_const(TS_RESP, i2d_TS_RESP, fp, a); 281 return ASN1_i2d_fp_of_const(TS_RESP, i2d_TS_RESP, fp, a);
251 } 282}
252#endif 283#endif
253 284
254ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = { 285ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = {
@@ -276,7 +307,8 @@ IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT)
276IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT) 307IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
277 308
278/* Getting encapsulated TS_TST_INFO object from PKCS7. */ 309/* Getting encapsulated TS_TST_INFO object from PKCS7. */
279TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token) 310TS_TST_INFO *
311PKCS7_to_TS_TST_INFO(PKCS7 *token)
280{ 312{
281 PKCS7_SIGNED *pkcs7_signed; 313 PKCS7_SIGNED *pkcs7_signed;
282 PKCS7 *enveloped; 314 PKCS7 *enveloped;
@@ -284,35 +316,31 @@ TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
284 ASN1_OCTET_STRING *tst_info_der; 316 ASN1_OCTET_STRING *tst_info_der;
285 const unsigned char *p; 317 const unsigned char *p;
286 318
287 if (!PKCS7_type_is_signed(token)) 319 if (!PKCS7_type_is_signed(token)) {
288 {
289 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE); 320 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE);
290 return NULL; 321 return NULL;
291 } 322 }
292 323
293 /* Content must be present. */ 324 /* Content must be present. */
294 if (PKCS7_get_detached(token)) 325 if (PKCS7_get_detached(token)) {
295 {
296 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_DETACHED_CONTENT); 326 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_DETACHED_CONTENT);
297 return NULL; 327 return NULL;
298 } 328 }
299 329
300 /* We have a signed data with content. */ 330 /* We have a signed data with content. */
301 pkcs7_signed = token->d.sign; 331 pkcs7_signed = token->d.sign;
302 enveloped = pkcs7_signed->contents; 332 enveloped = pkcs7_signed->contents;
303 if (OBJ_obj2nid(enveloped->type) != NID_id_smime_ct_TSTInfo) 333 if (OBJ_obj2nid(enveloped->type) != NID_id_smime_ct_TSTInfo) {
304 {
305 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE); 334 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE);
306 return NULL; 335 return NULL;
307 } 336 }
308 337
309 /* We have a DER encoded TST_INFO as the signed data. */ 338 /* We have a DER encoded TST_INFO as the signed data. */
310 tst_info_wrapper = enveloped->d.other; 339 tst_info_wrapper = enveloped->d.other;
311 if (tst_info_wrapper->type != V_ASN1_OCTET_STRING) 340 if (tst_info_wrapper->type != V_ASN1_OCTET_STRING) {
312 {
313 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_TYPE); 341 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_TYPE);
314 return NULL; 342 return NULL;
315 } 343 }
316 344
317 /* We have the correct ASN1_OCTET_STRING type. */ 345 /* We have the correct ASN1_OCTET_STRING type. */
318 tst_info_der = tst_info_wrapper->value.octet_string; 346 tst_info_der = tst_info_wrapper->value.octet_string;
diff --git a/src/lib/libssl/src/crypto/ts/ts_conf.c b/src/lib/libssl/src/crypto/ts/ts_conf.c
index 212f8bf702..f8cf3b514c 100644
--- a/src/lib/libssl/src/crypto/ts/ts_conf.c
+++ b/src/lib/libssl/src/crypto/ts/ts_conf.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -85,420 +85,440 @@
85#define ENV_VALUE_SECS "secs" 85#define ENV_VALUE_SECS "secs"
86#define ENV_VALUE_MILLISECS "millisecs" 86#define ENV_VALUE_MILLISECS "millisecs"
87#define ENV_VALUE_MICROSECS "microsecs" 87#define ENV_VALUE_MICROSECS "microsecs"
88#define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits" 88#define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits"
89#define ENV_VALUE_YES "yes" 89#define ENV_VALUE_YES "yes"
90#define ENV_VALUE_NO "no" 90#define ENV_VALUE_NO "no"
91 91
92/* Function definitions for certificate and key loading. */ 92/* Function definitions for certificate and key loading. */
93 93
94X509 *TS_CONF_load_cert(const char *file) 94X509 *
95 { 95TS_CONF_load_cert(const char *file)
96{
96 BIO *cert = NULL; 97 BIO *cert = NULL;
97 X509 *x = NULL; 98 X509 *x = NULL;
98 99
99 if ((cert = BIO_new_file(file, "r")) == NULL) goto end; 100 if ((cert = BIO_new_file(file, "r")) == NULL)
101 goto end;
100 x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL); 102 x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
103
101end: 104end:
102 if (x == NULL) 105 if (x == NULL)
103 fprintf(stderr, "unable to load certificate: %s\n", file); 106 fprintf(stderr, "unable to load certificate: %s\n", file);
104 BIO_free(cert); 107 BIO_free(cert);
105 return x; 108 return x;
106 } 109}
107 110
108STACK_OF(X509) *TS_CONF_load_certs(const char *file) 111STACK_OF(X509) *TS_CONF_load_certs(const char *file)
109 { 112{
110 BIO *certs = NULL; 113 BIO *certs = NULL;
111 STACK_OF(X509) *othercerts = NULL; 114 STACK_OF(X509) *othercerts = NULL;
112 STACK_OF(X509_INFO) *allcerts = NULL; 115 STACK_OF(X509_INFO) *allcerts = NULL;
113 int i; 116 int i;
114 117
115 if (!(certs = BIO_new_file(file, "r"))) goto end; 118 if (!(certs = BIO_new_file(file, "r")))
119 goto end;
116 120
117 if (!(othercerts = sk_X509_new_null())) goto end; 121 if (!(othercerts = sk_X509_new_null()))
122 goto end;
118 allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL); 123 allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
119 for(i = 0; i < sk_X509_INFO_num(allcerts); i++) 124 for (i = 0; i < sk_X509_INFO_num(allcerts); i++) {
120 {
121 X509_INFO *xi = sk_X509_INFO_value(allcerts, i); 125 X509_INFO *xi = sk_X509_INFO_value(allcerts, i);
122 if (xi->x509) 126 if (xi->x509) {
123 {
124 sk_X509_push(othercerts, xi->x509); 127 sk_X509_push(othercerts, xi->x509);
125 xi->x509 = NULL; 128 xi->x509 = NULL;
126 }
127 } 129 }
130 }
131
128end: 132end:
129 if (othercerts == NULL) 133 if (othercerts == NULL)
130 fprintf(stderr, "unable to load certificates: %s\n", file); 134 fprintf(stderr, "unable to load certificates: %s\n", file);
131 sk_X509_INFO_pop_free(allcerts, X509_INFO_free); 135 sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
132 BIO_free(certs); 136 BIO_free(certs);
133 return othercerts; 137 return othercerts;
134 } 138}
135 139
136EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass) 140EVP_PKEY *
137 { 141TS_CONF_load_key(const char *file, const char *pass)
142{
138 BIO *key = NULL; 143 BIO *key = NULL;
139 EVP_PKEY *pkey = NULL; 144 EVP_PKEY *pkey = NULL;
140 145
141 if (!(key = BIO_new_file(file, "r"))) goto end; 146 if (!(key = BIO_new_file(file, "r")))
147 goto end;
142 pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, (char *) pass); 148 pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, (char *) pass);
143 end: 149
150end:
144 if (pkey == NULL) 151 if (pkey == NULL)
145 fprintf(stderr, "unable to load private key: %s\n", file); 152 fprintf(stderr, "unable to load private key: %s\n", file);
146 BIO_free(key); 153 BIO_free(key);
147 return pkey; 154 return pkey;
148 } 155}
149 156
150/* Function definitions for handling configuration options. */ 157/* Function definitions for handling configuration options. */
151 158
152static void TS_CONF_lookup_fail(const char *name, const char *tag) 159static void
153 { 160TS_CONF_lookup_fail(const char *name, const char *tag)
161{
154 fprintf(stderr, "variable lookup failed for %s::%s\n", name, tag); 162 fprintf(stderr, "variable lookup failed for %s::%s\n", name, tag);
155 } 163}
156 164
157static void TS_CONF_invalid(const char *name, const char *tag) 165static void
158 { 166TS_CONF_invalid(const char *name, const char *tag)
167{
159 fprintf(stderr, "invalid variable value for %s::%s\n", name, tag); 168 fprintf(stderr, "invalid variable value for %s::%s\n", name, tag);
160 } 169}
161 170
162const char *TS_CONF_get_tsa_section(CONF *conf, const char *section) 171const char *
163 { 172TS_CONF_get_tsa_section(CONF *conf, const char *section)
164 if (!section) 173{
165 { 174 if (!section) {
166 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_TSA); 175 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_TSA);
167 if (!section) 176 if (!section)
168 TS_CONF_lookup_fail(BASE_SECTION, ENV_DEFAULT_TSA); 177 TS_CONF_lookup_fail(BASE_SECTION, ENV_DEFAULT_TSA);
169 }
170 return section;
171 } 178 }
179 return section;
180}
172 181
173int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb, 182int
174 TS_RESP_CTX *ctx) 183TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
175 { 184 TS_RESP_CTX *ctx)
185{
176 int ret = 0; 186 int ret = 0;
177 char *serial = NCONF_get_string(conf, section, ENV_SERIAL); 187 char *serial = NCONF_get_string(conf, section, ENV_SERIAL);
178 if (!serial) 188
179 { 189 if (!serial) {
180 TS_CONF_lookup_fail(section, ENV_SERIAL); 190 TS_CONF_lookup_fail(section, ENV_SERIAL);
181 goto err; 191 goto err;
182 } 192 }
183 TS_RESP_CTX_set_serial_cb(ctx, cb, serial); 193 TS_RESP_CTX_set_serial_cb(ctx, cb, serial);
184 194
185 ret = 1; 195 ret = 1;
186 err: 196
197err:
187 return ret; 198 return ret;
188 } 199}
189 200
190#ifndef OPENSSL_NO_ENGINE 201#ifndef OPENSSL_NO_ENGINE
191 202
192int TS_CONF_set_crypto_device(CONF *conf, const char *section, 203int
193 const char *device) 204TS_CONF_set_crypto_device(CONF *conf, const char *section, const char *device)
194 { 205{
195 int ret = 0; 206 int ret = 0;
196 207
197 if (!device) 208 if (!device)
198 device = NCONF_get_string(conf, section, 209 device = NCONF_get_string(conf, section, ENV_CRYPTO_DEVICE);
199 ENV_CRYPTO_DEVICE);
200 210
201 if (device && !TS_CONF_set_default_engine(device)) 211 if (device && !TS_CONF_set_default_engine(device)) {
202 {
203 TS_CONF_invalid(section, ENV_CRYPTO_DEVICE); 212 TS_CONF_invalid(section, ENV_CRYPTO_DEVICE);
204 goto err; 213 goto err;
205 } 214 }
206 ret = 1; 215 ret = 1;
207 err: 216
217err:
208 return ret; 218 return ret;
209 } 219}
210 220
211int TS_CONF_set_default_engine(const char *name) 221int
212 { 222TS_CONF_set_default_engine(const char *name)
223{
213 ENGINE *e = NULL; 224 ENGINE *e = NULL;
214 int ret = 0; 225 int ret = 0;
215 226
216 /* Leave the default if builtin specified. */ 227 /* Leave the default if builtin specified. */
217 if (strcmp(name, "builtin") == 0) return 1; 228 if (strcmp(name, "builtin") == 0)
229 return 1;
218 230
219 if (!(e = ENGINE_by_id(name))) goto err; 231 if (!(e = ENGINE_by_id(name)))
232 goto err;
220 /* All the operations are going to be carried out by the engine. */ 233 /* All the operations are going to be carried out by the engine. */
221 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) goto err; 234 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
235 goto err;
222 ret = 1; 236 ret = 1;
223 err: 237
224 if (!ret) 238err:
225 { 239 if (!ret) {
226 TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE, 240 TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE,
227 TS_R_COULD_NOT_SET_ENGINE); 241 TS_R_COULD_NOT_SET_ENGINE);
228 ERR_add_error_data(2, "engine:", name); 242 ERR_add_error_data(2, "engine:", name);
229 }
230 if (e) ENGINE_free(e);
231 return ret;
232 } 243 }
244 if (e)
245 ENGINE_free(e);
246 return ret;
247}
233 248
234#endif 249#endif
235 250
236int TS_CONF_set_signer_cert(CONF *conf, const char *section, 251int
237 const char *cert, TS_RESP_CTX *ctx) 252TS_CONF_set_signer_cert(CONF *conf, const char *section, const char *cert,
238 { 253 TS_RESP_CTX *ctx)
254{
239 int ret = 0; 255 int ret = 0;
240 X509 *cert_obj = NULL; 256 X509 *cert_obj = NULL;
241 if (!cert) 257
242 cert = NCONF_get_string(conf, section, ENV_SIGNER_CERT);
243 if (!cert) 258 if (!cert)
244 { 259 cert = NCONF_get_string(conf, section, ENV_SIGNER_CERT);
260 if (!cert) {
245 TS_CONF_lookup_fail(section, ENV_SIGNER_CERT); 261 TS_CONF_lookup_fail(section, ENV_SIGNER_CERT);
246 goto err; 262 goto err;
247 } 263 }
248 if (!(cert_obj = TS_CONF_load_cert(cert))) 264 if (!(cert_obj = TS_CONF_load_cert(cert)))
249 goto err; 265 goto err;
250 if (!TS_RESP_CTX_set_signer_cert(ctx, cert_obj)) 266 if (!TS_RESP_CTX_set_signer_cert(ctx, cert_obj))
251 goto err; 267 goto err;
252 268
253 ret = 1; 269 ret = 1;
254 err: 270
271err:
255 X509_free(cert_obj); 272 X509_free(cert_obj);
256 return ret; 273 return ret;
257 } 274}
258 275
259int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs, 276int
260 TS_RESP_CTX *ctx) 277TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
261 { 278 TS_RESP_CTX *ctx)
279{
262 int ret = 0; 280 int ret = 0;
263 STACK_OF(X509) *certs_obj = NULL; 281 STACK_OF(X509) *certs_obj = NULL;
264 if (!certs) 282
283 if (!certs)
265 certs = NCONF_get_string(conf, section, ENV_CERTS); 284 certs = NCONF_get_string(conf, section, ENV_CERTS);
266 /* Certificate chain is optional. */ 285 /* Certificate chain is optional. */
267 if (!certs) goto end; 286 if (!certs)
268 if (!(certs_obj = TS_CONF_load_certs(certs))) goto err; 287 goto end;
269 if (!TS_RESP_CTX_set_certs(ctx, certs_obj)) goto err; 288 if (!(certs_obj = TS_CONF_load_certs(certs)))
270 end: 289 goto err;
290 if (!TS_RESP_CTX_set_certs(ctx, certs_obj))
291 goto err;
292
293end:
271 ret = 1; 294 ret = 1;
272 err: 295err:
273 sk_X509_pop_free(certs_obj, X509_free); 296 sk_X509_pop_free(certs_obj, X509_free);
274 return ret; 297 return ret;
275 } 298}
276 299
277int TS_CONF_set_signer_key(CONF *conf, const char *section, 300int
278 const char *key, const char *pass, 301TS_CONF_set_signer_key(CONF *conf, const char *section, const char *key,
279 TS_RESP_CTX *ctx) 302 const char *pass, TS_RESP_CTX *ctx)
280 { 303{
281 int ret = 0; 304 int ret = 0;
282 EVP_PKEY *key_obj = NULL; 305 EVP_PKEY *key_obj = NULL;
283 if (!key) 306
284 key = NCONF_get_string(conf, section, ENV_SIGNER_KEY);
285 if (!key) 307 if (!key)
286 { 308 key = NCONF_get_string(conf, section, ENV_SIGNER_KEY);
309 if (!key) {
287 TS_CONF_lookup_fail(section, ENV_SIGNER_KEY); 310 TS_CONF_lookup_fail(section, ENV_SIGNER_KEY);
288 goto err; 311 goto err;
289 } 312 }
290 if (!(key_obj = TS_CONF_load_key(key, pass))) goto err; 313 if (!(key_obj = TS_CONF_load_key(key, pass)))
291 if (!TS_RESP_CTX_set_signer_key(ctx, key_obj)) goto err; 314 goto err;
315 if (!TS_RESP_CTX_set_signer_key(ctx, key_obj))
316 goto err;
292 317
293 ret = 1; 318 ret = 1;
294 err: 319
320err:
295 EVP_PKEY_free(key_obj); 321 EVP_PKEY_free(key_obj);
296 return ret; 322 return ret;
297 } 323}
298 324
299int TS_CONF_set_def_policy(CONF *conf, const char *section, 325int
300 const char *policy, TS_RESP_CTX *ctx) 326TS_CONF_set_def_policy(CONF *conf, const char *section, const char *policy,
301 { 327 TS_RESP_CTX *ctx)
328{
302 int ret = 0; 329 int ret = 0;
303 ASN1_OBJECT *policy_obj = NULL; 330 ASN1_OBJECT *policy_obj = NULL;
304 if (!policy) 331
305 policy = NCONF_get_string(conf, section, 332 if (!policy)
306 ENV_DEFAULT_POLICY); 333 policy = NCONF_get_string(conf, section, ENV_DEFAULT_POLICY);
307 if (!policy) 334 if (!policy) {
308 {
309 TS_CONF_lookup_fail(section, ENV_DEFAULT_POLICY); 335 TS_CONF_lookup_fail(section, ENV_DEFAULT_POLICY);
310 goto err; 336 goto err;
311 } 337 }
312 if (!(policy_obj = OBJ_txt2obj(policy, 0))) 338 if (!(policy_obj = OBJ_txt2obj(policy, 0))) {
313 {
314 TS_CONF_invalid(section, ENV_DEFAULT_POLICY); 339 TS_CONF_invalid(section, ENV_DEFAULT_POLICY);
315 goto err; 340 goto err;
316 } 341 }
317 if (!TS_RESP_CTX_set_def_policy(ctx, policy_obj)) 342 if (!TS_RESP_CTX_set_def_policy(ctx, policy_obj))
318 goto err; 343 goto err;
319 344
320 ret = 1; 345 ret = 1;
321 err: 346
347err:
322 ASN1_OBJECT_free(policy_obj); 348 ASN1_OBJECT_free(policy_obj);
323 return ret; 349 return ret;
324 } 350}
325 351
326int TS_CONF_set_policies(CONF *conf, const char *section, 352int
327 TS_RESP_CTX *ctx) 353TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx)
328 { 354{
329 int ret = 0; 355 int ret = 0;
330 int i; 356 int i;
331 STACK_OF(CONF_VALUE) *list = NULL; 357 STACK_OF(CONF_VALUE) *list = NULL;
332 char *policies = NCONF_get_string(conf, section, 358 char *policies = NCONF_get_string(conf, section, ENV_OTHER_POLICIES);
333 ENV_OTHER_POLICIES); 359
334 /* If no other policy is specified, that's fine. */ 360 /* If no other policy is specified, that's fine. */
335 if (policies && !(list = X509V3_parse_list(policies))) 361 if (policies && !(list = X509V3_parse_list(policies))) {
336 {
337 TS_CONF_invalid(section, ENV_OTHER_POLICIES); 362 TS_CONF_invalid(section, ENV_OTHER_POLICIES);
338 goto err; 363 goto err;
339 } 364 }
340 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) 365 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
341 {
342 CONF_VALUE *val = sk_CONF_VALUE_value(list, i); 366 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
343 const char *extval = val->value ? val->value : val->name; 367 const char *extval = val->value ? val->value : val->name;
344 ASN1_OBJECT *objtmp; 368 ASN1_OBJECT *objtmp;
345 if (!(objtmp = OBJ_txt2obj(extval, 0))) 369 if (!(objtmp = OBJ_txt2obj(extval, 0))) {
346 {
347 TS_CONF_invalid(section, ENV_OTHER_POLICIES); 370 TS_CONF_invalid(section, ENV_OTHER_POLICIES);
348 goto err; 371 goto err;
349 } 372 }
350 if (!TS_RESP_CTX_add_policy(ctx, objtmp)) 373 if (!TS_RESP_CTX_add_policy(ctx, objtmp))
351 goto err; 374 goto err;
352 ASN1_OBJECT_free(objtmp); 375 ASN1_OBJECT_free(objtmp);
353 } 376 }
354 377
355 ret = 1; 378 ret = 1;
356 err: 379
380err:
357 sk_CONF_VALUE_pop_free(list, X509V3_conf_free); 381 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
358 return ret; 382 return ret;
359 } 383}
360 384
361int TS_CONF_set_digests(CONF *conf, const char *section, 385int
362 TS_RESP_CTX *ctx) 386TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx)
363 { 387{
364 int ret = 0; 388 int ret = 0;
365 int i; 389 int i;
366 STACK_OF(CONF_VALUE) *list = NULL; 390 STACK_OF(CONF_VALUE) *list = NULL;
367 char *digests = NCONF_get_string(conf, section, ENV_DIGESTS); 391 char *digests = NCONF_get_string(conf, section, ENV_DIGESTS);
368 if (!digests) 392
369 { 393 if (!digests) {
370 TS_CONF_lookup_fail(section, ENV_DIGESTS); 394 TS_CONF_lookup_fail(section, ENV_DIGESTS);
371 goto err; 395 goto err;
372 } 396 }
373 if (!(list = X509V3_parse_list(digests))) 397 if (!(list = X509V3_parse_list(digests))) {
374 {
375 TS_CONF_invalid(section, ENV_DIGESTS); 398 TS_CONF_invalid(section, ENV_DIGESTS);
376 goto err; 399 goto err;
377 } 400 }
378 if (sk_CONF_VALUE_num(list) == 0) 401 if (sk_CONF_VALUE_num(list) == 0) {
379 {
380 TS_CONF_invalid(section, ENV_DIGESTS); 402 TS_CONF_invalid(section, ENV_DIGESTS);
381 goto err; 403 goto err;
382 } 404 }
383 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) 405 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
384 {
385 CONF_VALUE *val = sk_CONF_VALUE_value(list, i); 406 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
386 const char *extval = val->value ? val->value : val->name; 407 const char *extval = val->value ? val->value : val->name;
387 const EVP_MD *md; 408 const EVP_MD *md;
388 if (!(md = EVP_get_digestbyname(extval))) 409 if (!(md = EVP_get_digestbyname(extval))) {
389 {
390 TS_CONF_invalid(section, ENV_DIGESTS); 410 TS_CONF_invalid(section, ENV_DIGESTS);
391 goto err; 411 goto err;
392 } 412 }
393 if (!TS_RESP_CTX_add_md(ctx, md)) 413 if (!TS_RESP_CTX_add_md(ctx, md))
394 goto err; 414 goto err;
395 } 415 }
396 416
397 ret = 1; 417 ret = 1;
398 err: 418
419err:
399 sk_CONF_VALUE_pop_free(list, X509V3_conf_free); 420 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
400 return ret; 421 return ret;
401 } 422}
402 423
403int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx) 424int
404 { 425TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx)
426{
405 int ret = 0; 427 int ret = 0;
406 int i; 428 int i;
407 int secs = 0, millis = 0, micros = 0; 429 int secs = 0, millis = 0, micros = 0;
408 STACK_OF(CONF_VALUE) *list = NULL; 430 STACK_OF(CONF_VALUE) *list = NULL;
409 char *accuracy = NCONF_get_string(conf, section, ENV_ACCURACY); 431 char *accuracy = NCONF_get_string(conf, section, ENV_ACCURACY);
410 432
411 if (accuracy && !(list = X509V3_parse_list(accuracy))) 433 if (accuracy && !(list = X509V3_parse_list(accuracy))) {
412 {
413 TS_CONF_invalid(section, ENV_ACCURACY); 434 TS_CONF_invalid(section, ENV_ACCURACY);
414 goto err; 435 goto err;
415 } 436 }
416 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) 437 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
417 {
418 CONF_VALUE *val = sk_CONF_VALUE_value(list, i); 438 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
419 if (strcmp(val->name, ENV_VALUE_SECS) == 0) 439 if (strcmp(val->name, ENV_VALUE_SECS) == 0) {
420 { 440 if (val->value)
421 if (val->value) secs = atoi(val->value); 441 secs = atoi(val->value);
422 } 442 } else if (strcmp(val->name, ENV_VALUE_MILLISECS) == 0) {
423 else if (strcmp(val->name, ENV_VALUE_MILLISECS) == 0) 443 if (val->value)
424 { 444 millis = atoi(val->value);
425 if (val->value) millis = atoi(val->value); 445 } else if (strcmp(val->name, ENV_VALUE_MICROSECS) == 0) {
426 } 446 if (val->value)
427 else if (strcmp(val->name, ENV_VALUE_MICROSECS) == 0) 447 micros = atoi(val->value);
428 { 448 } else {
429 if (val->value) micros = atoi(val->value);
430 }
431 else
432 {
433 TS_CONF_invalid(section, ENV_ACCURACY); 449 TS_CONF_invalid(section, ENV_ACCURACY);
434 goto err; 450 goto err;
435 }
436 } 451 }
452 }
437 if (!TS_RESP_CTX_set_accuracy(ctx, secs, millis, micros)) 453 if (!TS_RESP_CTX_set_accuracy(ctx, secs, millis, micros))
438 goto err; 454 goto err;
439 455
440 ret = 1; 456 ret = 1;
441 err: 457
458err:
442 sk_CONF_VALUE_pop_free(list, X509V3_conf_free); 459 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
443 return ret; 460 return ret;
444 } 461}
445 462
446int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section, 463int
447 TS_RESP_CTX *ctx) 464TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
448 { 465 TS_RESP_CTX *ctx)
466{
449 int ret = 0; 467 int ret = 0;
450 long digits = 0; 468 long digits = 0;
451 469
452 /* If not specified, set the default value to 0, i.e. sec precision */ 470 /* If not specified, set the default value to 0, i.e. sec precision */
453 if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS, 471 if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
454 &digits)) 472 &digits))
455 digits = 0; 473 digits = 0;
456 if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS) 474 if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS) {
457 {
458 TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS); 475 TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
459 goto err; 476 goto err;
460 } 477 }
461 478
462 if (!TS_RESP_CTX_set_clock_precision_digits(ctx, digits)) 479 if (!TS_RESP_CTX_set_clock_precision_digits(ctx, digits))
463 goto err; 480 goto err;
464 481
465 return 1; 482 return 1;
466 err: 483
484err:
467 return ret; 485 return ret;
468 } 486}
469 487
470static int TS_CONF_add_flag(CONF *conf, const char *section, const char *field, 488static int
471 int flag, TS_RESP_CTX *ctx) 489TS_CONF_add_flag(CONF *conf, const char *section, const char *field, int flag,
472 { 490 TS_RESP_CTX *ctx)
491{
473 /* Default is false. */ 492 /* Default is false. */
474 const char *value = NCONF_get_string(conf, section, field); 493 const char *value = NCONF_get_string(conf, section, field);
475 if (value) 494
476 { 495 if (value) {
477 if (strcmp(value, ENV_VALUE_YES) == 0) 496 if (strcmp(value, ENV_VALUE_YES) == 0)
478 TS_RESP_CTX_add_flags(ctx, flag); 497 TS_RESP_CTX_add_flags(ctx, flag);
479 else if (strcmp(value, ENV_VALUE_NO) != 0) 498 else if (strcmp(value, ENV_VALUE_NO) != 0) {
480 {
481 TS_CONF_invalid(section, field); 499 TS_CONF_invalid(section, field);
482 return 0; 500 return 0;
483 }
484 } 501 }
502 }
485 503
486 return 1; 504 return 1;
487 } 505}
488 506
489int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx) 507int
490 { 508TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx)
509{
491 return TS_CONF_add_flag(conf, section, ENV_ORDERING, TS_ORDERING, ctx); 510 return TS_CONF_add_flag(conf, section, ENV_ORDERING, TS_ORDERING, ctx);
492 } 511}
493 512
494int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx) 513int
495 { 514TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx)
515{
496 return TS_CONF_add_flag(conf, section, ENV_TSA_NAME, TS_TSA_NAME, ctx); 516 return TS_CONF_add_flag(conf, section, ENV_TSA_NAME, TS_TSA_NAME, ctx);
497 } 517}
498 518
499int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, 519int
500 TS_RESP_CTX *ctx) 520TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, TS_RESP_CTX *ctx)
501 { 521{
502 return TS_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN, 522 return TS_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN,
503 TS_ESS_CERT_ID_CHAIN, ctx); 523 TS_ESS_CERT_ID_CHAIN, ctx);
504 } 524}
diff --git a/src/lib/libssl/src/crypto/ts/ts_err.c b/src/lib/libssl/src/crypto/ts/ts_err.c
index a08b0ffa23..1185d22fd7 100644
--- a/src/lib/libssl/src/crypto/ts/ts_err.c
+++ b/src/lib/libssl/src/crypto/ts/ts_err.c
@@ -7,7 +7,7 @@
7 * are met: 7 * are met:
8 * 8 *
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 11 *
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in 13 * notice, this list of conditions and the following disclaimer in
@@ -68,112 +68,109 @@
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0) 68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_TS,0,reason) 69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_TS,0,reason)
70 70
71static ERR_STRING_DATA TS_str_functs[]= 71static ERR_STRING_DATA TS_str_functs[] = {
72 { 72 {ERR_FUNC(TS_F_D2I_TS_RESP), "d2i_TS_RESP"},
73{ERR_FUNC(TS_F_D2I_TS_RESP), "d2i_TS_RESP"}, 73 {ERR_FUNC(TS_F_DEF_SERIAL_CB), "DEF_SERIAL_CB"},
74{ERR_FUNC(TS_F_DEF_SERIAL_CB), "DEF_SERIAL_CB"}, 74 {ERR_FUNC(TS_F_DEF_TIME_CB), "DEF_TIME_CB"},
75{ERR_FUNC(TS_F_DEF_TIME_CB), "DEF_TIME_CB"}, 75 {ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT), "ESS_ADD_SIGNING_CERT"},
76{ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT), "ESS_ADD_SIGNING_CERT"}, 76 {ERR_FUNC(TS_F_ESS_CERT_ID_NEW_INIT), "ESS_CERT_ID_NEW_INIT"},
77{ERR_FUNC(TS_F_ESS_CERT_ID_NEW_INIT), "ESS_CERT_ID_NEW_INIT"}, 77 {ERR_FUNC(TS_F_ESS_SIGNING_CERT_NEW_INIT), "ESS_SIGNING_CERT_NEW_INIT"},
78{ERR_FUNC(TS_F_ESS_SIGNING_CERT_NEW_INIT), "ESS_SIGNING_CERT_NEW_INIT"}, 78 {ERR_FUNC(TS_F_INT_TS_RESP_VERIFY_TOKEN), "INT_TS_RESP_VERIFY_TOKEN"},
79{ERR_FUNC(TS_F_INT_TS_RESP_VERIFY_TOKEN), "INT_TS_RESP_VERIFY_TOKEN"}, 79 {ERR_FUNC(TS_F_PKCS7_TO_TS_TST_INFO), "PKCS7_to_TS_TST_INFO"},
80{ERR_FUNC(TS_F_PKCS7_TO_TS_TST_INFO), "PKCS7_to_TS_TST_INFO"}, 80 {ERR_FUNC(TS_F_TS_ACCURACY_SET_MICROS), "TS_ACCURACY_set_micros"},
81{ERR_FUNC(TS_F_TS_ACCURACY_SET_MICROS), "TS_ACCURACY_set_micros"}, 81 {ERR_FUNC(TS_F_TS_ACCURACY_SET_MILLIS), "TS_ACCURACY_set_millis"},
82{ERR_FUNC(TS_F_TS_ACCURACY_SET_MILLIS), "TS_ACCURACY_set_millis"}, 82 {ERR_FUNC(TS_F_TS_ACCURACY_SET_SECONDS), "TS_ACCURACY_set_seconds"},
83{ERR_FUNC(TS_F_TS_ACCURACY_SET_SECONDS), "TS_ACCURACY_set_seconds"}, 83 {ERR_FUNC(TS_F_TS_CHECK_IMPRINTS), "TS_CHECK_IMPRINTS"},
84{ERR_FUNC(TS_F_TS_CHECK_IMPRINTS), "TS_CHECK_IMPRINTS"}, 84 {ERR_FUNC(TS_F_TS_CHECK_NONCES), "TS_CHECK_NONCES"},
85{ERR_FUNC(TS_F_TS_CHECK_NONCES), "TS_CHECK_NONCES"}, 85 {ERR_FUNC(TS_F_TS_CHECK_POLICY), "TS_CHECK_POLICY"},
86{ERR_FUNC(TS_F_TS_CHECK_POLICY), "TS_CHECK_POLICY"}, 86 {ERR_FUNC(TS_F_TS_CHECK_SIGNING_CERTS), "TS_CHECK_SIGNING_CERTS"},
87{ERR_FUNC(TS_F_TS_CHECK_SIGNING_CERTS), "TS_CHECK_SIGNING_CERTS"}, 87 {ERR_FUNC(TS_F_TS_CHECK_STATUS_INFO), "TS_CHECK_STATUS_INFO"},
88{ERR_FUNC(TS_F_TS_CHECK_STATUS_INFO), "TS_CHECK_STATUS_INFO"}, 88 {ERR_FUNC(TS_F_TS_COMPUTE_IMPRINT), "TS_COMPUTE_IMPRINT"},
89{ERR_FUNC(TS_F_TS_COMPUTE_IMPRINT), "TS_COMPUTE_IMPRINT"}, 89 {ERR_FUNC(TS_F_TS_CONF_SET_DEFAULT_ENGINE), "TS_CONF_set_default_engine"},
90{ERR_FUNC(TS_F_TS_CONF_SET_DEFAULT_ENGINE), "TS_CONF_set_default_engine"}, 90 {ERR_FUNC(TS_F_TS_GET_STATUS_TEXT), "TS_GET_STATUS_TEXT"},
91{ERR_FUNC(TS_F_TS_GET_STATUS_TEXT), "TS_GET_STATUS_TEXT"}, 91 {ERR_FUNC(TS_F_TS_MSG_IMPRINT_SET_ALGO), "TS_MSG_IMPRINT_set_algo"},
92{ERR_FUNC(TS_F_TS_MSG_IMPRINT_SET_ALGO), "TS_MSG_IMPRINT_set_algo"}, 92 {ERR_FUNC(TS_F_TS_REQ_SET_MSG_IMPRINT), "TS_REQ_set_msg_imprint"},
93{ERR_FUNC(TS_F_TS_REQ_SET_MSG_IMPRINT), "TS_REQ_set_msg_imprint"}, 93 {ERR_FUNC(TS_F_TS_REQ_SET_NONCE), "TS_REQ_set_nonce"},
94{ERR_FUNC(TS_F_TS_REQ_SET_NONCE), "TS_REQ_set_nonce"}, 94 {ERR_FUNC(TS_F_TS_REQ_SET_POLICY_ID), "TS_REQ_set_policy_id"},
95{ERR_FUNC(TS_F_TS_REQ_SET_POLICY_ID), "TS_REQ_set_policy_id"}, 95 {ERR_FUNC(TS_F_TS_RESP_CREATE_RESPONSE), "TS_RESP_create_response"},
96{ERR_FUNC(TS_F_TS_RESP_CREATE_RESPONSE), "TS_RESP_create_response"}, 96 {ERR_FUNC(TS_F_TS_RESP_CREATE_TST_INFO), "TS_RESP_CREATE_TST_INFO"},
97{ERR_FUNC(TS_F_TS_RESP_CREATE_TST_INFO), "TS_RESP_CREATE_TST_INFO"}, 97 {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO), "TS_RESP_CTX_add_failure_info"},
98{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO), "TS_RESP_CTX_add_failure_info"}, 98 {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_MD), "TS_RESP_CTX_add_md"},
99{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_MD), "TS_RESP_CTX_add_md"}, 99 {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_POLICY), "TS_RESP_CTX_add_policy"},
100{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_POLICY), "TS_RESP_CTX_add_policy"}, 100 {ERR_FUNC(TS_F_TS_RESP_CTX_NEW), "TS_RESP_CTX_new"},
101{ERR_FUNC(TS_F_TS_RESP_CTX_NEW), "TS_RESP_CTX_new"}, 101 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_ACCURACY), "TS_RESP_CTX_set_accuracy"},
102{ERR_FUNC(TS_F_TS_RESP_CTX_SET_ACCURACY), "TS_RESP_CTX_set_accuracy"}, 102 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_CERTS), "TS_RESP_CTX_set_certs"},
103{ERR_FUNC(TS_F_TS_RESP_CTX_SET_CERTS), "TS_RESP_CTX_set_certs"}, 103 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_DEF_POLICY), "TS_RESP_CTX_set_def_policy"},
104{ERR_FUNC(TS_F_TS_RESP_CTX_SET_DEF_POLICY), "TS_RESP_CTX_set_def_policy"}, 104 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_SIGNER_CERT), "TS_RESP_CTX_set_signer_cert"},
105{ERR_FUNC(TS_F_TS_RESP_CTX_SET_SIGNER_CERT), "TS_RESP_CTX_set_signer_cert"}, 105 {ERR_FUNC(TS_F_TS_RESP_CTX_SET_STATUS_INFO), "TS_RESP_CTX_set_status_info"},
106{ERR_FUNC(TS_F_TS_RESP_CTX_SET_STATUS_INFO), "TS_RESP_CTX_set_status_info"}, 106 {ERR_FUNC(TS_F_TS_RESP_GET_POLICY), "TS_RESP_GET_POLICY"},
107{ERR_FUNC(TS_F_TS_RESP_GET_POLICY), "TS_RESP_GET_POLICY"}, 107 {ERR_FUNC(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION), "TS_RESP_SET_GENTIME_WITH_PRECISION"},
108{ERR_FUNC(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION), "TS_RESP_SET_GENTIME_WITH_PRECISION"}, 108 {ERR_FUNC(TS_F_TS_RESP_SET_STATUS_INFO), "TS_RESP_set_status_info"},
109{ERR_FUNC(TS_F_TS_RESP_SET_STATUS_INFO), "TS_RESP_set_status_info"}, 109 {ERR_FUNC(TS_F_TS_RESP_SET_TST_INFO), "TS_RESP_set_tst_info"},
110{ERR_FUNC(TS_F_TS_RESP_SET_TST_INFO), "TS_RESP_set_tst_info"}, 110 {ERR_FUNC(TS_F_TS_RESP_SIGN), "TS_RESP_SIGN"},
111{ERR_FUNC(TS_F_TS_RESP_SIGN), "TS_RESP_SIGN"}, 111 {ERR_FUNC(TS_F_TS_RESP_VERIFY_SIGNATURE), "TS_RESP_verify_signature"},
112{ERR_FUNC(TS_F_TS_RESP_VERIFY_SIGNATURE), "TS_RESP_verify_signature"}, 112 {ERR_FUNC(TS_F_TS_RESP_VERIFY_TOKEN), "TS_RESP_verify_token"},
113{ERR_FUNC(TS_F_TS_RESP_VERIFY_TOKEN), "TS_RESP_verify_token"}, 113 {ERR_FUNC(TS_F_TS_TST_INFO_SET_ACCURACY), "TS_TST_INFO_set_accuracy"},
114{ERR_FUNC(TS_F_TS_TST_INFO_SET_ACCURACY), "TS_TST_INFO_set_accuracy"}, 114 {ERR_FUNC(TS_F_TS_TST_INFO_SET_MSG_IMPRINT), "TS_TST_INFO_set_msg_imprint"},
115{ERR_FUNC(TS_F_TS_TST_INFO_SET_MSG_IMPRINT), "TS_TST_INFO_set_msg_imprint"}, 115 {ERR_FUNC(TS_F_TS_TST_INFO_SET_NONCE), "TS_TST_INFO_set_nonce"},
116{ERR_FUNC(TS_F_TS_TST_INFO_SET_NONCE), "TS_TST_INFO_set_nonce"}, 116 {ERR_FUNC(TS_F_TS_TST_INFO_SET_POLICY_ID), "TS_TST_INFO_set_policy_id"},
117{ERR_FUNC(TS_F_TS_TST_INFO_SET_POLICY_ID), "TS_TST_INFO_set_policy_id"}, 117 {ERR_FUNC(TS_F_TS_TST_INFO_SET_SERIAL), "TS_TST_INFO_set_serial"},
118{ERR_FUNC(TS_F_TS_TST_INFO_SET_SERIAL), "TS_TST_INFO_set_serial"}, 118 {ERR_FUNC(TS_F_TS_TST_INFO_SET_TIME), "TS_TST_INFO_set_time"},
119{ERR_FUNC(TS_F_TS_TST_INFO_SET_TIME), "TS_TST_INFO_set_time"}, 119 {ERR_FUNC(TS_F_TS_TST_INFO_SET_TSA), "TS_TST_INFO_set_tsa"},
120{ERR_FUNC(TS_F_TS_TST_INFO_SET_TSA), "TS_TST_INFO_set_tsa"}, 120 {ERR_FUNC(TS_F_TS_VERIFY), "TS_VERIFY"},
121{ERR_FUNC(TS_F_TS_VERIFY), "TS_VERIFY"}, 121 {ERR_FUNC(TS_F_TS_VERIFY_CERT), "TS_VERIFY_CERT"},
122{ERR_FUNC(TS_F_TS_VERIFY_CERT), "TS_VERIFY_CERT"}, 122 {ERR_FUNC(TS_F_TS_VERIFY_CTX_NEW), "TS_VERIFY_CTX_new"},
123{ERR_FUNC(TS_F_TS_VERIFY_CTX_NEW), "TS_VERIFY_CTX_new"}, 123 {0, NULL}
124{0,NULL} 124};
125 };
126 125
127static ERR_STRING_DATA TS_str_reasons[]= 126static ERR_STRING_DATA TS_str_reasons[]= {
128 { 127 {ERR_REASON(TS_R_BAD_PKCS7_TYPE) , "bad pkcs7 type"},
129{ERR_REASON(TS_R_BAD_PKCS7_TYPE) ,"bad pkcs7 type"}, 128 {ERR_REASON(TS_R_BAD_TYPE) , "bad type"},
130{ERR_REASON(TS_R_BAD_TYPE) ,"bad type"}, 129 {ERR_REASON(TS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
131{ERR_REASON(TS_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"}, 130 {ERR_REASON(TS_R_COULD_NOT_SET_ENGINE) , "could not set engine"},
132{ERR_REASON(TS_R_COULD_NOT_SET_ENGINE) ,"could not set engine"}, 131 {ERR_REASON(TS_R_COULD_NOT_SET_TIME) , "could not set time"},
133{ERR_REASON(TS_R_COULD_NOT_SET_TIME) ,"could not set time"}, 132 {ERR_REASON(TS_R_D2I_TS_RESP_INT_FAILED) , "d2i ts resp int failed"},
134{ERR_REASON(TS_R_D2I_TS_RESP_INT_FAILED) ,"d2i ts resp int failed"}, 133 {ERR_REASON(TS_R_DETACHED_CONTENT) , "detached content"},
135{ERR_REASON(TS_R_DETACHED_CONTENT) ,"detached content"}, 134 {ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR), "ess add signing cert error"},
136{ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR),"ess add signing cert error"}, 135 {ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR), "ess signing certificate error"},
137{ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR),"ess signing certificate error"}, 136 {ERR_REASON(TS_R_INVALID_NULL_POINTER) , "invalid null pointer"},
138{ERR_REASON(TS_R_INVALID_NULL_POINTER) ,"invalid null pointer"}, 137 {ERR_REASON(TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE), "invalid signer certificate purpose"},
139{ERR_REASON(TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE),"invalid signer certificate purpose"}, 138 {ERR_REASON(TS_R_MESSAGE_IMPRINT_MISMATCH), "message imprint mismatch"},
140{ERR_REASON(TS_R_MESSAGE_IMPRINT_MISMATCH),"message imprint mismatch"}, 139 {ERR_REASON(TS_R_NONCE_MISMATCH) , "nonce mismatch"},
141{ERR_REASON(TS_R_NONCE_MISMATCH) ,"nonce mismatch"}, 140 {ERR_REASON(TS_R_NONCE_NOT_RETURNED) , "nonce not returned"},
142{ERR_REASON(TS_R_NONCE_NOT_RETURNED) ,"nonce not returned"}, 141 {ERR_REASON(TS_R_NO_CONTENT) , "no content"},
143{ERR_REASON(TS_R_NO_CONTENT) ,"no content"}, 142 {ERR_REASON(TS_R_NO_TIME_STAMP_TOKEN) , "no time stamp token"},
144{ERR_REASON(TS_R_NO_TIME_STAMP_TOKEN) ,"no time stamp token"}, 143 {ERR_REASON(TS_R_PKCS7_ADD_SIGNATURE_ERROR), "pkcs7 add signature error"},
145{ERR_REASON(TS_R_PKCS7_ADD_SIGNATURE_ERROR),"pkcs7 add signature error"}, 144 {ERR_REASON(TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR), "pkcs7 add signed attr error"},
146{ERR_REASON(TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR),"pkcs7 add signed attr error"}, 145 {ERR_REASON(TS_R_PKCS7_TO_TS_TST_INFO_FAILED), "pkcs7 to ts tst info failed"},
147{ERR_REASON(TS_R_PKCS7_TO_TS_TST_INFO_FAILED),"pkcs7 to ts tst info failed"}, 146 {ERR_REASON(TS_R_POLICY_MISMATCH) , "policy mismatch"},
148{ERR_REASON(TS_R_POLICY_MISMATCH) ,"policy mismatch"}, 147 {ERR_REASON(TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"},
149{ERR_REASON(TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"}, 148 {ERR_REASON(TS_R_RESPONSE_SETUP_ERROR) , "response setup error"},
150{ERR_REASON(TS_R_RESPONSE_SETUP_ERROR) ,"response setup error"}, 149 {ERR_REASON(TS_R_SIGNATURE_FAILURE) , "signature failure"},
151{ERR_REASON(TS_R_SIGNATURE_FAILURE) ,"signature failure"}, 150 {ERR_REASON(TS_R_THERE_MUST_BE_ONE_SIGNER), "there must be one signer"},
152{ERR_REASON(TS_R_THERE_MUST_BE_ONE_SIGNER),"there must be one signer"}, 151 {ERR_REASON(TS_R_TIME_SYSCALL_ERROR) , "time syscall error"},
153{ERR_REASON(TS_R_TIME_SYSCALL_ERROR) ,"time syscall error"}, 152 {ERR_REASON(TS_R_TOKEN_NOT_PRESENT) , "token not present"},
154{ERR_REASON(TS_R_TOKEN_NOT_PRESENT) ,"token not present"}, 153 {ERR_REASON(TS_R_TOKEN_PRESENT) , "token present"},
155{ERR_REASON(TS_R_TOKEN_PRESENT) ,"token present"}, 154 {ERR_REASON(TS_R_TSA_NAME_MISMATCH) , "tsa name mismatch"},
156{ERR_REASON(TS_R_TSA_NAME_MISMATCH) ,"tsa name mismatch"}, 155 {ERR_REASON(TS_R_TSA_UNTRUSTED) , "tsa untrusted"},
157{ERR_REASON(TS_R_TSA_UNTRUSTED) ,"tsa untrusted"}, 156 {ERR_REASON(TS_R_TST_INFO_SETUP_ERROR) , "tst info setup error"},
158{ERR_REASON(TS_R_TST_INFO_SETUP_ERROR) ,"tst info setup error"}, 157 {ERR_REASON(TS_R_TS_DATASIGN) , "ts datasign"},
159{ERR_REASON(TS_R_TS_DATASIGN) ,"ts datasign"}, 158 {ERR_REASON(TS_R_UNACCEPTABLE_POLICY) , "unacceptable policy"},
160{ERR_REASON(TS_R_UNACCEPTABLE_POLICY) ,"unacceptable policy"}, 159 {ERR_REASON(TS_R_UNSUPPORTED_MD_ALGORITHM), "unsupported md algorithm"},
161{ERR_REASON(TS_R_UNSUPPORTED_MD_ALGORITHM),"unsupported md algorithm"}, 160 {ERR_REASON(TS_R_UNSUPPORTED_VERSION) , "unsupported version"},
162{ERR_REASON(TS_R_UNSUPPORTED_VERSION) ,"unsupported version"}, 161 {ERR_REASON(TS_R_WRONG_CONTENT_TYPE) , "wrong content type"},
163{ERR_REASON(TS_R_WRONG_CONTENT_TYPE) ,"wrong content type"}, 162 {0, NULL}
164{0,NULL} 163};
165 };
166 164
167#endif 165#endif
168 166
169void ERR_load_TS_strings(void) 167void
170 { 168ERR_load_TS_strings(void)
169{
171#ifndef OPENSSL_NO_ERR 170#ifndef OPENSSL_NO_ERR
172 171 if (ERR_func_error_string(TS_str_functs[0].error) == NULL) {
173 if (ERR_func_error_string(TS_str_functs[0].error) == NULL) 172 ERR_load_strings(0, TS_str_functs);
174 { 173 ERR_load_strings(0, TS_str_reasons);
175 ERR_load_strings(0,TS_str_functs);
176 ERR_load_strings(0,TS_str_reasons);
177 }
178#endif
179 } 174 }
175#endif
176}
diff --git a/src/lib/libssl/src/crypto/ts/ts_lib.c b/src/lib/libssl/src/crypto/ts/ts_lib.c
index a8de801e28..81a5f23cd5 100644
--- a/src/lib/libssl/src/crypto/ts/ts_lib.c
+++ b/src/lib/libssl/src/crypto/ts/ts_lib.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -67,27 +67,28 @@
67 67
68/* Function definitions. */ 68/* Function definitions. */
69 69
70int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num) 70int
71 { 71TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num)
72{
72 BIGNUM num_bn; 73 BIGNUM num_bn;
73 int result = 0; 74 int result = 0;
74 char *hex; 75 char *hex;
75 76
76 BN_init(&num_bn); 77 BN_init(&num_bn);
77 ASN1_INTEGER_to_BN(num, &num_bn); 78 ASN1_INTEGER_to_BN(num, &num_bn);
78 if ((hex = BN_bn2hex(&num_bn))) 79 if ((hex = BN_bn2hex(&num_bn))) {
79 {
80 result = BIO_write(bio, "0x", 2) > 0; 80 result = BIO_write(bio, "0x", 2) > 0;
81 result = result && BIO_write(bio, hex, strlen(hex)) > 0; 81 result = result && BIO_write(bio, hex, strlen(hex)) > 0;
82 free(hex); 82 free(hex);
83 } 83 }
84 BN_free(&num_bn); 84 BN_free(&num_bn);
85 85
86 return result; 86 return result;
87 } 87}
88 88
89int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj) 89int
90 { 90TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
91{
91 char obj_txt[128]; 92 char obj_txt[128];
92 93
93 int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); 94 int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
@@ -95,51 +96,53 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
95 BIO_write(bio, "\n", 1); 96 BIO_write(bio, "\n", 1);
96 97
97 return 1; 98 return 1;
98 } 99}
99 100
100int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions) 101int
101 { 102TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions)
103{
102 int i, critical, n; 104 int i, critical, n;
103 X509_EXTENSION *ex; 105 X509_EXTENSION *ex;
104 ASN1_OBJECT *obj; 106 ASN1_OBJECT *obj;
105 107
106 BIO_printf(bio, "Extensions:\n"); 108 BIO_printf(bio, "Extensions:\n");
107 n = X509v3_get_ext_count(extensions); 109 n = X509v3_get_ext_count(extensions);
108 for (i = 0; i < n; i++) 110 for (i = 0; i < n; i++) {
109 {
110 ex = X509v3_get_ext(extensions, i); 111 ex = X509v3_get_ext(extensions, i);
111 obj = X509_EXTENSION_get_object(ex); 112 obj = X509_EXTENSION_get_object(ex);
112 i2a_ASN1_OBJECT(bio, obj); 113 i2a_ASN1_OBJECT(bio, obj);
113 critical = X509_EXTENSION_get_critical(ex); 114 critical = X509_EXTENSION_get_critical(ex);
114 BIO_printf(bio, ": %s\n", critical ? "critical" : ""); 115 BIO_printf(bio, ": %s\n", critical ? "critical" : "");
115 if (!X509V3_EXT_print(bio, ex, 0, 4)) 116 if (!X509V3_EXT_print(bio, ex, 0, 4)) {
116 {
117 BIO_printf(bio, "%4s", ""); 117 BIO_printf(bio, "%4s", "");
118 M_ASN1_OCTET_STRING_print(bio, ex->value); 118 M_ASN1_OCTET_STRING_print(bio, ex->value);
119 }
120 BIO_write(bio, "\n", 1);
121 } 119 }
120 BIO_write(bio, "\n", 1);
121 }
122 122
123 return 1; 123 return 1;
124 } 124}
125 125
126int TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg) 126int
127 { 127TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg)
128{
128 int i = OBJ_obj2nid(alg->algorithm); 129 int i = OBJ_obj2nid(alg->algorithm);
130
129 return BIO_printf(bio, "Hash Algorithm: %s\n", 131 return BIO_printf(bio, "Hash Algorithm: %s\n",
130 (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i)); 132 (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
131 } 133}
132 134
133int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a) 135int
134 { 136TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a)
137{
135 const ASN1_OCTET_STRING *msg; 138 const ASN1_OCTET_STRING *msg;
136 139
137 TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a)); 140 TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a));
138 141
139 BIO_printf(bio, "Message data:\n"); 142 BIO_printf(bio, "Message data:\n");
140 msg = TS_MSG_IMPRINT_get_msg(a); 143 msg = TS_MSG_IMPRINT_get_msg(a);
141 BIO_dump_indent(bio, (const char *)M_ASN1_STRING_data(msg), 144 BIO_dump_indent(bio, (const char *)M_ASN1_STRING_data(msg),
142 M_ASN1_STRING_length(msg), 4); 145 M_ASN1_STRING_length(msg), 4);
143 146
144 return 1; 147 return 1;
145 } 148}
diff --git a/src/lib/libssl/src/crypto/ts/ts_req_print.c b/src/lib/libssl/src/crypto/ts/ts_req_print.c
index eba12c3824..53bf0c8eb8 100644
--- a/src/lib/libssl/src/crypto/ts/ts_req_print.c
+++ b/src/lib/libssl/src/crypto/ts/ts_req_print.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -65,13 +65,15 @@
65 65
66/* Function definitions. */ 66/* Function definitions. */
67 67
68int TS_REQ_print_bio(BIO *bio, TS_REQ *a) 68int
69 { 69TS_REQ_print_bio(BIO *bio, TS_REQ *a)
70{
70 int v; 71 int v;
71 ASN1_OBJECT *policy_id; 72 ASN1_OBJECT *policy_id;
72 const ASN1_INTEGER *nonce; 73 const ASN1_INTEGER *nonce;
73 74
74 if (a == NULL) return 0; 75 if (a == NULL)
76 return 0;
75 77
76 v = TS_REQ_get_version(a); 78 v = TS_REQ_get_version(a);
77 BIO_printf(bio, "Version: %d\n", v); 79 BIO_printf(bio, "Version: %d\n", v);
@@ -82,7 +84,7 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a)
82 policy_id = TS_REQ_get_policy_id(a); 84 policy_id = TS_REQ_get_policy_id(a);
83 if (policy_id == NULL) 85 if (policy_id == NULL)
84 BIO_printf(bio, "unspecified\n"); 86 BIO_printf(bio, "unspecified\n");
85 else 87 else
86 TS_OBJ_print_bio(bio, policy_id); 88 TS_OBJ_print_bio(bio, policy_id);
87 89
88 BIO_printf(bio, "Nonce: "); 90 BIO_printf(bio, "Nonce: ");
@@ -93,10 +95,10 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a)
93 TS_ASN1_INTEGER_print_bio(bio, nonce); 95 TS_ASN1_INTEGER_print_bio(bio, nonce);
94 BIO_write(bio, "\n", 1); 96 BIO_write(bio, "\n", 1);
95 97
96 BIO_printf(bio, "Certificate required: %s\n", 98 BIO_printf(bio, "Certificate required: %s\n",
97 TS_REQ_get_cert_req(a) ? "yes" : "no"); 99 TS_REQ_get_cert_req(a) ? "yes" : "no");
98 100
99 TS_ext_print_bio(bio, TS_REQ_get_exts(a)); 101 TS_ext_print_bio(bio, TS_REQ_get_exts(a));
100 102
101 return 1; 103 return 1;
102 } 104}
diff --git a/src/lib/libssl/src/crypto/ts/ts_req_utils.c b/src/lib/libssl/src/crypto/ts/ts_req_utils.c
index 43280c1587..7518d7ab78 100644
--- a/src/lib/libssl/src/crypto/ts/ts_req_utils.c
+++ b/src/lib/libssl/src/crypto/ts/ts_req_utils.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,173 +62,193 @@
62#include <openssl/x509v3.h> 62#include <openssl/x509v3.h>
63#include <openssl/ts.h> 63#include <openssl/ts.h>
64 64
65int TS_REQ_set_version(TS_REQ *a, long version) 65int
66 { 66TS_REQ_set_version(TS_REQ *a, long version)
67{
67 return ASN1_INTEGER_set(a->version, version); 68 return ASN1_INTEGER_set(a->version, version);
68 } 69}
69 70
70long TS_REQ_get_version(const TS_REQ *a) 71long
71 { 72TS_REQ_get_version(const TS_REQ *a)
73{
72 return ASN1_INTEGER_get(a->version); 74 return ASN1_INTEGER_get(a->version);
73 } 75}
74 76
75int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint) 77int
76 { 78TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint)
79{
77 TS_MSG_IMPRINT *new_msg_imprint; 80 TS_MSG_IMPRINT *new_msg_imprint;
78 81
79 if (a->msg_imprint == msg_imprint) 82 if (a->msg_imprint == msg_imprint)
80 return 1; 83 return 1;
81 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint); 84 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint);
82 if (new_msg_imprint == NULL) 85 if (new_msg_imprint == NULL) {
83 {
84 TSerr(TS_F_TS_REQ_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE); 86 TSerr(TS_F_TS_REQ_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE);
85 return 0; 87 return 0;
86 } 88 }
87 TS_MSG_IMPRINT_free(a->msg_imprint); 89 TS_MSG_IMPRINT_free(a->msg_imprint);
88 a->msg_imprint = new_msg_imprint; 90 a->msg_imprint = new_msg_imprint;
89 return 1; 91 return 1;
90 } 92}
91 93
92TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a) 94TS_MSG_IMPRINT *
93 { 95TS_REQ_get_msg_imprint(TS_REQ *a)
96{
94 return a->msg_imprint; 97 return a->msg_imprint;
95 } 98}
96 99
97int TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg) 100int
98 { 101TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg)
102{
99 X509_ALGOR *new_alg; 103 X509_ALGOR *new_alg;
100 104
101 if (a->hash_algo == alg) 105 if (a->hash_algo == alg)
102 return 1; 106 return 1;
103 new_alg = X509_ALGOR_dup(alg); 107 new_alg = X509_ALGOR_dup(alg);
104 if (new_alg == NULL) 108 if (new_alg == NULL) {
105 {
106 TSerr(TS_F_TS_MSG_IMPRINT_SET_ALGO, ERR_R_MALLOC_FAILURE); 109 TSerr(TS_F_TS_MSG_IMPRINT_SET_ALGO, ERR_R_MALLOC_FAILURE);
107 return 0; 110 return 0;
108 } 111 }
109 X509_ALGOR_free(a->hash_algo); 112 X509_ALGOR_free(a->hash_algo);
110 a->hash_algo = new_alg; 113 a->hash_algo = new_alg;
111 return 1; 114 return 1;
112 } 115}
113 116
114X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a) 117X509_ALGOR *
115 { 118TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a)
119{
116 return a->hash_algo; 120 return a->hash_algo;
117 } 121}
118 122
119int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len) 123int
120 { 124TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len)
125{
121 return ASN1_OCTET_STRING_set(a->hashed_msg, d, len); 126 return ASN1_OCTET_STRING_set(a->hashed_msg, d, len);
122 } 127}
123 128
124ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a) 129ASN1_OCTET_STRING *
125 { 130TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a)
131{
126 return a->hashed_msg; 132 return a->hashed_msg;
127 } 133}
128 134
129int TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy) 135int
130 { 136TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy)
137{
131 ASN1_OBJECT *new_policy; 138 ASN1_OBJECT *new_policy;
132 139
133 if (a->policy_id == policy) 140 if (a->policy_id == policy)
134 return 1; 141 return 1;
135 new_policy = OBJ_dup(policy); 142 new_policy = OBJ_dup(policy);
136 if (new_policy == NULL) 143 if (new_policy == NULL) {
137 {
138 TSerr(TS_F_TS_REQ_SET_POLICY_ID, ERR_R_MALLOC_FAILURE); 144 TSerr(TS_F_TS_REQ_SET_POLICY_ID, ERR_R_MALLOC_FAILURE);
139 return 0; 145 return 0;
140 } 146 }
141 ASN1_OBJECT_free(a->policy_id); 147 ASN1_OBJECT_free(a->policy_id);
142 a->policy_id = new_policy; 148 a->policy_id = new_policy;
143 return 1; 149 return 1;
144 } 150}
145 151
146ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a) 152ASN1_OBJECT *
147 { 153TS_REQ_get_policy_id(TS_REQ *a)
154{
148 return a->policy_id; 155 return a->policy_id;
149 } 156}
150 157
151int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce) 158int
152 { 159TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce)
160{
153 ASN1_INTEGER *new_nonce; 161 ASN1_INTEGER *new_nonce;
154 162
155 if (a->nonce == nonce) 163 if (a->nonce == nonce)
156 return 1; 164 return 1;
157 new_nonce = ASN1_INTEGER_dup(nonce); 165 new_nonce = ASN1_INTEGER_dup(nonce);
158 if (new_nonce == NULL) 166 if (new_nonce == NULL) {
159 {
160 TSerr(TS_F_TS_REQ_SET_NONCE, ERR_R_MALLOC_FAILURE); 167 TSerr(TS_F_TS_REQ_SET_NONCE, ERR_R_MALLOC_FAILURE);
161 return 0; 168 return 0;
162 } 169 }
163 ASN1_INTEGER_free(a->nonce); 170 ASN1_INTEGER_free(a->nonce);
164 a->nonce = new_nonce; 171 a->nonce = new_nonce;
165 return 1; 172 return 1;
166 } 173}
167 174
168const ASN1_INTEGER *TS_REQ_get_nonce(const TS_REQ *a) 175const ASN1_INTEGER *
169 { 176TS_REQ_get_nonce(const TS_REQ *a)
177{
170 return a->nonce; 178 return a->nonce;
171 } 179}
172 180
173int TS_REQ_set_cert_req(TS_REQ *a, int cert_req) 181int
174 { 182TS_REQ_set_cert_req(TS_REQ *a, int cert_req)
183{
175 a->cert_req = cert_req ? 0xFF : 0x00; 184 a->cert_req = cert_req ? 0xFF : 0x00;
176 return 1; 185 return 1;
177 } 186}
178 187
179int TS_REQ_get_cert_req(const TS_REQ *a) 188int
180 { 189TS_REQ_get_cert_req(const TS_REQ *a)
190{
181 return a->cert_req ? 1 : 0; 191 return a->cert_req ? 1 : 0;
182 } 192}
183 193
184STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a) 194STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a)
185 { 195{
186 return a->extensions; 196 return a->extensions;
187 } 197}
188 198
189void TS_REQ_ext_free(TS_REQ *a) 199void
190 { 200TS_REQ_ext_free(TS_REQ *a)
191 if (!a) return; 201{
202 if (!a)
203 return;
192 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free); 204 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free);
193 a->extensions = NULL; 205 a->extensions = NULL;
194 } 206}
195 207
196int TS_REQ_get_ext_count(TS_REQ *a) 208int
197 { 209TS_REQ_get_ext_count(TS_REQ *a)
210{
198 return X509v3_get_ext_count(a->extensions); 211 return X509v3_get_ext_count(a->extensions);
199 } 212}
200 213
201int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos) 214int
202 { 215TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos)
216{
203 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos); 217 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos);
204 } 218}
205 219
206int TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos) 220int
207 { 221TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos)
222{
208 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos); 223 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos);
209 } 224}
210 225
211int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos) 226int
212 { 227TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos)
228{
213 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos); 229 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
214 } 230}
215 231
216X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc) 232X509_EXTENSION *
217 { 233TS_REQ_get_ext(TS_REQ *a, int loc)
218 return X509v3_get_ext(a->extensions,loc); 234{
219 } 235 return X509v3_get_ext(a->extensions, loc);
220 236}
221X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc) 237
222 { 238X509_EXTENSION *
223 return X509v3_delete_ext(a->extensions,loc); 239TS_REQ_delete_ext(TS_REQ *a, int loc)
224 } 240{
225 241 return X509v3_delete_ext(a->extensions, loc);
226int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc) 242}
227 { 243
228 return X509v3_add_ext(&a->extensions,ex,loc) != NULL; 244int
229 } 245TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc)
230 246{
231void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx) 247 return X509v3_add_ext(&a->extensions, ex, loc) != NULL;
232 { 248}
249
250void *
251TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx)
252{
233 return X509V3_get_d2i(a->extensions, nid, crit, idx); 253 return X509V3_get_d2i(a->extensions, nid, crit, idx);
234 } 254}
diff --git a/src/lib/libssl/src/crypto/ts/ts_rsp_print.c b/src/lib/libssl/src/crypto/ts/ts_rsp_print.c
index 21062517ba..248674f4e5 100644
--- a/src/lib/libssl/src/crypto/ts/ts_rsp_print.c
+++ b/src/lib/libssl/src/crypto/ts/ts_rsp_print.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -63,22 +63,22 @@
63#include <openssl/x509v3.h> 63#include <openssl/x509v3.h>
64#include "ts.h" 64#include "ts.h"
65 65
66struct status_map_st 66struct status_map_st {
67 {
68 int bit; 67 int bit;
69 const char *text; 68 const char *text;
70 }; 69};
71 70
72/* Local function declarations. */ 71/* Local function declarations. */
73 72
74static int TS_status_map_print(BIO *bio, struct status_map_st *a, 73static int TS_status_map_print(BIO *bio, struct status_map_st *a,
75 ASN1_BIT_STRING *v); 74 ASN1_BIT_STRING *v);
76static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy); 75static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy);
77 76
78/* Function definitions. */ 77/* Function definitions. */
79 78
80int TS_RESP_print_bio(BIO *bio, TS_RESP *a) 79int
81 { 80TS_RESP_print_bio(BIO *bio, TS_RESP *a)
81{
82 TS_TST_INFO *tst_info; 82 TS_TST_INFO *tst_info;
83 83
84 BIO_printf(bio, "Status info:\n"); 84 BIO_printf(bio, "Status info:\n");
@@ -90,98 +90,111 @@ int TS_RESP_print_bio(BIO *bio, TS_RESP *a)
90 TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a)); 90 TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a));
91 else 91 else
92 BIO_printf(bio, "Not included.\n"); 92 BIO_printf(bio, "Not included.\n");
93 93
94 return 1; 94 return 1;
95 } 95}
96 96
97int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a) 97int
98 { 98TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
99 static const char *status_map[] = 99{
100 { 100 static const char *status_map[] = {
101 "Granted.", 101 "Granted.",
102 "Granted with modifications.", 102 "Granted with modifications.",
103 "Rejected.", 103 "Rejected.",
104 "Waiting.", 104 "Waiting.",
105 "Revocation warning.", 105 "Revocation warning.",
106 "Revoked." 106 "Revoked."
107 }; 107 };
108 static struct status_map_st failure_map[] = 108 static struct status_map_st failure_map[] = {
109 {
110 TS_INFO_BAD_ALG,
111 "unrecognized or unsupported algorithm identifier"
112 },
113 {
114 TS_INFO_BAD_REQUEST,
115 "transaction not permitted or supported"
116 },
109 { 117 {
110 { TS_INFO_BAD_ALG, 118 TS_INFO_BAD_DATA_FORMAT,
111 "unrecognized or unsupported algorithm identifier" }, 119 "the data submitted has the wrong format"
112 { TS_INFO_BAD_REQUEST, 120 },
113 "transaction not permitted or supported" }, 121 {
114 { TS_INFO_BAD_DATA_FORMAT, 122 TS_INFO_TIME_NOT_AVAILABLE,
115 "the data submitted has the wrong format" }, 123 "the TSA's time source is not available"
116 { TS_INFO_TIME_NOT_AVAILABLE, 124 },
117 "the TSA's time source is not available" }, 125 {
118 { TS_INFO_UNACCEPTED_POLICY, 126 TS_INFO_UNACCEPTED_POLICY,
119 "the requested TSA policy is not supported by the TSA" }, 127 "the requested TSA policy is not supported by the TSA"
120 { TS_INFO_UNACCEPTED_EXTENSION, 128 },
121 "the requested extension is not supported by the TSA" }, 129 {
122 { TS_INFO_ADD_INFO_NOT_AVAILABLE, 130 TS_INFO_UNACCEPTED_EXTENSION,
123 "the additional information requested could not be understood " 131 "the requested extension is not supported by the TSA"
124 "or is not available" }, 132 },
125 { TS_INFO_SYSTEM_FAILURE, 133 {
126 "the request cannot be handled due to system failure" }, 134 TS_INFO_ADD_INFO_NOT_AVAILABLE,
135 "the additional information requested could not be understood "
136 "or is not available"
137 },
138 {
139 TS_INFO_SYSTEM_FAILURE,
140 "the request cannot be handled due to system failure"
141 },
127 { -1, NULL } 142 { -1, NULL }
128 }; 143 };
129 long status; 144 long status;
130 int i, lines = 0; 145 int i, lines = 0;
131 146
132 /* Printing status code. */ 147 /* Printing status code. */
133 BIO_printf(bio, "Status: "); 148 BIO_printf(bio, "Status: ");
134 status = ASN1_INTEGER_get(a->status); 149 status = ASN1_INTEGER_get(a->status);
135 if (0 <= status && status < (long)(sizeof(status_map)/sizeof(status_map[0]))) 150 if (0 <= status &&
151 status < (long)(sizeof(status_map) / sizeof(status_map[0])))
136 BIO_printf(bio, "%s\n", status_map[status]); 152 BIO_printf(bio, "%s\n", status_map[status]);
137 else 153 else
138 BIO_printf(bio, "out of bounds\n"); 154 BIO_printf(bio, "out of bounds\n");
139 155
140 /* Printing status description. */ 156 /* Printing status description. */
141 BIO_printf(bio, "Status description: "); 157 BIO_printf(bio, "Status description: ");
142 for (i = 0; i < sk_ASN1_UTF8STRING_num(a->text); ++i) 158 for (i = 0; i < sk_ASN1_UTF8STRING_num(a->text); ++i) {
143 {
144 if (i > 0) 159 if (i > 0)
145 BIO_puts(bio, "\t"); 160 BIO_puts(bio, "\t");
146 ASN1_STRING_print_ex(bio, sk_ASN1_UTF8STRING_value(a->text, i), 161 ASN1_STRING_print_ex(bio, sk_ASN1_UTF8STRING_value(a->text, i),
147 0); 162 0);
148 BIO_puts(bio, "\n"); 163 BIO_puts(bio, "\n");
149 } 164 }
150 if (i == 0) 165 if (i == 0)
151 BIO_printf(bio, "unspecified\n"); 166 BIO_printf(bio, "unspecified\n");
152 167
153 /* Printing failure information. */ 168 /* Printing failure information. */
154 BIO_printf(bio, "Failure info: "); 169 BIO_printf(bio, "Failure info: ");
155 if (a->failure_info != NULL) 170 if (a->failure_info != NULL)
156 lines = TS_status_map_print(bio, failure_map, 171 lines = TS_status_map_print(bio, failure_map, a->failure_info);
157 a->failure_info);
158 if (lines == 0) 172 if (lines == 0)
159 BIO_printf(bio, "unspecified"); 173 BIO_printf(bio, "unspecified");
160 BIO_printf(bio, "\n"); 174 BIO_printf(bio, "\n");
161 175
162 return 1; 176 return 1;
163 } 177}
164 178
165static int TS_status_map_print(BIO *bio, struct status_map_st *a, 179static int
166 ASN1_BIT_STRING *v) 180TS_status_map_print(BIO *bio, struct status_map_st *a, ASN1_BIT_STRING *v)
167 { 181{
168 int lines = 0; 182 int lines = 0;
169 183
170 for (; a->bit >= 0; ++a) 184 for (; a->bit >= 0; ++a) {
171 { 185 if (ASN1_BIT_STRING_get_bit(v, a->bit)) {
172 if (ASN1_BIT_STRING_get_bit(v, a->bit))
173 {
174 if (++lines > 1) 186 if (++lines > 1)
175 BIO_printf(bio, ", "); 187 BIO_printf(bio, ", ");
176 BIO_printf(bio, "%s", a->text); 188 BIO_printf(bio, "%s", a->text);
177 }
178 } 189 }
190 }
179 191
180 return lines; 192 return lines;
181 } 193}
182 194
183int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a) 195int
184 { 196TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
197{
185 int v; 198 int v;
186 ASN1_OBJECT *policy_id; 199 ASN1_OBJECT *policy_id;
187 const ASN1_INTEGER *serial; 200 const ASN1_INTEGER *serial;
@@ -190,7 +203,8 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
190 const ASN1_INTEGER *nonce; 203 const ASN1_INTEGER *nonce;
191 GENERAL_NAME *tsa_name; 204 GENERAL_NAME *tsa_name;
192 205
193 if (a == NULL) return 0; 206 if (a == NULL)
207 return 0;
194 208
195 /* Print version. */ 209 /* Print version. */
196 v = TS_TST_INFO_get_version(a); 210 v = TS_TST_INFO_get_version(a);
@@ -229,8 +243,8 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
229 BIO_write(bio, "\n", 1); 243 BIO_write(bio, "\n", 1);
230 244
231 /* Print ordering. */ 245 /* Print ordering. */
232 BIO_printf(bio, "Ordering: %s\n", 246 BIO_printf(bio, "Ordering: %s\n",
233 TS_TST_INFO_get_ordering(a) ? "yes" : "no"); 247 TS_TST_INFO_get_ordering(a) ? "yes" : "no");
234 248
235 /* Print nonce. */ 249 /* Print nonce. */
236 BIO_printf(bio, "Nonce: "); 250 BIO_printf(bio, "Nonce: ");
@@ -246,23 +260,23 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
246 tsa_name = TS_TST_INFO_get_tsa(a); 260 tsa_name = TS_TST_INFO_get_tsa(a);
247 if (tsa_name == NULL) 261 if (tsa_name == NULL)
248 BIO_printf(bio, "unspecified"); 262 BIO_printf(bio, "unspecified");
249 else 263 else {
250 {
251 STACK_OF(CONF_VALUE) *nval; 264 STACK_OF(CONF_VALUE) *nval;
252 if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL))) 265 if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL)))
253 X509V3_EXT_val_prn(bio, nval, 0, 0); 266 X509V3_EXT_val_prn(bio, nval, 0, 0);
254 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); 267 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
255 } 268 }
256 BIO_write(bio, "\n", 1); 269 BIO_write(bio, "\n", 1);
257 270
258 /* Print extensions. */ 271 /* Print extensions. */
259 TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a)); 272 TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a));
260 273
261 return 1; 274 return 1;
262 } 275}
263 276
264static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy) 277static int
265 { 278TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy)
279{
266 const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy); 280 const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy);
267 const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy); 281 const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy);
268 const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy); 282 const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy);
@@ -284,4 +298,4 @@ static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy)
284 BIO_printf(bio, " micros"); 298 BIO_printf(bio, " micros");
285 299
286 return 1; 300 return 1;
287 } 301}
diff --git a/src/lib/libssl/src/crypto/ts/ts_rsp_sign.c b/src/lib/libssl/src/crypto/ts/ts_rsp_sign.c
index 17f81b4a35..71530d7f24 100644
--- a/src/lib/libssl/src/crypto/ts/ts_rsp_sign.c
+++ b/src/lib/libssl/src/crypto/ts/ts_rsp_sign.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -76,102 +76,107 @@ static void TS_RESP_CTX_init(TS_RESP_CTX *ctx);
76static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx); 76static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx);
77static int TS_RESP_check_request(TS_RESP_CTX *ctx); 77static int TS_RESP_check_request(TS_RESP_CTX *ctx);
78static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx); 78static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx);
79static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx, 79static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
80 ASN1_OBJECT *policy); 80 ASN1_OBJECT *policy);
81static int TS_RESP_process_extensions(TS_RESP_CTX *ctx); 81static int TS_RESP_process_extensions(TS_RESP_CTX *ctx);
82static int TS_RESP_sign(TS_RESP_CTX *ctx); 82static int TS_RESP_sign(TS_RESP_CTX *ctx);
83 83
84static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, 84static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert,
85 STACK_OF(X509) *certs); 85 STACK_OF(X509) *certs);
86static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed); 86static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
87static int TS_TST_INFO_content_new(PKCS7 *p7); 87static int TS_TST_INFO_content_new(PKCS7 *p7);
88static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); 88static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
89 89
90static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision( 90static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
91 ASN1_GENERALIZEDTIME *, long, long, unsigned); 91 ASN1_GENERALIZEDTIME *, long, long, unsigned);
92 92
93/* Default callbacks for response generation. */ 93/* Default callbacks for response generation. */
94 94
95static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data) 95static ASN1_INTEGER *
96 { 96def_serial_cb(struct TS_resp_ctx *ctx, void *data)
97{
97 ASN1_INTEGER *serial = ASN1_INTEGER_new(); 98 ASN1_INTEGER *serial = ASN1_INTEGER_new();
98 if (!serial) goto err; 99
99 if (!ASN1_INTEGER_set(serial, 1)) goto err; 100 if (!serial)
101 goto err;
102 if (!ASN1_INTEGER_set(serial, 1))
103 goto err;
100 return serial; 104 return serial;
101 err: 105
106err:
102 TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE); 107 TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE);
103 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 108 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
104 "Error during serial number generation."); 109 "Error during serial number generation.");
105 return NULL; 110 return NULL;
106 } 111}
107 112
108#if defined(OPENSSL_SYS_UNIX) 113#if defined(OPENSSL_SYS_UNIX)
109 114
110/* Use the gettimeofday function call. */ 115/* Use the gettimeofday function call. */
111static int def_time_cb(struct TS_resp_ctx *ctx, void *data, 116static int
112 long *sec, long *usec) 117def_time_cb(struct TS_resp_ctx *ctx, void *data, long *sec, long *usec)
113 { 118{
114 struct timeval tv; 119 struct timeval tv;
115 if (gettimeofday(&tv, NULL) != 0) 120
116 { 121 if (gettimeofday(&tv, NULL) != 0) {
117 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR); 122 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR);
118 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 123 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
119 "Time is not available."); 124 "Time is not available.");
120 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE); 125 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
121 return 0; 126 return 0;
122 } 127 }
123 /* Return time to caller. */ 128 /* Return time to caller. */
124 *sec = tv.tv_sec; 129 *sec = tv.tv_sec;
125 *usec = tv.tv_usec; 130 *usec = tv.tv_usec;
126 131
127 return 1; 132 return 1;
128 } 133}
129 134
130#else 135#else
131 136
132/* Use the time function call that provides only seconds precision. */ 137/* Use the time function call that provides only seconds precision. */
133static int def_time_cb(struct TS_resp_ctx *ctx, void *data, 138static int
134 long *sec, long *usec) 139def_time_cb(struct TS_resp_ctx *ctx, void *data, long *sec, long *usec)
135 { 140{
136 time_t t; 141 time_t t;
137 if (time(&t) == (time_t) -1) 142
138 { 143 if (time(&t) == (time_t) - 1) {
139 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR); 144 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR);
140 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 145 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
141 "Time is not available."); 146 "Time is not available.");
142 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE); 147 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
143 return 0; 148 return 0;
144 } 149 }
145 /* Return time to caller, only second precision. */ 150 /* Return time to caller, only second precision. */
146 *sec = (long) t; 151 *sec = (long) t;
147 *usec = 0; 152 *usec = 0;
148 153
149 return 1; 154 return 1;
150 } 155}
151 156
152#endif 157#endif
153 158
154static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext, 159static int
155 void *data) 160def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext, void *data)
156 { 161{
157 /* No extensions are processed here. */ 162 /* No extensions are processed here. */
158 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 163 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
159 "Unsupported extension."); 164 "Unsupported extension.");
160 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION); 165 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION);
161 return 0; 166 return 0;
162 } 167}
163 168
164/* TS_RESP_CTX management functions. */ 169/* TS_RESP_CTX management functions. */
165 170
166TS_RESP_CTX *TS_RESP_CTX_new() 171TS_RESP_CTX *
167 { 172TS_RESP_CTX_new()
173{
168 TS_RESP_CTX *ctx; 174 TS_RESP_CTX *ctx;
169 175
170 if (!(ctx = (TS_RESP_CTX *) malloc(sizeof(TS_RESP_CTX)))) 176 if (!(ctx = (TS_RESP_CTX *) malloc(sizeof(TS_RESP_CTX)))) {
171 {
172 TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE); 177 TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE);
173 return NULL; 178 return NULL;
174 } 179 }
175 memset(ctx, 0, sizeof(TS_RESP_CTX)); 180 memset(ctx, 0, sizeof(TS_RESP_CTX));
176 181
177 /* Setting default callbacks. */ 182 /* Setting default callbacks. */
@@ -180,11 +185,13 @@ TS_RESP_CTX *TS_RESP_CTX_new()
180 ctx->extension_cb = def_extension_cb; 185 ctx->extension_cb = def_extension_cb;
181 186
182 return ctx; 187 return ctx;
183 } 188}
184 189
185void TS_RESP_CTX_free(TS_RESP_CTX *ctx) 190void
186 { 191TS_RESP_CTX_free(TS_RESP_CTX *ctx)
187 if (!ctx) return; 192{
193 if (!ctx)
194 return;
188 195
189 X509_free(ctx->signer_cert); 196 X509_free(ctx->signer_cert);
190 EVP_PKEY_free(ctx->signer_key); 197 EVP_PKEY_free(ctx->signer_key);
@@ -196,95 +203,108 @@ void TS_RESP_CTX_free(TS_RESP_CTX *ctx)
196 ASN1_INTEGER_free(ctx->millis); 203 ASN1_INTEGER_free(ctx->millis);
197 ASN1_INTEGER_free(ctx->micros); 204 ASN1_INTEGER_free(ctx->micros);
198 free(ctx); 205 free(ctx);
199 } 206}
200 207
201int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer) 208int
202 { 209TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer)
203 if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1) 210{
204 { 211 if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1) {
205 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT, 212 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
206 TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE); 213 TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
207 return 0; 214 return 0;
208 } 215 }
209 if (ctx->signer_cert) X509_free(ctx->signer_cert); 216 if (ctx->signer_cert)
217 X509_free(ctx->signer_cert);
210 ctx->signer_cert = signer; 218 ctx->signer_cert = signer;
211 CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509); 219 CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509);
212 return 1; 220 return 1;
213 } 221}
214 222
215int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key) 223int
216 { 224TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
217 if (ctx->signer_key) EVP_PKEY_free(ctx->signer_key); 225{
226 if (ctx->signer_key)
227 EVP_PKEY_free(ctx->signer_key);
218 ctx->signer_key = key; 228 ctx->signer_key = key;
219 CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY); 229 CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY);
220 230
221 return 1; 231 return 1;
222 } 232}
223 233
224int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy) 234int
225 { 235TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy)
226 if (ctx->default_policy) ASN1_OBJECT_free(ctx->default_policy); 236{
227 if (!(ctx->default_policy = OBJ_dup(def_policy))) goto err; 237 if (ctx->default_policy)
238 ASN1_OBJECT_free(ctx->default_policy);
239 if (!(ctx->default_policy = OBJ_dup(def_policy)))
240 goto err;
228 return 1; 241 return 1;
229 err: 242
243err:
230 TSerr(TS_F_TS_RESP_CTX_SET_DEF_POLICY, ERR_R_MALLOC_FAILURE); 244 TSerr(TS_F_TS_RESP_CTX_SET_DEF_POLICY, ERR_R_MALLOC_FAILURE);
231 return 0; 245 return 0;
232 } 246}
233 247
234int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs) 248int
235 { 249TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs)
250{
236 int i; 251 int i;
237 252
238 if (ctx->certs) 253 if (ctx->certs) {
239 {
240 sk_X509_pop_free(ctx->certs, X509_free); 254 sk_X509_pop_free(ctx->certs, X509_free);
241 ctx->certs = NULL; 255 ctx->certs = NULL;
242 } 256 }
243 if (!certs) return 1; 257 if (!certs)
244 if (!(ctx->certs = sk_X509_dup(certs))) 258 return 1;
245 { 259 if (!(ctx->certs = sk_X509_dup(certs))) {
246 TSerr(TS_F_TS_RESP_CTX_SET_CERTS, ERR_R_MALLOC_FAILURE); 260 TSerr(TS_F_TS_RESP_CTX_SET_CERTS, ERR_R_MALLOC_FAILURE);
247 return 0; 261 return 0;
248 } 262 }
249 for (i = 0; i < sk_X509_num(ctx->certs); ++i) 263 for (i = 0; i < sk_X509_num(ctx->certs); ++i) {
250 {
251 X509 *cert = sk_X509_value(ctx->certs, i); 264 X509 *cert = sk_X509_value(ctx->certs, i);
252 CRYPTO_add(&cert->references, +1, CRYPTO_LOCK_X509); 265 CRYPTO_add(&cert->references, +1, CRYPTO_LOCK_X509);
253 } 266 }
254 267
255 return 1; 268 return 1;
256 } 269}
257 270
258int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy) 271int
259 { 272TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
273{
260 ASN1_OBJECT *copy = NULL; 274 ASN1_OBJECT *copy = NULL;
261 275
262 /* Create new policy stack if necessary. */ 276 /* Create new policy stack if necessary. */
263 if (!ctx->policies && !(ctx->policies = sk_ASN1_OBJECT_new_null())) 277 if (!ctx->policies && !(ctx->policies = sk_ASN1_OBJECT_new_null()))
278 goto err;
279 if (!(copy = OBJ_dup(policy)))
280 goto err;
281 if (!sk_ASN1_OBJECT_push(ctx->policies, copy))
264 goto err; 282 goto err;
265 if (!(copy = OBJ_dup(policy))) goto err;
266 if (!sk_ASN1_OBJECT_push(ctx->policies, copy)) goto err;
267 283
268 return 1; 284 return 1;
269 err: 285
286err:
270 TSerr(TS_F_TS_RESP_CTX_ADD_POLICY, ERR_R_MALLOC_FAILURE); 287 TSerr(TS_F_TS_RESP_CTX_ADD_POLICY, ERR_R_MALLOC_FAILURE);
271 ASN1_OBJECT_free(copy); 288 ASN1_OBJECT_free(copy);
272 return 0; 289 return 0;
273 } 290}
274 291
275int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md) 292int
276 { 293TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md)
294{
277 /* Create new md stack if necessary. */ 295 /* Create new md stack if necessary. */
278 if (!ctx->mds && !(ctx->mds = sk_EVP_MD_new_null())) 296 if (!ctx->mds && !(ctx->mds = sk_EVP_MD_new_null()))
279 goto err; 297 goto err;
280 /* Add the shared md, no copy needed. */ 298 /* Add the shared md, no copy needed. */
281 if (!sk_EVP_MD_push(ctx->mds, (EVP_MD *)md)) goto err; 299 if (!sk_EVP_MD_push(ctx->mds, (EVP_MD *)md))
300 goto err;
282 301
283 return 1; 302 return 1;
284 err: 303
304err:
285 TSerr(TS_F_TS_RESP_CTX_ADD_MD, ERR_R_MALLOC_FAILURE); 305 TSerr(TS_F_TS_RESP_CTX_ADD_MD, ERR_R_MALLOC_FAILURE);
286 return 0; 306 return 0;
287 } 307}
288 308
289#define TS_RESP_CTX_accuracy_free(ctx) \ 309#define TS_RESP_CTX_accuracy_free(ctx) \
290 ASN1_INTEGER_free(ctx->seconds); \ 310 ASN1_INTEGER_free(ctx->seconds); \
@@ -294,129 +314,142 @@ int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md)
294 ASN1_INTEGER_free(ctx->micros); \ 314 ASN1_INTEGER_free(ctx->micros); \
295 ctx->micros = NULL; 315 ctx->micros = NULL;
296 316
297int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, 317int
298 int secs, int millis, int micros) 318TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, int secs, int millis, int micros)
299 { 319{
300
301 TS_RESP_CTX_accuracy_free(ctx); 320 TS_RESP_CTX_accuracy_free(ctx);
302 if (secs && (!(ctx->seconds = ASN1_INTEGER_new()) 321 if (secs && (!(ctx->seconds = ASN1_INTEGER_new()) ||
303 || !ASN1_INTEGER_set(ctx->seconds, secs))) 322 !ASN1_INTEGER_set(ctx->seconds, secs)))
304 goto err; 323 goto err;
305 if (millis && (!(ctx->millis = ASN1_INTEGER_new()) 324 if (millis && (!(ctx->millis = ASN1_INTEGER_new()) ||
306 || !ASN1_INTEGER_set(ctx->millis, millis))) 325 !ASN1_INTEGER_set(ctx->millis, millis)))
307 goto err; 326 goto err;
308 if (micros && (!(ctx->micros = ASN1_INTEGER_new()) 327 if (micros && (!(ctx->micros = ASN1_INTEGER_new()) ||
309 || !ASN1_INTEGER_set(ctx->micros, micros))) 328 !ASN1_INTEGER_set(ctx->micros, micros)))
310 goto err; 329 goto err;
311 330
312 return 1; 331 return 1;
313 err: 332
333err:
314 TS_RESP_CTX_accuracy_free(ctx); 334 TS_RESP_CTX_accuracy_free(ctx);
315 TSerr(TS_F_TS_RESP_CTX_SET_ACCURACY, ERR_R_MALLOC_FAILURE); 335 TSerr(TS_F_TS_RESP_CTX_SET_ACCURACY, ERR_R_MALLOC_FAILURE);
316 return 0; 336 return 0;
317 } 337}
318 338
319void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags) 339void
320 { 340TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags)
341{
321 ctx->flags |= flags; 342 ctx->flags |= flags;
322 } 343}
323 344
324void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data) 345void
325 { 346TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data)
347{
326 ctx->serial_cb = cb; 348 ctx->serial_cb = cb;
327 ctx->serial_cb_data = data; 349 ctx->serial_cb_data = data;
328 } 350}
329 351
330void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data) 352void
331 { 353TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data)
354{
332 ctx->time_cb = cb; 355 ctx->time_cb = cb;
333 ctx->time_cb_data = data; 356 ctx->time_cb_data = data;
334 } 357}
335 358
336void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, 359void
337 TS_extension_cb cb, void *data) 360TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, TS_extension_cb cb, void *data)
338 { 361{
339 ctx->extension_cb = cb; 362 ctx->extension_cb = cb;
340 ctx->extension_cb_data = data; 363 ctx->extension_cb_data = data;
341 } 364}
342 365
343int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, 366int
344 int status, const char *text) 367TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, int status, const char *text)
345 { 368{
346 TS_STATUS_INFO *si = NULL; 369 TS_STATUS_INFO *si = NULL;
347 ASN1_UTF8STRING *utf8_text = NULL; 370 ASN1_UTF8STRING *utf8_text = NULL;
348 int ret = 0; 371 int ret = 0;
349 372
350 if (!(si = TS_STATUS_INFO_new())) goto err; 373 if (!(si = TS_STATUS_INFO_new()))
351 if (!ASN1_INTEGER_set(si->status, status)) goto err; 374 goto err;
352 if (text) 375 if (!ASN1_INTEGER_set(si->status, status))
353 { 376 goto err;
354 if (!(utf8_text = ASN1_UTF8STRING_new()) 377 if (text) {
355 || !ASN1_STRING_set(utf8_text, text, strlen(text))) 378 if (!(utf8_text = ASN1_UTF8STRING_new()) ||
379 !ASN1_STRING_set(utf8_text, text, strlen(text)))
356 goto err; 380 goto err;
357 if (!si->text && !(si->text = sk_ASN1_UTF8STRING_new_null())) 381 if (!si->text && !(si->text = sk_ASN1_UTF8STRING_new_null()))
358 goto err; 382 goto err;
359 if (!sk_ASN1_UTF8STRING_push(si->text, utf8_text)) goto err; 383 if (!sk_ASN1_UTF8STRING_push(si->text, utf8_text))
384 goto err;
360 utf8_text = NULL; /* Ownership is lost. */ 385 utf8_text = NULL; /* Ownership is lost. */
361 } 386 }
362 if (!TS_RESP_set_status_info(ctx->response, si)) goto err; 387 if (!TS_RESP_set_status_info(ctx->response, si))
388 goto err;
363 ret = 1; 389 ret = 1;
364 err: 390
391err:
365 if (!ret) 392 if (!ret)
366 TSerr(TS_F_TS_RESP_CTX_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE); 393 TSerr(TS_F_TS_RESP_CTX_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE);
367 TS_STATUS_INFO_free(si); 394 TS_STATUS_INFO_free(si);
368 ASN1_UTF8STRING_free(utf8_text); 395 ASN1_UTF8STRING_free(utf8_text);
369 return ret; 396 return ret;
370 } 397}
371 398
372int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, 399int
373 int status, const char *text) 400TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, int status, const char *text)
374 { 401{
375 int ret = 1; 402 int ret = 1;
376 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); 403 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response);
377 404
378 if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) 405 if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) {
379 {
380 /* Status has not been set, set it now. */ 406 /* Status has not been set, set it now. */
381 ret = TS_RESP_CTX_set_status_info(ctx, status, text); 407 ret = TS_RESP_CTX_set_status_info(ctx, status, text);
382 }
383 return ret;
384 } 408 }
409 return ret;
410}
385 411
386int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure) 412int
387 { 413TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure)
414{
388 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); 415 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response);
416
389 if (!si->failure_info && !(si->failure_info = ASN1_BIT_STRING_new())) 417 if (!si->failure_info && !(si->failure_info = ASN1_BIT_STRING_new()))
390 goto err; 418 goto err;
391 if (!ASN1_BIT_STRING_set_bit(si->failure_info, failure, 1)) 419 if (!ASN1_BIT_STRING_set_bit(si->failure_info, failure, 1))
392 goto err; 420 goto err;
393 return 1; 421 return 1;
394 err: 422
423err:
395 TSerr(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO, ERR_R_MALLOC_FAILURE); 424 TSerr(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO, ERR_R_MALLOC_FAILURE);
396 return 0; 425 return 0;
397 } 426}
398 427
399TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx) 428TS_REQ *
400 { 429TS_RESP_CTX_get_request(TS_RESP_CTX *ctx)
430{
401 return ctx->request; 431 return ctx->request;
402 } 432}
403 433
404TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx) 434TS_TST_INFO *
405 { 435TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx)
436{
406 return ctx->tst_info; 437 return ctx->tst_info;
407 } 438}
408 439
409int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision) 440int
410 { 441TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)
411 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS) 442{
412 return 0; 443 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
413 ctx->clock_precision_digits = precision; 444 return 0;
414 return 1; 445 ctx->clock_precision_digits = precision;
415 } 446 return 1;
447}
416 448
417/* Main entry method of the response generation. */ 449/* Main entry method of the response generation. */
418TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio) 450TS_RESP *
419 { 451TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
452{
420 ASN1_OBJECT *policy; 453 ASN1_OBJECT *policy;
421 TS_RESP *response; 454 TS_RESP *response;
422 int result = 0; 455 int result = 0;
@@ -424,87 +457,90 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
424 TS_RESP_CTX_init(ctx); 457 TS_RESP_CTX_init(ctx);
425 458
426 /* Creating the response object. */ 459 /* Creating the response object. */
427 if (!(ctx->response = TS_RESP_new())) 460 if (!(ctx->response = TS_RESP_new())) {
428 {
429 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, ERR_R_MALLOC_FAILURE); 461 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, ERR_R_MALLOC_FAILURE);
430 goto end; 462 goto end;
431 } 463 }
432 464
433 /* Parsing DER request. */ 465 /* Parsing DER request. */
434 if (!(ctx->request = d2i_TS_REQ_bio(req_bio, NULL))) 466 if (!(ctx->request = d2i_TS_REQ_bio(req_bio, NULL))) {
435 {
436 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 467 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
437 "Bad request format or " 468 "Bad request format or "
438 "system error."); 469 "system error.");
439 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT); 470 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
440 goto end; 471 goto end;
441 } 472 }
442 473
443 /* Setting default status info. */ 474 /* Setting default status info. */
444 if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL)) 475 if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL))
445 goto end; 476 goto end;
446 477
447 /* Checking the request format. */ 478 /* Checking the request format. */
448 if (!TS_RESP_check_request(ctx)) goto end; 479 if (!TS_RESP_check_request(ctx))
480 goto end;
449 481
450 /* Checking acceptable policies. */ 482 /* Checking acceptable policies. */
451 if (!(policy = TS_RESP_get_policy(ctx))) goto end; 483 if (!(policy = TS_RESP_get_policy(ctx)))
484 goto end;
452 485
453 /* Creating the TS_TST_INFO object. */ 486 /* Creating the TS_TST_INFO object. */
454 if (!(ctx->tst_info = TS_RESP_create_tst_info(ctx, policy))) 487 if (!(ctx->tst_info = TS_RESP_create_tst_info(ctx, policy)))
455 goto end; 488 goto end;
456 489
457 /* Processing extensions. */ 490 /* Processing extensions. */
458 if (!TS_RESP_process_extensions(ctx)) goto end; 491 if (!TS_RESP_process_extensions(ctx))
492 goto end;
459 493
460 /* Generating the signature. */ 494 /* Generating the signature. */
461 if (!TS_RESP_sign(ctx)) goto end; 495 if (!TS_RESP_sign(ctx))
496 goto end;
462 497
463 /* Everything was successful. */ 498 /* Everything was successful. */
464 result = 1; 499 result = 1;
465 end: 500
466 if (!result) 501end:
467 { 502 if (!result) {
468 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, TS_R_RESPONSE_SETUP_ERROR); 503 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, TS_R_RESPONSE_SETUP_ERROR);
469 if (ctx->response != NULL) 504 if (ctx->response != NULL) {
470 {
471 if (TS_RESP_CTX_set_status_info_cond(ctx, 505 if (TS_RESP_CTX_set_status_info_cond(ctx,
472 TS_STATUS_REJECTION, "Error during response " 506 TS_STATUS_REJECTION, "Error during response "
473 "generation.") == 0) 507 "generation.") == 0) {
474 {
475 TS_RESP_free(ctx->response); 508 TS_RESP_free(ctx->response);
476 ctx->response = NULL; 509 ctx->response = NULL;
477 }
478 } 510 }
479 } 511 }
512 }
480 response = ctx->response; 513 response = ctx->response;
481 ctx->response = NULL; /* Ownership will be returned to caller. */ 514 ctx->response = NULL; /* Ownership will be returned to caller. */
482 TS_RESP_CTX_cleanup(ctx); 515 TS_RESP_CTX_cleanup(ctx);
483 return response; 516 return response;
484 } 517}
485 518
486/* Initializes the variable part of the context. */ 519/* Initializes the variable part of the context. */
487static void TS_RESP_CTX_init(TS_RESP_CTX *ctx) 520static void
488 { 521TS_RESP_CTX_init(TS_RESP_CTX *ctx)
522{
489 ctx->request = NULL; 523 ctx->request = NULL;
490 ctx->response = NULL; 524 ctx->response = NULL;
491 ctx->tst_info = NULL; 525 ctx->tst_info = NULL;
492 } 526}
493 527
494/* Cleans up the variable part of the context. */ 528/* Cleans up the variable part of the context. */
495static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx) 529static void
496 { 530TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx)
531{
497 TS_REQ_free(ctx->request); 532 TS_REQ_free(ctx->request);
498 ctx->request = NULL; 533 ctx->request = NULL;
499 TS_RESP_free(ctx->response); 534 TS_RESP_free(ctx->response);
500 ctx->response = NULL; 535 ctx->response = NULL;
501 TS_TST_INFO_free(ctx->tst_info); 536 TS_TST_INFO_free(ctx->tst_info);
502 ctx->tst_info = NULL; 537 ctx->tst_info = NULL;
503 } 538}
504 539
505/* Checks the format and content of the request. */ 540/* Checks the format and content of the request. */
506static int TS_RESP_check_request(TS_RESP_CTX *ctx) 541static int
507 { 542TS_RESP_check_request(TS_RESP_CTX *ctx)
543{
508 TS_REQ *request = ctx->request; 544 TS_REQ *request = ctx->request;
509 TS_MSG_IMPRINT *msg_imprint; 545 TS_MSG_IMPRINT *msg_imprint;
510 X509_ALGOR *md_alg; 546 X509_ALGOR *md_alg;
@@ -514,95 +550,88 @@ static int TS_RESP_check_request(TS_RESP_CTX *ctx)
514 int i; 550 int i;
515 551
516 /* Checking request version. */ 552 /* Checking request version. */
517 if (TS_REQ_get_version(request) != 1) 553 if (TS_REQ_get_version(request) != 1) {
518 {
519 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 554 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
520 "Bad request version."); 555 "Bad request version.");
521 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_REQUEST); 556 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_REQUEST);
522 return 0; 557 return 0;
523 } 558 }
524 559
525 /* Checking message digest algorithm. */ 560 /* Checking message digest algorithm. */
526 msg_imprint = TS_REQ_get_msg_imprint(request); 561 msg_imprint = TS_REQ_get_msg_imprint(request);
527 md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint); 562 md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint);
528 md_alg_id = OBJ_obj2nid(md_alg->algorithm); 563 md_alg_id = OBJ_obj2nid(md_alg->algorithm);
529 for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) 564 for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) {
530 {
531 EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i); 565 EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i);
532 if (md_alg_id == EVP_MD_type(current_md)) 566 if (md_alg_id == EVP_MD_type(current_md))
533 md = current_md; 567 md = current_md;
534 } 568 }
535 if (!md) 569 if (!md) {
536 {
537 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 570 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
538 "Message digest algorithm is " 571 "Message digest algorithm is "
539 "not supported."); 572 "not supported.");
540 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG); 573 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
541 return 0; 574 return 0;
542 } 575 }
543 576
544 /* No message digest takes parameter. */ 577 /* No message digest takes parameter. */
545 if (md_alg->parameter 578 if (md_alg->parameter &&
546 && ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL) 579 ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL) {
547 {
548 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 580 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
549 "Superfluous message digest " 581 "Superfluous message digest "
550 "parameter."); 582 "parameter.");
551 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG); 583 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
552 return 0; 584 return 0;
553 } 585 }
554 /* Checking message digest size. */ 586 /* Checking message digest size. */
555 digest = TS_MSG_IMPRINT_get_msg(msg_imprint); 587 digest = TS_MSG_IMPRINT_get_msg(msg_imprint);
556 if (digest->length != EVP_MD_size(md)) 588 if (digest->length != EVP_MD_size(md)) {
557 {
558 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 589 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
559 "Bad message digest."); 590 "Bad message digest.");
560 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT); 591 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
561 return 0; 592 return 0;
562 } 593 }
563 594
564 return 1; 595 return 1;
565 } 596}
566 597
567/* Returns the TSA policy based on the requested and acceptable policies. */ 598/* Returns the TSA policy based on the requested and acceptable policies. */
568static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx) 599static ASN1_OBJECT *
569 { 600TS_RESP_get_policy(TS_RESP_CTX *ctx)
601{
570 ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request); 602 ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request);
571 ASN1_OBJECT *policy = NULL; 603 ASN1_OBJECT *policy = NULL;
572 int i; 604 int i;
573 605
574 if (ctx->default_policy == NULL) 606 if (ctx->default_policy == NULL) {
575 {
576 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_INVALID_NULL_POINTER); 607 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_INVALID_NULL_POINTER);
577 return NULL; 608 return NULL;
578 } 609 }
579 /* Return the default policy if none is requested or the default is 610 /* Return the default policy if none is requested or the default is
580 requested. */ 611 requested. */
581 if (!requested || !OBJ_cmp(requested, ctx->default_policy)) 612 if (!requested || !OBJ_cmp(requested, ctx->default_policy))
582 policy = ctx->default_policy; 613 policy = ctx->default_policy;
583 614
584 /* Check if the policy is acceptable. */ 615 /* Check if the policy is acceptable. */
585 for (i = 0; !policy && i < sk_ASN1_OBJECT_num(ctx->policies); ++i) 616 for (i = 0; !policy && i < sk_ASN1_OBJECT_num(ctx->policies); ++i) {
586 {
587 ASN1_OBJECT *current = sk_ASN1_OBJECT_value(ctx->policies, i); 617 ASN1_OBJECT *current = sk_ASN1_OBJECT_value(ctx->policies, i);
588 if (!OBJ_cmp(requested, current)) 618 if (!OBJ_cmp(requested, current))
589 policy = current; 619 policy = current;
590 } 620 }
591 if (!policy) 621 if (!policy) {
592 {
593 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_UNACCEPTABLE_POLICY); 622 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_UNACCEPTABLE_POLICY);
594 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, 623 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
595 "Requested policy is not " 624 "Requested policy is not "
596 "supported."); 625 "supported.");
597 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_POLICY); 626 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_POLICY);
598 }
599 return policy;
600 } 627 }
628 return policy;
629}
601 630
602/* Creates the TS_TST_INFO object based on the settings of the context. */ 631/* Creates the TS_TST_INFO object based on the settings of the context. */
603static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx, 632static TS_TST_INFO *
604 ASN1_OBJECT *policy) 633TS_RESP_create_tst_info(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
605 { 634{
606 int result = 0; 635 int result = 0;
607 TS_TST_INFO *tst_info = NULL; 636 TS_TST_INFO *tst_info = NULL;
608 ASN1_INTEGER *serial = NULL; 637 ASN1_INTEGER *serial = NULL;
@@ -612,24 +641,26 @@ static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
612 const ASN1_INTEGER *nonce; 641 const ASN1_INTEGER *nonce;
613 GENERAL_NAME *tsa_name = NULL; 642 GENERAL_NAME *tsa_name = NULL;
614 643
615 if (!(tst_info = TS_TST_INFO_new())) goto end; 644 if (!(tst_info = TS_TST_INFO_new()))
616 if (!TS_TST_INFO_set_version(tst_info, 1)) goto end; 645 goto end;
617 if (!TS_TST_INFO_set_policy_id(tst_info, policy)) goto end; 646 if (!TS_TST_INFO_set_version(tst_info, 1))
647 goto end;
648 if (!TS_TST_INFO_set_policy_id(tst_info, policy))
649 goto end;
618 if (!TS_TST_INFO_set_msg_imprint(tst_info, ctx->request->msg_imprint)) 650 if (!TS_TST_INFO_set_msg_imprint(tst_info, ctx->request->msg_imprint))
619 goto end; 651 goto end;
620 if (!(serial = (*ctx->serial_cb)(ctx, ctx->serial_cb_data)) 652 if (!(serial = (*ctx->serial_cb)(ctx, ctx->serial_cb_data)) ||
621 || !TS_TST_INFO_set_serial(tst_info, serial)) 653 !TS_TST_INFO_set_serial(tst_info, serial))
622 goto end; 654 goto end;
623 if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) 655 if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) ||
624 || !(asn1_time = TS_RESP_set_genTime_with_precision(NULL, 656 !(asn1_time = TS_RESP_set_genTime_with_precision(NULL, sec, usec,
625 sec, usec, 657 ctx->clock_precision_digits)) ||
626 ctx->clock_precision_digits)) 658 !TS_TST_INFO_set_time(tst_info, asn1_time))
627 || !TS_TST_INFO_set_time(tst_info, asn1_time))
628 goto end; 659 goto end;
629 660
630 /* Setting accuracy if needed. */ 661 /* Setting accuracy if needed. */
631 if ((ctx->seconds || ctx->millis || ctx->micros) 662 if ((ctx->seconds || ctx->millis || ctx->micros) &&
632 && !(accuracy = TS_ACCURACY_new())) 663 !(accuracy = TS_ACCURACY_new()))
633 goto end; 664 goto end;
634 665
635 if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds)) 666 if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds))
@@ -638,58 +669,60 @@ static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
638 goto end; 669 goto end;
639 if (ctx->micros && !TS_ACCURACY_set_micros(accuracy, ctx->micros)) 670 if (ctx->micros && !TS_ACCURACY_set_micros(accuracy, ctx->micros))
640 goto end; 671 goto end;
641 if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy)) 672 if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy))
642 goto end; 673 goto end;
643 674
644 /* Setting ordering. */ 675 /* Setting ordering. */
645 if ((ctx->flags & TS_ORDERING) 676 if ((ctx->flags & TS_ORDERING) &&
646 && !TS_TST_INFO_set_ordering(tst_info, 1)) 677 !TS_TST_INFO_set_ordering(tst_info, 1))
647 goto end; 678 goto end;
648 679
649 /* Setting nonce if needed. */ 680 /* Setting nonce if needed. */
650 if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL 681 if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL &&
651 && !TS_TST_INFO_set_nonce(tst_info, nonce)) 682 !TS_TST_INFO_set_nonce(tst_info, nonce))
652 goto end; 683 goto end;
653 684
654 /* Setting TSA name to subject of signer certificate. */ 685 /* Setting TSA name to subject of signer certificate. */
655 if (ctx->flags & TS_TSA_NAME) 686 if (ctx->flags & TS_TSA_NAME) {
656 { 687 if (!(tsa_name = GENERAL_NAME_new()))
657 if (!(tsa_name = GENERAL_NAME_new())) goto end; 688 goto end;
658 tsa_name->type = GEN_DIRNAME; 689 tsa_name->type = GEN_DIRNAME;
659 tsa_name->d.dirn = 690 tsa_name->d.dirn =
660 X509_NAME_dup(ctx->signer_cert->cert_info->subject); 691 X509_NAME_dup(ctx->signer_cert->cert_info->subject);
661 if (!tsa_name->d.dirn) goto end; 692 if (!tsa_name->d.dirn)
662 if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) goto end; 693 goto end;
663 } 694 if (!TS_TST_INFO_set_tsa(tst_info, tsa_name))
695 goto end;
696 }
664 697
665 result = 1; 698 result = 1;
666 end: 699
667 if (!result) 700end:
668 { 701 if (!result) {
669 TS_TST_INFO_free(tst_info); 702 TS_TST_INFO_free(tst_info);
670 tst_info = NULL; 703 tst_info = NULL;
671 TSerr(TS_F_TS_RESP_CREATE_TST_INFO, TS_R_TST_INFO_SETUP_ERROR); 704 TSerr(TS_F_TS_RESP_CREATE_TST_INFO, TS_R_TST_INFO_SETUP_ERROR);
672 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION, 705 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
673 "Error during TSTInfo " 706 "Error during TSTInfo "
674 "generation."); 707 "generation.");
675 } 708 }
676 GENERAL_NAME_free(tsa_name); 709 GENERAL_NAME_free(tsa_name);
677 TS_ACCURACY_free(accuracy); 710 TS_ACCURACY_free(accuracy);
678 ASN1_GENERALIZEDTIME_free(asn1_time); 711 ASN1_GENERALIZEDTIME_free(asn1_time);
679 ASN1_INTEGER_free(serial); 712 ASN1_INTEGER_free(serial);
680 713
681 return tst_info; 714 return tst_info;
682 } 715}
683 716
684/* Processing the extensions of the request. */ 717/* Processing the extensions of the request. */
685static int TS_RESP_process_extensions(TS_RESP_CTX *ctx) 718static int
686 { 719TS_RESP_process_extensions(TS_RESP_CTX *ctx)
720{
687 STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request); 721 STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request);
688 int i; 722 int i;
689 int ok = 1; 723 int ok = 1;
690 724
691 for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i) 725 for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i) {
692 {
693 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); 726 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
694 /* XXXXX The last argument was previously 727 /* XXXXX The last argument was previously
695 (void *)ctx->extension_cb, but ISO C doesn't permit 728 (void *)ctx->extension_cb, but ISO C doesn't permit
@@ -699,14 +732,15 @@ static int TS_RESP_process_extensions(TS_RESP_CTX *ctx)
699 anyway... 732 anyway...
700 */ 733 */
701 ok = (*ctx->extension_cb)(ctx, ext, NULL); 734 ok = (*ctx->extension_cb)(ctx, ext, NULL);
702 } 735 }
703 736
704 return ok; 737 return ok;
705 } 738}
706 739
707/* Functions for signing the TS_TST_INFO structure of the context. */ 740/* Functions for signing the TS_TST_INFO structure of the context. */
708static int TS_RESP_sign(TS_RESP_CTX *ctx) 741static int
709 { 742TS_RESP_sign(TS_RESP_CTX *ctx)
743{
710 int ret = 0; 744 int ret = 0;
711 PKCS7 *p7 = NULL; 745 PKCS7 *p7 = NULL;
712 PKCS7_SIGNER_INFO *si; 746 PKCS7_SIGNER_INFO *si;
@@ -718,9 +752,9 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
718 752
719 /* Check if signcert and pkey match. */ 753 /* Check if signcert and pkey match. */
720 if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) { 754 if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
721 TSerr(TS_F_TS_RESP_SIGN, 755 TSerr(TS_F_TS_RESP_SIGN,
722 TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); 756 TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
723 goto err; 757 goto err;
724 } 758 }
725 759
726 /* Create a new PKCS7 signed object. */ 760 /* Create a new PKCS7 signed object. */
@@ -728,57 +762,54 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
728 TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE); 762 TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE);
729 goto err; 763 goto err;
730 } 764 }
731 if (!PKCS7_set_type(p7, NID_pkcs7_signed)) goto err; 765 if (!PKCS7_set_type(p7, NID_pkcs7_signed))
766 goto err;
732 767
733 /* Force SignedData version to be 3 instead of the default 1. */ 768 /* Force SignedData version to be 3 instead of the default 1. */
734 if (!ASN1_INTEGER_set(p7->d.sign->version, 3)) goto err; 769 if (!ASN1_INTEGER_set(p7->d.sign->version, 3))
770 goto err;
735 771
736 /* Add signer certificate and optional certificate chain. */ 772 /* Add signer certificate and optional certificate chain. */
737 if (TS_REQ_get_cert_req(ctx->request)) 773 if (TS_REQ_get_cert_req(ctx->request)) {
738 {
739 PKCS7_add_certificate(p7, ctx->signer_cert); 774 PKCS7_add_certificate(p7, ctx->signer_cert);
740 if (ctx->certs) 775 if (ctx->certs) {
741 { 776 for (i = 0; i < sk_X509_num(ctx->certs); ++i) {
742 for(i = 0; i < sk_X509_num(ctx->certs); ++i)
743 {
744 X509 *cert = sk_X509_value(ctx->certs, i); 777 X509 *cert = sk_X509_value(ctx->certs, i);
745 PKCS7_add_certificate(p7, cert); 778 PKCS7_add_certificate(p7, cert);
746 }
747 } 779 }
748 } 780 }
781 }
749 782
750 /* Add a new signer info. */ 783 /* Add a new signer info. */
751 if (!(si = PKCS7_add_signature(p7, ctx->signer_cert, 784 if (!(si = PKCS7_add_signature(p7, ctx->signer_cert,
752 ctx->signer_key, EVP_sha1()))) 785 ctx->signer_key, EVP_sha1()))) {
753 {
754 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR); 786 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
755 goto err; 787 goto err;
756 } 788 }
757 789
758 /* Add content type signed attribute to the signer info. */ 790 /* Add content type signed attribute to the signer info. */
759 oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo); 791 oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
760 if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, 792 if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
761 V_ASN1_OBJECT, oid)) 793 V_ASN1_OBJECT, oid)) {
762 {
763 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR); 794 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR);
764 goto err; 795 goto err;
765 } 796 }
766 797
767 /* Create the ESS SigningCertificate attribute which contains 798 /* Create the ESS SigningCertificate attribute which contains
768 the signer certificate id and optionally the certificate chain. */ 799 the signer certificate id and optionally the certificate chain. */
769 certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; 800 certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
770 if (!(sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs))) 801 if (!(sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs)))
771 goto err; 802 goto err;
772 803
773 /* Add SigningCertificate signed attribute to the signer info. */ 804 /* Add SigningCertificate signed attribute to the signer info. */
774 if (!ESS_add_signing_cert(si, sc)) 805 if (!ESS_add_signing_cert(si, sc)) {
775 {
776 TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR); 806 TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR);
777 goto err; 807 goto err;
778 } 808 }
779 809
780 /* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */ 810 /* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */
781 if (!TS_TST_INFO_content_new(p7)) goto err; 811 if (!TS_TST_INFO_content_new(p7))
812 goto err;
782 813
783 /* Add the DER encoded tst_info to the PKCS7 structure. */ 814 /* Add the DER encoded tst_info to the PKCS7 structure. */
784 if (!(p7bio = PKCS7_dataInit(p7, NULL))) { 815 if (!(p7bio = PKCS7_dataInit(p7, NULL))) {
@@ -787,18 +818,16 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
787 } 818 }
788 819
789 /* Convert tst_info to DER. */ 820 /* Convert tst_info to DER. */
790 if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info)) 821 if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info)) {
791 {
792 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN); 822 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
793 goto err; 823 goto err;
794 } 824 }
795 825
796 /* Create the signature and add it to the signer info. */ 826 /* Create the signature and add it to the signer info. */
797 if (!PKCS7_dataFinal(p7, p7bio)) 827 if (!PKCS7_dataFinal(p7, p7bio)) {
798 {
799 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN); 828 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
800 goto err; 829 goto err;
801 } 830 }
802 831
803 /* Set new PKCS7 and TST_INFO objects. */ 832 /* Set new PKCS7 and TST_INFO objects. */
804 TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info); 833 TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info);
@@ -806,152 +835,163 @@ static int TS_RESP_sign(TS_RESP_CTX *ctx)
806 ctx->tst_info = NULL; /* Ownership is lost. */ 835 ctx->tst_info = NULL; /* Ownership is lost. */
807 836
808 ret = 1; 837 ret = 1;
809 err: 838
839err:
810 if (!ret) 840 if (!ret)
811 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION, 841 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
812 "Error during signature " 842 "Error during signature "
813 "generation."); 843 "generation.");
814 BIO_free_all(p7bio); 844 BIO_free_all(p7bio);
815 ESS_SIGNING_CERT_free(sc); 845 ESS_SIGNING_CERT_free(sc);
816 PKCS7_free(p7); 846 PKCS7_free(p7);
817 return ret; 847 return ret;
818 } 848}
819 849
820static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, 850static ESS_SIGNING_CERT *
821 STACK_OF(X509) *certs) 851ESS_SIGNING_CERT_new_init(X509 *signcert, STACK_OF(X509) *certs)
822 { 852{
823 ESS_CERT_ID *cid; 853 ESS_CERT_ID *cid;
824 ESS_SIGNING_CERT *sc = NULL; 854 ESS_SIGNING_CERT *sc = NULL;
825 int i; 855 int i;
826 856
827 /* Creating the ESS_CERT_ID stack. */ 857 /* Creating the ESS_CERT_ID stack. */
828 if (!(sc = ESS_SIGNING_CERT_new())) goto err; 858 if (!(sc = ESS_SIGNING_CERT_new()))
859 goto err;
829 if (!sc->cert_ids && !(sc->cert_ids = sk_ESS_CERT_ID_new_null())) 860 if (!sc->cert_ids && !(sc->cert_ids = sk_ESS_CERT_ID_new_null()))
830 goto err; 861 goto err;
831 862
832 /* Adding the signing certificate id. */ 863 /* Adding the signing certificate id. */
833 if (!(cid = ESS_CERT_ID_new_init(signcert, 0)) 864 if (!(cid = ESS_CERT_ID_new_init(signcert, 0)) ||
834 || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) 865 !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
835 goto err; 866 goto err;
836 /* Adding the certificate chain ids. */ 867 /* Adding the certificate chain ids. */
837 for (i = 0; i < sk_X509_num(certs); ++i) 868 for (i = 0; i < sk_X509_num(certs); ++i) {
838 {
839 X509 *cert = sk_X509_value(certs, i); 869 X509 *cert = sk_X509_value(certs, i);
840 if (!(cid = ESS_CERT_ID_new_init(cert, 1)) 870 if (!(cid = ESS_CERT_ID_new_init(cert, 1)) ||
841 || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) 871 !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
842 goto err; 872 goto err;
843 } 873 }
844 874
845 return sc; 875 return sc;
876
846err: 877err:
847 ESS_SIGNING_CERT_free(sc); 878 ESS_SIGNING_CERT_free(sc);
848 TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE); 879 TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE);
849 return NULL; 880 return NULL;
850 } 881}
851 882
852static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) 883static ESS_CERT_ID *
853 { 884ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
885{
854 ESS_CERT_ID *cid = NULL; 886 ESS_CERT_ID *cid = NULL;
855 GENERAL_NAME *name = NULL; 887 GENERAL_NAME *name = NULL;
856 888
857 /* Recompute SHA1 hash of certificate if necessary (side effect). */ 889 /* Recompute SHA1 hash of certificate if necessary (side effect). */
858 X509_check_purpose(cert, -1, 0); 890 X509_check_purpose(cert, -1, 0);
859 891
860 if (!(cid = ESS_CERT_ID_new())) goto err; 892 if (!(cid = ESS_CERT_ID_new()))
893 goto err;
861 if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash, 894 if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
862 sizeof(cert->sha1_hash))) 895 sizeof(cert->sha1_hash)))
863 goto err; 896 goto err;
864 897
865 /* Setting the issuer/serial if requested. */ 898 /* Setting the issuer/serial if requested. */
866 if (issuer_needed) 899 if (issuer_needed) {
867 {
868 /* Creating issuer/serial structure. */ 900 /* Creating issuer/serial structure. */
869 if (!cid->issuer_serial 901 if (!cid->issuer_serial &&
870 && !(cid->issuer_serial = ESS_ISSUER_SERIAL_new())) 902 !(cid->issuer_serial = ESS_ISSUER_SERIAL_new()))
871 goto err; 903 goto err;
872 /* Creating general name from the certificate issuer. */ 904 /* Creating general name from the certificate issuer. */
873 if (!(name = GENERAL_NAME_new())) goto err; 905 if (!(name = GENERAL_NAME_new()))
906 goto err;
874 name->type = GEN_DIRNAME; 907 name->type = GEN_DIRNAME;
875 if (!(name->d.dirn = X509_NAME_dup(cert->cert_info->issuer))) 908 if (!(name->d.dirn = X509_NAME_dup(cert->cert_info->issuer)))
876 goto err; 909 goto err;
877 if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) 910 if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
878 goto err; 911 goto err;
879 name = NULL; /* Ownership is lost. */ 912 name = NULL; /* Ownership is lost. */
880 /* Setting the serial number. */ 913 /* Setting the serial number. */
881 ASN1_INTEGER_free(cid->issuer_serial->serial); 914 ASN1_INTEGER_free(cid->issuer_serial->serial);
882 if (!(cid->issuer_serial->serial = 915 if (!(cid->issuer_serial->serial =
883 ASN1_INTEGER_dup(cert->cert_info->serialNumber))) 916 ASN1_INTEGER_dup(cert->cert_info->serialNumber)))
884 goto err; 917 goto err;
885 } 918 }
886 919
887 return cid; 920 return cid;
921
888err: 922err:
889 GENERAL_NAME_free(name); 923 GENERAL_NAME_free(name);
890 ESS_CERT_ID_free(cid); 924 ESS_CERT_ID_free(cid);
891 TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE); 925 TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE);
892 return NULL; 926 return NULL;
893 } 927}
894 928
895static int TS_TST_INFO_content_new(PKCS7 *p7) 929static int
896 { 930TS_TST_INFO_content_new(PKCS7 *p7)
931{
897 PKCS7 *ret = NULL; 932 PKCS7 *ret = NULL;
898 ASN1_OCTET_STRING *octet_string = NULL; 933 ASN1_OCTET_STRING *octet_string = NULL;
899 934
900 /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */ 935 /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */
901 if (!(ret = PKCS7_new())) goto err; 936 if (!(ret = PKCS7_new()))
902 if (!(ret->d.other = ASN1_TYPE_new())) goto err; 937 goto err;
938 if (!(ret->d.other = ASN1_TYPE_new()))
939 goto err;
903 ret->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo); 940 ret->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
904 if (!(octet_string = ASN1_OCTET_STRING_new())) goto err; 941 if (!(octet_string = ASN1_OCTET_STRING_new()))
942 goto err;
905 ASN1_TYPE_set(ret->d.other, V_ASN1_OCTET_STRING, octet_string); 943 ASN1_TYPE_set(ret->d.other, V_ASN1_OCTET_STRING, octet_string);
906 octet_string = NULL; 944 octet_string = NULL;
907 945
908 /* Add encapsulated content to signed PKCS7 structure. */ 946 /* Add encapsulated content to signed PKCS7 structure. */
909 if (!PKCS7_set_content(p7, ret)) goto err; 947 if (!PKCS7_set_content(p7, ret))
948 goto err;
910 949
911 return 1; 950 return 1;
912 err: 951
952err:
913 ASN1_OCTET_STRING_free(octet_string); 953 ASN1_OCTET_STRING_free(octet_string);
914 PKCS7_free(ret); 954 PKCS7_free(ret);
915 return 0; 955 return 0;
916 } 956}
917 957
918static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) 958static int
919 { 959ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
960{
920 ASN1_STRING *seq = NULL; 961 ASN1_STRING *seq = NULL;
921 unsigned char *p, *pp = NULL; 962 unsigned char *p, *pp = NULL;
922 int len; 963 int len;
923 964
924 len = i2d_ESS_SIGNING_CERT(sc, NULL); 965 len = i2d_ESS_SIGNING_CERT(sc, NULL);
925 if (!(pp = (unsigned char *) malloc(len))) 966 if (!(pp = (unsigned char *) malloc(len))) {
926 {
927 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); 967 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
928 goto err; 968 goto err;
929 } 969 }
930 p = pp; 970 p = pp;
931 i2d_ESS_SIGNING_CERT(sc, &p); 971 i2d_ESS_SIGNING_CERT(sc, &p);
932 if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) 972 if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
933 {
934 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); 973 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
935 goto err; 974 goto err;
936 } 975 }
937 free(pp); pp = NULL; 976 free(pp);
938 return PKCS7_add_signed_attribute(si, 977 pp = NULL;
939 NID_id_smime_aa_signingCertificate, 978 return PKCS7_add_signed_attribute(si,
940 V_ASN1_SEQUENCE, seq); 979 NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
941 err: 980
981err:
942 ASN1_STRING_free(seq); 982 ASN1_STRING_free(seq);
943 free(pp); 983 free(pp);
944 984
945 return 0; 985 return 0;
946 } 986}
947 987
948 988
949static ASN1_GENERALIZEDTIME * 989static ASN1_GENERALIZEDTIME *
950TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time, 990TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
951 long sec, long usec, unsigned precision) 991 long sec, long usec, unsigned precision)
952 { 992{
953 time_t time_sec = (time_t) sec; 993 time_t time_sec = (time_t) sec;
954 struct tm *tm = NULL; 994 struct tm *tm = NULL;
955 char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS]; 995 char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS];
956 char usecstr[TS_MAX_CLOCK_PRECISION_DIGITS + 2]; 996 char usecstr[TS_MAX_CLOCK_PRECISION_DIGITS + 2];
957 char *p; 997 char *p;
@@ -960,26 +1000,25 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
960 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS) 1000 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
961 goto err; 1001 goto err;
962 1002
963
964 if (!(tm = gmtime(&time_sec))) 1003 if (!(tm = gmtime(&time_sec)))
965 goto err; 1004 goto err;
966 1005
967 /* 1006 /*
968 * Put "genTime_str" in GeneralizedTime format. We work around the 1007 * Put "genTime_str" in GeneralizedTime format. We work around the
969 * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST 1008 * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
970 * NOT include fractional seconds") and OpenSSL related functions to 1009 * NOT include fractional seconds") and OpenSSL related functions to
971 * meet the rfc3161 requirement: "GeneralizedTime syntax can include 1010 * meet the rfc3161 requirement: "GeneralizedTime syntax can include
972 * fraction-of-second details". 1011 * fraction-of-second details".
973 */ 1012 */
974 if (precision > 0) { 1013 if (precision > 0) {
975 /* To make things a bit harder, X.690 | ISO/IEC 8825-1 provides 1014 /* To make things a bit harder, X.690 | ISO/IEC 8825-1 provides
976 the following restrictions for a DER-encoding, which OpenSSL 1015 the following restrictions for a DER-encoding, which OpenSSL
977 (specifically ASN1_GENERALIZEDTIME_check() function) doesn't 1016 (specifically ASN1_GENERALIZEDTIME_check() function) doesn't
978 support: 1017 support:
979 "The encoding MUST terminate with a "Z" (which means "Zulu" 1018 "The encoding MUST terminate with a "Z" (which means "Zulu"
980 time). The decimal point element, if present, MUST be the 1019 time). The decimal point element, if present, MUST be the
981 point option ".". The fractional-seconds elements, 1020 point option ".". The fractional-seconds elements,
982 if present, MUST omit all trailing 0's; 1021 if present, MUST omit all trailing 0's;
983 if the elements correspond to 0, they MUST be wholly 1022 if the elements correspond to 0, they MUST be wholly
984 omitted, and the decimal point element also MUST be 1023 omitted, and the decimal point element also MUST be
985 omitted." */ 1024 omitted." */
@@ -999,7 +1038,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
999 } 1038 }
1000 rv = snprintf(genTime_str, sizeof(genTime_str), 1039 rv = snprintf(genTime_str, sizeof(genTime_str),
1001 "%04d%02d%02d%02d%02d%02d%sZ", 1040 "%04d%02d%02d%02d%02d%02d%sZ",
1002 tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, 1041 tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
1003 tm->tm_hour, tm->tm_min, tm->tm_sec, usecstr); 1042 tm->tm_hour, tm->tm_min, tm->tm_sec, usecstr);
1004 if (rv == -1 || rv >= sizeof(genTime_str)) 1043 if (rv == -1 || rv >= sizeof(genTime_str))
1005 goto err; 1044 goto err;
@@ -1007,14 +1046,14 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
1007 /* Now call OpenSSL to check and set our genTime value */ 1046 /* Now call OpenSSL to check and set our genTime value */
1008 if (!asn1_time && !(asn1_time = M_ASN1_GENERALIZEDTIME_new())) 1047 if (!asn1_time && !(asn1_time = M_ASN1_GENERALIZEDTIME_new()))
1009 goto err; 1048 goto err;
1010 if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) 1049 if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) {
1011 {
1012 ASN1_GENERALIZEDTIME_free(asn1_time); 1050 ASN1_GENERALIZEDTIME_free(asn1_time);
1013 goto err; 1051 goto err;
1014 } 1052 }
1015 1053
1016 return asn1_time; 1054 return asn1_time;
1017 err: 1055
1056err:
1018 TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME); 1057 TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME);
1019 return NULL; 1058 return NULL;
1020 } 1059}
diff --git a/src/lib/libssl/src/crypto/ts/ts_rsp_utils.c b/src/lib/libssl/src/crypto/ts/ts_rsp_utils.c
index 401c1fdc51..89c3e8f63c 100644
--- a/src/lib/libssl/src/crypto/ts/ts_rsp_utils.c
+++ b/src/lib/libssl/src/crypto/ts/ts_rsp_utils.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,346 +64,372 @@
64 64
65/* Function definitions. */ 65/* Function definitions. */
66 66
67int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *status_info) 67int
68 { 68TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *status_info)
69{
69 TS_STATUS_INFO *new_status_info; 70 TS_STATUS_INFO *new_status_info;
70 71
71 if (a->status_info == status_info) 72 if (a->status_info == status_info)
72 return 1; 73 return 1;
73 new_status_info = TS_STATUS_INFO_dup(status_info); 74 new_status_info = TS_STATUS_INFO_dup(status_info);
74 if (new_status_info == NULL) 75 if (new_status_info == NULL) {
75 {
76 TSerr(TS_F_TS_RESP_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE); 76 TSerr(TS_F_TS_RESP_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE);
77 return 0; 77 return 0;
78 } 78 }
79 TS_STATUS_INFO_free(a->status_info); 79 TS_STATUS_INFO_free(a->status_info);
80 a->status_info = new_status_info; 80 a->status_info = new_status_info;
81 81
82 return 1; 82 return 1;
83 } 83}
84 84
85TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a) 85TS_STATUS_INFO *
86 { 86TS_RESP_get_status_info(TS_RESP *a)
87{
87 return a->status_info; 88 return a->status_info;
88 } 89}
89 90
90/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */ 91/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
91void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info) 92void
92 { 93TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info)
94{
93 /* Set new PKCS7 and TST_INFO objects. */ 95 /* Set new PKCS7 and TST_INFO objects. */
94 PKCS7_free(a->token); 96 PKCS7_free(a->token);
95 a->token = p7; 97 a->token = p7;
96 TS_TST_INFO_free(a->tst_info); 98 TS_TST_INFO_free(a->tst_info);
97 a->tst_info = tst_info; 99 a->tst_info = tst_info;
98 } 100}
99 101
100PKCS7 *TS_RESP_get_token(TS_RESP *a) 102PKCS7 *
101 { 103TS_RESP_get_token(TS_RESP *a)
104{
102 return a->token; 105 return a->token;
103 } 106}
104 107
105TS_TST_INFO *TS_RESP_get_tst_info(TS_RESP *a) 108TS_TST_INFO *
106 { 109TS_RESP_get_tst_info(TS_RESP *a)
110{
107 return a->tst_info; 111 return a->tst_info;
108 } 112}
109 113
110int TS_TST_INFO_set_version(TS_TST_INFO *a, long version) 114int
111 { 115TS_TST_INFO_set_version(TS_TST_INFO *a, long version)
116{
112 return ASN1_INTEGER_set(a->version, version); 117 return ASN1_INTEGER_set(a->version, version);
113 } 118}
114 119
115long TS_TST_INFO_get_version(const TS_TST_INFO *a) 120long
116 { 121TS_TST_INFO_get_version(const TS_TST_INFO *a)
122{
117 return ASN1_INTEGER_get(a->version); 123 return ASN1_INTEGER_get(a->version);
118 } 124}
119 125
120int TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy) 126int
121 { 127TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy)
128{
122 ASN1_OBJECT *new_policy; 129 ASN1_OBJECT *new_policy;
123 130
124 if (a->policy_id == policy) 131 if (a->policy_id == policy)
125 return 1; 132 return 1;
126 new_policy = OBJ_dup(policy); 133 new_policy = OBJ_dup(policy);
127 if (new_policy == NULL) 134 if (new_policy == NULL) {
128 {
129 TSerr(TS_F_TS_TST_INFO_SET_POLICY_ID, ERR_R_MALLOC_FAILURE); 135 TSerr(TS_F_TS_TST_INFO_SET_POLICY_ID, ERR_R_MALLOC_FAILURE);
130 return 0; 136 return 0;
131 } 137 }
132 ASN1_OBJECT_free(a->policy_id); 138 ASN1_OBJECT_free(a->policy_id);
133 a->policy_id = new_policy; 139 a->policy_id = new_policy;
134 return 1; 140 return 1;
135 } 141}
136 142
137ASN1_OBJECT *TS_TST_INFO_get_policy_id(TS_TST_INFO *a) 143ASN1_OBJECT *
138 { 144TS_TST_INFO_get_policy_id(TS_TST_INFO *a)
145{
139 return a->policy_id; 146 return a->policy_id;
140 } 147}
141 148
142int TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint) 149int
143 { 150TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint)
151{
144 TS_MSG_IMPRINT *new_msg_imprint; 152 TS_MSG_IMPRINT *new_msg_imprint;
145 153
146 if (a->msg_imprint == msg_imprint) 154 if (a->msg_imprint == msg_imprint)
147 return 1; 155 return 1;
148 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint); 156 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint);
149 if (new_msg_imprint == NULL) 157 if (new_msg_imprint == NULL) {
150 {
151 TSerr(TS_F_TS_TST_INFO_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE); 158 TSerr(TS_F_TS_TST_INFO_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE);
152 return 0; 159 return 0;
153 } 160 }
154 TS_MSG_IMPRINT_free(a->msg_imprint); 161 TS_MSG_IMPRINT_free(a->msg_imprint);
155 a->msg_imprint = new_msg_imprint; 162 a->msg_imprint = new_msg_imprint;
156 return 1; 163 return 1;
157 } 164}
158 165
159TS_MSG_IMPRINT *TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a) 166TS_MSG_IMPRINT *
160 { 167TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a)
168{
161 return a->msg_imprint; 169 return a->msg_imprint;
162 } 170}
163 171
164int TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial) 172int
165 { 173TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial)
174{
166 ASN1_INTEGER *new_serial; 175 ASN1_INTEGER *new_serial;
167 176
168 if (a->serial == serial) 177 if (a->serial == serial)
169 return 1; 178 return 1;
170 new_serial = ASN1_INTEGER_dup(serial); 179 new_serial = ASN1_INTEGER_dup(serial);
171 if (new_serial == NULL) 180 if (new_serial == NULL) {
172 {
173 TSerr(TS_F_TS_TST_INFO_SET_SERIAL, ERR_R_MALLOC_FAILURE); 181 TSerr(TS_F_TS_TST_INFO_SET_SERIAL, ERR_R_MALLOC_FAILURE);
174 return 0; 182 return 0;
175 } 183 }
176 ASN1_INTEGER_free(a->serial); 184 ASN1_INTEGER_free(a->serial);
177 a->serial = new_serial; 185 a->serial = new_serial;
178 return 1; 186 return 1;
179 } 187}
180 188
181const ASN1_INTEGER *TS_TST_INFO_get_serial(const TS_TST_INFO *a) 189const ASN1_INTEGER *
182 { 190TS_TST_INFO_get_serial(const TS_TST_INFO *a)
191{
183 return a->serial; 192 return a->serial;
184 } 193}
185 194
186int TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime) 195int
187 { 196TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime)
197{
188 ASN1_GENERALIZEDTIME *new_time; 198 ASN1_GENERALIZEDTIME *new_time;
189 199
190 if (a->time == gtime) 200 if (a->time == gtime)
191 return 1; 201 return 1;
192 new_time = M_ASN1_GENERALIZEDTIME_dup(gtime); 202 new_time = M_ASN1_GENERALIZEDTIME_dup(gtime);
193 if (new_time == NULL) 203 if (new_time == NULL) {
194 {
195 TSerr(TS_F_TS_TST_INFO_SET_TIME, ERR_R_MALLOC_FAILURE); 204 TSerr(TS_F_TS_TST_INFO_SET_TIME, ERR_R_MALLOC_FAILURE);
196 return 0; 205 return 0;
197 } 206 }
198 ASN1_GENERALIZEDTIME_free(a->time); 207 ASN1_GENERALIZEDTIME_free(a->time);
199 a->time = new_time; 208 a->time = new_time;
200 return 1; 209 return 1;
201 } 210}
202 211
203const ASN1_GENERALIZEDTIME *TS_TST_INFO_get_time(const TS_TST_INFO *a) 212const ASN1_GENERALIZEDTIME *
204 { 213TS_TST_INFO_get_time(const TS_TST_INFO *a)
214{
205 return a->time; 215 return a->time;
206 } 216}
207 217
208int TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy) 218int
209 { 219TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy)
220{
210 TS_ACCURACY *new_accuracy; 221 TS_ACCURACY *new_accuracy;
211 222
212 if (a->accuracy == accuracy) 223 if (a->accuracy == accuracy)
213 return 1; 224 return 1;
214 new_accuracy = TS_ACCURACY_dup(accuracy); 225 new_accuracy = TS_ACCURACY_dup(accuracy);
215 if (new_accuracy == NULL) 226 if (new_accuracy == NULL) {
216 {
217 TSerr(TS_F_TS_TST_INFO_SET_ACCURACY, ERR_R_MALLOC_FAILURE); 227 TSerr(TS_F_TS_TST_INFO_SET_ACCURACY, ERR_R_MALLOC_FAILURE);
218 return 0; 228 return 0;
219 } 229 }
220 TS_ACCURACY_free(a->accuracy); 230 TS_ACCURACY_free(a->accuracy);
221 a->accuracy = new_accuracy; 231 a->accuracy = new_accuracy;
222 return 1; 232 return 1;
223 } 233}
224 234
225TS_ACCURACY *TS_TST_INFO_get_accuracy(TS_TST_INFO *a) 235TS_ACCURACY *
226 { 236TS_TST_INFO_get_accuracy(TS_TST_INFO *a)
237{
227 return a->accuracy; 238 return a->accuracy;
228 } 239}
229 240
230int TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds) 241int
231 { 242TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds)
243{
232 ASN1_INTEGER *new_seconds; 244 ASN1_INTEGER *new_seconds;
233 245
234 if (a->seconds == seconds) 246 if (a->seconds == seconds)
235 return 1; 247 return 1;
236 new_seconds = ASN1_INTEGER_dup(seconds); 248 new_seconds = ASN1_INTEGER_dup(seconds);
237 if (new_seconds == NULL) 249 if (new_seconds == NULL) {
238 {
239 TSerr(TS_F_TS_ACCURACY_SET_SECONDS, ERR_R_MALLOC_FAILURE); 250 TSerr(TS_F_TS_ACCURACY_SET_SECONDS, ERR_R_MALLOC_FAILURE);
240 return 0; 251 return 0;
241 } 252 }
242 ASN1_INTEGER_free(a->seconds); 253 ASN1_INTEGER_free(a->seconds);
243 a->seconds = new_seconds; 254 a->seconds = new_seconds;
244 return 1; 255 return 1;
245 } 256}
246 257
247const ASN1_INTEGER *TS_ACCURACY_get_seconds(const TS_ACCURACY *a) 258const ASN1_INTEGER *
248 { 259TS_ACCURACY_get_seconds(const TS_ACCURACY *a)
260{
249 return a->seconds; 261 return a->seconds;
250 } 262}
251 263
252int TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis) 264int
253 { 265TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis)
266{
254 ASN1_INTEGER *new_millis = NULL; 267 ASN1_INTEGER *new_millis = NULL;
255 268
256 if (a->millis == millis) 269 if (a->millis == millis)
257 return 1; 270 return 1;
258 if (millis != NULL) 271 if (millis != NULL) {
259 {
260 new_millis = ASN1_INTEGER_dup(millis); 272 new_millis = ASN1_INTEGER_dup(millis);
261 if (new_millis == NULL) 273 if (new_millis == NULL) {
262 { 274 TSerr(TS_F_TS_ACCURACY_SET_MILLIS,
263 TSerr(TS_F_TS_ACCURACY_SET_MILLIS, 275 ERR_R_MALLOC_FAILURE);
264 ERR_R_MALLOC_FAILURE);
265 return 0; 276 return 0;
266 }
267 } 277 }
278 }
268 ASN1_INTEGER_free(a->millis); 279 ASN1_INTEGER_free(a->millis);
269 a->millis = new_millis; 280 a->millis = new_millis;
270 return 1; 281 return 1;
271 } 282}
272 283
273const ASN1_INTEGER *TS_ACCURACY_get_millis(const TS_ACCURACY *a) 284const ASN1_INTEGER *
274 { 285TS_ACCURACY_get_millis(const TS_ACCURACY *a)
286{
275 return a->millis; 287 return a->millis;
276 } 288}
277 289
278int TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros) 290int
279 { 291TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros)
292{
280 ASN1_INTEGER *new_micros = NULL; 293 ASN1_INTEGER *new_micros = NULL;
281 294
282 if (a->micros == micros) 295 if (a->micros == micros)
283 return 1; 296 return 1;
284 if (micros != NULL) 297 if (micros != NULL) {
285 {
286 new_micros = ASN1_INTEGER_dup(micros); 298 new_micros = ASN1_INTEGER_dup(micros);
287 if (new_micros == NULL) 299 if (new_micros == NULL) {
288 { 300 TSerr(TS_F_TS_ACCURACY_SET_MICROS,
289 TSerr(TS_F_TS_ACCURACY_SET_MICROS, 301 ERR_R_MALLOC_FAILURE);
290 ERR_R_MALLOC_FAILURE);
291 return 0; 302 return 0;
292 }
293 } 303 }
304 }
294 ASN1_INTEGER_free(a->micros); 305 ASN1_INTEGER_free(a->micros);
295 a->micros = new_micros; 306 a->micros = new_micros;
296 return 1; 307 return 1;
297 } 308}
298 309
299const ASN1_INTEGER *TS_ACCURACY_get_micros(const TS_ACCURACY *a) 310const ASN1_INTEGER *
300 { 311TS_ACCURACY_get_micros(const TS_ACCURACY *a)
312{
301 return a->micros; 313 return a->micros;
302 } 314}
303 315
304int TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering) 316int
305 { 317TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering)
318{
306 a->ordering = ordering ? 0xFF : 0x00; 319 a->ordering = ordering ? 0xFF : 0x00;
307 return 1; 320 return 1;
308 } 321}
309 322
310int TS_TST_INFO_get_ordering(const TS_TST_INFO *a) 323int
311 { 324TS_TST_INFO_get_ordering(const TS_TST_INFO *a)
325{
312 return a->ordering ? 1 : 0; 326 return a->ordering ? 1 : 0;
313 } 327}
314 328
315int TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce) 329int
316 { 330TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce)
331{
317 ASN1_INTEGER *new_nonce; 332 ASN1_INTEGER *new_nonce;
318 333
319 if (a->nonce == nonce) 334 if (a->nonce == nonce)
320 return 1; 335 return 1;
321 new_nonce = ASN1_INTEGER_dup(nonce); 336 new_nonce = ASN1_INTEGER_dup(nonce);
322 if (new_nonce == NULL) 337 if (new_nonce == NULL) {
323 {
324 TSerr(TS_F_TS_TST_INFO_SET_NONCE, ERR_R_MALLOC_FAILURE); 338 TSerr(TS_F_TS_TST_INFO_SET_NONCE, ERR_R_MALLOC_FAILURE);
325 return 0; 339 return 0;
326 } 340 }
327 ASN1_INTEGER_free(a->nonce); 341 ASN1_INTEGER_free(a->nonce);
328 a->nonce = new_nonce; 342 a->nonce = new_nonce;
329 return 1; 343 return 1;
330 } 344}
331 345
332const ASN1_INTEGER *TS_TST_INFO_get_nonce(const TS_TST_INFO *a) 346const ASN1_INTEGER *
333 { 347TS_TST_INFO_get_nonce(const TS_TST_INFO *a)
348{
334 return a->nonce; 349 return a->nonce;
335 } 350}
336 351
337int TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa) 352int
338 { 353TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa)
354{
339 GENERAL_NAME *new_tsa; 355 GENERAL_NAME *new_tsa;
340 356
341 if (a->tsa == tsa) 357 if (a->tsa == tsa)
342 return 1; 358 return 1;
343 new_tsa = GENERAL_NAME_dup(tsa); 359 new_tsa = GENERAL_NAME_dup(tsa);
344 if (new_tsa == NULL) 360 if (new_tsa == NULL) {
345 {
346 TSerr(TS_F_TS_TST_INFO_SET_TSA, ERR_R_MALLOC_FAILURE); 361 TSerr(TS_F_TS_TST_INFO_SET_TSA, ERR_R_MALLOC_FAILURE);
347 return 0; 362 return 0;
348 } 363 }
349 GENERAL_NAME_free(a->tsa); 364 GENERAL_NAME_free(a->tsa);
350 a->tsa = new_tsa; 365 a->tsa = new_tsa;
351 return 1; 366 return 1;
352 } 367}
353 368
354GENERAL_NAME *TS_TST_INFO_get_tsa(TS_TST_INFO *a) 369GENERAL_NAME *
355 { 370TS_TST_INFO_get_tsa(TS_TST_INFO *a)
371{
356 return a->tsa; 372 return a->tsa;
357 } 373}
358 374
359STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a) 375STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a)
360 { 376{
361 return a->extensions; 377 return a->extensions;
362 } 378}
363 379
364void TS_TST_INFO_ext_free(TS_TST_INFO *a) 380void
365 { 381TS_TST_INFO_ext_free(TS_TST_INFO *a)
366 if (!a) return; 382{
383 if (!a)
384 return;
367 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free); 385 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free);
368 a->extensions = NULL; 386 a->extensions = NULL;
369 } 387}
370 388
371int TS_TST_INFO_get_ext_count(TS_TST_INFO *a) 389int
372 { 390TS_TST_INFO_get_ext_count(TS_TST_INFO *a)
391{
373 return X509v3_get_ext_count(a->extensions); 392 return X509v3_get_ext_count(a->extensions);
374 } 393}
375 394
376int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos) 395int
377 { 396TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos)
397{
378 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos); 398 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos);
379 } 399}
380 400
381int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos) 401int
382 { 402TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos)
403{
383 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos); 404 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos);
384 } 405}
385 406
386int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos) 407int
387 { 408TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos)
409{
388 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos); 410 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
389 } 411}
390 412
391X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc) 413X509_EXTENSION *
392 { 414TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc)
393 return X509v3_get_ext(a->extensions,loc); 415{
394 } 416 return X509v3_get_ext(a->extensions, loc);
395 417}
396X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc) 418
397 { 419X509_EXTENSION *
398 return X509v3_delete_ext(a->extensions,loc); 420TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc)
399 } 421{
400 422 return X509v3_delete_ext(a->extensions, loc);
401int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc) 423}
402 { 424
403 return X509v3_add_ext(&a->extensions,ex,loc) != NULL; 425int
404 } 426TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc)
405 427{
406void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx) 428 return X509v3_add_ext(&a->extensions, ex, loc) != NULL;
407 { 429}
430
431void *
432TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx)
433{
408 return X509V3_get_d2i(a->extensions, nid, crit, idx); 434 return X509V3_get_d2i(a->extensions, nid, crit, idx);
409 } 435}
diff --git a/src/lib/libssl/src/crypto/ts/ts_rsp_verify.c b/src/lib/libssl/src/crypto/ts/ts_rsp_verify.c
index 7484b10d60..66e35dab3a 100644
--- a/src/lib/libssl/src/crypto/ts/ts_rsp_verify.c
+++ b/src/lib/libssl/src/crypto/ts/ts_rsp_verify.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -65,38 +65,39 @@
65/* Private function declarations. */ 65/* Private function declarations. */
66 66
67static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, 67static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
68 X509 *signer, STACK_OF(X509) **chain); 68 X509 *signer, STACK_OF(X509) **chain);
69static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); 69static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain);
70static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si); 70static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si);
71static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); 71static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
72static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo); 72static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo);
73static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, 73static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx,
74 PKCS7 *token, TS_TST_INFO *tst_info); 74 PKCS7 *token, TS_TST_INFO *tst_info);
75static int TS_check_status_info(TS_RESP *response); 75static int TS_check_status_info(TS_RESP *response);
76static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text); 76static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text);
77static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info); 77static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info);
78static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, 78static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
79 X509_ALGOR **md_alg, 79 X509_ALGOR **md_alg,
80 unsigned char **imprint, unsigned *imprint_len); 80 unsigned char **imprint, unsigned *imprint_len);
81static int TS_check_imprints(X509_ALGOR *algor_a, 81static int TS_check_imprints(X509_ALGOR *algor_a,
82 unsigned char *imprint_a, unsigned len_a, 82 unsigned char *imprint_a, unsigned len_a,
83 TS_TST_INFO *tst_info); 83 TS_TST_INFO *tst_info);
84static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info); 84static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info);
85static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer); 85static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer);
86static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name); 86static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name);
87 87
88/* 88/*
89 * Local mapping between response codes and descriptions. 89 * Local mapping between response codes and descriptions.
90 * Don't forget to change TS_STATUS_BUF_SIZE when modifying 90 * Don't forget to change TS_STATUS_BUF_SIZE when modifying
91 * the elements of this array. 91 * the elements of this array.
92 */ 92 */
93static const char *TS_status_text[] = 93static const char *TS_status_text[] = {
94 { "granted", 94 "granted",
95 "grantedWithMods", 95 "grantedWithMods",
96 "rejection", 96 "rejection",
97 "waiting", 97 "waiting",
98 "revocationWarning", 98 "revocationWarning",
99 "revocationNotification" }; 99 "revocationNotification"
100};
100 101
101#define TS_STATUS_TEXT_SIZE (sizeof(TS_status_text)/sizeof(*TS_status_text)) 102#define TS_STATUS_TEXT_SIZE (sizeof(TS_status_text)/sizeof(*TS_status_text))
102 103
@@ -106,19 +107,19 @@ static const char *TS_status_text[] =
106 */ 107 */
107#define TS_STATUS_BUF_SIZE 256 108#define TS_STATUS_BUF_SIZE 256
108 109
109static struct 110static struct {
110 {
111 int code; 111 int code;
112 const char *text; 112 const char *text;
113 } TS_failure_info[] = 113} TS_failure_info[] = {
114 { { TS_INFO_BAD_ALG, "badAlg" }, 114 { TS_INFO_BAD_ALG, "badAlg" },
115 { TS_INFO_BAD_REQUEST, "badRequest" }, 115 { TS_INFO_BAD_REQUEST, "badRequest" },
116 { TS_INFO_BAD_DATA_FORMAT, "badDataFormat" }, 116 { TS_INFO_BAD_DATA_FORMAT, "badDataFormat" },
117 { TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable" }, 117 { TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable" },
118 { TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy" }, 118 { TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy" },
119 { TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension" }, 119 { TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension" },
120 { TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable" }, 120 { TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable" },
121 { TS_INFO_SYSTEM_FAILURE, "systemFailure" } }; 121 { TS_INFO_SYSTEM_FAILURE, "systemFailure" }
122};
122 123
123#define TS_FAILURE_INFO_SIZE (sizeof(TS_failure_info) / \ 124#define TS_FAILURE_INFO_SIZE (sizeof(TS_failure_info) / \
124 sizeof(*TS_failure_info)) 125 sizeof(*TS_failure_info))
@@ -137,9 +138,10 @@ static struct
137 * - Verify the signature value. 138 * - Verify the signature value.
138 * - Returns the signer certificate in 'signer', if 'signer' is not NULL. 139 * - Returns the signer certificate in 'signer', if 'signer' is not NULL.
139 */ 140 */
140int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, 141int
141 X509_STORE *store, X509 **signer_out) 142TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
142 { 143 X509_STORE *store, X509 **signer_out)
144{
143 STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL; 145 STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;
144 PKCS7_SIGNER_INFO *si; 146 PKCS7_SIGNER_INFO *si;
145 STACK_OF(X509) *signers = NULL; 147 STACK_OF(X509) *signers = NULL;
@@ -150,87 +152,86 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
150 BIO *p7bio = NULL; 152 BIO *p7bio = NULL;
151 153
152 /* Some sanity checks first. */ 154 /* Some sanity checks first. */
153 if (!token) 155 if (!token) {
154 {
155 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER); 156 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER);
156 goto err; 157 goto err;
157 } 158 }
158 159
159 /* Check for the correct content type */ 160 /* Check for the correct content type */
160 if(!PKCS7_type_is_signed(token)) 161 if (!PKCS7_type_is_signed(token)) {
161 {
162 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE); 162 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE);
163 goto err; 163 goto err;
164 } 164 }
165 165
166 /* Check if there is one and only one signer. */ 166 /* Check if there is one and only one signer. */
167 sinfos = PKCS7_get_signer_info(token); 167 sinfos = PKCS7_get_signer_info(token);
168 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) 168 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) {
169 {
170 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, 169 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE,
171 TS_R_THERE_MUST_BE_ONE_SIGNER); 170 TS_R_THERE_MUST_BE_ONE_SIGNER);
172 goto err; 171 goto err;
173 } 172 }
174 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0); 173 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
175 174
176 /* Check for no content: no data to verify signature. */ 175 /* Check for no content: no data to verify signature. */
177 if (PKCS7_get_detached(token)) 176 if (PKCS7_get_detached(token)) {
178 {
179 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT); 177 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT);
180 goto err; 178 goto err;
181 } 179 }
182 180
183 /* Get hold of the signer certificate, search only internal 181 /* Get hold of the signer certificate, search only internal
184 certificates if it was requested. */ 182 certificates if it was requested. */
185 signers = PKCS7_get0_signers(token, certs, 0); 183 signers = PKCS7_get0_signers(token, certs, 0);
186 if (!signers || sk_X509_num(signers) != 1) goto err; 184 if (!signers || sk_X509_num(signers) != 1)
185 goto err;
187 signer = sk_X509_value(signers, 0); 186 signer = sk_X509_value(signers, 0);
188 187
189 /* Now verify the certificate. */ 188 /* Now verify the certificate. */
190 if (!TS_verify_cert(store, certs, signer, &chain)) goto err; 189 if (!TS_verify_cert(store, certs, signer, &chain))
190 goto err;
191 191
192 /* Check if the signer certificate is consistent with the 192 /* Check if the signer certificate is consistent with the
193 ESS extension. */ 193 ESS extension. */
194 if (!TS_check_signing_certs(si, chain)) goto err; 194 if (!TS_check_signing_certs(si, chain))
195 goto err;
195 196
196 /* Creating the message digest. */ 197 /* Creating the message digest. */
197 p7bio = PKCS7_dataInit(token, NULL); 198 p7bio = PKCS7_dataInit(token, NULL);
198 199
199 /* We now have to 'read' from p7bio to calculate digests etc. */ 200 /* We now have to 'read' from p7bio to calculate digests etc. */
200 while ((i = BIO_read(p7bio,buf,sizeof(buf))) > 0); 201 while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0)
202 ;
201 203
202 /* Verifying the signature. */ 204 /* Verifying the signature. */
203 j = PKCS7_signatureVerify(p7bio, token, si, signer); 205 j = PKCS7_signatureVerify(p7bio, token, si, signer);
204 if (j <= 0) 206 if (j <= 0) {
205 {
206 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE); 207 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE);
207 goto err; 208 goto err;
208 } 209 }
209 210
210 /* Return the signer certificate if needed. */ 211 /* Return the signer certificate if needed. */
211 if (signer_out) 212 if (signer_out) {
212 {
213 *signer_out = signer; 213 *signer_out = signer;
214 CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509); 214 CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
215 } 215 }
216 216
217 ret = 1; 217 ret = 1;
218 218
219 err: 219err:
220 BIO_free_all(p7bio); 220 BIO_free_all(p7bio);
221 sk_X509_pop_free(chain, X509_free); 221 sk_X509_pop_free(chain, X509_free);
222 sk_X509_free(signers); 222 sk_X509_free(signers);
223 223
224 return ret; 224 return ret;
225 } 225}
226 226
227/* 227/*
228 * The certificate chain is returned in chain. Caller is responsible for 228 * The certificate chain is returned in chain. Caller is responsible for
229 * freeing the vector. 229 * freeing the vector.
230 */ 230 */
231static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, 231static int
232 X509 *signer, STACK_OF(X509) **chain) 232TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
233 { 233 STACK_OF(X509) **chain)
234{
234 X509_STORE_CTX cert_ctx; 235 X509_STORE_CTX cert_ctx;
235 int i; 236 int i;
236 int ret = 1; 237 int ret = 1;
@@ -240,110 +241,115 @@ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
240 X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted); 241 X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted);
241 X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN); 242 X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
242 i = X509_verify_cert(&cert_ctx); 243 i = X509_verify_cert(&cert_ctx);
243 if (i <= 0) 244 if (i <= 0) {
244 {
245 int j = X509_STORE_CTX_get_error(&cert_ctx); 245 int j = X509_STORE_CTX_get_error(&cert_ctx);
246 TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR); 246 TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
247 ERR_add_error_data(2, "Verify error:", 247 ERR_add_error_data(2, "Verify error:",
248 X509_verify_cert_error_string(j)); 248 X509_verify_cert_error_string(j));
249 ret = 0; 249 ret = 0;
250 } 250 } else {
251 else
252 {
253 /* Get a copy of the certificate chain. */ 251 /* Get a copy of the certificate chain. */
254 *chain = X509_STORE_CTX_get1_chain(&cert_ctx); 252 *chain = X509_STORE_CTX_get1_chain(&cert_ctx);
255 } 253 }
256 254
257 X509_STORE_CTX_cleanup(&cert_ctx); 255 X509_STORE_CTX_cleanup(&cert_ctx);
258 256
259 return ret; 257 return ret;
260 } 258}
261 259
262static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain) 260static int
263 { 261TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain)
262{
264 ESS_SIGNING_CERT *ss = ESS_get_signing_cert(si); 263 ESS_SIGNING_CERT *ss = ESS_get_signing_cert(si);
265 STACK_OF(ESS_CERT_ID) *cert_ids = NULL; 264 STACK_OF(ESS_CERT_ID) *cert_ids = NULL;
266 X509 *cert; 265 X509 *cert;
267 int i = 0; 266 int i = 0;
268 int ret = 0; 267 int ret = 0;
269 268
270 if (!ss) goto err; 269 if (!ss)
270 goto err;
271 cert_ids = ss->cert_ids; 271 cert_ids = ss->cert_ids;
272 /* The signer certificate must be the first in cert_ids. */ 272 /* The signer certificate must be the first in cert_ids. */
273 cert = sk_X509_value(chain, 0); 273 cert = sk_X509_value(chain, 0);
274 if (TS_find_cert(cert_ids, cert) != 0) goto err; 274 if (TS_find_cert(cert_ids, cert) != 0)
275 275 goto err;
276
276 /* Check the other certificates of the chain if there are more 277 /* Check the other certificates of the chain if there are more
277 than one certificate ids in cert_ids. */ 278 than one certificate ids in cert_ids. */
278 if (sk_ESS_CERT_ID_num(cert_ids) > 1) 279 if (sk_ESS_CERT_ID_num(cert_ids) > 1) {
279 {
280 /* All the certificates of the chain must be in cert_ids. */ 280 /* All the certificates of the chain must be in cert_ids. */
281 for (i = 1; i < sk_X509_num(chain); ++i) 281 for (i = 1; i < sk_X509_num(chain); ++i) {
282 {
283 cert = sk_X509_value(chain, i); 282 cert = sk_X509_value(chain, i);
284 if (TS_find_cert(cert_ids, cert) < 0) goto err; 283 if (TS_find_cert(cert_ids, cert) < 0)
285 } 284 goto err;
286 } 285 }
286 }
287 ret = 1; 287 ret = 1;
288 err: 288
289err:
289 if (!ret) 290 if (!ret)
290 TSerr(TS_F_TS_CHECK_SIGNING_CERTS, 291 TSerr(TS_F_TS_CHECK_SIGNING_CERTS,
291 TS_R_ESS_SIGNING_CERTIFICATE_ERROR); 292 TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
292 ESS_SIGNING_CERT_free(ss); 293 ESS_SIGNING_CERT_free(ss);
293 return ret; 294 return ret;
294 } 295}
295 296
296static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si) 297static ESS_SIGNING_CERT *
297 { 298ESS_get_signing_cert(PKCS7_SIGNER_INFO *si)
299{
298 ASN1_TYPE *attr; 300 ASN1_TYPE *attr;
299 const unsigned char *p; 301 const unsigned char *p;
300 attr = PKCS7_get_signed_attribute(si, 302
301 NID_id_smime_aa_signingCertificate); 303 attr = PKCS7_get_signed_attribute(si,
302 if (!attr) return NULL; 304 NID_id_smime_aa_signingCertificate);
305 if (!attr)
306 return NULL;
303 p = attr->value.sequence->data; 307 p = attr->value.sequence->data;
304 return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); 308 return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
305 } 309}
306 310
307/* Returns < 0 if certificate is not found, certificate index otherwise. */ 311/* Returns < 0 if certificate is not found, certificate index otherwise. */
308static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) 312static int
309 { 313TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
314{
310 int i; 315 int i;
311 316
312 if (!cert_ids || !cert) return -1; 317 if (!cert_ids || !cert)
318 return -1;
313 319
314 /* Recompute SHA1 hash of certificate if necessary (side effect). */ 320 /* Recompute SHA1 hash of certificate if necessary (side effect). */
315 X509_check_purpose(cert, -1, 0); 321 X509_check_purpose(cert, -1, 0);
316 322
317 /* Look for cert in the cert_ids vector. */ 323 /* Look for cert in the cert_ids vector. */
318 for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) 324 for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) {
319 {
320 ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i); 325 ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
321 326
322 /* Check the SHA-1 hash first. */ 327 /* Check the SHA-1 hash first. */
323 if (cid->hash->length == sizeof(cert->sha1_hash) 328 if (cid->hash->length == sizeof(cert->sha1_hash) &&
324 && !memcmp(cid->hash->data, cert->sha1_hash, 329 !memcmp(cid->hash->data, cert->sha1_hash,
325 sizeof(cert->sha1_hash))) 330 sizeof(cert->sha1_hash))) {
326 {
327 /* Check the issuer/serial as well if specified. */ 331 /* Check the issuer/serial as well if specified. */
328 ESS_ISSUER_SERIAL *is = cid->issuer_serial; 332 ESS_ISSUER_SERIAL *is = cid->issuer_serial;
329 if (!is || !TS_issuer_serial_cmp(is, cert->cert_info)) 333 if (!is || !TS_issuer_serial_cmp(is, cert->cert_info))
330 return i; 334 return i;
331 }
332 } 335 }
333
334 return -1;
335 } 336 }
336 337
337static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) 338 return -1;
338 { 339}
340
341static int
342TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo)
343{
339 GENERAL_NAME *issuer; 344 GENERAL_NAME *issuer;
340 345
341 if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) return -1; 346 if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1)
347 return -1;
342 348
343 /* Check the issuer first. It must be a directory name. */ 349 /* Check the issuer first. It must be a directory name. */
344 issuer = sk_GENERAL_NAME_value(is->issuer, 0); 350 issuer = sk_GENERAL_NAME_value(is->issuer, 0);
345 if (issuer->type != GEN_DIRNAME 351 if (issuer->type != GEN_DIRNAME ||
346 || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer)) 352 X509_NAME_cmp(issuer->d.dirn, cinfo->issuer))
347 return -1; 353 return -1;
348 354
349 /* Check the serial number, too. */ 355 /* Check the serial number, too. */
@@ -351,50 +357,54 @@ static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo)
351 return -1; 357 return -1;
352 358
353 return 0; 359 return 0;
354 } 360}
355 361
356/* 362/*
357 * Verifies whether 'response' contains a valid response with regards 363 * Verifies whether 'response' contains a valid response with regards
358 * to the settings of the context: 364 * to the settings of the context:
359 * - Gives an error message if the TS_TST_INFO is not present. 365 * - Gives an error message if the TS_TST_INFO is not present.
360 * - Calls _TS_RESP_verify_token to verify the token content. 366 * - Calls _TS_RESP_verify_token to verify the token content.
361 */ 367 */
362int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response) 368int
363 { 369TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response)
370{
364 PKCS7 *token = TS_RESP_get_token(response); 371 PKCS7 *token = TS_RESP_get_token(response);
365 TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); 372 TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
366 int ret = 0; 373 int ret = 0;
367 374
368 /* Check if we have a successful TS_TST_INFO object in place. */ 375 /* Check if we have a successful TS_TST_INFO object in place. */
369 if (!TS_check_status_info(response)) goto err; 376 if (!TS_check_status_info(response))
377 goto err;
370 378
371 /* Check the contents of the time stamp token. */ 379 /* Check the contents of the time stamp token. */
372 if (!int_TS_RESP_verify_token(ctx, token, tst_info)) 380 if (!int_TS_RESP_verify_token(ctx, token, tst_info))
373 goto err; 381 goto err;
374 382
375 ret = 1; 383 ret = 1;
376 err: 384
385err:
377 return ret; 386 return ret;
378 } 387}
379 388
380/* 389/*
381 * Tries to extract a TS_TST_INFO structure from the PKCS7 token and 390 * Tries to extract a TS_TST_INFO structure from the PKCS7 token and
382 * calls the internal int_TS_RESP_verify_token function for verifying it. 391 * calls the internal int_TS_RESP_verify_token function for verifying it.
383 */ 392 */
384int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token) 393int
385 { 394TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
395{
386 TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token); 396 TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token);
387 int ret = 0; 397 int ret = 0;
388 if (tst_info) 398
389 { 399 if (tst_info) {
390 ret = int_TS_RESP_verify_token(ctx, token, tst_info); 400 ret = int_TS_RESP_verify_token(ctx, token, tst_info);
391 TS_TST_INFO_free(tst_info); 401 TS_TST_INFO_free(tst_info);
392 }
393 return ret;
394 } 402 }
403 return ret;
404}
395 405
396/* 406/*
397 * Verifies whether the 'token' contains a valid time stamp token 407 * Verifies whether the 'token' contains a valid time stamp token
398 * with regards to the settings of the context. Only those checks are 408 * with regards to the settings of the context. Only those checks are
399 * carried out that are specified in the context: 409 * carried out that are specified in the context:
400 * - Verifies the signature of the TS_TST_INFO. 410 * - Verifies the signature of the TS_TST_INFO.
@@ -405,9 +415,10 @@ int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
405 * - Check if the TSA name matches the signer. 415 * - Check if the TSA name matches the signer.
406 * - Check if the TSA name is the expected TSA. 416 * - Check if the TSA name is the expected TSA.
407 */ 417 */
408static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, 418static int
409 PKCS7 *token, TS_TST_INFO *tst_info) 419int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token,
410 { 420 TS_TST_INFO *tst_info)
421{
411 X509 *signer = NULL; 422 X509 *signer = NULL;
412 GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info); 423 GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info);
413 X509_ALGOR *md_alg = NULL; 424 X509_ALGOR *md_alg = NULL;
@@ -416,68 +427,66 @@ static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx,
416 int ret = 0; 427 int ret = 0;
417 428
418 /* Verify the signature. */ 429 /* Verify the signature. */
419 if ((ctx->flags & TS_VFY_SIGNATURE) 430 if ((ctx->flags & TS_VFY_SIGNATURE) &&
420 && !TS_RESP_verify_signature(token, ctx->certs, ctx->store, 431 !TS_RESP_verify_signature(token, ctx->certs, ctx->store, &signer))
421 &signer))
422 goto err; 432 goto err;
423 433
424 /* Check version number of response. */ 434 /* Check version number of response. */
425 if ((ctx->flags & TS_VFY_VERSION) 435 if ((ctx->flags & TS_VFY_VERSION) &&
426 && TS_TST_INFO_get_version(tst_info) != 1) 436 TS_TST_INFO_get_version(tst_info) != 1) {
427 {
428 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION); 437 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION);
429 goto err; 438 goto err;
430 } 439 }
431 440
432 /* Check policies. */ 441 /* Check policies. */
433 if ((ctx->flags & TS_VFY_POLICY) 442 if ((ctx->flags & TS_VFY_POLICY) &&
434 && !TS_check_policy(ctx->policy, tst_info)) 443 !TS_check_policy(ctx->policy, tst_info))
435 goto err; 444 goto err;
436 445
437 /* Check message imprints. */ 446 /* Check message imprints. */
438 if ((ctx->flags & TS_VFY_IMPRINT) 447 if ((ctx->flags & TS_VFY_IMPRINT) &&
439 && !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len, 448 !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len,
440 tst_info)) 449 tst_info))
441 goto err; 450 goto err;
442 451
443 /* Compute and check message imprints. */ 452 /* Compute and check message imprints. */
444 if ((ctx->flags & TS_VFY_DATA) 453 if ((ctx->flags & TS_VFY_DATA) &&
445 && (!TS_compute_imprint(ctx->data, tst_info, 454 (!TS_compute_imprint(ctx->data, tst_info,
446 &md_alg, &imprint, &imprint_len) 455 &md_alg, &imprint, &imprint_len) ||
447 || !TS_check_imprints(md_alg, imprint, imprint_len, tst_info))) 456 !TS_check_imprints(md_alg, imprint, imprint_len, tst_info)))
448 goto err; 457 goto err;
449 458
450 /* Check nonces. */ 459 /* Check nonces. */
451 if ((ctx->flags & TS_VFY_NONCE) 460 if ((ctx->flags & TS_VFY_NONCE) &&
452 && !TS_check_nonces(ctx->nonce, tst_info)) 461 !TS_check_nonces(ctx->nonce, tst_info))
453 goto err; 462 goto err;
454 463
455 /* Check whether TSA name and signer certificate match. */ 464 /* Check whether TSA name and signer certificate match. */
456 if ((ctx->flags & TS_VFY_SIGNER) 465 if ((ctx->flags & TS_VFY_SIGNER) &&
457 && tsa_name && !TS_check_signer_name(tsa_name, signer)) 466 tsa_name && !TS_check_signer_name(tsa_name, signer)) {
458 {
459 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH); 467 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH);
460 goto err; 468 goto err;
461 } 469 }
462 470
463 /* Check whether the TSA is the expected one. */ 471 /* Check whether the TSA is the expected one. */
464 if ((ctx->flags & TS_VFY_TSA_NAME) 472 if ((ctx->flags & TS_VFY_TSA_NAME) &&
465 && !TS_check_signer_name(ctx->tsa_name, signer)) 473 !TS_check_signer_name(ctx->tsa_name, signer)) {
466 {
467 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED); 474 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED);
468 goto err; 475 goto err;
469 } 476 }
470 477
471 ret = 1; 478 ret = 1;
472 err: 479
480err:
473 X509_free(signer); 481 X509_free(signer);
474 X509_ALGOR_free(md_alg); 482 X509_ALGOR_free(md_alg);
475 free(imprint); 483 free(imprint);
476 return ret; 484 return ret;
477 } 485}
478 486
479static int TS_check_status_info(TS_RESP *response) 487static int
480 { 488TS_check_status_info(TS_RESP *response)
489{
481 TS_STATUS_INFO *info = TS_RESP_get_status_info(response); 490 TS_STATUS_INFO *info = TS_RESP_get_status_info(response);
482 long status = ASN1_INTEGER_get(info->status); 491 long status = ASN1_INTEGER_get(info->status);
483 const char *status_text = NULL; 492 const char *status_text = NULL;
@@ -485,7 +494,8 @@ static int TS_check_status_info(TS_RESP *response)
485 char failure_text[TS_STATUS_BUF_SIZE] = ""; 494 char failure_text[TS_STATUS_BUF_SIZE] = "";
486 495
487 /* Check if everything went fine. */ 496 /* Check if everything went fine. */
488 if (status == 0 || status == 1) return 1; 497 if (status == 0 || status == 1)
498 return 1;
489 499
490 /* There was an error, get the description in status_text. */ 500 /* There was an error, get the description in status_text. */
491 if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE) 501 if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE)
@@ -494,93 +504,88 @@ static int TS_check_status_info(TS_RESP *response)
494 status_text = "unknown code"; 504 status_text = "unknown code";
495 505
496 /* Set the embedded_status_text to the returned description. */ 506 /* Set the embedded_status_text to the returned description. */
497 if (sk_ASN1_UTF8STRING_num(info->text) > 0 507 if (sk_ASN1_UTF8STRING_num(info->text) > 0 &&
498 && !(embedded_status_text = TS_get_status_text(info->text))) 508 !(embedded_status_text = TS_get_status_text(info->text)))
499 return 0; 509 return 0;
500 510
501 /* Filling in failure_text with the failure information. */ 511 /* Filling in failure_text with the failure information. */
502 if (info->failure_info) 512 if (info->failure_info) {
503 {
504 int i; 513 int i;
505 int first = 1; 514 int first = 1;
506 for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i) 515 for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i) {
507 {
508 if (ASN1_BIT_STRING_get_bit(info->failure_info, 516 if (ASN1_BIT_STRING_get_bit(info->failure_info,
509 TS_failure_info[i].code)) 517 TS_failure_info[i].code)) {
510 {
511 if (!first) 518 if (!first)
512 strlcat(failure_text, ",", 519 strlcat(failure_text, ",",
513 TS_STATUS_BUF_SIZE); 520 TS_STATUS_BUF_SIZE);
514 else 521 else
515 first = 0; 522 first = 0;
516 strlcat(failure_text, TS_failure_info[i].text, 523 strlcat(failure_text, TS_failure_info[i].text,
517 TS_STATUS_BUF_SIZE); 524 TS_STATUS_BUF_SIZE);
518 }
519 } 525 }
520 } 526 }
527 }
521 if (failure_text[0] == '\0') 528 if (failure_text[0] == '\0')
522 strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE); 529 strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE);
523 530
524 /* Making up the error string. */ 531 /* Making up the error string. */
525 TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN); 532 TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN);
526 ERR_add_error_data(6, 533 ERR_add_error_data(6,
527 "status code: ", status_text, 534 "status code: ", status_text,
528 ", status text: ", embedded_status_text ? 535 ", status text: ", embedded_status_text ?
529 embedded_status_text : "unspecified", 536 embedded_status_text : "unspecified",
530 ", failure codes: ", failure_text); 537 ", failure codes: ", failure_text);
531 free(embedded_status_text); 538 free(embedded_status_text);
532 539
533 return 0; 540 return 0;
534 } 541}
535 542
536static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text) 543static char *
537 { 544TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
545{
538 int i; 546 int i;
539 unsigned int length = 0; 547 unsigned int length = 0;
540 char *result = NULL; 548 char *result = NULL;
541 549
542 /* Determine length first. */ 550 /* Determine length first. */
543 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) 551 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
544 {
545 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); 552 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
546 length += ASN1_STRING_length(current); 553 length += ASN1_STRING_length(current);
547 length += 1; /* separator character */ 554 length += 1; /* separator character */
548 } 555 }
549 /* Allocate memory (closing '\0' included). */ 556 /* Allocate memory (closing '\0' included). */
550 if (!(result = malloc(length))) 557 if (!(result = malloc(length))) {
551 {
552 TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE); 558 TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE);
553 return NULL; 559 return NULL;
554 } 560 }
555 /* Concatenate the descriptions. */ 561 /* Concatenate the descriptions. */
556 result[0] = '\0'; 562 result[0] = '\0';
557 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) 563 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
558 {
559 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); 564 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
560 if (i > 0) 565 if (i > 0)
561 strlcat(result, "/", length); 566 strlcat(result, "/", length);
562 strlcat(result, ASN1_STRING_data(current), length); 567 strlcat(result, ASN1_STRING_data(current), length);
563 }
564 return result;
565 } 568 }
569 return result;
570}
566 571
567static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info) 572static int
568 { 573TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info)
574{
569 ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info); 575 ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info);
570 576
571 if (OBJ_cmp(req_oid, resp_oid) != 0) 577 if (OBJ_cmp(req_oid, resp_oid) != 0) {
572 {
573 TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH); 578 TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH);
574 return 0; 579 return 0;
575 } 580 }
576 581
577 return 1; 582 return 1;
578 } 583}
579 584
580static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, 585static int
581 X509_ALGOR **md_alg, 586TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg,
582 unsigned char **imprint, unsigned *imprint_len) 587 unsigned char **imprint, unsigned *imprint_len)
583 { 588{
584 TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); 589 TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info);
585 X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); 590 X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint);
586 const EVP_MD *md; 591 const EVP_MD *md;
@@ -592,136 +597,136 @@ static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
592 *imprint = NULL; 597 *imprint = NULL;
593 598
594 /* Return the MD algorithm of the response. */ 599 /* Return the MD algorithm of the response. */
595 if (!(*md_alg = X509_ALGOR_dup(md_alg_resp))) goto err; 600 if (!(*md_alg = X509_ALGOR_dup(md_alg_resp)))
601 goto err;
596 602
597 /* Getting the MD object. */ 603 /* Getting the MD object. */
598 if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) 604 if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) {
599 {
600 TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM); 605 TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM);
601 goto err; 606 goto err;
602 } 607 }
603 608
604 /* Compute message digest. */ 609 /* Compute message digest. */
605 length = EVP_MD_size(md); 610 length = EVP_MD_size(md);
606 if (length < 0) 611 if (length < 0)
607 goto err; 612 goto err;
608 *imprint_len = length; 613 *imprint_len = length;
609 if (!(*imprint = malloc(*imprint_len))) 614 if (!(*imprint = malloc(*imprint_len))) {
610 {
611 TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE); 615 TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE);
612 goto err; 616 goto err;
613 } 617 }
614 618
615 if (!EVP_DigestInit(&md_ctx, md)) 619 if (!EVP_DigestInit(&md_ctx, md))
616 goto err; 620 goto err;
617 while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) 621 while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) {
618 {
619 if (!EVP_DigestUpdate(&md_ctx, buffer, length)) 622 if (!EVP_DigestUpdate(&md_ctx, buffer, length))
620 goto err; 623 goto err;
621 } 624 }
622 if (!EVP_DigestFinal(&md_ctx, *imprint, NULL)) 625 if (!EVP_DigestFinal(&md_ctx, *imprint, NULL))
623 goto err; 626 goto err;
624 627
625 return 1; 628 return 1;
626 err: 629
630err:
627 X509_ALGOR_free(*md_alg); 631 X509_ALGOR_free(*md_alg);
628 free(*imprint); 632 free(*imprint);
629 *imprint = NULL; 633 *imprint = NULL;
630 *imprint_len = 0; 634 *imprint_len = 0;
631 return 0; 635 return 0;
632 } 636}
633 637
634static int TS_check_imprints(X509_ALGOR *algor_a, 638static int
635 unsigned char *imprint_a, unsigned len_a, 639TS_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a,
636 TS_TST_INFO *tst_info) 640 TS_TST_INFO *tst_info)
637 { 641{
638 TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info); 642 TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info);
639 X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b); 643 X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b);
640 int ret = 0; 644 int ret = 0;
641 645
642 /* algor_a is optional. */ 646 /* algor_a is optional. */
643 if (algor_a) 647 if (algor_a) {
644 {
645 /* Compare algorithm OIDs. */ 648 /* Compare algorithm OIDs. */
646 if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm)) goto err; 649 if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm))
650 goto err;
647 651
648 /* The parameter must be NULL in both. */ 652 /* The parameter must be NULL in both. */
649 if ((algor_a->parameter 653 if ((algor_a->parameter &&
650 && ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL) 654 ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL) ||
651 || (algor_b->parameter 655 (algor_b->parameter &&
652 && ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL)) 656 ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL))
653 goto err; 657 goto err;
654 } 658 }
655 659
656 /* Compare octet strings. */ 660 /* Compare octet strings. */
657 ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) && 661 ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&
658 memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0; 662 memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;
659 err: 663
664err:
660 if (!ret) 665 if (!ret)
661 TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH); 666 TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH);
662 return ret; 667 return ret;
663 } 668}
664 669
665static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info) 670static int
666 { 671TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
672{
667 const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info); 673 const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info);
668 674
669 /* Error if nonce is missing. */ 675 /* Error if nonce is missing. */
670 if (!b) 676 if (!b) {
671 {
672 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED); 677 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED);
673 return 0; 678 return 0;
674 } 679 }
675 680
676 /* No error if a nonce is returned without being requested. */ 681 /* No error if a nonce is returned without being requested. */
677 if (ASN1_INTEGER_cmp(a, b) != 0) 682 if (ASN1_INTEGER_cmp(a, b) != 0) {
678 {
679 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH); 683 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH);
680 return 0; 684 return 0;
681 } 685 }
682 686
683 return 1; 687 return 1;
684 } 688}
685 689
686/* Check if the specified TSA name matches either the subject 690/* Check if the specified TSA name matches either the subject
687 or one of the subject alternative names of the TSA certificate. */ 691 or one of the subject alternative names of the TSA certificate. */
688static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) 692static int
689 { 693TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
694{
690 STACK_OF(GENERAL_NAME) *gen_names = NULL; 695 STACK_OF(GENERAL_NAME) *gen_names = NULL;
691 int idx = -1; 696 int idx = -1;
692 int found = 0; 697 int found = 0;
693 698
694 /* Check the subject name first. */ 699 /* Check the subject name first. */
695 if (tsa_name->type == GEN_DIRNAME 700 if (tsa_name->type == GEN_DIRNAME &&
696 && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) 701 X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0)
697 return 1; 702 return 1;
698 703
699 /* Check all the alternative names. */ 704 /* Check all the alternative names. */
700 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, 705 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name,
701 NULL, &idx); 706 NULL, &idx);
702 while (gen_names != NULL 707 while (gen_names != NULL &&
703 && !(found = TS_find_name(gen_names, tsa_name) >= 0)) 708 !(found = TS_find_name(gen_names, tsa_name) >= 0)) {
704 {
705 /* Get the next subject alternative name, 709 /* Get the next subject alternative name,
706 although there should be no more than one. */ 710 although there should be no more than one. */
707 GENERAL_NAMES_free(gen_names); 711 GENERAL_NAMES_free(gen_names);
708 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, 712 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name,
709 NULL, &idx); 713 NULL, &idx);
710 }
711 if (gen_names) GENERAL_NAMES_free(gen_names);
712
713 return found;
714 } 714 }
715 if (gen_names)
716 GENERAL_NAMES_free(gen_names);
717
718 return found;
719}
715 720
716/* Returns 1 if name is in gen_names, 0 otherwise. */ 721/* Returns 1 if name is in gen_names, 0 otherwise. */
717static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name) 722static int
718 { 723TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name)
724{
719 int i, found; 725 int i, found;
720 for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names); 726 for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names);
721 ++i) 727 ++i) {
722 {
723 GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i); 728 GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i);
724 found = GENERAL_NAME_cmp(current, name) == 0; 729 found = GENERAL_NAME_cmp(current, name) == 0;
725 }
726 return found ? i - 1 : -1;
727 } 730 }
731 return found ? i - 1 : -1;
732}
diff --git a/src/lib/libssl/src/crypto/ts/ts_verify_ctx.c b/src/lib/libssl/src/crypto/ts/ts_verify_ctx.c
index 629107aeec..3fc772678c 100644
--- a/src/lib/libssl/src/crypto/ts/ts_verify_ctx.c
+++ b/src/lib/libssl/src/crypto/ts/ts_verify_ctx.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -60,34 +60,40 @@
60#include <openssl/objects.h> 60#include <openssl/objects.h>
61#include <openssl/ts.h> 61#include <openssl/ts.h>
62 62
63TS_VERIFY_CTX *TS_VERIFY_CTX_new(void) 63TS_VERIFY_CTX *
64 { 64TS_VERIFY_CTX_new(void)
65 TS_VERIFY_CTX *ctx = 65{
66 (TS_VERIFY_CTX *) malloc(sizeof(TS_VERIFY_CTX)); 66 TS_VERIFY_CTX *ctx = (TS_VERIFY_CTX *) malloc(sizeof(TS_VERIFY_CTX));
67
67 if (ctx) 68 if (ctx)
68 memset(ctx, 0, sizeof(TS_VERIFY_CTX)); 69 memset(ctx, 0, sizeof(TS_VERIFY_CTX));
69 else 70 else
70 TSerr(TS_F_TS_VERIFY_CTX_NEW, ERR_R_MALLOC_FAILURE); 71 TSerr(TS_F_TS_VERIFY_CTX_NEW, ERR_R_MALLOC_FAILURE);
71 return ctx; 72 return ctx;
72 } 73}
73 74
74void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx) 75void
75 { 76TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx)
77{
76 OPENSSL_assert(ctx != NULL); 78 OPENSSL_assert(ctx != NULL);
77 memset(ctx, 0, sizeof(TS_VERIFY_CTX)); 79 memset(ctx, 0, sizeof(TS_VERIFY_CTX));
78 } 80}
79 81
80void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx) 82void
81 { 83TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx)
82 if (!ctx) return; 84{
85 if (!ctx)
86 return;
83 87
84 TS_VERIFY_CTX_cleanup(ctx); 88 TS_VERIFY_CTX_cleanup(ctx);
85 free(ctx); 89 free(ctx);
86 } 90}
87 91
88void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx) 92void
89 { 93TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
90 if (!ctx) return; 94{
95 if (!ctx)
96 return;
91 97
92 X509_STORE_free(ctx->store); 98 X509_STORE_free(ctx->store);
93 sk_X509_pop_free(ctx->certs, X509_free); 99 sk_X509_pop_free(ctx->certs, X509_free);
@@ -96,7 +102,7 @@ void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
96 102
97 X509_ALGOR_free(ctx->md_alg); 103 X509_ALGOR_free(ctx->md_alg);
98 free(ctx->imprint); 104 free(ctx->imprint);
99 105
100 BIO_free_all(ctx->data); 106 BIO_free_all(ctx->data);
101 107
102 ASN1_INTEGER_free(ctx->nonce); 108 ASN1_INTEGER_free(ctx->nonce);
@@ -104,10 +110,11 @@ void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
104 GENERAL_NAME_free(ctx->tsa_name); 110 GENERAL_NAME_free(ctx->tsa_name);
105 111
106 TS_VERIFY_CTX_init(ctx); 112 TS_VERIFY_CTX_init(ctx);
107 } 113}
108 114
109TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx) 115TS_VERIFY_CTX *
110 { 116TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
117{
111 TS_VERIFY_CTX *ret = ctx; 118 TS_VERIFY_CTX *ret = ctx;
112 ASN1_OBJECT *policy; 119 ASN1_OBJECT *policy;
113 TS_MSG_IMPRINT *imprint; 120 TS_MSG_IMPRINT *imprint;
@@ -118,42 +125,43 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
118 OPENSSL_assert(req != NULL); 125 OPENSSL_assert(req != NULL);
119 if (ret) 126 if (ret)
120 TS_VERIFY_CTX_cleanup(ret); 127 TS_VERIFY_CTX_cleanup(ret);
121 else 128 else if (!(ret = TS_VERIFY_CTX_new()))
122 if (!(ret = TS_VERIFY_CTX_new())) return NULL; 129 return NULL;
123 130
124 /* Setting flags. */ 131 /* Setting flags. */
125 ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE); 132 ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE);
126 133
127 /* Setting policy. */ 134 /* Setting policy. */
128 if ((policy = TS_REQ_get_policy_id(req)) != NULL) 135 if ((policy = TS_REQ_get_policy_id(req)) != NULL) {
129 { 136 if (!(ret->policy = OBJ_dup(policy)))
130 if (!(ret->policy = OBJ_dup(policy))) goto err; 137 goto err;
131 } 138 } else
132 else
133 ret->flags &= ~TS_VFY_POLICY; 139 ret->flags &= ~TS_VFY_POLICY;
134 140
135 /* Setting md_alg, imprint and imprint_len. */ 141 /* Setting md_alg, imprint and imprint_len. */
136 imprint = TS_REQ_get_msg_imprint(req); 142 imprint = TS_REQ_get_msg_imprint(req);
137 md_alg = TS_MSG_IMPRINT_get_algo(imprint); 143 md_alg = TS_MSG_IMPRINT_get_algo(imprint);
138 if (!(ret->md_alg = X509_ALGOR_dup(md_alg))) goto err; 144 if (!(ret->md_alg = X509_ALGOR_dup(md_alg)))
145 goto err;
139 msg = TS_MSG_IMPRINT_get_msg(imprint); 146 msg = TS_MSG_IMPRINT_get_msg(imprint);
140 ret->imprint_len = ASN1_STRING_length(msg); 147 ret->imprint_len = ASN1_STRING_length(msg);
141 if (!(ret->imprint = malloc(ret->imprint_len))) goto err; 148 if (!(ret->imprint = malloc(ret->imprint_len)))
149 goto err;
142 memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len); 150 memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);
143 151
144 /* Setting nonce. */ 152 /* Setting nonce. */
145 if ((nonce = TS_REQ_get_nonce(req)) != NULL) 153 if ((nonce = TS_REQ_get_nonce(req)) != NULL) {
146 { 154 if (!(ret->nonce = ASN1_INTEGER_dup(nonce)))
147 if (!(ret->nonce = ASN1_INTEGER_dup(nonce))) goto err; 155 goto err;
148 } 156 } else
149 else
150 ret->flags &= ~TS_VFY_NONCE; 157 ret->flags &= ~TS_VFY_NONCE;
151 158
152 return ret; 159 return ret;
153 err: 160
161err:
154 if (ctx) 162 if (ctx)
155 TS_VERIFY_CTX_cleanup(ctx); 163 TS_VERIFY_CTX_cleanup(ctx);
156 else 164 else
157 TS_VERIFY_CTX_free(ret); 165 TS_VERIFY_CTX_free(ret);
158 return NULL; 166 return NULL;
159 } 167}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 05:37:30 +0000