KNF

author: miod <> 2014-05-17 19:56:35 +0000
committer: miod <> 2014-05-17 19:56:35 +0000
commit: 0800c7660118a9e5105bd591666d930d899d0b8c (patch)
tree: f2d366a23c3131d80591bf9c5de711d2e70b4b6e /src/lib/libcrypto/ocsp/ocsp_cl.c
parent: e9f9678d1aba19f14521109f545f7847365c2f85 (diff)
download: openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.tar.gz
openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.tar.bz2
openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.zip
1 files changed, 162 insertions, 153 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 9c14d9da27..716513d2f9 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -78,229 +78,241 @@
 /* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ 
 * pointer: useful if we want to add extensions.
 */
+OCSP_ONEREQ *
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
+OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
-        {
+{
        OCSP_ONEREQ *one = NULL;
-        if (!(one = OCSP_ONEREQ_new())) goto err;
+        if (!(one = OCSP_ONEREQ_new()))
-        if (one->reqCert) OCSP_CERTID_free(one->reqCert);
+                goto err;
+        if (one->reqCert)
+                OCSP_CERTID_free(one->reqCert);
        one->reqCert = cid;
-        if (req &&
+        if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
-                !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
+                goto err;
-                                goto err;
        return one;
 err:
        OCSP_ONEREQ_free(one);
        return NULL;
-        }
+}
 /* Set requestorName from an X509_NAME structure */
+int
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
-        {
+{
        GENERAL_NAME *gen;
        gen = GENERAL_NAME_new();
        if (gen == NULL)
                return 0;
-        if (!X509_NAME_set(&gen->d.directoryName, nm))
+        if (!X509_NAME_set(&gen->d.directoryName, nm)) {
-                {
                GENERAL_NAME_free(gen);
                return 0;
-                }
+        }
        gen->type = GEN_DIRNAME;
        if (req->tbsRequest->requestorName)
                GENERAL_NAME_free(req->tbsRequest->requestorName);
        req->tbsRequest->requestorName = gen;
        return 1;
-        }
+}
        
 /* Add a certificate to an OCSP request */
+int
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
+OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
-        {
+{
        OCSP_SIGNATURE *sig;
        if (!req->optionalSignature)
                req->optionalSignature = OCSP_SIGNATURE_new();
        sig = req->optionalSignature;
-        if (!sig) return 0;
+        if (!sig)
-        if (!cert) return 1;
+                return 0;
+        if (!cert)
+                return 1;
        if (!sig->certs && !(sig->certs = sk_X509_new_null()))
                return 0;
-        if(!sk_X509_push(sig->certs, cert)) return 0;
+        if(!sk_X509_push(sig->certs, cert))
+                return 0;
        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
        return 1;
-        }
+}
 /* Sign an OCSP request set the requestorName to the subjec
 * name of an optional signers certificate and include one
 * or more optional certificates in the request. Behaves
 * like PKCS7_sign().
 */
+int
-int OCSP_request_sign(OCSP_REQUEST   *req,
+OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
-                      X509           *signer,
+    const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-                      EVP_PKEY       *key,
+{
-                      const EVP_MD   *dgst,
-                      STACK_OF(X509) *certs,
-                      unsigned long flags)
-        {
        int i;
        OCSP_SIGNATURE *sig;
        X509 *x;
        if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+                goto err;
+        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
+                goto err;
+        if (key) {
+                if (!X509_check_private_key(signer, key)) {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
+                            OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
                        goto err;
-        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
-        if (key)
-                {
-                if (!X509_check_private_key(signer, key))
-                        {
-                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
-                        goto err;
-                        }
-                if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
                }
+                if (!OCSP_REQUEST_sign(req, key, dgst))
+                        goto err;
+        }
-        if (!(flags & OCSP_NOCERTS))
+        if (!(flags & OCSP_NOCERTS)) {
-                {
+                if(!OCSP_request_add1_cert(req, signer))
-                if(!OCSP_request_add1_cert(req, signer)) goto err;
+                        goto err;
-                for (i = 0; i < sk_X509_num(certs); i++)
+                for (i = 0; i < sk_X509_num(certs); i++) {
-                        {
                        x = sk_X509_value(certs, i);
-                        if (!OCSP_request_add1_cert(req, x)) goto err;
+                        if (!OCSP_request_add1_cert(req, x))
-                        }
+                                goto err;
                }
+        }
        return 1;
 err:
        OCSP_SIGNATURE_free(req->optionalSignature);
        req->optionalSignature = NULL;
        return 0;
-        }
+}
 /* Get response status */
+int
-int OCSP_response_status(OCSP_RESPONSE *resp)
+OCSP_response_status(OCSP_RESPONSE *resp)
-        {
+{
        return ASN1_ENUMERATED_get(resp->responseStatus);
-        }
+}
 /* Extract basic response from OCSP_RESPONSE or NULL if
 * no basic response present.
 */
- 
+OCSP_BASICRESP *
+OCSP_response_get1_basic(OCSP_RESPONSE *resp)
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
+{
-        {
        OCSP_RESPBYTES *rb;
        rb = resp->responseBytes;
-        if (!rb)
+        if (!rb) {
-                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
+                    OCSP_R_NO_RESPONSE_DATA);
                return NULL;
-                }
+        }
-        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
-                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
+                    OCSP_R_NOT_BASIC_RESPONSE);
                return NULL;
-                }
+        }
        return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
-        }
+}
 /* Return number of OCSP_SINGLERESP reponses present in
 * a basic response.
 */
+int
-int OCSP_resp_count(OCSP_BASICRESP *bs)
+OCSP_resp_count(OCSP_BASICRESP *bs)
-        {
+{
-        if (!bs) return -1;
+        if (!bs)
+                return -1;
        return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
-        }
+}
 /* Extract an OCSP_SINGLERESP response with a given index */
+OCSP_SINGLERESP *
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
+OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
-        {
+{
-        if (!bs) return NULL;
+        if (!bs)
+                return NULL;
        return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
-        }
+}
 /* Look single response matching a given certificate ID */
+int
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
+OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
-        {
+{
        int i;
        STACK_OF(OCSP_SINGLERESP) *sresp;
        OCSP_SINGLERESP *single;
-        if (!bs) return -1;
-        if (last < 0) last = 0;
+        if (!bs)
-        else last++;
+                return -1;
+        if (last < 0)
+                last = 0;
+        else
+                last++;
        sresp = bs->tbsResponseData->responses;
-        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
-                {
                single = sk_OCSP_SINGLERESP_value(sresp, i);
-                if (!OCSP_id_cmp(id, single->certId)) return i;
+                if (!OCSP_id_cmp(id, single->certId))
-                }
+                        return i;
-        return -1;
        }
+        return -1;
+}
 /* Extract status information from an OCSP_SINGLERESP structure.
 * Note: the revtime and reason values are only set if the 
 * certificate status is revoked. Returns numerical value of
 * status.
 */
+int
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
-                                ASN1_GENERALIZEDTIME **revtime,
+    ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-                                ASN1_GENERALIZEDTIME **thisupd,
+    ASN1_GENERALIZEDTIME **nextupd)
-                                ASN1_GENERALIZEDTIME **nextupd)
+{
-        {
        int ret;
        OCSP_CERTSTATUS *cst;
-        if(!single) return -1;
+        if (!single)
+                return -1;
        cst = single->certStatus;
        ret = cst->type;
-        if (ret == V_OCSP_CERTSTATUS_REVOKED)
+        if (ret == V_OCSP_CERTSTATUS_REVOKED) {
-                {
                OCSP_REVOKEDINFO *rev = cst->value.revoked;
-                if (revtime) *revtime = rev->revocationTime;
-                if (reason) 
+                if (revtime)
-                        {
+                        *revtime = rev->revocationTime;
-                        if(rev->revocationReason)
+                if (reason) {
+                        if (rev->revocationReason)
                                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
-                        else *reason = -1;
+                        else
-                        }
+                                *reason = -1;
                }
-        if(thisupd) *thisupd = single->thisUpdate;
-        if(nextupd) *nextupd = single->nextUpdate;
-        return ret;
        }
+        if (thisupd)
+                *thisupd = single->thisUpdate;
+        if (nextupd)
+                *nextupd = single->nextUpdate;
+        return ret;
+}
 /* This function combines the previous ones: look up a certificate ID and
 * if found extract status information. Return 0 is successful.
 */
+int
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
-                                int *reason,
+    int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-                                ASN1_GENERALIZEDTIME **revtime,
+    ASN1_GENERALIZEDTIME **nextupd)
-                                ASN1_GENERALIZEDTIME **thisupd,
+{
-                                ASN1_GENERALIZEDTIME **nextupd)
-        {
        int i;
        OCSP_SINGLERESP *single;
        i = OCSP_resp_find(bs, id, -1);
        /* Maybe check for multiple responses and give an error? */
-        if(i < 0) return 0;
+        if (i < 0)
+                return 0;
        single = OCSP_resp_get0(bs, i);
        i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
-        if(status) *status = i;
+        if (status)
+                *status = i;
        return 1;
-        }
+}
 /* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
 * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
@@ -308,64 +320,61 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
 * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
 * parameter specifies the maximum age the thisUpdate field can be.
 */
+int
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
-        {
+    ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+{
        int ret = 1;
        time_t t_now, t_tmp;
        time(&t_now);
        /* Check thisUpdate is valid and not more than nsec in the future */
-        if (!ASN1_GENERALIZEDTIME_check(thisupd))
+        if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
+                    OCSP_R_ERROR_IN_THISUPDATE_FIELD);
                ret = 0;
-                }
+        } else {
-        else 
+                t_tmp = t_now + nsec;
-                {
+                if (X509_cmp_time(thisupd, &t_tmp) > 0) {
-                        t_tmp = t_now + nsec;
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                        if (X509_cmp_time(thisupd, &t_tmp) > 0)
+                            OCSP_R_STATUS_NOT_YET_VALID);
-                        {
-                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
                        ret = 0;
-                        }
+                }
                /* If maxsec specified check thisUpdate is not more than maxsec in the past */
-                if (maxsec >= 0)
+                if (maxsec >= 0) {
-                        {
                        t_tmp = t_now - maxsec;
-                        if (X509_cmp_time(thisupd, &t_tmp) < 0)
+                        if (X509_cmp_time(thisupd, &t_tmp) < 0) {
-                                {
+                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
+                                    OCSP_R_STATUS_TOO_OLD);
                                ret = 0;
-                                }
                        }
                }
-                
+        }
-        if (!nextupd) return ret;
+        if (!nextupd)
+                return ret;
        /* Check nextUpdate is valid and not more than nsec in the past */
-        if (!ASN1_GENERALIZEDTIME_check(nextupd))
+        if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
+                    OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
                ret = 0;
-                }
+        } else {
-        else 
-                {
                t_tmp = t_now - nsec;
-                if (X509_cmp_time(nextupd, &t_tmp) < 0)
+                if (X509_cmp_time(nextupd, &t_tmp) < 0) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
+                            OCSP_R_STATUS_EXPIRED);
                        ret = 0;
-                        }
                }
+        }
        /* Also don't allow nextUpdate to precede thisUpdate */
-        if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
+        if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
+                    OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
                ret = 0;
-                }
+        }
        return ret;
-        }
+}
author	miod <>	2014-05-17 19:56:35 +0000
committer	miod <>	2014-05-17 19:56:35 +0000
commit	0800c7660118a9e5105bd591666d930d899d0b8c (patch)
tree	f2d366a23c3131d80591bf9c5de711d2e70b4b6e /src/lib/libcrypto/ocsp/ocsp_cl.c
parent	e9f9678d1aba19f14521109f545f7847365c2f85 (diff)
download	openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.tar.gz openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.tar.bz2 openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.zip

diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c index 9c14d9da27..716513d2f9 100644 --- a/src/lib/libcrypto/ocsp/ocsp_cl.c +++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -78,229 +78,241 @@
78	/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ	78	/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
79	* pointer: useful if we want to add extensions.	79	* pointer: useful if we want to add extensions.
80	*/	80	*/
81		81	OCSP_ONEREQ *
82	OCSP_ONEREQ OCSP_request_add0_id(OCSP_REQUEST req, OCSP_CERTID *cid)	82	OCSP_request_add0_id(OCSP_REQUEST req, OCSP_CERTID cid)
83	{	83	{
84	OCSP_ONEREQ *one = NULL;	84	OCSP_ONEREQ *one = NULL;
85		85
86	if (!(one = OCSP_ONEREQ_new())) goto err;	86	if (!(one = OCSP_ONEREQ_new()))
87	if (one->reqCert) OCSP_CERTID_free(one->reqCert);	87	goto err;
		88	if (one->reqCert)
		89	OCSP_CERTID_free(one->reqCert);
88	one->reqCert = cid;	90	one->reqCert = cid;
89	if (req &&	91	if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
90	!sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))	92	goto err;
91	goto err;
92	return one;	93	return one;
93	err:	94	err:
94	OCSP_ONEREQ_free(one);	95	OCSP_ONEREQ_free(one);
95	return NULL;	96	return NULL;
96	}	97	}
97		98
98	/* Set requestorName from an X509_NAME structure */	99	/* Set requestorName from an X509_NAME structure */
99		100	int
100	int OCSP_request_set1_name(OCSP_REQUEST req, X509_NAME nm)	101	OCSP_request_set1_name(OCSP_REQUEST req, X509_NAME nm)
101	{	102	{
102	GENERAL_NAME *gen;	103	GENERAL_NAME *gen;
		104
103	gen = GENERAL_NAME_new();	105	gen = GENERAL_NAME_new();
104	if (gen == NULL)	106	if (gen == NULL)
105	return 0;	107	return 0;
106	if (!X509_NAME_set(&gen->d.directoryName, nm))	108	if (!X509_NAME_set(&gen->d.directoryName, nm)) {
107	{
108	GENERAL_NAME_free(gen);	109	GENERAL_NAME_free(gen);
109	return 0;	110	return 0;
110	}	111	}
111	gen->type = GEN_DIRNAME;	112	gen->type = GEN_DIRNAME;
112	if (req->tbsRequest->requestorName)	113	if (req->tbsRequest->requestorName)
113	GENERAL_NAME_free(req->tbsRequest->requestorName);	114	GENERAL_NAME_free(req->tbsRequest->requestorName);
114	req->tbsRequest->requestorName = gen;	115	req->tbsRequest->requestorName = gen;
115	return 1;	116	return 1;
116	}	117	}
117		118
118
119	/* Add a certificate to an OCSP request */	119	/* Add a certificate to an OCSP request */
120		120	int
121	int OCSP_request_add1_cert(OCSP_REQUEST req, X509 cert)	121	OCSP_request_add1_cert(OCSP_REQUEST req, X509 cert)
122	{	122	{
123	OCSP_SIGNATURE *sig;	123	OCSP_SIGNATURE *sig;
		124
124	if (!req->optionalSignature)	125	if (!req->optionalSignature)
125	req->optionalSignature = OCSP_SIGNATURE_new();	126	req->optionalSignature = OCSP_SIGNATURE_new();
126	sig = req->optionalSignature;	127	sig = req->optionalSignature;
127	if (!sig) return 0;	128	if (!sig)
128	if (!cert) return 1;	129	return 0;
		130	if (!cert)
		131	return 1;
129	if (!sig->certs && !(sig->certs = sk_X509_new_null()))	132	if (!sig->certs && !(sig->certs = sk_X509_new_null()))
130	return 0;	133	return 0;
131		134
132	if(!sk_X509_push(sig->certs, cert)) return 0;	135	if(!sk_X509_push(sig->certs, cert))
		136	return 0;
133	CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);	137	CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
134	return 1;	138	return 1;
135	}	139	}
136		140
137	/* Sign an OCSP request set the requestorName to the subjec	141	/* Sign an OCSP request set the requestorName to the subjec
138	* name of an optional signers certificate and include one	142	* name of an optional signers certificate and include one
139	* or more optional certificates in the request. Behaves	143	* or more optional certificates in the request. Behaves
140	* like PKCS7_sign().	144	* like PKCS7_sign().
141	*/	145	*/
142		146	int
143	int OCSP_request_sign(OCSP_REQUEST *req,	147	OCSP_request_sign(OCSP_REQUEST req, X509 signer, EVP_PKEY *key,
144	X509 *signer,	148	const EVP_MD dgst, STACK_OF(X509) certs, unsigned long flags)
145	EVP_PKEY *key,	149	{
146	const EVP_MD *dgst,
147	STACK_OF(X509) *certs,
148	unsigned long flags)
149	{
150	int i;	150	int i;
151	OCSP_SIGNATURE *sig;	151	OCSP_SIGNATURE *sig;
152	X509 *x;	152	X509 *x;
153		153
154	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))	154	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
		155	goto err;
		156
		157	if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
		158	goto err;
		159	if (key) {
		160	if (!X509_check_private_key(signer, key)) {
		161	OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
		162	OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
155	goto err;	163	goto err;
156
157	if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
158	if (key)
159	{
160	if (!X509_check_private_key(signer, key))
161	{
162	OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
163	goto err;
164	}
165	if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
166	}	164	}
		165	if (!OCSP_REQUEST_sign(req, key, dgst))
		166	goto err;
		167	}
167		168
168	if (!(flags & OCSP_NOCERTS))	169	if (!(flags & OCSP_NOCERTS)) {
169	{	170	if(!OCSP_request_add1_cert(req, signer))
170	if(!OCSP_request_add1_cert(req, signer)) goto err;	171	goto err;
171	for (i = 0; i < sk_X509_num(certs); i++)	172	for (i = 0; i < sk_X509_num(certs); i++) {
172	{
173	x = sk_X509_value(certs, i);	173	x = sk_X509_value(certs, i);
174	if (!OCSP_request_add1_cert(req, x)) goto err;	174	if (!OCSP_request_add1_cert(req, x))
175	}	175	goto err;
176	}	176	}
		177	}
177		178
178	return 1;	179	return 1;
179	err:	180	err:
180	OCSP_SIGNATURE_free(req->optionalSignature);	181	OCSP_SIGNATURE_free(req->optionalSignature);
181	req->optionalSignature = NULL;	182	req->optionalSignature = NULL;
182	return 0;	183	return 0;
183	}	184	}
184		185
185	/* Get response status */	186	/* Get response status */
186		187	int
187	int OCSP_response_status(OCSP_RESPONSE *resp)	188	OCSP_response_status(OCSP_RESPONSE *resp)
188	{	189	{
189	return ASN1_ENUMERATED_get(resp->responseStatus);	190	return ASN1_ENUMERATED_get(resp->responseStatus);
190	}	191	}
191		192
192	/* Extract basic response from OCSP_RESPONSE or NULL if	193	/* Extract basic response from OCSP_RESPONSE or NULL if
193	* no basic response present.	194	* no basic response present.
194	*/	195	*/
195		196	OCSP_BASICRESP *
196		197	OCSP_response_get1_basic(OCSP_RESPONSE *resp)
197	OCSP_BASICRESP OCSP_response_get1_basic(OCSP_RESPONSE resp)	198	{
198	{
199	OCSP_RESPBYTES *rb;	199	OCSP_RESPBYTES *rb;
		200
200	rb = resp->responseBytes;	201	rb = resp->responseBytes;
201	if (!rb)	202	if (!rb) {
202	{	203	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
203	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);	204	OCSP_R_NO_RESPONSE_DATA);
204	return NULL;	205	return NULL;
205	}	206	}
206	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)	207	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
207	{	208	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
208	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);	209	OCSP_R_NOT_BASIC_RESPONSE);
209	return NULL;	210	return NULL;
210	}	211	}
211		212
212	return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));	213	return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
213	}	214	}
214		215
215	/* Return number of OCSP_SINGLERESP reponses present in	216	/* Return number of OCSP_SINGLERESP reponses present in
216	* a basic response.	217	* a basic response.
217	*/	218	*/
218		219	int
219	int OCSP_resp_count(OCSP_BASICRESP *bs)	220	OCSP_resp_count(OCSP_BASICRESP *bs)
220	{	221	{
221	if (!bs) return -1;	222	if (!bs)
		223	return -1;
222	return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);	224	return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
223	}	225	}
224		226
225	/* Extract an OCSP_SINGLERESP response with a given index */	227	/* Extract an OCSP_SINGLERESP response with a given index */
226		228	OCSP_SINGLERESP *
227	OCSP_SINGLERESP OCSP_resp_get0(OCSP_BASICRESP bs, int idx)	229	OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
228	{	230	{
229	if (!bs) return NULL;	231	if (!bs)
		232	return NULL;
230	return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);	233	return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
231	}	234	}
232		235
233	/* Look single response matching a given certificate ID */	236	/* Look single response matching a given certificate ID */
234		237	int
235	int OCSP_resp_find(OCSP_BASICRESP bs, OCSP_CERTID id, int last)	238	OCSP_resp_find(OCSP_BASICRESP bs, OCSP_CERTID id, int last)
236	{	239	{
237	int i;	240	int i;
238	STACK_OF(OCSP_SINGLERESP) *sresp;	241	STACK_OF(OCSP_SINGLERESP) *sresp;
239	OCSP_SINGLERESP *single;	242	OCSP_SINGLERESP *single;
240	if (!bs) return -1;	243
241	if (last < 0) last = 0;	244	if (!bs)
242	else last++;	245	return -1;
		246	if (last < 0)
		247	last = 0;
		248	else
		249	last++;
243	sresp = bs->tbsResponseData->responses;	250	sresp = bs->tbsResponseData->responses;
244	for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)	251	for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
245	{
246	single = sk_OCSP_SINGLERESP_value(sresp, i);	252	single = sk_OCSP_SINGLERESP_value(sresp, i);
247	if (!OCSP_id_cmp(id, single->certId)) return i;	253	if (!OCSP_id_cmp(id, single->certId))
248	}	254	return i;
249	return -1;
250	}	255	}
		256	return -1;
		257	}
251		258
252	/* Extract status information from an OCSP_SINGLERESP structure.	259	/* Extract status information from an OCSP_SINGLERESP structure.
253	* Note: the revtime and reason values are only set if the	260	* Note: the revtime and reason values are only set if the
254	* certificate status is revoked. Returns numerical value of	261	* certificate status is revoked. Returns numerical value of
255	* status.	262	* status.
256	*/	263	*/
257		264	int
258	int OCSP_single_get0_status(OCSP_SINGLERESP single, int reason,	265	OCSP_single_get0_status(OCSP_SINGLERESP single, int reason,
259	ASN1_GENERALIZEDTIME **revtime,	266	ASN1_GENERALIZEDTIME revtime, ASN1_GENERALIZEDTIME thisupd,
260	ASN1_GENERALIZEDTIME **thisupd,	267	ASN1_GENERALIZEDTIME **nextupd)
261	ASN1_GENERALIZEDTIME **nextupd)	268	{
262	{
263	int ret;	269	int ret;
264	OCSP_CERTSTATUS *cst;	270	OCSP_CERTSTATUS *cst;
265	if(!single) return -1;	271
		272	if (!single)
		273	return -1;
266	cst = single->certStatus;	274	cst = single->certStatus;
267	ret = cst->type;	275	ret = cst->type;
268	if (ret == V_OCSP_CERTSTATUS_REVOKED)	276	if (ret == V_OCSP_CERTSTATUS_REVOKED) {
269	{
270	OCSP_REVOKEDINFO *rev = cst->value.revoked;	277	OCSP_REVOKEDINFO *rev = cst->value.revoked;
271	if (revtime) *revtime = rev->revocationTime;	278
272	if (reason)	279	if (revtime)
273	{	280	*revtime = rev->revocationTime;
274	if(rev->revocationReason)	281	if (reason) {
		282	if (rev->revocationReason)
275	*reason = ASN1_ENUMERATED_get(rev->revocationReason);	283	*reason = ASN1_ENUMERATED_get(rev->revocationReason);
276	else *reason = -1;	284	else
277	}	285	*reason = -1;
278	}	286	}
279	if(thisupd) *thisupd = single->thisUpdate;
280	if(nextupd) *nextupd = single->nextUpdate;
281	return ret;
282	}	287	}
		288	if (thisupd)
		289	*thisupd = single->thisUpdate;
		290	if (nextupd)
		291	*nextupd = single->nextUpdate;
		292	return ret;
		293	}
283		294
284	/* This function combines the previous ones: look up a certificate ID and	295	/* This function combines the previous ones: look up a certificate ID and
285	* if found extract status information. Return 0 is successful.	296	* if found extract status information. Return 0 is successful.
286	*/	297	*/
287		298	int
288	int OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,	299	OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,
289	int *reason,	300	int reason, ASN1_GENERALIZEDTIME revtime, ASN1_GENERALIZEDTIME *thisupd,
290	ASN1_GENERALIZEDTIME **revtime,	301	ASN1_GENERALIZEDTIME **nextupd)
291	ASN1_GENERALIZEDTIME **thisupd,	302	{
292	ASN1_GENERALIZEDTIME **nextupd)
293	{
294	int i;	303	int i;
295	OCSP_SINGLERESP *single;	304	OCSP_SINGLERESP *single;
		305
296	i = OCSP_resp_find(bs, id, -1);	306	i = OCSP_resp_find(bs, id, -1);
297	/* Maybe check for multiple responses and give an error? */	307	/* Maybe check for multiple responses and give an error? */
298	if(i < 0) return 0;	308	if (i < 0)
		309	return 0;
299	single = OCSP_resp_get0(bs, i);	310	single = OCSP_resp_get0(bs, i);
300	i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);	311	i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
301	if(status) *status = i;	312	if (status)
		313	*status = i;
302	return 1;	314	return 1;
303	}	315	}
304		316
305	/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will	317	/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
306	* take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid	318	* take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
@@ -308,64 +320,61 @@ int OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,
308	* Also to avoid accepting very old responses without a nextUpdate field an optional maxage	320	* Also to avoid accepting very old responses without a nextUpdate field an optional maxage
309	* parameter specifies the maximum age the thisUpdate field can be.	321	* parameter specifies the maximum age the thisUpdate field can be.
310	*/	322	*/
311		323	int
312	int OCSP_check_validity(ASN1_GENERALIZEDTIME thisupd, ASN1_GENERALIZEDTIME nextupd, long nsec, long maxsec)	324	OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
313	{	325	ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
		326	{
314	int ret = 1;	327	int ret = 1;
315	time_t t_now, t_tmp;	328	time_t t_now, t_tmp;
		329
316	time(&t_now);	330	time(&t_now);
317	/* Check thisUpdate is valid and not more than nsec in the future */	331	/* Check thisUpdate is valid and not more than nsec in the future */
318	if (!ASN1_GENERALIZEDTIME_check(thisupd))	332	if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
319	{	333	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
320	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);	334	OCSP_R_ERROR_IN_THISUPDATE_FIELD);
321	ret = 0;	335	ret = 0;
322	}	336	} else {
323	else	337	t_tmp = t_now + nsec;
324	{	338	if (X509_cmp_time(thisupd, &t_tmp) > 0) {
325	t_tmp = t_now + nsec;	339	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
326	if (X509_cmp_time(thisupd, &t_tmp) > 0)	340	OCSP_R_STATUS_NOT_YET_VALID);
327	{
328	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
329	ret = 0;	341	ret = 0;
330	}	342	}
331		343
332	/* If maxsec specified check thisUpdate is not more than maxsec in the past */	344	/* If maxsec specified check thisUpdate is not more than maxsec in the past */
333	if (maxsec >= 0)	345	if (maxsec >= 0) {
334	{
335	t_tmp = t_now - maxsec;	346	t_tmp = t_now - maxsec;
336	if (X509_cmp_time(thisupd, &t_tmp) < 0)	347	if (X509_cmp_time(thisupd, &t_tmp) < 0) {
337	{	348	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
338	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);	349	OCSP_R_STATUS_TOO_OLD);
339	ret = 0;	350	ret = 0;
340	}
341	}	351	}
342	}	352	}
343		353	}
344		354
345	if (!nextupd) return ret;	355	if (!nextupd)
		356	return ret;
346		357
347	/* Check nextUpdate is valid and not more than nsec in the past */	358	/* Check nextUpdate is valid and not more than nsec in the past */
348	if (!ASN1_GENERALIZEDTIME_check(nextupd))	359	if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
349	{	360	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
350	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);	361	OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
351	ret = 0;	362	ret = 0;
352	}	363	} else {
353	else
354	{
355	t_tmp = t_now - nsec;	364	t_tmp = t_now - nsec;
356	if (X509_cmp_time(nextupd, &t_tmp) < 0)	365	if (X509_cmp_time(nextupd, &t_tmp) < 0) {
357	{	366	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
358	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);	367	OCSP_R_STATUS_EXPIRED);
359	ret = 0;	368	ret = 0;
360	}
361	}	369	}
		370	}
362		371
363	/* Also don't allow nextUpdate to precede thisUpdate */	372	/* Also don't allow nextUpdate to precede thisUpdate */
364	if (ASN1_STRING_cmp(nextupd, thisupd) < 0)	373	if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
365	{	374	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
366	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);	375	OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
367	ret = 0;	376	ret = 0;
368	}	377	}
369		378
370	return ret;	379	return ret;
371	}	380	}