diff options
| author | miod <> | 2014-05-17 19:56:35 +0000 |
|---|---|---|
| committer | miod <> | 2014-05-17 19:56:35 +0000 |
| commit | 0800c7660118a9e5105bd591666d930d899d0b8c (patch) | |
| tree | f2d366a23c3131d80591bf9c5de711d2e70b4b6e /src/lib/libcrypto/ocsp/ocsp_srv.c | |
| parent | e9f9678d1aba19f14521109f545f7847365c2f85 (diff) | |
| download | openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.tar.gz openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.tar.bz2 openbsd-0800c7660118a9e5105bd591666d930d899d0b8c.zip | |
KNF
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libcrypto/ocsp/ocsp_srv.c | 199 |
1 files changed, 104 insertions, 95 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c index 1c606dd0b6..c14e8e2bc3 100644 --- a/src/lib/libcrypto/ocsp/ocsp_srv.c +++ b/src/lib/libcrypto/ocsp/ocsp_srv.c | |||
| @@ -69,107 +69,118 @@ | |||
| 69 | * relevant information from the request. | 69 | * relevant information from the request. |
| 70 | */ | 70 | */ |
| 71 | 71 | ||
| 72 | int OCSP_request_onereq_count(OCSP_REQUEST *req) | 72 | int |
| 73 | { | 73 | OCSP_request_onereq_count(OCSP_REQUEST *req) |
| 74 | { | ||
| 74 | return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList); | 75 | return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList); |
| 75 | } | 76 | } |
| 76 | 77 | ||
| 77 | OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i) | 78 | OCSP_ONEREQ * |
| 78 | { | 79 | OCSP_request_onereq_get0(OCSP_REQUEST *req, int i) |
| 80 | { | ||
| 79 | return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i); | 81 | return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i); |
| 80 | } | 82 | } |
| 81 | 83 | ||
| 82 | OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one) | 84 | OCSP_CERTID * |
| 83 | { | 85 | OCSP_onereq_get0_id(OCSP_ONEREQ *one) |
| 86 | { | ||
| 84 | return one->reqCert; | 87 | return one->reqCert; |
| 85 | } | 88 | } |
| 86 | 89 | ||
| 87 | int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, | 90 | int |
| 88 | ASN1_OCTET_STRING **pikeyHash, | 91 | OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, |
| 89 | ASN1_INTEGER **pserial, OCSP_CERTID *cid) | 92 | ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid) |
| 90 | { | 93 | { |
| 91 | if (!cid) return 0; | 94 | if (!cid) |
| 92 | if (pmd) *pmd = cid->hashAlgorithm->algorithm; | 95 | return 0; |
| 93 | if(piNameHash) *piNameHash = cid->issuerNameHash; | 96 | if (pmd) |
| 94 | if (pikeyHash) *pikeyHash = cid->issuerKeyHash; | 97 | *pmd = cid->hashAlgorithm->algorithm; |
| 95 | if (pserial) *pserial = cid->serialNumber; | 98 | if (piNameHash) |
| 99 | *piNameHash = cid->issuerNameHash; | ||
| 100 | if (pikeyHash) | ||
| 101 | *pikeyHash = cid->issuerKeyHash; | ||
| 102 | if (pserial) | ||
| 103 | *pserial = cid->serialNumber; | ||
| 96 | return 1; | 104 | return 1; |
| 97 | } | 105 | } |
| 98 | 106 | ||
| 99 | int OCSP_request_is_signed(OCSP_REQUEST *req) | 107 | int |
| 100 | { | 108 | OCSP_request_is_signed(OCSP_REQUEST *req) |
| 101 | if(req->optionalSignature) return 1; | 109 | { |
| 110 | if (req->optionalSignature) | ||
| 111 | return 1; | ||
| 102 | return 0; | 112 | return 0; |
| 103 | } | 113 | } |
| 104 | 114 | ||
| 105 | /* Create an OCSP response and encode an optional basic response */ | 115 | /* Create an OCSP response and encode an optional basic response */ |
| 106 | OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs) | 116 | OCSP_RESPONSE * |
| 107 | { | 117 | OCSP_response_create(int status, OCSP_BASICRESP *bs) |
| 108 | OCSP_RESPONSE *rsp = NULL; | 118 | { |
| 119 | OCSP_RESPONSE *rsp = NULL; | ||
| 109 | 120 | ||
| 110 | if (!(rsp = OCSP_RESPONSE_new())) goto err; | 121 | if (!(rsp = OCSP_RESPONSE_new())) |
| 111 | if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err; | 122 | goto err; |
| 112 | if (!bs) return rsp; | 123 | if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) |
| 113 | if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err; | 124 | goto err; |
| 125 | if (!bs) | ||
| 126 | return rsp; | ||
| 127 | if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) | ||
| 128 | goto err; | ||
| 114 | rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic); | 129 | rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic); |
| 115 | if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response)) | 130 | if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), |
| 116 | goto err; | 131 | &rsp->responseBytes->response)) |
| 132 | goto err; | ||
| 117 | return rsp; | 133 | return rsp; |
| 118 | err: | 134 | err: |
| 119 | if (rsp) OCSP_RESPONSE_free(rsp); | 135 | if (rsp) |
| 136 | OCSP_RESPONSE_free(rsp); | ||
| 120 | return NULL; | 137 | return NULL; |
| 121 | } | 138 | } |
| 122 | |||
| 123 | 139 | ||
| 124 | OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, | 140 | OCSP_SINGLERESP * |
| 125 | OCSP_CERTID *cid, | 141 | OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status, |
| 126 | int status, int reason, | 142 | int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd) |
| 127 | ASN1_TIME *revtime, | 143 | { |
| 128 | ASN1_TIME *thisupd, ASN1_TIME *nextupd) | ||
| 129 | { | ||
| 130 | OCSP_SINGLERESP *single = NULL; | 144 | OCSP_SINGLERESP *single = NULL; |
| 131 | OCSP_CERTSTATUS *cs; | 145 | OCSP_CERTSTATUS *cs; |
| 132 | OCSP_REVOKEDINFO *ri; | 146 | OCSP_REVOKEDINFO *ri; |
| 133 | 147 | ||
| 134 | if(!rsp->tbsResponseData->responses && | 148 | if (!rsp->tbsResponseData->responses && |
| 135 | !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null())) | 149 | !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null())) |
| 136 | goto err; | 150 | goto err; |
| 137 | 151 | ||
| 138 | if (!(single = OCSP_SINGLERESP_new())) | 152 | if (!(single = OCSP_SINGLERESP_new())) |
| 139 | goto err; | 153 | goto err; |
| 140 | 154 | ||
| 141 | |||
| 142 | |||
| 143 | if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate)) | 155 | if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate)) |
| 144 | goto err; | 156 | goto err; |
| 145 | if (nextupd && | 157 | if (nextupd && |
| 146 | !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate)) | 158 | !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate)) |
| 147 | goto err; | 159 | goto err; |
| 148 | 160 | ||
| 149 | OCSP_CERTID_free(single->certId); | 161 | OCSP_CERTID_free(single->certId); |
| 150 | 162 | ||
| 151 | if(!(single->certId = OCSP_CERTID_dup(cid))) | 163 | if (!(single->certId = OCSP_CERTID_dup(cid))) |
| 152 | goto err; | 164 | goto err; |
| 153 | 165 | ||
| 154 | cs = single->certStatus; | 166 | cs = single->certStatus; |
| 155 | switch(cs->type = status) | 167 | switch(cs->type = status) { |
| 156 | { | ||
| 157 | case V_OCSP_CERTSTATUS_REVOKED: | 168 | case V_OCSP_CERTSTATUS_REVOKED: |
| 158 | if (!revtime) | 169 | if (!revtime) { |
| 159 | { | 170 | OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS, |
| 160 | OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME); | 171 | OCSP_R_NO_REVOKED_TIME); |
| 172 | goto err; | ||
| 173 | } | ||
| 174 | if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) | ||
| 161 | goto err; | 175 | goto err; |
| 162 | } | ||
| 163 | if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err; | ||
| 164 | if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime)) | 176 | if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime)) |
| 165 | goto err; | 177 | goto err; |
| 166 | if (reason != OCSP_REVOKED_STATUS_NOSTATUS) | 178 | if (reason != OCSP_REVOKED_STATUS_NOSTATUS) { |
| 167 | { | ||
| 168 | if (!(ri->revocationReason = ASN1_ENUMERATED_new())) | 179 | if (!(ri->revocationReason = ASN1_ENUMERATED_new())) |
| 169 | goto err; | 180 | goto err; |
| 170 | if (!(ASN1_ENUMERATED_set(ri->revocationReason, | 181 | if (!(ASN1_ENUMERATED_set(ri->revocationReason, |
| 171 | reason))) | 182 | reason))) |
| 172 | goto err; | 183 | goto err; |
| 173 | } | 184 | } |
| 174 | break; | 185 | break; |
| 175 | 186 | ||
| @@ -183,82 +194,80 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, | |||
| 183 | 194 | ||
| 184 | default: | 195 | default: |
| 185 | goto err; | 196 | goto err; |
| 186 | 197 | } | |
| 187 | } | ||
| 188 | if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single))) | 198 | if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single))) |
| 189 | goto err; | 199 | goto err; |
| 190 | return single; | 200 | return single; |
| 191 | err: | 201 | err: |
| 192 | OCSP_SINGLERESP_free(single); | 202 | OCSP_SINGLERESP_free(single); |
| 193 | return NULL; | 203 | return NULL; |
| 194 | } | 204 | } |
| 195 | 205 | ||
| 196 | /* Add a certificate to an OCSP request */ | 206 | /* Add a certificate to an OCSP request */ |
| 197 | 207 | int | |
| 198 | int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) | 208 | OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) |
| 199 | { | 209 | { |
| 200 | if (!resp->certs && !(resp->certs = sk_X509_new_null())) | 210 | if (!resp->certs && !(resp->certs = sk_X509_new_null())) |
| 201 | return 0; | 211 | return 0; |
| 202 | 212 | ||
| 203 | if(!sk_X509_push(resp->certs, cert)) return 0; | 213 | if (!sk_X509_push(resp->certs, cert)) |
| 214 | return 0; | ||
| 204 | CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); | 215 | CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); |
| 205 | return 1; | 216 | return 1; |
| 206 | } | 217 | } |
| 207 | 218 | ||
| 208 | int OCSP_basic_sign(OCSP_BASICRESP *brsp, | 219 | int |
| 209 | X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, | 220 | OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, |
| 210 | STACK_OF(X509) *certs, unsigned long flags) | 221 | const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags) |
| 211 | { | 222 | { |
| 212 | int i; | 223 | int i; |
| 213 | OCSP_RESPID *rid; | 224 | OCSP_RESPID *rid; |
| 214 | 225 | ||
| 215 | if (!X509_check_private_key(signer, key)) | 226 | if (!X509_check_private_key(signer, key)) { |
| 216 | { | 227 | OCSPerr(OCSP_F_OCSP_BASIC_SIGN, |
| 217 | OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); | 228 | OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); |
| 218 | goto err; | 229 | goto err; |
| 219 | } | 230 | } |
| 220 | 231 | ||
| 221 | if(!(flags & OCSP_NOCERTS)) | 232 | if (!(flags & OCSP_NOCERTS)) { |
| 222 | { | 233 | if (!OCSP_basic_add1_cert(brsp, signer)) |
| 223 | if(!OCSP_basic_add1_cert(brsp, signer)) | ||
| 224 | goto err; | 234 | goto err; |
| 225 | for (i = 0; i < sk_X509_num(certs); i++) | 235 | for (i = 0; i < sk_X509_num(certs); i++) { |
| 226 | { | ||
| 227 | X509 *tmpcert = sk_X509_value(certs, i); | 236 | X509 *tmpcert = sk_X509_value(certs, i); |
| 228 | if(!OCSP_basic_add1_cert(brsp, tmpcert)) | 237 | if (!OCSP_basic_add1_cert(brsp, tmpcert)) |
| 229 | goto err; | 238 | goto err; |
| 230 | } | ||
| 231 | } | 239 | } |
| 240 | } | ||
| 232 | 241 | ||
| 233 | rid = brsp->tbsResponseData->responderId; | 242 | rid = brsp->tbsResponseData->responderId; |
| 234 | if (flags & OCSP_RESPID_KEY) | 243 | if (flags & OCSP_RESPID_KEY) { |
| 235 | { | ||
| 236 | unsigned char md[SHA_DIGEST_LENGTH]; | 244 | unsigned char md[SHA_DIGEST_LENGTH]; |
| 245 | |||
| 237 | X509_pubkey_digest(signer, EVP_sha1(), md, NULL); | 246 | X509_pubkey_digest(signer, EVP_sha1(), md, NULL); |
| 238 | if (!(rid->value.byKey = ASN1_OCTET_STRING_new())) | 247 | if (!(rid->value.byKey = ASN1_OCTET_STRING_new())) |
| 239 | goto err; | 248 | goto err; |
| 240 | if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH))) | 249 | if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, |
| 241 | goto err; | 250 | SHA_DIGEST_LENGTH))) |
| 251 | goto err; | ||
| 242 | rid->type = V_OCSP_RESPID_KEY; | 252 | rid->type = V_OCSP_RESPID_KEY; |
| 243 | } | 253 | } else { |
| 244 | else | ||
| 245 | { | ||
| 246 | if (!X509_NAME_set(&rid->value.byName, | 254 | if (!X509_NAME_set(&rid->value.byName, |
| 247 | X509_get_subject_name(signer))) | 255 | X509_get_subject_name(signer))) |
| 248 | goto err; | 256 | goto err; |
| 249 | rid->type = V_OCSP_RESPID_NAME; | 257 | rid->type = V_OCSP_RESPID_NAME; |
| 250 | } | 258 | } |
| 251 | 259 | ||
| 252 | if (!(flags & OCSP_NOTIME) && | 260 | if (!(flags & OCSP_NOTIME) && |
| 253 | !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0)) | 261 | !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0)) |
| 254 | goto err; | 262 | goto err; |
| 255 | 263 | ||
| 256 | /* Right now, I think that not doing double hashing is the right | 264 | /* Right now, I think that not doing double hashing is the right |
| 257 | thing. -- Richard Levitte */ | 265 | thing. -- Richard Levitte */ |
| 258 | 266 | ||
| 259 | if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err; | 267 | if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) |
| 268 | goto err; | ||
| 260 | 269 | ||
| 261 | return 1; | 270 | return 1; |
| 262 | err: | 271 | err: |
| 263 | return 0; | 272 | return 0; |
| 264 | } | 273 | } |