This commit was manufactured by cvs2git to create tag 'OPENBSD_5_7_BASE'.OPENBSD_5_7_BASE

author: cvs2svn <admin@example.com> 2015-03-08 16:48:48 +0000
committer: cvs2svn <admin@example.com> 2015-03-08 16:48:48 +0000
commit: da1a9ad3a4a867ba6569c05e6fca66d7f296c553 (patch)
tree: 44872802e872bdfd60730fa9cf01d9d5751251c1 /src/lib/libcrypto/ocsp/ocsp_srv.c
parent: 973703db67a8e73d70e63afa8f2cde19da09144d (diff)
download: openbsd-OPENBSD_5_7_BASE.tar.gz
openbsd-OPENBSD_5_7_BASE.tar.bz2
openbsd-OPENBSD_5_7_BASE.zip
1 files changed, 0 insertions, 276 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
deleted file mode 100644
index 8f28916757..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-/* Utility functions related to sending OCSP responses and extracting
- * relevant information from the request.
- */
-int
-OCSP_request_onereq_count(OCSP_REQUEST *req)
-{
-        return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
-}
-OCSP_ONEREQ *
-OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
-{
-        return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
-}
-OCSP_CERTID *
-OCSP_onereq_get0_id(OCSP_ONEREQ *one)
-{
-        return one->reqCert;
-}
-int
-OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
-    ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid)
-{
-        if (!cid)
-                return 0;
-        if (pmd)
-                *pmd = cid->hashAlgorithm->algorithm;
-        if (piNameHash)
-                *piNameHash = cid->issuerNameHash;
-        if (pikeyHash)
-                *pikeyHash = cid->issuerKeyHash;
-        if (pserial)
-                *pserial = cid->serialNumber;
-        return 1;
-}
-int
-OCSP_request_is_signed(OCSP_REQUEST *req)
-{
-        if (req->optionalSignature)
-                return 1;
-        return 0;
-}
-/* Create an OCSP response and encode an optional basic response */
-OCSP_RESPONSE *
-OCSP_response_create(int status, OCSP_BASICRESP *bs)
-{
-        OCSP_RESPONSE *rsp = NULL;
-        if (!(rsp = OCSP_RESPONSE_new()))
-                goto err;
-        if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
-                goto err;
-        if (!bs)
-                return rsp;
-        if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
-                goto err;
-        rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
-        if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP),
-            &rsp->responseBytes->response))
-                goto err;
-        return rsp;
-err:
-        if (rsp)
-                OCSP_RESPONSE_free(rsp);
-        return NULL;
-}
-OCSP_SINGLERESP *
-OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status,
-    int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd)
-{
-        OCSP_SINGLERESP *single = NULL;
-        OCSP_CERTSTATUS *cs;
-        OCSP_REVOKEDINFO *ri;
-        if (!rsp->tbsResponseData->responses &&
-            !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
-                goto err;
-        if (!(single = OCSP_SINGLERESP_new()))
-                goto err;
-        if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
-                goto err;
-        if (nextupd &&
-            !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
-                goto err;
-        OCSP_CERTID_free(single->certId);
-        if (!(single->certId = OCSP_CERTID_dup(cid)))
-                goto err;
-        cs = single->certStatus;
-        switch (cs->type = status) {
-        case V_OCSP_CERTSTATUS_REVOKED:
-                if (!revtime) {
-                        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,
-                            OCSP_R_NO_REVOKED_TIME);
-                        goto err;
-                }
-                if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
-                        goto err;
-                if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
-                        goto err;
-                if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
-                        if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
-                                goto err;
-                        if (!(ASN1_ENUMERATED_set(ri->revocationReason,
-                            reason)))
-                                goto err;
-                }
-                break;
-        case V_OCSP_CERTSTATUS_GOOD:
-                cs->value.good = ASN1_NULL_new();
-                break;
-        case V_OCSP_CERTSTATUS_UNKNOWN:
-                cs->value.unknown = ASN1_NULL_new();
-                break;
-        default:
-                goto err;
-        }
-        if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
-                goto err;
-        return single;
-err:
-        OCSP_SINGLERESP_free(single);
-        return NULL;
-}
-/* Add a certificate to an OCSP request */
-int
-OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
-{
-        if (!resp->certs && !(resp->certs = sk_X509_new_null()))
-                return 0;
-        if (!sk_X509_push(resp->certs, cert))
-                return 0;
-        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
-        return 1;
-}
-int
-OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
-    const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-{
-        int i;
-        OCSP_RESPID *rid;
-        if (!X509_check_private_key(signer, key)) {
-                OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
-                    OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
-                goto err;
-        }
-        if (!(flags & OCSP_NOCERTS)) {
-                if (!OCSP_basic_add1_cert(brsp, signer))
-                        goto err;
-                for (i = 0; i < sk_X509_num(certs); i++) {
-                        X509 *tmpcert = sk_X509_value(certs, i);
-                        if (!OCSP_basic_add1_cert(brsp, tmpcert))
-                                goto err;
-                }
-        }
-        rid = brsp->tbsResponseData->responderId;
-        if (flags & OCSP_RESPID_KEY) {
-                unsigned char md[SHA_DIGEST_LENGTH];
-                X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
-                if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
-                        goto err;
-                if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md,
-                    SHA_DIGEST_LENGTH)))
-                        goto err;
-                rid->type = V_OCSP_RESPID_KEY;
-        } else {
-                if (!X509_NAME_set(&rid->value.byName,
-                    X509_get_subject_name(signer)))
-                        goto err;
-                rid->type = V_OCSP_RESPID_NAME;
-        }
-        if (!(flags & OCSP_NOTIME) &&
-            !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
-                goto err;
-        /* Right now, I think that not doing double hashing is the right
-           thing.       -- Richard Levitte */
-        if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
-                goto err;
-        return 1;
-err:
-        return 0;
-}
author	cvs2svn <admin@example.com>	2015-03-08 16:48:48 +0000
committer	cvs2svn <admin@example.com>	2015-03-08 16:48:48 +0000
commit	da1a9ad3a4a867ba6569c05e6fca66d7f296c553 (patch)
tree	44872802e872bdfd60730fa9cf01d9d5751251c1 /src/lib/libcrypto/ocsp/ocsp_srv.c
parent	973703db67a8e73d70e63afa8f2cde19da09144d (diff)
download	openbsd-OPENBSD_5_7_BASE.tar.gz openbsd-OPENBSD_5_7_BASE.tar.bz2 openbsd-OPENBSD_5_7_BASE.zip

diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c deleted file mode 100644 index 8f28916757..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_srv.c +++ /dev/null
@@ -1,276 +0,0 @@
1	/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2001.
4	*/
5	/* ====================================================================
6	* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in
17	* the documentation and/or other materials provided with the
18	* distribution.
19	*
20	* 3. All advertising materials mentioning features or use of this
21	* software must display the following acknowledgment:
22	* "This product includes software developed by the OpenSSL Project
23	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24	*
25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26	* endorse or promote products derived from this software without
27	* prior written permission. For written permission, please contact
28	* openssl-core@openssl.org.
29	*
30	* 5. Products derived from this software may not be called "OpenSSL"
31	* nor may "OpenSSL" appear in their names without prior written
32	* permission of the OpenSSL Project.
33	*
34	* 6. Redistributions of any form whatsoever must retain the following
35	* acknowledgment:
36	* "This product includes software developed by the OpenSSL Project
37	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38	*
39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	* OF THE POSSIBILITY OF SUCH DAMAGE.
51	* ====================================================================
52	*
53	* This product includes cryptographic software written by Eric Young
54	* (eay@cryptsoft.com). This product includes software written by Tim
55	* Hudson (tjh@cryptsoft.com).
56	*
57	*/
58
59	#include <stdio.h>
60
61	#include <openssl/err.h>
62	#include <openssl/objects.h>
63	#include <openssl/ocsp.h>
64	#include <openssl/pem.h>
65	#include <openssl/x509.h>
66	#include <openssl/x509v3.h>
67
68	/* Utility functions related to sending OCSP responses and extracting
69	* relevant information from the request.
70	*/
71
72	int
73	OCSP_request_onereq_count(OCSP_REQUEST *req)
74	{
75	return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
76	}
77
78	OCSP_ONEREQ *
79	OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
80	{
81	return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
82	}
83
84	OCSP_CERTID *
85	OCSP_onereq_get0_id(OCSP_ONEREQ *one)
86	{
87	return one->reqCert;
88	}
89
90	int
91	OCSP_id_get0_info(ASN1_OCTET_STRING piNameHash, ASN1_OBJECT pmd,
92	ASN1_OCTET_STRING pikeyHash, ASN1_INTEGER pserial, OCSP_CERTID *cid)
93	{
94	if (!cid)
95	return 0;
96	if (pmd)
97	*pmd = cid->hashAlgorithm->algorithm;
98	if (piNameHash)
99	*piNameHash = cid->issuerNameHash;
100	if (pikeyHash)
101	*pikeyHash = cid->issuerKeyHash;
102	if (pserial)
103	*pserial = cid->serialNumber;
104	return 1;
105	}
106
107	int
108	OCSP_request_is_signed(OCSP_REQUEST *req)
109	{
110	if (req->optionalSignature)
111	return 1;
112	return 0;
113	}
114
115	/* Create an OCSP response and encode an optional basic response */
116	OCSP_RESPONSE *
117	OCSP_response_create(int status, OCSP_BASICRESP *bs)
118	{
119	OCSP_RESPONSE *rsp = NULL;
120
121	if (!(rsp = OCSP_RESPONSE_new()))
122	goto err;
123	if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
124	goto err;
125	if (!bs)
126	return rsp;
127	if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
128	goto err;
129	rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
130	if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP),
131	&rsp->responseBytes->response))
132	goto err;
133	return rsp;
134
135	err:
136	if (rsp)
137	OCSP_RESPONSE_free(rsp);
138	return NULL;
139	}
140
141	OCSP_SINGLERESP *
142	OCSP_basic_add1_status(OCSP_BASICRESP rsp, OCSP_CERTID cid, int status,
143	int reason, ASN1_TIME revtime, ASN1_TIME thisupd, ASN1_TIME *nextupd)
144	{
145	OCSP_SINGLERESP *single = NULL;
146	OCSP_CERTSTATUS *cs;
147	OCSP_REVOKEDINFO *ri;
148
149	if (!rsp->tbsResponseData->responses &&
150	!(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
151	goto err;
152
153	if (!(single = OCSP_SINGLERESP_new()))
154	goto err;
155
156	if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
157	goto err;
158	if (nextupd &&
159	!ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
160	goto err;
161
162	OCSP_CERTID_free(single->certId);
163
164	if (!(single->certId = OCSP_CERTID_dup(cid)))
165	goto err;
166
167	cs = single->certStatus;
168	switch (cs->type = status) {
169	case V_OCSP_CERTSTATUS_REVOKED:
170	if (!revtime) {
171	OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,
172	OCSP_R_NO_REVOKED_TIME);
173	goto err;
174	}
175	if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
176	goto err;
177	if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
178	goto err;
179	if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
180	if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
181	goto err;
182	if (!(ASN1_ENUMERATED_set(ri->revocationReason,
183	reason)))
184	goto err;
185	}
186	break;
187
188	case V_OCSP_CERTSTATUS_GOOD:
189	cs->value.good = ASN1_NULL_new();
190	break;
191
192	case V_OCSP_CERTSTATUS_UNKNOWN:
193	cs->value.unknown = ASN1_NULL_new();
194	break;
195
196	default:
197	goto err;
198	}
199	if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
200	goto err;
201	return single;
202
203	err:
204	OCSP_SINGLERESP_free(single);
205	return NULL;
206	}
207
208	/* Add a certificate to an OCSP request */
209	int
210	OCSP_basic_add1_cert(OCSP_BASICRESP resp, X509 cert)
211	{
212	if (!resp->certs && !(resp->certs = sk_X509_new_null()))
213	return 0;
214
215	if (!sk_X509_push(resp->certs, cert))
216	return 0;
217	CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
218	return 1;
219	}
220
221	int
222	OCSP_basic_sign(OCSP_BASICRESP brsp, X509 signer, EVP_PKEY *key,
223	const EVP_MD dgst, STACK_OF(X509) certs, unsigned long flags)
224	{
225	int i;
226	OCSP_RESPID *rid;
227
228	if (!X509_check_private_key(signer, key)) {
229	OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
230	OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
231	goto err;
232	}
233
234	if (!(flags & OCSP_NOCERTS)) {
235	if (!OCSP_basic_add1_cert(brsp, signer))
236	goto err;
237	for (i = 0; i < sk_X509_num(certs); i++) {
238	X509 *tmpcert = sk_X509_value(certs, i);
239	if (!OCSP_basic_add1_cert(brsp, tmpcert))
240	goto err;
241	}
242	}
243
244	rid = brsp->tbsResponseData->responderId;
245	if (flags & OCSP_RESPID_KEY) {
246	unsigned char md[SHA_DIGEST_LENGTH];
247
248	X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
249	if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
250	goto err;
251	if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md,
252	SHA_DIGEST_LENGTH)))
253	goto err;
254	rid->type = V_OCSP_RESPID_KEY;
255	} else {
256	if (!X509_NAME_set(&rid->value.byName,
257	X509_get_subject_name(signer)))
258	goto err;
259	rid->type = V_OCSP_RESPID_NAME;
260	}
261
262	if (!(flags & OCSP_NOTIME) &&
263	!X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
264	goto err;
265
266	/* Right now, I think that not doing double hashing is the right
267	thing. -- Richard Levitte */
268
269	if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
270	goto err;
271
272	return 1;
273
274	err:
275	return 0;
276	}