authorcvs2svn <admin@example.com>2015-08-02 21:54:22 +0000
committercvs2svn <admin@example.com>2015-08-02 21:54:22 +0000
commited3760bf4be4a96a89233fb8f8b84a0d44725862 (patch)
tree5609c82060f75c53af0a7641d9b33a88574876cd /src/lib/libcrypto/ocsp
parentf8b563fb5ba1524c821d37308f4e6abfc866bc3f (diff)
This commit was manufactured by cvs2git to create tag 'OPENBSD_5_8_BASE'.OPENBSD_5_8_BASE
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp.h616
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_asn.c962
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c383
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_err.c142
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ext.c607
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ht.c463
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_lib.c282
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_prn.c312
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_srv.c276
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c448
10 files changed, 0 insertions, 4491 deletions
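--- a/src/lib/libcrypto/ocsp/ocsp.h
+++ /dev/null
@@ -1,616 +0,0 @@
-/* $OpenBSD: ocsp.h,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#ifndef HEADER_OCSP_H
-#define HEADER_OCSP_H
-
-#include <openssl/ossl_typ.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/safestack.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Various flags and values */
-
-#define OCSP_DEFAULT_NONCE_LENGTH 16
-
-#define OCSP_NOCERTS 0x1
-#define OCSP_NOINTERN 0x2
-#define OCSP_NOSIGS 0x4
-#define OCSP_NOCHAIN 0x8
-#define OCSP_NOVERIFY 0x10
-#define OCSP_NOEXPLICIT 0x20
-#define OCSP_NOCASIGN 0x40
-#define OCSP_NODELEGATED 0x80
-#define OCSP_NOCHECKS 0x100
-#define OCSP_TRUSTOTHER 0x200
-#define OCSP_RESPID_KEY 0x400
-#define OCSP_NOTIME 0x800
-
-/* CertID ::= SEQUENCE {
- * hashAlgorithm AlgorithmIdentifier,
- * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
- * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
- * serialNumber CertificateSerialNumber }
- */
-typedef struct ocsp_cert_id_st {
- X509_ALGOR *hashAlgorithm;
- ASN1_OCTET_STRING *issuerNameHash;
- ASN1_OCTET_STRING *issuerKeyHash;
- ASN1_INTEGER *serialNumber;
-} OCSP_CERTID;
-
-DECLARE_STACK_OF(OCSP_CERTID)
-
-/* Request ::= SEQUENCE {
- * reqCert CertID,
- * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_one_request_st {
- OCSP_CERTID *reqCert;
- STACK_OF(X509_EXTENSION) *singleRequestExtensions;
-} OCSP_ONEREQ;
-
-DECLARE_STACK_OF(OCSP_ONEREQ)
-DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
-
-
-/* TBSRequest ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * requestorName [1] EXPLICIT GeneralName OPTIONAL,
- * requestList SEQUENCE OF Request,
- * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_req_info_st {
- ASN1_INTEGER *version;
- GENERAL_NAME *requestorName;
- STACK_OF(OCSP_ONEREQ) *requestList;
- STACK_OF(X509_EXTENSION) *requestExtensions;
-} OCSP_REQINFO;
-
-/* Signature ::= SEQUENCE {
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-typedef struct ocsp_signature_st {
- X509_ALGOR *signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
-} OCSP_SIGNATURE;
-
-/* OCSPRequest ::= SEQUENCE {
- * tbsRequest TBSRequest,
- * optionalSignature [0] EXPLICIT Signature OPTIONAL }
- */
-typedef struct ocsp_request_st {
- OCSP_REQINFO *tbsRequest;
- OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
-} OCSP_REQUEST;
-
-/* OCSPResponseStatus ::= ENUMERATED {
- * successful (0), --Response has valid confirmations
- * malformedRequest (1), --Illegal confirmation request
- * internalError (2), --Internal error in issuer
- * tryLater (3), --Try again later
- * --(4) is not used
- * sigRequired (5), --Must sign the request
- * unauthorized (6) --Request unauthorized
- * }
- */
-#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
-#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
-#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
-#define OCSP_RESPONSE_STATUS_TRYLATER 3
-#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
-#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
-
-/* ResponseBytes ::= SEQUENCE {
- * responseType OBJECT IDENTIFIER,
- * response OCTET STRING }
- */
-typedef struct ocsp_resp_bytes_st {
- ASN1_OBJECT *responseType;
- ASN1_OCTET_STRING *response;
-} OCSP_RESPBYTES;
-
-/* OCSPResponse ::= SEQUENCE {
- * responseStatus OCSPResponseStatus,
- * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
- */
-struct ocsp_response_st {
- ASN1_ENUMERATED *responseStatus;
- OCSP_RESPBYTES *responseBytes;
-};
-
-/* ResponderID ::= CHOICE {
- * byName [1] Name,
- * byKey [2] KeyHash }
- */
-#define V_OCSP_RESPID_NAME 0
-#define V_OCSP_RESPID_KEY 1
-struct ocsp_responder_id_st {
- int type;
- union {
- X509_NAME* byName;
- ASN1_OCTET_STRING *byKey;
- } value;
-};
-
-DECLARE_STACK_OF(OCSP_RESPID)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
-
-/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- * --(excluding the tag and length fields)
- */
-
-/* RevokedInfo ::= SEQUENCE {
- * revocationTime GeneralizedTime,
- * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
- */
-typedef struct ocsp_revoked_info_st {
- ASN1_GENERALIZEDTIME *revocationTime;
- ASN1_ENUMERATED *revocationReason;
-} OCSP_REVOKEDINFO;
-
-/* CertStatus ::= CHOICE {
- * good [0] IMPLICIT NULL,
- * revoked [1] IMPLICIT RevokedInfo,
- * unknown [2] IMPLICIT UnknownInfo }
- */
-#define V_OCSP_CERTSTATUS_GOOD 0
-#define V_OCSP_CERTSTATUS_REVOKED 1
-#define V_OCSP_CERTSTATUS_UNKNOWN 2
-typedef struct ocsp_cert_status_st {
- int type;
- union {
- ASN1_NULL *good;
- OCSP_REVOKEDINFO *revoked;
- ASN1_NULL *unknown;
- } value;
-} OCSP_CERTSTATUS;
-
-/* SingleResponse ::= SEQUENCE {
- * certID CertID,
- * certStatus CertStatus,
- * thisUpdate GeneralizedTime,
- * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_single_response_st {
- OCSP_CERTID *certId;
- OCSP_CERTSTATUS *certStatus;
- ASN1_GENERALIZEDTIME *thisUpdate;
- ASN1_GENERALIZEDTIME *nextUpdate;
- STACK_OF(X509_EXTENSION) *singleExtensions;
-} OCSP_SINGLERESP;
-
-DECLARE_STACK_OF(OCSP_SINGLERESP)
-DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
-
-/* ResponseData ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * responderID ResponderID,
- * producedAt GeneralizedTime,
- * responses SEQUENCE OF SingleResponse,
- * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_response_data_st {
- ASN1_INTEGER *version;
- OCSP_RESPID *responderId;
- ASN1_GENERALIZEDTIME *producedAt;
- STACK_OF(OCSP_SINGLERESP) *responses;
- STACK_OF(X509_EXTENSION) *responseExtensions;
-} OCSP_RESPDATA;
-
-/* BasicOCSPResponse ::= SEQUENCE {
- * tbsResponseData ResponseData,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
- /* Note 1:
- The value for "signature" is specified in the OCSP rfc2560 as follows:
- "The value for the signature SHALL be computed on the hash of the DER
- encoding ResponseData." This means that you must hash the DER-encoded
- tbsResponseData, and then run it through a crypto-signing function, which
- will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems
- a bit odd, but that's the spec. Also note that the data structures do not
- leave anywhere to independently specify the algorithm used for the initial
- hash. So, we look at the signature-specification algorithm, and try to do
- something intelligent. -- Kathy Weinhold, CertCo */
- /* Note 2:
- It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
- for interpretation. I've done tests against another responder, and found
- that it doesn't do the double hashing that the RFC seems to say one
- should. Therefore, all relevant functions take a flag saying which
- variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
-typedef struct ocsp_basic_response_st {
- OCSP_RESPDATA *tbsResponseData;
- X509_ALGOR *signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
-} OCSP_BASICRESP;
-
-/*
- * CRLReason ::= ENUMERATED {
- * unspecified (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6),
- * removeFromCRL (8) }
- */
-#define OCSP_REVOKED_STATUS_NOSTATUS -1
-#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
-#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
-#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
-#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
-#define OCSP_REVOKED_STATUS_SUPERSEDED 4
-#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
-#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
-#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
-
-/* CrlID ::= SEQUENCE {
- * crlUrl [0] EXPLICIT IA5String OPTIONAL,
- * crlNum [1] EXPLICIT INTEGER OPTIONAL,
- * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
- */
-typedef struct ocsp_crl_id_st {
- ASN1_IA5STRING *crlUrl;
- ASN1_INTEGER *crlNum;
- ASN1_GENERALIZEDTIME *crlTime;
-} OCSP_CRLID;
-
-/* ServiceLocator ::= SEQUENCE {
- * issuer Name,
- * locator AuthorityInfoAccessSyntax OPTIONAL }
- */
-typedef struct ocsp_service_locator_st {
- X509_NAME* issuer;
- STACK_OF(ACCESS_DESCRIPTION) *locator;
-} OCSP_SERVICELOC;
-
-#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
-#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
-
-#define d2i_OCSP_REQUEST_bio(bp,p) \
- ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
-
-#define d2i_OCSP_RESPONSE_bio(bp,p) \
- ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
-
-#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) \
- (OCSP_REQUEST *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_REQUEST, \
- PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
-
-#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) \
- (OCSP_RESPONSE *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_RESPONSE, \
- PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
-
-#define PEM_write_bio_OCSP_REQUEST(bp,o) \
- PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
-
-#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
- PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
-
-#define i2d_OCSP_RESPONSE_bio(bp,o) \
- ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
-
-#define i2d_OCSP_REQUEST_bio(bp,o) \
- ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
-
-#define OCSP_REQUEST_sign(o,pkey,md) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO), \
- o->optionalSignature->signatureAlgorithm,NULL, \
- o->optionalSignature->signature,o->tbsRequest,pkey,md)
-
-#define OCSP_BASICRESP_sign(o,pkey,md,d) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL, \
- o->signature,o->tbsResponseData,pkey,md)
-
-#define OCSP_REQUEST_verify(a,r) \
- ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO), \
- a->optionalSignature->signatureAlgorithm, \
- a->optionalSignature->signature,a->tbsRequest,r)
-
-#define OCSP_BASICRESP_verify(a,r,d) \
- ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA), \
- a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
-
-#define ASN1_BIT_STRING_digest(data,type,md,len) \
- ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
-
-#define OCSP_CERTSTATUS_dup(cs)\
- (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
- (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
-
-OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
-
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
- int maxline);
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
- const char *value);
-
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
-
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
- ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber);
-
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
-
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
-
-int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-
-int OCSP_response_status(OCSP_RESPONSE *resp);
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
-
-int OCSP_resp_count(OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
- ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
- int *reason, ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
- ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
-
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
- X509_STORE *store, unsigned long flags);
-
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
- int *pssl);
-
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-
-int OCSP_request_onereq_count(OCSP_REQUEST *req);
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial,
- OCSP_CERTID *cid);
-int OCSP_request_is_signed(OCSP_REQUEST *req);
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid,
- int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd,
- ASN1_TIME *nextupd);
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
-int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-
-X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
-
-X509_EXTENSION *OCSP_accept_responses_new(char **oids);
-
-X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
-
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
-
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
-X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
-void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
-X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
-void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
-X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
- int *idx);
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid,
- int lastpos);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
-X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
- int *idx);
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex,
- int loc);
-
-DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
-DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
-DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
-DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
-DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
-DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
-DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
-DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
-DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
-DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
-DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
-
-const char *OCSP_response_status_str(long s);
-const char *OCSP_cert_status_str(long s);
-const char *OCSP_crl_reason_str(long s);
-
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
-
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
-
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_OCSP_strings(void);
-
-/* Error codes for the OCSP functions. */
-
-/* Function codes. */
-#define OCSP_F_ASN1_STRING_ENCODE 100
-#define OCSP_F_D2I_OCSP_NONCE 102
-#define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
-#define OCSP_F_OCSP_BASIC_SIGN 104
-#define OCSP_F_OCSP_BASIC_VERIFY 105
-#define OCSP_F_OCSP_CERT_ID_NEW 101
-#define OCSP_F_OCSP_CHECK_DELEGATED 106
-#define OCSP_F_OCSP_CHECK_IDS 107
-#define OCSP_F_OCSP_CHECK_ISSUER 108
-#define OCSP_F_OCSP_CHECK_VALIDITY 115
-#define OCSP_F_OCSP_MATCH_ISSUERID 109
-#define OCSP_F_OCSP_PARSE_URL 114
-#define OCSP_F_OCSP_REQUEST_SIGN 110
-#define OCSP_F_OCSP_REQUEST_VERIFY 116
-#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
-#define OCSP_F_OCSP_SENDREQ_BIO 112
-#define OCSP_F_OCSP_SENDREQ_NBIO 117
-#define OCSP_F_PARSE_HTTP_LINE1 118
-#define OCSP_F_REQUEST_VERIFY 113
-
-/* Reason codes. */
-#define OCSP_R_BAD_DATA 100
-#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
-#define OCSP_R_DIGEST_ERR 102
-#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
-#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
-#define OCSP_R_ERROR_PARSING_URL 121
-#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
-#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
-#define OCSP_R_NOT_BASIC_RESPONSE 104
-#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
-#define OCSP_R_NO_CONTENT 106
-#define OCSP_R_NO_PUBLIC_KEY 107
-#define OCSP_R_NO_RESPONSE_DATA 108
-#define OCSP_R_NO_REVOKED_TIME 109
-#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
-#define OCSP_R_REQUEST_NOT_SIGNED 128
-#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
-#define OCSP_R_ROOT_CA_NOT_TRUSTED 112
-#define OCSP_R_SERVER_READ_ERROR 113
-#define OCSP_R_SERVER_RESPONSE_ERROR 114
-#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
-#define OCSP_R_SERVER_WRITE_ERROR 116
-#define OCSP_R_SIGNATURE_FAILURE 117
-#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
-#define OCSP_R_STATUS_EXPIRED 125
-#define OCSP_R_STATUS_NOT_YET_VALID 126
-#define OCSP_R_STATUS_TOO_OLD 127
-#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
-#define OCSP_R_UNKNOWN_NID 120
-#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129
-
-#ifdef __cplusplus
-}
-#endif
-#endif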
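diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
deleted file mode 100644
index 72e7638c75..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_asn.c
+++ /dev/null
@@ -1,962 +0,0 @@
-/* $OpenBSD: ocsp_asn.c,v 1.8 2015/07/25 14:52:47 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/ocsp.h>
-
-static const ASN1_TEMPLATE OCSP_SIGNATURE_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_SIGNATURE, signatureAlgorithm),
- .field_name = "signatureAlgorithm",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_SIGNATURE, signature),
- .field_name = "signature",
- .item = &ASN1_BIT_STRING_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_SIGNATURE, certs),
- .field_name = "certs",
- .item = &X509_it,
- },
-};
-
-const ASN1_ITEM OCSP_SIGNATURE_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_SIGNATURE_seq_tt,
- .tcount = sizeof(OCSP_SIGNATURE_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_SIGNATURE),
- .sname = "OCSP_SIGNATURE",
-};
-
-
-OCSP_SIGNATURE *
-d2i_OCSP_SIGNATURE(OCSP_SIGNATURE **a, const unsigned char **in, long len)
-{
- return (OCSP_SIGNATURE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_SIGNATURE_it);
-}
-
-int
-i2d_OCSP_SIGNATURE(OCSP_SIGNATURE *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SIGNATURE_it);
-}
-
-OCSP_SIGNATURE *
-OCSP_SIGNATURE_new(void)
-{
- return (OCSP_SIGNATURE *)ASN1_item_new(&OCSP_SIGNATURE_it);
-}
-
-void
-OCSP_SIGNATURE_free(OCSP_SIGNATURE *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_SIGNATURE_it);
-}
-
-static const ASN1_TEMPLATE OCSP_CERTID_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_CERTID, hashAlgorithm),
- .field_name = "hashAlgorithm",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_CERTID, issuerNameHash),
- .field_name = "issuerNameHash",
- .item = &ASN1_OCTET_STRING_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_CERTID, issuerKeyHash),
- .field_name = "issuerKeyHash",
- .item = &ASN1_OCTET_STRING_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_CERTID, serialNumber),
- .field_name = "serialNumber",
- .item = &ASN1_INTEGER_it,
- },
-};
-
-const ASN1_ITEM OCSP_CERTID_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_CERTID_seq_tt,
- .tcount = sizeof(OCSP_CERTID_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_CERTID),
- .sname = "OCSP_CERTID",
-};
-
-
-OCSP_CERTID *
-d2i_OCSP_CERTID(OCSP_CERTID **a, const unsigned char **in, long len)
-{
- return (OCSP_CERTID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_CERTID_it);
-}
-
-int
-i2d_OCSP_CERTID(OCSP_CERTID *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CERTID_it);
-}
-
-OCSP_CERTID *
-OCSP_CERTID_new(void)
-{
- return (OCSP_CERTID *)ASN1_item_new(&OCSP_CERTID_it);
-}
-
-void
-OCSP_CERTID_free(OCSP_CERTID *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTID_it);
-}
-
-static const ASN1_TEMPLATE OCSP_ONEREQ_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_ONEREQ, reqCert),
- .field_name = "reqCert",
- .item = &OCSP_CERTID_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_ONEREQ, singleRequestExtensions),
- .field_name = "singleRequestExtensions",
- .item = &X509_EXTENSION_it,
- },
-};
-
-const ASN1_ITEM OCSP_ONEREQ_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_ONEREQ_seq_tt,
- .tcount = sizeof(OCSP_ONEREQ_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_ONEREQ),
- .sname = "OCSP_ONEREQ",
-};
-
-
-OCSP_ONEREQ *
-d2i_OCSP_ONEREQ(OCSP_ONEREQ **a, const unsigned char **in, long len)
-{
- return (OCSP_ONEREQ *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_ONEREQ_it);
-}
-
-int
-i2d_OCSP_ONEREQ(OCSP_ONEREQ *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_ONEREQ_it);
-}
-
-OCSP_ONEREQ *
-OCSP_ONEREQ_new(void)
-{
- return (OCSP_ONEREQ *)ASN1_item_new(&OCSP_ONEREQ_it);
-}
-
-void
-OCSP_ONEREQ_free(OCSP_ONEREQ *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_ONEREQ_it);
-}
-
-static const ASN1_TEMPLATE OCSP_REQINFO_seq_tt[] = {
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_REQINFO, version),
- .field_name = "version",
- .item = &ASN1_INTEGER_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 1,
- .offset = offsetof(OCSP_REQINFO, requestorName),
- .field_name = "requestorName",
- .item = &GENERAL_NAME_it,
- },
- {
- .flags = ASN1_TFLG_SEQUENCE_OF,
- .tag = 0,
- .offset = offsetof(OCSP_REQINFO, requestList),
- .field_name = "requestList",
- .item = &OCSP_ONEREQ_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
- .tag = 2,
- .offset = offsetof(OCSP_REQINFO, requestExtensions),
- .field_name = "requestExtensions",
- .item = &X509_EXTENSION_it,
- },
-};
-
-const ASN1_ITEM OCSP_REQINFO_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_REQINFO_seq_tt,
- .tcount = sizeof(OCSP_REQINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_REQINFO),
- .sname = "OCSP_REQINFO",
-};
-
-
-OCSP_REQINFO *
-d2i_OCSP_REQINFO(OCSP_REQINFO **a, const unsigned char **in, long len)
-{
- return (OCSP_REQINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_REQINFO_it);
-}
-
-int
-i2d_OCSP_REQINFO(OCSP_REQINFO *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REQINFO_it);
-}
-
-OCSP_REQINFO *
-OCSP_REQINFO_new(void)
-{
- return (OCSP_REQINFO *)ASN1_item_new(&OCSP_REQINFO_it);
-}
-
-void
-OCSP_REQINFO_free(OCSP_REQINFO *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQINFO_it);
-}
-
-static const ASN1_TEMPLATE OCSP_REQUEST_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_REQUEST, tbsRequest),
- .field_name = "tbsRequest",
- .item = &OCSP_REQINFO_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_REQUEST, optionalSignature),
- .field_name = "optionalSignature",
- .item = &OCSP_SIGNATURE_it,
- },
-};
-
-const ASN1_ITEM OCSP_REQUEST_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_REQUEST_seq_tt,
- .tcount = sizeof(OCSP_REQUEST_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_REQUEST),
- .sname = "OCSP_REQUEST",
-};
-
-
-OCSP_REQUEST *
-d2i_OCSP_REQUEST(OCSP_REQUEST **a, const unsigned char **in, long len)
-{
- return (OCSP_REQUEST *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_REQUEST_it);
-}
-
-int
-i2d_OCSP_REQUEST(OCSP_REQUEST *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REQUEST_it);
-}
-
-OCSP_REQUEST *
-OCSP_REQUEST_new(void)
-{
- return (OCSP_REQUEST *)ASN1_item_new(&OCSP_REQUEST_it);
-}
-
-void
-OCSP_REQUEST_free(OCSP_REQUEST *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQUEST_it);
-}
-
-/* OCSP_RESPONSE templates */
-
-static const ASN1_TEMPLATE OCSP_RESPBYTES_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_RESPBYTES, responseType),
- .field_name = "responseType",
- .item = &ASN1_OBJECT_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_RESPBYTES, response),
- .field_name = "response",
- .item = &ASN1_OCTET_STRING_it,
- },
-};
-
-const ASN1_ITEM OCSP_RESPBYTES_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_RESPBYTES_seq_tt,
- .tcount = sizeof(OCSP_RESPBYTES_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_RESPBYTES),
- .sname = "OCSP_RESPBYTES",
-};
-
-
-OCSP_RESPBYTES *
-d2i_OCSP_RESPBYTES(OCSP_RESPBYTES **a, const unsigned char **in, long len)
-{
- return (OCSP_RESPBYTES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_RESPBYTES_it);
-}
-
-int
-i2d_OCSP_RESPBYTES(OCSP_RESPBYTES *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPBYTES_it);
-}
-
-OCSP_RESPBYTES *
-OCSP_RESPBYTES_new(void)
-{
- return (OCSP_RESPBYTES *)ASN1_item_new(&OCSP_RESPBYTES_it);
-}
-
-void
-OCSP_RESPBYTES_free(OCSP_RESPBYTES *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPBYTES_it);
-}
-
-static const ASN1_TEMPLATE OCSP_RESPONSE_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_RESPONSE, responseStatus),
- .field_name = "responseStatus",
- .item = &ASN1_ENUMERATED_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_RESPONSE, responseBytes),
- .field_name = "responseBytes",
- .item = &OCSP_RESPBYTES_it,
- },
-};
-
-const ASN1_ITEM OCSP_RESPONSE_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_RESPONSE_seq_tt,
- .tcount = sizeof(OCSP_RESPONSE_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_RESPONSE),
- .sname = "OCSP_RESPONSE",
-};
-
-
-OCSP_RESPONSE *
-d2i_OCSP_RESPONSE(OCSP_RESPONSE **a, const unsigned char **in, long len)
-{
- return (OCSP_RESPONSE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_RESPONSE_it);
-}
-
-int
-i2d_OCSP_RESPONSE(OCSP_RESPONSE *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPONSE_it);
-}
-
-OCSP_RESPONSE *
-OCSP_RESPONSE_new(void)
-{
- return (OCSP_RESPONSE *)ASN1_item_new(&OCSP_RESPONSE_it);
-}
-
-void
-OCSP_RESPONSE_free(OCSP_RESPONSE *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPONSE_it);
-}
-
-static const ASN1_TEMPLATE OCSP_RESPID_ch_tt[] = {
- {
- .flags = ASN1_TFLG_EXPLICIT,
- .tag = 1,
- .offset = offsetof(OCSP_RESPID, value.byName),
- .field_name = "value.byName",
- .item = &X509_NAME_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT,
- .tag = 2,
- .offset = offsetof(OCSP_RESPID, value.byKey),
- .field_name = "value.byKey",
- .item = &ASN1_OCTET_STRING_it,
- },
-};
-
-const ASN1_ITEM OCSP_RESPID_it = {
- .itype = ASN1_ITYPE_CHOICE,
- .utype = offsetof(OCSP_RESPID, type),
- .templates = OCSP_RESPID_ch_tt,
- .tcount = sizeof(OCSP_RESPID_ch_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_RESPID),
- .sname = "OCSP_RESPID",
-};
-
-
-OCSP_RESPID *
-d2i_OCSP_RESPID(OCSP_RESPID **a, const unsigned char **in, long len)
-{
- return (OCSP_RESPID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_RESPID_it);
-}
-
-int
-i2d_OCSP_RESPID(OCSP_RESPID *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPID_it);
-}
-
-OCSP_RESPID *
-OCSP_RESPID_new(void)
-{
- return (OCSP_RESPID *)ASN1_item_new(&OCSP_RESPID_it);
-}
-
-void
-OCSP_RESPID_free(OCSP_RESPID *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPID_it);
-}
-
-static const ASN1_TEMPLATE OCSP_REVOKEDINFO_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_REVOKEDINFO, revocationTime),
- .field_name = "revocationTime",
- .item = &ASN1_GENERALIZEDTIME_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_REVOKEDINFO, revocationReason),
- .field_name = "revocationReason",
- .item = &ASN1_ENUMERATED_it,
- },
-};
-
-const ASN1_ITEM OCSP_REVOKEDINFO_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_REVOKEDINFO_seq_tt,
- .tcount = sizeof(OCSP_REVOKEDINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_REVOKEDINFO),
- .sname = "OCSP_REVOKEDINFO",
-};
-
-
-OCSP_REVOKEDINFO *
-d2i_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO **a, const unsigned char **in, long len)
-{
- return (OCSP_REVOKEDINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_REVOKEDINFO_it);
-}
-
-int
-i2d_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REVOKEDINFO_it);
-}
-
-OCSP_REVOKEDINFO *
-OCSP_REVOKEDINFO_new(void)
-{
- return (OCSP_REVOKEDINFO *)ASN1_item_new(&OCSP_REVOKEDINFO_it);
-}
-
-void
-OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_REVOKEDINFO_it);
-}
-
-static const ASN1_TEMPLATE OCSP_CERTSTATUS_ch_tt[] = {
- {
- .flags = ASN1_TFLG_IMPLICIT,
- .tag = 0,
- .offset = offsetof(OCSP_CERTSTATUS, value.good),
- .field_name = "value.good",
- .item = &ASN1_NULL_it,
- },
- {
- .flags = ASN1_TFLG_IMPLICIT,
- .tag = 1,
- .offset = offsetof(OCSP_CERTSTATUS, value.revoked),
- .field_name = "value.revoked",
- .item = &OCSP_REVOKEDINFO_it,
- },
- {
- .flags = ASN1_TFLG_IMPLICIT,
- .tag = 2,
- .offset = offsetof(OCSP_CERTSTATUS, value.unknown),
- .field_name = "value.unknown",
- .item = &ASN1_NULL_it,
- },
-};
-
-const ASN1_ITEM OCSP_CERTSTATUS_it = {
- .itype = ASN1_ITYPE_CHOICE,
- .utype = offsetof(OCSP_CERTSTATUS, type),
- .templates = OCSP_CERTSTATUS_ch_tt,
- .tcount = sizeof(OCSP_CERTSTATUS_ch_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_CERTSTATUS),
- .sname = "OCSP_CERTSTATUS",
-};
-
-
-OCSP_CERTSTATUS *
-d2i_OCSP_CERTSTATUS(OCSP_CERTSTATUS **a, const unsigned char **in, long len)
-{
- return (OCSP_CERTSTATUS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_CERTSTATUS_it);
-}
-
-int
-i2d_OCSP_CERTSTATUS(OCSP_CERTSTATUS *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CERTSTATUS_it);
-}
-
-OCSP_CERTSTATUS *
-OCSP_CERTSTATUS_new(void)
-{
- return (OCSP_CERTSTATUS *)ASN1_item_new(&OCSP_CERTSTATUS_it);
-}
-
-void
-OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTSTATUS_it);
-}
-
-static const ASN1_TEMPLATE OCSP_SINGLERESP_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_SINGLERESP, certId),
- .field_name = "certId",
- .item = &OCSP_CERTID_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_SINGLERESP, certStatus),
- .field_name = "certStatus",
- .item = &OCSP_CERTSTATUS_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_SINGLERESP, thisUpdate),
- .field_name = "thisUpdate",
- .item = &ASN1_GENERALIZEDTIME_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_SINGLERESP, nextUpdate),
- .field_name = "nextUpdate",
- .item = &ASN1_GENERALIZEDTIME_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
- .tag = 1,
- .offset = offsetof(OCSP_SINGLERESP, singleExtensions),
- .field_name = "singleExtensions",
- .item = &X509_EXTENSION_it,
- },
-};
-
-const ASN1_ITEM OCSP_SINGLERESP_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_SINGLERESP_seq_tt,
- .tcount = sizeof(OCSP_SINGLERESP_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_SINGLERESP),
- .sname = "OCSP_SINGLERESP",
-};
-
-
-OCSP_SINGLERESP *
-d2i_OCSP_SINGLERESP(OCSP_SINGLERESP **a, const unsigned char **in, long len)
-{
- return (OCSP_SINGLERESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_SINGLERESP_it);
-}
-
-int
-i2d_OCSP_SINGLERESP(OCSP_SINGLERESP *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SINGLERESP_it);
-}
-
-OCSP_SINGLERESP *
-OCSP_SINGLERESP_new(void)
-{
- return (OCSP_SINGLERESP *)ASN1_item_new(&OCSP_SINGLERESP_it);
-}
-
-void
-OCSP_SINGLERESP_free(OCSP_SINGLERESP *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_SINGLERESP_it);
-}
-
-static const ASN1_TEMPLATE OCSP_RESPDATA_seq_tt[] = {
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_RESPDATA, version),
- .field_name = "version",
- .item = &ASN1_INTEGER_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_RESPDATA, responderId),
- .field_name = "responderId",
- .item = &OCSP_RESPID_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_RESPDATA, producedAt),
- .field_name = "producedAt",
- .item = &ASN1_GENERALIZEDTIME_it,
- },
- {
- .flags = ASN1_TFLG_SEQUENCE_OF,
- .tag = 0,
- .offset = offsetof(OCSP_RESPDATA, responses),
- .field_name = "responses",
- .item = &OCSP_SINGLERESP_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
- .tag = 1,
- .offset = offsetof(OCSP_RESPDATA, responseExtensions),
- .field_name = "responseExtensions",
- .item = &X509_EXTENSION_it,
- },
-};
-
-const ASN1_ITEM OCSP_RESPDATA_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_RESPDATA_seq_tt,
- .tcount = sizeof(OCSP_RESPDATA_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_RESPDATA),
- .sname = "OCSP_RESPDATA",
-};
-
-
-OCSP_RESPDATA *
-d2i_OCSP_RESPDATA(OCSP_RESPDATA **a, const unsigned char **in, long len)
-{
- return (OCSP_RESPDATA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_RESPDATA_it);
-}
-
-int
-i2d_OCSP_RESPDATA(OCSP_RESPDATA *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPDATA_it);
-}
-
-OCSP_RESPDATA *
-OCSP_RESPDATA_new(void)
-{
- return (OCSP_RESPDATA *)ASN1_item_new(&OCSP_RESPDATA_it);
-}
-
-void
-OCSP_RESPDATA_free(OCSP_RESPDATA *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPDATA_it);
-}
-
-static const ASN1_TEMPLATE OCSP_BASICRESP_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_BASICRESP, tbsResponseData),
- .field_name = "tbsResponseData",
- .item = &OCSP_RESPDATA_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_BASICRESP, signatureAlgorithm),
- .field_name = "signatureAlgorithm",
- .item = &X509_ALGOR_it,
- },
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_BASICRESP, signature),
- .field_name = "signature",
- .item = &ASN1_BIT_STRING_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_BASICRESP, certs),
- .field_name = "certs",
- .item = &X509_it,
- },
-};
-
-const ASN1_ITEM OCSP_BASICRESP_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_BASICRESP_seq_tt,
- .tcount = sizeof(OCSP_BASICRESP_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_BASICRESP),
- .sname = "OCSP_BASICRESP",
-};
-
-
-OCSP_BASICRESP *
-d2i_OCSP_BASICRESP(OCSP_BASICRESP **a, const unsigned char **in, long len)
-{
- return (OCSP_BASICRESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_BASICRESP_it);
-}
-
-int
-i2d_OCSP_BASICRESP(OCSP_BASICRESP *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_BASICRESP_it);
-}
-
-OCSP_BASICRESP *
-OCSP_BASICRESP_new(void)
-{
- return (OCSP_BASICRESP *)ASN1_item_new(&OCSP_BASICRESP_it);
-}
-
-void
-OCSP_BASICRESP_free(OCSP_BASICRESP *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_BASICRESP_it);
-}
-
-static const ASN1_TEMPLATE OCSP_CRLID_seq_tt[] = {
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_CRLID, crlUrl),
- .field_name = "crlUrl",
- .item = &ASN1_IA5STRING_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 1,
- .offset = offsetof(OCSP_CRLID, crlNum),
- .field_name = "crlNum",
- .item = &ASN1_INTEGER_it,
- },
- {
- .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
- .tag = 2,
- .offset = offsetof(OCSP_CRLID, crlTime),
- .field_name = "crlTime",
- .item = &ASN1_GENERALIZEDTIME_it,
- },
-};
-
-const ASN1_ITEM OCSP_CRLID_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_CRLID_seq_tt,
- .tcount = sizeof(OCSP_CRLID_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_CRLID),
- .sname = "OCSP_CRLID",
-};
-
-
-OCSP_CRLID *
-d2i_OCSP_CRLID(OCSP_CRLID **a, const unsigned char **in, long len)
-{
- return (OCSP_CRLID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_CRLID_it);
-}
-
-int
-i2d_OCSP_CRLID(OCSP_CRLID *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CRLID_it);
-}
-
-OCSP_CRLID *
-OCSP_CRLID_new(void)
-{
- return (OCSP_CRLID *)ASN1_item_new(&OCSP_CRLID_it);
-}
-
-void
-OCSP_CRLID_free(OCSP_CRLID *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_CRLID_it);
-}
-
-static const ASN1_TEMPLATE OCSP_SERVICELOC_seq_tt[] = {
- {
- .flags = 0,
- .tag = 0,
- .offset = offsetof(OCSP_SERVICELOC, issuer),
- .field_name = "issuer",
- .item = &X509_NAME_it,
- },
- {
- .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
- .tag = 0,
- .offset = offsetof(OCSP_SERVICELOC, locator),
- .field_name = "locator",
- .item = &ACCESS_DESCRIPTION_it,
- },
-};
-
-const ASN1_ITEM OCSP_SERVICELOC_it = {
- .itype = ASN1_ITYPE_SEQUENCE,
- .utype = V_ASN1_SEQUENCE,
- .templates = OCSP_SERVICELOC_seq_tt,
- .tcount = sizeof(OCSP_SERVICELOC_seq_tt) / sizeof(ASN1_TEMPLATE),
- .funcs = NULL,
- .size = sizeof(OCSP_SERVICELOC),
- .sname = "OCSP_SERVICELOC",
-};
-
-
-OCSP_SERVICELOC *
-d2i_OCSP_SERVICELOC(OCSP_SERVICELOC **a, const unsigned char **in, long len)
-{
- return (OCSP_SERVICELOC *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OCSP_SERVICELOC_it);
-}
-
-int
-i2d_OCSP_SERVICELOC(OCSP_SERVICELOC *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SERVICELOC_it);
-}
-
-OCSP_SERVICELOC *
-OCSP_SERVICELOC_new(void)
-{
- return (OCSP_SERVICELOC *)ASN1_item_new(&OCSP_SERVICELOC_it);
-}
-
-void
-OCSP_SERVICELOC_free(OCSP_SERVICELOC *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OCSP_SERVICELOC_it);
-}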
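diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
deleted file mode 100644
index a4320d9278..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ /dev/null
@@ -1,383 +0,0 @@
-/* $OpenBSD: ocsp_cl.c,v 1.8 2014/10/18 17:20:40 jsing Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
-   This file was transfered to Richard Levitte from CertCo by Kathy
-   Weinhold in mid-spring 2000 to be included in OpenSSL or released
-   as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <time.h>
-
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-/* Utility functions related to sending OCSP requests and extracting
- * relevant information from the response.
- */
-
-/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
- * pointer: useful if we want to add extensions.
- */
-OCSP_ONEREQ *
-OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
-{
-	OCSP_ONEREQ *one = NULL;
-
-	if (!(one = OCSP_ONEREQ_new()))
-		goto err;
-	if (one->reqCert)
-		OCSP_CERTID_free(one->reqCert);
-	one->reqCert = cid;
-	if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
-		goto err;
-	return one;
-
-err:
-	OCSP_ONEREQ_free(one);
-	return NULL;
-}
-
-/* Set requestorName from an X509_NAME structure */
-int
-OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
-{
-	GENERAL_NAME *gen;
-
-	gen = GENERAL_NAME_new();
-	if (gen == NULL)
-		return 0;
-	if (!X509_NAME_set(&gen->d.directoryName, nm)) {
-		GENERAL_NAME_free(gen);
-		return 0;
-	}
-	gen->type = GEN_DIRNAME;
-	if (req->tbsRequest->requestorName)
-		GENERAL_NAME_free(req->tbsRequest->requestorName);
-	req->tbsRequest->requestorName = gen;
-	return 1;
-}
-
-/* Add a certificate to an OCSP request */
-int
-OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
-{
-	OCSP_SIGNATURE *sig;
-
-	if (!req->optionalSignature)
-		req->optionalSignature = OCSP_SIGNATURE_new();
-	sig = req->optionalSignature;
-	if (!sig)
-		return 0;
-	if (!cert)
-		return 1;
-	if (!sig->certs && !(sig->certs = sk_X509_new_null()))
-		return 0;
-
-	if (!sk_X509_push(sig->certs, cert))
-		return 0;
-	CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
-	return 1;
-}
-
-/* Sign an OCSP request set the requestorName to the subjec
- * name of an optional signers certificate and include one
- * or more optional certificates in the request. Behaves
- * like PKCS7_sign().
- */
-int
-OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
-    const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-{
-	int i;
-	OCSP_SIGNATURE *sig;
-	X509 *x;
-
-	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
-		goto err;
-
-	if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
-		goto err;
-	if (key) {
-		if (!X509_check_private_key(signer, key)) {
-			OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
-			    OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
-			goto err;
-		}
-		if (!OCSP_REQUEST_sign(req, key, dgst))
-			goto err;
-	}
-
-	if (!(flags & OCSP_NOCERTS)) {
-		if (!OCSP_request_add1_cert(req, signer))
-			goto err;
-		for (i = 0; i < sk_X509_num(certs); i++) {
-			x = sk_X509_value(certs, i);
-			if (!OCSP_request_add1_cert(req, x))
-				goto err;
-		}
-	}
-
-	return 1;
-
-err:
-	OCSP_SIGNATURE_free(req->optionalSignature);
-	req->optionalSignature = NULL;
-	return 0;
-}
-
-/* Get response status */
-int
-OCSP_response_status(OCSP_RESPONSE *resp)
-{
-	return ASN1_ENUMERATED_get(resp->responseStatus);
-}
-
-/* Extract basic response from OCSP_RESPONSE or NULL if
- * no basic response present.
- */
-OCSP_BASICRESP *
-OCSP_response_get1_basic(OCSP_RESPONSE *resp)
-{
-	OCSP_RESPBYTES *rb;
-
-	rb = resp->responseBytes;
-	if (!rb) {
-		OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-		    OCSP_R_NO_RESPONSE_DATA);
-		return NULL;
-	}
-	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
-		OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-		    OCSP_R_NOT_BASIC_RESPONSE);
-		return NULL;
-	}
-
-	return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
-}
-
-/* Return number of OCSP_SINGLERESP reponses present in
- * a basic response.
- */
-int
-OCSP_resp_count(OCSP_BASICRESP *bs)
-{
-	if (!bs)
-		return -1;
-	return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
-}
-
-/* Extract an OCSP_SINGLERESP response with a given index */
-OCSP_SINGLERESP *
-OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
-{
-	if (!bs)
-		return NULL;
-	return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
-}
-
-/* Look single response matching a given certificate ID */
-int
-OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
-{
-	int i;
-	STACK_OF(OCSP_SINGLERESP) *sresp;
-	OCSP_SINGLERESP *single;
-
-	if (!bs)
-		return -1;
-	if (last < 0)
-		last = 0;
-	else
-		last++;
-	sresp = bs->tbsResponseData->responses;
-	for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
-		single = sk_OCSP_SINGLERESP_value(sresp, i);
-		if (!OCSP_id_cmp(id, single->certId))
-			return i;
-	}
-	return -1;
-}
-
-/* Extract status information from an OCSP_SINGLERESP structure.
- * Note: the revtime and reason values are only set if the
- * certificate status is revoked. Returns numerical value of
- * status.
- */
-int
-OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
-    ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-    ASN1_GENERALIZEDTIME **nextupd)
-{
-	int ret;
-	OCSP_CERTSTATUS *cst;
-
-	if (!single)
-		return -1;
-	cst = single->certStatus;
-	ret = cst->type;
-	if (ret == V_OCSP_CERTSTATUS_REVOKED) {
-		OCSP_REVOKEDINFO *rev = cst->value.revoked;
-
-		if (revtime)
-			*revtime = rev->revocationTime;
-		if (reason) {
-			if (rev->revocationReason)
-				*reason = ASN1_ENUMERATED_get(
-				    rev->revocationReason);
-			else
-				*reason = -1;
-		}
-	}
-	if (thisupd)
-		*thisupd = single->thisUpdate;
-	if (nextupd)
-		*nextupd = single->nextUpdate;
-	return ret;
-}
-
-/* This function combines the previous ones: look up a certificate ID and
- * if found extract status information. Return 0 is successful.
- */
-int
-OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
-    int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-    ASN1_GENERALIZEDTIME **nextupd)
-{
-	int i;
-	OCSP_SINGLERESP *single;
-
-	i = OCSP_resp_find(bs, id, -1);
-	/* Maybe check for multiple responses and give an error? */
-	if (i < 0)
-		return 0;
-	single = OCSP_resp_get0(bs, i);
-	i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
-	if (status)
-		*status = i;
-	return 1;
-}
-
-/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
- * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
- * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
- * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
- * parameter specifies the maximum age the thisUpdate field can be.
- */
-int
-OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
-    ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
-{
-	int ret = 1;
-	time_t t_now, t_tmp;
-
-	time(&t_now);
-	/* Check thisUpdate is valid and not more than nsec in the future */
-	if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
-		OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-		    OCSP_R_ERROR_IN_THISUPDATE_FIELD);
-		ret = 0;
-	} else {
-		t_tmp = t_now + nsec;
-		if (X509_cmp_time(thisupd, &t_tmp) > 0) {
-			OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-			    OCSP_R_STATUS_NOT_YET_VALID);
-			ret = 0;
-		}
-
-		/* If maxsec specified check thisUpdate is not more than maxsec in the past */
-		if (maxsec >= 0) {
-			t_tmp = t_now - maxsec;
-			if (X509_cmp_time(thisupd, &t_tmp) < 0) {
-				OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-				    OCSP_R_STATUS_TOO_OLD);
-				ret = 0;
-			}
-		}
-	}
-
-	if (!nextupd)
-		return ret;
-
-	/* Check nextUpdate is valid and not more than nsec in the past */
-	if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
-		OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-		    OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
-		ret = 0;
-	} else {
-		t_tmp = t_now - nsec;
-		if (X509_cmp_time(nextupd, &t_tmp) < 0) {
-			OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-			    OCSP_R_STATUS_EXPIRED);
-			ret = 0;
-		}
-	}
-
-	/* Also don't allow nextUpdate to precede thisUpdate */
-	if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
-		OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-		    OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
-		ret = 0;
-	}
-
-	return ret;
-}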
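diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
deleted file mode 100644
index af781074b6..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_err.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* $OpenBSD: ocsp_err.c,v 1.7 2014/07/10 22:45:57 jsing Exp $ */
-/* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
-
-static ERR_STRING_DATA OCSP_str_functs[]= {
-	{ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"},
-	{ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"},
-	{ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"},
-	{ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"},
-	{ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"},
-	{ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"},
-	{ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"},
-	{ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"},
-	{ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"},
-	{ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"},
-	{ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"},
-	{ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"},
-	{ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"},
-	{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"},
-	{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"},
-	{ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"},
-	{ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"},
-	{ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"},
-	{ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"},
-	{0, NULL}
-};
-
-static ERR_STRING_DATA OCSP_str_reasons[]= {
-	{ERR_REASON(OCSP_R_BAD_DATA) , "bad data"},
-	{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
-	{ERR_REASON(OCSP_R_DIGEST_ERR) , "digest err"},
-	{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD), "error in nextupdate field"},
-	{ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD), "error in thisupdate field"},
-	{ERR_REASON(OCSP_R_ERROR_PARSING_URL) , "error parsing url"},
-	{ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE), "missing ocspsigning usage"},
-	{ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE), "nextupdate before thisupdate"},
-	{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE) , "not basic response"},
-	{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN), "no certificates in chain"},
-	{ERR_REASON(OCSP_R_NO_CONTENT) , "no content"},
-	{ERR_REASON(OCSP_R_NO_PUBLIC_KEY) , "no public key"},
-	{ERR_REASON(OCSP_R_NO_RESPONSE_DATA) , "no response data"},
-	{ERR_REASON(OCSP_R_NO_REVOKED_TIME) , "no revoked time"},
-	{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"},
-	{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED) , "request not signed"},
-	{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA), "response contains no revocation data"},
-	{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED) , "root ca not trusted"},
-	{ERR_REASON(OCSP_R_SERVER_READ_ERROR) , "server read error"},
-	{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR), "server response error"},
-	{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR), "server response parse error"},
-	{ERR_REASON(OCSP_R_SERVER_WRITE_ERROR) , "server write error"},
-	{ERR_REASON(OCSP_R_SIGNATURE_FAILURE) , "signature failure"},
-	{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND), "signer certificate not found"},
-	{ERR_REASON(OCSP_R_STATUS_EXPIRED) , "status expired"},
-	{ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) , "status not yet valid"},
-	{ERR_REASON(OCSP_R_STATUS_TOO_OLD) , "status too old"},
-	{ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST), "unknown message digest"},
-	{ERR_REASON(OCSP_R_UNKNOWN_NID) , "unknown nid"},
-	{ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE), "unsupported requestorname type"},
-	{0, NULL}
-};
-
-#endif
-
-void
-ERR_load_OCSP_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-	if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL) {
-		ERR_load_strings(0, OCSP_str_functs);
-		ERR_load_strings(0, OCSP_str_reasons);
-	}
-#endif
-}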
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
deleted file mode 100644
index edcf5bcca8..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ /dev/null
@@ -1,607 +0,0 @@
1/* $OpenBSD: ocsp_ext.c,v 1.14 2015/07/19 18:29:31 miod Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <stdlib.h>
66#include <string.h>
67
68#include <openssl/objects.h>
69#include <openssl/ocsp.h>
70#include <openssl/x509.h>
71#include <openssl/x509v3.h>
72
73/* Standard wrapper functions for extensions */
74
75/* OCSP request extensions */
76
77int
78OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
79{
80 return X509v3_get_ext_count(x->tbsRequest->requestExtensions);
81}
82
83int
84OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
85{
86 return X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions, nid,
87 lastpos);
88}
89
90int
91OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
92{
93 return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj,
94 lastpos);
95}
96
97int
98OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
99{
100 return X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,
101 crit, lastpos);
102}
103
104X509_EXTENSION *
105OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
106{
107 return X509v3_get_ext(x->tbsRequest->requestExtensions, loc);
108}
109
110X509_EXTENSION *
111OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
112{
113 return X509v3_delete_ext(x->tbsRequest->requestExtensions, loc);
114}
115
116void *
117OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
118{
119 return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
120}
121
122int
123OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
124 unsigned long flags)
125{
126 return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value,
127 crit, flags);
128}
129
130int
131OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
132{
133 return X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex,
134 loc) != NULL;
135}
136
137/* Single extensions */
138
139int
140OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
141{
142 return X509v3_get_ext_count(x->singleRequestExtensions);
143}
144
145int
146OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
147{
148 return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
149}
150
151int
152OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
153{
154 return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
155}
156
157int
158OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
159{
160 return X509v3_get_ext_by_critical(x->singleRequestExtensions, crit,
161 lastpos);
162}
163
164X509_EXTENSION *
165OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
166{
167 return X509v3_get_ext(x->singleRequestExtensions, loc);
168}
169
170X509_EXTENSION *
171OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
172{
173 return X509v3_delete_ext(x->singleRequestExtensions, loc);
174}
175
176void *
177OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
178{
179 return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
180}
181
182int
183OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
184 unsigned long flags)
185{
186 return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
187 flags);
188}
189
190int
191OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
192{
193 return X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL;
194}
195
196/* OCSP Basic response */
197
198int
199OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
200{
201 return X509v3_get_ext_count(x->tbsResponseData->responseExtensions);
202}
203
204int
205OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
206{
207 return X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,
208 nid, lastpos);
209}
210
211int
212OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
213{
214 return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,
215 obj, lastpos);
216}
217
218int
219OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
220{
221 return X509v3_get_ext_by_critical(
222 x->tbsResponseData->responseExtensions, crit, lastpos);
223}
224
225X509_EXTENSION *
226OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
227{
228 return X509v3_get_ext(x->tbsResponseData->responseExtensions, loc);
229}
230
231X509_EXTENSION *
232OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
233{
234 return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc);
235}
236
237void *
238OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
239{
240 return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid,
241 crit, idx);
242}
243
244int
245OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
246 unsigned long flags)
247{
248 return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid,
249 value, crit, flags);
250}
251
252int
253OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
254{
255 return X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex,
256 loc) != NULL;
257}
258
259/* OCSP single response extensions */
260
261int
262OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
263{
264 return X509v3_get_ext_count(x->singleExtensions);
265}
266
267int
268OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
269{
270 return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
271}
272
273int
274OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
275 int lastpos)
276{
277 return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
278}
279
280int
281OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
282{
283 return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
284}
285
286X509_EXTENSION *
287OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
288{
289 return X509v3_get_ext(x->singleExtensions, loc);
290}
291
292X509_EXTENSION *
293OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
294{
295 return X509v3_delete_ext(x->singleExtensions, loc);
296}
297
298void *
299OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
300{
301 return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
302}
303
304int
305OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
306 unsigned long flags)
307{
308 return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
309}
310
311int
312OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
313{
314 return X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL;
315}
316
317/* also CRL Entry Extensions */
318#if 0
319ASN1_STRING *
320ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, void *data,
321 STACK_OF(ASN1_OBJECT) *sk)
322{
323 int i;
324 unsigned char *p, *b = NULL;
325
326 if (data) {
327 if ((i = i2d(data, NULL)) <= 0)
328 goto err;
329 if (!(b = p = malloc(i)))
330 goto err;
331 if (i2d(data, &p) <= 0)
332 goto err;
333 } else if (sk) {
334 if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk, NULL,
335 (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
336 IS_SEQUENCE)) <= 0)
337 goto err;
338 if (!(b = p = malloc(i)))
339 goto err;
340 if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk, &p,
341 (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE,
342 V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0)
343 goto err;
344 } else {
345 OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA);
346 goto err;
347 }
348 if (!s && !(s = ASN1_STRING_new()))
349 goto err;
350 if (!(ASN1_STRING_set(s, b, i)))
351 goto err;
352 free(b);
353 return s;
354
355err:
356 free(b);
357 return NULL;
358}
359#endif
360
361/* Nonce handling functions */
362
363/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
364 * a random nonce will be generated.
365 * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
366 * nonce, previous versions used the raw nonce.
367 */
368
369static int
370ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
371{
372 unsigned char *tmpval;
373 ASN1_OCTET_STRING os;
374 int ret = 0;
375
376 if (len <= 0)
377 len = OCSP_DEFAULT_NONCE_LENGTH;
378 /* Create the OCTET STRING manually by writing out the header and
379 * appending the content octets. This avoids an extra memory allocation
380 * operation in some cases. Applications should *NOT* do this because
381 * it relies on library internals.
382 */
383 os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
384 os.data = malloc(os.length);
385 if (os.data == NULL)
386 goto err;
387 tmpval = os.data;
388 ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
389 if (val)
390 memcpy(tmpval, val, len);
391 else
392 arc4random_buf(tmpval, len);
393 if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
394 X509V3_ADD_REPLACE))
395 goto err;
396 ret = 1;
397
398err:
399 free(os.data);
400 return ret;
401}
402
403/* Add nonce to an OCSP request */
404int
405OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
406{
407 return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
408}
409
410/* Same as above but for a response */
411int
412OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
413{
414 return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val,
415 len);
416}
417
418/* Check nonce validity in a request and response.
419 * Return value reflects result:
420 * 1: nonces present and equal.
421 * 2: nonces both absent.
422 * 3: nonce present in response only.
423 * 0: nonces both present and not equal.
424 * -1: nonce in request only.
425 *
426 * For most responders clients can check return > 0.
427 * If responder doesn't handle nonces return != 0 may be
428 * necessary. return == 0 is always an error.
429 */
430int
431OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
432{
433 /*
434 * Since we are only interested in the presence or absence of
435 * the nonce and comparing its value there is no need to use
436 * the X509V3 routines: this way we can avoid them allocating an
437 * ASN1_OCTET_STRING structure for the value which would be
438 * freed immediately anyway.
439 */
440 int req_idx, resp_idx;
441 X509_EXTENSION *req_ext, *resp_ext;
442
443 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
444 resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs,
445 NID_id_pkix_OCSP_Nonce, -1);
446 /* Check both absent */
447 if (req_idx < 0 && resp_idx < 0)
448 return 2;
449 /* Check in request only */
450 if (req_idx >= 0 && resp_idx < 0)
451 return -1;
452 /* Check in response but not request */
453 if (req_idx < 0 && resp_idx >= 0)
454 return 3;
455 /* Otherwise nonce in request and response so retrieve the extensions */
456 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
457 resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
458 if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
459 return 0;
460 return 1;
461}
462
463/* Copy the nonce value (if any) from an OCSP request to
464 * a response.
465 */
466int
467OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
468{
469 X509_EXTENSION *req_ext;
470 int req_idx;
471
472 /* Check for nonce in request */
473 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
474 /* If no nonce that's OK */
475 if (req_idx < 0)
476 return 2;
477 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
478 return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
479}
480
481X509_EXTENSION *
482OCSP_crlID_new(char *url, long *n, char *tim)
483{
484 X509_EXTENSION *x = NULL;
485 OCSP_CRLID *cid = NULL;
486
487 if (!(cid = OCSP_CRLID_new()))
488 goto err;
489 if (url) {
490 if (!(cid->crlUrl = ASN1_IA5STRING_new()))
491 goto err;
492 if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
493 goto err;
494 }
495 if (n) {
496 if (!(cid->crlNum = ASN1_INTEGER_new()))
497 goto err;
498 if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
499 goto err;
500 }
501 if (tim) {
502 if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new()))
503 goto err;
504 if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
505 goto err;
506 }
507 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
508
509err:
510 if (cid)
511 OCSP_CRLID_free(cid);
512 return x;
513}
514
515/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
516X509_EXTENSION *
517OCSP_accept_responses_new(char **oids)
518{
519 int nid;
520 STACK_OF(ASN1_OBJECT) *sk = NULL;
521 ASN1_OBJECT *o = NULL;
522 X509_EXTENSION *x = NULL;
523
524 if (!(sk = sk_ASN1_OBJECT_new_null()))
525 return NULL;
526 while (oids && *oids) {
527 if ((nid = OBJ_txt2nid(*oids)) != NID_undef &&
528 (o = OBJ_nid2obj(nid)))
529 if (sk_ASN1_OBJECT_push(sk, o) == 0) {
530 sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
531 return NULL;
532 }
533 oids++;
534 }
535 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
536 sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
537 return x;
538}
539
540/* ArchiveCutoff ::= GeneralizedTime */
541X509_EXTENSION *
542OCSP_archive_cutoff_new(char* tim)
543{
544 X509_EXTENSION *x = NULL;
545 ASN1_GENERALIZEDTIME *gt = NULL;
546
547 if (!(gt = ASN1_GENERALIZEDTIME_new()))
548 return NULL;
549 if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
550 goto err;
551 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
552
553err:
554 if (gt)
555 ASN1_GENERALIZEDTIME_free(gt);
556 return x;
557}
558
559/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
560 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This
561 * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
562 */
563X509_EXTENSION *
564OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
565{
566 X509_EXTENSION *x = NULL;
567 ASN1_IA5STRING *ia5 = NULL;
568 OCSP_SERVICELOC *sloc = NULL;
569 ACCESS_DESCRIPTION *ad = NULL;
570
571 if (!(sloc = OCSP_SERVICELOC_new()))
572 goto err;
573 if (!(sloc->issuer = X509_NAME_dup(issuer)))
574 goto err;
575 if (urls && *urls &&
576 !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null()))
577 goto err;
578 while (urls && *urls) {
579 if (!(ad = ACCESS_DESCRIPTION_new()))
580 goto err;
581 if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP)))
582 goto err;
583 if (!(ad->location = GENERAL_NAME_new()))
584 goto err;
585 if (!(ia5 = ASN1_IA5STRING_new()))
586 goto err;
587 if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1))
588 goto err;
589 ad->location->type = GEN_URI;
590 ad->location->d.ia5 = ia5;
591 ia5 = NULL;
592 if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
593 goto err;
594 ad = NULL;
595 urls++;
596 }
597 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
598
599err:
600 if (ia5)
601 ASN1_IA5STRING_free(ia5);
602 if (ad)
603 ACCESS_DESCRIPTION_free(ad);
604 if (sloc)
605 OCSP_SERVICELOC_free(sloc);
606 return x;
607}
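--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ /dev/null
@@ -1,463 +0,0 @@
-/* $OpenBSD: ocsp_ht.c,v 1.22 2014/10/03 06:02:38 doug Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <string.h>
-#include <openssl/asn1.h>
-#include <openssl/ocsp.h>
-#include <openssl/err.h>
-#include <openssl/buffer.h>
-
-/* Stateful OCSP request code, supporting non-blocking I/O */
-
-/* Opaque OCSP request status structure */
-
-struct ocsp_req_ctx_st {
-	int state; /* Current I/O state */
-	unsigned char *iobuf; /* Line buffer */
-	int iobuflen; /* Line buffer length */
-	BIO *io; /* BIO to perform I/O with */
-	BIO *mem; /* Memory BIO response is built into */
-	unsigned long asn1_len; /* ASN1 length of response */
-};
-
-#define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
-#define OCSP_MAX_LINE_LEN 4096;
-
-/* OCSP states */
-
-/* If set no reading should be performed */
-#define OHS_NOREAD 0x1000
-/* Error condition */
-#define OHS_ERROR (0 | OHS_NOREAD)
-/* First line being read */
-#define OHS_FIRSTLINE 1
-/* MIME headers being read */
-#define OHS_HEADERS 2
-/* OCSP initial header (tag + length) being read */
-#define OHS_ASN1_HEADER 3
-/* OCSP content octets being read */
-#define OHS_ASN1_CONTENT 4
-/* Request being sent */
-#define OHS_ASN1_WRITE (6 | OHS_NOREAD)
-/* Request being flushed */
-#define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
-/* Completed */
-#define OHS_DONE (8 | OHS_NOREAD)
-
-
-static int parse_http_line1(char *line);
-
-void
-OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
-{
-	if (rctx == NULL)
-		return;
-
-	BIO_free(rctx->mem);
-	free(rctx->iobuf);
-	free(rctx);
-}
-
-int
-OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
-{
-	if (BIO_printf(rctx->mem, "Content-Type: application/ocsp-request\r\n"
-	    "Content-Length: %d\r\n\r\n", i2d_OCSP_REQUEST(req, NULL)) <= 0)
-		return 0;
-	if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
-		return 0;
-	rctx->state = OHS_ASN1_WRITE;
-	rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
-	return 1;
-}
-
-int
-OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
-    const char *value)
-{
-	if (!name)
-		return 0;
-	if (BIO_puts(rctx->mem, name) <= 0)
-		return 0;
-	if (value) {
-		if (BIO_write(rctx->mem, ": ", 2) != 2)
-			return 0;
-		if (BIO_puts(rctx->mem, value) <= 0)
-			return 0;
-	}
-	if (BIO_write(rctx->mem, "\r\n", 2) != 2)
-		return 0;
-	return 1;
-}
-
-OCSP_REQ_CTX *
-OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline)
-{
-	OCSP_REQ_CTX *rctx;
-
-	rctx = malloc(sizeof(OCSP_REQ_CTX));
-	if (rctx == NULL)
-		return NULL;
-	rctx->state = OHS_ERROR;
-	rctx->mem = BIO_new(BIO_s_mem());
-	rctx->io = io;
-	rctx->asn1_len = 0;
-	if (maxline > 0)
-		rctx->iobuflen = maxline;
-	else
-		rctx->iobuflen = OCSP_MAX_LINE_LEN;
-	rctx->iobuf = malloc(rctx->iobuflen);
-	if (!rctx->iobuf) {
-		BIO_free(rctx->mem);
-		free(rctx);
-		return NULL;
-	}
-	if (!path)
-		path = "/";
-
-	if (BIO_printf(rctx->mem, "POST %s HTTP/1.0\r\n", path) <= 0) {
-		free(rctx->iobuf);
-		BIO_free(rctx->mem);
-		free(rctx);
-		return NULL;
-	}
-
-	if (req && !OCSP_REQ_CTX_set1_req(rctx, req)) {
-		free(rctx->iobuf);
-		BIO_free(rctx->mem);
-		free(rctx);
-		return NULL;
-	}
-
-	return rctx;
-}
-
-/* Parse the HTTP response. This will look like this:
- * "HTTP/1.0 200 OK". We need to obtain the numeric code and
- * (optional) informational message.
- */
-static int
-parse_http_line1(char *line)
-{
-	int retcode;
-	char *p, *q, *r;
-
-	/* Skip to first white space (passed protocol info) */
-	for (p = line; *p && !isspace((unsigned char)*p); p++)
-		continue;
-	if (!*p) {
-		OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-		    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
-		return 0;
-	}
-
-	/* Skip past white space to start of response code */
-	while (*p && isspace((unsigned char)*p))
-		p++;
-	if (!*p) {
-		OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-		    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
-		return 0;
-	}
-
-	/* Find end of response code: first whitespace after start of code */
-	for (q = p; *q && !isspace((unsigned char)*q); q++)
-		continue;
-	if (!*q) {
-		OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-		    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
-		return 0;
-	}
-
-	/* Set end of response code and start of message */
-	*q++ = 0;
-
-	/* Attempt to parse numeric code */
-	retcode = strtoul(p, &r, 10);
-
-	if (*r)
-		return 0;
-
-	/* Skip over any leading white space in message */
-	while (*q && isspace((unsigned char)*q))
-		q++;
-	if (*q) {
-		/* Finally zap any trailing white space in message (include
-		 * CRLF) */
-
-		/* We know q has a non white space character so this is OK */
-		for (r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
-			*r = 0;
-	}
-	if (retcode != 200) {
-		OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
-		if (!*q)
-			ERR_asprintf_error_data("Code=%s", p);
-		else
-			ERR_asprintf_error_data("Code=%s,Reason=%s", p, q);
-		return 0;
-	}
-
-	return 1;
-}
-
-int
-OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
-{
-	int i, n;
-	const unsigned char *p;
-
-next_io:
-	if (!(rctx->state & OHS_NOREAD)) {
-		n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
-
-		if (n <= 0) {
-			if (BIO_should_retry(rctx->io))
-				return -1;
-			return 0;
-		}
-
-		/* Write data to memory BIO */
-		if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
-			return 0;
-	}
-
-	switch (rctx->state) {
-	case OHS_ASN1_WRITE:
-		n = BIO_get_mem_data(rctx->mem, &p);
-		i = BIO_write(rctx->io,
-		    p + (n - rctx->asn1_len), rctx->asn1_len);
-		if (i <= 0) {
-			if (BIO_should_retry(rctx->io))
-				return -1;
-			rctx->state = OHS_ERROR;
-			return 0;
-		}
-
-		rctx->asn1_len -= i;
-		if (rctx->asn1_len > 0)
-			goto next_io;
-
-		rctx->state = OHS_ASN1_FLUSH;
-
-		(void)BIO_reset(rctx->mem);
-		/* FALLTHROUGH */
-
-	case OHS_ASN1_FLUSH:
-		i = BIO_flush(rctx->io);
-		if (i > 0) {
-			rctx->state = OHS_FIRSTLINE;
-			goto next_io;
-		}
-
-		if (BIO_should_retry(rctx->io))
-			return -1;
-
-		rctx->state = OHS_ERROR;
-		return 0;
-
-	case OHS_ERROR:
-		return 0;
-
-	case OHS_FIRSTLINE:
-	case OHS_HEADERS:
-		/* Attempt to read a line in */
-next_line:
-		/* Due to &%^*$" memory BIO behaviour with BIO_gets we
-		 * have to check there's a complete line in there before
-		 * calling BIO_gets or we'll just get a partial read.
-		 */
-		n = BIO_get_mem_data(rctx->mem, &p);
-		if ((n <= 0) || !memchr(p, '\n', n)) {
-			if (n >= rctx->iobuflen) {
-				rctx->state = OHS_ERROR;
-				return 0;
-			}
-			goto next_io;
-		}
-		n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
-		if (n <= 0) {
-			if (BIO_should_retry(rctx->mem))
-				goto next_io;
-			rctx->state = OHS_ERROR;
-			return 0;
-		}
-
-		/* Don't allow excessive lines */
-		if (n == rctx->iobuflen) {
-			rctx->state = OHS_ERROR;
-			return 0;
-		}
-
-		/* First line */
-		if (rctx->state == OHS_FIRSTLINE) {
-			if (parse_http_line1((char *)rctx->iobuf)) {
-				rctx->state = OHS_HEADERS;
-				goto next_line;
-			} else {
-				rctx->state = OHS_ERROR;
-				return 0;
-			}
-		} else {
-			/* Look for blank line: end of headers */
-			for (p = rctx->iobuf; *p; p++) {
-				if ((*p != '\r') && (*p != '\n'))
-					break;
-			}
-			if (*p)
-				goto next_line;
-
-			rctx->state = OHS_ASN1_HEADER;
-		}
-		/* FALLTRHOUGH */
-
-	case OHS_ASN1_HEADER:
-		/* Now reading ASN1 header: can read at least 2 bytes which
-		 * is enough for ASN1 SEQUENCE header and either length field
-		 * or at least the length of the length field.
-		 */
-		n = BIO_get_mem_data(rctx->mem, &p);
-		if (n < 2)
-			goto next_io;
-
-		/* Check it is an ASN1 SEQUENCE */
-		if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
-			rctx->state = OHS_ERROR;
-			return 0;
-		}
-
-		/* Check out length field */
-		if (*p & 0x80) {
-			/* If MSB set on initial length octet we can now
-			 * always read 6 octets: make sure we have them.
-			 */
-			if (n < 6)
-				goto next_io;
-			n = *p & 0x7F;
-			/* Not NDEF or excessive length */
-			if (!n || (n > 4)) {
-				rctx->state = OHS_ERROR;
-				return 0;
-			}
-			p++;
-			rctx->asn1_len = 0;
-			for (i = 0; i < n; i++) {
-				rctx->asn1_len <<= 8;
-				rctx->asn1_len |= *p++;
-			}
-
-			if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) {
-				rctx->state = OHS_ERROR;
-				return 0;
-			}
-
-			rctx->asn1_len += n + 2;
-		} else
-			rctx->asn1_len = *p + 2;
-
-		rctx->state = OHS_ASN1_CONTENT;
-
-		/* FALLTHROUGH */
-
-	case OHS_ASN1_CONTENT:
-		n = BIO_get_mem_data(rctx->mem, &p);
-		if (n < (int)rctx->asn1_len)
-			goto next_io;
-
-		*presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
-		if (*presp) {
-			rctx->state = OHS_DONE;
-			return 1;
-		}
-
-		rctx->state = OHS_ERROR;
-		return 0;
-
-	case OHS_DONE:
-		return 1;
-	}
-
-	return 0;
-}
-
-/* Blocking OCSP request handler: now a special case of non-blocking I/O */
-OCSP_RESPONSE *
-OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
-{
-	OCSP_RESPONSE *resp = NULL;
-	OCSP_REQ_CTX *ctx;
-	int rv;
-
-	ctx = OCSP_sendreq_new(b, path, req, -1);
-	if (ctx == NULL)
-		return NULL;
-
-	do {
-		rv = OCSP_sendreq_nbio(&resp, ctx);
-	} while ((rv == -1) && BIO_should_retry(b));
-
-	OCSP_REQ_CTX_free(ctx);
-
-	if (rv)
-		return resp;
-
-	return NULL;
-}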
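--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ /dev/null
@@ -1,282 +0,0 @@
-/* $OpenBSD: ocsp_lib.c,v 1.18 2015/02/10 05:25:45 jsing Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-/* Convert a certificate and its issuer to an OCSP_CERTID */
-
-OCSP_CERTID *
-OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
-{
-	X509_NAME *iname;
-	ASN1_INTEGER *serial;
-	ASN1_BIT_STRING *ikey;
-
-#ifndef OPENSSL_NO_SHA1
-	if (!dgst)
-		dgst = EVP_sha1();
-#endif
-	if (subject) {
-		iname = X509_get_issuer_name(subject);
-		serial = X509_get_serialNumber(subject);
-	} else {
-		iname = X509_get_subject_name(issuer);
-		serial = NULL;
-	}
-	ikey = X509_get0_pubkey_bitstr(issuer);
-	return OCSP_cert_id_new(dgst, iname, ikey, serial);
-}
-
-OCSP_CERTID *
-OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
-    ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber)
-{
-	int nid;
-	unsigned int i;
-	X509_ALGOR *alg;
-	OCSP_CERTID *cid = NULL;
-	unsigned char md[EVP_MAX_MD_SIZE];
-
-	if (!(cid = OCSP_CERTID_new()))
-		goto err;
-
-	alg = cid->hashAlgorithm;
-	if (alg->algorithm != NULL)
-		ASN1_OBJECT_free(alg->algorithm);
-	if ((nid = EVP_MD_type(dgst)) == NID_undef) {
-		OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID);
-		goto err;
-	}
-	if (!(alg->algorithm = OBJ_nid2obj(nid)))
-		goto err;
-	if ((alg->parameter = ASN1_TYPE_new()) == NULL)
-		goto err;
-	alg->parameter->type = V_ASN1_NULL;
-
-	if (!X509_NAME_digest(issuerName, dgst, md, &i))
-		goto digerr;
-	if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
-		goto err;
-
-	/* Calculate the issuerKey hash, excluding tag and length */
-	if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
-		goto err;
-
-	if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
-		goto err;
-
-	if (serialNumber) {
-		ASN1_INTEGER_free(cid->serialNumber);
-		if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
-			goto err;
-	}
-	return cid;
-
-digerr:
-	OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR);
-err:
-	if (cid)
-		OCSP_CERTID_free(cid);
-	return NULL;
-}
-
-int
-OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
-{
-	int ret;
-
-	ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
-	if (ret)
-		return ret;
-	ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
-	if (ret)
-		return ret;
-	return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
-}
-
-int
-OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
-{
-	int ret;
-
-	ret = OCSP_id_issuer_cmp(a, b);
-	if (ret)
-		return ret;
-	return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
-}
-
-/* Parse a URL and split it up into host, port and path components and whether
- * it is SSL.
- */
-int
-OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
-{
-	char *p, *buf;
-	char *host, *port;
-
-	*phost = NULL;
-	*pport = NULL;
-	*ppath = NULL;
-
-	/* dup the buffer since we are going to mess with it */
-	buf = url ? strdup(url) : NULL;
-	if (!buf)
-		goto mem_err;
-
-	/* Check for initial colon */
-	p = strchr(buf, ':');
-	if (!p)
-		goto parse_err;
-
-	*(p++) = '\0';
-
-	if (!strcmp(buf, "http")) {
-		*pssl = 0;
-		port = "80";
-	} else if (!strcmp(buf, "https")) {
-		*pssl = 1;
-		port = "443";
-	} else
-		goto parse_err;
-
-	/* Check for double slash */
-	if ((p[0] != '/') || (p[1] != '/'))
-		goto parse_err;
-
-	p += 2;
-
-	host = p;
-
-	/* Check for trailing part of path */
-	p = strchr(p, '/');
-	if (!p)
-		*ppath = strdup("/");
-	else {
-		*ppath = strdup(p);
-		/* Set start of path to 0 so hostname is valid */
-		*p = '\0';
-	}
-
-	if (!*ppath)
-		goto mem_err;
-
-	/* Look for optional ':' for port number */
-	if ((p = strchr(host, ':'))) {
-		*p = 0;
-		port = p + 1;
-	} else {
-		/* Not found: set default port */
-		if (*pssl)
-			port = "443";
-		else
-			port = "80";
-	}
-
-	*pport = strdup(port);
-	if (!*pport)
-		goto mem_err;
-
-	*phost = strdup(host);
-
-	if (!*phost)
-		goto mem_err;
-
-	free(buf);
-
-	return 1;
-
-mem_err:
-	OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
-	goto err;
-
-parse_err:
-	OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
-
-err:
-	free(buf);
-	free(*ppath);
-	free(*pport);
-	free(*phost);
-	*phost = NULL;
-	*pport = NULL;
-	*ppath = NULL;
-	return 0;
-}
-
-
-OCSP_CERTID *
-OCSP_CERTID_dup(OCSP_CERTID *x)
-{
-	return ASN1_item_dup(&OCSP_CERTID_it, x);
-}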
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
deleted file mode 100644
index 37d033adb6..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ /dev/null
@@ -1,312 +0,0 @@
1/* $OpenBSD: ocsp_prn.c,v 1.8 2015/07/16 02:16:19 miod Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was originally part of ocsp.c and was transfered to Richard
7 Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
8 in OpenSSL or released as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <openssl/bio.h>
65#include <openssl/err.h>
66#include <openssl/ocsp.h>
67#include <openssl/pem.h>
68
69static int
70ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
71{
72 BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
73 indent += 2;
74 BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
75 i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
76 BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
77 i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
78 BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
79 i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
80 BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
81 i2a_ASN1_INTEGER(bp, a->serialNumber);
82 BIO_printf(bp, "\n");
83 return 1;
84}
85
86typedef struct {
87 long t;
88 const char *m;
89} OCSP_TBLSTR;
90
91static const char *
92table2string(long s, const OCSP_TBLSTR *ts, int len)
93{
94 const OCSP_TBLSTR *p;
95
96 for (p = ts; p < ts + len; p++)
97 if (p->t == s)
98 return p->m;
99 return "(UNKNOWN)";
100}
101
102const char *
103OCSP_response_status_str(long s)
104{
105 static const OCSP_TBLSTR rstat_tbl[] = {
106 { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
107 { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
108 { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
109 { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
110 { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
111 { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" }
112 };
113 return table2string(s, rstat_tbl, 6);
114}
115
116const char *
117OCSP_cert_status_str(long s)
118{
119 static const OCSP_TBLSTR cstat_tbl[] = {
120 { V_OCSP_CERTSTATUS_GOOD, "good" },
121 { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
122 { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" }
123 };
124 return table2string(s, cstat_tbl, 3);
125}
126
127const char *
128OCSP_crl_reason_str(long s)
129{
130 static const OCSP_TBLSTR reason_tbl[] = {
131 { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
132 { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
133 { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
134 { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
135 { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
136 { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
137 { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
138 { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" }
139 };
140 return table2string(s, reason_tbl, 8);
141}
142
143int
144OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
145{
146 int i;
147 long l;
148 OCSP_CERTID* cid = NULL;
149 OCSP_ONEREQ *one = NULL;
150 OCSP_REQINFO *inf = o->tbsRequest;
151 OCSP_SIGNATURE *sig = o->optionalSignature;
152
153 if (BIO_write(bp, "OCSP Request Data:\n", 19) <= 0)
154 goto err;
155 l = ASN1_INTEGER_get(inf->version);
156 if (BIO_printf(bp, " Version: %lu (0x%lx)", l+1, l) <= 0)
157 goto err;
158 if (inf->requestorName != NULL) {
159 if (BIO_write(bp, "\n Requestor Name: ", 21) <= 0)
160 goto err;
161 GENERAL_NAME_print(bp, inf->requestorName);
162 }
163 if (BIO_write(bp, "\n Requestor List:\n", 21) <= 0)
164 goto err;
165 for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) {
166 one = sk_OCSP_ONEREQ_value(inf->requestList, i);
167 cid = one->reqCert;
168 ocsp_certid_print(bp, cid, 8);
169 if (!X509V3_extensions_print(bp, "Request Single Extensions",
170 one->singleRequestExtensions, flags, 8))
171 goto err;
172 }
173 if (!X509V3_extensions_print(bp, "Request Extensions",
174 inf->requestExtensions, flags, 4))
175 goto err;
176 if (sig) {
177 if (X509_signature_print(bp, sig->signatureAlgorithm,
178 sig->signature) == 0)
179 goto err;
180 for (i = 0; i < sk_X509_num(sig->certs); i++) {
181 if (X509_print(bp, sk_X509_value(sig->certs, i)) == 0)
182 goto err;
183 if (PEM_write_bio_X509(bp,
184 sk_X509_value(sig->certs, i)) == 0)
185 goto err;
186 }
187 }
188 return 1;
189
190err:
191 return 0;
192}
193
194int
195OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
196{
197 int i, ret = 0;
198 long l;
199 OCSP_CERTID *cid = NULL;
200 OCSP_BASICRESP *br = NULL;
201 OCSP_RESPID *rid = NULL;
202 OCSP_RESPDATA *rd = NULL;
203 OCSP_CERTSTATUS *cst = NULL;
204 OCSP_REVOKEDINFO *rev = NULL;
205 OCSP_SINGLERESP *single = NULL;
206 OCSP_RESPBYTES *rb = o->responseBytes;
207
208 if (BIO_puts(bp, "OCSP Response Data:\n") <= 0)
209 goto err;
210 l = ASN1_ENUMERATED_get(o->responseStatus);
211 if (BIO_printf(bp, " OCSP Response Status: %s (0x%lx)\n",
212 OCSP_response_status_str(l), l) <= 0)
213 goto err;
214 if (rb == NULL)
215 return 1;
216 if (BIO_puts(bp, " Response Type: ") <= 0)
217 goto err;
218 if (i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
219 goto err;
220 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
221 BIO_puts(bp, " (unknown response type)\n");
222 return 1;
223 }
224
225 i = ASN1_STRING_length(rb->response);
226 if (!(br = OCSP_response_get1_basic(o)))
227 goto err;
228 rd = br->tbsResponseData;
229 l = ASN1_INTEGER_get(rd->version);
230 if (BIO_printf(bp, "\n Version: %lu (0x%lx)\n", l+1, l) <= 0)
231 goto err;
232 if (BIO_puts(bp, " Responder Id: ") <= 0)
233 goto err;
234
235 rid = rd->responderId;
236 switch (rid->type) {
237 case V_OCSP_RESPID_NAME:
238 X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
239 break;
240 case V_OCSP_RESPID_KEY:
241 i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
242 break;
243 }
244
245 if (BIO_printf(bp, "\n Produced At: ")<=0)
246 goto err;
247 if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt))
248 goto err;
249 if (BIO_printf(bp, "\n Responses:\n") <= 0)
250 goto err;
251 for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
252 if (! sk_OCSP_SINGLERESP_value(rd->responses, i))
253 continue;
254 single = sk_OCSP_SINGLERESP_value(rd->responses, i);
255 cid = single->certId;
256 if (ocsp_certid_print(bp, cid, 4) <= 0)
257 goto err;
258 cst = single->certStatus;
259 if (BIO_printf(bp, " Cert Status: %s",
260 OCSP_cert_status_str(cst->type)) <= 0)
261 goto err;
262 if (cst->type == V_OCSP_CERTSTATUS_REVOKED) {
263 rev = cst->value.revoked;
264 if (BIO_printf(bp, "\n Revocation Time: ") <= 0)
265 goto err;
266 if (!ASN1_GENERALIZEDTIME_print(bp,
267 rev->revocationTime))
268 goto err;
269 if (rev->revocationReason) {
270 l = ASN1_ENUMERATED_get(rev->revocationReason);
271 if (BIO_printf(bp,
272 "\n Revocation Reason: %s (0x%lx)",
273 OCSP_crl_reason_str(l), l) <= 0)
274 goto err;
275 }
276 }
277 if (BIO_printf(bp, "\n This Update: ") <= 0)
278 goto err;
279 if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate))
280 goto err;
281 if (single->nextUpdate) {
282 if (BIO_printf(bp, "\n Next Update: ") <= 0)
283 goto err;
284 if (!ASN1_GENERALIZEDTIME_print(bp, single->nextUpdate))
285 goto err;
286 }
287 if (BIO_write(bp, "\n", 1) <= 0)
288 goto err;
289 if (!X509V3_extensions_print(bp, "Response Single Extensions",
290 single->singleExtensions, flags, 8))
291 goto err;
292 if (BIO_write(bp, "\n", 1) <= 0)
293 goto err;
294 }
295 if (!X509V3_extensions_print(bp, "Response Extensions",
296 rd->responseExtensions, flags, 4))
297 goto err;
298 if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <=
299 0)
300 goto err;
301
302 for (i = 0; i < sk_X509_num(br->certs); i++) {
303 X509_print(bp, sk_X509_value(br->certs, i));
304 PEM_write_bio_X509(bp, sk_X509_value(br->certs, i));
305 }
306
307 ret = 1;
308
309err:
310 OCSP_BASICRESP_free(br);
311 return ret;
312}
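--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-/* Utility functions related to sending OCSP responses and extracting
- * relevant information from the request.
- */
-
-int
-OCSP_request_onereq_count(OCSP_REQUEST *req)
-{
- return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
-}
-
-OCSP_ONEREQ *
-OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
-{
- return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
-}
-
-OCSP_CERTID *
-OCSP_onereq_get0_id(OCSP_ONEREQ *one)
-{
- return one->reqCert;
-}
-
-int
-OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid)
-{
- if (!cid)
- return 0;
- if (pmd)
- *pmd = cid->hashAlgorithm->algorithm;
- if (piNameHash)
- *piNameHash = cid->issuerNameHash;
- if (pikeyHash)
- *pikeyHash = cid->issuerKeyHash;
- if (pserial)
- *pserial = cid->serialNumber;
- return 1;
-}
-
-int
-OCSP_request_is_signed(OCSP_REQUEST *req)
-{
- if (req->optionalSignature)
- return 1;
- return 0;
-}
-
-/* Create an OCSP response and encode an optional basic response */
-OCSP_RESPONSE *
-OCSP_response_create(int status, OCSP_BASICRESP *bs)
-{
- OCSP_RESPONSE *rsp = NULL;
-
- if (!(rsp = OCSP_RESPONSE_new()))
- goto err;
- if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
- goto err;
- if (!bs)
- return rsp;
- if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
- goto err;
- rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
- if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP),
- &rsp->responseBytes->response))
- goto err;
- return rsp;
-
-err:
- if (rsp)
- OCSP_RESPONSE_free(rsp);
- return NULL;
-}
-
-OCSP_SINGLERESP *
-OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status,
- int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd)
-{
- OCSP_SINGLERESP *single = NULL;
- OCSP_CERTSTATUS *cs;
- OCSP_REVOKEDINFO *ri;
-
- if (!rsp->tbsResponseData->responses &&
- !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
- goto err;
-
- if (!(single = OCSP_SINGLERESP_new()))
- goto err;
-
- if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
- goto err;
- if (nextupd &&
- !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
- goto err;
-
- OCSP_CERTID_free(single->certId);
-
- if (!(single->certId = OCSP_CERTID_dup(cid)))
- goto err;
-
- cs = single->certStatus;
- switch (cs->type = status) {
- case V_OCSP_CERTSTATUS_REVOKED:
- if (!revtime) {
- OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,
- OCSP_R_NO_REVOKED_TIME);
- goto err;
- }
- if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
- goto err;
- if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
- goto err;
- if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
- if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
- goto err;
- if (!(ASN1_ENUMERATED_set(ri->revocationReason,
- reason)))
- goto err;
- }
- break;
-
- case V_OCSP_CERTSTATUS_GOOD:
- cs->value.good = ASN1_NULL_new();
- break;
-
- case V_OCSP_CERTSTATUS_UNKNOWN:
- cs->value.unknown = ASN1_NULL_new();
- break;
-
- default:
- goto err;
- }
- if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
- goto err;
- return single;
-
-err:
- OCSP_SINGLERESP_free(single);
- return NULL;
-}
-
-/* Add a certificate to an OCSP request */
-int
-OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
-{
- if (!resp->certs && !(resp->certs = sk_X509_new_null()))
- return 0;
-
- if (!sk_X509_push(resp->certs, cert))
- return 0;
- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
- return 1;
-}
-
-int
-OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-{
- int i;
- OCSP_RESPID *rid;
-
- if (!X509_check_private_key(signer, key)) {
- OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
- OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
- goto err;
- }
-
- if (!(flags & OCSP_NOCERTS)) {
- if (!OCSP_basic_add1_cert(brsp, signer))
- goto err;
- for (i = 0; i < sk_X509_num(certs); i++) {
- X509 *tmpcert = sk_X509_value(certs, i);
- if (!OCSP_basic_add1_cert(brsp, tmpcert))
- goto err;
- }
- }
-
- rid = brsp->tbsResponseData->responderId;
- if (flags & OCSP_RESPID_KEY) {
- unsigned char md[SHA_DIGEST_LENGTH];
-
- X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
- if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
- goto err;
- if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md,
- SHA_DIGEST_LENGTH)))
- goto err;
- rid->type = V_OCSP_RESPID_KEY;
- } else {
- if (!X509_NAME_set(&rid->value.byName,
- X509_get_subject_name(signer)))
- goto err;
- rid->type = V_OCSP_RESPID_NAME;
- }
-
- if (!(flags & OCSP_NOTIME) &&
- !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
- goto err;
-
- /* Right now, I think that not doing double hashing is the right
- thing. -- Richard Levitte */
-
- if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
- goto err;
-
- return 1;
-
-err:
- return 0;
-}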
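--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.12 2014/07/09 19:08:10 tedu Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/ocsp.h>
-#include <openssl/err.h>
-#include <string.h>
-
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
- STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
- unsigned long flags);
-static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
- STACK_OF(OCSP_SINGLERESP) *sresp);
-static int ocsp_check_delegated(X509 *x, int flags);
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
- X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st,
- unsigned long flags);
-
-/* Verify a basic response message */
-int
-OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
- unsigned long flags)
-{
- X509 *signer, *x;
- STACK_OF(X509) *chain = NULL;
- X509_STORE_CTX ctx;
- int i, ret = 0;
-
- ret = ocsp_find_signer(&signer, bs, certs, st, flags);
- if (!ret) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- goto end;
- }
- if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
- flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS)) {
- EVP_PKEY *skey;
-
- skey = X509_get_pubkey(signer);
- if (skey) {
- ret = OCSP_BASICRESP_verify(bs, skey, 0);
- EVP_PKEY_free(skey);
- }
- if (!skey || ret <= 0) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_SIGNATURE_FAILURE);
- goto end;
- }
- }
- if (!(flags & OCSP_NOVERIFY)) {
- int init_res;
-
- if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, st, signer,
- bs->certs);
- if (!init_res) {
- ret = -1;
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
- goto end;
- }
-
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- ret = X509_verify_cert(&ctx);
- chain = X509_STORE_CTX_get1_chain(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0) {
- i = X509_STORE_CTX_get_error(&ctx);
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_asprintf_error_data("Verify error:%s",
- X509_verify_cert_error_string(i));
- goto end;
- }
- if (flags & OCSP_NOCHECKS) {
- ret = 1;
- goto end;
- }
- /* At this point we have a valid certificate chain
- * need to verify it against the OCSP issuer criteria.
- */
- ret = ocsp_check_issuer(bs, chain, flags);
-
- /* If fatal error or valid match then finish */
- if (ret != 0)
- goto end;
-
- /* Easy case: explicitly trusted. Get root CA and
- * check for explicit trust
- */
- if (flags & OCSP_NOEXPLICIT)
- goto end;
-
- x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- if (X509_check_trust(x, NID_OCSP_sign, 0) !=
- X509_TRUST_TRUSTED) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_ROOT_CA_NOT_TRUSTED);
- goto end;
- }
- ret = 1;
- }
-
-end:
- if (chain)
- sk_X509_pop_free(chain, X509_free);
- return ret;
-}
-
-static int
-ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
-{
- X509 *signer;
- OCSP_RESPID *rid = bs->tbsResponseData->responderId;
-
- if ((signer = ocsp_find_signer_sk(certs, rid))) {
- *psigner = signer;
- return 2;
- }
- if (!(flags & OCSP_NOINTERN) &&
- (signer = ocsp_find_signer_sk(bs->certs, rid))) {
- *psigner = signer;
- return 1;
- }
- /* Maybe lookup from store if by subject name */
-
- *psigner = NULL;
- return 0;
-}
-
-static X509 *
-ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
-{
- int i;
- unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
- X509 *x;
-
- /* Easy if lookup by name */
- if (id->type == V_OCSP_RESPID_NAME)
- return X509_find_by_subject(certs, id->value.byName);
-
- /* Lookup by key hash */
-
- /* If key hash isn't SHA1 length then forget it */
- if (id->value.byKey->length != SHA_DIGEST_LENGTH)
- return NULL;
- keyhash = id->value.byKey->data;
- /* Calculate hash of each key and compare */
- for (i = 0; i < sk_X509_num(certs); i++) {
- x = sk_X509_value(certs, i);
- X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
- if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
- return x;
- }
- return NULL;
-}
-
-static int
-ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
- unsigned long flags)
-{
- STACK_OF(OCSP_SINGLERESP) *sresp;
- X509 *signer, *sca;
- OCSP_CERTID *caid = NULL;
- int i;
-
- sresp = bs->tbsResponseData->responses;
-
- if (sk_X509_num(chain) <= 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_ISSUER,
- OCSP_R_NO_CERTIFICATES_IN_CHAIN);
- return -1;
- }
-
- /* See if the issuer IDs match. */
- i = ocsp_check_ids(sresp, &caid);
-
- /* If ID mismatch or other error then return */
- if (i <= 0)
- return i;
-
- signer = sk_X509_value(chain, 0);
- /* Check to see if OCSP responder CA matches request CA */
- if (sk_X509_num(chain) > 1) {
- sca = sk_X509_value(chain, 1);
- i = ocsp_match_issuerid(sca, caid, sresp);
- if (i < 0)
- return i;
- if (i) {
- /* We have a match, if extensions OK then success */
- if (ocsp_check_delegated(signer, flags))
- return 1;
- return 0;
- }
- }
-
- /* Otherwise check if OCSP request signed directly by request CA */
- return ocsp_match_issuerid(signer, caid, sresp);
-}
-
-/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
- * algorithm then there's no point trying to match any certificates against the issuer.
- * If the issuer IDs all match then we just need to check equality against one of them.
- */
-static int
-ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
-{
- OCSP_CERTID *tmpid, *cid;
- int i, idcount;
-
- idcount = sk_OCSP_SINGLERESP_num(sresp);
- if (idcount <= 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_IDS,
- OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
- return -1;
- }
-
- cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
-
- *ret = NULL;
-
- for (i = 1; i < idcount; i++) {
- tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
- /* Check to see if IDs match */
- if (OCSP_id_issuer_cmp(cid, tmpid)) {
- return 0;
- }
- }
-
- /* All IDs match: only need to check one ID */
- *ret = cid;
- return 1;
-}
-
-static int
-ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
- STACK_OF(OCSP_SINGLERESP) *sresp)
-{
- /* If only one ID to match then do it */
- if (cid) {
- const EVP_MD *dgst;
- X509_NAME *iname;
- int mdlen;
- unsigned char md[EVP_MAX_MD_SIZE];
-
- if (!(dgst =
- EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
- OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
- OCSP_R_UNKNOWN_MESSAGE_DIGEST);
- return -1;
- }
-
- mdlen = EVP_MD_size(dgst);
- if (mdlen < 0)
- return -1;
- if (cid->issuerNameHash->length != mdlen ||
- cid->issuerKeyHash->length != mdlen)
- return 0;
- iname = X509_get_subject_name(cert);
- if (!X509_NAME_digest(iname, dgst, md, NULL))
- return -1;
- if (memcmp(md, cid->issuerNameHash->data, mdlen))
- return 0;
- X509_pubkey_digest(cert, dgst, md, NULL);
- if (memcmp(md, cid->issuerKeyHash->data, mdlen))
- return 0;
-
- return 1;
- } else {
- /* We have to match the whole lot */
- int i, ret;
- OCSP_CERTID *tmpid;
-
- for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
- tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
- ret = ocsp_match_issuerid(cert, tmpid, NULL);
- if (ret <= 0)
- return ret;
- }
- return 1;
- }
-}
-
-static int
-ocsp_check_delegated(X509 *x, int flags)
-{
- X509_check_purpose(x, -1, 0);
- if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
- return 1;
- OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
- return 0;
-}
-
-/* Verify an OCSP request. This is fortunately much easier than OCSP
- * response verify. Just find the signers certificate and verify it
- * against a given trust value.
- */
-int
-OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
- unsigned long flags)
-{
- X509 *signer;
- X509_NAME *nm;
- GENERAL_NAME *gen;
- int ret;
- X509_STORE_CTX ctx;
-
- if (!req->optionalSignature) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
- return 0;
- }
- gen = req->tbsRequest->requestorName;
- if (!gen || gen->type != GEN_DIRNAME) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
- return 0;
- }
- nm = gen->d.directoryName;
- ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
- if (ret <= 0) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- return 0;
- }
- if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
- flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS)) {
- EVP_PKEY *skey;
-
- skey = X509_get_pubkey(signer);
- ret = OCSP_REQUEST_verify(req, skey);
- EVP_PKEY_free(skey);
- if (ret <= 0) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_SIGNATURE_FAILURE);
- return 0;
- }
- }
- if (!(flags & OCSP_NOVERIFY)) {
- int init_res;
-
- if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, store, signer,
- NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, store, signer,
- req->optionalSignature->certs);
- if (!init_res) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB);
- return 0;
- }
-
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
- ret = X509_verify_cert(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0) {
- ret = X509_STORE_CTX_get_error(&ctx);
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_asprintf_error_data("Verify error:%s",
- X509_verify_cert_error_string(ret));
- return 0;
- }
- }
- return 1;
-}
-
-static int
-ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm,
- STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)
-{
- X509 *signer;
-
- if (!(flags & OCSP_NOINTERN)) {
- signer =
- X509_find_by_subject(req->optionalSignature->certs, nm);
- *psigner = signer;
- return 1;
- }
-
- signer = X509_find_by_subject(certs, nm);
- if (signer) {
- *psigner = signer;
- return 2;
- }
- return 0;
-}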
429static int
430ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm,
431 STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)
432{
433 X509 *signer;
434
435 if (!(flags & OCSP_NOINTERN)) {
436 signer =
437 X509_find_by_subject(req->optionalSignature->certs, nm);
438 *psigner = signer;
439 return 1;
440 }
441
442 signer = X509_find_by_subject(certs, nm);
443 if (signer) {
444 *psigner = signer;
445 return 2;
446 }
447 return 0;
448}