summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ocsp/ocsp_ht.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/ocsp/ocsp_ht.c')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ht.c468
1 files changed, 85 insertions, 383 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
index a8e569b74a..2c48171883 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -1,9 +1,9 @@
1/* ocsp_ht.c */ 1/* ocsp_ht.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL 2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2006. 3 * project 2000.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -68,404 +68,106 @@
68#define strtoul (unsigned long)strtol 68#define strtoul (unsigned long)strtol
69#endif /* OPENSSL_SYS_SUNOS */ 69#endif /* OPENSSL_SYS_SUNOS */
70 70
71/* Stateful OCSP request code, supporting non-blocking I/O */ 71/* Quick and dirty HTTP OCSP request handler.
72 72 * Could make this a bit cleverer by adding
73/* Opaque OCSP request status structure */ 73 * support for non blocking BIOs and a few
74 74 * other refinements.
75struct ocsp_req_ctx_st { 75 */
76 int state; /* Current I/O state */
77 unsigned char *iobuf; /* Line buffer */
78 int iobuflen; /* Line buffer length */
79 BIO *io; /* BIO to perform I/O with */
80 BIO *mem; /* Memory BIO response is built into */
81 unsigned long asn1_len; /* ASN1 length of response */
82 };
83
84#define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
85#define OCSP_MAX_LINE_LEN 4096;
86
87/* OCSP states */
88
89/* If set no reading should be performed */
90#define OHS_NOREAD 0x1000
91/* Error condition */
92#define OHS_ERROR (0 | OHS_NOREAD)
93/* First line being read */
94#define OHS_FIRSTLINE 1
95/* MIME headers being read */
96#define OHS_HEADERS 2
97/* OCSP initial header (tag + length) being read */
98#define OHS_ASN1_HEADER 3
99/* OCSP content octets being read */
100#define OHS_ASN1_CONTENT 4
101/* Request being sent */
102#define OHS_ASN1_WRITE (6 | OHS_NOREAD)
103/* Request being flushed */
104#define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
105/* Completed */
106#define OHS_DONE (8 | OHS_NOREAD)
107
108
109static int parse_http_line1(char *line);
110 76
111void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) 77OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
112 { 78{
113 if (rctx->mem) 79 BIO *mem = NULL;
114 BIO_free(rctx->mem); 80 char tmpbuf[1024];
115 if (rctx->iobuf) 81 OCSP_RESPONSE *resp = NULL;
116 OPENSSL_free(rctx->iobuf); 82 char *p, *q, *r;
117 OPENSSL_free(rctx); 83 int len, retcode;
84 static char req_txt[] =
85"POST %s HTTP/1.0\r\n\
86Content-Type: application/ocsp-request\r\n\
87Content-Length: %d\r\n\r\n";
88
89 len = i2d_OCSP_REQUEST(req, NULL);
90 if(BIO_printf(b, req_txt, path, len) < 0) {
91 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
92 goto err;
118 } 93 }
119 94 if(i2d_OCSP_REQUEST_bio(b, req) <= 0) {
120OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, 95 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
121 int maxline) 96 goto err;
122 { 97 }
123 static char post_hdr[] = "POST %s HTTP/1.0\r\n" 98 if(!(mem = BIO_new(BIO_s_mem()))) goto err;
124 "Content-Type: application/ocsp-request\r\n" 99 /* Copy response to a memory BIO: socket bios can't do gets! */
125 "Content-Length: %d\r\n\r\n"; 100 while ((len = BIO_read(b, tmpbuf, sizeof tmpbuf))) {
126 101 if(len < 0) {
127 OCSP_REQ_CTX *rctx; 102 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR);
128 rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX)); 103 goto err;
129 rctx->state = OHS_FIRSTLINE;
130 rctx->mem = BIO_new(BIO_s_mem());
131 rctx->io = io;
132 if (maxline > 0)
133 rctx->iobuflen = maxline;
134 else
135 rctx->iobuflen = OCSP_MAX_LINE_LEN;
136 rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
137 if (!path)
138 path = "/";
139
140 if (BIO_printf(rctx->mem, post_hdr, path,
141 i2d_OCSP_REQUEST(req, NULL)) <= 0)
142 {
143 rctx->state = OHS_ERROR;
144 return 0;
145 }
146 if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
147 {
148 rctx->state = OHS_ERROR;
149 return 0;
150 } 104 }
151 rctx->state = OHS_ASN1_WRITE; 105 BIO_write(mem, tmpbuf, len);
152 rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
153
154 return rctx;
155 } 106 }
107 if(BIO_gets(mem, tmpbuf, 512) <= 0) {
108 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
109 goto err;
110 }
111 /* Parse the HTTP response. This will look like this:
112 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
113 * (optional) informational message.
114 */
156 115
157/* Parse the HTTP response. This will look like this:
158 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
159 * (optional) informational message.
160 */
161
162static int parse_http_line1(char *line)
163 {
164 int retcode;
165 char *p, *q, *r;
166 /* Skip to first white space (passed protocol info) */ 116 /* Skip to first white space (passed protocol info) */
167 117 for(p = tmpbuf; *p && !isspace((unsigned char)*p); p++) continue;
168 for(p = line; *p && !isspace((unsigned char)*p); p++) 118 if(!*p) {
169 continue; 119 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
170 if(!*p) 120 goto err;
171 { 121 }
172 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
173 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
174 return 0;
175 }
176
177 /* Skip past white space to start of response code */ 122 /* Skip past white space to start of response code */
178 while(*p && isspace((unsigned char)*p)) 123 while(isspace((unsigned char)*p)) p++;
179 p++; 124 if(!*p) {
180 125 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
181 if(!*p) 126 goto err;
182 { 127 }
183 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
184 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
185 return 0;
186 }
187
188 /* Find end of response code: first whitespace after start of code */ 128 /* Find end of response code: first whitespace after start of code */
189 for(q = p; *q && !isspace((unsigned char)*q); q++) 129 for(q = p; *q && !isspace((unsigned char)*q); q++) continue;
190 continue; 130 if(!*q) {
191 131 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
192 if(!*q) 132 goto err;
193 { 133 }
194 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
195 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
196 return 0;
197 }
198
199 /* Set end of response code and start of message */ 134 /* Set end of response code and start of message */
200 *q++ = 0; 135 *q++ = 0;
201
202 /* Attempt to parse numeric code */ 136 /* Attempt to parse numeric code */
203 retcode = strtoul(p, &r, 10); 137 retcode = strtoul(p, &r, 10);
204 138 if(*r) goto err;
205 if(*r)
206 return 0;
207
208 /* Skip over any leading white space in message */ 139 /* Skip over any leading white space in message */
209 while(*q && isspace((unsigned char)*q)) 140 while(isspace((unsigned char)*q)) q++;
210 q++; 141 if(*q) {
211 142 /* Finally zap any trailing white space in message (include CRLF) */
212 if(*q) 143 /* We know q has a non white space character so this is OK */
213 { 144 for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
214 /* Finally zap any trailing white space in message (include 145 }
215 * CRLF) */ 146 if(retcode != 200) {
216 147 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR);
217 /* We know q has a non white space character so this is OK */ 148 if(!*q) {
218 for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
219 *r = 0;
220 }
221 if(retcode != 200)
222 {
223 OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
224 if(!*q)
225 ERR_add_error_data(2, "Code=", p); 149 ERR_add_error_data(2, "Code=", p);
226 else 150 }
151 else {
227 ERR_add_error_data(4, "Code=", p, ",Reason=", q); 152 ERR_add_error_data(4, "Code=", p, ",Reason=", q);
228 return 0;
229 } 153 }
230 154 goto err;
231
232 return 1;
233
234 } 155 }
235 156 /* Find blank line marking beginning of content */
236int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) 157 while(BIO_gets(mem, tmpbuf, 512) > 0)
237 { 158 {
238 int i, n; 159 for(p = tmpbuf; isspace((unsigned char)*p); p++) continue;
239 const unsigned char *p; 160 if(!*p) break;
240 next_io:
241 if (!(rctx->state & OHS_NOREAD))
242 {
243 n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
244
245 if (n <= 0)
246 {
247 if (BIO_should_retry(rctx->io))
248 return -1;
249 return 0;
250 }
251
252 /* Write data to memory BIO */
253
254 if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
255 return 0;
256 }
257
258 switch(rctx->state)
259 {
260
261 case OHS_ASN1_WRITE:
262 n = BIO_get_mem_data(rctx->mem, &p);
263
264 i = BIO_write(rctx->io,
265 p + (n - rctx->asn1_len), rctx->asn1_len);
266
267 if (i <= 0)
268 {
269 if (BIO_should_retry(rctx->io))
270 return -1;
271 rctx->state = OHS_ERROR;
272 return 0;
273 }
274
275 rctx->asn1_len -= i;
276
277 if (rctx->asn1_len > 0)
278 goto next_io;
279
280 rctx->state = OHS_ASN1_FLUSH;
281
282 (void)BIO_reset(rctx->mem);
283
284 case OHS_ASN1_FLUSH:
285
286 i = BIO_flush(rctx->io);
287
288 if (i > 0)
289 {
290 rctx->state = OHS_FIRSTLINE;
291 goto next_io;
292 }
293
294 if (BIO_should_retry(rctx->io))
295 return -1;
296
297 rctx->state = OHS_ERROR;
298 return 0;
299
300 case OHS_ERROR:
301 return 0;
302
303 case OHS_FIRSTLINE:
304 case OHS_HEADERS:
305
306 /* Attempt to read a line in */
307
308 next_line:
309 /* Due to &%^*$" memory BIO behaviour with BIO_gets we
310 * have to check there's a complete line in there before
311 * calling BIO_gets or we'll just get a partial read.
312 */
313 n = BIO_get_mem_data(rctx->mem, &p);
314 if ((n <= 0) || !memchr(p, '\n', n))
315 {
316 if (n >= rctx->iobuflen)
317 {
318 rctx->state = OHS_ERROR;
319 return 0;
320 }
321 goto next_io;
322 }
323 n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
324
325 if (n <= 0)
326 {
327 if (BIO_should_retry(rctx->mem))
328 goto next_io;
329 rctx->state = OHS_ERROR;
330 return 0;
331 }
332
333 /* Don't allow excessive lines */
334 if (n == rctx->iobuflen)
335 {
336 rctx->state = OHS_ERROR;
337 return 0;
338 }
339
340 /* First line */
341 if (rctx->state == OHS_FIRSTLINE)
342 {
343 if (parse_http_line1((char *)rctx->iobuf))
344 {
345 rctx->state = OHS_HEADERS;
346 goto next_line;
347 }
348 else
349 {
350 rctx->state = OHS_ERROR;
351 return 0;
352 }
353 }
354 else
355 {
356 /* Look for blank line: end of headers */
357 for (p = rctx->iobuf; *p; p++)
358 {
359 if ((*p != '\r') && (*p != '\n'))
360 break;
361 }
362 if (*p)
363 goto next_line;
364
365 rctx->state = OHS_ASN1_HEADER;
366
367 }
368
369 /* Fall thru */
370
371
372 case OHS_ASN1_HEADER:
373 /* Now reading ASN1 header: can read at least 6 bytes which
374 * is more than enough for any valid ASN1 SEQUENCE header
375 */
376 n = BIO_get_mem_data(rctx->mem, &p);
377 if (n < 6)
378 goto next_io;
379
380 /* Check it is an ASN1 SEQUENCE */
381 if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED))
382 {
383 rctx->state = OHS_ERROR;
384 return 0;
385 }
386
387 /* Check out length field */
388 if (*p & 0x80)
389 {
390 n = *p & 0x7F;
391 /* Not NDEF or excessive length */
392 if (!n || (n > 4))
393 {
394 rctx->state = OHS_ERROR;
395 return 0;
396 }
397 p++;
398 rctx->asn1_len = 0;
399 for (i = 0; i < n; i++)
400 {
401 rctx->asn1_len <<= 8;
402 rctx->asn1_len |= *p++;
403 }
404
405 if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH)
406 {
407 rctx->state = OHS_ERROR;
408 return 0;
409 }
410
411 rctx->asn1_len += n + 2;
412 }
413 else
414 rctx->asn1_len = *p + 2;
415
416 rctx->state = OHS_ASN1_CONTENT;
417
418 /* Fall thru */
419
420 case OHS_ASN1_CONTENT:
421 n = BIO_get_mem_data(rctx->mem, &p);
422 if (n < (int)rctx->asn1_len)
423 goto next_io;
424
425
426 *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
427 if (*presp)
428 {
429 rctx->state = OHS_DONE;
430 return 1;
431 }
432
433 rctx->state = OHS_ERROR;
434 return 0;
435
436 break;
437
438 case OHS_DONE:
439 return 1;
440
441 }
442
443
444
445 return 0;
446
447
448 } 161 }
449 162 if(*p) {
450/* Blocking OCSP request handler: now a special case of non-blocking I/O */ 163 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_NO_CONTENT);
451 164 goto err;
452OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) 165 }
453 { 166 if(!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) {
454 OCSP_RESPONSE *resp = NULL; 167 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,ERR_R_NESTED_ASN1_ERROR);
455 OCSP_REQ_CTX *ctx; 168 goto err;
456 int rv;
457
458 ctx = OCSP_sendreq_new(b, path, req, -1);
459
460 do
461 {
462 rv = OCSP_sendreq_nbio(&resp, ctx);
463 } while ((rv == -1) && BIO_should_retry(b));
464
465 OCSP_REQ_CTX_free(ctx);
466
467 if (rv)
468 return resp;
469
470 return NULL;
471 } 169 }
170 err:
171 BIO_free(mem);
172 return resp;
173}