diff options
Diffstat (limited to 'src/lib/libcrypto/ocsp/ocsp_ht.c')
-rw-r--r-- | src/lib/libcrypto/ocsp/ocsp_ht.c | 468 |
1 files changed, 85 insertions, 383 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c index a8e569b74a..2c48171883 100644 --- a/src/lib/libcrypto/ocsp/ocsp_ht.c +++ b/src/lib/libcrypto/ocsp/ocsp_ht.c | |||
@@ -1,9 +1,9 @@ | |||
1 | /* ocsp_ht.c */ | 1 | /* ocsp_ht.c */ |
2 | /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL |
3 | * project 2006. | 3 | * project 2000. |
4 | */ | 4 | */ |
5 | /* ==================================================================== | 5 | /* ==================================================================== |
6 | * Copyright (c) 2006 The OpenSSL Project. All rights reserved. | 6 | * Copyright (c) 2000 The OpenSSL Project. All rights reserved. |
7 | * | 7 | * |
8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
9 | * modification, are permitted provided that the following conditions | 9 | * modification, are permitted provided that the following conditions |
@@ -68,404 +68,106 @@ | |||
68 | #define strtoul (unsigned long)strtol | 68 | #define strtoul (unsigned long)strtol |
69 | #endif /* OPENSSL_SYS_SUNOS */ | 69 | #endif /* OPENSSL_SYS_SUNOS */ |
70 | 70 | ||
71 | /* Stateful OCSP request code, supporting non-blocking I/O */ | 71 | /* Quick and dirty HTTP OCSP request handler. |
72 | 72 | * Could make this a bit cleverer by adding | |
73 | /* Opaque OCSP request status structure */ | 73 | * support for non blocking BIOs and a few |
74 | 74 | * other refinements. | |
75 | struct ocsp_req_ctx_st { | 75 | */ |
76 | int state; /* Current I/O state */ | ||
77 | unsigned char *iobuf; /* Line buffer */ | ||
78 | int iobuflen; /* Line buffer length */ | ||
79 | BIO *io; /* BIO to perform I/O with */ | ||
80 | BIO *mem; /* Memory BIO response is built into */ | ||
81 | unsigned long asn1_len; /* ASN1 length of response */ | ||
82 | }; | ||
83 | |||
84 | #define OCSP_MAX_REQUEST_LENGTH (100 * 1024) | ||
85 | #define OCSP_MAX_LINE_LEN 4096; | ||
86 | |||
87 | /* OCSP states */ | ||
88 | |||
89 | /* If set no reading should be performed */ | ||
90 | #define OHS_NOREAD 0x1000 | ||
91 | /* Error condition */ | ||
92 | #define OHS_ERROR (0 | OHS_NOREAD) | ||
93 | /* First line being read */ | ||
94 | #define OHS_FIRSTLINE 1 | ||
95 | /* MIME headers being read */ | ||
96 | #define OHS_HEADERS 2 | ||
97 | /* OCSP initial header (tag + length) being read */ | ||
98 | #define OHS_ASN1_HEADER 3 | ||
99 | /* OCSP content octets being read */ | ||
100 | #define OHS_ASN1_CONTENT 4 | ||
101 | /* Request being sent */ | ||
102 | #define OHS_ASN1_WRITE (6 | OHS_NOREAD) | ||
103 | /* Request being flushed */ | ||
104 | #define OHS_ASN1_FLUSH (7 | OHS_NOREAD) | ||
105 | /* Completed */ | ||
106 | #define OHS_DONE (8 | OHS_NOREAD) | ||
107 | |||
108 | |||
109 | static int parse_http_line1(char *line); | ||
110 | 76 | ||
111 | void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) | 77 | OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) |
112 | { | 78 | { |
113 | if (rctx->mem) | 79 | BIO *mem = NULL; |
114 | BIO_free(rctx->mem); | 80 | char tmpbuf[1024]; |
115 | if (rctx->iobuf) | 81 | OCSP_RESPONSE *resp = NULL; |
116 | OPENSSL_free(rctx->iobuf); | 82 | char *p, *q, *r; |
117 | OPENSSL_free(rctx); | 83 | int len, retcode; |
84 | static char req_txt[] = | ||
85 | "POST %s HTTP/1.0\r\n\ | ||
86 | Content-Type: application/ocsp-request\r\n\ | ||
87 | Content-Length: %d\r\n\r\n"; | ||
88 | |||
89 | len = i2d_OCSP_REQUEST(req, NULL); | ||
90 | if(BIO_printf(b, req_txt, path, len) < 0) { | ||
91 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR); | ||
92 | goto err; | ||
118 | } | 93 | } |
119 | 94 | if(i2d_OCSP_REQUEST_bio(b, req) <= 0) { | |
120 | OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, | 95 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR); |
121 | int maxline) | 96 | goto err; |
122 | { | 97 | } |
123 | static char post_hdr[] = "POST %s HTTP/1.0\r\n" | 98 | if(!(mem = BIO_new(BIO_s_mem()))) goto err; |
124 | "Content-Type: application/ocsp-request\r\n" | 99 | /* Copy response to a memory BIO: socket bios can't do gets! */ |
125 | "Content-Length: %d\r\n\r\n"; | 100 | while ((len = BIO_read(b, tmpbuf, sizeof tmpbuf))) { |
126 | 101 | if(len < 0) { | |
127 | OCSP_REQ_CTX *rctx; | 102 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR); |
128 | rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX)); | 103 | goto err; |
129 | rctx->state = OHS_FIRSTLINE; | ||
130 | rctx->mem = BIO_new(BIO_s_mem()); | ||
131 | rctx->io = io; | ||
132 | if (maxline > 0) | ||
133 | rctx->iobuflen = maxline; | ||
134 | else | ||
135 | rctx->iobuflen = OCSP_MAX_LINE_LEN; | ||
136 | rctx->iobuf = OPENSSL_malloc(rctx->iobuflen); | ||
137 | if (!path) | ||
138 | path = "/"; | ||
139 | |||
140 | if (BIO_printf(rctx->mem, post_hdr, path, | ||
141 | i2d_OCSP_REQUEST(req, NULL)) <= 0) | ||
142 | { | ||
143 | rctx->state = OHS_ERROR; | ||
144 | return 0; | ||
145 | } | ||
146 | if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0) | ||
147 | { | ||
148 | rctx->state = OHS_ERROR; | ||
149 | return 0; | ||
150 | } | 104 | } |
151 | rctx->state = OHS_ASN1_WRITE; | 105 | BIO_write(mem, tmpbuf, len); |
152 | rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL); | ||
153 | |||
154 | return rctx; | ||
155 | } | 106 | } |
107 | if(BIO_gets(mem, tmpbuf, 512) <= 0) { | ||
108 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR); | ||
109 | goto err; | ||
110 | } | ||
111 | /* Parse the HTTP response. This will look like this: | ||
112 | * "HTTP/1.0 200 OK". We need to obtain the numeric code and | ||
113 | * (optional) informational message. | ||
114 | */ | ||
156 | 115 | ||
157 | /* Parse the HTTP response. This will look like this: | ||
158 | * "HTTP/1.0 200 OK". We need to obtain the numeric code and | ||
159 | * (optional) informational message. | ||
160 | */ | ||
161 | |||
162 | static int parse_http_line1(char *line) | ||
163 | { | ||
164 | int retcode; | ||
165 | char *p, *q, *r; | ||
166 | /* Skip to first white space (passed protocol info) */ | 116 | /* Skip to first white space (passed protocol info) */ |
167 | 117 | for(p = tmpbuf; *p && !isspace((unsigned char)*p); p++) continue; | |
168 | for(p = line; *p && !isspace((unsigned char)*p); p++) | 118 | if(!*p) { |
169 | continue; | 119 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR); |
170 | if(!*p) | 120 | goto err; |
171 | { | 121 | } |
172 | OCSPerr(OCSP_F_PARSE_HTTP_LINE1, | ||
173 | OCSP_R_SERVER_RESPONSE_PARSE_ERROR); | ||
174 | return 0; | ||
175 | } | ||
176 | |||
177 | /* Skip past white space to start of response code */ | 122 | /* Skip past white space to start of response code */ |
178 | while(*p && isspace((unsigned char)*p)) | 123 | while(isspace((unsigned char)*p)) p++; |
179 | p++; | 124 | if(!*p) { |
180 | 125 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR); | |
181 | if(!*p) | 126 | goto err; |
182 | { | 127 | } |
183 | OCSPerr(OCSP_F_PARSE_HTTP_LINE1, | ||
184 | OCSP_R_SERVER_RESPONSE_PARSE_ERROR); | ||
185 | return 0; | ||
186 | } | ||
187 | |||
188 | /* Find end of response code: first whitespace after start of code */ | 128 | /* Find end of response code: first whitespace after start of code */ |
189 | for(q = p; *q && !isspace((unsigned char)*q); q++) | 129 | for(q = p; *q && !isspace((unsigned char)*q); q++) continue; |
190 | continue; | 130 | if(!*q) { |
191 | 131 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR); | |
192 | if(!*q) | 132 | goto err; |
193 | { | 133 | } |
194 | OCSPerr(OCSP_F_PARSE_HTTP_LINE1, | ||
195 | OCSP_R_SERVER_RESPONSE_PARSE_ERROR); | ||
196 | return 0; | ||
197 | } | ||
198 | |||
199 | /* Set end of response code and start of message */ | 134 | /* Set end of response code and start of message */ |
200 | *q++ = 0; | 135 | *q++ = 0; |
201 | |||
202 | /* Attempt to parse numeric code */ | 136 | /* Attempt to parse numeric code */ |
203 | retcode = strtoul(p, &r, 10); | 137 | retcode = strtoul(p, &r, 10); |
204 | 138 | if(*r) goto err; | |
205 | if(*r) | ||
206 | return 0; | ||
207 | |||
208 | /* Skip over any leading white space in message */ | 139 | /* Skip over any leading white space in message */ |
209 | while(*q && isspace((unsigned char)*q)) | 140 | while(isspace((unsigned char)*q)) q++; |
210 | q++; | 141 | if(*q) { |
211 | 142 | /* Finally zap any trailing white space in message (include CRLF) */ | |
212 | if(*q) | 143 | /* We know q has a non white space character so this is OK */ |
213 | { | 144 | for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0; |
214 | /* Finally zap any trailing white space in message (include | 145 | } |
215 | * CRLF) */ | 146 | if(retcode != 200) { |
216 | 147 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR); | |
217 | /* We know q has a non white space character so this is OK */ | 148 | if(!*q) { |
218 | for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) | ||
219 | *r = 0; | ||
220 | } | ||
221 | if(retcode != 200) | ||
222 | { | ||
223 | OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR); | ||
224 | if(!*q) | ||
225 | ERR_add_error_data(2, "Code=", p); | 149 | ERR_add_error_data(2, "Code=", p); |
226 | else | 150 | } |
151 | else { | ||
227 | ERR_add_error_data(4, "Code=", p, ",Reason=", q); | 152 | ERR_add_error_data(4, "Code=", p, ",Reason=", q); |
228 | return 0; | ||
229 | } | 153 | } |
230 | 154 | goto err; | |
231 | |||
232 | return 1; | ||
233 | |||
234 | } | 155 | } |
235 | 156 | /* Find blank line marking beginning of content */ | |
236 | int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) | 157 | while(BIO_gets(mem, tmpbuf, 512) > 0) |
237 | { | 158 | { |
238 | int i, n; | 159 | for(p = tmpbuf; isspace((unsigned char)*p); p++) continue; |
239 | const unsigned char *p; | 160 | if(!*p) break; |
240 | next_io: | ||
241 | if (!(rctx->state & OHS_NOREAD)) | ||
242 | { | ||
243 | n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen); | ||
244 | |||
245 | if (n <= 0) | ||
246 | { | ||
247 | if (BIO_should_retry(rctx->io)) | ||
248 | return -1; | ||
249 | return 0; | ||
250 | } | ||
251 | |||
252 | /* Write data to memory BIO */ | ||
253 | |||
254 | if (BIO_write(rctx->mem, rctx->iobuf, n) != n) | ||
255 | return 0; | ||
256 | } | ||
257 | |||
258 | switch(rctx->state) | ||
259 | { | ||
260 | |||
261 | case OHS_ASN1_WRITE: | ||
262 | n = BIO_get_mem_data(rctx->mem, &p); | ||
263 | |||
264 | i = BIO_write(rctx->io, | ||
265 | p + (n - rctx->asn1_len), rctx->asn1_len); | ||
266 | |||
267 | if (i <= 0) | ||
268 | { | ||
269 | if (BIO_should_retry(rctx->io)) | ||
270 | return -1; | ||
271 | rctx->state = OHS_ERROR; | ||
272 | return 0; | ||
273 | } | ||
274 | |||
275 | rctx->asn1_len -= i; | ||
276 | |||
277 | if (rctx->asn1_len > 0) | ||
278 | goto next_io; | ||
279 | |||
280 | rctx->state = OHS_ASN1_FLUSH; | ||
281 | |||
282 | (void)BIO_reset(rctx->mem); | ||
283 | |||
284 | case OHS_ASN1_FLUSH: | ||
285 | |||
286 | i = BIO_flush(rctx->io); | ||
287 | |||
288 | if (i > 0) | ||
289 | { | ||
290 | rctx->state = OHS_FIRSTLINE; | ||
291 | goto next_io; | ||
292 | } | ||
293 | |||
294 | if (BIO_should_retry(rctx->io)) | ||
295 | return -1; | ||
296 | |||
297 | rctx->state = OHS_ERROR; | ||
298 | return 0; | ||
299 | |||
300 | case OHS_ERROR: | ||
301 | return 0; | ||
302 | |||
303 | case OHS_FIRSTLINE: | ||
304 | case OHS_HEADERS: | ||
305 | |||
306 | /* Attempt to read a line in */ | ||
307 | |||
308 | next_line: | ||
309 | /* Due to &%^*$" memory BIO behaviour with BIO_gets we | ||
310 | * have to check there's a complete line in there before | ||
311 | * calling BIO_gets or we'll just get a partial read. | ||
312 | */ | ||
313 | n = BIO_get_mem_data(rctx->mem, &p); | ||
314 | if ((n <= 0) || !memchr(p, '\n', n)) | ||
315 | { | ||
316 | if (n >= rctx->iobuflen) | ||
317 | { | ||
318 | rctx->state = OHS_ERROR; | ||
319 | return 0; | ||
320 | } | ||
321 | goto next_io; | ||
322 | } | ||
323 | n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen); | ||
324 | |||
325 | if (n <= 0) | ||
326 | { | ||
327 | if (BIO_should_retry(rctx->mem)) | ||
328 | goto next_io; | ||
329 | rctx->state = OHS_ERROR; | ||
330 | return 0; | ||
331 | } | ||
332 | |||
333 | /* Don't allow excessive lines */ | ||
334 | if (n == rctx->iobuflen) | ||
335 | { | ||
336 | rctx->state = OHS_ERROR; | ||
337 | return 0; | ||
338 | } | ||
339 | |||
340 | /* First line */ | ||
341 | if (rctx->state == OHS_FIRSTLINE) | ||
342 | { | ||
343 | if (parse_http_line1((char *)rctx->iobuf)) | ||
344 | { | ||
345 | rctx->state = OHS_HEADERS; | ||
346 | goto next_line; | ||
347 | } | ||
348 | else | ||
349 | { | ||
350 | rctx->state = OHS_ERROR; | ||
351 | return 0; | ||
352 | } | ||
353 | } | ||
354 | else | ||
355 | { | ||
356 | /* Look for blank line: end of headers */ | ||
357 | for (p = rctx->iobuf; *p; p++) | ||
358 | { | ||
359 | if ((*p != '\r') && (*p != '\n')) | ||
360 | break; | ||
361 | } | ||
362 | if (*p) | ||
363 | goto next_line; | ||
364 | |||
365 | rctx->state = OHS_ASN1_HEADER; | ||
366 | |||
367 | } | ||
368 | |||
369 | /* Fall thru */ | ||
370 | |||
371 | |||
372 | case OHS_ASN1_HEADER: | ||
373 | /* Now reading ASN1 header: can read at least 6 bytes which | ||
374 | * is more than enough for any valid ASN1 SEQUENCE header | ||
375 | */ | ||
376 | n = BIO_get_mem_data(rctx->mem, &p); | ||
377 | if (n < 6) | ||
378 | goto next_io; | ||
379 | |||
380 | /* Check it is an ASN1 SEQUENCE */ | ||
381 | if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) | ||
382 | { | ||
383 | rctx->state = OHS_ERROR; | ||
384 | return 0; | ||
385 | } | ||
386 | |||
387 | /* Check out length field */ | ||
388 | if (*p & 0x80) | ||
389 | { | ||
390 | n = *p & 0x7F; | ||
391 | /* Not NDEF or excessive length */ | ||
392 | if (!n || (n > 4)) | ||
393 | { | ||
394 | rctx->state = OHS_ERROR; | ||
395 | return 0; | ||
396 | } | ||
397 | p++; | ||
398 | rctx->asn1_len = 0; | ||
399 | for (i = 0; i < n; i++) | ||
400 | { | ||
401 | rctx->asn1_len <<= 8; | ||
402 | rctx->asn1_len |= *p++; | ||
403 | } | ||
404 | |||
405 | if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) | ||
406 | { | ||
407 | rctx->state = OHS_ERROR; | ||
408 | return 0; | ||
409 | } | ||
410 | |||
411 | rctx->asn1_len += n + 2; | ||
412 | } | ||
413 | else | ||
414 | rctx->asn1_len = *p + 2; | ||
415 | |||
416 | rctx->state = OHS_ASN1_CONTENT; | ||
417 | |||
418 | /* Fall thru */ | ||
419 | |||
420 | case OHS_ASN1_CONTENT: | ||
421 | n = BIO_get_mem_data(rctx->mem, &p); | ||
422 | if (n < (int)rctx->asn1_len) | ||
423 | goto next_io; | ||
424 | |||
425 | |||
426 | *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len); | ||
427 | if (*presp) | ||
428 | { | ||
429 | rctx->state = OHS_DONE; | ||
430 | return 1; | ||
431 | } | ||
432 | |||
433 | rctx->state = OHS_ERROR; | ||
434 | return 0; | ||
435 | |||
436 | break; | ||
437 | |||
438 | case OHS_DONE: | ||
439 | return 1; | ||
440 | |||
441 | } | ||
442 | |||
443 | |||
444 | |||
445 | return 0; | ||
446 | |||
447 | |||
448 | } | 161 | } |
449 | 162 | if(*p) { | |
450 | /* Blocking OCSP request handler: now a special case of non-blocking I/O */ | 163 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_NO_CONTENT); |
451 | 164 | goto err; | |
452 | OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) | 165 | } |
453 | { | 166 | if(!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) { |
454 | OCSP_RESPONSE *resp = NULL; | 167 | OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,ERR_R_NESTED_ASN1_ERROR); |
455 | OCSP_REQ_CTX *ctx; | 168 | goto err; |
456 | int rv; | ||
457 | |||
458 | ctx = OCSP_sendreq_new(b, path, req, -1); | ||
459 | |||
460 | do | ||
461 | { | ||
462 | rv = OCSP_sendreq_nbio(&resp, ctx); | ||
463 | } while ((rv == -1) && BIO_should_retry(b)); | ||
464 | |||
465 | OCSP_REQ_CTX_free(ctx); | ||
466 | |||
467 | if (rv) | ||
468 | return resp; | ||
469 | |||
470 | return NULL; | ||
471 | } | 169 | } |
170 | err: | ||
171 | BIO_free(mem); | ||
172 | return resp; | ||
173 | } | ||