Diffstat (limited to 'src/lib/libcrypto/ocsp')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp.h616
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_asn.c542
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c383
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_err.c142
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ext.c607
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ht.c463
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_lib.c282
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_prn.c308
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_srv.c276
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c448
10 files changed, 0 insertions, 4067 deletions
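diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h
deleted file mode 100644
index b7e3115e8d..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp.h
+++ /dev/null
@@ -1,616 +0,0 @@
-/* $OpenBSD: ocsp.h,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#ifndef HEADER_OCSP_H
-#define HEADER_OCSP_H
-
-#include <openssl/ossl_typ.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/safestack.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Various flags and values */
-
-#define OCSP_DEFAULT_NONCE_LENGTH 16
-
-#define OCSP_NOCERTS 0x1
-#define OCSP_NOINTERN 0x2
-#define OCSP_NOSIGS 0x4
-#define OCSP_NOCHAIN 0x8
-#define OCSP_NOVERIFY 0x10
-#define OCSP_NOEXPLICIT 0x20
-#define OCSP_NOCASIGN 0x40
-#define OCSP_NODELEGATED 0x80
-#define OCSP_NOCHECKS 0x100
-#define OCSP_TRUSTOTHER 0x200
-#define OCSP_RESPID_KEY 0x400
-#define OCSP_NOTIME 0x800
-
-/* CertID ::= SEQUENCE {
- * hashAlgorithm AlgorithmIdentifier,
- * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
- * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
- * serialNumber CertificateSerialNumber }
- */
-typedef struct ocsp_cert_id_st {
- X509_ALGOR *hashAlgorithm;
- ASN1_OCTET_STRING *issuerNameHash;
- ASN1_OCTET_STRING *issuerKeyHash;
- ASN1_INTEGER *serialNumber;
-} OCSP_CERTID;
-
-DECLARE_STACK_OF(OCSP_CERTID)
-
-/* Request ::= SEQUENCE {
- * reqCert CertID,
- * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_one_request_st {
- OCSP_CERTID *reqCert;
- STACK_OF(X509_EXTENSION) *singleRequestExtensions;
-} OCSP_ONEREQ;
-
-DECLARE_STACK_OF(OCSP_ONEREQ)
-DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
-
-
-/* TBSRequest ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * requestorName [1] EXPLICIT GeneralName OPTIONAL,
- * requestList SEQUENCE OF Request,
- * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_req_info_st {
- ASN1_INTEGER *version;
- GENERAL_NAME *requestorName;
- STACK_OF(OCSP_ONEREQ) *requestList;
- STACK_OF(X509_EXTENSION) *requestExtensions;
-} OCSP_REQINFO;
-
-/* Signature ::= SEQUENCE {
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-typedef struct ocsp_signature_st {
- X509_ALGOR *signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
-} OCSP_SIGNATURE;
-
-/* OCSPRequest ::= SEQUENCE {
- * tbsRequest TBSRequest,
- * optionalSignature [0] EXPLICIT Signature OPTIONAL }
- */
-typedef struct ocsp_request_st {
- OCSP_REQINFO *tbsRequest;
- OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
-} OCSP_REQUEST;
-
-/* OCSPResponseStatus ::= ENUMERATED {
- * successful (0), --Response has valid confirmations
- * malformedRequest (1), --Illegal confirmation request
- * internalError (2), --Internal error in issuer
- * tryLater (3), --Try again later
- * --(4) is not used
- * sigRequired (5), --Must sign the request
- * unauthorized (6) --Request unauthorized
- * }
- */
-#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
-#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
-#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
-#define OCSP_RESPONSE_STATUS_TRYLATER 3
-#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
-#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
-
-/* ResponseBytes ::= SEQUENCE {
- * responseType OBJECT IDENTIFIER,
- * response OCTET STRING }
- */
-typedef struct ocsp_resp_bytes_st {
- ASN1_OBJECT *responseType;
- ASN1_OCTET_STRING *response;
-} OCSP_RESPBYTES;
-
-/* OCSPResponse ::= SEQUENCE {
- * responseStatus OCSPResponseStatus,
- * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
- */
-struct ocsp_response_st {
- ASN1_ENUMERATED *responseStatus;
- OCSP_RESPBYTES *responseBytes;
-};
-
-/* ResponderID ::= CHOICE {
- * byName [1] Name,
- * byKey [2] KeyHash }
- */
-#define V_OCSP_RESPID_NAME 0
-#define V_OCSP_RESPID_KEY 1
-struct ocsp_responder_id_st {
- int type;
- union {
- X509_NAME* byName;
- ASN1_OCTET_STRING *byKey;
- } value;
-};
-
-DECLARE_STACK_OF(OCSP_RESPID)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
-
-/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- * --(excluding the tag and length fields)
- */
-
-/* RevokedInfo ::= SEQUENCE {
- * revocationTime GeneralizedTime,
- * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
- */
-typedef struct ocsp_revoked_info_st {
- ASN1_GENERALIZEDTIME *revocationTime;
- ASN1_ENUMERATED *revocationReason;
-} OCSP_REVOKEDINFO;
-
-/* CertStatus ::= CHOICE {
- * good [0] IMPLICIT NULL,
- * revoked [1] IMPLICIT RevokedInfo,
- * unknown [2] IMPLICIT UnknownInfo }
- */
-#define V_OCSP_CERTSTATUS_GOOD 0
-#define V_OCSP_CERTSTATUS_REVOKED 1
-#define V_OCSP_CERTSTATUS_UNKNOWN 2
-typedef struct ocsp_cert_status_st {
- int type;
- union {
- ASN1_NULL *good;
- OCSP_REVOKEDINFO *revoked;
- ASN1_NULL *unknown;
- } value;
-} OCSP_CERTSTATUS;
-
-/* SingleResponse ::= SEQUENCE {
- * certID CertID,
- * certStatus CertStatus,
- * thisUpdate GeneralizedTime,
- * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_single_response_st {
- OCSP_CERTID *certId;
- OCSP_CERTSTATUS *certStatus;
- ASN1_GENERALIZEDTIME *thisUpdate;
- ASN1_GENERALIZEDTIME *nextUpdate;
- STACK_OF(X509_EXTENSION) *singleExtensions;
-} OCSP_SINGLERESP;
-
-DECLARE_STACK_OF(OCSP_SINGLERESP)
-DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
-
-/* ResponseData ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * responderID ResponderID,
- * producedAt GeneralizedTime,
- * responses SEQUENCE OF SingleResponse,
- * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_response_data_st {
- ASN1_INTEGER *version;
- OCSP_RESPID *responderId;
- ASN1_GENERALIZEDTIME *producedAt;
- STACK_OF(OCSP_SINGLERESP) *responses;
- STACK_OF(X509_EXTENSION) *responseExtensions;
-} OCSP_RESPDATA;
-
-/* BasicOCSPResponse ::= SEQUENCE {
- * tbsResponseData ResponseData,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
- /* Note 1:
- The value for "signature" is specified in the OCSP rfc2560 as follows:
- "The value for the signature SHALL be computed on the hash of the DER
- encoding ResponseData." This means that you must hash the DER-encoded
- tbsResponseData, and then run it through a crypto-signing function, which
- will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems
- a bit odd, but that's the spec. Also note that the data structures do not
- leave anywhere to independently specify the algorithm used for the initial
- hash. So, we look at the signature-specification algorithm, and try to do
- something intelligent. -- Kathy Weinhold, CertCo */
- /* Note 2:
- It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
- for interpretation. I've done tests against another responder, and found
- that it doesn't do the double hashing that the RFC seems to say one
- should. Therefore, all relevant functions take a flag saying which
- variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
-typedef struct ocsp_basic_response_st {
- OCSP_RESPDATA *tbsResponseData;
- X509_ALGOR *signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
-} OCSP_BASICRESP;
-
-/*
- * CRLReason ::= ENUMERATED {
- * unspecified (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6),
- * removeFromCRL (8) }
- */
-#define OCSP_REVOKED_STATUS_NOSTATUS -1
-#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
-#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
-#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
-#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
-#define OCSP_REVOKED_STATUS_SUPERSEDED 4
-#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
-#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
-#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
-
-/* CrlID ::= SEQUENCE {
- * crlUrl [0] EXPLICIT IA5String OPTIONAL,
- * crlNum [1] EXPLICIT INTEGER OPTIONAL,
- * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
- */
-typedef struct ocsp_crl_id_st {
- ASN1_IA5STRING *crlUrl;
- ASN1_INTEGER *crlNum;
- ASN1_GENERALIZEDTIME *crlTime;
-} OCSP_CRLID;
-
-/* ServiceLocator ::= SEQUENCE {
- * issuer Name,
- * locator AuthorityInfoAccessSyntax OPTIONAL }
- */
-typedef struct ocsp_service_locator_st {
- X509_NAME* issuer;
- STACK_OF(ACCESS_DESCRIPTION) *locator;
-} OCSP_SERVICELOC;
-
-#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
-#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
-
-#define d2i_OCSP_REQUEST_bio(bp,p) \
- ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
-
-#define d2i_OCSP_RESPONSE_bio(bp,p) \
- ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
-
-#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) \
- (OCSP_REQUEST *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_REQUEST, \
- PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
-
-#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) \
- (OCSP_RESPONSE *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_RESPONSE, \
- PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
-
-#define PEM_write_bio_OCSP_REQUEST(bp,o) \
- PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
-
-#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
- PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
-
-#define i2d_OCSP_RESPONSE_bio(bp,o) \
- ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
-
-#define i2d_OCSP_REQUEST_bio(bp,o) \
- ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
-
-#define OCSP_REQUEST_sign(o,pkey,md) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO), \
- o->optionalSignature->signatureAlgorithm,NULL, \
- o->optionalSignature->signature,o->tbsRequest,pkey,md)
-
-#define OCSP_BASICRESP_sign(o,pkey,md,d) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL, \
- o->signature,o->tbsResponseData,pkey,md)
-
-#define OCSP_REQUEST_verify(a,r) \
- ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO), \
- a->optionalSignature->signatureAlgorithm, \
- a->optionalSignature->signature,a->tbsRequest,r)
-
-#define OCSP_BASICRESP_verify(a,r,d) \
- ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA), \
- a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
-
-#define ASN1_BIT_STRING_digest(data,type,md,len) \
- ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
-
-#define OCSP_CERTSTATUS_dup(cs)\
- (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
- (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
-
-OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
-
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
- int maxline);
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
- const char *value);
-
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
-
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
- ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber);
-
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
-
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
-
-int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-
-int OCSP_response_status(OCSP_RESPONSE *resp);
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
-
-int OCSP_resp_count(OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
- ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
- int *reason, ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
- ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
-
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
- X509_STORE *store, unsigned long flags);
-
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
- int *pssl);
-
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-
-int OCSP_request_onereq_count(OCSP_REQUEST *req);
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial,
- OCSP_CERTID *cid);
-int OCSP_request_is_signed(OCSP_REQUEST *req);
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid,
- int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd,
- ASN1_TIME *nextupd);
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
-int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-
-X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
-
-X509_EXTENSION *OCSP_accept_responses_new(char **oids);
-
-X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
-
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
-
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
-X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
-void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
-X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
-void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
-X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
- int *idx);
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid,
- int lastpos);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
-X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
- int *idx);
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex,
- int loc);
-
-DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
-DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
-DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
-DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
-DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
-DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
-DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
-DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
-DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
-DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
-DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
-
-const char *OCSP_response_status_str(long s);
-const char *OCSP_cert_status_str(long s);
-const char *OCSP_crl_reason_str(long s);
-
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
-
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
-
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_OCSP_strings(void);
-
-/* Error codes for the OCSP functions. */
-
-/* Function codes. */
-#define OCSP_F_ASN1_STRING_ENCODE 100
-#define OCSP_F_D2I_OCSP_NONCE 102
-#define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
-#define OCSP_F_OCSP_BASIC_SIGN 104
-#define OCSP_F_OCSP_BASIC_VERIFY 105
-#define OCSP_F_OCSP_CERT_ID_NEW 101
-#define OCSP_F_OCSP_CHECK_DELEGATED 106
-#define OCSP_F_OCSP_CHECK_IDS 107
-#define OCSP_F_OCSP_CHECK_ISSUER 108
-#define OCSP_F_OCSP_CHECK_VALIDITY 115
-#define OCSP_F_OCSP_MATCH_ISSUERID 109
-#define OCSP_F_OCSP_PARSE_URL 114
-#define OCSP_F_OCSP_REQUEST_SIGN 110
-#define OCSP_F_OCSP_REQUEST_VERIFY 116
-#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
-#define OCSP_F_OCSP_SENDREQ_BIO 112
-#define OCSP_F_OCSP_SENDREQ_NBIO 117
-#define OCSP_F_PARSE_HTTP_LINE1 118
-#define OCSP_F_REQUEST_VERIFY 113
-
-/* Reason codes. */
-#define OCSP_R_BAD_DATA 100
-#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
-#define OCSP_R_DIGEST_ERR 102
-#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
-#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
-#define OCSP_R_ERROR_PARSING_URL 121
-#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
-#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
-#define OCSP_R_NOT_BASIC_RESPONSE 104
-#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
-#define OCSP_R_NO_CONTENT 106
-#define OCSP_R_NO_PUBLIC_KEY 107
-#define OCSP_R_NO_RESPONSE_DATA 108
-#define OCSP_R_NO_REVOKED_TIME 109
-#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
-#define OCSP_R_REQUEST_NOT_SIGNED 128
-#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
-#define OCSP_R_ROOT_CA_NOT_TRUSTED 112
-#define OCSP_R_SERVER_READ_ERROR 113
-#define OCSP_R_SERVER_RESPONSE_ERROR 114
-#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
-#define OCSP_R_SERVER_WRITE_ERROR 116
-#define OCSP_R_SIGNATURE_FAILURE 117
-#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
-#define OCSP_R_STATUS_EXPIRED 125
-#define OCSP_R_STATUS_NOT_YET_VALID 126
-#define OCSP_R_STATUS_TOO_OLD 127
-#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
-#define OCSP_R_UNKNOWN_NID 120
-#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129
-
-#ifdef __cplusplus
-}
-#endif
-#endif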
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
deleted file mode 100644
index 6ca21af89a..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_asn.c
+++ /dev/null
@@ -1,542 +0,0 @@
1/* $OpenBSD: ocsp_asn.c,v 1.7 2015/02/09 16:04:46 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#include <openssl/asn1.h>
59#include <openssl/asn1t.h>
60#include <openssl/ocsp.h>
61
62ASN1_SEQUENCE(OCSP_SIGNATURE) = {
63 ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
64 ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
65 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0)
66} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
67
68
69OCSP_SIGNATURE *
70d2i_OCSP_SIGNATURE(OCSP_SIGNATURE **a, const unsigned char **in, long len)
71{
72 return (OCSP_SIGNATURE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
73 &OCSP_SIGNATURE_it);
74}
75
76int
77i2d_OCSP_SIGNATURE(OCSP_SIGNATURE *a, unsigned char **out)
78{
79 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SIGNATURE_it);
80}
81
82OCSP_SIGNATURE *
83OCSP_SIGNATURE_new(void)
84{
85 return (OCSP_SIGNATURE *)ASN1_item_new(&OCSP_SIGNATURE_it);
86}
87
88void
89OCSP_SIGNATURE_free(OCSP_SIGNATURE *a)
90{
91 ASN1_item_free((ASN1_VALUE *)a, &OCSP_SIGNATURE_it);
92}
93
94ASN1_SEQUENCE(OCSP_CERTID) = {
95 ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
96 ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
97 ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
98 ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
99} ASN1_SEQUENCE_END(OCSP_CERTID)
100
101
102OCSP_CERTID *
103d2i_OCSP_CERTID(OCSP_CERTID **a, const unsigned char **in, long len)
104{
105 return (OCSP_CERTID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
106 &OCSP_CERTID_it);
107}
108
109int
110i2d_OCSP_CERTID(OCSP_CERTID *a, unsigned char **out)
111{
112 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CERTID_it);
113}
114
115OCSP_CERTID *
116OCSP_CERTID_new(void)
117{
118 return (OCSP_CERTID *)ASN1_item_new(&OCSP_CERTID_it);
119}
120
121void
122OCSP_CERTID_free(OCSP_CERTID *a)
123{
124 ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTID_it);
125}
126
127ASN1_SEQUENCE(OCSP_ONEREQ) = {
128 ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
129 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
130} ASN1_SEQUENCE_END(OCSP_ONEREQ)
131
132
133OCSP_ONEREQ *
134d2i_OCSP_ONEREQ(OCSP_ONEREQ **a, const unsigned char **in, long len)
135{
136 return (OCSP_ONEREQ *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
137 &OCSP_ONEREQ_it);
138}
139
140int
141i2d_OCSP_ONEREQ(OCSP_ONEREQ *a, unsigned char **out)
142{
143 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_ONEREQ_it);
144}
145
146OCSP_ONEREQ *
147OCSP_ONEREQ_new(void)
148{
149 return (OCSP_ONEREQ *)ASN1_item_new(&OCSP_ONEREQ_it);
150}
151
152void
153OCSP_ONEREQ_free(OCSP_ONEREQ *a)
154{
155 ASN1_item_free((ASN1_VALUE *)a, &OCSP_ONEREQ_it);
156}
157
158ASN1_SEQUENCE(OCSP_REQINFO) = {
159 ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
160 ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
161 ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
162 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
163} ASN1_SEQUENCE_END(OCSP_REQINFO)
164
165
166OCSP_REQINFO *
167d2i_OCSP_REQINFO(OCSP_REQINFO **a, const unsigned char **in, long len)
168{
169 return (OCSP_REQINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
170 &OCSP_REQINFO_it);
171}
172
173int
174i2d_OCSP_REQINFO(OCSP_REQINFO *a, unsigned char **out)
175{
176 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REQINFO_it);
177}
178
179OCSP_REQINFO *
180OCSP_REQINFO_new(void)
181{
182 return (OCSP_REQINFO *)ASN1_item_new(&OCSP_REQINFO_it);
183}
184
185void
186OCSP_REQINFO_free(OCSP_REQINFO *a)
187{
188 ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQINFO_it);
189}
190
191ASN1_SEQUENCE(OCSP_REQUEST) = {
192 ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
193 ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
194} ASN1_SEQUENCE_END(OCSP_REQUEST)
195
196
197OCSP_REQUEST *
198d2i_OCSP_REQUEST(OCSP_REQUEST **a, const unsigned char **in, long len)
199{
200 return (OCSP_REQUEST *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
201 &OCSP_REQUEST_it);
202}
203
204int
205i2d_OCSP_REQUEST(OCSP_REQUEST *a, unsigned char **out)
206{
207 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REQUEST_it);
208}
209
210OCSP_REQUEST *
211OCSP_REQUEST_new(void)
212{
213 return (OCSP_REQUEST *)ASN1_item_new(&OCSP_REQUEST_it);
214}
215
216void
217OCSP_REQUEST_free(OCSP_REQUEST *a)
218{
219 ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQUEST_it);
220}
221
222/* OCSP_RESPONSE templates */
223
224ASN1_SEQUENCE(OCSP_RESPBYTES) = {
225 ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
226 ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
227} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
228
229
230OCSP_RESPBYTES *
231d2i_OCSP_RESPBYTES(OCSP_RESPBYTES **a, const unsigned char **in, long len)
232{
233 return (OCSP_RESPBYTES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
234 &OCSP_RESPBYTES_it);
235}
236
237int
238i2d_OCSP_RESPBYTES(OCSP_RESPBYTES *a, unsigned char **out)
239{
240 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPBYTES_it);
241}
242
243OCSP_RESPBYTES *
244OCSP_RESPBYTES_new(void)
245{
246 return (OCSP_RESPBYTES *)ASN1_item_new(&OCSP_RESPBYTES_it);
247}
248
249void
250OCSP_RESPBYTES_free(OCSP_RESPBYTES *a)
251{
252 ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPBYTES_it);
253}
254
255ASN1_SEQUENCE(OCSP_RESPONSE) = {
256 ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
257 ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
258} ASN1_SEQUENCE_END(OCSP_RESPONSE)
259
260
261OCSP_RESPONSE *
262d2i_OCSP_RESPONSE(OCSP_RESPONSE **a, const unsigned char **in, long len)
263{
264 return (OCSP_RESPONSE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
265 &OCSP_RESPONSE_it);
266}
267
268int
269i2d_OCSP_RESPONSE(OCSP_RESPONSE *a, unsigned char **out)
270{
271 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPONSE_it);
272}
273
274OCSP_RESPONSE *
275OCSP_RESPONSE_new(void)
276{
277 return (OCSP_RESPONSE *)ASN1_item_new(&OCSP_RESPONSE_it);
278}
279
280void
281OCSP_RESPONSE_free(OCSP_RESPONSE *a)
282{
283 ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPONSE_it);
284}
285
286ASN1_CHOICE(OCSP_RESPID) = {
287 ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
288 ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
289} ASN1_CHOICE_END(OCSP_RESPID)
290
291
292OCSP_RESPID *
293d2i_OCSP_RESPID(OCSP_RESPID **a, const unsigned char **in, long len)
294{
295 return (OCSP_RESPID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
296 &OCSP_RESPID_it);
297}
298
299int
300i2d_OCSP_RESPID(OCSP_RESPID *a, unsigned char **out)
301{
302 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPID_it);
303}
304
305OCSP_RESPID *
306OCSP_RESPID_new(void)
307{
308 return (OCSP_RESPID *)ASN1_item_new(&OCSP_RESPID_it);
309}
310
311void
312OCSP_RESPID_free(OCSP_RESPID *a)
313{
314 ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPID_it);
315}
316
317ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
318 ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
319 ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
320} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
321
322
323OCSP_REVOKEDINFO *
324d2i_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO **a, const unsigned char **in, long len)
325{
326 return (OCSP_REVOKEDINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
327 &OCSP_REVOKEDINFO_it);
328}
329
330int
331i2d_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO *a, unsigned char **out)
332{
333 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REVOKEDINFO_it);
334}
335
336OCSP_REVOKEDINFO *
337OCSP_REVOKEDINFO_new(void)
338{
339 return (OCSP_REVOKEDINFO *)ASN1_item_new(&OCSP_REVOKEDINFO_it);
340}
341
342void
343OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *a)
344{
345 ASN1_item_free((ASN1_VALUE *)a, &OCSP_REVOKEDINFO_it);
346}
347
348ASN1_CHOICE(OCSP_CERTSTATUS) = {
349 ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
350 ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
351 ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
352} ASN1_CHOICE_END(OCSP_CERTSTATUS)
353
354
355OCSP_CERTSTATUS *
356d2i_OCSP_CERTSTATUS(OCSP_CERTSTATUS **a, const unsigned char **in, long len)
357{
358 return (OCSP_CERTSTATUS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
359 &OCSP_CERTSTATUS_it);
360}
361
362int
363i2d_OCSP_CERTSTATUS(OCSP_CERTSTATUS *a, unsigned char **out)
364{
365 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CERTSTATUS_it);
366}
367
368OCSP_CERTSTATUS *
369OCSP_CERTSTATUS_new(void)
370{
371 return (OCSP_CERTSTATUS *)ASN1_item_new(&OCSP_CERTSTATUS_it);
372}
373
374void
375OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *a)
376{
377 ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTSTATUS_it);
378}
379
380ASN1_SEQUENCE(OCSP_SINGLERESP) = {
381 ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
382 ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
383 ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
384 ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
385 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
386} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
387
388
389OCSP_SINGLERESP *
390d2i_OCSP_SINGLERESP(OCSP_SINGLERESP **a, const unsigned char **in, long len)
391{
392 return (OCSP_SINGLERESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
393 &OCSP_SINGLERESP_it);
394}
395
396int
397i2d_OCSP_SINGLERESP(OCSP_SINGLERESP *a, unsigned char **out)
398{
399 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SINGLERESP_it);
400}
401
402OCSP_SINGLERESP *
403OCSP_SINGLERESP_new(void)
404{
405 return (OCSP_SINGLERESP *)ASN1_item_new(&OCSP_SINGLERESP_it);
406}
407
408void
409OCSP_SINGLERESP_free(OCSP_SINGLERESP *a)
410{
411 ASN1_item_free((ASN1_VALUE *)a, &OCSP_SINGLERESP_it);
412}
413
414ASN1_SEQUENCE(OCSP_RESPDATA) = {
415 ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
416 ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
417 ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
418 ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
419 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
420} ASN1_SEQUENCE_END(OCSP_RESPDATA)
421
422
423OCSP_RESPDATA *
424d2i_OCSP_RESPDATA(OCSP_RESPDATA **a, const unsigned char **in, long len)
425{
426 return (OCSP_RESPDATA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
427 &OCSP_RESPDATA_it);
428}
429
430int
431i2d_OCSP_RESPDATA(OCSP_RESPDATA *a, unsigned char **out)
432{
433 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPDATA_it);
434}
435
436OCSP_RESPDATA *
437OCSP_RESPDATA_new(void)
438{
439 return (OCSP_RESPDATA *)ASN1_item_new(&OCSP_RESPDATA_it);
440}
441
442void
443OCSP_RESPDATA_free(OCSP_RESPDATA *a)
444{
445 ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPDATA_it);
446}
447
448ASN1_SEQUENCE(OCSP_BASICRESP) = {
449 ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
450 ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
451 ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
452 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
453} ASN1_SEQUENCE_END(OCSP_BASICRESP)
454
455
456OCSP_BASICRESP *
457d2i_OCSP_BASICRESP(OCSP_BASICRESP **a, const unsigned char **in, long len)
458{
459 return (OCSP_BASICRESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
460 &OCSP_BASICRESP_it);
461}
462
463int
464i2d_OCSP_BASICRESP(OCSP_BASICRESP *a, unsigned char **out)
465{
466 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_BASICRESP_it);
467}
468
469OCSP_BASICRESP *
470OCSP_BASICRESP_new(void)
471{
472 return (OCSP_BASICRESP *)ASN1_item_new(&OCSP_BASICRESP_it);
473}
474
475void
476OCSP_BASICRESP_free(OCSP_BASICRESP *a)
477{
478 ASN1_item_free((ASN1_VALUE *)a, &OCSP_BASICRESP_it);
479}
480
481ASN1_SEQUENCE(OCSP_CRLID) = {
482 ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
483 ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
484 ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
485} ASN1_SEQUENCE_END(OCSP_CRLID)
486
487
488OCSP_CRLID *
489d2i_OCSP_CRLID(OCSP_CRLID **a, const unsigned char **in, long len)
490{
491 return (OCSP_CRLID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
492 &OCSP_CRLID_it);
493}
494
495int
496i2d_OCSP_CRLID(OCSP_CRLID *a, unsigned char **out)
497{
498 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CRLID_it);
499}
500
501OCSP_CRLID *
502OCSP_CRLID_new(void)
503{
504 return (OCSP_CRLID *)ASN1_item_new(&OCSP_CRLID_it);
505}
506
507void
508OCSP_CRLID_free(OCSP_CRLID *a)
509{
510 ASN1_item_free((ASN1_VALUE *)a, &OCSP_CRLID_it);
511}
512
513ASN1_SEQUENCE(OCSP_SERVICELOC) = {
514 ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
515 ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
516} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
517
518
519OCSP_SERVICELOC *
520d2i_OCSP_SERVICELOC(OCSP_SERVICELOC **a, const unsigned char **in, long len)
521{
522 return (OCSP_SERVICELOC *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
523 &OCSP_SERVICELOC_it);
524}
525
526int
527i2d_OCSP_SERVICELOC(OCSP_SERVICELOC *a, unsigned char **out)
528{
529 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SERVICELOC_it);
530}
531
532OCSP_SERVICELOC *
533OCSP_SERVICELOC_new(void)
534{
535 return (OCSP_SERVICELOC *)ASN1_item_new(&OCSP_SERVICELOC_it);
536}
537
538void
539OCSP_SERVICELOC_free(OCSP_SERVICELOC *a)
540{
541 ASN1_item_free((ASN1_VALUE *)a, &OCSP_SERVICELOC_it);
542}
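--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ /dev/null
@@ -1,383 +0,0 @@
-/* $OpenBSD: ocsp_cl.c,v 1.8 2014/10/18 17:20:40 jsing Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <time.h>
-
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-/* Utility functions related to sending OCSP requests and extracting
- * relevant information from the response.
- */
-
-/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
- * pointer: useful if we want to add extensions.
- */
-OCSP_ONEREQ *
-OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
-{
- OCSP_ONEREQ *one = NULL;
-
- if (!(one = OCSP_ONEREQ_new()))
- goto err;
- if (one->reqCert)
- OCSP_CERTID_free(one->reqCert);
- one->reqCert = cid;
- if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
- goto err;
- return one;
-
-err:
- OCSP_ONEREQ_free(one);
- return NULL;
-}
-
-/* Set requestorName from an X509_NAME structure */
-int
-OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
-{
- GENERAL_NAME *gen;
-
- gen = GENERAL_NAME_new();
- if (gen == NULL)
- return 0;
- if (!X509_NAME_set(&gen->d.directoryName, nm)) {
- GENERAL_NAME_free(gen);
- return 0;
- }
- gen->type = GEN_DIRNAME;
- if (req->tbsRequest->requestorName)
- GENERAL_NAME_free(req->tbsRequest->requestorName);
- req->tbsRequest->requestorName = gen;
- return 1;
-}
-
-/* Add a certificate to an OCSP request */
-int
-OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
-{
- OCSP_SIGNATURE *sig;
-
- if (!req->optionalSignature)
- req->optionalSignature = OCSP_SIGNATURE_new();
- sig = req->optionalSignature;
- if (!sig)
- return 0;
- if (!cert)
- return 1;
- if (!sig->certs && !(sig->certs = sk_X509_new_null()))
- return 0;
-
- if (!sk_X509_push(sig->certs, cert))
- return 0;
- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
- return 1;
-}
-
-/* Sign an OCSP request set the requestorName to the subjec
- * name of an optional signers certificate and include one
- * or more optional certificates in the request. Behaves
- * like PKCS7_sign().
- */
-int
-OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-{
- int i;
- OCSP_SIGNATURE *sig;
- X509 *x;
-
- if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
- goto err;
-
- if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
- goto err;
- if (key) {
- if (!X509_check_private_key(signer, key)) {
- OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
- OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
- goto err;
- }
- if (!OCSP_REQUEST_sign(req, key, dgst))
- goto err;
- }
-
- if (!(flags & OCSP_NOCERTS)) {
- if (!OCSP_request_add1_cert(req, signer))
- goto err;
- for (i = 0; i < sk_X509_num(certs); i++) {
- x = sk_X509_value(certs, i);
- if (!OCSP_request_add1_cert(req, x))
- goto err;
- }
- }
-
- return 1;
-
-err:
- OCSP_SIGNATURE_free(req->optionalSignature);
- req->optionalSignature = NULL;
- return 0;
-}
-
-/* Get response status */
-int
-OCSP_response_status(OCSP_RESPONSE *resp)
-{
- return ASN1_ENUMERATED_get(resp->responseStatus);
-}
-
-/* Extract basic response from OCSP_RESPONSE or NULL if
- * no basic response present.
- */
-OCSP_BASICRESP *
-OCSP_response_get1_basic(OCSP_RESPONSE *resp)
-{
- OCSP_RESPBYTES *rb;
-
- rb = resp->responseBytes;
- if (!rb) {
- OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
- OCSP_R_NO_RESPONSE_DATA);
- return NULL;
- }
- if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
- OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
- OCSP_R_NOT_BASIC_RESPONSE);
- return NULL;
- }
-
- return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
-}
-
-/* Return number of OCSP_SINGLERESP reponses present in
- * a basic response.
- */
-int
-OCSP_resp_count(OCSP_BASICRESP *bs)
-{
- if (!bs)
- return -1;
- return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
-}
-
-/* Extract an OCSP_SINGLERESP response with a given index */
-OCSP_SINGLERESP *
-OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
-{
- if (!bs)
- return NULL;
- return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
-}
-
-/* Look single response matching a given certificate ID */
-int
-OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
-{
- int i;
- STACK_OF(OCSP_SINGLERESP) *sresp;
- OCSP_SINGLERESP *single;
-
- if (!bs)
- return -1;
- if (last < 0)
- last = 0;
- else
- last++;
- sresp = bs->tbsResponseData->responses;
- for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
- single = sk_OCSP_SINGLERESP_value(sresp, i);
- if (!OCSP_id_cmp(id, single->certId))
- return i;
- }
- return -1;
-}
-
-/* Extract status information from an OCSP_SINGLERESP structure.
- * Note: the revtime and reason values are only set if the
- * certificate status is revoked. Returns numerical value of
- * status.
- */
-int
-OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
- ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd)
-{
- int ret;
- OCSP_CERTSTATUS *cst;
-
- if (!single)
- return -1;
- cst = single->certStatus;
- ret = cst->type;
- if (ret == V_OCSP_CERTSTATUS_REVOKED) {
- OCSP_REVOKEDINFO *rev = cst->value.revoked;
-
- if (revtime)
- *revtime = rev->revocationTime;
- if (reason) {
- if (rev->revocationReason)
- *reason = ASN1_ENUMERATED_get(
- rev->revocationReason);
- else
- *reason = -1;
- }
- }
- if (thisupd)
- *thisupd = single->thisUpdate;
- if (nextupd)
- *nextupd = single->nextUpdate;
- return ret;
-}
-
-/* This function combines the previous ones: look up a certificate ID and
- * if found extract status information. Return 0 is successful.
- */
-int
-OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
- int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd)
-{
- int i;
- OCSP_SINGLERESP *single;
-
- i = OCSP_resp_find(bs, id, -1);
- /* Maybe check for multiple responses and give an error? */
- if (i < 0)
- return 0;
- single = OCSP_resp_get0(bs, i);
- i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
- if (status)
- *status = i;
- return 1;
-}
-
-/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
- * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
- * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
- * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
- * parameter specifies the maximum age the thisUpdate field can be.
- */
-int
-OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
- ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
-{
- int ret = 1;
- time_t t_now, t_tmp;
-
- time(&t_now);
- /* Check thisUpdate is valid and not more than nsec in the future */
- if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
- OCSP_R_ERROR_IN_THISUPDATE_FIELD);
- ret = 0;
- } else {
- t_tmp = t_now + nsec;
- if (X509_cmp_time(thisupd, &t_tmp) > 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
- OCSP_R_STATUS_NOT_YET_VALID);
- ret = 0;
- }
-
- /* If maxsec specified check thisUpdate is not more than maxsec in the past */
- if (maxsec >= 0) {
- t_tmp = t_now - maxsec;
- if (X509_cmp_time(thisupd, &t_tmp) < 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
- OCSP_R_STATUS_TOO_OLD);
- ret = 0;
- }
- }
- }
-
- if (!nextupd)
- return ret;
-
- /* Check nextUpdate is valid and not more than nsec in the past */
- if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
- OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
- ret = 0;
- } else {
- t_tmp = t_now - nsec;
- if (X509_cmp_time(nextupd, &t_tmp) < 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
- OCSP_R_STATUS_EXPIRED);
- ret = 0;
- }
- }
-
- /* Also don't allow nextUpdate to precede thisUpdate */
- if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
- OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
- ret = 0;
- }
-
- return ret;
-}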
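--- a/src/lib/libcrypto/ocsp/ocsp_err.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* $OpenBSD: ocsp_err.c,v 1.7 2014/07/10 22:45:57 jsing Exp $ */
-/* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
-
-static ERR_STRING_DATA OCSP_str_functs[]= {
- {ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"},
- {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"},
- {ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"},
- {ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"},
- {ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"},
- {ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"},
- {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"},
- {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"},
- {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"},
- {ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"},
- {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"},
- {ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"},
- {ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"},
- {ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"},
- {ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"},
- {ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"},
- {ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"},
- {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"},
- {ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"},
- {0, NULL}
-};
-
-static ERR_STRING_DATA OCSP_str_reasons[]= {
- {ERR_REASON(OCSP_R_BAD_DATA) , "bad data"},
- {ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
- {ERR_REASON(OCSP_R_DIGEST_ERR) , "digest err"},
- {ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD), "error in nextupdate field"},
- {ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD), "error in thisupdate field"},
- {ERR_REASON(OCSP_R_ERROR_PARSING_URL) , "error parsing url"},
- {ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE), "missing ocspsigning usage"},
- {ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE), "nextupdate before thisupdate"},
- {ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE) , "not basic response"},
- {ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN), "no certificates in chain"},
- {ERR_REASON(OCSP_R_NO_CONTENT) , "no content"},
- {ERR_REASON(OCSP_R_NO_PUBLIC_KEY) , "no public key"},
- {ERR_REASON(OCSP_R_NO_RESPONSE_DATA) , "no response data"},
- {ERR_REASON(OCSP_R_NO_REVOKED_TIME) , "no revoked time"},
- {ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"},
- {ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED) , "request not signed"},
- {ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA), "response contains no revocation data"},
- {ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED) , "root ca not trusted"},
- {ERR_REASON(OCSP_R_SERVER_READ_ERROR) , "server read error"},
- {ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR), "server response error"},
- {ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR), "server response parse error"},
- {ERR_REASON(OCSP_R_SERVER_WRITE_ERROR) , "server write error"},
- {ERR_REASON(OCSP_R_SIGNATURE_FAILURE) , "signature failure"},
- {ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND), "signer certificate not found"},
- {ERR_REASON(OCSP_R_STATUS_EXPIRED) , "status expired"},
- {ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) , "status not yet valid"},
- {ERR_REASON(OCSP_R_STATUS_TOO_OLD) , "status too old"},
- {ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST), "unknown message digest"},
- {ERR_REASON(OCSP_R_UNKNOWN_NID) , "unknown nid"},
- {ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE), "unsupported requestorname type"},
- {0, NULL}
-};
-
-#endif
-
-void
-ERR_load_OCSP_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
- if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL) {
- ERR_load_strings(0, OCSP_str_functs);
- ERR_load_strings(0, OCSP_str_reasons);
- }
-#endif
-}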
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
deleted file mode 100644
index 7e69ad4fe0..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ /dev/null
@@ -1,607 +0,0 @@
1/* $OpenBSD: ocsp_ext.c,v 1.13 2014/10/28 05:46:56 miod Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <stdlib.h>
66#include <string.h>
67
68#include <openssl/objects.h>
69#include <openssl/ocsp.h>
70#include <openssl/x509.h>
71#include <openssl/x509v3.h>
72
73/* Standard wrapper functions for extensions */
74
75/* OCSP request extensions */
76
77int
78OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
79{
80 return X509v3_get_ext_count(x->tbsRequest->requestExtensions);
81}
82
83int
84OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
85{
86 return X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions, nid,
87 lastpos);
88}
89
90int
91OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
92{
93 return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj,
94 lastpos);
95}
96
97int
98OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
99{
100 return X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,
101 crit, lastpos);
102}
103
104X509_EXTENSION *
105OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
106{
107 return X509v3_get_ext(x->tbsRequest->requestExtensions, loc);
108}
109
110X509_EXTENSION *
111OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
112{
113 return X509v3_delete_ext(x->tbsRequest->requestExtensions, loc);
114}
115
116void *
117OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
118{
119 return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
120}
121
122int
123OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
124 unsigned long flags)
125{
126 return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value,
127 crit, flags);
128}
129
130int
131OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
132{
133 return X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex,
134 loc) != NULL;
135}
136
137/* Single extensions */
138
139int
140OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
141{
142 return X509v3_get_ext_count(x->singleRequestExtensions);
143}
144
145int
146OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
147{
148 return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
149}
150
151int
152OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
153{
154 return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
155}
156
157int
158OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
159{
160 return X509v3_get_ext_by_critical(x->singleRequestExtensions, crit,
161 lastpos);
162}
163
164X509_EXTENSION *
165OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
166{
167 return X509v3_get_ext(x->singleRequestExtensions, loc);
168}
169
170X509_EXTENSION *
171OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
172{
173 return X509v3_delete_ext(x->singleRequestExtensions, loc);
174}
175
176void *
177OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
178{
179 return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
180}
181
182int
183OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
184 unsigned long flags)
185{
186 return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
187 flags);
188}
189
190int
191OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
192{
193 return X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL;
194}
195
196/* OCSP Basic response */
197
198int
199OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
200{
201 return X509v3_get_ext_count(x->tbsResponseData->responseExtensions);
202}
203
204int
205OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
206{
207 return X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,
208 nid, lastpos);
209}
210
211int
212OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
213{
214 return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,
215 obj, lastpos);
216}
217
218int
219OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
220{
221 return X509v3_get_ext_by_critical(
222 x->tbsResponseData->responseExtensions, crit, lastpos);
223}
224
225X509_EXTENSION *
226OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
227{
228 return X509v3_get_ext(x->tbsResponseData->responseExtensions, loc);
229}
230
231X509_EXTENSION *
232OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
233{
234 return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc);
235}
236
237void *
238OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
239{
240 return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid,
241 crit, idx);
242}
243
244int
245OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
246 unsigned long flags)
247{
248 return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid,
249 value, crit, flags);
250}
251
252int
253OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
254{
255 return X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex,
256 loc) != NULL;
257}
258
259/* OCSP single response extensions */
260
261int
262OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
263{
264 return X509v3_get_ext_count(x->singleExtensions);
265}
266
267int
268OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
269{
270 return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
271}
272
273int
274OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
275 int lastpos)
276{
277 return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
278}
279
280int
281OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
282{
283 return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
284}
285
286X509_EXTENSION *
287OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
288{
289 return X509v3_get_ext(x->singleExtensions, loc);
290}
291
292X509_EXTENSION *
293OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
294{
295 return X509v3_delete_ext(x->singleExtensions, loc);
296}
297
298void *
299OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
300{
301 return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
302}
303
304int
305OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
306 unsigned long flags)
307{
308 return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
309}
310
311int
312OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
313{
314 return X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL;
315}
316
317/* also CRL Entry Extensions */
318#if 0
319ASN1_STRING *
320ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, void *data,
321 STACK_OF(ASN1_OBJECT) *sk)
322{
323 int i;
324 unsigned char *p, *b = NULL;
325
326 if (data) {
327 if ((i = i2d(data, NULL)) <= 0)
328 goto err;
329 if (!(b = p = malloc((unsigned int)i)))
330 goto err;
331 if (i2d(data, &p) <= 0)
332 goto err;
333 } else if (sk) {
334 if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk, NULL,
335 (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
336 IS_SEQUENCE)) <= 0)
337 goto err;
338 if (!(b = p = malloc((unsigned int)i)))
339 goto err;
340 if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk, &p,
341 (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE,
342 V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0)
343 goto err;
344 } else {
345 OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA);
346 goto err;
347 }
348 if (!s && !(s = ASN1_STRING_new()))
349 goto err;
350 if (!(ASN1_STRING_set(s, b, i)))
351 goto err;
352 free(b);
353 return s;
354
355err:
356 free(b);
357 return NULL;
358}
359#endif
360
361/* Nonce handling functions */
362
363/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
364 * a random nonce will be generated.
365 * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
366 * nonce, previous versions used the raw nonce.
367 */
368
369static int
370ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
371{
372 unsigned char *tmpval;
373 ASN1_OCTET_STRING os;
374 int ret = 0;
375
376 if (len <= 0)
377 len = OCSP_DEFAULT_NONCE_LENGTH;
378 /* Create the OCTET STRING manually by writing out the header and
379 * appending the content octets. This avoids an extra memory allocation
380 * operation in some cases. Applications should *NOT* do this because
381 * it relies on library internals.
382 */
383 os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
384 os.data = malloc(os.length);
385 if (os.data == NULL)
386 goto err;
387 tmpval = os.data;
388 ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
389 if (val)
390 memcpy(tmpval, val, len);
391 else
392 arc4random_buf(tmpval, len);
393 if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
394 X509V3_ADD_REPLACE))
395 goto err;
396 ret = 1;
397
398err:
399 free(os.data);
400 return ret;
401}
402
403/* Add nonce to an OCSP request */
404int
405OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
406{
407 return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
408}
409
410/* Same as above but for a response */
411int
412OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
413{
414 return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val,
415 len);
416}
417
418/* Check nonce validity in a request and response.
419 * Return value reflects result:
420 * 1: nonces present and equal.
421 * 2: nonces both absent.
422 * 3: nonce present in response only.
423 * 0: nonces both present and not equal.
424 * -1: nonce in request only.
425 *
426 * For most responders clients can check return > 0.
427 * If responder doesn't handle nonces return != 0 may be
428 * necessary. return == 0 is always an error.
429 */
430int
431OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
432{
433 /*
434 * Since we are only interested in the presence or absence of
435 * the nonce and comparing its value there is no need to use
436 * the X509V3 routines: this way we can avoid them allocating an
437 * ASN1_OCTET_STRING structure for the value which would be
438 * freed immediately anyway.
439 */
440 int req_idx, resp_idx;
441 X509_EXTENSION *req_ext, *resp_ext;
442
443 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
444 resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs,
445 NID_id_pkix_OCSP_Nonce, -1);
446 /* Check both absent */
447 if (req_idx < 0 && resp_idx < 0)
448 return 2;
449 /* Check in request only */
450 if (req_idx >= 0 && resp_idx < 0)
451 return -1;
452 /* Check in response but not request */
453 if (req_idx < 0 && resp_idx >= 0)
454 return 3;
455 /* Otherwise nonce in request and response so retrieve the extensions */
456 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
457 resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
458 if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
459 return 0;
460 return 1;
461}
462
463/* Copy the nonce value (if any) from an OCSP request to
464 * a response.
465 */
466int
467OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
468{
469 X509_EXTENSION *req_ext;
470 int req_idx;
471
472 /* Check for nonce in request */
473 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
474 /* If no nonce that's OK */
475 if (req_idx < 0)
476 return 2;
477 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
478 return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
479}
480
481X509_EXTENSION *
482OCSP_crlID_new(char *url, long *n, char *tim)
483{
484 X509_EXTENSION *x = NULL;
485 OCSP_CRLID *cid = NULL;
486
487 if (!(cid = OCSP_CRLID_new()))
488 goto err;
489 if (url) {
490 if (!(cid->crlUrl = ASN1_IA5STRING_new()))
491 goto err;
492 if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
493 goto err;
494 }
495 if (n) {
496 if (!(cid->crlNum = ASN1_INTEGER_new()))
497 goto err;
498 if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
499 goto err;
500 }
501 if (tim) {
502 if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new()))
503 goto err;
504 if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
505 goto err;
506 }
507 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
508
509err:
510 if (cid)
511 OCSP_CRLID_free(cid);
512 return x;
513}
514
515/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
516X509_EXTENSION *
517OCSP_accept_responses_new(char **oids)
518{
519 int nid;
520 STACK_OF(ASN1_OBJECT) *sk = NULL;
521 ASN1_OBJECT *o = NULL;
522 X509_EXTENSION *x = NULL;
523
524 if (!(sk = sk_ASN1_OBJECT_new_null()))
525 return NULL;
526 while (oids && *oids) {
527 if ((nid = OBJ_txt2nid(*oids)) != NID_undef &&
528 (o = OBJ_nid2obj(nid)))
529 if (sk_ASN1_OBJECT_push(sk, o) == 0) {
530 sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
531 return NULL;
532 }
533 oids++;
534 }
535 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
536 sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
537 return x;
538}
539
540/* ArchiveCutoff ::= GeneralizedTime */
541X509_EXTENSION *
542OCSP_archive_cutoff_new(char* tim)
543{
544 X509_EXTENSION *x = NULL;
545 ASN1_GENERALIZEDTIME *gt = NULL;
546
547 if (!(gt = ASN1_GENERALIZEDTIME_new()))
548 return NULL;
549 if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
550 goto err;
551 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
552
553err:
554 if (gt)
555 ASN1_GENERALIZEDTIME_free(gt);
556 return x;
557}
558
559/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
560 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This
561 * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
562 */
563X509_EXTENSION *
564OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
565{
566 X509_EXTENSION *x = NULL;
567 ASN1_IA5STRING *ia5 = NULL;
568 OCSP_SERVICELOC *sloc = NULL;
569 ACCESS_DESCRIPTION *ad = NULL;
570
571 if (!(sloc = OCSP_SERVICELOC_new()))
572 goto err;
573 if (!(sloc->issuer = X509_NAME_dup(issuer)))
574 goto err;
575 if (urls && *urls &&
576 !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null()))
577 goto err;
578 while (urls && *urls) {
579 if (!(ad = ACCESS_DESCRIPTION_new()))
580 goto err;
581 if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP)))
582 goto err;
583 if (!(ad->location = GENERAL_NAME_new()))
584 goto err;
585 if (!(ia5 = ASN1_IA5STRING_new()))
586 goto err;
587 if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1))
588 goto err;
589 ad->location->type = GEN_URI;
590 ad->location->d.ia5 = ia5;
591 ia5 = NULL;
592 if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
593 goto err;
594 ad = NULL;
595 urls++;
596 }
597 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
598
599err:
600 if (ia5)
601 ASN1_IA5STRING_free(ia5);
602 if (ad)
603 ACCESS_DESCRIPTION_free(ad);
604 if (sloc)
605 OCSP_SERVICELOC_free(sloc);
606 return x;
607}
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
deleted file mode 100644
index 4d21543396..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ /dev/null
@@ -1,463 +0,0 @@
1/* $OpenBSD: ocsp_ht.c,v 1.22 2014/10/03 06:02:38 doug Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <ctype.h>
62#include <string.h>
63#include <openssl/asn1.h>
64#include <openssl/ocsp.h>
65#include <openssl/err.h>
66#include <openssl/buffer.h>
67
68/* Stateful OCSP request code, supporting non-blocking I/O */
69
70/* Opaque OCSP request status structure */
71
72struct ocsp_req_ctx_st {
73 int state; /* Current I/O state */
74 unsigned char *iobuf; /* Line buffer */
75 int iobuflen; /* Line buffer length */
76 BIO *io; /* BIO to perform I/O with */
77 BIO *mem; /* Memory BIO response is built into */
78 unsigned long asn1_len; /* ASN1 length of response */
79};
80
81#define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
82#define OCSP_MAX_LINE_LEN 4096;
83
84/* OCSP states */
85
86/* If set no reading should be performed */
87#define OHS_NOREAD 0x1000
88/* Error condition */
89#define OHS_ERROR (0 | OHS_NOREAD)
90/* First line being read */
91#define OHS_FIRSTLINE 1
92/* MIME headers being read */
93#define OHS_HEADERS 2
94/* OCSP initial header (tag + length) being read */
95#define OHS_ASN1_HEADER 3
96/* OCSP content octets being read */
97#define OHS_ASN1_CONTENT 4
98/* Request being sent */
99#define OHS_ASN1_WRITE (6 | OHS_NOREAD)
100/* Request being flushed */
101#define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
102/* Completed */
103#define OHS_DONE (8 | OHS_NOREAD)
104
105
106static int parse_http_line1(char *line);
107
108void
109OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
110{
111 if (rctx == NULL)
112 return;
113
114 BIO_free(rctx->mem);
115 free(rctx->iobuf);
116 free(rctx);
117}
118
119int
120OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
121{
122 if (BIO_printf(rctx->mem, "Content-Type: application/ocsp-request\r\n"
123 "Content-Length: %d\r\n\r\n", i2d_OCSP_REQUEST(req, NULL)) <= 0)
124 return 0;
125 if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
126 return 0;
127 rctx->state = OHS_ASN1_WRITE;
128 rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
129 return 1;
130}
131
132int
133OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
134 const char *value)
135{
136 if (!name)
137 return 0;
138 if (BIO_puts(rctx->mem, name) <= 0)
139 return 0;
140 if (value) {
141 if (BIO_write(rctx->mem, ": ", 2) != 2)
142 return 0;
143 if (BIO_puts(rctx->mem, value) <= 0)
144 return 0;
145 }
146 if (BIO_write(rctx->mem, "\r\n", 2) != 2)
147 return 0;
148 return 1;
149}
150
151OCSP_REQ_CTX *
152OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline)
153{
154 OCSP_REQ_CTX *rctx;
155
156 rctx = malloc(sizeof(OCSP_REQ_CTX));
157 if (rctx == NULL)
158 return NULL;
159 rctx->state = OHS_ERROR;
160 rctx->mem = BIO_new(BIO_s_mem());
161 rctx->io = io;
162 rctx->asn1_len = 0;
163 if (maxline > 0)
164 rctx->iobuflen = maxline;
165 else
166 rctx->iobuflen = OCSP_MAX_LINE_LEN;
167 rctx->iobuf = malloc(rctx->iobuflen);
168 if (!rctx->iobuf) {
169 BIO_free(rctx->mem);
170 free(rctx);
171 return NULL;
172 }
173 if (!path)
174 path = "/";
175
176 if (BIO_printf(rctx->mem, "POST %s HTTP/1.0\r\n", path) <= 0) {
177 free(rctx->iobuf);
178 BIO_free(rctx->mem);
179 free(rctx);
180 return NULL;
181 }
182
183 if (req && !OCSP_REQ_CTX_set1_req(rctx, req)) {
184 free(rctx->iobuf);
185 BIO_free(rctx->mem);
186 free(rctx);
187 return NULL;
188 }
189
190 return rctx;
191}
192
193/* Parse the HTTP response. This will look like this:
194 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
195 * (optional) informational message.
196 */
197static int
198parse_http_line1(char *line)
199{
200 int retcode;
201 char *p, *q, *r;
202
203 /* Skip to first white space (passed protocol info) */
204 for (p = line; *p && !isspace((unsigned char)*p); p++)
205 continue;
206 if (!*p) {
207 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
208 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
209 return 0;
210 }
211
212 /* Skip past white space to start of response code */
213 while (*p && isspace((unsigned char)*p))
214 p++;
215 if (!*p) {
216 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
217 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
218 return 0;
219 }
220
221 /* Find end of response code: first whitespace after start of code */
222 for (q = p; *q && !isspace((unsigned char)*q); q++)
223 continue;
224 if (!*q) {
225 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
226 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
227 return 0;
228 }
229
230 /* Set end of response code and start of message */
231 *q++ = 0;
232
233 /* Attempt to parse numeric code */
234 retcode = strtoul(p, &r, 10);
235
236 if (*r)
237 return 0;
238
239 /* Skip over any leading white space in message */
240 while (*q && isspace((unsigned char)*q))
241 q++;
242 if (*q) {
243 /* Finally zap any trailing white space in message (include
244 * CRLF) */
245
246 /* We know q has a non white space character so this is OK */
247 for (r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
248 *r = 0;
249 }
250 if (retcode != 200) {
251 OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
252 if (!*q)
253 ERR_asprintf_error_data("Code=%s", p);
254 else
255 ERR_asprintf_error_data("Code=%s,Reason=%s", p, q);
256 return 0;
257 }
258
259 return 1;
260}
261
262int
263OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
264{
265 int i, n;
266 const unsigned char *p;
267
268next_io:
269 if (!(rctx->state & OHS_NOREAD)) {
270 n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
271
272 if (n <= 0) {
273 if (BIO_should_retry(rctx->io))
274 return -1;
275 return 0;
276 }
277
278 /* Write data to memory BIO */
279 if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
280 return 0;
281 }
282
283 switch (rctx->state) {
284 case OHS_ASN1_WRITE:
285 n = BIO_get_mem_data(rctx->mem, &p);
286 i = BIO_write(rctx->io,
287 p + (n - rctx->asn1_len), rctx->asn1_len);
288 if (i <= 0) {
289 if (BIO_should_retry(rctx->io))
290 return -1;
291 rctx->state = OHS_ERROR;
292 return 0;
293 }
294
295 rctx->asn1_len -= i;
296 if (rctx->asn1_len > 0)
297 goto next_io;
298
299 rctx->state = OHS_ASN1_FLUSH;
300
301 (void)BIO_reset(rctx->mem);
302 /* FALLTHROUGH */
303
304 case OHS_ASN1_FLUSH:
305 i = BIO_flush(rctx->io);
306 if (i > 0) {
307 rctx->state = OHS_FIRSTLINE;
308 goto next_io;
309 }
310
311 if (BIO_should_retry(rctx->io))
312 return -1;
313
314 rctx->state = OHS_ERROR;
315 return 0;
316
317 case OHS_ERROR:
318 return 0;
319
320 case OHS_FIRSTLINE:
321 case OHS_HEADERS:
322 /* Attempt to read a line in */
323next_line:
324 /* Due to &%^*$" memory BIO behaviour with BIO_gets we
325 * have to check there's a complete line in there before
326 * calling BIO_gets or we'll just get a partial read.
327 */
328 n = BIO_get_mem_data(rctx->mem, &p);
329 if ((n <= 0) || !memchr(p, '\n', n)) {
330 if (n >= rctx->iobuflen) {
331 rctx->state = OHS_ERROR;
332 return 0;
333 }
334 goto next_io;
335 }
336 n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
337 if (n <= 0) {
338 if (BIO_should_retry(rctx->mem))
339 goto next_io;
340 rctx->state = OHS_ERROR;
341 return 0;
342 }
343
344 /* Don't allow excessive lines */
345 if (n == rctx->iobuflen) {
346 rctx->state = OHS_ERROR;
347 return 0;
348 }
349
350 /* First line */
351 if (rctx->state == OHS_FIRSTLINE) {
352 if (parse_http_line1((char *)rctx->iobuf)) {
353 rctx->state = OHS_HEADERS;
354 goto next_line;
355 } else {
356 rctx->state = OHS_ERROR;
357 return 0;
358 }
359 } else {
360 /* Look for blank line: end of headers */
361 for (p = rctx->iobuf; *p; p++) {
362 if ((*p != '\r') && (*p != '\n'))
363 break;
364 }
365 if (*p)
366 goto next_line;
367
368 rctx->state = OHS_ASN1_HEADER;
369 }
370 /* FALLTRHOUGH */
371
372 case OHS_ASN1_HEADER:
373 /* Now reading ASN1 header: can read at least 2 bytes which
374 * is enough for ASN1 SEQUENCE header and either length field
375 * or at least the length of the length field.
376 */
377 n = BIO_get_mem_data(rctx->mem, &p);
378 if (n < 2)
379 goto next_io;
380
381 /* Check it is an ASN1 SEQUENCE */
382 if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
383 rctx->state = OHS_ERROR;
384 return 0;
385 }
386
387 /* Check out length field */
388 if (*p & 0x80) {
389 /* If MSB set on initial length octet we can now
390 * always read 6 octets: make sure we have them.
391 */
392 if (n < 6)
393 goto next_io;
394 n = *p & 0x7F;
395 /* Not NDEF or excessive length */
396 if (!n || (n > 4)) {
397 rctx->state = OHS_ERROR;
398 return 0;
399 }
400 p++;
401 rctx->asn1_len = 0;
402 for (i = 0; i < n; i++) {
403 rctx->asn1_len <<= 8;
404 rctx->asn1_len |= *p++;
405 }
406
407 if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) {
408 rctx->state = OHS_ERROR;
409 return 0;
410 }
411
412 rctx->asn1_len += n + 2;
413 } else
414 rctx->asn1_len = *p + 2;
415
416 rctx->state = OHS_ASN1_CONTENT;
417
418 /* FALLTHROUGH */
419
420 case OHS_ASN1_CONTENT:
421 n = BIO_get_mem_data(rctx->mem, &p);
422 if (n < (int)rctx->asn1_len)
423 goto next_io;
424
425 *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
426 if (*presp) {
427 rctx->state = OHS_DONE;
428 return 1;
429 }
430
431 rctx->state = OHS_ERROR;
432 return 0;
433
434 case OHS_DONE:
435 return 1;
436 }
437
438 return 0;
439}
440
441/* Blocking OCSP request handler: now a special case of non-blocking I/O */
442OCSP_RESPONSE *
443OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
444{
445 OCSP_RESPONSE *resp = NULL;
446 OCSP_REQ_CTX *ctx;
447 int rv;
448
449 ctx = OCSP_sendreq_new(b, path, req, -1);
450 if (ctx == NULL)
451 return NULL;
452
453 do {
454 rv = OCSP_sendreq_nbio(&resp, ctx);
455 } while ((rv == -1) && BIO_should_retry(b));
456
457 OCSP_REQ_CTX_free(ctx);
458
459 if (rv)
460 return resp;
461
462 return NULL;
463}
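diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
deleted file mode 100644
index be5bf7dab5..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ /dev/null
@@ -1,282 +0,0 @@
-/* $OpenBSD: ocsp_lib.c,v 1.18 2015/02/10 05:25:45 jsing Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-/* Convert a certificate and its issuer to an OCSP_CERTID */
-
-OCSP_CERTID *
-OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
-{
- X509_NAME *iname;
- ASN1_INTEGER *serial;
- ASN1_BIT_STRING *ikey;
-
-#ifndef OPENSSL_NO_SHA1
- if (!dgst)
- dgst = EVP_sha1();
-#endif
- if (subject) {
- iname = X509_get_issuer_name(subject);
- serial = X509_get_serialNumber(subject);
- } else {
- iname = X509_get_subject_name(issuer);
- serial = NULL;
- }
- ikey = X509_get0_pubkey_bitstr(issuer);
- return OCSP_cert_id_new(dgst, iname, ikey, serial);
-}
-
-OCSP_CERTID *
-OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
- ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber)
-{
- int nid;
- unsigned int i;
- X509_ALGOR *alg;
- OCSP_CERTID *cid = NULL;
- unsigned char md[EVP_MAX_MD_SIZE];
-
- if (!(cid = OCSP_CERTID_new()))
- goto err;
-
- alg = cid->hashAlgorithm;
- if (alg->algorithm != NULL)
- ASN1_OBJECT_free(alg->algorithm);
- if ((nid = EVP_MD_type(dgst)) == NID_undef) {
- OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID);
- goto err;
- }
- if (!(alg->algorithm = OBJ_nid2obj(nid)))
- goto err;
- if ((alg->parameter = ASN1_TYPE_new()) == NULL)
- goto err;
- alg->parameter->type = V_ASN1_NULL;
-
- if (!X509_NAME_digest(issuerName, dgst, md, &i))
- goto digerr;
- if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
- goto err;
-
- /* Calculate the issuerKey hash, excluding tag and length */
- if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
- goto err;
-
- if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
- goto err;
-
- if (serialNumber) {
- ASN1_INTEGER_free(cid->serialNumber);
- if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
- goto err;
- }
- return cid;
-
-digerr:
- OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR);
-err:
- if (cid)
- OCSP_CERTID_free(cid);
- return NULL;
-}
-
-int
-OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
-{
- int ret;
-
- ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
- if (ret)
- return ret;
- ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
- if (ret)
- return ret;
- return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
-}
-
-int
-OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
-{
- int ret;
-
- ret = OCSP_id_issuer_cmp(a, b);
- if (ret)
- return ret;
- return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
-}
-
-/* Parse a URL and split it up into host, port and path components and whether
- * it is SSL.
- */
-int
-OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
-{
- char *p, *buf;
- char *host, *port;
-
- *phost = NULL;
- *pport = NULL;
- *ppath = NULL;
-
- /* dup the buffer since we are going to mess with it */
- buf = url ? strdup(url) : NULL;
- if (!buf)
- goto mem_err;
-
- /* Check for initial colon */
- p = strchr(buf, ':');
- if (!p)
- goto parse_err;
-
- *(p++) = '\0';
-
- if (!strcmp(buf, "http")) {
- *pssl = 0;
- port = "80";
- } else if (!strcmp(buf, "https")) {
- *pssl = 1;
- port = "443";
- } else
- goto parse_err;
-
- /* Check for double slash */
- if ((p[0] != '/') || (p[1] != '/'))
- goto parse_err;
-
- p += 2;
-
- host = p;
-
- /* Check for trailing part of path */
- p = strchr(p, '/');
- if (!p)
- *ppath = strdup("/");
- else {
- *ppath = strdup(p);
- /* Set start of path to 0 so hostname is valid */
- *p = '\0';
- }
-
- if (!*ppath)
- goto mem_err;
-
- /* Look for optional ':' for port number */
- if ((p = strchr(host, ':'))) {
- *p = 0;
- port = p + 1;
- } else {
- /* Not found: set default port */
- if (*pssl)
- port = "443";
- else
- port = "80";
- }
-
- *pport = strdup(port);
- if (!*pport)
- goto mem_err;
-
- *phost = strdup(host);
-
- if (!*phost)
- goto mem_err;
-
- free(buf);
-
- return 1;
-
-mem_err:
- OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
- goto err;
-
-parse_err:
- OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
-
-err:
- free(buf);
- free(*ppath);
- free(*pport);
- free(*phost);
- *phost = NULL;
- *pport = NULL;
- *ppath = NULL;
- return 0;
-}
-
-
-OCSP_CERTID *
-OCSP_CERTID_dup(OCSP_CERTID *x)
-{
- return ASN1_item_dup(&OCSP_CERTID_it, x);
-}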
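diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
deleted file mode 100644
index 362d480926..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/* $OpenBSD: ocsp_prn.c,v 1.7 2014/06/12 15:49:30 deraadt Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was originally part of ocsp.c and was transfered to Richard
- Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
- in OpenSSL or released as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-
-static int
-ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
-{
- BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
- indent += 2;
- BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
- i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
- BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
- i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
- BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
- i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
- BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
- i2a_ASN1_INTEGER(bp, a->serialNumber);
- BIO_printf(bp, "\n");
- return 1;
-}
-
-typedef struct {
- long t;
- const char *m;
-} OCSP_TBLSTR;
-
-static const char *
-table2string(long s, const OCSP_TBLSTR *ts, int len)
-{
- const OCSP_TBLSTR *p;
-
- for (p = ts; p < ts + len; p++)
- if (p->t == s)
- return p->m;
- return "(UNKNOWN)";
-}
-
-const char *
-OCSP_response_status_str(long s)
-{
- static const OCSP_TBLSTR rstat_tbl[] = {
- { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
- { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
- { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
- { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
- { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
- { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" }
- };
- return table2string(s, rstat_tbl, 6);
-}
-
-const char *
-OCSP_cert_status_str(long s)
-{
- static const OCSP_TBLSTR cstat_tbl[] = {
- { V_OCSP_CERTSTATUS_GOOD, "good" },
- { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
- { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" }
- };
- return table2string(s, cstat_tbl, 3);
-}
-
-const char *
-OCSP_crl_reason_str(long s)
-{
- static const OCSP_TBLSTR reason_tbl[] = {
- { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
- { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
- { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
- { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
- { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
- { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
- { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
- { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" }
- };
- return table2string(s, reason_tbl, 8);
-}
-
-int
-OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
-{
- int i;
- long l;
- OCSP_CERTID* cid = NULL;
- OCSP_ONEREQ *one = NULL;
- OCSP_REQINFO *inf = o->tbsRequest;
- OCSP_SIGNATURE *sig = o->optionalSignature;
-
- if (BIO_write(bp, "OCSP Request Data:\n", 19) <= 0)
- goto err;
- l = ASN1_INTEGER_get(inf->version);
- if (BIO_printf(bp, " Version: %lu (0x%lx)", l+1, l) <= 0)
- goto err;
- if (inf->requestorName != NULL) {
- if (BIO_write(bp, "\n Requestor Name: ", 21) <= 0)
- goto err;
- GENERAL_NAME_print(bp, inf->requestorName);
- }
- if (BIO_write(bp, "\n Requestor List:\n", 21) <= 0)
- goto err;
- for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) {
- one = sk_OCSP_ONEREQ_value(inf->requestList, i);
- cid = one->reqCert;
- ocsp_certid_print(bp, cid, 8);
- if (!X509V3_extensions_print(bp, "Request Single Extensions",
- one->singleRequestExtensions, flags, 8))
- goto err;
- }
- if (!X509V3_extensions_print(bp, "Request Extensions",
- inf->requestExtensions, flags, 4))
- goto err;
- if (sig) {
- X509_signature_print(bp, sig->signatureAlgorithm,
- sig->signature);
- for (i = 0; i < sk_X509_num(sig->certs); i++) {
- X509_print(bp, sk_X509_value(sig->certs, i));
- PEM_write_bio_X509(bp, sk_X509_value(sig->certs, i));
- }
- }
- return 1;
-
-err:
- return 0;
-}
-
-int
-OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
-{
- int i, ret = 0;
- long l;
- OCSP_CERTID *cid = NULL;
- OCSP_BASICRESP *br = NULL;
- OCSP_RESPID *rid = NULL;
- OCSP_RESPDATA *rd = NULL;
- OCSP_CERTSTATUS *cst = NULL;
- OCSP_REVOKEDINFO *rev = NULL;
- OCSP_SINGLERESP *single = NULL;
- OCSP_RESPBYTES *rb = o->responseBytes;
-
- if (BIO_puts(bp, "OCSP Response Data:\n") <= 0)
- goto err;
- l = ASN1_ENUMERATED_get(o->responseStatus);
- if (BIO_printf(bp, " OCSP Response Status: %s (0x%lx)\n",
- OCSP_response_status_str(l), l) <= 0)
- goto err;
- if (rb == NULL)
- return 1;
- if (BIO_puts(bp, " Response Type: ") <= 0)
- goto err;
- if (i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
- goto err;
- if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
- BIO_puts(bp, " (unknown response type)\n");
- return 1;
- }
-
- i = ASN1_STRING_length(rb->response);
- if (!(br = OCSP_response_get1_basic(o)))
- goto err;
- rd = br->tbsResponseData;
- l = ASN1_INTEGER_get(rd->version);
- if (BIO_printf(bp, "\n Version: %lu (0x%lx)\n", l+1, l) <= 0)
- goto err;
- if (BIO_puts(bp, " Responder Id: ") <= 0)
- goto err;
-
- rid = rd->responderId;
- switch (rid->type) {
- case V_OCSP_RESPID_NAME:
- X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
- break;
- case V_OCSP_RESPID_KEY:
- i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
- break;
- }
-
- if (BIO_printf(bp, "\n Produced At: ")<=0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt))
- goto err;
- if (BIO_printf(bp, "\n Responses:\n") <= 0)
- goto err;
- for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
- if (! sk_OCSP_SINGLERESP_value(rd->responses, i))
- continue;
- single = sk_OCSP_SINGLERESP_value(rd->responses, i);
- cid = single->certId;
- if (ocsp_certid_print(bp, cid, 4) <= 0)
- goto err;
- cst = single->certStatus;
- if (BIO_printf(bp, " Cert Status: %s",
- OCSP_cert_status_str(cst->type)) <= 0)
- goto err;
- if (cst->type == V_OCSP_CERTSTATUS_REVOKED) {
- rev = cst->value.revoked;
- if (BIO_printf(bp, "\n Revocation Time: ") <= 0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp,
- rev->revocationTime))
- goto err;
- if (rev->revocationReason) {
- l = ASN1_ENUMERATED_get(rev->revocationReason);
- if (BIO_printf(bp,
- "\n Revocation Reason: %s (0x%lx)",
- OCSP_crl_reason_str(l), l) <= 0)
- goto err;
- }
- }
- if (BIO_printf(bp, "\n This Update: ") <= 0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate))
- goto err;
- if (single->nextUpdate) {
- if (BIO_printf(bp, "\n Next Update: ") <= 0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, single->nextUpdate))
- goto err;
- }
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- if (!X509V3_extensions_print(bp, "Response Single Extensions",
- single->singleExtensions, flags, 8))
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- if (!X509V3_extensions_print(bp, "Response Extensions",
- rd->responseExtensions, flags, 4))
- goto err;
- if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <=
- 0)
- goto err;
-
- for (i = 0; i < sk_X509_num(br->certs); i++) {
- X509_print(bp, sk_X509_value(br->certs, i));
- PEM_write_bio_X509(bp, sk_X509_value(br->certs, i));
- }
-
- ret = 1;
-
-err:
- OCSP_BASICRESP_free(br);
- return ret;
-}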
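diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
deleted file mode 100644
index 8f28916757..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-/* Utility functions related to sending OCSP responses and extracting
- * relevant information from the request.
- */
-
-int
-OCSP_request_onereq_count(OCSP_REQUEST *req)
-{
- return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
-}
-
-OCSP_ONEREQ *
-OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
-{
- return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
-}
-
-OCSP_CERTID *
-OCSP_onereq_get0_id(OCSP_ONEREQ *one)
-{
- return one->reqCert;
-}
-
-int
-OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid)
-{
- if (!cid)
- return 0;
- if (pmd)
- *pmd = cid->hashAlgorithm->algorithm;
- if (piNameHash)
- *piNameHash = cid->issuerNameHash;
- if (pikeyHash)
- *pikeyHash = cid->issuerKeyHash;
- if (pserial)
- *pserial = cid->serialNumber;
- return 1;
-}
-
-int
-OCSP_request_is_signed(OCSP_REQUEST *req)
-{
- if (req->optionalSignature)
- return 1;
- return 0;
-}
-
-/* Create an OCSP response and encode an optional basic response */
-OCSP_RESPONSE *
-OCSP_response_create(int status, OCSP_BASICRESP *bs)
-{
- OCSP_RESPONSE *rsp = NULL;
-
- if (!(rsp = OCSP_RESPONSE_new()))
- goto err;
- if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
- goto err;
- if (!bs)
- return rsp;
- if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
- goto err;
- rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
- if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP),
- &rsp->responseBytes->response))
- goto err;
- return rsp;
-
-err:
- if (rsp)
- OCSP_RESPONSE_free(rsp);
- return NULL;
-}
-
-OCSP_SINGLERESP *
-OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status,
- int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd)
-{
- OCSP_SINGLERESP *single = NULL;
- OCSP_CERTSTATUS *cs;
- OCSP_REVOKEDINFO *ri;
-
- if (!rsp->tbsResponseData->responses &&
- !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
- goto err;
-
- if (!(single = OCSP_SINGLERESP_new()))
- goto err;
-
- if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
- goto err;
- if (nextupd &&
- !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
- goto err;
-
- OCSP_CERTID_free(single->certId);
-
- if (!(single->certId = OCSP_CERTID_dup(cid)))
- goto err;
-
- cs = single->certStatus;
- switch (cs->type = status) {
- case V_OCSP_CERTSTATUS_REVOKED:
- if (!revtime) {
- OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,
- OCSP_R_NO_REVOKED_TIME);
- goto err;
- }
- if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
- goto err;
- if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
- goto err;
- if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
- if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
- goto err;
- if (!(ASN1_ENUMERATED_set(ri->revocationReason,
- reason)))
- goto err;
- }
- break;
-
- case V_OCSP_CERTSTATUS_GOOD:
- cs->value.good = ASN1_NULL_new();
- break;
-
- case V_OCSP_CERTSTATUS_UNKNOWN:
- cs->value.unknown = ASN1_NULL_new();
- break;
-
- default:
- goto err;
- }
- if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
- goto err;
- return single;
-
-err:
- OCSP_SINGLERESP_free(single);
- return NULL;
-}
-
-/* Add a certificate to an OCSP request */
-int
-OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
-{
- if (!resp->certs && !(resp->certs = sk_X509_new_null()))
- return 0;
-
- if (!sk_X509_push(resp->certs, cert))
- return 0;
- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
- return 1;
-}
-
-int
-OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-{
- int i;
- OCSP_RESPID *rid;
-
- if (!X509_check_private_key(signer, key)) {
- OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
- OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
- goto err;
- }
-
- if (!(flags & OCSP_NOCERTS)) {
- if (!OCSP_basic_add1_cert(brsp, signer))
- goto err;
- for (i = 0; i < sk_X509_num(certs); i++) {
- X509 *tmpcert = sk_X509_value(certs, i);
- if (!OCSP_basic_add1_cert(brsp, tmpcert))
- goto err;
- }
- }
-
- rid = brsp->tbsResponseData->responderId;
- if (flags & OCSP_RESPID_KEY) {
- unsigned char md[SHA_DIGEST_LENGTH];
-
- X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
- if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
- goto err;
- if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md,
- SHA_DIGEST_LENGTH)))
- goto err;
- rid->type = V_OCSP_RESPID_KEY;
- } else {
- if (!X509_NAME_set(&rid->value.byName,
- X509_get_subject_name(signer)))
- goto err;
- rid->type = V_OCSP_RESPID_NAME;
- }
-
- if (!(flags & OCSP_NOTIME) &&
- !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
- goto err;
-
- /* Right now, I think that not doing double hashing is the right
- thing. -- Richard Levitte */
-
- if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
- goto err;
-
- return 1;
-
-err:
- return 0;
-}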
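--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.12 2014/07/09 19:08:10 tedu Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/ocsp.h>
-#include <openssl/err.h>
-#include <string.h>
-
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
- STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
- unsigned long flags);
-static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
- STACK_OF(OCSP_SINGLERESP) *sresp);
-static int ocsp_check_delegated(X509 *x, int flags);
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
- X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st,
- unsigned long flags);
-
-/* Verify a basic response message */
-int
-OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
- unsigned long flags)
-{
- X509 *signer, *x;
- STACK_OF(X509) *chain = NULL;
- X509_STORE_CTX ctx;
- int i, ret = 0;
-
- ret = ocsp_find_signer(&signer, bs, certs, st, flags);
- if (!ret) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- goto end;
- }
- if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
- flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS)) {
- EVP_PKEY *skey;
-
- skey = X509_get_pubkey(signer);
- if (skey) {
- ret = OCSP_BASICRESP_verify(bs, skey, 0);
- EVP_PKEY_free(skey);
- }
- if (!skey || ret <= 0) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_SIGNATURE_FAILURE);
- goto end;
- }
- }
- if (!(flags & OCSP_NOVERIFY)) {
- int init_res;
-
- if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, st, signer,
- bs->certs);
- if (!init_res) {
- ret = -1;
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
- goto end;
- }
-
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- ret = X509_verify_cert(&ctx);
- chain = X509_STORE_CTX_get1_chain(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0) {
- i = X509_STORE_CTX_get_error(&ctx);
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_asprintf_error_data("Verify error:%s",
- X509_verify_cert_error_string(i));
- goto end;
- }
- if (flags & OCSP_NOCHECKS) {
- ret = 1;
- goto end;
- }
- /* At this point we have a valid certificate chain
- * need to verify it against the OCSP issuer criteria.
- */
- ret = ocsp_check_issuer(bs, chain, flags);
-
- /* If fatal error or valid match then finish */
- if (ret != 0)
- goto end;
-
- /* Easy case: explicitly trusted. Get root CA and
- * check for explicit trust
- */
- if (flags & OCSP_NOEXPLICIT)
- goto end;
-
- x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- if (X509_check_trust(x, NID_OCSP_sign, 0) !=
- X509_TRUST_TRUSTED) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_ROOT_CA_NOT_TRUSTED);
- goto end;
- }
- ret = 1;
- }
-
-end:
- if (chain)
- sk_X509_pop_free(chain, X509_free);
- return ret;
-}
-
-static int
-ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
-{
- X509 *signer;
- OCSP_RESPID *rid = bs->tbsResponseData->responderId;
-
- if ((signer = ocsp_find_signer_sk(certs, rid))) {
- *psigner = signer;
- return 2;
- }
- if (!(flags & OCSP_NOINTERN) &&
- (signer = ocsp_find_signer_sk(bs->certs, rid))) {
- *psigner = signer;
- return 1;
- }
- /* Maybe lookup from store if by subject name */
-
- *psigner = NULL;
- return 0;
-}
-
-static X509 *
-ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
-{
- int i;
- unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
- X509 *x;
-
- /* Easy if lookup by name */
- if (id->type == V_OCSP_RESPID_NAME)
- return X509_find_by_subject(certs, id->value.byName);
-
- /* Lookup by key hash */
-
- /* If key hash isn't SHA1 length then forget it */
- if (id->value.byKey->length != SHA_DIGEST_LENGTH)
- return NULL;
- keyhash = id->value.byKey->data;
- /* Calculate hash of each key and compare */
- for (i = 0; i < sk_X509_num(certs); i++) {
- x = sk_X509_value(certs, i);
- X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
- if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
- return x;
- }
- return NULL;
-}
-
-static int
-ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
- unsigned long flags)
-{
- STACK_OF(OCSP_SINGLERESP) *sresp;
- X509 *signer, *sca;
- OCSP_CERTID *caid = NULL;
- int i;
-
- sresp = bs->tbsResponseData->responses;
-
- if (sk_X509_num(chain) <= 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_ISSUER,
- OCSP_R_NO_CERTIFICATES_IN_CHAIN);
- return -1;
- }
-
- /* See if the issuer IDs match. */
- i = ocsp_check_ids(sresp, &caid);
-
- /* If ID mismatch or other error then return */
- if (i <= 0)
- return i;
-
- signer = sk_X509_value(chain, 0);
- /* Check to see if OCSP responder CA matches request CA */
- if (sk_X509_num(chain) > 1) {
- sca = sk_X509_value(chain, 1);
- i = ocsp_match_issuerid(sca, caid, sresp);
- if (i < 0)
- return i;
- if (i) {
- /* We have a match, if extensions OK then success */
- if (ocsp_check_delegated(signer, flags))
- return 1;
- return 0;
- }
- }
-
- /* Otherwise check if OCSP request signed directly by request CA */
- return ocsp_match_issuerid(signer, caid, sresp);
-}
-
-/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
- * algorithm then there's no point trying to match any certificates against the issuer.
- * If the issuer IDs all match then we just need to check equality against one of them.
- */
-static int
-ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
-{
- OCSP_CERTID *tmpid, *cid;
- int i, idcount;
-
- idcount = sk_OCSP_SINGLERESP_num(sresp);
- if (idcount <= 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_IDS,
- OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
- return -1;
- }
-
- cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
-
- *ret = NULL;
-
- for (i = 1; i < idcount; i++) {
- tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
- /* Check to see if IDs match */
- if (OCSP_id_issuer_cmp(cid, tmpid)) {
- return 0;
- }
- }
-
- /* All IDs match: only need to check one ID */
- *ret = cid;
- return 1;
-}
-
-static int
-ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
- STACK_OF(OCSP_SINGLERESP) *sresp)
-{
- /* If only one ID to match then do it */
- if (cid) {
- const EVP_MD *dgst;
- X509_NAME *iname;
- int mdlen;
- unsigned char md[EVP_MAX_MD_SIZE];
-
- if (!(dgst =
- EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
- OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
- OCSP_R_UNKNOWN_MESSAGE_DIGEST);
- return -1;
- }
-
- mdlen = EVP_MD_size(dgst);
- if (mdlen < 0)
- return -1;
- if (cid->issuerNameHash->length != mdlen ||
- cid->issuerKeyHash->length != mdlen)
- return 0;
- iname = X509_get_subject_name(cert);
- if (!X509_NAME_digest(iname, dgst, md, NULL))
- return -1;
- if (memcmp(md, cid->issuerNameHash->data, mdlen))
- return 0;
- X509_pubkey_digest(cert, dgst, md, NULL);
- if (memcmp(md, cid->issuerKeyHash->data, mdlen))
- return 0;
-
- return 1;
- } else {
- /* We have to match the whole lot */
- int i, ret;
- OCSP_CERTID *tmpid;
-
- for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
- tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
- ret = ocsp_match_issuerid(cert, tmpid, NULL);
- if (ret <= 0)
- return ret;
- }
- return 1;
- }
-}
-
-static int
-ocsp_check_delegated(X509 *x, int flags)
-{
- X509_check_purpose(x, -1, 0);
- if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
- return 1;
- OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
- return 0;
-}
-
-/* Verify an OCSP request. This is fortunately much easier than OCSP
- * response verify. Just find the signers certificate and verify it
- * against a given trust value.
- */
-int
-OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
- unsigned long flags)
-{
- X509 *signer;
- X509_NAME *nm;
- GENERAL_NAME *gen;
- int ret;
- X509_STORE_CTX ctx;
-
- if (!req->optionalSignature) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
- return 0;
- }
- gen = req->tbsRequest->requestorName;
- if (!gen || gen->type != GEN_DIRNAME) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
- return 0;
- }
- nm = gen->d.directoryName;
- ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
- if (ret <= 0) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- return 0;
- }
- if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
- flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS)) {
- EVP_PKEY *skey;
-
- skey = X509_get_pubkey(signer);
- ret = OCSP_REQUEST_verify(req, skey);
- EVP_PKEY_free(skey);
- if (ret <= 0) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_SIGNATURE_FAILURE);
- return 0;
- }
- }
- if (!(flags & OCSP_NOVERIFY)) {
- int init_res;
-
- if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, store, signer,
- NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, store, signer,
- req->optionalSignature->certs);
- if (!init_res) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB);
- return 0;
- }
-
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
- ret = X509_verify_cert(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0) {
- ret = X509_STORE_CTX_get_error(&ctx);
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_asprintf_error_data("Verify error:%s",
- X509_verify_cert_error_string(ret));
- return 0;
- }
- }
- return 1;
-}
-
-static int
-ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm,
- STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)
-{
- X509 *signer;
-
- if (!(flags & OCSP_NOINTERN)) {
- signer =
- X509_find_by_subject(req->optionalSignature->certs, nm);
- *psigner = signer;
- return 1;
- }
-
- signer = X509_find_by_subject(certs, nm);
- if (signer) {
- *psigner = signer;
- return 2;
- }
- return 0;
-}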