summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/ocsp.c211
1 files changed, 118 insertions, 93 deletions
diff --git a/src/usr.bin/openssl/ocsp.c b/src/usr.bin/openssl/ocsp.c
index fc2e08bed4..8eac2dcd11 100644
--- a/src/usr.bin/openssl/ocsp.c
+++ b/src/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ocsp.c,v 1.18 2020/09/09 13:08:38 inoguchi Exp $ */ 1/* $OpenBSD: ocsp.c,v 1.19 2020/09/09 13:57:36 inoguchi Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -79,28 +79,25 @@
79/* Maximum leeway in validity period: default 5 minutes */ 79/* Maximum leeway in validity period: default 5 minutes */
80#define MAX_VALIDITY_PERIOD (5 * 60) 80#define MAX_VALIDITY_PERIOD (5 * 60)
81 81
82static int 82static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
83add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, 83 const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids);
84 STACK_OF(OCSP_CERTID) *ids); 84static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
85static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md, X509 *issuer, 85 const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids);
86 STACK_OF(OCSP_CERTID) *ids);
87static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, 86static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
88 STACK_OF(OPENSSL_STRING) *names, 87 STACK_OF(OPENSSL_STRING) *names, STACK_OF(OCSP_CERTID) *ids, long nsec,
89 STACK_OF(OCSP_CERTID) *ids, long nsec,
90 long maxage); 88 long maxage);
91 89
92static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, 90static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
93 X509 *ca, X509 *rcert, EVP_PKEY *rkey, 91 CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother,
94 STACK_OF(X509) *rother, unsigned long flags, 92 unsigned long flags, int nmin, int ndays);
95 int nmin, int ndays);
96 93
97static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); 94static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
98static BIO *init_responder(char *port); 95static BIO *init_responder(char *port);
99static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); 96static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
97 char *port);
100static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); 98static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
101static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, 99static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
102 STACK_OF(CONF_VALUE) *headers, 100 STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout);
103 OCSP_REQUEST *req, int req_timeout);
104 101
105static struct { 102static struct {
106 int accept_count; 103 int accept_count;
@@ -780,7 +777,8 @@ ocsp_main(int argc, char **argv)
780 } 777 }
781 778
782 /* Have we anything to do? */ 779 /* Have we anything to do? */
783 if (!ocsp_config.req && !ocsp_config.reqin && !ocsp_config.respin && !(ocsp_config.port && ocsp_config.ridx_filename)) 780 if (!ocsp_config.req && !ocsp_config.reqin && !ocsp_config.respin &&
781 !(ocsp_config.port && ocsp_config.ridx_filename))
784 badarg = 1; 782 badarg = 1;
785 783
786 if (badarg) { 784 if (badarg) {
@@ -802,7 +800,8 @@ ocsp_main(int argc, char **argv)
802 if (!ocsp_config.req && ocsp_config.reqin) { 800 if (!ocsp_config.req && ocsp_config.reqin) {
803 derbio = BIO_new_file(ocsp_config.reqin, "rb"); 801 derbio = BIO_new_file(ocsp_config.reqin, "rb");
804 if (!derbio) { 802 if (!derbio) {
805 BIO_printf(bio_err, "Error Opening OCSP request file\n"); 803 BIO_printf(bio_err,
804 "Error Opening OCSP request file\n");
806 goto end; 805 goto end;
807 } 806 }
808 ocsp_config.req = d2i_OCSP_REQUEST_bio(derbio, NULL); 807 ocsp_config.req = d2i_OCSP_REQUEST_bio(derbio, NULL);
@@ -823,38 +822,44 @@ ocsp_main(int argc, char **argv)
823 rsigner = load_cert(bio_err, ocsp_config.rsignfile, FORMAT_PEM, 822 rsigner = load_cert(bio_err, ocsp_config.rsignfile, FORMAT_PEM,
824 NULL, "responder certificate"); 823 NULL, "responder certificate");
825 if (!rsigner) { 824 if (!rsigner) {
826 BIO_printf(bio_err, "Error loading responder certificate\n"); 825 BIO_printf(bio_err,
826 "Error loading responder certificate\n");
827 goto end; 827 goto end;
828 } 828 }
829 rca_cert = load_cert(bio_err, ocsp_config.rca_filename, FORMAT_PEM, 829 rca_cert = load_cert(bio_err, ocsp_config.rca_filename,
830 NULL, "CA certificate"); 830 FORMAT_PEM, NULL, "CA certificate");
831 if (ocsp_config.rcertfile) { 831 if (ocsp_config.rcertfile) {
832 rother = load_certs(bio_err, ocsp_config.rcertfile, FORMAT_PEM, 832 rother = load_certs(bio_err, ocsp_config.rcertfile,
833 NULL, "responder other certificates"); 833 FORMAT_PEM, NULL, "responder other certificates");
834 if (!rother) 834 if (!rother)
835 goto end; 835 goto end;
836 } 836 }
837 rkey = load_key(bio_err, ocsp_config.rkeyfile, FORMAT_PEM, 0, NULL, 837 rkey = load_key(bio_err, ocsp_config.rkeyfile, FORMAT_PEM, 0,
838 "responder private key"); 838 NULL, "responder private key");
839 if (!rkey) 839 if (!rkey)
840 goto end; 840 goto end;
841 } 841 }
842 if (acbio) 842 if (acbio)
843 BIO_printf(bio_err, "Waiting for OCSP client connections...\n"); 843 BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
844 844
845redo_accept: 845 redo_accept:
846 846
847 if (acbio) { 847 if (acbio) {
848 if (!do_responder(&ocsp_config.req, &cbio, acbio, ocsp_config.port)) 848 if (!do_responder(&ocsp_config.req, &cbio, acbio,
849 ocsp_config.port))
849 goto end; 850 goto end;
850 if (!ocsp_config.req) { 851 if (!ocsp_config.req) {
851 resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); 852 resp = OCSP_response_create(
853 OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
852 send_ocsp_response(cbio, resp); 854 send_ocsp_response(cbio, resp);
853 goto done_resp; 855 goto done_resp;
854 } 856 }
855 } 857 }
856 if (!ocsp_config.req && (ocsp_config.signfile || ocsp_config.reqout || ocsp_config.host || ocsp_config.add_nonce || ocsp_config.ridx_filename)) { 858 if (!ocsp_config.req &&
857 BIO_printf(bio_err, "Need an OCSP request for this operation!\n"); 859 (ocsp_config.signfile || ocsp_config.reqout || ocsp_config.host ||
860 ocsp_config.add_nonce || ocsp_config.ridx_filename)) {
861 BIO_printf(bio_err,
862 "Need an OCSP request for this operation!\n");
858 goto end; 863 goto end;
859 } 864 }
860 if (ocsp_config.req && ocsp_config.add_nonce) 865 if (ocsp_config.req && ocsp_config.add_nonce)
@@ -866,21 +871,24 @@ redo_accept:
866 signer = load_cert(bio_err, ocsp_config.signfile, FORMAT_PEM, 871 signer = load_cert(bio_err, ocsp_config.signfile, FORMAT_PEM,
867 NULL, "signer certificate"); 872 NULL, "signer certificate");
868 if (!signer) { 873 if (!signer) {
869 BIO_printf(bio_err, "Error loading signer certificate\n"); 874 BIO_printf(bio_err,
875 "Error loading signer certificate\n");
870 goto end; 876 goto end;
871 } 877 }
872 if (ocsp_config.sign_certfile) { 878 if (ocsp_config.sign_certfile) {
873 sign_other = load_certs(bio_err, ocsp_config.sign_certfile, FORMAT_PEM, 879 sign_other = load_certs(bio_err,
874 NULL, "signer certificates"); 880 ocsp_config.sign_certfile, FORMAT_PEM, NULL,
881 "signer certificates");
875 if (!sign_other) 882 if (!sign_other)
876 goto end; 883 goto end;
877 } 884 }
878 key = load_key(bio_err, ocsp_config.keyfile, FORMAT_PEM, 0, NULL, 885 key = load_key(bio_err, ocsp_config.keyfile, FORMAT_PEM, 0,
879 "signer private key"); 886 NULL, "signer private key");
880 if (!key) 887 if (!key)
881 goto end; 888 goto end;
882 889
883 if (!OCSP_request_sign(ocsp_config.req, signer, key, NULL, sign_other, ocsp_config.sign_flags)) { 890 if (!OCSP_request_sign(ocsp_config.req, signer, key, NULL,
891 sign_other, ocsp_config.sign_flags)) {
884 BIO_printf(bio_err, "Error signing OCSP request\n"); 892 BIO_printf(bio_err, "Error signing OCSP request\n");
885 goto end; 893 goto end;
886 } 894 }
@@ -891,14 +899,16 @@ redo_accept:
891 if (ocsp_config.reqout) { 899 if (ocsp_config.reqout) {
892 derbio = BIO_new_file(ocsp_config.reqout, "wb"); 900 derbio = BIO_new_file(ocsp_config.reqout, "wb");
893 if (!derbio) { 901 if (!derbio) {
894 BIO_printf(bio_err, "Error opening file %s\n", ocsp_config.reqout); 902 BIO_printf(bio_err, "Error opening file %s\n",
903 ocsp_config.reqout);
895 goto end; 904 goto end;
896 } 905 }
897 i2d_OCSP_REQUEST_bio(derbio, ocsp_config.req); 906 i2d_OCSP_REQUEST_bio(derbio, ocsp_config.req);
898 BIO_free(derbio); 907 BIO_free(derbio);
899 } 908 }
900 if (ocsp_config.ridx_filename && (!rkey || !rsigner || !rca_cert)) { 909 if (ocsp_config.ridx_filename && (!rkey || !rsigner || !rca_cert)) {
901 BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n"); 910 BIO_printf(bio_err,
911 "Need a responder certificate, key and CA for this operation!\n");
902 goto end; 912 goto end;
903 } 913 }
904 if (ocsp_config.ridx_filename && !rdb) { 914 if (ocsp_config.ridx_filename && !rdb) {
@@ -909,18 +919,24 @@ redo_accept:
909 goto end; 919 goto end;
910 } 920 }
911 if (rdb) { 921 if (rdb) {
912 i = make_ocsp_response(&resp, ocsp_config.req, rdb, rca_cert, rsigner, rkey, rother, ocsp_config.rflags, ocsp_config.nmin, ocsp_config.ndays); 922 i = make_ocsp_response(&resp, ocsp_config.req, rdb, rca_cert,
923 rsigner, rkey, rother, ocsp_config.rflags,
924 ocsp_config.nmin, ocsp_config.ndays);
913 if (cbio) 925 if (cbio)
914 send_ocsp_response(cbio, resp); 926 send_ocsp_response(cbio, resp);
915 } else if (ocsp_config.host) { 927 } else if (ocsp_config.host) {
916 resp = process_responder(bio_err, ocsp_config.req, ocsp_config.host, ocsp_config.path ? ocsp_config.path : "/", 928 resp = process_responder(bio_err, ocsp_config.req,
917 ocsp_config.port, ocsp_config.use_ssl, ocsp_config.headers, ocsp_config.req_timeout); 929 ocsp_config.host,
930 ocsp_config.path ? ocsp_config.path : "/",
931 ocsp_config.port, ocsp_config.use_ssl, ocsp_config.headers,
932 ocsp_config.req_timeout);
918 if (!resp) 933 if (!resp)
919 goto end; 934 goto end;
920 } else if (ocsp_config.respin) { 935 } else if (ocsp_config.respin) {
921 derbio = BIO_new_file(ocsp_config.respin, "rb"); 936 derbio = BIO_new_file(ocsp_config.respin, "rb");
922 if (!derbio) { 937 if (!derbio) {
923 BIO_printf(bio_err, "Error Opening OCSP response file\n"); 938 BIO_printf(bio_err,
939 "Error Opening OCSP response file\n");
924 goto end; 940 goto end;
925 } 941 }
926 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); 942 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
@@ -934,12 +950,13 @@ redo_accept:
934 goto end; 950 goto end;
935 } 951 }
936 952
937done_resp: 953 done_resp:
938 954
939 if (ocsp_config.respout) { 955 if (ocsp_config.respout) {
940 derbio = BIO_new_file(ocsp_config.respout, "wb"); 956 derbio = BIO_new_file(ocsp_config.respout, "wb");
941 if (!derbio) { 957 if (!derbio) {
942 BIO_printf(bio_err, "Error opening file %s\n", ocsp_config.respout); 958 BIO_printf(bio_err, "Error opening file %s\n",
959 ocsp_config.respout);
943 goto end; 960 goto end;
944 } 961 }
945 i2d_OCSP_RESPONSE_bio(derbio, resp); 962 i2d_OCSP_RESPONSE_bio(derbio, resp);
@@ -975,12 +992,13 @@ done_resp:
975 goto end; 992 goto end;
976 } 993 }
977 if (!store) 994 if (!store)
978 store = setup_verify(bio_err, ocsp_config.CAfile, ocsp_config.CApath); 995 store = setup_verify(bio_err, ocsp_config.CAfile,
996 ocsp_config.CApath);
979 if (!store) 997 if (!store)
980 goto end; 998 goto end;
981 if (ocsp_config.verify_certfile) { 999 if (ocsp_config.verify_certfile) {
982 verify_other = load_certs(bio_err, ocsp_config.verify_certfile, FORMAT_PEM, 1000 verify_other = load_certs(bio_err, ocsp_config.verify_certfile,
983 NULL, "validator certificate"); 1001 FORMAT_PEM, NULL, "validator certificate");
984 if (!verify_other) 1002 if (!verify_other)
985 goto end; 1003 goto end;
986 } 1004 }
@@ -991,26 +1009,30 @@ done_resp:
991 goto end; 1009 goto end;
992 } 1010 }
993 if (!ocsp_config.noverify) { 1011 if (!ocsp_config.noverify) {
994 if (ocsp_config.req && ((i = OCSP_check_nonce(ocsp_config.req, bs)) <= 0)) { 1012 if (ocsp_config.req &&
995 if (i == -1) 1013 ((i = OCSP_check_nonce(ocsp_config.req, bs)) <= 0)) {
996 BIO_printf(bio_err, "WARNING: no nonce in response\n"); 1014 if (i == -1) {
997 else { 1015 BIO_printf(bio_err,
1016 "WARNING: no nonce in response\n");
1017 } else {
998 BIO_printf(bio_err, "Nonce Verify error\n"); 1018 BIO_printf(bio_err, "Nonce Verify error\n");
999 goto end; 1019 goto end;
1000 } 1020 }
1001 } 1021 }
1002 i = OCSP_basic_verify(bs, verify_other, store, ocsp_config.verify_flags); 1022 i = OCSP_basic_verify(bs, verify_other, store,
1023 ocsp_config.verify_flags);
1003 if (i < 0) 1024 if (i < 0)
1004 i = OCSP_basic_verify(bs, NULL, store, 0); 1025 i = OCSP_basic_verify(bs, NULL, store, 0);
1005 1026
1006 if (i <= 0) { 1027 if (i <= 0) {
1007 BIO_printf(bio_err, "Response Verify Failure\n"); 1028 BIO_printf(bio_err, "Response Verify Failure\n");
1008 ERR_print_errors(bio_err); 1029 ERR_print_errors(bio_err);
1009 } else 1030 } else {
1010 BIO_printf(bio_err, "Response verify OK\n"); 1031 BIO_printf(bio_err, "Response verify OK\n");
1011 1032 }
1012 } 1033 }
1013 if (!print_ocsp_summary(out, bs, ocsp_config.req, ocsp_config.reqnames, ocsp_config.ids, ocsp_config.nsec, ocsp_config.maxage)) 1034 if (!print_ocsp_summary(out, bs, ocsp_config.req, ocsp_config.reqnames,
1035 ocsp_config.ids, ocsp_config.nsec, ocsp_config.maxage))
1014 goto end; 1036 goto end;
1015 1037
1016 ret = 0; 1038 ret = 0;
@@ -1047,10 +1069,11 @@ done_resp:
1047} 1069}
1048 1070
1049static int 1071static int
1050add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, 1072add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md,
1051 STACK_OF(OCSP_CERTID) *ids) 1073 X509 *issuer, STACK_OF(OCSP_CERTID) *ids)
1052{ 1074{
1053 OCSP_CERTID *id; 1075 OCSP_CERTID *id;
1076
1054 if (!issuer) { 1077 if (!issuer) {
1055 BIO_printf(bio_err, "No issuer certificate specified\n"); 1078 BIO_printf(bio_err, "No issuer certificate specified\n");
1056 return 0; 1079 return 0;
@@ -1072,13 +1095,14 @@ add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *is
1072} 1095}
1073 1096
1074static int 1097static int
1075add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md, X509 *issuer, 1098add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md,
1076 STACK_OF(OCSP_CERTID) *ids) 1099 X509 *issuer, STACK_OF(OCSP_CERTID) *ids)
1077{ 1100{
1078 OCSP_CERTID *id; 1101 OCSP_CERTID *id;
1079 X509_NAME *iname; 1102 X509_NAME *iname;
1080 ASN1_BIT_STRING *ikey; 1103 ASN1_BIT_STRING *ikey;
1081 ASN1_INTEGER *sno; 1104 ASN1_INTEGER *sno;
1105
1082 if (!issuer) { 1106 if (!issuer) {
1083 BIO_printf(bio_err, "No issuer certificate specified\n"); 1107 BIO_printf(bio_err, "No issuer certificate specified\n");
1084 return 0; 1108 return 0;
@@ -1091,7 +1115,8 @@ add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md, X509
1091 ikey = X509_get0_pubkey_bitstr(issuer); 1115 ikey = X509_get0_pubkey_bitstr(issuer);
1092 sno = s2i_ASN1_INTEGER(NULL, serial); 1116 sno = s2i_ASN1_INTEGER(NULL, serial);
1093 if (!sno) { 1117 if (!sno) {
1094 BIO_printf(bio_err, "Error converting serial number %s\n", serial); 1118 BIO_printf(bio_err, "Error converting serial number %s\n",
1119 serial);
1095 return 0; 1120 return 0;
1096 } 1121 }
1097 id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); 1122 id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
@@ -1109,19 +1134,18 @@ add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md, X509
1109 1134
1110static int 1135static int
1111print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, 1136print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
1112 STACK_OF(OPENSSL_STRING) *names, 1137 STACK_OF(OPENSSL_STRING) *names, STACK_OF(OCSP_CERTID) *ids, long nsec,
1113 STACK_OF(OCSP_CERTID) *ids, long nsec,
1114 long maxage) 1138 long maxage)
1115{ 1139{
1116 OCSP_CERTID *id; 1140 OCSP_CERTID *id;
1117 char *name; 1141 char *name;
1118 int i; 1142 int i;
1119
1120 int status, reason; 1143 int status, reason;
1121 1144
1122 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; 1145 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1123 1146
1124 if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) 1147 if (!bs || !req || !sk_OPENSSL_STRING_num(names) ||
1148 !sk_OCSP_CERTID_num(ids))
1125 return 1; 1149 return 1;
1126 1150
1127 for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { 1151 for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
@@ -1171,9 +1195,8 @@ print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
1171 1195
1172static int 1196static int
1173make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, 1197make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1174 X509 *ca, X509 *rcert, EVP_PKEY *rkey, 1198 X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother,
1175 STACK_OF(X509) *rother, unsigned long flags, 1199 unsigned long flags, int nmin, int ndays)
1176 int nmin, int ndays)
1177{ 1200{
1178 ASN1_TIME *thisupd = NULL, *nextupd = NULL; 1201 ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1179 OCSP_CERTID *cid, *ca_id = NULL; 1202 OCSP_CERTID *cid, *ca_id = NULL;
@@ -1183,7 +1206,8 @@ make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1183 id_count = OCSP_request_onereq_count(req); 1206 id_count = OCSP_request_onereq_count(req);
1184 1207
1185 if (id_count <= 0) { 1208 if (id_count <= 0) {
1186 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); 1209 *resp = OCSP_response_create(
1210 OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1187 goto end; 1211 goto end;
1188 } 1212 }
1189 bs = OCSP_BASICRESP_new(); 1213 bs = OCSP_BASICRESP_new();
@@ -1205,8 +1229,8 @@ make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1205 1229
1206 cert_id_md = EVP_get_digestbyobj(cert_id_md_oid); 1230 cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
1207 if (!cert_id_md) { 1231 if (!cert_id_md) {
1208 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, 1232 *resp = OCSP_response_create(
1209 NULL); 1233 OCSP_RESPONSE_STATUS_INTERNALERROR, NULL);
1210 goto end; 1234 goto end;
1211 } 1235 }
1212 OCSP_CERTID_free(ca_id); 1236 OCSP_CERTID_free(ca_id);
@@ -1215,38 +1239,39 @@ make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1215 /* Is this request about our CA? */ 1239 /* Is this request about our CA? */
1216 if (OCSP_id_issuer_cmp(ca_id, cid)) { 1240 if (OCSP_id_issuer_cmp(ca_id, cid)) {
1217 OCSP_basic_add1_status(bs, cid, 1241 OCSP_basic_add1_status(bs, cid,
1218 V_OCSP_CERTSTATUS_UNKNOWN, 1242 V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL,
1219 0, NULL,
1220 thisupd, nextupd); 1243 thisupd, nextupd);
1221 continue; 1244 continue;
1222 } 1245 }
1223 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); 1246 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1224 inf = lookup_serial(db, serial); 1247 inf = lookup_serial(db, serial);
1225 if (!inf) 1248 if (!inf) {
1226 OCSP_basic_add1_status(bs, cid, 1249 OCSP_basic_add1_status(bs, cid,
1227 V_OCSP_CERTSTATUS_UNKNOWN, 1250 V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL,
1228 0, NULL,
1229 thisupd, nextupd); 1251 thisupd, nextupd);
1230 else if (inf[DB_type][0] == DB_TYPE_VAL) 1252 } else if (inf[DB_type][0] == DB_TYPE_VAL) {
1231 OCSP_basic_add1_status(bs, cid, 1253 OCSP_basic_add1_status(bs, cid,
1232 V_OCSP_CERTSTATUS_GOOD, 1254 V_OCSP_CERTSTATUS_GOOD, 0, NULL,
1233 0, NULL,
1234 thisupd, nextupd); 1255 thisupd, nextupd);
1235 else if (inf[DB_type][0] == DB_TYPE_REV) { 1256 } else if (inf[DB_type][0] == DB_TYPE_REV) {
1236 ASN1_OBJECT *inst = NULL; 1257 ASN1_OBJECT *inst = NULL;
1237 ASN1_TIME *revtm = NULL; 1258 ASN1_TIME *revtm = NULL;
1238 ASN1_GENERALIZEDTIME *invtm = NULL; 1259 ASN1_GENERALIZEDTIME *invtm = NULL;
1239 OCSP_SINGLERESP *single; 1260 OCSP_SINGLERESP *single;
1240 int reason = -1; 1261 int reason = -1;
1241 unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]); 1262
1263 unpack_revinfo(&revtm, &reason, &inst, &invtm,
1264 inf[DB_rev_date]);
1242 single = OCSP_basic_add1_status(bs, cid, 1265 single = OCSP_basic_add1_status(bs, cid,
1243 V_OCSP_CERTSTATUS_REVOKED, 1266 V_OCSP_CERTSTATUS_REVOKED,
1244 reason, revtm, 1267 reason, revtm,
1245 thisupd, nextupd); 1268 thisupd, nextupd);
1246 if (invtm) 1269 if (invtm)
1247 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0); 1270 OCSP_SINGLERESP_add1_ext_i2d(single,
1271 NID_invalidity_date, invtm, 0, 0);
1248 else if (inst) 1272 else if (inst)
1249 OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0); 1273 OCSP_SINGLERESP_add1_ext_i2d(single,
1274 NID_hold_instruction_code, inst, 0, 0);
1250 ASN1_OBJECT_free(inst); 1275 ASN1_OBJECT_free(inst);
1251 ASN1_TIME_free(revtm); 1276 ASN1_TIME_free(revtm);
1252 ASN1_GENERALIZEDTIME_free(invtm); 1277 ASN1_GENERALIZEDTIME_free(invtm);
@@ -1265,7 +1290,6 @@ make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1265 OCSP_CERTID_free(ca_id); 1290 OCSP_CERTID_free(ca_id);
1266 OCSP_BASICRESP_free(bs); 1291 OCSP_BASICRESP_free(bs);
1267 return ret; 1292 return ret;
1268
1269} 1293}
1270 1294
1271static char ** 1295static char **
@@ -1274,6 +1298,7 @@ lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
1274 int i; 1298 int i;
1275 BIGNUM *bn = NULL; 1299 BIGNUM *bn = NULL;
1276 char *itmp, *row[DB_NUMBER], **rrow; 1300 char *itmp, *row[DB_NUMBER], **rrow;
1301
1277 for (i = 0; i < DB_NUMBER; i++) 1302 for (i = 0; i < DB_NUMBER; i++)
1278 row[i] = NULL; 1303 row[i] = NULL;
1279 bn = ASN1_INTEGER_to_BN(ser, NULL); 1304 bn = ASN1_INTEGER_to_BN(ser, NULL);
@@ -1296,6 +1321,7 @@ static BIO *
1296init_responder(char *port) 1321init_responder(char *port)
1297{ 1322{
1298 BIO *acbio = NULL, *bufbio = NULL; 1323 BIO *acbio = NULL, *bufbio = NULL;
1324
1299 bufbio = BIO_new(BIO_f_buffer()); 1325 bufbio = BIO_new(BIO_f_buffer());
1300 if (!bufbio) 1326 if (!bufbio)
1301 goto err; 1327 goto err;
@@ -1362,7 +1388,6 @@ do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
1362 *preq = req; 1388 *preq = req;
1363 1389
1364 return 1; 1390 return 1;
1365
1366} 1391}
1367 1392
1368static int 1393static int
@@ -1371,6 +1396,7 @@ send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1371 static const char http_resp[] = 1396 static const char http_resp[] =
1372 "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n" 1397 "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1373 "Content-Length: %d\r\n\r\n"; 1398 "Content-Length: %d\r\n\r\n";
1399
1374 if (!cbio) 1400 if (!cbio)
1375 return 0; 1401 return 0;
1376 BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL)); 1402 BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
@@ -1380,8 +1406,7 @@ send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1380} 1406}
1381 1407
1382static OCSP_RESPONSE * 1408static OCSP_RESPONSE *
1383query_responder(BIO *err, BIO *cbio, char *path, 1409query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers,
1384 STACK_OF(CONF_VALUE) *headers,
1385 OCSP_REQUEST *req, int req_timeout) 1410 OCSP_REQUEST *req, int req_timeout)
1386{ 1411{
1387 int fd; 1412 int fd;
@@ -1437,11 +1462,11 @@ query_responder(BIO *err, BIO *cbio, char *path,
1437 if (req_timeout == -1) 1462 if (req_timeout == -1)
1438 continue; 1463 continue;
1439 pfd[0].fd = fd; 1464 pfd[0].fd = fd;
1440 if (BIO_should_read(cbio)) 1465 if (BIO_should_read(cbio)) {
1441 pfd[0].events = POLLIN; 1466 pfd[0].events = POLLIN;
1442 else if (BIO_should_write(cbio)) 1467 } else if (BIO_should_write(cbio)) {
1443 pfd[0].events = POLLOUT; 1468 pfd[0].events = POLLOUT;
1444 else { 1469 } else {
1445 BIO_puts(err, "Unexpected retry condition\n"); 1470 BIO_puts(err, "Unexpected retry condition\n");
1446 goto err; 1471 goto err;
1447 } 1472 }
@@ -1455,21 +1480,20 @@ query_responder(BIO *err, BIO *cbio, char *path,
1455 break; 1480 break;
1456 } 1481 }
1457 } 1482 }
1483
1458 err: 1484 err:
1459 OCSP_REQ_CTX_free(ctx); 1485 OCSP_REQ_CTX_free(ctx);
1460
1461 return rsp; 1486 return rsp;
1462} 1487}
1463 1488
1464OCSP_RESPONSE * 1489OCSP_RESPONSE *
1465process_responder(BIO *err, OCSP_REQUEST *req, 1490process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path,
1466 char *host, char *path, char *port, int use_ssl, 1491 char *port, int use_ssl, STACK_OF(CONF_VALUE) *headers, int req_timeout)
1467 STACK_OF(CONF_VALUE) *headers,
1468 int req_timeout)
1469{ 1492{
1470 BIO *cbio = NULL; 1493 BIO *cbio = NULL;
1471 SSL_CTX *ctx = NULL; 1494 SSL_CTX *ctx = NULL;
1472 OCSP_RESPONSE *resp = NULL; 1495 OCSP_RESPONSE *resp = NULL;
1496
1473 cbio = BIO_new_connect(host); 1497 cbio = BIO_new_connect(host);
1474 if (!cbio) { 1498 if (!cbio) {
1475 BIO_printf(err, "Error creating connect BIO\n"); 1499 BIO_printf(err, "Error creating connect BIO\n");
@@ -1491,6 +1515,7 @@ process_responder(BIO *err, OCSP_REQUEST *req,
1491 resp = query_responder(err, cbio, path, headers, req, req_timeout); 1515 resp = query_responder(err, cbio, path, headers, req, req_timeout);
1492 if (!resp) 1516 if (!resp)
1493 BIO_printf(bio_err, "Error querying OCSP responder\n"); 1517 BIO_printf(bio_err, "Error querying OCSP responder\n");
1518
1494 end: 1519 end:
1495 BIO_free_all(cbio); 1520 BIO_free_all(cbio);
1496 SSL_CTX_free(ctx); 1521 SSL_CTX_free(ctx);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-20 20:52:25 +0000