From 67fcb4ef3942fb3a0f1e18f8ebbe7464120d485a Mon Sep 17 00:00:00 2001 From: cvs2svn Date: Sun, 2 Aug 2015 21:54:23 +0000 Subject: This commit was manufactured by cvs2git to create branch 'OPENBSD_5_8'. --- src/lib/libcrypto/ocsp/ocsp.h | 616 ------------------------ src/lib/libcrypto/ocsp/ocsp_asn.c | 962 -------------------------------------- src/lib/libcrypto/ocsp/ocsp_cl.c | 383 --------------- src/lib/libcrypto/ocsp/ocsp_err.c | 142 ------ src/lib/libcrypto/ocsp/ocsp_ext.c | 607 ------------------------ src/lib/libcrypto/ocsp/ocsp_ht.c | 463 ------------------ src/lib/libcrypto/ocsp/ocsp_lib.c | 282 ----------- src/lib/libcrypto/ocsp/ocsp_prn.c | 312 ------------- src/lib/libcrypto/ocsp/ocsp_srv.c | 276 ----------- src/lib/libcrypto/ocsp/ocsp_vfy.c | 448 ------------------ 10 files changed, 4491 deletions(-) delete mode 100644 src/lib/libcrypto/ocsp/ocsp.h delete mode 100644 src/lib/libcrypto/ocsp/ocsp_asn.c delete mode 100644 src/lib/libcrypto/ocsp/ocsp_cl.c delete mode 100644 src/lib/libcrypto/ocsp/ocsp_err.c delete mode 100644 src/lib/libcrypto/ocsp/ocsp_ext.c delete mode 100644 src/lib/libcrypto/ocsp/ocsp_ht.c delete mode 100644 src/lib/libcrypto/ocsp/ocsp_lib.c delete mode 100644 src/lib/libcrypto/ocsp/ocsp_prn.c delete mode 100644 src/lib/libcrypto/ocsp/ocsp_srv.c delete mode 100644 src/lib/libcrypto/ocsp/ocsp_vfy.c (limited to 'src/lib/libcrypto/ocsp') diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h deleted file mode 100644 index b7e3115e8d..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp.h +++ /dev/null @@ -1,616 +0,0 @@ -/* $OpenBSD: ocsp.h,v 1.6 2014/06/12 15:49:30 deraadt Exp $ */ -/* Written by Tom Titchener for the OpenSSL - * project. */ - -/* History: - This file was transfered to Richard Levitte from CertCo by Kathy - Weinhold in mid-spring 2000 to be included in OpenSSL or released - as a patch kit. */ - -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#ifndef HEADER_OCSP_H -#define HEADER_OCSP_H - -#include -#include -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/* Various flags and values */ - -#define OCSP_DEFAULT_NONCE_LENGTH 16 - -#define OCSP_NOCERTS 0x1 -#define OCSP_NOINTERN 0x2 -#define OCSP_NOSIGS 0x4 -#define OCSP_NOCHAIN 0x8 -#define OCSP_NOVERIFY 0x10 -#define OCSP_NOEXPLICIT 0x20 -#define OCSP_NOCASIGN 0x40 -#define OCSP_NODELEGATED 0x80 -#define OCSP_NOCHECKS 0x100 -#define OCSP_TRUSTOTHER 0x200 -#define OCSP_RESPID_KEY 0x400 -#define OCSP_NOTIME 0x800 - -/* CertID ::= SEQUENCE { - * hashAlgorithm AlgorithmIdentifier, - * issuerNameHash OCTET STRING, -- Hash of Issuer's DN - * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields) - * serialNumber CertificateSerialNumber } - */ -typedef struct ocsp_cert_id_st { - X509_ALGOR *hashAlgorithm; - ASN1_OCTET_STRING *issuerNameHash; - ASN1_OCTET_STRING *issuerKeyHash; - ASN1_INTEGER *serialNumber; -} OCSP_CERTID; - -DECLARE_STACK_OF(OCSP_CERTID) - -/* Request ::= SEQUENCE { - * reqCert CertID, - * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_one_request_st { - OCSP_CERTID *reqCert; - STACK_OF(X509_EXTENSION) *singleRequestExtensions; -} OCSP_ONEREQ; - -DECLARE_STACK_OF(OCSP_ONEREQ) -DECLARE_ASN1_SET_OF(OCSP_ONEREQ) - - -/* TBSRequest ::= SEQUENCE { - * version [0] EXPLICIT Version DEFAULT v1, - * requestorName [1] EXPLICIT GeneralName OPTIONAL, - * requestList SEQUENCE OF Request, - * requestExtensions [2] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_req_info_st { - ASN1_INTEGER *version; - GENERAL_NAME *requestorName; - STACK_OF(OCSP_ONEREQ) *requestList; - STACK_OF(X509_EXTENSION) *requestExtensions; -} OCSP_REQINFO; - -/* Signature ::= SEQUENCE { - * signatureAlgorithm AlgorithmIdentifier, - * signature BIT STRING, - * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } - */ -typedef struct ocsp_signature_st { - X509_ALGOR *signatureAlgorithm; - ASN1_BIT_STRING *signature; - STACK_OF(X509) *certs; -} OCSP_SIGNATURE; - -/* OCSPRequest ::= SEQUENCE { - * tbsRequest TBSRequest, - * optionalSignature [0] EXPLICIT Signature OPTIONAL } - */ -typedef struct ocsp_request_st { - OCSP_REQINFO *tbsRequest; - OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */ -} OCSP_REQUEST; - -/* OCSPResponseStatus ::= ENUMERATED { - * successful (0), --Response has valid confirmations - * malformedRequest (1), --Illegal confirmation request - * internalError (2), --Internal error in issuer - * tryLater (3), --Try again later - * --(4) is not used - * sigRequired (5), --Must sign the request - * unauthorized (6) --Request unauthorized - * } - */ -#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 -#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1 -#define OCSP_RESPONSE_STATUS_INTERNALERROR 2 -#define OCSP_RESPONSE_STATUS_TRYLATER 3 -#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5 -#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6 - -/* ResponseBytes ::= SEQUENCE { - * responseType OBJECT IDENTIFIER, - * response OCTET STRING } - */ -typedef struct ocsp_resp_bytes_st { - ASN1_OBJECT *responseType; - ASN1_OCTET_STRING *response; -} OCSP_RESPBYTES; - -/* OCSPResponse ::= SEQUENCE { - * responseStatus OCSPResponseStatus, - * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } - */ -struct ocsp_response_st { - ASN1_ENUMERATED *responseStatus; - OCSP_RESPBYTES *responseBytes; -}; - -/* ResponderID ::= CHOICE { - * byName [1] Name, - * byKey [2] KeyHash } - */ -#define V_OCSP_RESPID_NAME 0 -#define V_OCSP_RESPID_KEY 1 -struct ocsp_responder_id_st { - int type; - union { - X509_NAME* byName; - ASN1_OCTET_STRING *byKey; - } value; -}; - -DECLARE_STACK_OF(OCSP_RESPID) -DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) - -/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key - * --(excluding the tag and length fields) - */ - -/* RevokedInfo ::= SEQUENCE { - * revocationTime GeneralizedTime, - * revocationReason [0] EXPLICIT CRLReason OPTIONAL } - */ -typedef struct ocsp_revoked_info_st { - ASN1_GENERALIZEDTIME *revocationTime; - ASN1_ENUMERATED *revocationReason; -} OCSP_REVOKEDINFO; - -/* CertStatus ::= CHOICE { - * good [0] IMPLICIT NULL, - * revoked [1] IMPLICIT RevokedInfo, - * unknown [2] IMPLICIT UnknownInfo } - */ -#define V_OCSP_CERTSTATUS_GOOD 0 -#define V_OCSP_CERTSTATUS_REVOKED 1 -#define V_OCSP_CERTSTATUS_UNKNOWN 2 -typedef struct ocsp_cert_status_st { - int type; - union { - ASN1_NULL *good; - OCSP_REVOKEDINFO *revoked; - ASN1_NULL *unknown; - } value; -} OCSP_CERTSTATUS; - -/* SingleResponse ::= SEQUENCE { - * certID CertID, - * certStatus CertStatus, - * thisUpdate GeneralizedTime, - * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, - * singleExtensions [1] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_single_response_st { - OCSP_CERTID *certId; - OCSP_CERTSTATUS *certStatus; - ASN1_GENERALIZEDTIME *thisUpdate; - ASN1_GENERALIZEDTIME *nextUpdate; - STACK_OF(X509_EXTENSION) *singleExtensions; -} OCSP_SINGLERESP; - -DECLARE_STACK_OF(OCSP_SINGLERESP) -DECLARE_ASN1_SET_OF(OCSP_SINGLERESP) - -/* ResponseData ::= SEQUENCE { - * version [0] EXPLICIT Version DEFAULT v1, - * responderID ResponderID, - * producedAt GeneralizedTime, - * responses SEQUENCE OF SingleResponse, - * responseExtensions [1] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_response_data_st { - ASN1_INTEGER *version; - OCSP_RESPID *responderId; - ASN1_GENERALIZEDTIME *producedAt; - STACK_OF(OCSP_SINGLERESP) *responses; - STACK_OF(X509_EXTENSION) *responseExtensions; -} OCSP_RESPDATA; - -/* BasicOCSPResponse ::= SEQUENCE { - * tbsResponseData ResponseData, - * signatureAlgorithm AlgorithmIdentifier, - * signature BIT STRING, - * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } - */ - /* Note 1: - The value for "signature" is specified in the OCSP rfc2560 as follows: - "The value for the signature SHALL be computed on the hash of the DER - encoding ResponseData." This means that you must hash the DER-encoded - tbsResponseData, and then run it through a crypto-signing function, which - will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems - a bit odd, but that's the spec. Also note that the data structures do not - leave anywhere to independently specify the algorithm used for the initial - hash. So, we look at the signature-specification algorithm, and try to do - something intelligent. -- Kathy Weinhold, CertCo */ - /* Note 2: - It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open - for interpretation. I've done tests against another responder, and found - that it doesn't do the double hashing that the RFC seems to say one - should. Therefore, all relevant functions take a flag saying which - variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */ -typedef struct ocsp_basic_response_st { - OCSP_RESPDATA *tbsResponseData; - X509_ALGOR *signatureAlgorithm; - ASN1_BIT_STRING *signature; - STACK_OF(X509) *certs; -} OCSP_BASICRESP; - -/* - * CRLReason ::= ENUMERATED { - * unspecified (0), - * keyCompromise (1), - * cACompromise (2), - * affiliationChanged (3), - * superseded (4), - * cessationOfOperation (5), - * certificateHold (6), - * removeFromCRL (8) } - */ -#define OCSP_REVOKED_STATUS_NOSTATUS -1 -#define OCSP_REVOKED_STATUS_UNSPECIFIED 0 -#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1 -#define OCSP_REVOKED_STATUS_CACOMPROMISE 2 -#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3 -#define OCSP_REVOKED_STATUS_SUPERSEDED 4 -#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5 -#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 -#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 - -/* CrlID ::= SEQUENCE { - * crlUrl [0] EXPLICIT IA5String OPTIONAL, - * crlNum [1] EXPLICIT INTEGER OPTIONAL, - * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } - */ -typedef struct ocsp_crl_id_st { - ASN1_IA5STRING *crlUrl; - ASN1_INTEGER *crlNum; - ASN1_GENERALIZEDTIME *crlTime; -} OCSP_CRLID; - -/* ServiceLocator ::= SEQUENCE { - * issuer Name, - * locator AuthorityInfoAccessSyntax OPTIONAL } - */ -typedef struct ocsp_service_locator_st { - X509_NAME* issuer; - STACK_OF(ACCESS_DESCRIPTION) *locator; -} OCSP_SERVICELOC; - -#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST" -#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE" - -#define d2i_OCSP_REQUEST_bio(bp,p) \ - ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p) - -#define d2i_OCSP_RESPONSE_bio(bp,p) \ - ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p) - -#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) \ - (OCSP_REQUEST *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_REQUEST, \ - PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL) - -#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) \ - (OCSP_RESPONSE *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_RESPONSE, \ - PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL) - -#define PEM_write_bio_OCSP_REQUEST(bp,o) \ - PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\ - bp,(char *)o, NULL,NULL,0,NULL,NULL) - -#define PEM_write_bio_OCSP_RESPONSE(bp,o) \ - PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\ - bp,(char *)o, NULL,NULL,0,NULL,NULL) - -#define i2d_OCSP_RESPONSE_bio(bp,o) \ - ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o) - -#define i2d_OCSP_REQUEST_bio(bp,o) \ - ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o) - -#define OCSP_REQUEST_sign(o,pkey,md) \ - ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO), \ - o->optionalSignature->signatureAlgorithm,NULL, \ - o->optionalSignature->signature,o->tbsRequest,pkey,md) - -#define OCSP_BASICRESP_sign(o,pkey,md,d) \ - ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL, \ - o->signature,o->tbsResponseData,pkey,md) - -#define OCSP_REQUEST_verify(a,r) \ - ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO), \ - a->optionalSignature->signatureAlgorithm, \ - a->optionalSignature->signature,a->tbsRequest,r) - -#define OCSP_BASICRESP_verify(a,r,d) \ - ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA), \ - a->signatureAlgorithm,a->signature,a->tbsResponseData,r) - -#define ASN1_BIT_STRING_digest(data,type,md,len) \ - ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len) - -#define OCSP_CERTSTATUS_dup(cs)\ - (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\ - (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs)) - -OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id); - -OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req); -OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, - int maxline); -int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); -void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); -int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); -int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, - const char *value); - -OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); - -OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName, - ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber); - -OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid); - -int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len); -int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len); -int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs); -int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req); - -int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm); -int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert); - -int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, - const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags); - -int OCSP_response_status(OCSP_RESPONSE *resp); -OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); - -int OCSP_resp_count(OCSP_BASICRESP *bs); -OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); -int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); -int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, - ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd); -int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, - int *reason, ASN1_GENERALIZEDTIME **revtime, - ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd); -int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, - ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); - -int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, - X509_STORE *store, unsigned long flags); - -int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, - int *pssl); - -int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b); -int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b); - -int OCSP_request_onereq_count(OCSP_REQUEST *req); -OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i); -OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one); -int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, - ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, - OCSP_CERTID *cid); -int OCSP_request_is_signed(OCSP_REQUEST *req); -OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); -OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, - int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, - ASN1_TIME *nextupd); -int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert); -int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, - const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags); - -X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim); - -X509_EXTENSION *OCSP_accept_responses_new(char **oids); - -X509_EXTENSION *OCSP_archive_cutoff_new(char* tim); - -X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls); - -int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x); -int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos); -int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, - int lastpos); -int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, - int lastpos); -X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc); -X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc); -void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx); -int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, - int crit, unsigned long flags); -int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc); - -int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x); -int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos); -int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, - int lastpos); -int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos); -X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc); -X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc); -void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx); -int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, - unsigned long flags); -int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc); - -int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x); -int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos); -int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, - int lastpos); -int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, - int lastpos); -X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc); -X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc); -void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, - int *idx); -int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, - int crit, unsigned long flags); -int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc); - -int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x); -int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, - int lastpos); -int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, - int lastpos); -int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, - int lastpos); -X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc); -X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc); -void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, - int *idx); -int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, - int crit, unsigned long flags); -int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, - int loc); - -DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP) -DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS) -DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO) -DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP) -DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA) -DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) -DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE) -DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES) -DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ) -DECLARE_ASN1_FUNCTIONS(OCSP_CERTID) -DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST) -DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE) -DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO) -DECLARE_ASN1_FUNCTIONS(OCSP_CRLID) -DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC) - -const char *OCSP_response_status_str(long s); -const char *OCSP_cert_status_str(long s); -const char *OCSP_crl_reason_str(long s); - -int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags); -int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags); - -int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags); - -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ -void ERR_load_OCSP_strings(void); - -/* Error codes for the OCSP functions. */ - -/* Function codes. */ -#define OCSP_F_ASN1_STRING_ENCODE 100 -#define OCSP_F_D2I_OCSP_NONCE 102 -#define OCSP_F_OCSP_BASIC_ADD1_STATUS 103 -#define OCSP_F_OCSP_BASIC_SIGN 104 -#define OCSP_F_OCSP_BASIC_VERIFY 105 -#define OCSP_F_OCSP_CERT_ID_NEW 101 -#define OCSP_F_OCSP_CHECK_DELEGATED 106 -#define OCSP_F_OCSP_CHECK_IDS 107 -#define OCSP_F_OCSP_CHECK_ISSUER 108 -#define OCSP_F_OCSP_CHECK_VALIDITY 115 -#define OCSP_F_OCSP_MATCH_ISSUERID 109 -#define OCSP_F_OCSP_PARSE_URL 114 -#define OCSP_F_OCSP_REQUEST_SIGN 110 -#define OCSP_F_OCSP_REQUEST_VERIFY 116 -#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111 -#define OCSP_F_OCSP_SENDREQ_BIO 112 -#define OCSP_F_OCSP_SENDREQ_NBIO 117 -#define OCSP_F_PARSE_HTTP_LINE1 118 -#define OCSP_F_REQUEST_VERIFY 113 - -/* Reason codes. */ -#define OCSP_R_BAD_DATA 100 -#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101 -#define OCSP_R_DIGEST_ERR 102 -#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122 -#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123 -#define OCSP_R_ERROR_PARSING_URL 121 -#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103 -#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124 -#define OCSP_R_NOT_BASIC_RESPONSE 104 -#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105 -#define OCSP_R_NO_CONTENT 106 -#define OCSP_R_NO_PUBLIC_KEY 107 -#define OCSP_R_NO_RESPONSE_DATA 108 -#define OCSP_R_NO_REVOKED_TIME 109 -#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110 -#define OCSP_R_REQUEST_NOT_SIGNED 128 -#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111 -#define OCSP_R_ROOT_CA_NOT_TRUSTED 112 -#define OCSP_R_SERVER_READ_ERROR 113 -#define OCSP_R_SERVER_RESPONSE_ERROR 114 -#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115 -#define OCSP_R_SERVER_WRITE_ERROR 116 -#define OCSP_R_SIGNATURE_FAILURE 117 -#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118 -#define OCSP_R_STATUS_EXPIRED 125 -#define OCSP_R_STATUS_NOT_YET_VALID 126 -#define OCSP_R_STATUS_TOO_OLD 127 -#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119 -#define OCSP_R_UNKNOWN_NID 120 -#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c deleted file mode 100644 index 72e7638c75..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_asn.c +++ /dev/null @@ -1,962 +0,0 @@ -/* $OpenBSD: ocsp_asn.c,v 1.8 2015/07/25 14:52:47 jsing Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2000. - */ -/* ==================================================================== - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -#include -#include -#include - -static const ASN1_TEMPLATE OCSP_SIGNATURE_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_SIGNATURE, signatureAlgorithm), - .field_name = "signatureAlgorithm", - .item = &X509_ALGOR_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_SIGNATURE, signature), - .field_name = "signature", - .item = &ASN1_BIT_STRING_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_SIGNATURE, certs), - .field_name = "certs", - .item = &X509_it, - }, -}; - -const ASN1_ITEM OCSP_SIGNATURE_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_SIGNATURE_seq_tt, - .tcount = sizeof(OCSP_SIGNATURE_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_SIGNATURE), - .sname = "OCSP_SIGNATURE", -}; - - -OCSP_SIGNATURE * -d2i_OCSP_SIGNATURE(OCSP_SIGNATURE **a, const unsigned char **in, long len) -{ - return (OCSP_SIGNATURE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_SIGNATURE_it); -} - -int -i2d_OCSP_SIGNATURE(OCSP_SIGNATURE *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SIGNATURE_it); -} - -OCSP_SIGNATURE * -OCSP_SIGNATURE_new(void) -{ - return (OCSP_SIGNATURE *)ASN1_item_new(&OCSP_SIGNATURE_it); -} - -void -OCSP_SIGNATURE_free(OCSP_SIGNATURE *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_SIGNATURE_it); -} - -static const ASN1_TEMPLATE OCSP_CERTID_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_CERTID, hashAlgorithm), - .field_name = "hashAlgorithm", - .item = &X509_ALGOR_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_CERTID, issuerNameHash), - .field_name = "issuerNameHash", - .item = &ASN1_OCTET_STRING_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_CERTID, issuerKeyHash), - .field_name = "issuerKeyHash", - .item = &ASN1_OCTET_STRING_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_CERTID, serialNumber), - .field_name = "serialNumber", - .item = &ASN1_INTEGER_it, - }, -}; - -const ASN1_ITEM OCSP_CERTID_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_CERTID_seq_tt, - .tcount = sizeof(OCSP_CERTID_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_CERTID), - .sname = "OCSP_CERTID", -}; - - -OCSP_CERTID * -d2i_OCSP_CERTID(OCSP_CERTID **a, const unsigned char **in, long len) -{ - return (OCSP_CERTID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_CERTID_it); -} - -int -i2d_OCSP_CERTID(OCSP_CERTID *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CERTID_it); -} - -OCSP_CERTID * -OCSP_CERTID_new(void) -{ - return (OCSP_CERTID *)ASN1_item_new(&OCSP_CERTID_it); -} - -void -OCSP_CERTID_free(OCSP_CERTID *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTID_it); -} - -static const ASN1_TEMPLATE OCSP_ONEREQ_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_ONEREQ, reqCert), - .field_name = "reqCert", - .item = &OCSP_CERTID_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_ONEREQ, singleRequestExtensions), - .field_name = "singleRequestExtensions", - .item = &X509_EXTENSION_it, - }, -}; - -const ASN1_ITEM OCSP_ONEREQ_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_ONEREQ_seq_tt, - .tcount = sizeof(OCSP_ONEREQ_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_ONEREQ), - .sname = "OCSP_ONEREQ", -}; - - -OCSP_ONEREQ * -d2i_OCSP_ONEREQ(OCSP_ONEREQ **a, const unsigned char **in, long len) -{ - return (OCSP_ONEREQ *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_ONEREQ_it); -} - -int -i2d_OCSP_ONEREQ(OCSP_ONEREQ *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_ONEREQ_it); -} - -OCSP_ONEREQ * -OCSP_ONEREQ_new(void) -{ - return (OCSP_ONEREQ *)ASN1_item_new(&OCSP_ONEREQ_it); -} - -void -OCSP_ONEREQ_free(OCSP_ONEREQ *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_ONEREQ_it); -} - -static const ASN1_TEMPLATE OCSP_REQINFO_seq_tt[] = { - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_REQINFO, version), - .field_name = "version", - .item = &ASN1_INTEGER_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 1, - .offset = offsetof(OCSP_REQINFO, requestorName), - .field_name = "requestorName", - .item = &GENERAL_NAME_it, - }, - { - .flags = ASN1_TFLG_SEQUENCE_OF, - .tag = 0, - .offset = offsetof(OCSP_REQINFO, requestList), - .field_name = "requestList", - .item = &OCSP_ONEREQ_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, - .tag = 2, - .offset = offsetof(OCSP_REQINFO, requestExtensions), - .field_name = "requestExtensions", - .item = &X509_EXTENSION_it, - }, -}; - -const ASN1_ITEM OCSP_REQINFO_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_REQINFO_seq_tt, - .tcount = sizeof(OCSP_REQINFO_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_REQINFO), - .sname = "OCSP_REQINFO", -}; - - -OCSP_REQINFO * -d2i_OCSP_REQINFO(OCSP_REQINFO **a, const unsigned char **in, long len) -{ - return (OCSP_REQINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_REQINFO_it); -} - -int -i2d_OCSP_REQINFO(OCSP_REQINFO *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REQINFO_it); -} - -OCSP_REQINFO * -OCSP_REQINFO_new(void) -{ - return (OCSP_REQINFO *)ASN1_item_new(&OCSP_REQINFO_it); -} - -void -OCSP_REQINFO_free(OCSP_REQINFO *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQINFO_it); -} - -static const ASN1_TEMPLATE OCSP_REQUEST_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_REQUEST, tbsRequest), - .field_name = "tbsRequest", - .item = &OCSP_REQINFO_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_REQUEST, optionalSignature), - .field_name = "optionalSignature", - .item = &OCSP_SIGNATURE_it, - }, -}; - -const ASN1_ITEM OCSP_REQUEST_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_REQUEST_seq_tt, - .tcount = sizeof(OCSP_REQUEST_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_REQUEST), - .sname = "OCSP_REQUEST", -}; - - -OCSP_REQUEST * -d2i_OCSP_REQUEST(OCSP_REQUEST **a, const unsigned char **in, long len) -{ - return (OCSP_REQUEST *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_REQUEST_it); -} - -int -i2d_OCSP_REQUEST(OCSP_REQUEST *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REQUEST_it); -} - -OCSP_REQUEST * -OCSP_REQUEST_new(void) -{ - return (OCSP_REQUEST *)ASN1_item_new(&OCSP_REQUEST_it); -} - -void -OCSP_REQUEST_free(OCSP_REQUEST *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQUEST_it); -} - -/* OCSP_RESPONSE templates */ - -static const ASN1_TEMPLATE OCSP_RESPBYTES_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_RESPBYTES, responseType), - .field_name = "responseType", - .item = &ASN1_OBJECT_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_RESPBYTES, response), - .field_name = "response", - .item = &ASN1_OCTET_STRING_it, - }, -}; - -const ASN1_ITEM OCSP_RESPBYTES_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_RESPBYTES_seq_tt, - .tcount = sizeof(OCSP_RESPBYTES_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_RESPBYTES), - .sname = "OCSP_RESPBYTES", -}; - - -OCSP_RESPBYTES * -d2i_OCSP_RESPBYTES(OCSP_RESPBYTES **a, const unsigned char **in, long len) -{ - return (OCSP_RESPBYTES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_RESPBYTES_it); -} - -int -i2d_OCSP_RESPBYTES(OCSP_RESPBYTES *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPBYTES_it); -} - -OCSP_RESPBYTES * -OCSP_RESPBYTES_new(void) -{ - return (OCSP_RESPBYTES *)ASN1_item_new(&OCSP_RESPBYTES_it); -} - -void -OCSP_RESPBYTES_free(OCSP_RESPBYTES *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPBYTES_it); -} - -static const ASN1_TEMPLATE OCSP_RESPONSE_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_RESPONSE, responseStatus), - .field_name = "responseStatus", - .item = &ASN1_ENUMERATED_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_RESPONSE, responseBytes), - .field_name = "responseBytes", - .item = &OCSP_RESPBYTES_it, - }, -}; - -const ASN1_ITEM OCSP_RESPONSE_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_RESPONSE_seq_tt, - .tcount = sizeof(OCSP_RESPONSE_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_RESPONSE), - .sname = "OCSP_RESPONSE", -}; - - -OCSP_RESPONSE * -d2i_OCSP_RESPONSE(OCSP_RESPONSE **a, const unsigned char **in, long len) -{ - return (OCSP_RESPONSE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_RESPONSE_it); -} - -int -i2d_OCSP_RESPONSE(OCSP_RESPONSE *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPONSE_it); -} - -OCSP_RESPONSE * -OCSP_RESPONSE_new(void) -{ - return (OCSP_RESPONSE *)ASN1_item_new(&OCSP_RESPONSE_it); -} - -void -OCSP_RESPONSE_free(OCSP_RESPONSE *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPONSE_it); -} - -static const ASN1_TEMPLATE OCSP_RESPID_ch_tt[] = { - { - .flags = ASN1_TFLG_EXPLICIT, - .tag = 1, - .offset = offsetof(OCSP_RESPID, value.byName), - .field_name = "value.byName", - .item = &X509_NAME_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT, - .tag = 2, - .offset = offsetof(OCSP_RESPID, value.byKey), - .field_name = "value.byKey", - .item = &ASN1_OCTET_STRING_it, - }, -}; - -const ASN1_ITEM OCSP_RESPID_it = { - .itype = ASN1_ITYPE_CHOICE, - .utype = offsetof(OCSP_RESPID, type), - .templates = OCSP_RESPID_ch_tt, - .tcount = sizeof(OCSP_RESPID_ch_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_RESPID), - .sname = "OCSP_RESPID", -}; - - -OCSP_RESPID * -d2i_OCSP_RESPID(OCSP_RESPID **a, const unsigned char **in, long len) -{ - return (OCSP_RESPID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_RESPID_it); -} - -int -i2d_OCSP_RESPID(OCSP_RESPID *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPID_it); -} - -OCSP_RESPID * -OCSP_RESPID_new(void) -{ - return (OCSP_RESPID *)ASN1_item_new(&OCSP_RESPID_it); -} - -void -OCSP_RESPID_free(OCSP_RESPID *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPID_it); -} - -static const ASN1_TEMPLATE OCSP_REVOKEDINFO_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_REVOKEDINFO, revocationTime), - .field_name = "revocationTime", - .item = &ASN1_GENERALIZEDTIME_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_REVOKEDINFO, revocationReason), - .field_name = "revocationReason", - .item = &ASN1_ENUMERATED_it, - }, -}; - -const ASN1_ITEM OCSP_REVOKEDINFO_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_REVOKEDINFO_seq_tt, - .tcount = sizeof(OCSP_REVOKEDINFO_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_REVOKEDINFO), - .sname = "OCSP_REVOKEDINFO", -}; - - -OCSP_REVOKEDINFO * -d2i_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO **a, const unsigned char **in, long len) -{ - return (OCSP_REVOKEDINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_REVOKEDINFO_it); -} - -int -i2d_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REVOKEDINFO_it); -} - -OCSP_REVOKEDINFO * -OCSP_REVOKEDINFO_new(void) -{ - return (OCSP_REVOKEDINFO *)ASN1_item_new(&OCSP_REVOKEDINFO_it); -} - -void -OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_REVOKEDINFO_it); -} - -static const ASN1_TEMPLATE OCSP_CERTSTATUS_ch_tt[] = { - { - .flags = ASN1_TFLG_IMPLICIT, - .tag = 0, - .offset = offsetof(OCSP_CERTSTATUS, value.good), - .field_name = "value.good", - .item = &ASN1_NULL_it, - }, - { - .flags = ASN1_TFLG_IMPLICIT, - .tag = 1, - .offset = offsetof(OCSP_CERTSTATUS, value.revoked), - .field_name = "value.revoked", - .item = &OCSP_REVOKEDINFO_it, - }, - { - .flags = ASN1_TFLG_IMPLICIT, - .tag = 2, - .offset = offsetof(OCSP_CERTSTATUS, value.unknown), - .field_name = "value.unknown", - .item = &ASN1_NULL_it, - }, -}; - -const ASN1_ITEM OCSP_CERTSTATUS_it = { - .itype = ASN1_ITYPE_CHOICE, - .utype = offsetof(OCSP_CERTSTATUS, type), - .templates = OCSP_CERTSTATUS_ch_tt, - .tcount = sizeof(OCSP_CERTSTATUS_ch_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_CERTSTATUS), - .sname = "OCSP_CERTSTATUS", -}; - - -OCSP_CERTSTATUS * -d2i_OCSP_CERTSTATUS(OCSP_CERTSTATUS **a, const unsigned char **in, long len) -{ - return (OCSP_CERTSTATUS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_CERTSTATUS_it); -} - -int -i2d_OCSP_CERTSTATUS(OCSP_CERTSTATUS *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CERTSTATUS_it); -} - -OCSP_CERTSTATUS * -OCSP_CERTSTATUS_new(void) -{ - return (OCSP_CERTSTATUS *)ASN1_item_new(&OCSP_CERTSTATUS_it); -} - -void -OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTSTATUS_it); -} - -static const ASN1_TEMPLATE OCSP_SINGLERESP_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_SINGLERESP, certId), - .field_name = "certId", - .item = &OCSP_CERTID_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_SINGLERESP, certStatus), - .field_name = "certStatus", - .item = &OCSP_CERTSTATUS_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_SINGLERESP, thisUpdate), - .field_name = "thisUpdate", - .item = &ASN1_GENERALIZEDTIME_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_SINGLERESP, nextUpdate), - .field_name = "nextUpdate", - .item = &ASN1_GENERALIZEDTIME_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, - .tag = 1, - .offset = offsetof(OCSP_SINGLERESP, singleExtensions), - .field_name = "singleExtensions", - .item = &X509_EXTENSION_it, - }, -}; - -const ASN1_ITEM OCSP_SINGLERESP_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_SINGLERESP_seq_tt, - .tcount = sizeof(OCSP_SINGLERESP_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_SINGLERESP), - .sname = "OCSP_SINGLERESP", -}; - - -OCSP_SINGLERESP * -d2i_OCSP_SINGLERESP(OCSP_SINGLERESP **a, const unsigned char **in, long len) -{ - return (OCSP_SINGLERESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_SINGLERESP_it); -} - -int -i2d_OCSP_SINGLERESP(OCSP_SINGLERESP *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SINGLERESP_it); -} - -OCSP_SINGLERESP * -OCSP_SINGLERESP_new(void) -{ - return (OCSP_SINGLERESP *)ASN1_item_new(&OCSP_SINGLERESP_it); -} - -void -OCSP_SINGLERESP_free(OCSP_SINGLERESP *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_SINGLERESP_it); -} - -static const ASN1_TEMPLATE OCSP_RESPDATA_seq_tt[] = { - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_RESPDATA, version), - .field_name = "version", - .item = &ASN1_INTEGER_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_RESPDATA, responderId), - .field_name = "responderId", - .item = &OCSP_RESPID_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_RESPDATA, producedAt), - .field_name = "producedAt", - .item = &ASN1_GENERALIZEDTIME_it, - }, - { - .flags = ASN1_TFLG_SEQUENCE_OF, - .tag = 0, - .offset = offsetof(OCSP_RESPDATA, responses), - .field_name = "responses", - .item = &OCSP_SINGLERESP_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, - .tag = 1, - .offset = offsetof(OCSP_RESPDATA, responseExtensions), - .field_name = "responseExtensions", - .item = &X509_EXTENSION_it, - }, -}; - -const ASN1_ITEM OCSP_RESPDATA_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_RESPDATA_seq_tt, - .tcount = sizeof(OCSP_RESPDATA_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_RESPDATA), - .sname = "OCSP_RESPDATA", -}; - - -OCSP_RESPDATA * -d2i_OCSP_RESPDATA(OCSP_RESPDATA **a, const unsigned char **in, long len) -{ - return (OCSP_RESPDATA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_RESPDATA_it); -} - -int -i2d_OCSP_RESPDATA(OCSP_RESPDATA *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPDATA_it); -} - -OCSP_RESPDATA * -OCSP_RESPDATA_new(void) -{ - return (OCSP_RESPDATA *)ASN1_item_new(&OCSP_RESPDATA_it); -} - -void -OCSP_RESPDATA_free(OCSP_RESPDATA *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPDATA_it); -} - -static const ASN1_TEMPLATE OCSP_BASICRESP_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_BASICRESP, tbsResponseData), - .field_name = "tbsResponseData", - .item = &OCSP_RESPDATA_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_BASICRESP, signatureAlgorithm), - .field_name = "signatureAlgorithm", - .item = &X509_ALGOR_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_BASICRESP, signature), - .field_name = "signature", - .item = &ASN1_BIT_STRING_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_BASICRESP, certs), - .field_name = "certs", - .item = &X509_it, - }, -}; - -const ASN1_ITEM OCSP_BASICRESP_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_BASICRESP_seq_tt, - .tcount = sizeof(OCSP_BASICRESP_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_BASICRESP), - .sname = "OCSP_BASICRESP", -}; - - -OCSP_BASICRESP * -d2i_OCSP_BASICRESP(OCSP_BASICRESP **a, const unsigned char **in, long len) -{ - return (OCSP_BASICRESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_BASICRESP_it); -} - -int -i2d_OCSP_BASICRESP(OCSP_BASICRESP *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_BASICRESP_it); -} - -OCSP_BASICRESP * -OCSP_BASICRESP_new(void) -{ - return (OCSP_BASICRESP *)ASN1_item_new(&OCSP_BASICRESP_it); -} - -void -OCSP_BASICRESP_free(OCSP_BASICRESP *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_BASICRESP_it); -} - -static const ASN1_TEMPLATE OCSP_CRLID_seq_tt[] = { - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_CRLID, crlUrl), - .field_name = "crlUrl", - .item = &ASN1_IA5STRING_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 1, - .offset = offsetof(OCSP_CRLID, crlNum), - .field_name = "crlNum", - .item = &ASN1_INTEGER_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, - .tag = 2, - .offset = offsetof(OCSP_CRLID, crlTime), - .field_name = "crlTime", - .item = &ASN1_GENERALIZEDTIME_it, - }, -}; - -const ASN1_ITEM OCSP_CRLID_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_CRLID_seq_tt, - .tcount = sizeof(OCSP_CRLID_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_CRLID), - .sname = "OCSP_CRLID", -}; - - -OCSP_CRLID * -d2i_OCSP_CRLID(OCSP_CRLID **a, const unsigned char **in, long len) -{ - return (OCSP_CRLID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_CRLID_it); -} - -int -i2d_OCSP_CRLID(OCSP_CRLID *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CRLID_it); -} - -OCSP_CRLID * -OCSP_CRLID_new(void) -{ - return (OCSP_CRLID *)ASN1_item_new(&OCSP_CRLID_it); -} - -void -OCSP_CRLID_free(OCSP_CRLID *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_CRLID_it); -} - -static const ASN1_TEMPLATE OCSP_SERVICELOC_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(OCSP_SERVICELOC, issuer), - .field_name = "issuer", - .item = &X509_NAME_it, - }, - { - .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(OCSP_SERVICELOC, locator), - .field_name = "locator", - .item = &ACCESS_DESCRIPTION_it, - }, -}; - -const ASN1_ITEM OCSP_SERVICELOC_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = OCSP_SERVICELOC_seq_tt, - .tcount = sizeof(OCSP_SERVICELOC_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(OCSP_SERVICELOC), - .sname = "OCSP_SERVICELOC", -}; - - -OCSP_SERVICELOC * -d2i_OCSP_SERVICELOC(OCSP_SERVICELOC **a, const unsigned char **in, long len) -{ - return (OCSP_SERVICELOC *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &OCSP_SERVICELOC_it); -} - -int -i2d_OCSP_SERVICELOC(OCSP_SERVICELOC *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SERVICELOC_it); -} - -OCSP_SERVICELOC * -OCSP_SERVICELOC_new(void) -{ - return (OCSP_SERVICELOC *)ASN1_item_new(&OCSP_SERVICELOC_it); -} - -void -OCSP_SERVICELOC_free(OCSP_SERVICELOC *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &OCSP_SERVICELOC_it); -} diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c deleted file mode 100644 index a4320d9278..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_cl.c +++ /dev/null @@ -1,383 +0,0 @@ -/* $OpenBSD: ocsp_cl.c,v 1.8 2014/10/18 17:20:40 jsing Exp $ */ -/* Written by Tom Titchener for the OpenSSL - * project. */ - -/* History: - This file was transfered to Richard Levitte from CertCo by Kathy - Weinhold in mid-spring 2000 to be included in OpenSSL or released - as a patch kit. */ - -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include -#include -#include -#include -#include -#include - -/* Utility functions related to sending OCSP requests and extracting - * relevant information from the response. - */ - -/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ - * pointer: useful if we want to add extensions. - */ -OCSP_ONEREQ * -OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) -{ - OCSP_ONEREQ *one = NULL; - - if (!(one = OCSP_ONEREQ_new())) - goto err; - if (one->reqCert) - OCSP_CERTID_free(one->reqCert); - one->reqCert = cid; - if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) - goto err; - return one; - -err: - OCSP_ONEREQ_free(one); - return NULL; -} - -/* Set requestorName from an X509_NAME structure */ -int -OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm) -{ - GENERAL_NAME *gen; - - gen = GENERAL_NAME_new(); - if (gen == NULL) - return 0; - if (!X509_NAME_set(&gen->d.directoryName, nm)) { - GENERAL_NAME_free(gen); - return 0; - } - gen->type = GEN_DIRNAME; - if (req->tbsRequest->requestorName) - GENERAL_NAME_free(req->tbsRequest->requestorName); - req->tbsRequest->requestorName = gen; - return 1; -} - -/* Add a certificate to an OCSP request */ -int -OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) -{ - OCSP_SIGNATURE *sig; - - if (!req->optionalSignature) - req->optionalSignature = OCSP_SIGNATURE_new(); - sig = req->optionalSignature; - if (!sig) - return 0; - if (!cert) - return 1; - if (!sig->certs && !(sig->certs = sk_X509_new_null())) - return 0; - - if (!sk_X509_push(sig->certs, cert)) - return 0; - CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); - return 1; -} - -/* Sign an OCSP request set the requestorName to the subjec - * name of an optional signers certificate and include one - * or more optional certificates in the request. Behaves - * like PKCS7_sign(). - */ -int -OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, - const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags) -{ - int i; - OCSP_SIGNATURE *sig; - X509 *x; - - if (!OCSP_request_set1_name(req, X509_get_subject_name(signer))) - goto err; - - if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) - goto err; - if (key) { - if (!X509_check_private_key(signer, key)) { - OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, - OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); - goto err; - } - if (!OCSP_REQUEST_sign(req, key, dgst)) - goto err; - } - - if (!(flags & OCSP_NOCERTS)) { - if (!OCSP_request_add1_cert(req, signer)) - goto err; - for (i = 0; i < sk_X509_num(certs); i++) { - x = sk_X509_value(certs, i); - if (!OCSP_request_add1_cert(req, x)) - goto err; - } - } - - return 1; - -err: - OCSP_SIGNATURE_free(req->optionalSignature); - req->optionalSignature = NULL; - return 0; -} - -/* Get response status */ -int -OCSP_response_status(OCSP_RESPONSE *resp) -{ - return ASN1_ENUMERATED_get(resp->responseStatus); -} - -/* Extract basic response from OCSP_RESPONSE or NULL if - * no basic response present. - */ -OCSP_BASICRESP * -OCSP_response_get1_basic(OCSP_RESPONSE *resp) -{ - OCSP_RESPBYTES *rb; - - rb = resp->responseBytes; - if (!rb) { - OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, - OCSP_R_NO_RESPONSE_DATA); - return NULL; - } - if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) { - OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, - OCSP_R_NOT_BASIC_RESPONSE); - return NULL; - } - - return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP)); -} - -/* Return number of OCSP_SINGLERESP reponses present in - * a basic response. - */ -int -OCSP_resp_count(OCSP_BASICRESP *bs) -{ - if (!bs) - return -1; - return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses); -} - -/* Extract an OCSP_SINGLERESP response with a given index */ -OCSP_SINGLERESP * -OCSP_resp_get0(OCSP_BASICRESP *bs, int idx) -{ - if (!bs) - return NULL; - return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx); -} - -/* Look single response matching a given certificate ID */ -int -OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last) -{ - int i; - STACK_OF(OCSP_SINGLERESP) *sresp; - OCSP_SINGLERESP *single; - - if (!bs) - return -1; - if (last < 0) - last = 0; - else - last++; - sresp = bs->tbsResponseData->responses; - for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) { - single = sk_OCSP_SINGLERESP_value(sresp, i); - if (!OCSP_id_cmp(id, single->certId)) - return i; - } - return -1; -} - -/* Extract status information from an OCSP_SINGLERESP structure. - * Note: the revtime and reason values are only set if the - * certificate status is revoked. Returns numerical value of - * status. - */ -int -OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, - ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd) -{ - int ret; - OCSP_CERTSTATUS *cst; - - if (!single) - return -1; - cst = single->certStatus; - ret = cst->type; - if (ret == V_OCSP_CERTSTATUS_REVOKED) { - OCSP_REVOKEDINFO *rev = cst->value.revoked; - - if (revtime) - *revtime = rev->revocationTime; - if (reason) { - if (rev->revocationReason) - *reason = ASN1_ENUMERATED_get( - rev->revocationReason); - else - *reason = -1; - } - } - if (thisupd) - *thisupd = single->thisUpdate; - if (nextupd) - *nextupd = single->nextUpdate; - return ret; -} - -/* This function combines the previous ones: look up a certificate ID and - * if found extract status information. Return 0 is successful. - */ -int -OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, - int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd) -{ - int i; - OCSP_SINGLERESP *single; - - i = OCSP_resp_find(bs, id, -1); - /* Maybe check for multiple responses and give an error? */ - if (i < 0) - return 0; - single = OCSP_resp_get0(bs, i); - i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd); - if (status) - *status = i; - return 1; -} - -/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will - * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid - * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time. - * Also to avoid accepting very old responses without a nextUpdate field an optional maxage - * parameter specifies the maximum age the thisUpdate field can be. - */ -int -OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, - ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec) -{ - int ret = 1; - time_t t_now, t_tmp; - - time(&t_now); - /* Check thisUpdate is valid and not more than nsec in the future */ - if (!ASN1_GENERALIZEDTIME_check(thisupd)) { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, - OCSP_R_ERROR_IN_THISUPDATE_FIELD); - ret = 0; - } else { - t_tmp = t_now + nsec; - if (X509_cmp_time(thisupd, &t_tmp) > 0) { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, - OCSP_R_STATUS_NOT_YET_VALID); - ret = 0; - } - - /* If maxsec specified check thisUpdate is not more than maxsec in the past */ - if (maxsec >= 0) { - t_tmp = t_now - maxsec; - if (X509_cmp_time(thisupd, &t_tmp) < 0) { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, - OCSP_R_STATUS_TOO_OLD); - ret = 0; - } - } - } - - if (!nextupd) - return ret; - - /* Check nextUpdate is valid and not more than nsec in the past */ - if (!ASN1_GENERALIZEDTIME_check(nextupd)) { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, - OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); - ret = 0; - } else { - t_tmp = t_now - nsec; - if (X509_cmp_time(nextupd, &t_tmp) < 0) { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, - OCSP_R_STATUS_EXPIRED); - ret = 0; - } - } - - /* Also don't allow nextUpdate to precede thisUpdate */ - if (ASN1_STRING_cmp(nextupd, thisupd) < 0) { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, - OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE); - ret = 0; - } - - return ret; -} diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c deleted file mode 100644 index af781074b6..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_err.c +++ /dev/null @@ -1,142 +0,0 @@ -/* $OpenBSD: ocsp_err.c,v 1.7 2014/07/10 22:45:57 jsing Exp $ */ -/* ==================================================================== - * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - -#include - -#include - -#include -#include - -/* BEGIN ERROR CODES */ -#ifndef OPENSSL_NO_ERR - -#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0) -#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason) - -static ERR_STRING_DATA OCSP_str_functs[]= { - {ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"}, - {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"}, - {ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"}, - {ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"}, - {ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"}, - {ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"}, - {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"}, - {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"}, - {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"}, - {ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"}, - {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"}, - {ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"}, - {ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"}, - {ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"}, - {ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"}, - {ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"}, - {ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"}, - {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"}, - {ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"}, - {0, NULL} -}; - -static ERR_STRING_DATA OCSP_str_reasons[]= { - {ERR_REASON(OCSP_R_BAD_DATA) , "bad data"}, - {ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"}, - {ERR_REASON(OCSP_R_DIGEST_ERR) , "digest err"}, - {ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD), "error in nextupdate field"}, - {ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD), "error in thisupdate field"}, - {ERR_REASON(OCSP_R_ERROR_PARSING_URL) , "error parsing url"}, - {ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE), "missing ocspsigning usage"}, - {ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE), "nextupdate before thisupdate"}, - {ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE) , "not basic response"}, - {ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN), "no certificates in chain"}, - {ERR_REASON(OCSP_R_NO_CONTENT) , "no content"}, - {ERR_REASON(OCSP_R_NO_PUBLIC_KEY) , "no public key"}, - {ERR_REASON(OCSP_R_NO_RESPONSE_DATA) , "no response data"}, - {ERR_REASON(OCSP_R_NO_REVOKED_TIME) , "no revoked time"}, - {ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"}, - {ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED) , "request not signed"}, - {ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA), "response contains no revocation data"}, - {ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED) , "root ca not trusted"}, - {ERR_REASON(OCSP_R_SERVER_READ_ERROR) , "server read error"}, - {ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR), "server response error"}, - {ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR), "server response parse error"}, - {ERR_REASON(OCSP_R_SERVER_WRITE_ERROR) , "server write error"}, - {ERR_REASON(OCSP_R_SIGNATURE_FAILURE) , "signature failure"}, - {ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND), "signer certificate not found"}, - {ERR_REASON(OCSP_R_STATUS_EXPIRED) , "status expired"}, - {ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) , "status not yet valid"}, - {ERR_REASON(OCSP_R_STATUS_TOO_OLD) , "status too old"}, - {ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST), "unknown message digest"}, - {ERR_REASON(OCSP_R_UNKNOWN_NID) , "unknown nid"}, - {ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE), "unsupported requestorname type"}, - {0, NULL} -}; - -#endif - -void -ERR_load_OCSP_strings(void) -{ -#ifndef OPENSSL_NO_ERR - if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL) { - ERR_load_strings(0, OCSP_str_functs); - ERR_load_strings(0, OCSP_str_reasons); - } -#endif -} diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c deleted file mode 100644 index edcf5bcca8..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_ext.c +++ /dev/null @@ -1,607 +0,0 @@ -/* $OpenBSD: ocsp_ext.c,v 1.14 2015/07/19 18:29:31 miod Exp $ */ -/* Written by Tom Titchener for the OpenSSL - * project. */ - -/* History: - This file was transfered to Richard Levitte from CertCo by Kathy - Weinhold in mid-spring 2000 to be included in OpenSSL or released - as a patch kit. */ - -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include - -#include -#include -#include -#include - -/* Standard wrapper functions for extensions */ - -/* OCSP request extensions */ - -int -OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x) -{ - return X509v3_get_ext_count(x->tbsRequest->requestExtensions); -} - -int -OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos) -{ - return X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions, nid, - lastpos); -} - -int -OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos) -{ - return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj, - lastpos); -} - -int -OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos) -{ - return X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions, - crit, lastpos); -} - -X509_EXTENSION * -OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc) -{ - return X509v3_get_ext(x->tbsRequest->requestExtensions, loc); -} - -X509_EXTENSION * -OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc) -{ - return X509v3_delete_ext(x->tbsRequest->requestExtensions, loc); -} - -void * -OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx) -{ - return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx); -} - -int -OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit, - unsigned long flags) -{ - return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, - crit, flags); -} - -int -OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc) -{ - return X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex, - loc) != NULL; -} - -/* Single extensions */ - -int -OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x) -{ - return X509v3_get_ext_count(x->singleRequestExtensions); -} - -int -OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos) -{ - return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos); -} - -int -OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos) -{ - return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos); -} - -int -OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos) -{ - return X509v3_get_ext_by_critical(x->singleRequestExtensions, crit, - lastpos); -} - -X509_EXTENSION * -OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc) -{ - return X509v3_get_ext(x->singleRequestExtensions, loc); -} - -X509_EXTENSION * -OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc) -{ - return X509v3_delete_ext(x->singleRequestExtensions, loc); -} - -void * -OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx) -{ - return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx); -} - -int -OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, - unsigned long flags) -{ - return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, - flags); -} - -int -OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc) -{ - return X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL; -} - -/* OCSP Basic response */ - -int -OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x) -{ - return X509v3_get_ext_count(x->tbsResponseData->responseExtensions); -} - -int -OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos) -{ - return X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions, - nid, lastpos); -} - -int -OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos) -{ - return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions, - obj, lastpos); -} - -int -OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos) -{ - return X509v3_get_ext_by_critical( - x->tbsResponseData->responseExtensions, crit, lastpos); -} - -X509_EXTENSION * -OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc) -{ - return X509v3_get_ext(x->tbsResponseData->responseExtensions, loc); -} - -X509_EXTENSION * -OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc) -{ - return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc); -} - -void * -OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx) -{ - return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, - crit, idx); -} - -int -OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit, - unsigned long flags) -{ - return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, - value, crit, flags); -} - -int -OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc) -{ - return X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex, - loc) != NULL; -} - -/* OCSP single response extensions */ - -int -OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x) -{ - return X509v3_get_ext_count(x->singleExtensions); -} - -int -OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos) -{ - return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos); -} - -int -OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, - int lastpos) -{ - return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos); -} - -int -OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos) -{ - return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos); -} - -X509_EXTENSION * -OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc) -{ - return X509v3_get_ext(x->singleExtensions, loc); -} - -X509_EXTENSION * -OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc) -{ - return X509v3_delete_ext(x->singleExtensions, loc); -} - -void * -OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx) -{ - return X509V3_get_d2i(x->singleExtensions, nid, crit, idx); -} - -int -OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit, - unsigned long flags) -{ - return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags); -} - -int -OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc) -{ - return X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL; -} - -/* also CRL Entry Extensions */ -#if 0 -ASN1_STRING * -ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, void *data, - STACK_OF(ASN1_OBJECT) *sk) -{ - int i; - unsigned char *p, *b = NULL; - - if (data) { - if ((i = i2d(data, NULL)) <= 0) - goto err; - if (!(b = p = malloc(i))) - goto err; - if (i2d(data, &p) <= 0) - goto err; - } else if (sk) { - if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk, NULL, - (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, - IS_SEQUENCE)) <= 0) - goto err; - if (!(b = p = malloc(i))) - goto err; - if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk, &p, - (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE, - V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0) - goto err; - } else { - OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA); - goto err; - } - if (!s && !(s = ASN1_STRING_new())) - goto err; - if (!(ASN1_STRING_set(s, b, i))) - goto err; - free(b); - return s; - -err: - free(b); - return NULL; -} -#endif - -/* Nonce handling functions */ - -/* Add a nonce to an extension stack. A nonce can be specificed or if NULL - * a random nonce will be generated. - * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the - * nonce, previous versions used the raw nonce. - */ - -static int -ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len) -{ - unsigned char *tmpval; - ASN1_OCTET_STRING os; - int ret = 0; - - if (len <= 0) - len = OCSP_DEFAULT_NONCE_LENGTH; - /* Create the OCTET STRING manually by writing out the header and - * appending the content octets. This avoids an extra memory allocation - * operation in some cases. Applications should *NOT* do this because - * it relies on library internals. - */ - os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING); - os.data = malloc(os.length); - if (os.data == NULL) - goto err; - tmpval = os.data; - ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); - if (val) - memcpy(tmpval, val, len); - else - arc4random_buf(tmpval, len); - if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, - X509V3_ADD_REPLACE)) - goto err; - ret = 1; - -err: - free(os.data); - return ret; -} - -/* Add nonce to an OCSP request */ -int -OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len) -{ - return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len); -} - -/* Same as above but for a response */ -int -OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len) -{ - return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, - len); -} - -/* Check nonce validity in a request and response. - * Return value reflects result: - * 1: nonces present and equal. - * 2: nonces both absent. - * 3: nonce present in response only. - * 0: nonces both present and not equal. - * -1: nonce in request only. - * - * For most responders clients can check return > 0. - * If responder doesn't handle nonces return != 0 may be - * necessary. return == 0 is always an error. - */ -int -OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs) -{ - /* - * Since we are only interested in the presence or absence of - * the nonce and comparing its value there is no need to use - * the X509V3 routines: this way we can avoid them allocating an - * ASN1_OCTET_STRING structure for the value which would be - * freed immediately anyway. - */ - int req_idx, resp_idx; - X509_EXTENSION *req_ext, *resp_ext; - - req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1); - resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, - NID_id_pkix_OCSP_Nonce, -1); - /* Check both absent */ - if (req_idx < 0 && resp_idx < 0) - return 2; - /* Check in request only */ - if (req_idx >= 0 && resp_idx < 0) - return -1; - /* Check in response but not request */ - if (req_idx < 0 && resp_idx >= 0) - return 3; - /* Otherwise nonce in request and response so retrieve the extensions */ - req_ext = OCSP_REQUEST_get_ext(req, req_idx); - resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx); - if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value)) - return 0; - return 1; -} - -/* Copy the nonce value (if any) from an OCSP request to - * a response. - */ -int -OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req) -{ - X509_EXTENSION *req_ext; - int req_idx; - - /* Check for nonce in request */ - req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1); - /* If no nonce that's OK */ - if (req_idx < 0) - return 2; - req_ext = OCSP_REQUEST_get_ext(req, req_idx); - return OCSP_BASICRESP_add_ext(resp, req_ext, -1); -} - -X509_EXTENSION * -OCSP_crlID_new(char *url, long *n, char *tim) -{ - X509_EXTENSION *x = NULL; - OCSP_CRLID *cid = NULL; - - if (!(cid = OCSP_CRLID_new())) - goto err; - if (url) { - if (!(cid->crlUrl = ASN1_IA5STRING_new())) - goto err; - if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) - goto err; - } - if (n) { - if (!(cid->crlNum = ASN1_INTEGER_new())) - goto err; - if (!(ASN1_INTEGER_set(cid->crlNum, *n))) - goto err; - } - if (tim) { - if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) - goto err; - if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) - goto err; - } - x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid); - -err: - if (cid) - OCSP_CRLID_free(cid); - return x; -} - -/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */ -X509_EXTENSION * -OCSP_accept_responses_new(char **oids) -{ - int nid; - STACK_OF(ASN1_OBJECT) *sk = NULL; - ASN1_OBJECT *o = NULL; - X509_EXTENSION *x = NULL; - - if (!(sk = sk_ASN1_OBJECT_new_null())) - return NULL; - while (oids && *oids) { - if ((nid = OBJ_txt2nid(*oids)) != NID_undef && - (o = OBJ_nid2obj(nid))) - if (sk_ASN1_OBJECT_push(sk, o) == 0) { - sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); - return NULL; - } - oids++; - } - x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk); - sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); - return x; -} - -/* ArchiveCutoff ::= GeneralizedTime */ -X509_EXTENSION * -OCSP_archive_cutoff_new(char* tim) -{ - X509_EXTENSION *x = NULL; - ASN1_GENERALIZEDTIME *gt = NULL; - - if (!(gt = ASN1_GENERALIZEDTIME_new())) - return NULL; - if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) - goto err; - x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt); - -err: - if (gt) - ASN1_GENERALIZEDTIME_free(gt); - return x; -} - -/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently - * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This - * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String. - */ -X509_EXTENSION * -OCSP_url_svcloc_new(X509_NAME* issuer, char **urls) -{ - X509_EXTENSION *x = NULL; - ASN1_IA5STRING *ia5 = NULL; - OCSP_SERVICELOC *sloc = NULL; - ACCESS_DESCRIPTION *ad = NULL; - - if (!(sloc = OCSP_SERVICELOC_new())) - goto err; - if (!(sloc->issuer = X509_NAME_dup(issuer))) - goto err; - if (urls && *urls && - !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) - goto err; - while (urls && *urls) { - if (!(ad = ACCESS_DESCRIPTION_new())) - goto err; - if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP))) - goto err; - if (!(ad->location = GENERAL_NAME_new())) - goto err; - if (!(ia5 = ASN1_IA5STRING_new())) - goto err; - if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) - goto err; - ad->location->type = GEN_URI; - ad->location->d.ia5 = ia5; - ia5 = NULL; - if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) - goto err; - ad = NULL; - urls++; - } - x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc); - -err: - if (ia5) - ASN1_IA5STRING_free(ia5); - if (ad) - ACCESS_DESCRIPTION_free(ad); - if (sloc) - OCSP_SERVICELOC_free(sloc); - return x; -} diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c deleted file mode 100644 index 4d21543396..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_ht.c +++ /dev/null @@ -1,463 +0,0 @@ -/* $OpenBSD: ocsp_ht.c,v 1.22 2014/10/03 06:02:38 doug Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2006. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -/* Stateful OCSP request code, supporting non-blocking I/O */ - -/* Opaque OCSP request status structure */ - -struct ocsp_req_ctx_st { - int state; /* Current I/O state */ - unsigned char *iobuf; /* Line buffer */ - int iobuflen; /* Line buffer length */ - BIO *io; /* BIO to perform I/O with */ - BIO *mem; /* Memory BIO response is built into */ - unsigned long asn1_len; /* ASN1 length of response */ -}; - -#define OCSP_MAX_REQUEST_LENGTH (100 * 1024) -#define OCSP_MAX_LINE_LEN 4096; - -/* OCSP states */ - -/* If set no reading should be performed */ -#define OHS_NOREAD 0x1000 -/* Error condition */ -#define OHS_ERROR (0 | OHS_NOREAD) -/* First line being read */ -#define OHS_FIRSTLINE 1 -/* MIME headers being read */ -#define OHS_HEADERS 2 -/* OCSP initial header (tag + length) being read */ -#define OHS_ASN1_HEADER 3 -/* OCSP content octets being read */ -#define OHS_ASN1_CONTENT 4 -/* Request being sent */ -#define OHS_ASN1_WRITE (6 | OHS_NOREAD) -/* Request being flushed */ -#define OHS_ASN1_FLUSH (7 | OHS_NOREAD) -/* Completed */ -#define OHS_DONE (8 | OHS_NOREAD) - - -static int parse_http_line1(char *line); - -void -OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) -{ - if (rctx == NULL) - return; - - BIO_free(rctx->mem); - free(rctx->iobuf); - free(rctx); -} - -int -OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req) -{ - if (BIO_printf(rctx->mem, "Content-Type: application/ocsp-request\r\n" - "Content-Length: %d\r\n\r\n", i2d_OCSP_REQUEST(req, NULL)) <= 0) - return 0; - if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0) - return 0; - rctx->state = OHS_ASN1_WRITE; - rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL); - return 1; -} - -int -OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, - const char *value) -{ - if (!name) - return 0; - if (BIO_puts(rctx->mem, name) <= 0) - return 0; - if (value) { - if (BIO_write(rctx->mem, ": ", 2) != 2) - return 0; - if (BIO_puts(rctx->mem, value) <= 0) - return 0; - } - if (BIO_write(rctx->mem, "\r\n", 2) != 2) - return 0; - return 1; -} - -OCSP_REQ_CTX * -OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline) -{ - OCSP_REQ_CTX *rctx; - - rctx = malloc(sizeof(OCSP_REQ_CTX)); - if (rctx == NULL) - return NULL; - rctx->state = OHS_ERROR; - rctx->mem = BIO_new(BIO_s_mem()); - rctx->io = io; - rctx->asn1_len = 0; - if (maxline > 0) - rctx->iobuflen = maxline; - else - rctx->iobuflen = OCSP_MAX_LINE_LEN; - rctx->iobuf = malloc(rctx->iobuflen); - if (!rctx->iobuf) { - BIO_free(rctx->mem); - free(rctx); - return NULL; - } - if (!path) - path = "/"; - - if (BIO_printf(rctx->mem, "POST %s HTTP/1.0\r\n", path) <= 0) { - free(rctx->iobuf); - BIO_free(rctx->mem); - free(rctx); - return NULL; - } - - if (req && !OCSP_REQ_CTX_set1_req(rctx, req)) { - free(rctx->iobuf); - BIO_free(rctx->mem); - free(rctx); - return NULL; - } - - return rctx; -} - -/* Parse the HTTP response. This will look like this: - * "HTTP/1.0 200 OK". We need to obtain the numeric code and - * (optional) informational message. - */ -static int -parse_http_line1(char *line) -{ - int retcode; - char *p, *q, *r; - - /* Skip to first white space (passed protocol info) */ - for (p = line; *p && !isspace((unsigned char)*p); p++) - continue; - if (!*p) { - OCSPerr(OCSP_F_PARSE_HTTP_LINE1, - OCSP_R_SERVER_RESPONSE_PARSE_ERROR); - return 0; - } - - /* Skip past white space to start of response code */ - while (*p && isspace((unsigned char)*p)) - p++; - if (!*p) { - OCSPerr(OCSP_F_PARSE_HTTP_LINE1, - OCSP_R_SERVER_RESPONSE_PARSE_ERROR); - return 0; - } - - /* Find end of response code: first whitespace after start of code */ - for (q = p; *q && !isspace((unsigned char)*q); q++) - continue; - if (!*q) { - OCSPerr(OCSP_F_PARSE_HTTP_LINE1, - OCSP_R_SERVER_RESPONSE_PARSE_ERROR); - return 0; - } - - /* Set end of response code and start of message */ - *q++ = 0; - - /* Attempt to parse numeric code */ - retcode = strtoul(p, &r, 10); - - if (*r) - return 0; - - /* Skip over any leading white space in message */ - while (*q && isspace((unsigned char)*q)) - q++; - if (*q) { - /* Finally zap any trailing white space in message (include - * CRLF) */ - - /* We know q has a non white space character so this is OK */ - for (r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) - *r = 0; - } - if (retcode != 200) { - OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR); - if (!*q) - ERR_asprintf_error_data("Code=%s", p); - else - ERR_asprintf_error_data("Code=%s,Reason=%s", p, q); - return 0; - } - - return 1; -} - -int -OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) -{ - int i, n; - const unsigned char *p; - -next_io: - if (!(rctx->state & OHS_NOREAD)) { - n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen); - - if (n <= 0) { - if (BIO_should_retry(rctx->io)) - return -1; - return 0; - } - - /* Write data to memory BIO */ - if (BIO_write(rctx->mem, rctx->iobuf, n) != n) - return 0; - } - - switch (rctx->state) { - case OHS_ASN1_WRITE: - n = BIO_get_mem_data(rctx->mem, &p); - i = BIO_write(rctx->io, - p + (n - rctx->asn1_len), rctx->asn1_len); - if (i <= 0) { - if (BIO_should_retry(rctx->io)) - return -1; - rctx->state = OHS_ERROR; - return 0; - } - - rctx->asn1_len -= i; - if (rctx->asn1_len > 0) - goto next_io; - - rctx->state = OHS_ASN1_FLUSH; - - (void)BIO_reset(rctx->mem); - /* FALLTHROUGH */ - - case OHS_ASN1_FLUSH: - i = BIO_flush(rctx->io); - if (i > 0) { - rctx->state = OHS_FIRSTLINE; - goto next_io; - } - - if (BIO_should_retry(rctx->io)) - return -1; - - rctx->state = OHS_ERROR; - return 0; - - case OHS_ERROR: - return 0; - - case OHS_FIRSTLINE: - case OHS_HEADERS: - /* Attempt to read a line in */ -next_line: - /* Due to &%^*$" memory BIO behaviour with BIO_gets we - * have to check there's a complete line in there before - * calling BIO_gets or we'll just get a partial read. - */ - n = BIO_get_mem_data(rctx->mem, &p); - if ((n <= 0) || !memchr(p, '\n', n)) { - if (n >= rctx->iobuflen) { - rctx->state = OHS_ERROR; - return 0; - } - goto next_io; - } - n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen); - if (n <= 0) { - if (BIO_should_retry(rctx->mem)) - goto next_io; - rctx->state = OHS_ERROR; - return 0; - } - - /* Don't allow excessive lines */ - if (n == rctx->iobuflen) { - rctx->state = OHS_ERROR; - return 0; - } - - /* First line */ - if (rctx->state == OHS_FIRSTLINE) { - if (parse_http_line1((char *)rctx->iobuf)) { - rctx->state = OHS_HEADERS; - goto next_line; - } else { - rctx->state = OHS_ERROR; - return 0; - } - } else { - /* Look for blank line: end of headers */ - for (p = rctx->iobuf; *p; p++) { - if ((*p != '\r') && (*p != '\n')) - break; - } - if (*p) - goto next_line; - - rctx->state = OHS_ASN1_HEADER; - } - /* FALLTRHOUGH */ - - case OHS_ASN1_HEADER: - /* Now reading ASN1 header: can read at least 2 bytes which - * is enough for ASN1 SEQUENCE header and either length field - * or at least the length of the length field. - */ - n = BIO_get_mem_data(rctx->mem, &p); - if (n < 2) - goto next_io; - - /* Check it is an ASN1 SEQUENCE */ - if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) { - rctx->state = OHS_ERROR; - return 0; - } - - /* Check out length field */ - if (*p & 0x80) { - /* If MSB set on initial length octet we can now - * always read 6 octets: make sure we have them. - */ - if (n < 6) - goto next_io; - n = *p & 0x7F; - /* Not NDEF or excessive length */ - if (!n || (n > 4)) { - rctx->state = OHS_ERROR; - return 0; - } - p++; - rctx->asn1_len = 0; - for (i = 0; i < n; i++) { - rctx->asn1_len <<= 8; - rctx->asn1_len |= *p++; - } - - if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) { - rctx->state = OHS_ERROR; - return 0; - } - - rctx->asn1_len += n + 2; - } else - rctx->asn1_len = *p + 2; - - rctx->state = OHS_ASN1_CONTENT; - - /* FALLTHROUGH */ - - case OHS_ASN1_CONTENT: - n = BIO_get_mem_data(rctx->mem, &p); - if (n < (int)rctx->asn1_len) - goto next_io; - - *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len); - if (*presp) { - rctx->state = OHS_DONE; - return 1; - } - - rctx->state = OHS_ERROR; - return 0; - - case OHS_DONE: - return 1; - } - - return 0; -} - -/* Blocking OCSP request handler: now a special case of non-blocking I/O */ -OCSP_RESPONSE * -OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) -{ - OCSP_RESPONSE *resp = NULL; - OCSP_REQ_CTX *ctx; - int rv; - - ctx = OCSP_sendreq_new(b, path, req, -1); - if (ctx == NULL) - return NULL; - - do { - rv = OCSP_sendreq_nbio(&resp, ctx); - } while ((rv == -1) && BIO_should_retry(b)); - - OCSP_REQ_CTX_free(ctx); - - if (rv) - return resp; - - return NULL; -} diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c deleted file mode 100644 index be5bf7dab5..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_lib.c +++ /dev/null @@ -1,282 +0,0 @@ -/* $OpenBSD: ocsp_lib.c,v 1.18 2015/02/10 05:25:45 jsing Exp $ */ -/* Written by Tom Titchener for the OpenSSL - * project. */ - -/* History: - This file was transfered to Richard Levitte from CertCo by Kathy - Weinhold in mid-spring 2000 to be included in OpenSSL or released - as a patch kit. */ - -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include - -#include -#include -#include -#include -#include -#include -#include - -/* Convert a certificate and its issuer to an OCSP_CERTID */ - -OCSP_CERTID * -OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) -{ - X509_NAME *iname; - ASN1_INTEGER *serial; - ASN1_BIT_STRING *ikey; - -#ifndef OPENSSL_NO_SHA1 - if (!dgst) - dgst = EVP_sha1(); -#endif - if (subject) { - iname = X509_get_issuer_name(subject); - serial = X509_get_serialNumber(subject); - } else { - iname = X509_get_subject_name(issuer); - serial = NULL; - } - ikey = X509_get0_pubkey_bitstr(issuer); - return OCSP_cert_id_new(dgst, iname, ikey, serial); -} - -OCSP_CERTID * -OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName, - ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber) -{ - int nid; - unsigned int i; - X509_ALGOR *alg; - OCSP_CERTID *cid = NULL; - unsigned char md[EVP_MAX_MD_SIZE]; - - if (!(cid = OCSP_CERTID_new())) - goto err; - - alg = cid->hashAlgorithm; - if (alg->algorithm != NULL) - ASN1_OBJECT_free(alg->algorithm); - if ((nid = EVP_MD_type(dgst)) == NID_undef) { - OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID); - goto err; - } - if (!(alg->algorithm = OBJ_nid2obj(nid))) - goto err; - if ((alg->parameter = ASN1_TYPE_new()) == NULL) - goto err; - alg->parameter->type = V_ASN1_NULL; - - if (!X509_NAME_digest(issuerName, dgst, md, &i)) - goto digerr; - if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) - goto err; - - /* Calculate the issuerKey hash, excluding tag and length */ - if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL)) - goto err; - - if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) - goto err; - - if (serialNumber) { - ASN1_INTEGER_free(cid->serialNumber); - if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) - goto err; - } - return cid; - -digerr: - OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR); -err: - if (cid) - OCSP_CERTID_free(cid); - return NULL; -} - -int -OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b) -{ - int ret; - - ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm); - if (ret) - return ret; - ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash); - if (ret) - return ret; - return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash); -} - -int -OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) -{ - int ret; - - ret = OCSP_id_issuer_cmp(a, b); - if (ret) - return ret; - return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber); -} - -/* Parse a URL and split it up into host, port and path components and whether - * it is SSL. - */ -int -OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl) -{ - char *p, *buf; - char *host, *port; - - *phost = NULL; - *pport = NULL; - *ppath = NULL; - - /* dup the buffer since we are going to mess with it */ - buf = url ? strdup(url) : NULL; - if (!buf) - goto mem_err; - - /* Check for initial colon */ - p = strchr(buf, ':'); - if (!p) - goto parse_err; - - *(p++) = '\0'; - - if (!strcmp(buf, "http")) { - *pssl = 0; - port = "80"; - } else if (!strcmp(buf, "https")) { - *pssl = 1; - port = "443"; - } else - goto parse_err; - - /* Check for double slash */ - if ((p[0] != '/') || (p[1] != '/')) - goto parse_err; - - p += 2; - - host = p; - - /* Check for trailing part of path */ - p = strchr(p, '/'); - if (!p) - *ppath = strdup("/"); - else { - *ppath = strdup(p); - /* Set start of path to 0 so hostname is valid */ - *p = '\0'; - } - - if (!*ppath) - goto mem_err; - - /* Look for optional ':' for port number */ - if ((p = strchr(host, ':'))) { - *p = 0; - port = p + 1; - } else { - /* Not found: set default port */ - if (*pssl) - port = "443"; - else - port = "80"; - } - - *pport = strdup(port); - if (!*pport) - goto mem_err; - - *phost = strdup(host); - - if (!*phost) - goto mem_err; - - free(buf); - - return 1; - -mem_err: - OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE); - goto err; - -parse_err: - OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL); - -err: - free(buf); - free(*ppath); - free(*pport); - free(*phost); - *phost = NULL; - *pport = NULL; - *ppath = NULL; - return 0; -} - - -OCSP_CERTID * -OCSP_CERTID_dup(OCSP_CERTID *x) -{ - return ASN1_item_dup(&OCSP_CERTID_it, x); -} diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c deleted file mode 100644 index 37d033adb6..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_prn.c +++ /dev/null @@ -1,312 +0,0 @@ -/* $OpenBSD: ocsp_prn.c,v 1.8 2015/07/16 02:16:19 miod Exp $ */ -/* Written by Tom Titchener for the OpenSSL - * project. */ - -/* History: - This file was originally part of ocsp.c and was transfered to Richard - Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included - in OpenSSL or released as a patch kit. */ - -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include -#include - -static int -ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent) -{ - BIO_printf(bp, "%*sCertificate ID:\n", indent, ""); - indent += 2; - BIO_printf(bp, "%*sHash Algorithm: ", indent, ""); - i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm); - BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, ""); - i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING); - BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, ""); - i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING); - BIO_printf(bp, "\n%*sSerial Number: ", indent, ""); - i2a_ASN1_INTEGER(bp, a->serialNumber); - BIO_printf(bp, "\n"); - return 1; -} - -typedef struct { - long t; - const char *m; -} OCSP_TBLSTR; - -static const char * -table2string(long s, const OCSP_TBLSTR *ts, int len) -{ - const OCSP_TBLSTR *p; - - for (p = ts; p < ts + len; p++) - if (p->t == s) - return p->m; - return "(UNKNOWN)"; -} - -const char * -OCSP_response_status_str(long s) -{ - static const OCSP_TBLSTR rstat_tbl[] = { - { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" }, - { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" }, - { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" }, - { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" }, - { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" }, - { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } - }; - return table2string(s, rstat_tbl, 6); -} - -const char * -OCSP_cert_status_str(long s) -{ - static const OCSP_TBLSTR cstat_tbl[] = { - { V_OCSP_CERTSTATUS_GOOD, "good" }, - { V_OCSP_CERTSTATUS_REVOKED, "revoked" }, - { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } - }; - return table2string(s, cstat_tbl, 3); -} - -const char * -OCSP_crl_reason_str(long s) -{ - static const OCSP_TBLSTR reason_tbl[] = { - { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" }, - { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" }, - { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" }, - { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" }, - { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" }, - { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" }, - { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" }, - { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } - }; - return table2string(s, reason_tbl, 8); -} - -int -OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags) -{ - int i; - long l; - OCSP_CERTID* cid = NULL; - OCSP_ONEREQ *one = NULL; - OCSP_REQINFO *inf = o->tbsRequest; - OCSP_SIGNATURE *sig = o->optionalSignature; - - if (BIO_write(bp, "OCSP Request Data:\n", 19) <= 0) - goto err; - l = ASN1_INTEGER_get(inf->version); - if (BIO_printf(bp, " Version: %lu (0x%lx)", l+1, l) <= 0) - goto err; - if (inf->requestorName != NULL) { - if (BIO_write(bp, "\n Requestor Name: ", 21) <= 0) - goto err; - GENERAL_NAME_print(bp, inf->requestorName); - } - if (BIO_write(bp, "\n Requestor List:\n", 21) <= 0) - goto err; - for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) { - one = sk_OCSP_ONEREQ_value(inf->requestList, i); - cid = one->reqCert; - ocsp_certid_print(bp, cid, 8); - if (!X509V3_extensions_print(bp, "Request Single Extensions", - one->singleRequestExtensions, flags, 8)) - goto err; - } - if (!X509V3_extensions_print(bp, "Request Extensions", - inf->requestExtensions, flags, 4)) - goto err; - if (sig) { - if (X509_signature_print(bp, sig->signatureAlgorithm, - sig->signature) == 0) - goto err; - for (i = 0; i < sk_X509_num(sig->certs); i++) { - if (X509_print(bp, sk_X509_value(sig->certs, i)) == 0) - goto err; - if (PEM_write_bio_X509(bp, - sk_X509_value(sig->certs, i)) == 0) - goto err; - } - } - return 1; - -err: - return 0; -} - -int -OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags) -{ - int i, ret = 0; - long l; - OCSP_CERTID *cid = NULL; - OCSP_BASICRESP *br = NULL; - OCSP_RESPID *rid = NULL; - OCSP_RESPDATA *rd = NULL; - OCSP_CERTSTATUS *cst = NULL; - OCSP_REVOKEDINFO *rev = NULL; - OCSP_SINGLERESP *single = NULL; - OCSP_RESPBYTES *rb = o->responseBytes; - - if (BIO_puts(bp, "OCSP Response Data:\n") <= 0) - goto err; - l = ASN1_ENUMERATED_get(o->responseStatus); - if (BIO_printf(bp, " OCSP Response Status: %s (0x%lx)\n", - OCSP_response_status_str(l), l) <= 0) - goto err; - if (rb == NULL) - return 1; - if (BIO_puts(bp, " Response Type: ") <= 0) - goto err; - if (i2a_ASN1_OBJECT(bp, rb->responseType) <= 0) - goto err; - if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) { - BIO_puts(bp, " (unknown response type)\n"); - return 1; - } - - i = ASN1_STRING_length(rb->response); - if (!(br = OCSP_response_get1_basic(o))) - goto err; - rd = br->tbsResponseData; - l = ASN1_INTEGER_get(rd->version); - if (BIO_printf(bp, "\n Version: %lu (0x%lx)\n", l+1, l) <= 0) - goto err; - if (BIO_puts(bp, " Responder Id: ") <= 0) - goto err; - - rid = rd->responderId; - switch (rid->type) { - case V_OCSP_RESPID_NAME: - X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE); - break; - case V_OCSP_RESPID_KEY: - i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING); - break; - } - - if (BIO_printf(bp, "\n Produced At: ")<=0) - goto err; - if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) - goto err; - if (BIO_printf(bp, "\n Responses:\n") <= 0) - goto err; - for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { - if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) - continue; - single = sk_OCSP_SINGLERESP_value(rd->responses, i); - cid = single->certId; - if (ocsp_certid_print(bp, cid, 4) <= 0) - goto err; - cst = single->certStatus; - if (BIO_printf(bp, " Cert Status: %s", - OCSP_cert_status_str(cst->type)) <= 0) - goto err; - if (cst->type == V_OCSP_CERTSTATUS_REVOKED) { - rev = cst->value.revoked; - if (BIO_printf(bp, "\n Revocation Time: ") <= 0) - goto err; - if (!ASN1_GENERALIZEDTIME_print(bp, - rev->revocationTime)) - goto err; - if (rev->revocationReason) { - l = ASN1_ENUMERATED_get(rev->revocationReason); - if (BIO_printf(bp, - "\n Revocation Reason: %s (0x%lx)", - OCSP_crl_reason_str(l), l) <= 0) - goto err; - } - } - if (BIO_printf(bp, "\n This Update: ") <= 0) - goto err; - if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate)) - goto err; - if (single->nextUpdate) { - if (BIO_printf(bp, "\n Next Update: ") <= 0) - goto err; - if (!ASN1_GENERALIZEDTIME_print(bp, single->nextUpdate)) - goto err; - } - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - if (!X509V3_extensions_print(bp, "Response Single Extensions", - single->singleExtensions, flags, 8)) - goto err; - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - if (!X509V3_extensions_print(bp, "Response Extensions", - rd->responseExtensions, flags, 4)) - goto err; - if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= - 0) - goto err; - - for (i = 0; i < sk_X509_num(br->certs); i++) { - X509_print(bp, sk_X509_value(br->certs, i)); - PEM_write_bio_X509(bp, sk_X509_value(br->certs, i)); - } - - ret = 1; - -err: - OCSP_BASICRESP_free(br); - return ret; -} diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c deleted file mode 100644 index 8f28916757..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_srv.c +++ /dev/null @@ -1,276 +0,0 @@ -/* $OpenBSD: ocsp_srv.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2001. - */ -/* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#include -#include -#include -#include -#include -#include - -/* Utility functions related to sending OCSP responses and extracting - * relevant information from the request. - */ - -int -OCSP_request_onereq_count(OCSP_REQUEST *req) -{ - return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList); -} - -OCSP_ONEREQ * -OCSP_request_onereq_get0(OCSP_REQUEST *req, int i) -{ - return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i); -} - -OCSP_CERTID * -OCSP_onereq_get0_id(OCSP_ONEREQ *one) -{ - return one->reqCert; -} - -int -OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, - ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid) -{ - if (!cid) - return 0; - if (pmd) - *pmd = cid->hashAlgorithm->algorithm; - if (piNameHash) - *piNameHash = cid->issuerNameHash; - if (pikeyHash) - *pikeyHash = cid->issuerKeyHash; - if (pserial) - *pserial = cid->serialNumber; - return 1; -} - -int -OCSP_request_is_signed(OCSP_REQUEST *req) -{ - if (req->optionalSignature) - return 1; - return 0; -} - -/* Create an OCSP response and encode an optional basic response */ -OCSP_RESPONSE * -OCSP_response_create(int status, OCSP_BASICRESP *bs) -{ - OCSP_RESPONSE *rsp = NULL; - - if (!(rsp = OCSP_RESPONSE_new())) - goto err; - if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) - goto err; - if (!bs) - return rsp; - if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) - goto err; - rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic); - if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), - &rsp->responseBytes->response)) - goto err; - return rsp; - -err: - if (rsp) - OCSP_RESPONSE_free(rsp); - return NULL; -} - -OCSP_SINGLERESP * -OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status, - int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd) -{ - OCSP_SINGLERESP *single = NULL; - OCSP_CERTSTATUS *cs; - OCSP_REVOKEDINFO *ri; - - if (!rsp->tbsResponseData->responses && - !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null())) - goto err; - - if (!(single = OCSP_SINGLERESP_new())) - goto err; - - if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate)) - goto err; - if (nextupd && - !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate)) - goto err; - - OCSP_CERTID_free(single->certId); - - if (!(single->certId = OCSP_CERTID_dup(cid))) - goto err; - - cs = single->certStatus; - switch (cs->type = status) { - case V_OCSP_CERTSTATUS_REVOKED: - if (!revtime) { - OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS, - OCSP_R_NO_REVOKED_TIME); - goto err; - } - if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) - goto err; - if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime)) - goto err; - if (reason != OCSP_REVOKED_STATUS_NOSTATUS) { - if (!(ri->revocationReason = ASN1_ENUMERATED_new())) - goto err; - if (!(ASN1_ENUMERATED_set(ri->revocationReason, - reason))) - goto err; - } - break; - - case V_OCSP_CERTSTATUS_GOOD: - cs->value.good = ASN1_NULL_new(); - break; - - case V_OCSP_CERTSTATUS_UNKNOWN: - cs->value.unknown = ASN1_NULL_new(); - break; - - default: - goto err; - } - if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single))) - goto err; - return single; - -err: - OCSP_SINGLERESP_free(single); - return NULL; -} - -/* Add a certificate to an OCSP request */ -int -OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) -{ - if (!resp->certs && !(resp->certs = sk_X509_new_null())) - return 0; - - if (!sk_X509_push(resp->certs, cert)) - return 0; - CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); - return 1; -} - -int -OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, - const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags) -{ - int i; - OCSP_RESPID *rid; - - if (!X509_check_private_key(signer, key)) { - OCSPerr(OCSP_F_OCSP_BASIC_SIGN, - OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); - goto err; - } - - if (!(flags & OCSP_NOCERTS)) { - if (!OCSP_basic_add1_cert(brsp, signer)) - goto err; - for (i = 0; i < sk_X509_num(certs); i++) { - X509 *tmpcert = sk_X509_value(certs, i); - if (!OCSP_basic_add1_cert(brsp, tmpcert)) - goto err; - } - } - - rid = brsp->tbsResponseData->responderId; - if (flags & OCSP_RESPID_KEY) { - unsigned char md[SHA_DIGEST_LENGTH]; - - X509_pubkey_digest(signer, EVP_sha1(), md, NULL); - if (!(rid->value.byKey = ASN1_OCTET_STRING_new())) - goto err; - if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, - SHA_DIGEST_LENGTH))) - goto err; - rid->type = V_OCSP_RESPID_KEY; - } else { - if (!X509_NAME_set(&rid->value.byName, - X509_get_subject_name(signer))) - goto err; - rid->type = V_OCSP_RESPID_NAME; - } - - if (!(flags & OCSP_NOTIME) && - !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0)) - goto err; - - /* Right now, I think that not doing double hashing is the right - thing. -- Richard Levitte */ - - if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) - goto err; - - return 1; - -err: - return 0; -} diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c deleted file mode 100644 index b62394b765..0000000000 --- a/src/lib/libcrypto/ocsp/ocsp_vfy.c +++ /dev/null @@ -1,448 +0,0 @@ -/* $OpenBSD: ocsp_vfy.c,v 1.12 2014/07/09 19:08:10 tedu Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2000. - */ -/* ==================================================================== - * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include - -static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, - STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); -static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); -static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, - unsigned long flags); -static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret); -static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, - STACK_OF(OCSP_SINGLERESP) *sresp); -static int ocsp_check_delegated(X509 *x, int flags); -static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, - X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st, - unsigned long flags); - -/* Verify a basic response message */ -int -OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, - unsigned long flags) -{ - X509 *signer, *x; - STACK_OF(X509) *chain = NULL; - X509_STORE_CTX ctx; - int i, ret = 0; - - ret = ocsp_find_signer(&signer, bs, certs, st, flags); - if (!ret) { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, - OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); - goto end; - } - if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) - flags |= OCSP_NOVERIFY; - if (!(flags & OCSP_NOSIGS)) { - EVP_PKEY *skey; - - skey = X509_get_pubkey(signer); - if (skey) { - ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); - } - if (!skey || ret <= 0) { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, - OCSP_R_SIGNATURE_FAILURE); - goto end; - } - } - if (!(flags & OCSP_NOVERIFY)) { - int init_res; - - if (flags & OCSP_NOCHAIN) - init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); - else - init_res = X509_STORE_CTX_init(&ctx, st, signer, - bs->certs); - if (!init_res) { - ret = -1; - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); - goto end; - } - - X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); - ret = X509_verify_cert(&ctx); - chain = X509_STORE_CTX_get1_chain(&ctx); - X509_STORE_CTX_cleanup(&ctx); - if (ret <= 0) { - i = X509_STORE_CTX_get_error(&ctx); - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, - OCSP_R_CERTIFICATE_VERIFY_ERROR); - ERR_asprintf_error_data("Verify error:%s", - X509_verify_cert_error_string(i)); - goto end; - } - if (flags & OCSP_NOCHECKS) { - ret = 1; - goto end; - } - /* At this point we have a valid certificate chain - * need to verify it against the OCSP issuer criteria. - */ - ret = ocsp_check_issuer(bs, chain, flags); - - /* If fatal error or valid match then finish */ - if (ret != 0) - goto end; - - /* Easy case: explicitly trusted. Get root CA and - * check for explicit trust - */ - if (flags & OCSP_NOEXPLICIT) - goto end; - - x = sk_X509_value(chain, sk_X509_num(chain) - 1); - if (X509_check_trust(x, NID_OCSP_sign, 0) != - X509_TRUST_TRUSTED) { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, - OCSP_R_ROOT_CA_NOT_TRUSTED); - goto end; - } - ret = 1; - } - -end: - if (chain) - sk_X509_pop_free(chain, X509_free); - return ret; -} - -static int -ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags) -{ - X509 *signer; - OCSP_RESPID *rid = bs->tbsResponseData->responderId; - - if ((signer = ocsp_find_signer_sk(certs, rid))) { - *psigner = signer; - return 2; - } - if (!(flags & OCSP_NOINTERN) && - (signer = ocsp_find_signer_sk(bs->certs, rid))) { - *psigner = signer; - return 1; - } - /* Maybe lookup from store if by subject name */ - - *psigner = NULL; - return 0; -} - -static X509 * -ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) -{ - int i; - unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; - X509 *x; - - /* Easy if lookup by name */ - if (id->type == V_OCSP_RESPID_NAME) - return X509_find_by_subject(certs, id->value.byName); - - /* Lookup by key hash */ - - /* If key hash isn't SHA1 length then forget it */ - if (id->value.byKey->length != SHA_DIGEST_LENGTH) - return NULL; - keyhash = id->value.byKey->data; - /* Calculate hash of each key and compare */ - for (i = 0; i < sk_X509_num(certs); i++) { - x = sk_X509_value(certs, i); - X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL); - if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)) - return x; - } - return NULL; -} - -static int -ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, - unsigned long flags) -{ - STACK_OF(OCSP_SINGLERESP) *sresp; - X509 *signer, *sca; - OCSP_CERTID *caid = NULL; - int i; - - sresp = bs->tbsResponseData->responses; - - if (sk_X509_num(chain) <= 0) { - OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, - OCSP_R_NO_CERTIFICATES_IN_CHAIN); - return -1; - } - - /* See if the issuer IDs match. */ - i = ocsp_check_ids(sresp, &caid); - - /* If ID mismatch or other error then return */ - if (i <= 0) - return i; - - signer = sk_X509_value(chain, 0); - /* Check to see if OCSP responder CA matches request CA */ - if (sk_X509_num(chain) > 1) { - sca = sk_X509_value(chain, 1); - i = ocsp_match_issuerid(sca, caid, sresp); - if (i < 0) - return i; - if (i) { - /* We have a match, if extensions OK then success */ - if (ocsp_check_delegated(signer, flags)) - return 1; - return 0; - } - } - - /* Otherwise check if OCSP request signed directly by request CA */ - return ocsp_match_issuerid(signer, caid, sresp); -} - -/* Check the issuer certificate IDs for equality. If there is a mismatch with the same - * algorithm then there's no point trying to match any certificates against the issuer. - * If the issuer IDs all match then we just need to check equality against one of them. - */ -static int -ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) -{ - OCSP_CERTID *tmpid, *cid; - int i, idcount; - - idcount = sk_OCSP_SINGLERESP_num(sresp); - if (idcount <= 0) { - OCSPerr(OCSP_F_OCSP_CHECK_IDS, - OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); - return -1; - } - - cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; - - *ret = NULL; - - for (i = 1; i < idcount; i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; - /* Check to see if IDs match */ - if (OCSP_id_issuer_cmp(cid, tmpid)) { - return 0; - } - } - - /* All IDs match: only need to check one ID */ - *ret = cid; - return 1; -} - -static int -ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, - STACK_OF(OCSP_SINGLERESP) *sresp) -{ - /* If only one ID to match then do it */ - if (cid) { - const EVP_MD *dgst; - X509_NAME *iname; - int mdlen; - unsigned char md[EVP_MAX_MD_SIZE]; - - if (!(dgst = - EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) { - OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, - OCSP_R_UNKNOWN_MESSAGE_DIGEST); - return -1; - } - - mdlen = EVP_MD_size(dgst); - if (mdlen < 0) - return -1; - if (cid->issuerNameHash->length != mdlen || - cid->issuerKeyHash->length != mdlen) - return 0; - iname = X509_get_subject_name(cert); - if (!X509_NAME_digest(iname, dgst, md, NULL)) - return -1; - if (memcmp(md, cid->issuerNameHash->data, mdlen)) - return 0; - X509_pubkey_digest(cert, dgst, md, NULL); - if (memcmp(md, cid->issuerKeyHash->data, mdlen)) - return 0; - - return 1; - } else { - /* We have to match the whole lot */ - int i, ret; - OCSP_CERTID *tmpid; - - for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; - ret = ocsp_match_issuerid(cert, tmpid, NULL); - if (ret <= 0) - return ret; - } - return 1; - } -} - -static int -ocsp_check_delegated(X509 *x, int flags) -{ - X509_check_purpose(x, -1, 0); - if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) - return 1; - OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); - return 0; -} - -/* Verify an OCSP request. This is fortunately much easier than OCSP - * response verify. Just find the signers certificate and verify it - * against a given trust value. - */ -int -OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, - unsigned long flags) -{ - X509 *signer; - X509_NAME *nm; - GENERAL_NAME *gen; - int ret; - X509_STORE_CTX ctx; - - if (!req->optionalSignature) { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); - return 0; - } - gen = req->tbsRequest->requestorName; - if (!gen || gen->type != GEN_DIRNAME) { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, - OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); - return 0; - } - nm = gen->d.directoryName; - ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags); - if (ret <= 0) { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, - OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); - return 0; - } - if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) - flags |= OCSP_NOVERIFY; - if (!(flags & OCSP_NOSIGS)) { - EVP_PKEY *skey; - - skey = X509_get_pubkey(signer); - ret = OCSP_REQUEST_verify(req, skey); - EVP_PKEY_free(skey); - if (ret <= 0) { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, - OCSP_R_SIGNATURE_FAILURE); - return 0; - } - } - if (!(flags & OCSP_NOVERIFY)) { - int init_res; - - if (flags & OCSP_NOCHAIN) - init_res = X509_STORE_CTX_init(&ctx, store, signer, - NULL); - else - init_res = X509_STORE_CTX_init(&ctx, store, signer, - req->optionalSignature->certs); - if (!init_res) { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB); - return 0; - } - - X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); - X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST); - ret = X509_verify_cert(&ctx); - X509_STORE_CTX_cleanup(&ctx); - if (ret <= 0) { - ret = X509_STORE_CTX_get_error(&ctx); - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, - OCSP_R_CERTIFICATE_VERIFY_ERROR); - ERR_asprintf_error_data("Verify error:%s", - X509_verify_cert_error_string(ret)); - return 0; - } - } - return 1; -} - -static int -ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, - STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) -{ - X509 *signer; - - if (!(flags & OCSP_NOINTERN)) { - signer = - X509_find_by_subject(req->optionalSignature->certs, nm); - *psigner = signer; - return 1; - } - - signer = X509_find_by_subject(certs, nm); - if (signer) { - *psigner = signer; - return 2; - } - return 0; -} -- cgit v1.2.3-55-g6feb