Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

ocsp.c@ 331

Last change on this file since 331 was 331, checked in by coas-nagasima, 6 years ago
prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新 ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新以下のOSSをアップデート・mruby-1.3.0 ・musl-1.1.18 ・onigmo-6.1.3 ・tcc-0.9.27 以下のOSSを追加・openssl-1.1.0e ・curl-7.57.0 ・zlib-1.2.11 以下のmrbgemsを追加・iij/mruby-digest ・iij/mruby-env ・iij/mruby-errno ・iij/mruby-iijson ・iij/mruby-ipaddr ・iij/mruby-mock ・iij/mruby-require ・iij/mruby-tls-openssl
Property svn:eol-style set to `native` Property svn:mime-type set to `text/x-csrc`
File size: 39.9 KB

Line
1	/*
2	* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <openssl/opensslconf.h>
11
12	#ifdef OPENSSL_NO_OCSP
13	NON_EMPTY_TRANSLATION_UNIT
14	#else
15	# ifdef OPENSSL_SYS_VMS
16	# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
17	* on OpenVMS */
18	# endif
19
20	# define USE_SOCKETS
21
22	# include <stdio.h>
23	# include <stdlib.h>
24	# include <string.h>
25	# include <time.h>
26	# include <ctype.h>
27
28	/* Needs to be included before the openssl headers */
29	# include "apps.h"
30	# include <openssl/e_os2.h>
31	# include <openssl/crypto.h>
32	# include <openssl/err.h>
33	# include <openssl/ssl.h>
34	# include <openssl/evp.h>
35	# include <openssl/bn.h>
36	# include <openssl/x509v3.h>
37
38	# if defined(NETWARE_CLIB)
39	# ifdef NETWARE_BSDSOCK
40	# include <sys/socket.h>
41	# include <sys/bsdskt.h>
42	# else
43	# include <novsock2.h>
44	# endif
45	# elif defined(NETWARE_LIBC)
46	# ifdef NETWARE_BSDSOCK
47	# include <sys/select.h>
48	# else
49	# include <novsock2.h>
50	# endif
51	# endif
52
53	/* Maximum leeway in validity period: default 5 minutes */
54	# define MAX_VALIDITY_PERIOD (5 * 60)
55
56	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert,
57	const EVP_MD cert_id_md, X509 issuer,
58	STACK_OF(OCSP_CERTID) *ids);
59	static int add_ocsp_serial(OCSP_REQUEST *req, char serial,
60	const EVP_MD cert_id_md, X509 issuer,
61	STACK_OF(OCSP_CERTID) *ids);
62	static void print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
63	STACK_OF(OPENSSL_STRING) *names,
64	STACK_OF(OCSP_CERTID) *ids, long nsec,
65	long maxage);
66	static void make_ocsp_response(OCSP_RESPONSE *resp, OCSP_REQUEST req,
67	CA_DB db, X509 ca, X509 *rcert,
68	EVP_PKEY rkey, const EVP_MD md,
69	STACK_OF(X509) *rother, unsigned long flags,
70	int nmin, int ndays, int badsig);
71
72	static char *lookup_serial(CA_DB db, ASN1_INTEGER *ser);
73	static BIO init_responder(const char port);
74	static int do_responder(OCSP_REQUEST preq, BIO pcbio, BIO *acbio);
75	static int send_ocsp_response(BIO cbio, OCSP_RESPONSE resp);
76
77	# ifndef OPENSSL_NO_SOCK
78	static OCSP_RESPONSE query_responder(BIO cbio, const char *host,
79	const char *path,
80	const STACK_OF(CONF_VALUE) *headers,
81	OCSP_REQUEST *req, int req_timeout);
82	# endif
83
84	typedef enum OPTION_choice {
85	OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
86	OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
87	OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
88	OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
89	OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
90	OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
91	OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
92	OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
93	OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH,
94	OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
95	OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
96	OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
97	OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_HEADER,
98	OPT_V_ENUM,
99	OPT_MD
100	} OPTION_CHOICE;
101
102	OPTIONS ocsp_options[] = {
103	{"help", OPT_HELP, '-', "Display this summary"},
104	{"out", OPT_OUTFILE, '>', "Output filename"},
105	{"timeout", OPT_TIMEOUT, 'p',
106	"Connection timeout (in seconds) to the OCSP responder"},
107	{"url", OPT_URL, 's', "Responder URL"},
108	{"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
109	{"port", OPT_PORT, 'p', "Port to run responder on"},
110	{"ignore_err", OPT_IGNORE_ERR, '-',
111	"Ignore Error response from OCSP responder, and retry "},
112	{"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
113	{"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
114	{"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
115	{"resp_no_certs", OPT_RESP_NO_CERTS, '-',
116	"Don't include any certificates in response"},
117	{"resp_key_id", OPT_RESP_KEY_ID, '-',
118	"Identify response by signing certificate key ID"},
119	{"no_certs", OPT_NO_CERTS, '-',
120	"Don't include any certificates in signed request"},
121	{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
122	"Don't check signature on response"},
123	{"no_cert_verify", OPT_NO_CERT_VERIFY, '-',
124	"Don't check signing certificate"},
125	{"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
126	{"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
127	"Don't do additional checks on signing certificate"},
128	{"no_explicit", OPT_NO_EXPLICIT, '-',
129	"Do not explicitly check the chain, just verify the root"},
130	{"trust_other", OPT_TRUST_OTHER, '-',
131	"Don't verify additional certificates"},
132	{"no_intern", OPT_NO_INTERN, '-',
133	"Don't search certificates contained in response for signer"},
134	{"badsig", OPT_BADSIG, '-',
135	"Corrupt last byte of loaded OSCP response signature (for test)"},
136	{"text", OPT_TEXT, '-', "Print text form of request and response"},
137	{"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
138	{"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
139	{"reqin", OPT_REQIN, 's', "File with the DER-encoded request"},
140	{"respin", OPT_RESPIN, 's', "File with the DER-encoded response"},
141	{"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"},
142	{"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
143	{"sign_other", OPT_SIGN_OTHER, '<',
144	"Additional certificates to include in signed request"},
145	{"verify_other", OPT_VERIFY_OTHER, '<',
146	"Additional certificates to search for signer"},
147	{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
148	{"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
149	{"no-CAfile", OPT_NOCAFILE, '-',
150	"Do not load the default certificates file"},
151	{"no-CApath", OPT_NOCAPATH, '-',
152	"Do not load certificates from the default certificates directory"},
153	{"validity_period", OPT_VALIDITY_PERIOD, 'u',
154	"Maximum validity discrepancy in seconds"},
155	{"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
156	{"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"},
157	{"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"},
158	{"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"},
159	{"path", OPT_PATH, 's', "Path to use in OCSP request"},
160	{"issuer", OPT_ISSUER, '<', "Issuer certificate"},
161	{"cert", OPT_CERT, '<', "Certificate to check"},
162	{"serial", OPT_SERIAL, 's', "Serial number to check"},
163	{"index", OPT_INDEX, '<', "Certificate status index file"},
164	{"CA", OPT_CA, '<', "CA certificate"},
165	{"nmin", OPT_NMIN, 'p', "Number of minutes before next update"},
166	{"nrequest", OPT_REQUEST, 'p',
167	"Number of requests to accept (default unlimited)"},
168	{"ndays", OPT_NDAYS, 'p', "Number of days before next update"},
169	{"rsigner", OPT_RSIGNER, '<',
170	"Responder certificate to sign responses with"},
171	{"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
172	{"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
173	{"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},
174	{"header", OPT_HEADER, 's', "key=value header to add"},
175	{"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
176	OPT_V_OPTIONS,
177	{NULL}
178	};
179
180	int ocsp_main(int argc, char **argv)
181	{
182	BIO acbio = NULL, cbio = NULL, derbio = NULL, out = NULL;
183	const EVP_MD cert_id_md = NULL, rsign_md = NULL;
184	int trailing_md = 0;
185	CA_DB *rdb = NULL;
186	EVP_PKEY key = NULL, rkey = NULL;
187	OCSP_BASICRESP *bs = NULL;
188	OCSP_REQUEST *req = NULL;
189	OCSP_RESPONSE *resp = NULL;
190	STACK_OF(CONF_VALUE) *headers = NULL;
191	STACK_OF(OCSP_CERTID) *ids = NULL;
192	STACK_OF(OPENSSL_STRING) *reqnames = NULL;
193	STACK_OF(X509) sign_other = NULL, verify_other = NULL, *rother = NULL;
194	STACK_OF(X509) *issuers = NULL;
195	X509 issuer = NULL, cert = NULL, *rca_cert = NULL;
196	X509 signer = NULL, rsigner = NULL;
197	X509_STORE *store = NULL;
198	X509_VERIFY_PARAM *vpm = NULL;
199	const char CAfile = NULL, CApath = NULL;
200	char header, value;
201	char host = NULL, port = NULL, path = "/", outfile = NULL;
202	char rca_filename = NULL, reqin = NULL, *respin = NULL;
203	char reqout = NULL, respout = NULL, *ridx_filename = NULL;
204	char rsignfile = NULL, rkeyfile = NULL;
205	char sign_certfile = NULL, verify_certfile = NULL, *rcertfile = NULL;
206	char signfile = NULL, keyfile = NULL;
207	char thost = NULL, tport = NULL, *tpath = NULL;
208	int noCAfile = 0, noCApath = 0;
209	int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
210	int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
211	int req_text = 0, resp_text = 0, ret = 1;
212	#ifndef OPENSSL_NO_SOCK
213	int req_timeout = -1;
214	#endif
215	long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
216	unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
217	OPTION_CHOICE o;
218	char *prog;
219
220	reqnames = sk_OPENSSL_STRING_new_null();
221	if (!reqnames)
222	goto end;
223	ids = sk_OCSP_CERTID_new_null();
224	if (!ids)
225	goto end;
226	if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
227	return 1;
228
229	prog = opt_init(argc, argv, ocsp_options);
230	while ((o = opt_next()) != OPT_EOF) {
231	switch (o) {
232	case OPT_EOF:
233	case OPT_ERR:
234	opthelp:
235	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
236	goto end;
237	case OPT_HELP:
238	ret = 0;
239	opt_help(ocsp_options);
240	goto end;
241	case OPT_OUTFILE:
242	outfile = opt_arg();
243	break;
244	case OPT_TIMEOUT:
245	#ifndef OPENSSL_NO_SOCK
246	req_timeout = atoi(opt_arg());
247	#endif
248	break;
249	case OPT_URL:
250	OPENSSL_free(thost);
251	OPENSSL_free(tport);
252	OPENSSL_free(tpath);
253	thost = tport = tpath = NULL;
254	if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) {
255	BIO_printf(bio_err, "%s Error parsing URL\n", prog);
256	goto end;
257	}
258	thost = host;
259	tport = port;
260	tpath = path;
261	break;
262	case OPT_HOST:
263	host = opt_arg();
264	break;
265	case OPT_PORT:
266	port = opt_arg();
267	break;
268	case OPT_IGNORE_ERR:
269	ignore_err = 1;
270	break;
271	case OPT_NOVERIFY:
272	noverify = 1;
273	break;
274	case OPT_NONCE:
275	add_nonce = 2;
276	break;
277	case OPT_NO_NONCE:
278	add_nonce = 0;
279	break;
280	case OPT_RESP_NO_CERTS:
281	rflags \|= OCSP_NOCERTS;
282	break;
283	case OPT_RESP_KEY_ID:
284	rflags \|= OCSP_RESPID_KEY;
285	break;
286	case OPT_NO_CERTS:
287	sign_flags \|= OCSP_NOCERTS;
288	break;
289	case OPT_NO_SIGNATURE_VERIFY:
290	verify_flags \|= OCSP_NOSIGS;
291	break;
292	case OPT_NO_CERT_VERIFY:
293	verify_flags \|= OCSP_NOVERIFY;
294	break;
295	case OPT_NO_CHAIN:
296	verify_flags \|= OCSP_NOCHAIN;
297	break;
298	case OPT_NO_CERT_CHECKS:
299	verify_flags \|= OCSP_NOCHECKS;
300	break;
301	case OPT_NO_EXPLICIT:
302	verify_flags \|= OCSP_NOEXPLICIT;
303	break;
304	case OPT_TRUST_OTHER:
305	verify_flags \|= OCSP_TRUSTOTHER;
306	break;
307	case OPT_NO_INTERN:
308	verify_flags \|= OCSP_NOINTERN;
309	break;
310	case OPT_BADSIG:
311	badsig = 1;
312	break;
313	case OPT_TEXT:
314	req_text = resp_text = 1;
315	break;
316	case OPT_REQ_TEXT:
317	req_text = 1;
318	break;
319	case OPT_RESP_TEXT:
320	resp_text = 1;
321	break;
322	case OPT_REQIN:
323	reqin = opt_arg();
324	break;
325	case OPT_RESPIN:
326	respin = opt_arg();
327	break;
328	case OPT_SIGNER:
329	signfile = opt_arg();
330	break;
331	case OPT_VAFILE:
332	verify_certfile = opt_arg();
333	verify_flags \|= OCSP_TRUSTOTHER;
334	break;
335	case OPT_SIGN_OTHER:
336	sign_certfile = opt_arg();
337	break;
338	case OPT_VERIFY_OTHER:
339	verify_certfile = opt_arg();
340	break;
341	case OPT_CAFILE:
342	CAfile = opt_arg();
343	break;
344	case OPT_CAPATH:
345	CApath = opt_arg();
346	break;
347	case OPT_NOCAFILE:
348	noCAfile = 1;
349	break;
350	case OPT_NOCAPATH:
351	noCApath = 1;
352	break;
353	case OPT_V_CASES:
354	if (!opt_verify(o, vpm))
355	goto end;
356	vpmtouched++;
357	break;
358	case OPT_VALIDITY_PERIOD:
359	opt_long(opt_arg(), &nsec);
360	break;
361	case OPT_STATUS_AGE:
362	opt_long(opt_arg(), &maxage);
363	break;
364	case OPT_SIGNKEY:
365	keyfile = opt_arg();
366	break;
367	case OPT_REQOUT:
368	reqout = opt_arg();
369	break;
370	case OPT_RESPOUT:
371	respout = opt_arg();
372	break;
373	case OPT_PATH:
374	path = opt_arg();
375	break;
376	case OPT_ISSUER:
377	issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate");
378	if (issuer == NULL)
379	goto end;
380	if (issuers == NULL) {
381	if ((issuers = sk_X509_new_null()) == NULL)
382	goto end;
383	}
384	sk_X509_push(issuers, issuer);
385	break;
386	case OPT_CERT:
387	X509_free(cert);
388	cert = load_cert(opt_arg(), FORMAT_PEM, "certificate");
389	if (cert == NULL)
390	goto end;
391	if (cert_id_md == NULL)
392	cert_id_md = EVP_sha1();
393	if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
394	goto end;
395	if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
396	goto end;
397	trailing_md = 0;
398	break;
399	case OPT_SERIAL:
400	if (cert_id_md == NULL)
401	cert_id_md = EVP_sha1();
402	if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids))
403	goto end;
404	if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
405	goto end;
406	trailing_md = 0;
407	break;
408	case OPT_INDEX:
409	ridx_filename = opt_arg();
410	break;
411	case OPT_CA:
412	rca_filename = opt_arg();
413	break;
414	case OPT_NMIN:
415	opt_int(opt_arg(), &nmin);
416	if (ndays == -1)
417	ndays = 0;
418	break;
419	case OPT_REQUEST:
420	opt_int(opt_arg(), &accept_count);
421	break;
422	case OPT_NDAYS:
423	ndays = atoi(opt_arg());
424	break;
425	case OPT_RSIGNER:
426	rsignfile = opt_arg();
427	break;
428	case OPT_RKEY:
429	rkeyfile = opt_arg();
430	break;
431	case OPT_ROTHER:
432	rcertfile = opt_arg();
433	break;
434	case OPT_RMD: /* Response MessageDigest */
435	if (!opt_md(opt_arg(), &rsign_md))
436	goto end;
437	break;
438	case OPT_HEADER:
439	header = opt_arg();
440	value = strchr(header, '=');
441	if (value == NULL) {
442	BIO_printf(bio_err, "Missing = in header key=value\n");
443	goto opthelp;
444	}
445	*value++ = '\0';
446	if (!X509V3_add_value(header, value, &headers))
447	goto end;
448	break;
449	case OPT_MD:
450	if (trailing_md) {
451	BIO_printf(bio_err,
452	"%s: Digest must be before -cert or -serial\n",
453	prog);
454	goto opthelp;
455	}
456	if (!opt_md(opt_unknown(), &cert_id_md))
457	goto opthelp;
458	trailing_md = 1;
459	break;
460	}
461	}
462
463	if (trailing_md) {
464	BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
465	prog);
466	goto opthelp;
467	}
468	argc = opt_num_rest();
469	if (argc != 0)
470	goto opthelp;
471
472	/* Have we anything to do? */
473	if (!req && !reqin && !respin && !(port && ridx_filename))
474	goto opthelp;
475
476	out = bio_open_default(outfile, 'w', FORMAT_TEXT);
477	if (out == NULL)
478	goto end;
479
480	if (!req && (add_nonce != 2))
481	add_nonce = 0;
482
483	if (!req && reqin) {
484	derbio = bio_open_default(reqin, 'r', FORMAT_ASN1);
485	if (derbio == NULL)
486	goto end;
487	req = d2i_OCSP_REQUEST_bio(derbio, NULL);
488	BIO_free(derbio);
489	if (!req) {
490	BIO_printf(bio_err, "Error reading OCSP request\n");
491	goto end;
492	}
493	}
494
495	if (!req && port) {
496	acbio = init_responder(port);
497	if (!acbio)
498	goto end;
499	}
500
501	if (rsignfile) {
502	if (!rkeyfile)
503	rkeyfile = rsignfile;
504	rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate");
505	if (!rsigner) {
506	BIO_printf(bio_err, "Error loading responder certificate\n");
507	goto end;
508	}
509	rca_cert = load_cert(rca_filename, FORMAT_PEM, "CA certificate");
510	if (rcertfile) {
511	if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL,
512	"responder other certificates"))
513	goto end;
514	}
515	rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL,
516	"responder private key");
517	if (!rkey)
518	goto end;
519	}
520	if (acbio)
521	BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
522
523	redo_accept:
524
525	if (acbio) {
526	if (!do_responder(&req, &cbio, acbio))
527	goto end;
528	if (!req) {
529	resp =
530	OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
531	NULL);
532	send_ocsp_response(cbio, resp);
533	goto done_resp;
534	}
535	}
536
537	if (!req && (signfile \|\| reqout \|\| host \|\| add_nonce \|\| ridx_filename)) {
538	BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
539	goto end;
540	}
541
542	if (req && add_nonce)
543	OCSP_request_add1_nonce(req, NULL, -1);
544
545	if (signfile) {
546	if (!keyfile)
547	keyfile = signfile;
548	signer = load_cert(signfile, FORMAT_PEM, "signer certificate");
549	if (!signer) {
550	BIO_printf(bio_err, "Error loading signer certificate\n");
551	goto end;
552	}
553	if (sign_certfile) {
554	if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL,
555	"signer certificates"))
556	goto end;
557	}
558	key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
559	"signer private key");
560	if (!key)
561	goto end;
562
563	if (!OCSP_request_sign
564	(req, signer, key, NULL, sign_other, sign_flags)) {
565	BIO_printf(bio_err, "Error signing OCSP request\n");
566	goto end;
567	}
568	}
569
570	if (req_text && req)
571	OCSP_REQUEST_print(out, req, 0);
572
573	if (reqout) {
574	derbio = bio_open_default(reqout, 'w', FORMAT_ASN1);
575	if (derbio == NULL)
576	goto end;
577	i2d_OCSP_REQUEST_bio(derbio, req);
578	BIO_free(derbio);
579	}
580
581	if (ridx_filename && (!rkey \|\| !rsigner \|\| !rca_cert)) {
582	BIO_printf(bio_err,
583	"Need a responder certificate, key and CA for this operation!\n");
584	goto end;
585	}
586
587	if (ridx_filename && !rdb) {
588	rdb = load_index(ridx_filename, NULL);
589	if (!rdb)
590	goto end;
591	if (!index_index(rdb))
592	goto end;
593	}
594
595	if (rdb) {
596	make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
597	rsign_md, rother, rflags, nmin, ndays, badsig);
598	if (cbio)
599	send_ocsp_response(cbio, resp);
600	} else if (host) {
601	# ifndef OPENSSL_NO_SOCK
602	resp = process_responder(req, host, path,
603	port, use_ssl, headers, req_timeout);
604	if (!resp)
605	goto end;
606	# else
607	BIO_printf(bio_err,
608	"Error creating connect BIO - sockets not supported.\n");
609	goto end;
610	# endif
611	} else if (respin) {
612	derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
613	if (derbio == NULL)
614	goto end;
615	resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
616	BIO_free(derbio);
617	if (!resp) {
618	BIO_printf(bio_err, "Error reading OCSP response\n");
619	goto end;
620	}
621	} else {
622	ret = 0;
623	goto end;
624	}
625
626	done_resp:
627
628	if (respout) {
629	derbio = bio_open_default(respout, 'w', FORMAT_ASN1);
630	if (derbio == NULL)
631	goto end;
632	i2d_OCSP_RESPONSE_bio(derbio, resp);
633	BIO_free(derbio);
634	}
635
636	i = OCSP_response_status(resp);
637	if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
638	BIO_printf(out, "Responder Error: %s (%d)\n",
639	OCSP_response_status_str(i), i);
640	if (ignore_err)
641	goto redo_accept;
642	ret = 0;
643	goto end;
644	}
645
646	if (resp_text)
647	OCSP_RESPONSE_print(out, resp, 0);
648
649	/* If running as responder don't verify our own response */
650	if (cbio) {
651	/* If not unlimited, see if we took all we should. */
652	if (accept_count != -1 && --accept_count <= 0) {
653	ret = 0;
654	goto end;
655	}
656	BIO_free_all(cbio);
657	cbio = NULL;
658	OCSP_REQUEST_free(req);
659	req = NULL;
660	OCSP_RESPONSE_free(resp);
661	resp = NULL;
662	goto redo_accept;
663	}
664	if (ridx_filename) {
665	ret = 0;
666	goto end;
667	}
668
669	if (!store) {
670	store = setup_verify(CAfile, CApath, noCAfile, noCApath);
671	if (!store)
672	goto end;
673	}
674	if (vpmtouched)
675	X509_STORE_set1_param(store, vpm);
676	if (verify_certfile) {
677	if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL,
678	"validator certificate"))
679	goto end;
680	}
681
682	bs = OCSP_response_get1_basic(resp);
683	if (!bs) {
684	BIO_printf(bio_err, "Error parsing response\n");
685	goto end;
686	}
687
688	ret = 0;
689
690	if (!noverify) {
691	if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
692	if (i == -1)
693	BIO_printf(bio_err, "WARNING: no nonce in response\n");
694	else {
695	BIO_printf(bio_err, "Nonce Verify error\n");
696	ret = 1;
697	goto end;
698	}
699	}
700
701	i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
702	if (i <= 0 && issuers) {
703	i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER);
704	if (i > 0)
705	ERR_clear_error();
706	}
707	if (i <= 0) {
708	BIO_printf(bio_err, "Response Verify Failure\n");
709	ERR_print_errors(bio_err);
710	ret = 1;
711	} else
712	BIO_printf(bio_err, "Response verify OK\n");
713
714	}
715
716	print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage);
717
718	end:
719	ERR_print_errors(bio_err);
720	X509_free(signer);
721	X509_STORE_free(store);
722	X509_VERIFY_PARAM_free(vpm);
723	EVP_PKEY_free(key);
724	EVP_PKEY_free(rkey);
725	X509_free(cert);
726	sk_X509_pop_free(issuers, X509_free);
727	X509_free(rsigner);
728	X509_free(rca_cert);
729	free_index(rdb);
730	BIO_free_all(cbio);
731	BIO_free_all(acbio);
732	BIO_free(out);
733	OCSP_REQUEST_free(req);
734	OCSP_RESPONSE_free(resp);
735	OCSP_BASICRESP_free(bs);
736	sk_OPENSSL_STRING_free(reqnames);
737	sk_OCSP_CERTID_free(ids);
738	sk_X509_pop_free(sign_other, X509_free);
739	sk_X509_pop_free(verify_other, X509_free);
740	sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
741	OPENSSL_free(thost);
742	OPENSSL_free(tport);
743	OPENSSL_free(tpath);
744
745	return (ret);
746	}
747
748	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert,
749	const EVP_MD cert_id_md, X509 issuer,
750	STACK_OF(OCSP_CERTID) *ids)
751	{
752	OCSP_CERTID *id;
753	if (!issuer) {
754	BIO_printf(bio_err, "No issuer certificate specified\n");
755	return 0;
756	}
757	if (*req == NULL)
758	*req = OCSP_REQUEST_new();
759	if (*req == NULL)
760	goto err;
761	id = OCSP_cert_to_id(cert_id_md, cert, issuer);
762	if (!id \|\| !sk_OCSP_CERTID_push(ids, id))
763	goto err;
764	if (!OCSP_request_add0_id(*req, id))
765	goto err;
766	return 1;
767
768	err:
769	BIO_printf(bio_err, "Error Creating OCSP request\n");
770	return 0;
771	}
772
773	static int add_ocsp_serial(OCSP_REQUEST *req, char serial,
774	const EVP_MD cert_id_md, X509 issuer,
775	STACK_OF(OCSP_CERTID) *ids)
776	{
777	OCSP_CERTID *id;
778	X509_NAME *iname;
779	ASN1_BIT_STRING *ikey;
780	ASN1_INTEGER *sno;
781	if (!issuer) {
782	BIO_printf(bio_err, "No issuer certificate specified\n");
783	return 0;
784	}
785	if (*req == NULL)
786	*req = OCSP_REQUEST_new();
787	if (*req == NULL)
788	goto err;
789	iname = X509_get_subject_name(issuer);
790	ikey = X509_get0_pubkey_bitstr(issuer);
791	sno = s2i_ASN1_INTEGER(NULL, serial);
792	if (!sno) {
793	BIO_printf(bio_err, "Error converting serial number %s\n", serial);
794	return 0;
795	}
796	id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
797	ASN1_INTEGER_free(sno);
798	if (id == NULL \|\| !sk_OCSP_CERTID_push(ids, id))
799	goto err;
800	if (!OCSP_request_add0_id(*req, id))
801	goto err;
802	return 1;
803
804	err:
805	BIO_printf(bio_err, "Error Creating OCSP request\n");
806	return 0;
807	}
808
809	static void print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
810	STACK_OF(OPENSSL_STRING) *names,
811	STACK_OF(OCSP_CERTID) *ids, long nsec,
812	long maxage)
813	{
814	OCSP_CERTID *id;
815	const char *name;
816	int i, status, reason;
817	ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
818
819	if (!bs \|\| !req \|\| !sk_OPENSSL_STRING_num(names)
820	\|\| !sk_OCSP_CERTID_num(ids))
821	return;
822
823	for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
824	id = sk_OCSP_CERTID_value(ids, i);
825	name = sk_OPENSSL_STRING_value(names, i);
826	BIO_printf(out, "%s: ", name);
827
828	if (!OCSP_resp_find_status(bs, id, &status, &reason,
829	&rev, &thisupd, &nextupd)) {
830	BIO_puts(out, "ERROR: No Status found.\n");
831	continue;
832	}
833
834	/*
835	* Check validity: if invalid write to output BIO so we know which
836	* response this refers to.
837	*/
838	if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
839	BIO_puts(out, "WARNING: Status times invalid.\n");
840	ERR_print_errors(out);
841	}
842	BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
843
844	BIO_puts(out, "\tThis Update: ");
845	ASN1_GENERALIZEDTIME_print(out, thisupd);
846	BIO_puts(out, "\n");
847
848	if (nextupd) {
849	BIO_puts(out, "\tNext Update: ");
850	ASN1_GENERALIZEDTIME_print(out, nextupd);
851	BIO_puts(out, "\n");
852	}
853
854	if (status != V_OCSP_CERTSTATUS_REVOKED)
855	continue;
856
857	if (reason != -1)
858	BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason));
859
860	BIO_puts(out, "\tRevocation Time: ");
861	ASN1_GENERALIZEDTIME_print(out, rev);
862	BIO_puts(out, "\n");
863	}
864	}
865
866	static void make_ocsp_response(OCSP_RESPONSE *resp, OCSP_REQUEST req,
867	CA_DB db, X509 ca, X509 *rcert,
868	EVP_PKEY rkey, const EVP_MD rmd,
869	STACK_OF(X509) *rother, unsigned long flags,
870	int nmin, int ndays, int badsig)
871	{
872	ASN1_TIME thisupd = NULL, nextupd = NULL;
873	OCSP_CERTID cid, ca_id = NULL;
874	OCSP_BASICRESP *bs = NULL;
875	int i, id_count;
876
877	id_count = OCSP_request_onereq_count(req);
878
879	if (id_count <= 0) {
880	*resp =
881	OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
882	goto end;
883	}
884
885	bs = OCSP_BASICRESP_new();
886	thisupd = X509_gmtime_adj(NULL, 0);
887	if (ndays != -1)
888	nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
889
890	/* Examine each certificate id in the request */
891	for (i = 0; i < id_count; i++) {
892	OCSP_ONEREQ *one;
893	ASN1_INTEGER *serial;
894	char **inf;
895	ASN1_OBJECT *cert_id_md_oid;
896	const EVP_MD *cert_id_md;
897	one = OCSP_request_onereq_get0(req, i);
898	cid = OCSP_onereq_get0_id(one);
899
900	OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid);
901
902	cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
903	if (!cert_id_md) {
904	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
905	NULL);
906	goto end;
907	}
908	OCSP_CERTID_free(ca_id);
909	ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
910
911	/* Is this request about our CA? */
912	if (OCSP_id_issuer_cmp(ca_id, cid)) {
913	OCSP_basic_add1_status(bs, cid,
914	V_OCSP_CERTSTATUS_UNKNOWN,
915	0, NULL, thisupd, nextupd);
916	continue;
917	}
918	OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
919	inf = lookup_serial(db, serial);
920	if (!inf)
921	OCSP_basic_add1_status(bs, cid,
922	V_OCSP_CERTSTATUS_UNKNOWN,
923	0, NULL, thisupd, nextupd);
924	else if (inf[DB_type][0] == DB_TYPE_VAL)
925	OCSP_basic_add1_status(bs, cid,
926	V_OCSP_CERTSTATUS_GOOD,
927	0, NULL, thisupd, nextupd);
928	else if (inf[DB_type][0] == DB_TYPE_REV) {
929	ASN1_OBJECT *inst = NULL;
930	ASN1_TIME *revtm = NULL;
931	ASN1_GENERALIZEDTIME *invtm = NULL;
932	OCSP_SINGLERESP *single;
933	int reason = -1;
934	unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
935	single = OCSP_basic_add1_status(bs, cid,
936	V_OCSP_CERTSTATUS_REVOKED,
937	reason, revtm, thisupd, nextupd);
938	if (invtm)
939	OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
940	invtm, 0, 0);
941	else if (inst)
942	OCSP_SINGLERESP_add1_ext_i2d(single,
943	NID_hold_instruction_code, inst,
944	0, 0);
945	ASN1_OBJECT_free(inst);
946	ASN1_TIME_free(revtm);
947	ASN1_GENERALIZEDTIME_free(invtm);
948	}
949	}
950
951	OCSP_copy_nonce(bs, req);
952
953	OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
954
955	if (badsig) {
956	const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
957	corrupt_signature(sig);
958	}
959
960	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
961
962	end:
963	ASN1_TIME_free(thisupd);
964	ASN1_TIME_free(nextupd);
965	OCSP_CERTID_free(ca_id);
966	OCSP_BASICRESP_free(bs);
967	}
968
969	static char *lookup_serial(CA_DB db, ASN1_INTEGER *ser)
970	{
971	int i;
972	BIGNUM *bn = NULL;
973	char itmp, row[DB_NUMBER], **rrow;
974	for (i = 0; i < DB_NUMBER; i++)
975	row[i] = NULL;
976	bn = ASN1_INTEGER_to_BN(ser, NULL);
977	OPENSSL_assert(bn); /* FIXME: should report an error at this
978	* point and abort */
979	if (BN_is_zero(bn))
980	itmp = OPENSSL_strdup("00");
981	else
982	itmp = BN_bn2hex(bn);
983	row[DB_serial] = itmp;
984	BN_free(bn);
985	rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
986	OPENSSL_free(itmp);
987	return rrow;
988	}
989
990	/* Quick and dirty OCSP server: read in and parse input request */
991
992	static BIO init_responder(const char port)
993	{
994	# ifdef OPENSSL_NO_SOCK
995	BIO_printf(bio_err,
996	"Error setting up accept BIO - sockets not supported.\n");
997	return NULL;
998	# else
999	BIO acbio = NULL, bufbio = NULL;
1000
1001	bufbio = BIO_new(BIO_f_buffer());
1002	if (bufbio == NULL)
1003	goto err;
1004	acbio = BIO_new(BIO_s_accept());
1005	if (acbio == NULL
1006	\|\| BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
1007	\|\| BIO_set_accept_port(acbio, port) < 0) {
1008	BIO_printf(bio_err, "Error setting up accept BIO\n");
1009	ERR_print_errors(bio_err);
1010	goto err;
1011	}
1012
1013	BIO_set_accept_bios(acbio, bufbio);
1014	bufbio = NULL;
1015	if (BIO_do_accept(acbio) <= 0) {
1016	BIO_printf(bio_err, "Error starting accept\n");
1017	ERR_print_errors(bio_err);
1018	goto err;
1019	}
1020
1021	return acbio;
1022
1023	err:
1024	BIO_free_all(acbio);
1025	BIO_free(bufbio);
1026	return NULL;
1027	# endif
1028	}
1029
1030	# ifndef OPENSSL_NO_SOCK
1031	/*
1032	* Decode %xx URL-decoding in-place. Ignores mal-formed sequences.
1033	*/
1034	static int urldecode(char *p)
1035	{
1036	unsigned char out = (unsigned char )p;
1037	unsigned char *save = out;
1038
1039	for (; *p; p++) {
1040	if (*p != '%')
1041	out++ = p;
1042	else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) {
1043	/* Don't check, can't fail because of ixdigit() call. */
1044	*out++ = (OPENSSL_hexchar2int(p[1]) << 4)
1045	\| OPENSSL_hexchar2int(p[2]);
1046	p += 2;
1047	}
1048	else
1049	return -1;
1050	}
1051	*out = '\0';
1052	return (int)(out - save);
1053	}
1054	# endif
1055
1056	static int do_responder(OCSP_REQUEST preq, BIO pcbio, BIO *acbio)
1057	{
1058	# ifdef OPENSSL_NO_SOCK
1059	return 0;
1060	# else
1061	int len;
1062	OCSP_REQUEST *req = NULL;
1063	char inbuf[2048], reqbuf[2048];
1064	char p, q;
1065	BIO cbio = NULL, getbio = NULL, *b64 = NULL;
1066
1067	if (BIO_do_accept(acbio) <= 0) {
1068	BIO_printf(bio_err, "Error accepting connection\n");
1069	ERR_print_errors(bio_err);
1070	return 0;
1071	}
1072
1073	cbio = BIO_pop(acbio);
1074	*pcbio = cbio;
1075
1076	/* Read the request line. */
1077	len = BIO_gets(cbio, reqbuf, sizeof reqbuf);
1078	if (len <= 0)
1079	return 1;
1080	if (strncmp(reqbuf, "GET ", 4) == 0) {
1081	/* Expecting GET {sp} /URL {sp} HTTP/1.x */
1082	for (p = reqbuf + 4; *p == ' '; ++p)
1083	continue;
1084	if (*p != '/') {
1085	BIO_printf(bio_err, "Invalid request -- bad URL\n");
1086	return 1;
1087	}
1088	p++;
1089
1090	/* Splice off the HTTP version identifier. */
1091	for (q = p; *q; q++)
1092	if (*q == ' ')
1093	break;
1094	if (strncmp(q, " HTTP/1.", 8) != 0) {
1095	BIO_printf(bio_err, "Invalid request -- bad HTTP vesion\n");
1096	return 1;
1097	}
1098	*q = '\0';
1099	len = urldecode(p);
1100	if (len <= 0) {
1101	BIO_printf(bio_err, "Invalid request -- bad URL encoding\n");
1102	return 1;
1103	}
1104	if ((getbio = BIO_new_mem_buf(p, len)) == NULL
1105	\|\| (b64 = BIO_new(BIO_f_base64())) == NULL) {
1106	BIO_printf(bio_err, "Could not allocate memory\n");
1107	ERR_print_errors(bio_err);
1108	return 1;
1109	}
1110	BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
1111	getbio = BIO_push(b64, getbio);
1112	} else if (strncmp(reqbuf, "POST ", 5) != 0) {
1113	BIO_printf(bio_err, "Invalid request -- bad HTTP verb\n");
1114	return 1;
1115	}
1116
1117	/* Read and skip past the headers. */
1118	for (;;) {
1119	len = BIO_gets(cbio, inbuf, sizeof inbuf);
1120	if (len <= 0)
1121	return 1;
1122	if ((inbuf[0] == '\r') \|\| (inbuf[0] == '\n'))
1123	break;
1124	}
1125
1126	/* Try to read OCSP request */
1127	if (getbio) {
1128	req = d2i_OCSP_REQUEST_bio(getbio, NULL);
1129	BIO_free_all(getbio);
1130	} else
1131	req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1132
1133	if (!req) {
1134	BIO_printf(bio_err, "Error parsing OCSP request\n");
1135	ERR_print_errors(bio_err);
1136	}
1137
1138	*preq = req;
1139
1140	return 1;
1141	# endif
1142	}
1143
1144	static int send_ocsp_response(BIO cbio, OCSP_RESPONSE resp)
1145	{
1146	char http_resp[] =
1147	"HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1148	"Content-Length: %d\r\n\r\n";
1149	if (!cbio)
1150	return 0;
1151	BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1152	i2d_OCSP_RESPONSE_bio(cbio, resp);
1153	(void)BIO_flush(cbio);
1154	return 1;
1155	}
1156
1157	# ifndef OPENSSL_NO_SOCK
1158	static OCSP_RESPONSE query_responder(BIO cbio, const char *host,
1159	const char *path,
1160	const STACK_OF(CONF_VALUE) *headers,
1161	OCSP_REQUEST *req, int req_timeout)
1162	{
1163	int fd;
1164	int rv;
1165	int i;
1166	int add_host = 1;
1167	OCSP_REQ_CTX *ctx = NULL;
1168	OCSP_RESPONSE *rsp = NULL;
1169	fd_set confds;
1170	struct timeval tv;
1171
1172	if (req_timeout != -1)
1173	BIO_set_nbio(cbio, 1);
1174
1175	rv = BIO_do_connect(cbio);
1176
1177	if ((rv <= 0) && ((req_timeout == -1) \|\| !BIO_should_retry(cbio))) {
1178	BIO_puts(bio_err, "Error connecting BIO\n");
1179	return NULL;
1180	}
1181
1182	if (BIO_get_fd(cbio, &fd) < 0) {
1183	BIO_puts(bio_err, "Can't get connection fd\n");
1184	goto err;
1185	}
1186
1187	if (req_timeout != -1 && rv <= 0) {
1188	FD_ZERO(&confds);
1189	openssl_fdset(fd, &confds);
1190	tv.tv_usec = 0;
1191	tv.tv_sec = req_timeout;
1192	rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1193	if (rv == 0) {
1194	BIO_puts(bio_err, "Timeout on connect\n");
1195	return NULL;
1196	}
1197	}
1198
1199	ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
1200	if (ctx == NULL)
1201	return NULL;
1202
1203	for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
1204	CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
1205	if (add_host == 1 && strcasecmp("host", hdr->name) == 0)
1206	add_host = 0;
1207	if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
1208	goto err;
1209	}
1210
1211	if (add_host == 1 && OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0)
1212	goto err;
1213
1214	if (!OCSP_REQ_CTX_set1_req(ctx, req))
1215	goto err;
1216
1217	for (;;) {
1218	rv = OCSP_sendreq_nbio(&rsp, ctx);
1219	if (rv != -1)
1220	break;
1221	if (req_timeout == -1)
1222	continue;
1223	FD_ZERO(&confds);
1224	openssl_fdset(fd, &confds);
1225	tv.tv_usec = 0;
1226	tv.tv_sec = req_timeout;
1227	if (BIO_should_read(cbio))
1228	rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
1229	else if (BIO_should_write(cbio))
1230	rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1231	else {
1232	BIO_puts(bio_err, "Unexpected retry condition\n");
1233	goto err;
1234	}
1235	if (rv == 0) {
1236	BIO_puts(bio_err, "Timeout on request\n");
1237	break;
1238	}
1239	if (rv == -1) {
1240	BIO_puts(bio_err, "Select error\n");
1241	break;
1242	}
1243
1244	}
1245	err:
1246	OCSP_REQ_CTX_free(ctx);
1247
1248	return rsp;
1249	}
1250
1251	OCSP_RESPONSE process_responder(OCSP_REQUEST req,
1252	const char host, const char path,
1253	const char *port, int use_ssl,
1254	STACK_OF(CONF_VALUE) *headers,
1255	int req_timeout)
1256	{
1257	BIO *cbio = NULL;
1258	SSL_CTX *ctx = NULL;
1259	OCSP_RESPONSE *resp = NULL;
1260
1261	cbio = BIO_new_connect(host);
1262	if (!cbio) {
1263	BIO_printf(bio_err, "Error creating connect BIO\n");
1264	goto end;
1265	}
1266	if (port)
1267	BIO_set_conn_port(cbio, port);
1268	if (use_ssl == 1) {
1269	BIO *sbio;
1270	ctx = SSL_CTX_new(TLS_client_method());
1271	if (ctx == NULL) {
1272	BIO_printf(bio_err, "Error creating SSL context.\n");
1273	goto end;
1274	}
1275	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1276	sbio = BIO_new_ssl(ctx, 1);
1277	cbio = BIO_push(sbio, cbio);
1278	}
1279
1280	resp = query_responder(cbio, host, path, headers, req, req_timeout);
1281	if (!resp)
1282	BIO_printf(bio_err, "Error querying OCSP responder\n");
1283	end:
1284	BIO_free_all(cbio);
1285	SSL_CTX_free(ctx);
1286	return resp;
1287	}
1288	# endif
1289
1290	#endif

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: EcnlProtoTool/trunk/openssl-1.1.0e/apps/ocsp.c@ 331

Download in other formats: