-rw-r--r-- | lib/libssl/src/crypto/ocsp/ocsp.h | 357 | ||||
-rw-r--r-- | lib/libssl/src/crypto/ocsp/ocsp_cl.c | 315 | ||||
-rw-r--r-- | lib/libssl/src/crypto/ocsp/ocsp_ext.c | 655 | ||||
-rw-r--r-- | lib/libssl/src/crypto/ocsp/ocsp_ht.c | 275 | ||||
-rw-r--r-- | lib/libssl/src/crypto/ocsp/ocsp_lib.c | 170 | ||||
-rw-r--r-- | lib/libssl/src/crypto/ocsp/ocsp_prn.c | 278 | ||||
-rw-r--r-- | lib/libssl/src/crypto/ocsp/ocsp_srv.c | 199 | ||||
-rw-r--r-- | lib/libssl/src/crypto/ocsp/ocsp_vfy.c | 357 |
8 files changed, 1332 insertions, 1274 deletions
diff --git a/lib/libssl/src/crypto/ocsp/ocsp.h b/lib/libssl/src/crypto/ocsp/ocsp.h
index 31e45744bac..9401f7db2f4 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp.h
+++ b/lib/libssl/src/crypto/ocsp/ocsp.h
@@ -96,13 +96,12 @@ extern "C" {
 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
 * serialNumber CertificateSerialNumber }
 */
-typedef struct ocsp_cert_id_st
- {
+typedef struct ocsp_cert_id_st {
 X509_ALGOR *hashAlgorithm;
 ASN1_OCTET_STRING *issuerNameHash;
 ASN1_OCTET_STRING *issuerKeyHash;
 ASN1_INTEGER *serialNumber;
- } OCSP_CERTID;
+} OCSP_CERTID;
 DECLARE_STACK_OF(OCSP_CERTID)
@@ -110,11 +109,10 @@ DECLARE_STACK_OF(OCSP_CERTID)
 * reqCert CertID,
 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_one_request_st
- {
+typedef struct ocsp_one_request_st {
 OCSP_CERTID *reqCert;
 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
- } OCSP_ONEREQ;
+} OCSP_ONEREQ;
 DECLARE_STACK_OF(OCSP_ONEREQ)
 DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
@@ -126,35 +124,32 @@ DECLARE_ASN1_SET_OF(OCSP_ONEREQ) * requestList SEQUENCE OF Request, * requestExtensions [2] EXPLICIT Extensions OPTIONAL } */ -typedef struct ocsp_req_info_st - { +typedef struct ocsp_req_info_st { ASN1_INTEGER *version; GENERAL_NAME *requestorName; STACK_OF(OCSP_ONEREQ) *requestList; STACK_OF(X509_EXTENSION) *requestExtensions; - } OCSP_REQINFO; +} OCSP_REQINFO; /* Signature ::= SEQUENCE { * signatureAlgorithm AlgorithmIdentifier, * signature BIT STRING, * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } */ -typedef struct ocsp_signature_st - { +typedef struct ocsp_signature_st { X509_ALGOR *signatureAlgorithm; ASN1_BIT_STRING *signature; STACK_OF(X509) *certs; - } OCSP_SIGNATURE; +} OCSP_SIGNATURE; /* OCSPRequest ::= SEQUENCE { * tbsRequest TBSRequest, * optionalSignature [0] EXPLICIT Signature OPTIONAL } */ -typedef struct ocsp_request_st - { +typedef struct ocsp_request_st { OCSP_REQINFO *tbsRequest; OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */ - } OCSP_REQUEST; +} OCSP_REQUEST; /* OCSPResponseStatus ::= ENUMERATED { * successful (0), --Response has valid confirmations 
@@ -166,32 +161,30 @@ typedef struct ocsp_request_st * unauthorized (6) --Request unauthorized * } */ -#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 -#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1 -#define OCSP_RESPONSE_STATUS_INTERNALERROR 2 -#define OCSP_RESPONSE_STATUS_TRYLATER 3 -#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5 -#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6 +#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 +#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1 +#define OCSP_RESPONSE_STATUS_INTERNALERROR 2 +#define OCSP_RESPONSE_STATUS_TRYLATER 3 +#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5 +#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6 /* ResponseBytes ::= SEQUENCE { * responseType OBJECT IDENTIFIER, * response OCTET STRING } */ -typedef struct ocsp_resp_bytes_st - { +typedef struct ocsp_resp_bytes_st { ASN1_OBJECT *responseType; ASN1_OCTET_STRING *response; - } OCSP_RESPBYTES; +} OCSP_RESPBYTES; /* OCSPResponse ::= SEQUENCE { * responseStatus OCSPResponseStatus, * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } */ -struct ocsp_response_st - { +struct ocsp_response_st { ASN1_ENUMERATED *responseStatus; OCSP_RESPBYTES *responseBytes; - }; +}; /* ResponderID ::= CHOICE { * byName [1] Name, @@ -199,14 +192,13 @@ struct ocsp_response_st */ #define V_OCSP_RESPID_NAME 0 #define V_OCSP_RESPID_KEY 1 -struct ocsp_responder_id_st - { +struct ocsp_responder_id_st { int type; - union { + union { X509_NAME* byName; - ASN1_OCTET_STRING *byKey; - } value; - }; + ASN1_OCTET_STRING *byKey; + } value; +}; DECLARE_STACK_OF(OCSP_RESPID) DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) @@ -219,11 +211,10 @@ DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) * revocationTime GeneralizedTime, * revocationReason [0] EXPLICIT CRLReason OPTIONAL } */ -typedef struct ocsp_revoked_info_st - { +typedef struct ocsp_revoked_info_st { ASN1_GENERALIZEDTIME *revocationTime; ASN1_ENUMERATED *revocationReason; - } OCSP_REVOKEDINFO; +} OCSP_REVOKEDINFO; /* CertStatus ::= CHOICE { * good [0] IMPLICIT NULL, 
@@ -233,15 +224,14 @@ typedef struct ocsp_revoked_info_st #define V_OCSP_CERTSTATUS_GOOD 0 #define V_OCSP_CERTSTATUS_REVOKED 1 #define V_OCSP_CERTSTATUS_UNKNOWN 2 -typedef struct ocsp_cert_status_st - { +typedef struct ocsp_cert_status_st { int type; - union { + union { ASN1_NULL *good; OCSP_REVOKEDINFO *revoked; ASN1_NULL *unknown; - } value; - } OCSP_CERTSTATUS; + } value; +} OCSP_CERTSTATUS; /* SingleResponse ::= SEQUENCE { * certID CertID, @@ -250,14 +240,13 @@ typedef struct ocsp_cert_status_st * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, * singleExtensions [1] EXPLICIT Extensions OPTIONAL } */ -typedef struct ocsp_single_response_st - { +typedef struct ocsp_single_response_st { OCSP_CERTID *certId; OCSP_CERTSTATUS *certStatus; ASN1_GENERALIZEDTIME *thisUpdate; ASN1_GENERALIZEDTIME *nextUpdate; STACK_OF(X509_EXTENSION) *singleExtensions; - } OCSP_SINGLERESP; +} OCSP_SINGLERESP; DECLARE_STACK_OF(OCSP_SINGLERESP) DECLARE_ASN1_SET_OF(OCSP_SINGLERESP) @@ -269,14 +258,13 @@ DECLARE_ASN1_SET_OF(OCSP_SINGLERESP) * responses SEQUENCE OF SingleResponse, * responseExtensions [1] EXPLICIT Extensions OPTIONAL } */ -typedef struct ocsp_response_data_st - { +typedef struct ocsp_response_data_st { ASN1_INTEGER *version; OCSP_RESPID *responderId; ASN1_GENERALIZEDTIME *producedAt; STACK_OF(OCSP_SINGLERESP) *responses; STACK_OF(X509_EXTENSION) *responseExtensions; - } OCSP_RESPDATA; +} OCSP_RESPDATA; /* BasicOCSPResponse ::= SEQUENCE { * tbsResponseData ResponseData, 
@@ -300,13 +288,12 @@ typedef struct ocsp_response_data_st that it doesn't do the double hashing that the RFC seems to say one should. Therefore, all relevant functions take a flag saying which variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */ -typedef struct ocsp_basic_response_st - { +typedef struct ocsp_basic_response_st { OCSP_RESPDATA *tbsResponseData; X509_ALGOR *signatureAlgorithm; ASN1_BIT_STRING *signature; STACK_OF(X509) *certs; - } OCSP_BASICRESP; +} OCSP_BASICRESP; /* * CRLReason ::= ENUMERATED { 
@@ -319,164 +306,159 @@ typedef struct ocsp_basic_response_st * certificateHold (6), * removeFromCRL (8) } */ -#define OCSP_REVOKED_STATUS_NOSTATUS -1 -#define OCSP_REVOKED_STATUS_UNSPECIFIED 0 -#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1 -#define OCSP_REVOKED_STATUS_CACOMPROMISE 2 -#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3 -#define OCSP_REVOKED_STATUS_SUPERSEDED 4 -#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5 -#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 -#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 +#define OCSP_REVOKED_STATUS_NOSTATUS -1 +#define OCSP_REVOKED_STATUS_UNSPECIFIED 0 +#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1 +#define OCSP_REVOKED_STATUS_CACOMPROMISE 2 +#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3 +#define OCSP_REVOKED_STATUS_SUPERSEDED 4 +#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5 +#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 +#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 /* CrlID ::= SEQUENCE { * crlUrl [0] EXPLICIT IA5String OPTIONAL, * crlNum [1] EXPLICIT INTEGER OPTIONAL, * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } */ -typedef struct ocsp_crl_id_st - { +typedef struct ocsp_crl_id_st { ASN1_IA5STRING *crlUrl; ASN1_INTEGER *crlNum; ASN1_GENERALIZEDTIME *crlTime; - } OCSP_CRLID; +} OCSP_CRLID; /* ServiceLocator ::= SEQUENCE { * issuer Name, * locator AuthorityInfoAccessSyntax OPTIONAL } */ -typedef struct ocsp_service_locator_st - { +typedef struct ocsp_service_locator_st { X509_NAME* issuer; STACK_OF(ACCESS_DESCRIPTION) *locator; - } OCSP_SERVICELOC; +} OCSP_SERVICELOC; #define PEM_STRING_OCSP_REQUEST "OCSP REQUEST" #define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE" -#define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p) +#define d2i_OCSP_REQUEST_bio(bp,p) \ + ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p) -#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p) +#define 
d2i_OCSP_RESPONSE_bio(bp,p) \ + ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p) -#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \ - (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL) +#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) \ + (OCSP_REQUEST *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_REQUEST, \ + PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL) -#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\ - (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL) +#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) \ + (OCSP_RESPONSE *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_RESPONSE, \ + PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL) #define PEM_write_bio_OCSP_REQUEST(bp,o) \ PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\ - bp,(char *)o, NULL,NULL,0,NULL,NULL) + bp,(char *)o, NULL,NULL,0,NULL,NULL) #define PEM_write_bio_OCSP_RESPONSE(bp,o) \ PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\ - bp,(char *)o, NULL,NULL,0,NULL,NULL) + bp,(char *)o, NULL,NULL,0,NULL,NULL) -#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o) +#define i2d_OCSP_RESPONSE_bio(bp,o) \ + ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o) -#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o) +#define i2d_OCSP_REQUEST_bio(bp,o) \ + ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o) #define OCSP_REQUEST_sign(o,pkey,md) \ - ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\ - o->optionalSignature->signatureAlgorithm,NULL,\ - o->optionalSignature->signature,o->tbsRequest,pkey,md) + ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO), \ + o->optionalSignature->signatureAlgorithm,NULL, \ + o->optionalSignature->signature,o->tbsRequest,pkey,md) #define OCSP_BASICRESP_sign(o,pkey,md,d) \ - ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\ - 
o->signature,o->tbsResponseData,pkey,md) + ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL, \ + o->signature,o->tbsResponseData,pkey,md) -#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\ - a->optionalSignature->signatureAlgorithm,\ +#define OCSP_REQUEST_verify(a,r) \ + ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO), \ + a->optionalSignature->signatureAlgorithm, \ a->optionalSignature->signature,a->tbsRequest,r) -#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\ +#define OCSP_BASICRESP_verify(a,r,d) \ + ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA), \ a->signatureAlgorithm,a->signature,a->tbsResponseData,r) #define ASN1_BIT_STRING_digest(data,type,md,len) \ - ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len) + ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len) #define OCSP_CERTSTATUS_dup(cs)\ - (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\ - (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs)) + (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\ + (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs)) OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id); OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req); OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, - int maxline); -int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); -void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); -int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); -int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, - const char *name, const char *value); + int maxline); +int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); +void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); +int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); +int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, + const char *value); OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); -OCSP_CERTID 
*OCSP_cert_id_new(const EVP_MD *dgst, - X509_NAME *issuerName, - ASN1_BIT_STRING* issuerKey, - ASN1_INTEGER *serialNumber); +OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName, + ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber); OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid); -int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len); -int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len); -int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs); -int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req); +int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len); +int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len); +int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs); +int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req); -int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm); -int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert); +int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm); +int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert); -int OCSP_request_sign(OCSP_REQUEST *req, - X509 *signer, - EVP_PKEY *key, - const EVP_MD *dgst, - STACK_OF(X509) *certs, - unsigned long flags); +int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, + const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags); -int OCSP_response_status(OCSP_RESPONSE *resp); +int OCSP_response_status(OCSP_RESPONSE *resp); OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); -int OCSP_resp_count(OCSP_BASICRESP *bs); +int OCSP_resp_count(OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); -int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); -int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, - ASN1_GENERALIZEDTIME **revtime, - ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd); -int 
OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, - int *reason, - ASN1_GENERALIZEDTIME **revtime, - ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd); -int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, - ASN1_GENERALIZEDTIME *nextupd, - long sec, long maxsec); - -int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags); - -int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl); - -int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b); -int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b); - -int OCSP_request_onereq_count(OCSP_REQUEST *req); +int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); +int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, + ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, + ASN1_GENERALIZEDTIME **nextupd); +int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, + int *reason, ASN1_GENERALIZEDTIME **revtime, + ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd); +int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, + ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); + +int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, + X509_STORE *store, unsigned long flags); + +int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, + int *pssl); + +int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b); +int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b); + +int OCSP_request_onereq_count(OCSP_REQUEST *req); OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i); OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one); -int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, - ASN1_OCTET_STRING **pikeyHash, - ASN1_INTEGER **pserial, OCSP_CERTID *cid); -int OCSP_request_is_signed(OCSP_REQUEST *req); +int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, + ASN1_OCTET_STRING **pikeyHash, 
ASN1_INTEGER **pserial, + OCSP_CERTID *cid); +int OCSP_request_is_signed(OCSP_REQUEST *req); OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); -OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, - OCSP_CERTID *cid, - int status, int reason, - ASN1_TIME *revtime, - ASN1_TIME *thisupd, ASN1_TIME *nextupd); -int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert); -int OCSP_basic_sign(OCSP_BASICRESP *brsp, - X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags); +OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, + int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, + ASN1_TIME *nextupd); +int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert); +int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, + const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags); X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim); 
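Review bot: The re-wrapped `PEM_read_bio_OCSP_REQUEST`, `PEM_read_bio_OCSP_RESPONSE` and `PEM_write_bio_*` macros still call `PEM_ASN1_read_bio`/`PEM_ASN1_write_bio` through `(char *(*)())d2i_*` and `(int (*)())i2d_*` casts, so the decoder and encoder are invoked through an incompatible function-pointer type and the compiler cannot check the call. Since this commit already rewrites each of those lines, it is the natural moment to replace the four macros with `DECLARE_PEM_rw(OCSP_REQUEST, OCSP_REQUEST)` and `DECLARE_PEM_rw(OCSP_RESPONSE, OCSP_RESPONSE)` from pem.h (with the matching `IMPLEMENT_PEM_rw` in a .c file), which yields type-checked wrappers under the same names. The same casts survive in `OCSP_CERTSTATUS_dup`, which could become `ASN1_item_dup(ASN1_ITEM_rptr(OCSP_CERTSTATUS), cs)`.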
@@ -486,49 +468,60 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char* tim); X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls); -int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x); -int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos); -int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos); -int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos); +int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x); +int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos); +int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, + int lastpos); +int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, + int lastpos); X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc); X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc); void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx); -int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit, - unsigned long flags); -int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc); - -int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x); -int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos); -int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos); -int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos); +int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, + int crit, unsigned long flags); +int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc); + +int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x); +int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos); +int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, + int lastpos); +int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos); X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc); X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc); void 
*OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx); -int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, - unsigned long flags); -int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc); - -int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x); -int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos); -int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos); -int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos); +int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, + unsigned long flags); +int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc); + +int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x); +int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos); +int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, + int lastpos); +int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, + int lastpos); X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc); X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc); -void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx); -int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit, - unsigned long flags); -int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc); - -int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x); -int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos); -int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos); -int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos); +void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, + int *idx); +int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, + int crit, unsigned long flags); +int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, 
X509_EXTENSION *ex, int loc); + +int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x); +int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, + int lastpos); +int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, + int lastpos); +int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, + int lastpos); X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc); X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc); -void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx); -int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit, - unsigned long flags); -int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc); +void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, + int *idx); +int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, + int crit, unsigned long flags); +int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, + int loc); DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP) DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS) @@ -550,11 +543,11 @@ const char *OCSP_response_status_str(long s); const char *OCSP_cert_status_str(long s); const char *OCSP_crl_reason_str(long s); -int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags); -int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags); +int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags); +int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags); -int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags); +int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags); /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes 
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_cl.c b/lib/libssl/src/crypto/ocsp/ocsp_cl.c
index 9c14d9da273..716513d2f99 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_cl.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_cl.c
@@ -78,229 +78,241 @@ /* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ * pointer: useful if we want to add extensions. */ - -OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) - { +OCSP_ONEREQ * +OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) +{ OCSP_ONEREQ *one = NULL; - if (!(one = OCSP_ONEREQ_new())) goto err; - if (one->reqCert) OCSP_CERTID_free(one->reqCert); + if (!(one = OCSP_ONEREQ_new())) + goto err; + if (one->reqCert) + OCSP_CERTID_free(one->reqCert); one->reqCert = cid; - if (req && - !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) - goto err; + if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) + goto err; return one; err: OCSP_ONEREQ_free(one); return NULL; - } +} /* Set requestorName from an X509_NAME structure */ - -int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm) - { +int +OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm) +{ GENERAL_NAME *gen; + gen = GENERAL_NAME_new(); if (gen == NULL) return 0; - if (!X509_NAME_set(&gen->d.directoryName, nm)) - { + if (!X509_NAME_set(&gen->d.directoryName, nm)) { GENERAL_NAME_free(gen); return 0; - } + } gen->type = GEN_DIRNAME; if (req->tbsRequest->requestorName) GENERAL_NAME_free(req->tbsRequest->requestorName); req->tbsRequest->requestorName = gen; return 1; - } +} - /* Add a certificate to an OCSP request */ - -int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) - { +int +OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) +{ OCSP_SIGNATURE *sig; + if (!req->optionalSignature) req->optionalSignature = OCSP_SIGNATURE_new(); sig = req->optionalSignature; - if (!sig) return 0; - if (!cert) return 1; + if (!sig) + return 0; + if (!cert) + return 1; if (!sig->certs && !(sig->certs = sk_X509_new_null())) return 0; - if(!sk_X509_push(sig->certs, cert)) return 0; + if(!sk_X509_push(sig->certs, cert)) + return 0; CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); return 1; - } +} /* Sign an OCSP request set the 
requestorName to the subjec * name of an optional signers certificate and include one * or more optional certificates in the request. Behaves * like PKCS7_sign(). */ - -int OCSP_request_sign(OCSP_REQUEST *req, - X509 *signer, - EVP_PKEY *key, - const EVP_MD *dgst, - STACK_OF(X509) *certs, - unsigned long flags) - { +int +OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, + const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags) +{ int i; OCSP_SIGNATURE *sig; X509 *x; if (!OCSP_request_set1_name(req, X509_get_subject_name(signer))) + goto err; + + if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) + goto err; + if (key) { + if (!X509_check_private_key(signer, key)) { + OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, + OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); goto err; - - if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err; - if (key) - { - if (!X509_check_private_key(signer, key)) - { - OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); - goto err; - } - if (!OCSP_REQUEST_sign(req, key, dgst)) goto err; } + if (!OCSP_REQUEST_sign(req, key, dgst)) + goto err; + } - if (!(flags & OCSP_NOCERTS)) - { - if(!OCSP_request_add1_cert(req, signer)) goto err; - for (i = 0; i < sk_X509_num(certs); i++) - { + if (!(flags & OCSP_NOCERTS)) { + if(!OCSP_request_add1_cert(req, signer)) + goto err; + for (i = 0; i < sk_X509_num(certs); i++) { x = sk_X509_value(certs, i); - if (!OCSP_request_add1_cert(req, x)) goto err; - } + if (!OCSP_request_add1_cert(req, x)) + goto err; } + } return 1; err: OCSP_SIGNATURE_free(req->optionalSignature); req->optionalSignature = NULL; return 0; - } +} /* Get response status */ - -int OCSP_response_status(OCSP_RESPONSE *resp) - { +int +OCSP_response_status(OCSP_RESPONSE *resp) +{ return ASN1_ENUMERATED_get(resp->responseStatus); - } +} /* Extract basic response from OCSP_RESPONSE or NULL if * no basic response present. 
*/ - - -OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp) - { +OCSP_BASICRESP * +OCSP_response_get1_basic(OCSP_RESPONSE *resp) +{ OCSP_RESPBYTES *rb; + rb = resp->responseBytes; - if (!rb) - { - OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA); + if (!rb) { + OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, + OCSP_R_NO_RESPONSE_DATA); return NULL; - } - if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) - { - OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE); + } + if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) { + OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, + OCSP_R_NOT_BASIC_RESPONSE); return NULL; - } + } return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP)); - } +} /* Return number of OCSP_SINGLERESP reponses present in * a basic response. */ - -int OCSP_resp_count(OCSP_BASICRESP *bs) - { - if (!bs) return -1; +int +OCSP_resp_count(OCSP_BASICRESP *bs) +{ + if (!bs) + return -1; return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses); - } +} /* Extract an OCSP_SINGLERESP response with a given index */ - -OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx) - { - if (!bs) return NULL; +OCSP_SINGLERESP * +OCSP_resp_get0(OCSP_BASICRESP *bs, int idx) +{ + if (!bs) + return NULL; return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx); - } +} /* Look single response matching a given certificate ID */ - -int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last) - { +int +OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last) +{ int i; STACK_OF(OCSP_SINGLERESP) *sresp; OCSP_SINGLERESP *single; - if (!bs) return -1; - if (last < 0) last = 0; - else last++; + + if (!bs) + return -1; + if (last < 0) + last = 0; + else + last++; sresp = bs->tbsResponseData->responses; - for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) - { + for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) { single = sk_OCSP_SINGLERESP_value(sresp, i); - if (!OCSP_id_cmp(id, 
single->certId)) return i; - } - return -1; + if (!OCSP_id_cmp(id, single->certId)) + return i; } + return -1; +} /* Extract status information from an OCSP_SINGLERESP structure. * Note: the revtime and reason values are only set if the * certificate status is revoked. Returns numerical value of * status. */ - -int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, - ASN1_GENERALIZEDTIME **revtime, - ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd) - { +int +OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, + ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, + ASN1_GENERALIZEDTIME **nextupd) +{ int ret; OCSP_CERTSTATUS *cst; - if(!single) return -1; + + if (!single) + return -1; cst = single->certStatus; ret = cst->type; - if (ret == V_OCSP_CERTSTATUS_REVOKED) - { + if (ret == V_OCSP_CERTSTATUS_REVOKED) { OCSP_REVOKEDINFO *rev = cst->value.revoked; - if (revtime) *revtime = rev->revocationTime; - if (reason) - { - if(rev->revocationReason) + + if (revtime) + *revtime = rev->revocationTime; + if (reason) { + if (rev->revocationReason) *reason = ASN1_ENUMERATED_get(rev->revocationReason); - else *reason = -1; - } + else + *reason = -1; } - if(thisupd) *thisupd = single->thisUpdate; - if(nextupd) *nextupd = single->nextUpdate; - return ret; } + if (thisupd) + *thisupd = single->thisUpdate; + if (nextupd) + *nextupd = single->nextUpdate; + return ret; +} /* This function combines the previous ones: look up a certificate ID and * if found extract status information. Return 0 is successful. 
*/ - -int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, - int *reason, - ASN1_GENERALIZEDTIME **revtime, - ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd) - { +int +OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, + int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd, + ASN1_GENERALIZEDTIME **nextupd) +{ int i; OCSP_SINGLERESP *single; + i = OCSP_resp_find(bs, id, -1); /* Maybe check for multiple responses and give an error? */ - if(i < 0) return 0; + if (i < 0) + return 0; single = OCSP_resp_get0(bs, i); i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd); - if(status) *status = i; + if (status) + *status = i; return 1; - } +} /* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid 
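Review bot: In `OCSP_request_sign`, the reformatted line `if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))` still overwrites any `optionalSignature` the request already carries (for example one created by an earlier `OCSP_request_add1_cert` call on the same request) without freeing it, and `sig` is never read afterwards, so it is a dead store that current compilers warn about. Dropping `sig` and releasing the old object first, `OCSP_SIGNATURE_free(req->optionalSignature); if (!(req->optionalSignature = OCSP_SIGNATURE_new())) goto err;`, keeps the interface and removes both issues. Two `if(` without the KNF space also survived the pass: `if(!sk_X509_push(sig->certs, cert))` in `OCSP_request_add1_cert` and `if(!OCSP_request_add1_cert(req, signer))` in `OCSP_request_sign`.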
@@ -308,64 +320,61 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, * Also to avoid accepting very old responses without a nextUpdate field an optional maxage * parameter specifies the maximum age the thisUpdate field can be. */ - -int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec) - { +int +OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, + ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec) +{ int ret = 1; time_t t_now, t_tmp; + time(&t_now); /* Check thisUpdate is valid and not more than nsec in the future */ - if (!ASN1_GENERALIZEDTIME_check(thisupd)) - { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD); + if (!ASN1_GENERALIZEDTIME_check(thisupd)) { + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, + OCSP_R_ERROR_IN_THISUPDATE_FIELD); ret = 0; - } - else - { - t_tmp = t_now + nsec; - if (X509_cmp_time(thisupd, &t_tmp) > 0) - { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID); + } else { + t_tmp = t_now + nsec; + if (X509_cmp_time(thisupd, &t_tmp) > 0) { + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, + OCSP_R_STATUS_NOT_YET_VALID); ret = 0; - } + } /* If maxsec specified check thisUpdate is not more than maxsec in the past */ - if (maxsec >= 0) - { + if (maxsec >= 0) { t_tmp = t_now - maxsec; - if (X509_cmp_time(thisupd, &t_tmp) < 0) - { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD); + if (X509_cmp_time(thisupd, &t_tmp) < 0) { + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, + OCSP_R_STATUS_TOO_OLD); ret = 0; - } } } - + } - if (!nextupd) return ret; + if (!nextupd) + return ret; /* Check nextUpdate is valid and not more than nsec in the past */ - if (!ASN1_GENERALIZEDTIME_check(nextupd)) - { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); + if (!ASN1_GENERALIZEDTIME_check(nextupd)) { + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, + OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); ret = 0; - } - else - { + } else { t_tmp = t_now - nsec; - if 
(X509_cmp_time(nextupd, &t_tmp) < 0) - { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED); + if (X509_cmp_time(nextupd, &t_tmp) < 0) { + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, + OCSP_R_STATUS_EXPIRED); ret = 0; - } } + } /* Also don't allow nextUpdate to precede thisUpdate */ - if (ASN1_STRING_cmp(nextupd, thisupd) < 0) - { - OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE); + if (ASN1_STRING_cmp(nextupd, thisupd) < 0) { + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, + OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE); ret = 0; - } + } return ret; - } +} diff --git a/lib/libssl/src/crypto/ocsp/ocsp_ext.c b/lib/libssl/src/crypto/ocsp/ocsp_ext.c index 9c7832b3011..6ec8ca4adf6 100644 --- a/lib/libssl/src/crypto/ocsp/ocsp_ext.c +++ b/lib/libssl/src/crypto/ocsp/ocsp_ext.c 
@@ -73,238 +73,285 @@ /* OCSP request extensions */ -int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x) - { - return(X509v3_get_ext_count(x->tbsRequest->requestExtensions)); - } - -int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos) - { - return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos)); - } - -int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos) - { - return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos)); - } - -int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos) - { - return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos)); - } - -X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc) - { - return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc)); - } - -X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc) - { - return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc)); - } - -void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx) - { +int +OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x) +{ + return X509v3_get_ext_count(x->tbsRequest->requestExtensions); +} + +int +OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos) +{ + return X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions, nid, + lastpos); +} + +int +OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos) +{ + return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj, + lastpos); +} + +int +OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos) +{ + return X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions, + crit, lastpos); +} + +X509_EXTENSION * +OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc) +{ + return X509v3_get_ext(x->tbsRequest->requestExtensions, loc); +} + +X509_EXTENSION * +OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc) +{ + return X509v3_delete_ext(x->tbsRequest->requestExtensions, loc); +} + +void * 
+OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx) +{ return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx); - } - -int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit, - unsigned long flags) - { - return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags); - } - -int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc) - { - return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL); - } +} + +int +OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit, + unsigned long flags) +{ + return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, + crit, flags); +} + +int +OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc) +{ + return X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex, loc) != + NULL; +} /* Single extensions */ -int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x) - { - return(X509v3_get_ext_count(x->singleRequestExtensions)); - } - -int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos) - { - return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos)); - } - -int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos) - { - return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos)); - } - -int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos) - { - return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos)); - } - -X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc) - { - return(X509v3_get_ext(x->singleRequestExtensions,loc)); - } - -X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc) - { - return(X509v3_delete_ext(x->singleRequestExtensions,loc)); - } +int +OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x) +{ + return X509v3_get_ext_count(x->singleRequestExtensions); +} + +int +OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos) +{ + return 
X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos); +} + +int +OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos) +{ + return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos); +} + +int +OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos) +{ + return X509v3_get_ext_by_critical(x->singleRequestExtensions, crit, + lastpos); +} + +X509_EXTENSION * +OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc) +{ + return X509v3_get_ext(x->singleRequestExtensions, loc); +} + +X509_EXTENSION * +OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc) +{ + return X509v3_delete_ext(x->singleRequestExtensions, loc); +} void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx) - { +{ return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx); - } - -int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, - unsigned long flags) - { - return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags); - } - -int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc) - { - return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL); - } +} + +int +OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, + unsigned long flags) +{ + return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, + flags); +} + +int +OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc) +{ + return X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL; +} /* OCSP Basic response */ -int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x) - { - return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions)); - } - -int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos) - { - return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos)); - } - -int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos) - { - 
return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos)); - } - -int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos) - { - return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos)); - } - -X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc) - { - return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc)); - } - -X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc) - { - return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc)); - } - -void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx) - { - return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx); - } - -int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit, - unsigned long flags) - { - return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags); - } - -int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc) - { - return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL); - } +int +OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x) +{ + return X509v3_get_ext_count(x->tbsResponseData->responseExtensions); +} + +int +OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos) +{ + return X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions, + nid ,lastpos); +} + +int +OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos) +{ + return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions, + obj, lastpos); +} + +int +OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos) +{ + return X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions, + crit, lastpos); +} + +X509_EXTENSION * +OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc) +{ + return X509v3_get_ext(x->tbsResponseData->responseExtensions, loc); +} + +X509_EXTENSION * 
+OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc) +{ + return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc); +} + +void * +OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx) +{ + return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, + crit, idx); +} + +int +OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit, + unsigned long flags) +{ + return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, + value, crit, flags); +} + +int +OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc) +{ + return X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex, + loc) != NULL; +} /* OCSP single response extensions */ -int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x) - { - return(X509v3_get_ext_count(x->singleExtensions)); - } - -int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos) - { - return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos)); - } - -int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos) - { - return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos)); - } - -int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos) - { - return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos)); - } - -X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc) - { - return(X509v3_get_ext(x->singleExtensions,loc)); - } - -X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc) - { - return(X509v3_delete_ext(x->singleExtensions,loc)); - } - -void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx) - { +int +OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x) +{ + return X509v3_get_ext_count(x->singleExtensions); +} + +int +OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos) +{ + return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos); +} + +int 
+OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, + int lastpos) +{ + return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos); +} + +int +OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos) +{ + return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos); +} + +X509_EXTENSION * +OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc) +{ + return X509v3_get_ext(x->singleExtensions, loc); +} + +X509_EXTENSION * +OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc) +{ + return X509v3_delete_ext(x->singleExtensions, loc); +} + +void * +OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx) +{ return X509V3_get_d2i(x->singleExtensions, nid, crit, idx); - } +} -int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit, - unsigned long flags) - { +int +OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit, + unsigned long flags) +{ return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags); - } +} -int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc) - { - return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL); - } +int +OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc) +{ + return X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL; +} /* also CRL Entry Extensions */ #if 0 -ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, - void *data, STACK_OF(ASN1_OBJECT) *sk) - { +ASN1_STRING * +ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, void *data, + STACK_OF(ASN1_OBJECT) *sk) +{ int i; unsigned char *p, *b = NULL; - if (data) - { - if ((i=i2d(data,NULL)) <= 0) goto err; - if (!(b=p=malloc((unsigned int)i))) + if (data) { + if ((i = i2d(data, NULL)) <= 0) goto err; - if (i2d(data, &p) <= 0) goto err; - } - else if (sk) - { - if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL, - (I2D_OF(ASN1_OBJECT))i2d, - V_ASN1_SEQUENCE, - V_ASN1_UNIVERSAL, - 
IS_SEQUENCE))<=0) goto err; - if (!(b=p=malloc((unsigned int)i))) + if (!(b = p = malloc((unsigned int)i))) + goto err; + if (i2d(data, &p) <= 0) + goto err; + } else if (sk) { + if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL, + (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, + IS_SEQUENCE)) <= 0) + goto err; + if (!(b = p = malloc((unsigned int)i))) goto err; if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,(I2D_OF(ASN1_OBJECT))i2d, - V_ASN1_SEQUENCE, - V_ASN1_UNIVERSAL, - IS_SEQUENCE)<=0) goto err; - } - else - { - OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA); + V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0) + goto err; + } else { + OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA); + goto err; + } + if (!s && !(s = ASN1_STRING_new())) + goto err; + if (!(ASN1_STRING_set(s, b, i))) goto err; - } - if (!s && !(s = ASN1_STRING_new())) goto err; - if (!(ASN1_STRING_set(s, b, i))) goto err; free(b); return s; err: - if (b) free(b); + free(b); return NULL; - } +} #endif /* Nonce handling functions */ @@ -315,16 +362,19 @@ err: * nonce, previous versions used the raw nonce. */ -static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len) - { +static int +ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len) +{ unsigned char *tmpval; ASN1_OCTET_STRING os; int ret = 0; - if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH; + + if (len <= 0) + len = OCSP_DEFAULT_NONCE_LENGTH; /* Create the OCTET STRING manually by writing out the header and * appending the content octets. This avoids an extra memory allocation * operation in some cases. Applications should *NOT* do this because - * it relies on library internals. + * it relies on library internals. */ os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING); os.data = malloc(os.length); 
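Review bot: Two spots in the new accessors escape the KNF pass that is the point of this hunk: `OCSP_BASICRESP_get_ext_by_NID` ends with the comma glued to the wrong token, `nid ,lastpos);`, and `OCSP_ONEREQ_get1_ext_d2i` is the only getter whose return type is still on the signature line (`void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)`) while every neighbour got the `void *` / name split. Change the first to `nid, lastpos);` and put `void *` on its own line above `OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)`. Both are cosmetic, but a style-only commit that leaves two inconsistencies will just attract a follow-up commit.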
@@ -336,30 +386,29 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, memcpy(tmpval, val, len); else RAND_pseudo_bytes(tmpval, len); - if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, - &os, 0, X509V3_ADD_REPLACE)) - goto err; + if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, + X509V3_ADD_REPLACE)) + goto err; ret = 1; - err: - if (os.data) - free(os.data); +err: + free(os.data); return ret; - } - +} /* Add nonce to an OCSP request */ - -int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len) - { +int +OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len) +{ return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len); - } +} /* Same as above but for a response */ - -int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len) - { - return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len); - } +int +OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len) +{ + return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, + len); +} /* Check nonce validity in a request and response. * Return value reflects result: @@ -373,9 +422,9 @@ int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len) * If responder doesn't handle nonces return != 0 may be * necessary. return == 0 is always an error. */ - -int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs) - { +int +OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs) +{ /* * Since we are only interested in the presence or absence of * the nonce and comparing its value there is no need to use 
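Review bot: `RAND_pseudo_bytes(tmpval, len)` in `ocsp_add1_nonce` is still called without checking its return value, so a nonce the generator could not fill, or filled from a non-seeded PRNG, is added to the request as if it were fresh and the caller is told the nonce was added successfully. The nonce is what lets `OCSP_check_nonce` bind a response to this particular request, so it should come from the strong generator and a failure should take the existing error path: `if (RAND_bytes(tmpval, len) <= 0) goto err;`. The line is unchanged context in this hunk and the function begins in the previous hunk, so the commit does not touch it; the `free(os.data)` simplification at `err:` is fine since `free(NULL)` is a no-op.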
@@ -383,136 +432,160 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs) * ASN1_OCTET_STRING structure for the value which would be * freed immediately anyway. */ - int req_idx, resp_idx; X509_EXTENSION *req_ext, *resp_ext; + req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1); resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1); /* Check both absent */ - if((req_idx < 0) && (resp_idx < 0)) + if (req_idx < 0 && resp_idx < 0) return 2; /* Check in request only */ - if((req_idx >= 0) && (resp_idx < 0)) + if (req_idx >= 0 && resp_idx < 0) return -1; /* Check in response but not request */ - if((req_idx < 0) && (resp_idx >= 0)) + if (req_idx < 0 && resp_idx >= 0) return 3; /* Otherwise nonce in request and response so retrieve the extensions */ req_ext = OCSP_REQUEST_get_ext(req, req_idx); resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx); - if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value)) + if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value)) return 0; return 1; - } +} /* Copy the nonce value (if any) from an OCSP request to * a response. 
*/ - -int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req) - { +int +OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req) +{ X509_EXTENSION *req_ext; int req_idx; + /* Check for nonce in request */ req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1); /* If no nonce that's OK */ - if (req_idx < 0) return 2; + if (req_idx < 0) + return 2; req_ext = OCSP_REQUEST_get_ext(req, req_idx); return OCSP_BASICRESP_add_ext(resp, req_ext, -1); - } +} -X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim) - { +X509_EXTENSION * +OCSP_crlID_new(char *url, long *n, char *tim) +{ X509_EXTENSION *x = NULL; OCSP_CRLID *cid = NULL; - if (!(cid = OCSP_CRLID_new())) goto err; - if (url) - { - if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err; - if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err; - } - if (n) - { - if (!(cid->crlNum = ASN1_INTEGER_new())) goto err; - if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err; - } - if (tim) - { - if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err; + if (!(cid = OCSP_CRLID_new())) + goto err; + if (url) { + if (!(cid->crlUrl = ASN1_IA5STRING_new())) + goto err; + if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) + goto err; + } + if (n) { + if (!(cid->crlNum = ASN1_INTEGER_new())) + goto err; + if (!(ASN1_INTEGER_set(cid->crlNum, *n))) + goto err; + } + if (tim) { + if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) + goto err; if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) - goto err; - } + goto err; + } x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid); err: - if (cid) OCSP_CRLID_free(cid); + if (cid) + OCSP_CRLID_free(cid); return x; - } +} /* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */ -X509_EXTENSION *OCSP_accept_responses_new(char **oids) - { +X509_EXTENSION * +OCSP_accept_responses_new(char **oids) +{ int nid; STACK_OF(ASN1_OBJECT) *sk = NULL; ASN1_OBJECT *o = NULL; - X509_EXTENSION *x = NULL; + X509_EXTENSION *x = NULL; - if (!(sk = sk_ASN1_OBJECT_new_null())) goto 
err; - while (oids && *oids) - { - if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid))) - sk_ASN1_OBJECT_push(sk, o); + if (!(sk = sk_ASN1_OBJECT_new_null())) + goto err; + while (oids && *oids) { + if ((nid = OBJ_txt2nid(*oids)) != NID_undef && + (o = OBJ_nid2obj(nid))) + sk_ASN1_OBJECT_push(sk, o); oids++; - } + } x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk); err: - if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); + if (sk) + sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); return x; - } +} /* ArchiveCutoff ::= GeneralizedTime */ -X509_EXTENSION *OCSP_archive_cutoff_new(char* tim) - { - X509_EXTENSION *x=NULL; +X509_EXTENSION * +OCSP_archive_cutoff_new(char* tim) +{ + X509_EXTENSION *x = NULL; ASN1_GENERALIZEDTIME *gt = NULL; - if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err; - if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err; + if (!(gt = ASN1_GENERALIZEDTIME_new())) + goto err; + if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) + goto err; x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt); err: - if (gt) ASN1_GENERALIZEDTIME_free(gt); + if (gt) + ASN1_GENERALIZEDTIME_free(gt); return x; - } +} /* per ACCESS_DESCRIPTION parameter are oids, of which there are currently * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String. 
*/ -X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls) - { +X509_EXTENSION * +OCSP_url_svcloc_new(X509_NAME* issuer, char **urls) +{ X509_EXTENSION *x = NULL; ASN1_IA5STRING *ia5 = NULL; OCSP_SERVICELOC *sloc = NULL; ACCESS_DESCRIPTION *ad = NULL; - if (!(sloc = OCSP_SERVICELOC_new())) goto err; - if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err; - if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err; - while (urls && *urls) - { - if (!(ad = ACCESS_DESCRIPTION_new())) goto err; - if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err; - if (!(ad->location = GENERAL_NAME_new())) goto err; - if (!(ia5 = ASN1_IA5STRING_new())) goto err; - if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err; + if (!(sloc = OCSP_SERVICELOC_new())) + goto err; + if (!(sloc->issuer = X509_NAME_dup(issuer))) + goto err; + if (urls && *urls && + !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) + goto err; + while (urls && *urls) { + if (!(ad = ACCESS_DESCRIPTION_new())) + goto err; + if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP))) + goto err; + if (!(ad->location = GENERAL_NAME_new())) + goto err; + if (!(ia5 = ASN1_IA5STRING_new())) + goto err; + if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) + goto err; ad->location->type = GEN_URI; ad->location->d.ia5 = ia5; - if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err; + if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) + goto err; urls++; - } + } x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc); err: - if (sloc) OCSP_SERVICELOC_free(sloc); + if (sloc) + OCSP_SERVICELOC_free(sloc); return x; - } - +} diff --git a/lib/libssl/src/crypto/ocsp/ocsp_ht.c b/lib/libssl/src/crypto/ocsp/ocsp_ht.c index b45eaf6767a..fe4a7a1a72d 100644 --- a/lib/libssl/src/crypto/ocsp/ocsp_ht.c +++ b/lib/libssl/src/crypto/ocsp/ocsp_ht.c 
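Review bot: `OCSP_url_svcloc_new` leaks on every failure inside its loop: once `ad = ACCESS_DESCRIPTION_new()` succeeds, a failing `GENERAL_NAME_new`, `ASN1_IA5STRING_new`, `ASN1_STRING_set` or `sk_ACCESS_DESCRIPTION_push` jumps to `err:`, which frees only `sloc`, so `ad` (and `ia5` until it is attached to `ad->location`) are never released. The fix is to NULL each pointer at the moment ownership moves and free whatever is still owned at `err:`; the related `OCSP_accept_responses_new` above also ignores the return of `sk_ASN1_OBJECT_push`, silently dropping an OID on allocation failure, and could use `if (!sk_ASN1_OBJECT_push(sk, o)) goto err;` (with `x` left NULL). Whether `ACCESS_DESCRIPTION_free` tolerates a static `method` object is presumably already exercised by the success path through `OCSP_SERVICELOC_free`, but worth confirming.

```c
	while (urls && *urls) {
		/* … unchanged: ACCESS_DESCRIPTION_new, OBJ_nid2obj, GENERAL_NAME_new,
		 * ASN1_IA5STRING_new and ASN1_STRING_set, each `goto err` on failure … */
		ad->location->type = GEN_URI;
		ad->location->d.ia5 = ia5;
		ia5 = NULL;	/* now owned by ad */
		if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
			goto err;
		ad = NULL;	/* now owned by sloc */
		urls++;
	}
	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
err:
	ASN1_IA5STRING_free(ia5);
	ACCESS_DESCRIPTION_free(ad);
	if (sloc)
		OCSP_SERVICELOC_free(sloc);
	return x;
```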
@@ -79,7 +79,7 @@ struct ocsp_req_ctx_st { BIO *io; /* BIO to perform I/O with */ BIO *mem; /* Memory BIO response is built into */ unsigned long asn1_len; /* ASN1 length of response */ - }; +}; #define OCSP_MAX_REQUEST_LENGTH (100 * 1024) #define OCSP_MAX_LINE_LEN 4096; 
@@ -108,54 +108,57 @@ struct ocsp_req_ctx_st { static int parse_http_line1(char *line); -void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) - { +void +OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) +{ if (rctx->mem) BIO_free(rctx->mem); if (rctx->iobuf) free(rctx->iobuf); free(rctx); - } +} -int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req) - { +int +OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req) +{ static const char req_hdr[] = - "Content-Type: application/ocsp-request\r\n" - "Content-Length: %d\r\n\r\n"; - if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0) + "Content-Type: application/ocsp-request\r\n" + "Content-Length: %d\r\n\r\n"; + + if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0) return 0; - if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0) + if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0) return 0; rctx->state = OHS_ASN1_WRITE; rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL); return 1; - } +} -int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, - const char *name, const char *value) - { +int +OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, + const char *value) +{ if (!name) return 0; if (BIO_puts(rctx->mem, name) <= 0) return 0; - if (value) - { + if (value) { if (BIO_write(rctx->mem, ": ", 2) != 2) return 0; if (BIO_puts(rctx->mem, value) <= 0) return 0; - } + } if (BIO_write(rctx->mem, "\r\n", 2) != 2) return 0; return 1; - } +} -OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, - int maxline) - { +OCSP_REQ_CTX * +OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline) +{ static const char post_hdr[] = "POST %s HTTP/1.0\r\n"; - OCSP_REQ_CTX *rctx; + rctx = malloc(sizeof(OCSP_REQ_CTX)); rctx->state = OHS_ERROR; rctx->mem = BIO_new(BIO_s_mem()); 
@@ -174,7 +177,7 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, if (!path) path = "/"; - if (BIO_printf(rctx->mem, post_hdr, path) <= 0) { + if (BIO_printf(rctx->mem, post_hdr, path) <= 0) { free(rctx->iobuf); BIO_free(rctx->mem); free(rctx); @@ -189,49 +192,44 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, } return rctx; - } +} /* Parse the HTTP response. This will look like this: * "HTTP/1.0 200 OK". We need to obtain the numeric code and * (optional) informational message. */ - -static int parse_http_line1(char *line) - { +static int +parse_http_line1(char *line) +{ int retcode; char *p, *q, *r; - /* Skip to first white space (passed protocol info) */ - for(p = line; *p && !isspace((unsigned char)*p); p++) + /* Skip to first white space (passed protocol info) */ + for (p = line; *p && !isspace((unsigned char)*p); p++) continue; - if(!*p) - { + if (!*p) { OCSPerr(OCSP_F_PARSE_HTTP_LINE1, - OCSP_R_SERVER_RESPONSE_PARSE_ERROR); + OCSP_R_SERVER_RESPONSE_PARSE_ERROR); return 0; - } + } /* Skip past white space to start of response code */ - while(*p && isspace((unsigned char)*p)) + while (*p && isspace((unsigned char)*p)) p++; - - if(!*p) - { + if (!*p) { OCSPerr(OCSP_F_PARSE_HTTP_LINE1, - OCSP_R_SERVER_RESPONSE_PARSE_ERROR); + OCSP_R_SERVER_RESPONSE_PARSE_ERROR); return 0; - } + } /* Find end of response code: first whitespace after start of code */ - for(q = p; *q && !isspace((unsigned char)*q); q++) + for (q = p; *q && !isspace((unsigned char)*q); q++) continue; - - if(!*q) - { + if (!*q) { OCSPerr(OCSP_F_PARSE_HTTP_LINE1, - OCSP_R_SERVER_RESPONSE_PARSE_ERROR); + OCSP_R_SERVER_RESPONSE_PARSE_ERROR); return 0; - } + } /* Set end of response code and start of message */ *q++ = 0; 
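Review bot: In `OCSP_sendreq_new` the result of `rctx = malloc(sizeof(OCSP_REQ_CTX));` is dereferenced on the very next line (`rctx->state = OHS_ERROR;`) with no NULL check, and `rctx->mem = BIO_new(BIO_s_mem())` is likewise unchecked before the later `BIO_printf(rctx->mem, ...)`. The commit rewrites the declaration right above, so it is the natural place to add `if ((rctx = malloc(sizeof(*rctx))) == NULL) return NULL;` and to send a NULL `mem` down the same cleanup path the `BIO_printf` failure already uses. Since that cleanup path frees `rctx`, the function presumably can already return NULL, and callers such as `OCSP_sendreq_bio` (a later hunk) would need to check for it. In the same spirit as the `free(b)` simplification this commit makes in ocsp_ext.c, the `if (rctx->iobuf) free(rctx->iobuf);` guard in `OCSP_REQ_CTX_free` could drop its `if`. The body of `OCSP_sendreq_new` continues past the end of this hunk.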
@@ -239,94 +237,80 @@ static int parse_http_line1(char *line) /* Attempt to parse numeric code */ retcode = strtoul(p, &r, 10); - if(*r) + if (*r) return 0; /* Skip over any leading white space in message */ - while(*q && isspace((unsigned char)*q)) + while (*q && isspace((unsigned char)*q)) q++; - - if(*q) - { + if (*q) { /* Finally zap any trailing white space in message (include * CRLF) */ /* We know q has a non white space character so this is OK */ - for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) + for (r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0; - } - if(retcode != 200) - { + } + if (retcode != 200) { OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR); - if(!*q) + if (!*q) ERR_asprintf_error_data("Code=%s", p); else ERR_asprintf_error_data("Code=%s,Reason=%s", p, q); return 0; - } - + } return 1; +} - } - -int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) - { +int +OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) +{ int i, n; const unsigned char *p; - next_io: - if (!(rctx->state & OHS_NOREAD)) - { + +next_io: + if (!(rctx->state & OHS_NOREAD)) { n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen); - if (n <= 0) - { + if (n <= 0) { if (BIO_should_retry(rctx->io)) return -1; return 0; - } + } /* Write data to memory BIO */ - if (BIO_write(rctx->mem, rctx->iobuf, n) != n) return 0; - } - - switch(rctx->state) - { + } - case OHS_ASN1_WRITE: + switch (rctx->state) { + case OHS_ASN1_WRITE: n = BIO_get_mem_data(rctx->mem, &p); - i = BIO_write(rctx->io, p + (n - rctx->asn1_len), rctx->asn1_len); - - if (i <= 0) - { + if (i <= 0) { if (BIO_should_retry(rctx->io)) return -1; rctx->state = OHS_ERROR; return 0; - } + } rctx->asn1_len -= i; - if (rctx->asn1_len > 0) goto next_io; rctx->state = OHS_ASN1_FLUSH; (void)BIO_reset(rctx->mem); + /* FALLTHROUGH */ - case OHS_ASN1_FLUSH: - + case OHS_ASN1_FLUSH: i = BIO_flush(rctx->io); - - if (i > 0) - { + if (i > 0) { rctx->state = OHS_FIRSTLINE; goto 
next_io; - } + } if (BIO_should_retry(rctx->io)) return -1; @@ -334,79 +318,62 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) rctx->state = OHS_ERROR; return 0; - case OHS_ERROR: + case OHS_ERROR: return 0; - case OHS_FIRSTLINE: - case OHS_HEADERS: - + case OHS_FIRSTLINE: + case OHS_HEADERS: /* Attempt to read a line in */ - - next_line: +next_line: /* Due to &%^*$" memory BIO behaviour with BIO_gets we * have to check there's a complete line in there before * calling BIO_gets or we'll just get a partial read. */ n = BIO_get_mem_data(rctx->mem, &p); - if ((n <= 0) || !memchr(p, '\n', n)) - { - if (n >= rctx->iobuflen) - { + if ((n <= 0) || !memchr(p, '\n', n)) { + if (n >= rctx->iobuflen) { rctx->state = OHS_ERROR; return 0; - } - goto next_io; } + goto next_io; + } n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen); - - if (n <= 0) - { + if (n <= 0) { if (BIO_should_retry(rctx->mem)) goto next_io; rctx->state = OHS_ERROR; return 0; - } + } /* Don't allow excessive lines */ - if (n == rctx->iobuflen) - { + if (n == rctx->iobuflen) { rctx->state = OHS_ERROR; return 0; - } + } /* First line */ - if (rctx->state == OHS_FIRSTLINE) - { - if (parse_http_line1((char *)rctx->iobuf)) - { + if (rctx->state == OHS_FIRSTLINE) { + if (parse_http_line1((char *)rctx->iobuf)) { rctx->state = OHS_HEADERS; goto next_line; - } - else - { + } else { rctx->state = OHS_ERROR; return 0; - } } - else - { + } else { /* Look for blank line: end of headers */ - for (p = rctx->iobuf; *p; p++) - { + for (p = rctx->iobuf; *p; p++) { if ((*p != '\r') && (*p != '\n')) break; - } + } if (*p) goto next_line; rctx->state = OHS_ASN1_HEADER; + } + /* FALLTRHOUGH */ - } - - /* Fall thru */ - - - case OHS_ASN1_HEADER: + case OHS_ASN1_HEADER: /* Now reading ASN1 header: can read at least 2 bytes which * is enough for ASN1 SEQUENCE header and either length field * or at least the length of the length field. 
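Review bot: The reformatted `if (*r) return 0;` after `retcode = strtoul(p, &r, 10);` is the one failure exit in `parse_http_line1` that returns 0 without recording an error, so a non-numeric status code reaches the caller with an empty error queue while the whitespace checks a few lines earlier all push `OCSP_R_SERVER_RESPONSE_PARSE_ERROR`. Make it consistent: `if (*r) { OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_PARSE_ERROR); return 0; }`. `retcode` is also an `int` receiving an `unsigned long`; it is only ever compared with 200 so this is harmless today, but `strtol` into a `long` would match the types. `parse_http_line1` begins in the previous hunk.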
@@ -416,15 +383,13 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) goto next_io; /* Check it is an ASN1 SEQUENCE */ - if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) - { + if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) { rctx->state = OHS_ERROR; return 0; - } + } /* Check out length field */ - if (*p & 0x80) - { + if (*p & 0x80) { /* If MSB set on initial length octet we can now * always read 6 octets: make sure we have them. */ 
@@ -432,78 +397,64 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) goto next_io; n = *p & 0x7F; /* Not NDEF or excessive length */ - if (!n || (n > 4)) - { + if (!n || (n > 4)) { rctx->state = OHS_ERROR; return 0; - } + } p++; rctx->asn1_len = 0; - for (i = 0; i < n; i++) - { + for (i = 0; i < n; i++) { rctx->asn1_len <<= 8; rctx->asn1_len |= *p++; - } + } - if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) - { + if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) { rctx->state = OHS_ERROR; return 0; - } + } rctx->asn1_len += n + 2; - } - else + } else rctx->asn1_len = *p + 2; rctx->state = OHS_ASN1_CONTENT; - /* Fall thru */ + /* FALLTHROUGH */ - case OHS_ASN1_CONTENT: + case OHS_ASN1_CONTENT: n = BIO_get_mem_data(rctx->mem, &p); if (n < (int)rctx->asn1_len) goto next_io; - *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len); - if (*presp) - { + if (*presp) { rctx->state = OHS_DONE; return 1; - } + } rctx->state = OHS_ERROR; return 0; - break; - - case OHS_DONE: + case OHS_DONE: return 1; - - } - - + } return 0; - - - } +} /* Blocking OCSP request handler: now a special case of non-blocking I/O */ - -OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) - { +OCSP_RESPONSE * +OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) +{ OCSP_RESPONSE *resp = NULL; OCSP_REQ_CTX *ctx; int rv; ctx = OCSP_sendreq_new(b, path, req, -1); - do - { + do { rv = OCSP_sendreq_nbio(&resp, ctx); - } while ((rv == -1) && BIO_should_retry(b)); + } while ((rv == -1) && BIO_should_retry(b)); OCSP_REQ_CTX_free(ctx); @@ -511,4 +462,4 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) return resp; return NULL; - } +} diff --git a/lib/libssl/src/crypto/ocsp/ocsp_lib.c b/lib/libssl/src/crypto/ocsp/ocsp_lib.c index 514cdabf2d6..056bd276650 100644 --- a/lib/libssl/src/crypto/ocsp/ocsp_lib.c +++ b/lib/libssl/src/crypto/ocsp/ocsp_lib.c 
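Review bot: In OCSP_sendreq_bio the context returned by `OCSP_sendreq_new(b, path, req, -1)` is handed to OCSP_sendreq_nbio without a NULL check, and that function reads `rctx->state` in its first statement; OCSP_sendreq_new is outside this diff, but a constructor that allocates a context and a memory BIO normally returns NULL on allocation failure, which would make this a NULL dereference on the out-of-memory path. A guard before the loop covers it: `if ((ctx = OCSP_sendreq_new(b, path, req, -1)) == NULL) return NULL;`. Separately, the response length is bounded by `OCSP_MAX_REQUEST_LENGTH` in the OHS_ASN1_HEADER case; the name suggests a request bound, so a one-line comment stating that the same limit intentionally caps the response size would save the next reader a detour.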
@@ -73,102 +73,112 @@ /* Convert a certificate and its issuer to an OCSP_CERTID */ -OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) +OCSP_CERTID * +OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) { X509_NAME *iname; ASN1_INTEGER *serial; ASN1_BIT_STRING *ikey; + #ifndef OPENSSL_NO_SHA1 - if(!dgst) dgst = EVP_sha1(); + if (!dgst) + dgst = EVP_sha1(); #endif - if (subject) - { + if (subject) { iname = X509_get_issuer_name(subject); serial = X509_get_serialNumber(subject); - } - else - { + } else { iname = X509_get_subject_name(issuer); serial = NULL; - } + } ikey = X509_get0_pubkey_bitstr(issuer); return OCSP_cert_id_new(dgst, iname, ikey, serial); } - -OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, - X509_NAME *issuerName, - ASN1_BIT_STRING* issuerKey, - ASN1_INTEGER *serialNumber) - { +OCSP_CERTID * +OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName, + ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber) +{ int nid; - unsigned int i; + unsigned int i; X509_ALGOR *alg; OCSP_CERTID *cid = NULL; unsigned char md[EVP_MAX_MD_SIZE]; - if (!(cid = OCSP_CERTID_new())) goto err; + if (!(cid = OCSP_CERTID_new())) + goto err; alg = cid->hashAlgorithm; - if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm); - if ((nid = EVP_MD_type(dgst)) == NID_undef) - { - OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_UNKNOWN_NID); + if (alg->algorithm != NULL) + ASN1_OBJECT_free(alg->algorithm); + if ((nid = EVP_MD_type(dgst)) == NID_undef) { + OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID); + goto err; + } + if (!(alg->algorithm=OBJ_nid2obj(nid))) + goto err; + if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err; - } - if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err; - if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err; alg->parameter->type=V_ASN1_NULL; - if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr; - if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err; + if 
(!X509_NAME_digest(issuerName, dgst, md, &i)) + goto digerr; + if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) + goto err; /* Calculate the issuerKey hash, excluding tag and length */ if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL)) goto err; - if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err; + if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) + goto err; - if (serialNumber) - { + if (serialNumber) { ASN1_INTEGER_free(cid->serialNumber); - if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err; - } + if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) + goto err; + } return cid; digerr: - OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_DIGEST_ERR); + OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR); err: - if (cid) OCSP_CERTID_free(cid); + if (cid) + OCSP_CERTID_free(cid); return NULL; - } +} -int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b) - { +int +OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b) +{ int ret; + ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm); - if (ret) return ret; + if (ret) + return ret; ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash); - if (ret) return ret; + if (ret) + return ret; return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash); - } +} -int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) - { +int +OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) +{ int ret; + ret = OCSP_id_issuer_cmp(a, b); - if (ret) return ret; + if (ret) + return ret; return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber); - } - +} /* Parse a URL and split it up into host, port and path components and whether * it is SSL. */ - -int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl) - { +int +OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl) +{ char *p, *buf; - char *host, *port; *phost = NULL; 
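Review bot: OCSP_cert_id_new dereferences `issuerKey->data` and `issuerKey->length` in the EVP_Digest call and passes `issuerName` to X509_NAME_digest without checking either for NULL, and OCSP_cert_to_id feeds it whatever `X509_get0_pubkey_bitstr(issuer)` returns; that accessor is outside the diff, but if it can return NULL for a certificate without a usable key the digest is computed through a NULL pointer. A guard at the top of OCSP_cert_id_new, `if (issuerName == NULL || issuerKey == NULL) return NULL;`, makes the contract explicit. On style, `err: if (cid) OCSP_CERTID_free(cid);` keeps a NULL guard that the same commit removes around free() in OCSP_parse_url; the ASN.1 item free functions in this codebase accept NULL, so `OCSP_CERTID_free(cid);` alone is consistent with the rest of the change. OCSP_parse_url starts at the bottom of this hunk and its body continues in the next one.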
@@ -177,26 +187,23 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss /* dup the buffer since we are going to mess with it */ buf = BUF_strdup(url); - if (!buf) goto mem_err; + if (!buf) + goto mem_err; /* Check for initial colon */ p = strchr(buf, ':'); - - if (!p) goto parse_err; + if (!p) + goto parse_err; *(p++) = '\0'; - if (!strcmp(buf, "http")) - { + if (!strcmp(buf, "http")) { *pssl = 0; port = "80"; - } - else if (!strcmp(buf, "https")) - { + } else if (!strcmp(buf, "https")) { *pssl = 1; port = "443"; - } - else + } else goto parse_err; /* Check for double slash */ @@ -208,59 +215,56 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss host = p; /* Check for trailing part of path */ - p = strchr(p, '/'); - if (!p) *ppath = BUF_strdup("/"); - else - { + else { *ppath = BUF_strdup(p); /* Set start of path to 0 so hostname is valid */ *p = '\0'; - } + } - if (!*ppath) goto mem_err; + if (!*ppath) + goto mem_err; /* Look for optional ':' for port number */ - if ((p = strchr(host, ':'))) - { + if ((p = strchr(host, ':'))) { *p = 0; port = p + 1; - } - else - { + } else { /* Not found: set default port */ - if (*pssl) port = "443"; - else port = "80"; - } + if (*pssl) + port = "443"; + else + port = "80"; + } *pport = BUF_strdup(port); - if (!*pport) goto mem_err; + if (!*pport) + goto mem_err; *phost = BUF_strdup(host); - if (!*phost) goto mem_err; + if (!*phost) + goto mem_err; free(buf); return 1; - mem_err: +mem_err: OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE); goto err; - parse_err: +parse_err: OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL); - - err: - if (buf) free(buf); - if (*ppath) free(*ppath); - if (*pport) free(*pport); - if (*phost) free(*phost); +err: + free(buf); + free(*ppath); + free(*pport); + free(*phost); return 0; - - } +} IMPLEMENT_ASN1_DUP_FUNCTION(OCSP_CERTID) 
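Review bot: The `err:` path at the end of OCSP_parse_url frees `*ppath`, `*pport` and `*phost` but leaves the caller's pointers pointing at freed memory, so a caller that frees its output variables after a 0 return double-frees; each free should be followed by a reset, e.g. `free(*ppath); *ppath = NULL;` and likewise for `*pport` and `*phost`. The `port = "80"` / `port = "443"` assignments in the preceding hunk (@@ -177) are dead, because the `if ((p = strchr(host, ':')))` block here always overwrites `port`, so one of the two defaulting sites can go. Splitting the host on the first ':' also means a bracketed IPv6 literal is cut in the wrong place; that is pre-existing, but worth a comment on the `strchr(host, ':')` line so the limitation is visible.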
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_prn.c b/lib/libssl/src/crypto/ocsp/ocsp_prn.c index 87608ff399b..9e4b81f0610 100644 --- a/lib/libssl/src/crypto/ocsp/ocsp_prn.c +++ b/lib/libssl/src/crypto/ocsp/ocsp_prn.c @@ -66,8 +66,9 @@ #include <openssl/ocsp.h> #include <openssl/pem.h> -static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent) - { +static int +ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent) +{ BIO_printf(bp, "%*sCertificate ID:\n", indent, ""); indent += 2; BIO_printf(bp, "%*sHash Algorithm: ", indent, ""); 
@@ -80,60 +81,68 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent) i2a_ASN1_INTEGER(bp, a->serialNumber); BIO_printf(bp, "\n"); return 1; - } +} -typedef struct - { +typedef struct { long t; const char *m; - } OCSP_TBLSTR; +} OCSP_TBLSTR; -static const char *table2string(long s, const OCSP_TBLSTR *ts, int len) +static const char * +table2string(long s, const OCSP_TBLSTR *ts, int len) { const OCSP_TBLSTR *p; + for (p=ts; p < ts + len; p++) - if (p->t == s) - return p->m; + if (p->t == s) + return p->m; return "(UNKNOWN)"; } -const char *OCSP_response_status_str(long s) - { +const char * +OCSP_response_status_str(long s) +{ static const OCSP_TBLSTR rstat_tbl[] = { - { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" }, - { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" }, - { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" }, - { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" }, - { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" }, - { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } }; + { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" }, + { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" }, + { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" }, + { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" }, + { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" }, + { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } + }; return table2string(s, rstat_tbl, 6); - } +} -const char *OCSP_cert_status_str(long s) - { +const char * +OCSP_cert_status_str(long s) +{ static const OCSP_TBLSTR cstat_tbl[] = { - { V_OCSP_CERTSTATUS_GOOD, "good" }, - { V_OCSP_CERTSTATUS_REVOKED, "revoked" }, - { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } }; + { V_OCSP_CERTSTATUS_GOOD, "good" }, + { V_OCSP_CERTSTATUS_REVOKED, "revoked" }, + { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } + }; return table2string(s, cstat_tbl, 3); - } +} -const char *OCSP_crl_reason_str(long s) - { +const char * +OCSP_crl_reason_str(long s) +{ static const OCSP_TBLSTR reason_tbl[] = { - { 
OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" }, - { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" }, - { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" }, - { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" }, - { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" }, - { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" }, - { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" }, - { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } }; + { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" }, + { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" }, + { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" }, + { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" }, + { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" }, + { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" }, + { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" }, + { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } + }; return table2string(s, reason_tbl, 8); - } +} -int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags) - { +int +OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags) +{ int i; long l; OCSP_CERTID* cid = NULL; 
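Review bot: The three table lookups pass hard-coded element counts, `table2string(s, rstat_tbl, 6)`, `… cstat_tbl, 3` and `… reason_tbl, 8`, which have to be updated by hand whenever a row is added and silently truncate or overrun the table if they drift; deriving the count from the array is safer, e.g. `return table2string(s, rstat_tbl, sizeof(rstat_tbl) / sizeof(rstat_tbl[0]));`. Also, ocsp_certid_print (whose tail is at the top of this hunk) returns 1 unconditionally even though every BIO_printf in it can fail, so the `<= 0` check its caller in OCSP_RESPONSE_print performs can never fire; either propagate the BIO_printf results or document that the return value is nominal.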
@@ -141,45 +150,45 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags) OCSP_REQINFO *inf = o->tbsRequest; OCSP_SIGNATURE *sig = o->optionalSignature; - if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err; - l=ASN1_INTEGER_get(inf->version); - if (BIO_printf(bp," Version: %lu (0x%lx)",l+1,l) <= 0) goto err; - if (inf->requestorName != NULL) - { + if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) + goto err; + l = ASN1_INTEGER_get(inf->version); + if (BIO_printf(bp," Version: %lu (0x%lx)",l+1,l) <= 0) + goto err; + if (inf->requestorName != NULL) { if (BIO_write(bp,"\n Requestor Name: ",21) <= 0) - goto err; + goto err; GENERAL_NAME_print(bp, inf->requestorName); - } - if (BIO_write(bp,"\n Requestor List:\n",21) <= 0) goto err; - for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) - { + } + if (BIO_write(bp,"\n Requestor List:\n",21) <= 0) + goto err; + for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) { one = sk_OCSP_ONEREQ_value(inf->requestList, i); cid = one->reqCert; ocsp_certid_print(bp, cid, 8); - if (!X509V3_extensions_print(bp, - "Request Single Extensions", - one->singleRequestExtensions, flags, 8)) - goto err; - } + if (!X509V3_extensions_print(bp, "Request Single Extensions", + one->singleRequestExtensions, flags, 8)) + goto err; + } if (!X509V3_extensions_print(bp, "Request Extensions", - inf->requestExtensions, flags, 4)) - goto err; - if (sig) - { - X509_signature_print(bp, sig->signatureAlgorithm, sig->signature); - for (i=0; i<sk_X509_num(sig->certs); i++) - { + inf->requestExtensions, flags, 4)) + goto err; + if (sig) { + X509_signature_print(bp, sig->signatureAlgorithm, + sig->signature); + for (i=0; i<sk_X509_num(sig->certs); i++) { X509_print(bp, sk_X509_value(sig->certs,i)); PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i)); - } } + } return 1; err: return 0; - } +} -int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags) - { +int +OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, 
unsigned long flags) +{ int i, ret = 0; long l; OCSP_CERTID *cid = NULL; 
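Review bot: OCSP_REQUEST_print writes its fixed strings with `BIO_write(bp, "OCSP Request Data:\n", 19)` and similar calls whose byte counts must be kept in step with the literals by hand, while OCSP_RESPONSE_print in the following hunk already uses `BIO_puts(bp, "OCSP Response Data:\n")`; switching these to BIO_puts removes the counts and makes the two printers consistent. The function also checks the BIO_write results but discards those of GENERAL_NAME_print, X509_signature_print, X509_print and PEM_write_bio_X509, so a failing BIO is only sometimes reported. Finally, `l` is a long but is printed with `%lu`, and ASN1_INTEGER_get reports failure with -1, which would print as a huge version number rather than an error. OCSP_REQUEST_print's signature is at the end of the previous hunk, and OCSP_RESPONSE_print, which starts at the bottom of this one, continues in the next.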
@@ -191,100 +200,107 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags) OCSP_SINGLERESP *single = NULL; OCSP_RESPBYTES *rb = o->responseBytes; - if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err; - l=ASN1_ENUMERATED_get(o->responseStatus); + if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) + goto err; + l = ASN1_ENUMERATED_get(o->responseStatus); if (BIO_printf(bp," OCSP Response Status: %s (0x%lx)\n", - OCSP_response_status_str(l), l) <= 0) goto err; - if (rb == NULL) return 1; - if (BIO_puts(bp," Response Type: ") <= 0) - goto err; + OCSP_response_status_str(l), l) <= 0) + goto err; + if (rb == NULL) + return 1; + if (BIO_puts(bp," Response Type: ") <= 0) + goto err; if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0) - goto err; - if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) - { + goto err; + if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) { BIO_puts(bp," (unknown response type)\n"); return 1; - } + } i = ASN1_STRING_length(rb->response); - if (!(br = OCSP_response_get1_basic(o))) goto err; + if (!(br = OCSP_response_get1_basic(o))) + goto err; rd = br->tbsResponseData; - l=ASN1_INTEGER_get(rd->version); - if (BIO_printf(bp,"\n Version: %lu (0x%lx)\n", - l+1,l) <= 0) goto err; - if (BIO_puts(bp," Responder Id: ") <= 0) goto err; + l = ASN1_INTEGER_get(rd->version); + if (BIO_printf(bp,"\n Version: %lu (0x%lx)\n", l+1,l) <= 0) + goto err; + if (BIO_puts(bp," Responder Id: ") <= 0) + goto err; rid = rd->responderId; - switch (rid->type) - { - case V_OCSP_RESPID_NAME: - X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE); - break; - case V_OCSP_RESPID_KEY: - i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING); - break; - } + switch (rid->type) { + case V_OCSP_RESPID_NAME: + X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE); + break; + case V_OCSP_RESPID_KEY: + i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING); + break; + } - if (BIO_printf(bp,"\n Produced At: ")<=0) goto err; 
- if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err; - if (BIO_printf(bp,"\n Responses:\n") <= 0) goto err; - for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) - { - if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue; + if (BIO_printf(bp,"\n Produced At: ")<=0) + goto err; + if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) + goto err; + if (BIO_printf(bp,"\n Responses:\n") <= 0) + goto err; + for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { + if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) + continue; single = sk_OCSP_SINGLERESP_value(rd->responses, i); cid = single->certId; - if(ocsp_certid_print(bp, cid, 4) <= 0) goto err; + if (ocsp_certid_print(bp, cid, 4) <= 0) + goto err; cst = single->certStatus; if (BIO_printf(bp," Cert Status: %s", - OCSP_cert_status_str(cst->type)) <= 0) - goto err; - if (cst->type == V_OCSP_CERTSTATUS_REVOKED) - { - rev = cst->value.revoked; + OCSP_cert_status_str(cst->type)) <= 0) + goto err; + if (cst->type == V_OCSP_CERTSTATUS_REVOKED) { + rev = cst->value.revoked; if (BIO_printf(bp, "\n Revocation Time: ") <= 0) - goto err; - if (!ASN1_GENERALIZEDTIME_print(bp, - rev->revocationTime)) goto err; - if (rev->revocationReason) - { - l=ASN1_ENUMERATED_get(rev->revocationReason); - if (BIO_printf(bp, - "\n Revocation Reason: %s (0x%lx)", - OCSP_crl_reason_str(l), l) <= 0) - goto err; - } + if (!ASN1_GENERALIZEDTIME_print(bp, + rev->revocationTime)) + goto err; + if (rev->revocationReason) { + l = ASN1_ENUMERATED_get(rev->revocationReason); + if (BIO_printf(bp, + "\n Revocation Reason: %s (0x%lx)", + OCSP_crl_reason_str(l), l) <= 0) + goto err; } - if (BIO_printf(bp,"\n This Update: ") <= 0) goto err; + } + if (BIO_printf(bp,"\n This Update: ") <= 0) + goto err; if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate)) goto err; - if (single->nextUpdate) - { - if (BIO_printf(bp,"\n Next Update: ") <= 0)goto err; + if (single->nextUpdate) { + if (BIO_printf(bp,"\n Next Update: ") <= 0) + goto 
err; if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate)) goto err; - } - if (BIO_write(bp,"\n",1) <= 0) goto err; - if (!X509V3_extensions_print(bp, - "Response Single Extensions", - single->singleExtensions, flags, 8)) - goto err; - if (BIO_write(bp,"\n",1) <= 0) goto err; } + if (BIO_write(bp,"\n",1) <= 0) + goto err; + if (!X509V3_extensions_print(bp, "Response Single Extensions", + single->singleExtensions, flags, 8)) + goto err; + if (BIO_write(bp,"\n",1) <= 0) + goto err; + } if (!X509V3_extensions_print(bp, "Response Extensions", - rd->responseExtensions, flags, 4)) - goto err; - if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0) - goto err; + rd->responseExtensions, flags, 4)) + goto err; + if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= + 0) + goto err; - for (i=0; i<sk_X509_num(br->certs); i++) - { - X509_print(bp, sk_X509_value(br->certs,i)); - PEM_write_bio_X509(bp,sk_X509_value(br->certs,i)); - } + for (i = 0; i < sk_X509_num(br->certs); i++) { + X509_print(bp, sk_X509_value(br->certs, i)); + PEM_write_bio_X509(bp,sk_X509_value(br->certs, i)); + } ret = 1; err: OCSP_BASICRESP_free(br); return ret; - } +} diff --git a/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/lib/libssl/src/crypto/ocsp/ocsp_srv.c index 1c606dd0b61..c14e8e2bc35 100644 --- a/lib/libssl/src/crypto/ocsp/ocsp_srv.c +++ b/lib/libssl/src/crypto/ocsp/ocsp_srv.c 
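Review bot: `i = ASN1_STRING_length(rb->response);` (a context line just before the `OCSP_response_get1_basic(o)` call) is a dead store: `i` is not read before the `for (i = 0; …)` loop reassigns it, so the line can simply be deleted. The `switch (rid->type)` has no `default:`, so a responder id of an unexpected type prints nothing after "Responder Id: " and processing continues silently; a `default:` branch that prints a marker would make the output self-describing. The `err:` label calls `OCSP_BASICRESP_free(br)` on the path where OCSP_response_get1_basic failed, which is only safe if `br` is initialised to NULL at its declaration, which lies outside this hunk. OCSP_RESPONSE_print begins in the previous hunk.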
@@ -69,107 +69,118 @@ * relevant information from the request. */ -int OCSP_request_onereq_count(OCSP_REQUEST *req) - { +int +OCSP_request_onereq_count(OCSP_REQUEST *req) +{ return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList); - } +} -OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i) - { +OCSP_ONEREQ * +OCSP_request_onereq_get0(OCSP_REQUEST *req, int i) +{ return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i); - } +} -OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one) - { +OCSP_CERTID * +OCSP_onereq_get0_id(OCSP_ONEREQ *one) +{ return one->reqCert; - } +} -int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, - ASN1_OCTET_STRING **pikeyHash, - ASN1_INTEGER **pserial, OCSP_CERTID *cid) - { - if (!cid) return 0; - if (pmd) *pmd = cid->hashAlgorithm->algorithm; - if(piNameHash) *piNameHash = cid->issuerNameHash; - if (pikeyHash) *pikeyHash = cid->issuerKeyHash; - if (pserial) *pserial = cid->serialNumber; +int +OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, + ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid) +{ + if (!cid) + return 0; + if (pmd) + *pmd = cid->hashAlgorithm->algorithm; + if (piNameHash) + *piNameHash = cid->issuerNameHash; + if (pikeyHash) + *pikeyHash = cid->issuerKeyHash; + if (pserial) + *pserial = cid->serialNumber; return 1; - } +} -int OCSP_request_is_signed(OCSP_REQUEST *req) - { - if(req->optionalSignature) return 1; +int +OCSP_request_is_signed(OCSP_REQUEST *req) +{ + if (req->optionalSignature) + return 1; return 0; - } +} /* Create an OCSP response and encode an optional basic response */ -OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs) - { - OCSP_RESPONSE *rsp = NULL; +OCSP_RESPONSE * +OCSP_response_create(int status, OCSP_BASICRESP *bs) +{ + OCSP_RESPONSE *rsp = NULL; - if (!(rsp = OCSP_RESPONSE_new())) goto err; - if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err; - if (!bs) return rsp; - if (!(rsp->responseBytes = 
OCSP_RESPBYTES_new())) goto err; + if (!(rsp = OCSP_RESPONSE_new())) + goto err; + if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) + goto err; + if (!bs) + return rsp; + if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) + goto err; rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic); - if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response)) - goto err; + if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), + &rsp->responseBytes->response)) + goto err; return rsp; err: - if (rsp) OCSP_RESPONSE_free(rsp); + if (rsp) + OCSP_RESPONSE_free(rsp); return NULL; - } - +} -OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, - OCSP_CERTID *cid, - int status, int reason, - ASN1_TIME *revtime, - ASN1_TIME *thisupd, ASN1_TIME *nextupd) - { +OCSP_SINGLERESP * +OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status, + int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd) +{ OCSP_SINGLERESP *single = NULL; OCSP_CERTSTATUS *cs; OCSP_REVOKEDINFO *ri; - if(!rsp->tbsResponseData->responses && + if (!rsp->tbsResponseData->responses && !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null())) goto err; if (!(single = OCSP_SINGLERESP_new())) goto err; - - if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate)) goto err; if (nextupd && - !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate)) + !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate)) goto err; OCSP_CERTID_free(single->certId); - if(!(single->certId = OCSP_CERTID_dup(cid))) + if (!(single->certId = OCSP_CERTID_dup(cid))) goto err; cs = single->certStatus; - switch(cs->type = status) - { + switch(cs->type = status) { case V_OCSP_CERTSTATUS_REVOKED: - if (!revtime) - { - OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME); + if (!revtime) { + OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS, + OCSP_R_NO_REVOKED_TIME); + goto err; + } + if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) 
goto err; - } - if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err; if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime)) goto err; - if (reason != OCSP_REVOKED_STATUS_NOSTATUS) - { + if (reason != OCSP_REVOKED_STATUS_NOSTATUS) { if (!(ri->revocationReason = ASN1_ENUMERATED_new())) - goto err; - if (!(ASN1_ENUMERATED_set(ri->revocationReason, - reason))) - goto err; + goto err; + if (!(ASN1_ENUMERATED_set(ri->revocationReason, + reason))) + goto err; } break; 
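Review bot: `switch(cs->type = status) {` in OCSP_basic_add1_status hides a field assignment inside the switch expression and is the one `switch(` the commit leaves without the KNF space; splitting it into `cs->type = status;` followed by `switch (status) {` keeps the side effect visible and matches the rest of the change. OCSP_basic_add1_status continues in the next hunk, where the remaining cases live.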
@@ -183,82 +194,80 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, default: goto err; - - } + } if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single))) goto err; return single; err: OCSP_SINGLERESP_free(single); return NULL; - } +} /* Add a certificate to an OCSP request */ - -int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) - { +int +OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) +{ if (!resp->certs && !(resp->certs = sk_X509_new_null())) return 0; - if(!sk_X509_push(resp->certs, cert)) return 0; + if (!sk_X509_push(resp->certs, cert)) + return 0; CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); return 1; - } +} -int OCSP_basic_sign(OCSP_BASICRESP *brsp, - X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags) - { +int +OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, + const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags) +{ int i; OCSP_RESPID *rid; - if (!X509_check_private_key(signer, key)) - { - OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); + if (!X509_check_private_key(signer, key)) { + OCSPerr(OCSP_F_OCSP_BASIC_SIGN, + OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); goto err; - } + } - if(!(flags & OCSP_NOCERTS)) - { - if(!OCSP_basic_add1_cert(brsp, signer)) + if (!(flags & OCSP_NOCERTS)) { + if (!OCSP_basic_add1_cert(brsp, signer)) goto err; - for (i = 0; i < sk_X509_num(certs); i++) - { + for (i = 0; i < sk_X509_num(certs); i++) { X509 *tmpcert = sk_X509_value(certs, i); - if(!OCSP_basic_add1_cert(brsp, tmpcert)) + if (!OCSP_basic_add1_cert(brsp, tmpcert)) goto err; - } } + } rid = brsp->tbsResponseData->responderId; - if (flags & OCSP_RESPID_KEY) - { + if (flags & OCSP_RESPID_KEY) { unsigned char md[SHA_DIGEST_LENGTH]; + X509_pubkey_digest(signer, EVP_sha1(), md, NULL); if (!(rid->value.byKey = ASN1_OCTET_STRING_new())) goto err; - if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH))) 
- goto err; + if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, + SHA_DIGEST_LENGTH))) + goto err; rid->type = V_OCSP_RESPID_KEY; - } - else - { + } else { if (!X509_NAME_set(&rid->value.byName, - X509_get_subject_name(signer))) - goto err; + X509_get_subject_name(signer))) + goto err; rid->type = V_OCSP_RESPID_NAME; - } + } if (!(flags & OCSP_NOTIME) && - !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0)) + !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0)) goto err; /* Right now, I think that not doing double hashing is the right thing. -- Richard Levitte */ - if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err; + if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) + goto err; return 1; err: return 0; - } +} diff --git a/lib/libssl/src/crypto/ocsp/ocsp_vfy.c b/lib/libssl/src/crypto/ocsp/ocsp_vfy.c index 0b181d5abef..aede155871a 100644 --- a/lib/libssl/src/crypto/ocsp/ocsp_vfy.c +++ b/lib/libssl/src/crypto/ocsp/ocsp_vfy.c 
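Review bot: In the OCSP_RESPID_KEY branch of OCSP_basic_sign the return value of `X509_pubkey_digest(signer, EVP_sha1(), md, NULL)` is discarded, so if the digest fails `md` is never written and the uninitialised stack bytes are stored as the responder key hash and then signed into the response. The call should be checked like the others in the function: `if (!X509_pubkey_digest(signer, EVP_sha1(), md, NULL)) goto err;`. A short comment on the `err:` label noting that certificates already pushed by OCSP_basic_add1_cert stay attached to `brsp` on failure would also help callers that retry.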
@@ -60,134 +60,137 @@ #include <openssl/err.h> #include <string.h> -static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags); +static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, + STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); -static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags); +static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, + unsigned long flags); static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret); -static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp); +static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, + STACK_OF(OCSP_SINGLERESP) *sresp); static int ocsp_check_delegated(X509 *x, int flags); -static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags); +static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, + X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st, + unsigned long flags); /* Verify a basic response message */ - -int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags) - { +int +OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, + unsigned long flags) +{ X509 *signer, *x; STACK_OF(X509) *chain = NULL; X509_STORE_CTX ctx; int i, ret = 0; + ret = ocsp_find_signer(&signer, bs, certs, st, flags); - if (!ret) - { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); + if (!ret) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, + OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); goto end; - } + } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; - if (!(flags & OCSP_NOSIGS)) - { + if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; + skey = X509_get_pubkey(signer); - if 
(skey) - { + if (skey) { ret = OCSP_BASICRESP_verify(bs, skey, 0); EVP_PKEY_free(skey); - } - if(!skey || ret <= 0) - { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); + } + if (!skey || ret <= 0) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, + OCSP_R_SIGNATURE_FAILURE); goto end; - } } - if (!(flags & OCSP_NOVERIFY)) - { + } + if (!(flags & OCSP_NOVERIFY)) { int init_res; + if(flags & OCSP_NOCHAIN) init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); else - init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); - if(!init_res) - { + init_res = X509_STORE_CTX_init(&ctx, st, signer, + bs->certs); + if (!init_res) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; - } + } X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(&ctx); chain = X509_STORE_CTX_get1_chain(&ctx); X509_STORE_CTX_cleanup(&ctx); - if (ret <= 0) - { + if (ret <= 0) { i = X509_STORE_CTX_get_error(&ctx); - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR); + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, + OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_asprintf_error_data("Verify error:%s", - X509_verify_cert_error_string(i)); - goto end; - } - if(flags & OCSP_NOCHECKS) - { + X509_verify_cert_error_string(i)); + goto end; + } + if(flags & OCSP_NOCHECKS) { ret = 1; goto end; - } + } /* At this point we have a valid certificate chain * need to verify it against the OCSP issuer criteria. */ ret = ocsp_check_issuer(bs, chain, flags); /* If fatal error or valid match then finish */ - if (ret != 0) goto end; + if (ret != 0) + goto end; /* Easy case: explicitly trusted. 
Get root CA and * check for explicit trust */ - if(flags & OCSP_NOEXPLICIT) goto end; + if (flags & OCSP_NOEXPLICIT) + goto end; x = sk_X509_value(chain, sk_X509_num(chain) - 1); - if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) - { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED); + if (X509_check_trust(x, NID_OCSP_sign, 0) != + X509_TRUST_TRUSTED) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, + OCSP_R_ROOT_CA_NOT_TRUSTED); goto end; - } - ret = 1; } - - - - end: - if(chain) sk_X509_pop_free(chain, X509_free); - return ret; + ret = 1; } +end: + if (chain) + sk_X509_pop_free(chain, X509_free); + return ret; +} -static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags) - { +static int +ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags) +{ X509 *signer; OCSP_RESPID *rid = bs->tbsResponseData->responderId; - if ((signer = ocsp_find_signer_sk(certs, rid))) - { + + if ((signer = ocsp_find_signer_sk(certs, rid))) { *psigner = signer; return 2; - } - if(!(flags & OCSP_NOINTERN) && - (signer = ocsp_find_signer_sk(bs->certs, rid))) - { + } + if (!(flags & OCSP_NOINTERN) && + (signer = ocsp_find_signer_sk(bs->certs, rid))) { *psigner = signer; return 1; - } + } /* Maybe lookup from store if by subject name */ *psigner = NULL; return 0; - } - +} -static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) - { +static X509 * +ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) +{ int i; unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; X509 *x; 
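Review bot: In OCSP_basic_verify the verify error is read with `X509_STORE_CTX_get_error(&ctx)` only after `X509_STORE_CTX_cleanup(&ctx)` has run; whether cleanup preserves the error field is an implementation detail of X509_STORE_CTX not visible here, so the read should move up next to the verify call, `ret = X509_verify_cert(&ctx); i = X509_STORE_CTX_get_error(&ctx);`, before the chain is fetched and the context cleaned. On style, the new line `if(flags & OCSP_NOCHECKS) {`, the context line `if(flags & OCSP_NOCHAIN)` and `OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);` keep the old spacing the rest of the commit normalises. ocsp_find_signer_sk starts at the bottom of this hunk and continues in the next.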
@@ -199,123 +202,124 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) /* Lookup by key hash */ /* If key hash isn't SHA1 length then forget it */ - if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL; + if (id->value.byKey->length != SHA_DIGEST_LENGTH) + return NULL; keyhash = id->value.byKey->data; /* Calculate hash of each key and compare */ - for (i = 0; i < sk_X509_num(certs); i++) - { + for (i = 0; i < sk_X509_num(certs); i++) { x = sk_X509_value(certs, i); X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL); - if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)) + if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)) return x; - } - return NULL; } + return NULL; +} - -static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags) - { +static int +ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, + unsigned long flags) +{ STACK_OF(OCSP_SINGLERESP) *sresp; X509 *signer, *sca; OCSP_CERTID *caid = NULL; int i; + sresp = bs->tbsResponseData->responses; - if (sk_X509_num(chain) <= 0) - { - OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN); + if (sk_X509_num(chain) <= 0) { + OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, + OCSP_R_NO_CERTIFICATES_IN_CHAIN); return -1; - } + } /* See if the issuer IDs match. 
*/ i = ocsp_check_ids(sresp, &caid); /* If ID mismatch or other error then return */ - if (i <= 0) return i; + if (i <= 0) + return i; signer = sk_X509_value(chain, 0); /* Check to see if OCSP responder CA matches request CA */ - if (sk_X509_num(chain) > 1) - { + if (sk_X509_num(chain) > 1) { sca = sk_X509_value(chain, 1); i = ocsp_match_issuerid(sca, caid, sresp); - if (i < 0) return i; - if (i) - { + if (i < 0) + return i; + if (i) { /* We have a match, if extensions OK then success */ - if (ocsp_check_delegated(signer, flags)) return 1; + if (ocsp_check_delegated(signer, flags)) + return 1; return 0; - } } + } /* Otherwise check if OCSP request signed directly by request CA */ return ocsp_match_issuerid(signer, caid, sresp); - } - +} /* Check the issuer certificate IDs for equality. If there is a mismatch with the same * algorithm then there's no point trying to match any certificates against the issuer. * If the issuer IDs all match then we just need to check equality against one of them. 
*/ - -static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) - { +static int +ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) +{ OCSP_CERTID *tmpid, *cid; int i, idcount; idcount = sk_OCSP_SINGLERESP_num(sresp); - if (idcount <= 0) - { - OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); + if (idcount <= 0) { + OCSPerr(OCSP_F_OCSP_CHECK_IDS, + OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); return -1; - } + } cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; *ret = NULL; - for (i = 1; i < idcount; i++) - { + for (i = 1; i < idcount; i++) { tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; /* Check to see if IDs match */ - if (OCSP_id_issuer_cmp(cid, tmpid)) - { + if (OCSP_id_issuer_cmp(cid, tmpid)) { /* If algoritm mismatch let caller deal with it */ if (OBJ_cmp(tmpid->hashAlgorithm->algorithm, - cid->hashAlgorithm->algorithm)) - return 2; + cid->hashAlgorithm->algorithm)) + return 2; /* Else mismatch */ return 0; - } } + } /* All IDs match: only need to check one ID */ *ret = cid; return 1; - } +} - -static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, - STACK_OF(OCSP_SINGLERESP) *sresp) - { +static int +ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, + STACK_OF(OCSP_SINGLERESP) *sresp) +{ /* If only one ID to match then do it */ - if(cid) - { + if (cid) { const EVP_MD *dgst; X509_NAME *iname; int mdlen; unsigned char md[EVP_MAX_MD_SIZE]; - if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) - { - OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST); + + if (!(dgst = + EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) { + OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, + OCSP_R_UNKNOWN_MESSAGE_DIGEST); return -1; - } + } mdlen = EVP_MD_size(dgst); if (mdlen < 0) - return -1; - if ((cid->issuerNameHash->length != mdlen) || - (cid->issuerKeyHash->length != mdlen)) + return -1; + if (cid->issuerNameHash->length != mdlen || + cid->issuerKeyHash->length != mdlen) return 
0; iname = X509_get_subject_name(cert); if (!X509_NAME_digest(iname, dgst, md, NULL)) 
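Review bot: In ocsp_find_signer_sk the return value of `X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);` is ignored, so if the digest fails for a certificate in `certs` the following `memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)` compares the responder key hash against whatever happens to be in the uninitialised stack buffer; the loop should skip such entries, e.g. `if (!X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL)) continue;`. ocsp_find_signer_sk begins before this hunk and ocsp_match_issuerid continues past its end, so only the visible call is being flagged. While here, the `mdlen < 0` branch in ocsp_match_issuerid returns -1 without pushing an OCSPerr entry, unlike the unknown-digest branch just above it, which leaves callers with an error queue that does not explain the failure.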
@@ -327,124 +331,123 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, return 0; return 1; - - } - else - { + } else { /* We have to match the whole lot */ int i, ret; OCSP_CERTID *tmpid; - for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) - { + + for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; ret = ocsp_match_issuerid(cert, tmpid, NULL); - if (ret <= 0) return ret; - } - return 1; + if (ret <= 0) + return ret; } - + return 1; } +} -static int ocsp_check_delegated(X509 *x, int flags) - { +static int +ocsp_check_delegated(X509 *x, int flags) +{ X509_check_purpose(x, -1, 0); - if ((x->ex_flags & EXFLAG_XKUSAGE) && - (x->ex_xkusage & XKU_OCSP_SIGN)) + if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) return 1; OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); return 0; - } +} /* Verify an OCSP request. This is fortunately much easier than OCSP * response verify. Just find the signers certificate and verify it * against a given trust value. 
*/ - -int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags) - { +int +OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, + unsigned long flags) +{ X509 *signer; X509_NAME *nm; GENERAL_NAME *gen; int ret; X509_STORE_CTX ctx; - if (!req->optionalSignature) - { + + if (!req->optionalSignature) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); return 0; - } + } gen = req->tbsRequest->requestorName; - if (!gen || gen->type != GEN_DIRNAME) - { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); + if (!gen || gen->type != GEN_DIRNAME) { + OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, + OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); return 0; - } + } nm = gen->d.directoryName; ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags); - if (ret <= 0) - { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); + if (ret <= 0) { + OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, + OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); return 0; - } + } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; - if (!(flags & OCSP_NOSIGS)) - { + if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; + skey = X509_get_pubkey(signer); ret = OCSP_REQUEST_verify(req, skey); EVP_PKEY_free(skey); - if(ret <= 0) - { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE); + if (ret <= 0) { + OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, + OCSP_R_SIGNATURE_FAILURE); return 0; - } } - if (!(flags & OCSP_NOVERIFY)) - { + } + if (!(flags & OCSP_NOVERIFY)) { int init_res; - if(flags & OCSP_NOCHAIN) - init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL); + + if (flags & OCSP_NOCHAIN) + init_res = X509_STORE_CTX_init(&ctx, store, signer, + NULL); else init_res = X509_STORE_CTX_init(&ctx, store, signer, - req->optionalSignature->certs); - if(!init_res) - { + req->optionalSignature->certs); + if (!init_res) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB); return 0; - } + } 
X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST); ret = X509_verify_cert(&ctx); X509_STORE_CTX_cleanup(&ctx); - if (ret <= 0) - { + if (ret <= 0) { ret = X509_STORE_CTX_get_error(&ctx); - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR); + OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, + OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_asprintf_error_data("Verify error:%s", - X509_verify_cert_error_string(ret)); - return 0; - } + X509_verify_cert_error_string(ret)); + return 0; } + } return 1; - } +} -static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags) - { +static int +ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, + STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) +{ X509 *signer; - if(!(flags & OCSP_NOINTERN)) - { - signer = X509_find_by_subject(req->optionalSignature->certs, nm); + + if (!(flags & OCSP_NOINTERN)) { + signer = + X509_find_by_subject(req->optionalSignature->certs, nm); *psigner = signer; return 1; - } + } signer = X509_find_by_subject(certs, nm); - if (signer) - { + if (signer) { *psigner = signer; return 2; - } - return 0; } + return 0; +} |
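Review bot: ocsp_req_find_signer returns 1 with `*psigner` set to NULL when `OCSP_NOINTERN` is clear but `X509_find_by_subject(req->optionalSignature->certs, nm)` finds nothing, because the result is stored and returned without being tested; OCSP_request_verify then treats `ret == 1` as a found signer and passes the NULL pointer straight to `X509_get_pubkey(signer)` and `X509_STORE_CTX_init(&ctx, store, signer, ...)`. The internal lookup should only return on a hit and otherwise fall through to the caller-supplied `certs`, e.g. `if ((signer = X509_find_by_subject(req->optionalSignature->certs, nm)) != NULL) { *psigner = signer; return 1; }`, which also mirrors what ocsp_find_signer does for responses. Relatedly, the request path uses `skey` from `X509_get_pubkey(signer)` without the `if (skey)` guard the response path applies, so a signer certificate whose key cannot be decoded reaches OCSP_REQUEST_verify with a NULL key instead of failing with OCSP_R_SIGNATURE_FAILURE.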