-rw-r--r--lib/libssl/src/crypto/ocsp/ocsp.h357
-rw-r--r--lib/libssl/src/crypto/ocsp/ocsp_cl.c315
-rw-r--r--lib/libssl/src/crypto/ocsp/ocsp_ext.c655
-rw-r--r--lib/libssl/src/crypto/ocsp/ocsp_ht.c275
-rw-r--r--lib/libssl/src/crypto/ocsp/ocsp_lib.c170
-rw-r--r--lib/libssl/src/crypto/ocsp/ocsp_prn.c278
-rw-r--r--lib/libssl/src/crypto/ocsp/ocsp_srv.c199
-rw-r--r--lib/libssl/src/crypto/ocsp/ocsp_vfy.c357
8 files changed, 1332 insertions, 1274 deletions
diff --git a/lib/libssl/src/crypto/ocsp/ocsp.h b/lib/libssl/src/crypto/ocsp/ocsp.h
index 31e45744bac..9401f7db2f4 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp.h
+++ b/lib/libssl/src/crypto/ocsp/ocsp.h
@@ -96,13 +96,12 @@ extern "C" {
* issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
* serialNumber CertificateSerialNumber }
*/
-typedef struct ocsp_cert_id_st
- {
+typedef struct ocsp_cert_id_st {
X509_ALGOR *hashAlgorithm;
ASN1_OCTET_STRING *issuerNameHash;
ASN1_OCTET_STRING *issuerKeyHash;
ASN1_INTEGER *serialNumber;
- } OCSP_CERTID;
+} OCSP_CERTID;
DECLARE_STACK_OF(OCSP_CERTID)
@@ -110,11 +109,10 @@ DECLARE_STACK_OF(OCSP_CERTID)
* reqCert CertID,
* singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
*/
-typedef struct ocsp_one_request_st
- {
+typedef struct ocsp_one_request_st {
OCSP_CERTID *reqCert;
STACK_OF(X509_EXTENSION) *singleRequestExtensions;
- } OCSP_ONEREQ;
+} OCSP_ONEREQ;
DECLARE_STACK_OF(OCSP_ONEREQ)
DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
@@ -126,35 +124,32 @@ DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
* requestList SEQUENCE OF Request,
* requestExtensions [2] EXPLICIT Extensions OPTIONAL }
*/
-typedef struct ocsp_req_info_st
- {
+typedef struct ocsp_req_info_st {
ASN1_INTEGER *version;
GENERAL_NAME *requestorName;
STACK_OF(OCSP_ONEREQ) *requestList;
STACK_OF(X509_EXTENSION) *requestExtensions;
- } OCSP_REQINFO;
+} OCSP_REQINFO;
/* Signature ::= SEQUENCE {
* signatureAlgorithm AlgorithmIdentifier,
* signature BIT STRING,
* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
*/
-typedef struct ocsp_signature_st
- {
+typedef struct ocsp_signature_st {
X509_ALGOR *signatureAlgorithm;
ASN1_BIT_STRING *signature;
STACK_OF(X509) *certs;
- } OCSP_SIGNATURE;
+} OCSP_SIGNATURE;
/* OCSPRequest ::= SEQUENCE {
* tbsRequest TBSRequest,
* optionalSignature [0] EXPLICIT Signature OPTIONAL }
*/
-typedef struct ocsp_request_st
- {
+typedef struct ocsp_request_st {
OCSP_REQINFO *tbsRequest;
OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
- } OCSP_REQUEST;
+} OCSP_REQUEST;
/* OCSPResponseStatus ::= ENUMERATED {
* successful (0), --Response has valid confirmations
@@ -166,32 +161,30 @@ typedef struct ocsp_request_st
* unauthorized (6) --Request unauthorized
* }
*/
-#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
-#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
-#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
-#define OCSP_RESPONSE_STATUS_TRYLATER 3
-#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
-#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
+#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
+#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
+#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
+#define OCSP_RESPONSE_STATUS_TRYLATER 3
+#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
+#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
/* ResponseBytes ::= SEQUENCE {
* responseType OBJECT IDENTIFIER,
* response OCTET STRING }
*/
-typedef struct ocsp_resp_bytes_st
- {
+typedef struct ocsp_resp_bytes_st {
ASN1_OBJECT *responseType;
ASN1_OCTET_STRING *response;
- } OCSP_RESPBYTES;
+} OCSP_RESPBYTES;
/* OCSPResponse ::= SEQUENCE {
* responseStatus OCSPResponseStatus,
* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
*/
-struct ocsp_response_st
- {
+struct ocsp_response_st {
ASN1_ENUMERATED *responseStatus;
OCSP_RESPBYTES *responseBytes;
- };
+};
/* ResponderID ::= CHOICE {
* byName [1] Name,
@@ -199,14 +192,13 @@ struct ocsp_response_st
*/
#define V_OCSP_RESPID_NAME 0
#define V_OCSP_RESPID_KEY 1
-struct ocsp_responder_id_st
- {
+struct ocsp_responder_id_st {
int type;
- union {
+ union {
X509_NAME* byName;
- ASN1_OCTET_STRING *byKey;
- } value;
- };
+ ASN1_OCTET_STRING *byKey;
+ } value;
+};
DECLARE_STACK_OF(OCSP_RESPID)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
@@ -219,11 +211,10 @@ DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
* revocationTime GeneralizedTime,
* revocationReason [0] EXPLICIT CRLReason OPTIONAL }
*/
-typedef struct ocsp_revoked_info_st
- {
+typedef struct ocsp_revoked_info_st {
ASN1_GENERALIZEDTIME *revocationTime;
ASN1_ENUMERATED *revocationReason;
- } OCSP_REVOKEDINFO;
+} OCSP_REVOKEDINFO;
/* CertStatus ::= CHOICE {
* good [0] IMPLICIT NULL,
@@ -233,15 +224,14 @@ typedef struct ocsp_revoked_info_st
#define V_OCSP_CERTSTATUS_GOOD 0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2
-typedef struct ocsp_cert_status_st
- {
+typedef struct ocsp_cert_status_st {
int type;
- union {
+ union {
ASN1_NULL *good;
OCSP_REVOKEDINFO *revoked;
ASN1_NULL *unknown;
- } value;
- } OCSP_CERTSTATUS;
+ } value;
+} OCSP_CERTSTATUS;
/* SingleResponse ::= SEQUENCE {
* certID CertID,
@@ -250,14 +240,13 @@ typedef struct ocsp_cert_status_st
* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
* singleExtensions [1] EXPLICIT Extensions OPTIONAL }
*/
-typedef struct ocsp_single_response_st
- {
+typedef struct ocsp_single_response_st {
OCSP_CERTID *certId;
OCSP_CERTSTATUS *certStatus;
ASN1_GENERALIZEDTIME *thisUpdate;
ASN1_GENERALIZEDTIME *nextUpdate;
STACK_OF(X509_EXTENSION) *singleExtensions;
- } OCSP_SINGLERESP;
+} OCSP_SINGLERESP;
DECLARE_STACK_OF(OCSP_SINGLERESP)
DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
@@ -269,14 +258,13 @@ DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
* responses SEQUENCE OF SingleResponse,
* responseExtensions [1] EXPLICIT Extensions OPTIONAL }
*/
-typedef struct ocsp_response_data_st
- {
+typedef struct ocsp_response_data_st {
ASN1_INTEGER *version;
OCSP_RESPID *responderId;
ASN1_GENERALIZEDTIME *producedAt;
STACK_OF(OCSP_SINGLERESP) *responses;
STACK_OF(X509_EXTENSION) *responseExtensions;
- } OCSP_RESPDATA;
+} OCSP_RESPDATA;
/* BasicOCSPResponse ::= SEQUENCE {
* tbsResponseData ResponseData,
@@ -300,13 +288,12 @@ typedef struct ocsp_response_data_st
that it doesn't do the double hashing that the RFC seems to say one
should. Therefore, all relevant functions take a flag saying which
variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
-typedef struct ocsp_basic_response_st
- {
+typedef struct ocsp_basic_response_st {
OCSP_RESPDATA *tbsResponseData;
X509_ALGOR *signatureAlgorithm;
ASN1_BIT_STRING *signature;
STACK_OF(X509) *certs;
- } OCSP_BASICRESP;
+} OCSP_BASICRESP;
/*
* CRLReason ::= ENUMERATED {
@@ -319,164 +306,159 @@ typedef struct ocsp_basic_response_st
* certificateHold (6),
* removeFromCRL (8) }
*/
-#define OCSP_REVOKED_STATUS_NOSTATUS -1
-#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
-#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
-#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
-#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
-#define OCSP_REVOKED_STATUS_SUPERSEDED 4
-#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
-#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
-#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
+#define OCSP_REVOKED_STATUS_NOSTATUS -1
+#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
+#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
+#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
+#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
+#define OCSP_REVOKED_STATUS_SUPERSEDED 4
+#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
+#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
+#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
/* CrlID ::= SEQUENCE {
* crlUrl [0] EXPLICIT IA5String OPTIONAL,
* crlNum [1] EXPLICIT INTEGER OPTIONAL,
* crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
*/
-typedef struct ocsp_crl_id_st
- {
+typedef struct ocsp_crl_id_st {
ASN1_IA5STRING *crlUrl;
ASN1_INTEGER *crlNum;
ASN1_GENERALIZEDTIME *crlTime;
- } OCSP_CRLID;
+} OCSP_CRLID;
/* ServiceLocator ::= SEQUENCE {
* issuer Name,
* locator AuthorityInfoAccessSyntax OPTIONAL }
*/
-typedef struct ocsp_service_locator_st
- {
+typedef struct ocsp_service_locator_st {
X509_NAME* issuer;
STACK_OF(ACCESS_DESCRIPTION) *locator;
- } OCSP_SERVICELOC;
+} OCSP_SERVICELOC;
#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
-#define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
+#define d2i_OCSP_REQUEST_bio(bp,p) \
+ ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
-#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
+#define d2i_OCSP_RESPONSE_bio(bp,p) \
+ ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
-#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
- (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
+#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) \
+ (OCSP_REQUEST *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_REQUEST, \
+ PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
-#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
- (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
+#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) \
+ (OCSP_RESPONSE *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_RESPONSE, \
+ PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
#define PEM_write_bio_OCSP_REQUEST(bp,o) \
PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
+ bp,(char *)o, NULL,NULL,0,NULL,NULL)
#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
+ bp,(char *)o, NULL,NULL,0,NULL,NULL)
-#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
+#define i2d_OCSP_RESPONSE_bio(bp,o) \
+ ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
-#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
+#define i2d_OCSP_REQUEST_bio(bp,o) \
+ ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
#define OCSP_REQUEST_sign(o,pkey,md) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
- o->optionalSignature->signatureAlgorithm,NULL,\
- o->optionalSignature->signature,o->tbsRequest,pkey,md)
+ ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO), \
+ o->optionalSignature->signatureAlgorithm,NULL, \
+ o->optionalSignature->signature,o->tbsRequest,pkey,md)
#define OCSP_BASICRESP_sign(o,pkey,md,d) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
- o->signature,o->tbsResponseData,pkey,md)
+ ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL, \
+ o->signature,o->tbsResponseData,pkey,md)
-#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
- a->optionalSignature->signatureAlgorithm,\
+#define OCSP_REQUEST_verify(a,r) \
+ ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO), \
+ a->optionalSignature->signatureAlgorithm, \
a->optionalSignature->signature,a->tbsRequest,r)
-#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+#define OCSP_BASICRESP_verify(a,r,d) \
+ ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA), \
a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
#define ASN1_BIT_STRING_digest(data,type,md,len) \
- ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
+ ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
#define OCSP_CERTSTATUS_dup(cs)\
- (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
- (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
+ (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
+ (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
- int maxline);
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
- const char *name, const char *value);
+ int maxline);
+int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
+void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
+int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
+int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
+ const char *value);
OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
- X509_NAME *issuerName,
- ASN1_BIT_STRING* issuerKey,
- ASN1_INTEGER *serialNumber);
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
+ ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber);
OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
+int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
-int OCSP_request_sign(OCSP_REQUEST *req,
- X509 *signer,
- EVP_PKEY *key,
- const EVP_MD *dgst,
- STACK_OF(X509) *certs,
- unsigned long flags);
+int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
+ const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-int OCSP_response_status(OCSP_RESPONSE *resp);
+int OCSP_response_status(OCSP_RESPONSE *resp);
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
-int OCSP_resp_count(OCSP_BASICRESP *bs);
+int OCSP_resp_count(OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
- ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
- int *reason,
- ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
- ASN1_GENERALIZEDTIME *nextupd,
- long sec, long maxsec);
-
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
-
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
-
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-
-int OCSP_request_onereq_count(OCSP_REQUEST *req);
+int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
+int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+ ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
+ ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+ int *reason, ASN1_GENERALIZEDTIME **revtime,
+ ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+ ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
+ X509_STORE *store, unsigned long flags);
+
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
+ int *pssl);
+
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req);
OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash,
- ASN1_INTEGER **pserial, OCSP_CERTID *cid);
-int OCSP_request_is_signed(OCSP_REQUEST *req);
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+ ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial,
+ OCSP_CERTID *cid);
+int OCSP_request_is_signed(OCSP_REQUEST *req);
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
- OCSP_CERTID *cid,
- int status, int reason,
- ASN1_TIME *revtime,
- ASN1_TIME *thisupd, ASN1_TIME *nextupd);
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
-int OCSP_basic_sign(OCSP_BASICRESP *brsp,
- X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
- STACK_OF(X509) *certs, unsigned long flags);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid,
+ int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd,
+ ASN1_TIME *nextupd);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
+ const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
@@ -486,49 +468,60 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
+int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
+ int lastpos);
+int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit,
+ int lastpos);
X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
+int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value,
+ int crit, unsigned long flags);
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
+int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj,
+ int lastpos);
+int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
+int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+ unsigned long flags);
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
+int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
+ int lastpos);
+int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
+ int lastpos);
X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
+ int *idx);
+int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
+ int crit, unsigned long flags);
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
+int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid,
+ int lastpos);
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
+ int lastpos);
+int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
+ int lastpos);
X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
+ int *idx);
+int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
+ int crit, unsigned long flags);
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex,
+ int loc);
DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
@@ -550,11 +543,11 @@ const char *OCSP_response_status_str(long s);
const char *OCSP_cert_status_str(long s);
const char *OCSP_crl_reason_str(long s);
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
+int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
+int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
+int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+ X509_STORE *st, unsigned long flags);
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_cl.c b/lib/libssl/src/crypto/ocsp/ocsp_cl.c
index 9c14d9da273..716513d2f99 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_cl.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_cl.c
@@ -78,229 +78,241 @@
/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
* pointer: useful if we want to add extensions.
*/
-
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
- {
+OCSP_ONEREQ *
+OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
+{
OCSP_ONEREQ *one = NULL;
- if (!(one = OCSP_ONEREQ_new())) goto err;
- if (one->reqCert) OCSP_CERTID_free(one->reqCert);
+ if (!(one = OCSP_ONEREQ_new()))
+ goto err;
+ if (one->reqCert)
+ OCSP_CERTID_free(one->reqCert);
one->reqCert = cid;
- if (req &&
- !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
- goto err;
+ if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
+ goto err;
return one;
err:
OCSP_ONEREQ_free(one);
return NULL;
- }
+}
/* Set requestorName from an X509_NAME structure */
-
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
- {
+int
+OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+{
GENERAL_NAME *gen;
+
gen = GENERAL_NAME_new();
if (gen == NULL)
return 0;
- if (!X509_NAME_set(&gen->d.directoryName, nm))
- {
+ if (!X509_NAME_set(&gen->d.directoryName, nm)) {
GENERAL_NAME_free(gen);
return 0;
- }
+ }
gen->type = GEN_DIRNAME;
if (req->tbsRequest->requestorName)
GENERAL_NAME_free(req->tbsRequest->requestorName);
req->tbsRequest->requestorName = gen;
return 1;
- }
+}
-
/* Add a certificate to an OCSP request */
-
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
- {
+int
+OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
+{
OCSP_SIGNATURE *sig;
+
if (!req->optionalSignature)
req->optionalSignature = OCSP_SIGNATURE_new();
sig = req->optionalSignature;
- if (!sig) return 0;
- if (!cert) return 1;
+ if (!sig)
+ return 0;
+ if (!cert)
+ return 1;
if (!sig->certs && !(sig->certs = sk_X509_new_null()))
return 0;
- if(!sk_X509_push(sig->certs, cert)) return 0;
+ if(!sk_X509_push(sig->certs, cert))
+ return 0;
CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
return 1;
- }
+}
/* Sign an OCSP request set the requestorName to the subjec
* name of an optional signers certificate and include one
* or more optional certificates in the request. Behaves
* like PKCS7_sign().
*/
-
-int OCSP_request_sign(OCSP_REQUEST *req,
- X509 *signer,
- EVP_PKEY *key,
- const EVP_MD *dgst,
- STACK_OF(X509) *certs,
- unsigned long flags)
- {
+int
+OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
+ const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
+{
int i;
OCSP_SIGNATURE *sig;
X509 *x;
if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+ goto err;
+
+ if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
+ goto err;
+ if (key) {
+ if (!X509_check_private_key(signer, key)) {
+ OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
+ OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
-
- if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
- if (key)
- {
- if (!X509_check_private_key(signer, key))
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
- goto err;
- }
- if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
}
+ if (!OCSP_REQUEST_sign(req, key, dgst))
+ goto err;
+ }
- if (!(flags & OCSP_NOCERTS))
- {
- if(!OCSP_request_add1_cert(req, signer)) goto err;
- for (i = 0; i < sk_X509_num(certs); i++)
- {
+ if (!(flags & OCSP_NOCERTS)) {
+ if(!OCSP_request_add1_cert(req, signer))
+ goto err;
+ for (i = 0; i < sk_X509_num(certs); i++) {
x = sk_X509_value(certs, i);
- if (!OCSP_request_add1_cert(req, x)) goto err;
- }
+ if (!OCSP_request_add1_cert(req, x))
+ goto err;
}
+ }
return 1;
err:
OCSP_SIGNATURE_free(req->optionalSignature);
req->optionalSignature = NULL;
return 0;
- }
+}
/* Get response status */
-
-int OCSP_response_status(OCSP_RESPONSE *resp)
- {
+int
+OCSP_response_status(OCSP_RESPONSE *resp)
+{
return ASN1_ENUMERATED_get(resp->responseStatus);
- }
+}
/* Extract basic response from OCSP_RESPONSE or NULL if
* no basic response present.
*/
-
-
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
- {
+OCSP_BASICRESP *
+OCSP_response_get1_basic(OCSP_RESPONSE *resp)
+{
OCSP_RESPBYTES *rb;
+
rb = resp->responseBytes;
- if (!rb)
- {
- OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
+ if (!rb) {
+ OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
+ OCSP_R_NO_RESPONSE_DATA);
return NULL;
- }
- if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
- {
- OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
+ }
+ if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
+ OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
+ OCSP_R_NOT_BASIC_RESPONSE);
return NULL;
- }
+ }
return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
- }
+}
/* Return number of OCSP_SINGLERESP reponses present in
* a basic response.
*/
-
-int OCSP_resp_count(OCSP_BASICRESP *bs)
- {
- if (!bs) return -1;
+int
+OCSP_resp_count(OCSP_BASICRESP *bs)
+{
+ if (!bs)
+ return -1;
return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
- }
+}
/* Extract an OCSP_SINGLERESP response with a given index */
-
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
- {
- if (!bs) return NULL;
+OCSP_SINGLERESP *
+OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
+{
+ if (!bs)
+ return NULL;
return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
- }
+}
/* Look single response matching a given certificate ID */
-
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
- {
+int
+OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
+{
int i;
STACK_OF(OCSP_SINGLERESP) *sresp;
OCSP_SINGLERESP *single;
- if (!bs) return -1;
- if (last < 0) last = 0;
- else last++;
+
+ if (!bs)
+ return -1;
+ if (last < 0)
+ last = 0;
+ else
+ last++;
sresp = bs->tbsResponseData->responses;
- for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
- {
+ for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
single = sk_OCSP_SINGLERESP_value(sresp, i);
- if (!OCSP_id_cmp(id, single->certId)) return i;
- }
- return -1;
+ if (!OCSP_id_cmp(id, single->certId))
+ return i;
}
+ return -1;
+}
/* Extract status information from an OCSP_SINGLERESP structure.
* Note: the revtime and reason values are only set if the
* certificate status is revoked. Returns numerical value of
* status.
*/
-
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
- ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd)
- {
+int
+OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+ ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
+ ASN1_GENERALIZEDTIME **nextupd)
+{
int ret;
OCSP_CERTSTATUS *cst;
- if(!single) return -1;
+
+ if (!single)
+ return -1;
cst = single->certStatus;
ret = cst->type;
- if (ret == V_OCSP_CERTSTATUS_REVOKED)
- {
+ if (ret == V_OCSP_CERTSTATUS_REVOKED) {
OCSP_REVOKEDINFO *rev = cst->value.revoked;
- if (revtime) *revtime = rev->revocationTime;
- if (reason)
- {
- if(rev->revocationReason)
+
+ if (revtime)
+ *revtime = rev->revocationTime;
+ if (reason) {
+ if (rev->revocationReason)
*reason = ASN1_ENUMERATED_get(rev->revocationReason);
- else *reason = -1;
- }
+ else
+ *reason = -1;
}
- if(thisupd) *thisupd = single->thisUpdate;
- if(nextupd) *nextupd = single->nextUpdate;
- return ret;
}
+ if (thisupd)
+ *thisupd = single->thisUpdate;
+ if (nextupd)
+ *nextupd = single->nextUpdate;
+ return ret;
+}
/* This function combines the previous ones: look up a certificate ID and
* if found extract status information. Return 0 is successful.
*/
-
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
- int *reason,
- ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd)
- {
+int
+OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+ int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
+ ASN1_GENERALIZEDTIME **nextupd)
+{
int i;
OCSP_SINGLERESP *single;
+
i = OCSP_resp_find(bs, id, -1);
/* Maybe check for multiple responses and give an error? */
- if(i < 0) return 0;
+ if (i < 0)
+ return 0;
single = OCSP_resp_get0(bs, i);
i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
- if(status) *status = i;
+ if (status)
+ *status = i;
return 1;
- }
+}
/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
* take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
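Review bot: On the push-failure path in OCSP_request_add0_id (the `goto err` after the `sk_OCSP_ONEREQ_push` check), `OCSP_ONEREQ_free(one)` also frees `one->reqCert`, which at that point is the caller-supplied `cid`, so a caller that still holds `cid` after a failed call is left with a dangling pointer and a double free if it cleans up. Detaching the id before the free, `if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) { one->reqCert = NULL; goto err; }`, keeps ownership with the caller on failure, which is what the `add0` naming usually implies; if the intended contract is instead that `cid` is consumed even on failure, the header comment above the function should say so. Separately, `if(!sk_X509_push(sig->certs, cert))` in OCSP_request_add1_cert and `if(!OCSP_request_add1_cert(req, signer))` in OCSP_request_sign still lack the space after `if` that this KNF pass adds everywhere else in the hunk.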
@@ -308,64 +320,61 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
* Also to avoid accepting very old responses without a nextUpdate field an optional maxage
* parameter specifies the maximum age the thisUpdate field can be.
*/
-
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
- {
+int
+OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+ ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+{
int ret = 1;
time_t t_now, t_tmp;
+
time(&t_now);
/* Check thisUpdate is valid and not more than nsec in the future */
- if (!ASN1_GENERALIZEDTIME_check(thisupd))
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
+ if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
+ OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
+ OCSP_R_ERROR_IN_THISUPDATE_FIELD);
ret = 0;
- }
- else
- {
- t_tmp = t_now + nsec;
- if (X509_cmp_time(thisupd, &t_tmp) > 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
+ } else {
+ t_tmp = t_now + nsec;
+ if (X509_cmp_time(thisupd, &t_tmp) > 0) {
+ OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
+ OCSP_R_STATUS_NOT_YET_VALID);
ret = 0;
- }
+ }
/* If maxsec specified check thisUpdate is not more than maxsec in the past */
- if (maxsec >= 0)
- {
+ if (maxsec >= 0) {
t_tmp = t_now - maxsec;
- if (X509_cmp_time(thisupd, &t_tmp) < 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
+ if (X509_cmp_time(thisupd, &t_tmp) < 0) {
+ OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
+ OCSP_R_STATUS_TOO_OLD);
ret = 0;
- }
}
}
-
+ }
- if (!nextupd) return ret;
+ if (!nextupd)
+ return ret;
/* Check nextUpdate is valid and not more than nsec in the past */
- if (!ASN1_GENERALIZEDTIME_check(nextupd))
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
+ if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
+ OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
+ OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
ret = 0;
- }
- else
- {
+ } else {
t_tmp = t_now - nsec;
- if (X509_cmp_time(nextupd, &t_tmp) < 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
+ if (X509_cmp_time(nextupd, &t_tmp) < 0) {
+ OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
+ OCSP_R_STATUS_EXPIRED);
ret = 0;
- }
}
+ }
/* Also don't allow nextUpdate to precede thisUpdate */
- if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
+ if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
+ OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
+ OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
ret = 0;
- }
+ }
return ret;
- }
+}
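Review bot: The `ASN1_STRING_cmp(nextupd, thisupd) < 0` test near the end of OCSP_check_validity orders the two times by length first and then byte-wise, not chronologically, so it only expresses "nextUpdate precedes thisUpdate" while both fields use the same fixed-length `YYYYMMDDHHMMSSZ` encoding; a response that encodes one of them with a different length (fractional seconds, for instance) is ordered by length alone. Since this is the function's only comparison of the two fields against each other, that assumption deserves a comment at the check, e.g. `/* Byte-wise compare: a time ordering only while both use the fixed-length YYYYMMDDHHMMSSZ form */`. The `t_now + nsec` and `t_now - maxsec` arithmetic also trusts caller-supplied `long` values without an overflow guard, which is worth a one-line comment on the parameters.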
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_ext.c b/lib/libssl/src/crypto/ocsp/ocsp_ext.c
index 9c7832b3011..6ec8ca4adf6 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_ext.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_ext.c
@@ -73,238 +73,285 @@
/* OCSP request extensions */
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
- {
- return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
- }
-
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
- {
- return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
- }
-
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
- {
- return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
- }
-
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
- {
- return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
- }
-
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
- {
- return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
- }
-
-X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
- {
- return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
- }
-
-void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
- {
+int
+OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
+{
+ return X509v3_get_ext_count(x->tbsRequest->requestExtensions);
+}
+
+int
+OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
+{
+ return X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions, nid,
+ lastpos);
+}
+
+int
+OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
+{
+ return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj,
+ lastpos);
+}
+
+int
+OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
+{
+ return X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,
+ crit, lastpos);
+}
+
+X509_EXTENSION *
+OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+{
+ return X509v3_get_ext(x->tbsRequest->requestExtensions, loc);
+}
+
+X509_EXTENSION *
+OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
+{
+ return X509v3_delete_ext(x->tbsRequest->requestExtensions, loc);
+}
+
+void *
+OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
+{
return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
- }
-
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
- unsigned long flags)
- {
- return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
- }
-
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
- {
- return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
- }
+}
+
+int
+OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+ unsigned long flags)
+{
+ return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value,
+ crit, flags);
+}
+
+int
+OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+{
+ return X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex, loc) !=
+ NULL;
+}
/* Single extensions */
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
- {
- return(X509v3_get_ext_count(x->singleRequestExtensions));
- }
-
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
- {
- return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
- }
-
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
- {
- return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
- }
-
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
- {
- return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
- }
-
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
- {
- return(X509v3_get_ext(x->singleRequestExtensions,loc));
- }
-
-X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
- {
- return(X509v3_delete_ext(x->singleRequestExtensions,loc));
- }
+int
+OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
+{
+ return X509v3_get_ext_count(x->singleRequestExtensions);
+}
+
+int
+OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
+{
+ return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
+}
+
+int
+OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
+{
+ return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
+}
+
+int
+OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
+{
+ return X509v3_get_ext_by_critical(x->singleRequestExtensions, crit,
+ lastpos);
+}
+
+X509_EXTENSION *
+OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
+{
+ return X509v3_get_ext(x->singleRequestExtensions, loc);
+}
+
+X509_EXTENSION *
+OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
+{
+ return X509v3_delete_ext(x->singleRequestExtensions, loc);
+}
void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
- {
+{
return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
- }
-
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
- unsigned long flags)
- {
- return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
- }
-
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
- {
- return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
- }
+}
+
+int
+OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+ unsigned long flags)
+{
+ return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
+ flags);
+}
+
+int
+OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+{
+ return X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL;
+}
/* OCSP Basic response */
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
- {
- return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
- }
-
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
- {
- return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
- }
-
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
- {
- return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
- }
-
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
- {
- return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
- }
-
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
- {
- return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
- }
-
-X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
- {
- return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
- }
-
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
- {
- return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
- }
-
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
- unsigned long flags)
- {
- return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
- }
-
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
- {
- return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
- }
+int
+OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
+{
+ return X509v3_get_ext_count(x->tbsResponseData->responseExtensions);
+}
+
+int
+OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
+{
+ return X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,
+ nid ,lastpos);
+}
+
+int
+OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
+{
+ return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,
+ obj, lastpos);
+}
+
+int
+OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
+{
+ return X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,
+ crit, lastpos);
+}
+
+X509_EXTENSION *
+OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+{
+ return X509v3_get_ext(x->tbsResponseData->responseExtensions, loc);
+}
+
+X509_EXTENSION *
+OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
+{
+ return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc);
+}
+
+void *
+OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
+{
+ return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid,
+ crit, idx);
+}
+
+int
+OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+ unsigned long flags)
+{
+ return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid,
+ value, crit, flags);
+}
+
+int
+OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+{
+ return X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex,
+ loc) != NULL;
+}
/* OCSP single response extensions */
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
- {
- return(X509v3_get_ext_count(x->singleExtensions));
- }
-
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
- {
- return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
- }
-
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
- {
- return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
- }
-
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
- {
- return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
- }
-
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
- {
- return(X509v3_get_ext(x->singleExtensions,loc));
- }
-
-X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
- {
- return(X509v3_delete_ext(x->singleExtensions,loc));
- }
-
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
- {
+int
+OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
+{
+ return X509v3_get_ext_count(x->singleExtensions);
+}
+
+int
+OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
+{
+ return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
+}
+
+int
+OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
+ int lastpos)
+{
+ return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
+}
+
+int
+OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
+{
+ return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
+}
+
+X509_EXTENSION *
+OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
+{
+ return X509v3_get_ext(x->singleExtensions, loc);
+}
+
+X509_EXTENSION *
+OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
+{
+ return X509v3_delete_ext(x->singleExtensions, loc);
+}
+
+void *
+OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
+{
return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
- }
+}
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
- unsigned long flags)
- {
+int
+OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+ unsigned long flags)
+{
return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
- }
+}
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
- {
- return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
- }
+int
+OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
+{
+ return X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL;
+}
/* also CRL Entry Extensions */
#if 0
-ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
- void *data, STACK_OF(ASN1_OBJECT) *sk)
- {
+ASN1_STRING *
+ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, void *data,
+ STACK_OF(ASN1_OBJECT) *sk)
+{
int i;
unsigned char *p, *b = NULL;
- if (data)
- {
- if ((i=i2d(data,NULL)) <= 0) goto err;
- if (!(b=p=malloc((unsigned int)i)))
+ if (data) {
+ if ((i = i2d(data, NULL)) <= 0)
goto err;
- if (i2d(data, &p) <= 0) goto err;
- }
- else if (sk)
- {
- if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
- (I2D_OF(ASN1_OBJECT))i2d,
- V_ASN1_SEQUENCE,
- V_ASN1_UNIVERSAL,
- IS_SEQUENCE))<=0) goto err;
- if (!(b=p=malloc((unsigned int)i)))
+ if (!(b = p = malloc((unsigned int)i)))
+ goto err;
+ if (i2d(data, &p) <= 0)
+ goto err;
+ } else if (sk) {
+ if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
+ (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
+ IS_SEQUENCE)) <= 0)
+ goto err;
+ if (!(b = p = malloc((unsigned int)i)))
goto err;
if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,(I2D_OF(ASN1_OBJECT))i2d,
- V_ASN1_SEQUENCE,
- V_ASN1_UNIVERSAL,
- IS_SEQUENCE)<=0) goto err;
- }
- else
- {
- OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
+ V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0)
+ goto err;
+ } else {
+ OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA);
+ goto err;
+ }
+ if (!s && !(s = ASN1_STRING_new()))
+ goto err;
+ if (!(ASN1_STRING_set(s, b, i)))
goto err;
- }
- if (!s && !(s = ASN1_STRING_new())) goto err;
- if (!(ASN1_STRING_set(s, b, i))) goto err;
free(b);
return s;
err:
- if (b) free(b);
+ free(b);
return NULL;
- }
+}
#endif
/* Nonce handling functions */
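Review bot: The restyle is not applied uniformly in this hunk: OCSP_BASICRESP_get_ext_by_NID ends its argument list as `nid ,lastpos);` with the comma spacing inverted, and OCSP_ONEREQ_get1_ext_d2i keeps the old one-line `void *OCSP_ONEREQ_get1_ext_d2i(...)` prototype while every sibling was split into a `void *` line followed by the name. Suggested lines: `nid, lastpos);` and `void *` / `OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)`. The `#if 0` ASN1_STRING_encode block is dead code that was restyled anyway; if it is kept at all, its `malloc((unsigned int)i)` casts could go with the rest of the cleanup.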
@@ -315,16 +362,19 @@ err:
* nonce, previous versions used the raw nonce.
*/
-static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
- {
+static int
+ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
+{
unsigned char *tmpval;
ASN1_OCTET_STRING os;
int ret = 0;
- if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
+
+ if (len <= 0)
+ len = OCSP_DEFAULT_NONCE_LENGTH;
/* Create the OCTET STRING manually by writing out the header and
* appending the content octets. This avoids an extra memory allocation
* operation in some cases. Applications should *NOT* do this because
- * it relies on library internals.
+ * it relies on library internals.
*/
os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
os.data = malloc(os.length);
@@ -336,30 +386,29 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
memcpy(tmpval, val, len);
else
RAND_pseudo_bytes(tmpval, len);
- if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
- &os, 0, X509V3_ADD_REPLACE))
- goto err;
+ if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
+ X509V3_ADD_REPLACE))
+ goto err;
ret = 1;
- err:
- if (os.data)
- free(os.data);
+err:
+ free(os.data);
return ret;
- }
-
+}
/* Add nonce to an OCSP request */
-
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
- {
+int
+OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+{
return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
- }
+}
/* Same as above but for a response */
-
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
- {
- return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
- }
+int
+OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
+{
+ return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val,
+ len);
+}
/* Check nonce validity in a request and response.
* Return value reflects result:
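Review bot: The return value of `RAND_pseudo_bytes(tmpval, len)` is still ignored when no caller-supplied nonce is given, so a nonce is emitted even when the generator reports its output as not cryptographically strong (return 0) or fails outright (return -1); since the nonce is what binds a response to this request, a weak value quietly removes that replay protection. Either check the result or use the strong variant: `if (RAND_bytes(tmpval, len) <= 0) goto err;`. The enclosing function ocsp_add1_nonce starts outside this hunk.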
@@ -373,9 +422,9 @@ int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
* If responder doesn't handle nonces return != 0 may be
* necessary. return == 0 is always an error.
*/
-
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
- {
+int
+OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
+{
/*
* Since we are only interested in the presence or absence of
* the nonce and comparing its value there is no need to use
@@ -383,136 +432,160 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
* ASN1_OCTET_STRING structure for the value which would be
* freed immediately anyway.
*/
-
int req_idx, resp_idx;
X509_EXTENSION *req_ext, *resp_ext;
+
req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
/* Check both absent */
- if((req_idx < 0) && (resp_idx < 0))
+ if (req_idx < 0 && resp_idx < 0)
return 2;
/* Check in request only */
- if((req_idx >= 0) && (resp_idx < 0))
+ if (req_idx >= 0 && resp_idx < 0)
return -1;
/* Check in response but not request */
- if((req_idx < 0) && (resp_idx >= 0))
+ if (req_idx < 0 && resp_idx >= 0)
return 3;
/* Otherwise nonce in request and response so retrieve the extensions */
req_ext = OCSP_REQUEST_get_ext(req, req_idx);
resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
- if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
+ if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
return 0;
return 1;
- }
+}
/* Copy the nonce value (if any) from an OCSP request to
* a response.
*/
-
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
- {
+int
+OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
+{
X509_EXTENSION *req_ext;
int req_idx;
+
/* Check for nonce in request */
req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
/* If no nonce that's OK */
- if (req_idx < 0) return 2;
+ if (req_idx < 0)
+ return 2;
req_ext = OCSP_REQUEST_get_ext(req, req_idx);
return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
- }
+}
-X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
- {
+X509_EXTENSION *
+OCSP_crlID_new(char *url, long *n, char *tim)
+{
X509_EXTENSION *x = NULL;
OCSP_CRLID *cid = NULL;
- if (!(cid = OCSP_CRLID_new())) goto err;
- if (url)
- {
- if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
- if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
- }
- if (n)
- {
- if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
- if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
- }
- if (tim)
- {
- if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
+ if (!(cid = OCSP_CRLID_new()))
+ goto err;
+ if (url) {
+ if (!(cid->crlUrl = ASN1_IA5STRING_new()))
+ goto err;
+ if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
+ goto err;
+ }
+ if (n) {
+ if (!(cid->crlNum = ASN1_INTEGER_new()))
+ goto err;
+ if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
+ goto err;
+ }
+ if (tim) {
+ if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new()))
+ goto err;
if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
- goto err;
- }
+ goto err;
+ }
x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
err:
- if (cid) OCSP_CRLID_free(cid);
+ if (cid)
+ OCSP_CRLID_free(cid);
return x;
- }
+}
/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
-X509_EXTENSION *OCSP_accept_responses_new(char **oids)
- {
+X509_EXTENSION *
+OCSP_accept_responses_new(char **oids)
+{
int nid;
STACK_OF(ASN1_OBJECT) *sk = NULL;
ASN1_OBJECT *o = NULL;
- X509_EXTENSION *x = NULL;
+ X509_EXTENSION *x = NULL;
- if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
- while (oids && *oids)
- {
- if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid)))
- sk_ASN1_OBJECT_push(sk, o);
+ if (!(sk = sk_ASN1_OBJECT_new_null()))
+ goto err;
+ while (oids && *oids) {
+ if ((nid = OBJ_txt2nid(*oids)) != NID_undef &&
+ (o = OBJ_nid2obj(nid)))
+ sk_ASN1_OBJECT_push(sk, o);
oids++;
- }
+ }
x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
err:
- if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+ if (sk)
+ sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
return x;
- }
+}
/* ArchiveCutoff ::= GeneralizedTime */
-X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
- {
- X509_EXTENSION *x=NULL;
+X509_EXTENSION *
+OCSP_archive_cutoff_new(char* tim)
+{
+ X509_EXTENSION *x = NULL;
ASN1_GENERALIZEDTIME *gt = NULL;
- if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
- if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
+ if (!(gt = ASN1_GENERALIZEDTIME_new()))
+ goto err;
+ if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
+ goto err;
x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
err:
- if (gt) ASN1_GENERALIZEDTIME_free(gt);
+ if (gt)
+ ASN1_GENERALIZEDTIME_free(gt);
return x;
- }
+}
/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
* two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This
* method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
*/
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
- {
+X509_EXTENSION *
+OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
+{
X509_EXTENSION *x = NULL;
ASN1_IA5STRING *ia5 = NULL;
OCSP_SERVICELOC *sloc = NULL;
ACCESS_DESCRIPTION *ad = NULL;
- if (!(sloc = OCSP_SERVICELOC_new())) goto err;
- if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
- if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
- while (urls && *urls)
- {
- if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
- if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
- if (!(ad->location = GENERAL_NAME_new())) goto err;
- if (!(ia5 = ASN1_IA5STRING_new())) goto err;
- if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
+ if (!(sloc = OCSP_SERVICELOC_new()))
+ goto err;
+ if (!(sloc->issuer = X509_NAME_dup(issuer)))
+ goto err;
+ if (urls && *urls &&
+ !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null()))
+ goto err;
+ while (urls && *urls) {
+ if (!(ad = ACCESS_DESCRIPTION_new()))
+ goto err;
+ if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP)))
+ goto err;
+ if (!(ad->location = GENERAL_NAME_new()))
+ goto err;
+ if (!(ia5 = ASN1_IA5STRING_new()))
+ goto err;
+ if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1))
+ goto err;
ad->location->type = GEN_URI;
ad->location->d.ia5 = ia5;
- if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
+ if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
+ goto err;
urls++;
- }
+ }
x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
err:
- if (sloc) OCSP_SERVICELOC_free(sloc);
+ if (sloc)
+ OCSP_SERVICELOC_free(sloc);
return x;
- }
-
+}
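Review bot: OCSP_url_svcloc_new leaks on its error paths: after `ad = ACCESS_DESCRIPTION_new()` every `goto err` up to the `sk_ACCESS_DESCRIPTION_push` call abandons `ad` (and, once allocated, `ia5`), and a failed push abandons `ad` with `ia5` already attached, because the `err:` label only frees `sloc`. The fix is to hand ownership over explicitly (`ia5 = NULL` once it is attached to `ad->location`, `ad = NULL` once pushed) and free whatever is still owned at `err:`. OCSP_accept_responses_new in the same hunk also ignores the result of `sk_ASN1_OBJECT_push(sk, o)`, so an allocation failure there silently drops an OID from the extension.
```c
	while (urls && *urls) {
		/* … unchanged: allocate ad, ad->method, ad->location and ia5 … */
		ad->location->type = GEN_URI;
		ad->location->d.ia5 = ia5;
		ia5 = NULL;	/* now owned by ad->location */
		if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
			goto err;
		ad = NULL;	/* now owned by sloc->locator */
		urls++;
	}
	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
err:
	if (ia5)
		ASN1_IA5STRING_free(ia5);
	if (ad)
		ACCESS_DESCRIPTION_free(ad);
	if (sloc)
		OCSP_SERVICELOC_free(sloc);
	return x;
```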
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_ht.c b/lib/libssl/src/crypto/ocsp/ocsp_ht.c
index b45eaf6767a..fe4a7a1a72d 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_ht.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_ht.c
@@ -79,7 +79,7 @@ struct ocsp_req_ctx_st {
BIO *io; /* BIO to perform I/O with */
BIO *mem; /* Memory BIO response is built into */
unsigned long asn1_len; /* ASN1 length of response */
- };
+};
#define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
#define OCSP_MAX_LINE_LEN 4096;
@@ -108,54 +108,57 @@ struct ocsp_req_ctx_st {
static int parse_http_line1(char *line);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
- {
+void
+OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
+{
if (rctx->mem)
BIO_free(rctx->mem);
if (rctx->iobuf)
free(rctx->iobuf);
free(rctx);
- }
+}
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
- {
+int
+OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
+{
static const char req_hdr[] =
- "Content-Type: application/ocsp-request\r\n"
- "Content-Length: %d\r\n\r\n";
- if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0)
+ "Content-Type: application/ocsp-request\r\n"
+ "Content-Length: %d\r\n\r\n";
+
+ if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0)
return 0;
- if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
+ if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
return 0;
rctx->state = OHS_ASN1_WRITE;
rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
return 1;
- }
+}
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
- const char *name, const char *value)
- {
+int
+OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
+ const char *value)
+{
if (!name)
return 0;
if (BIO_puts(rctx->mem, name) <= 0)
return 0;
- if (value)
- {
+ if (value) {
if (BIO_write(rctx->mem, ": ", 2) != 2)
return 0;
if (BIO_puts(rctx->mem, value) <= 0)
return 0;
- }
+ }
if (BIO_write(rctx->mem, "\r\n", 2) != 2)
return 0;
return 1;
- }
+}
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
- int maxline)
- {
+OCSP_REQ_CTX *
+OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline)
+{
static const char post_hdr[] = "POST %s HTTP/1.0\r\n";
-
OCSP_REQ_CTX *rctx;
+
rctx = malloc(sizeof(OCSP_REQ_CTX));
rctx->state = OHS_ERROR;
rctx->mem = BIO_new(BIO_s_mem());
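Review bot: `rctx = malloc(sizeof(OCSP_REQ_CTX));` in OCSP_sendreq_new is dereferenced on the very next line (`rctx->state = OHS_ERROR;`) without a NULL check, so an allocation failure is a crash rather than an error return; add `if (rctx == NULL) return NULL;` directly after the malloc. The body of OCSP_sendreq_new continues past the end of this hunk, so I cannot see whether `rctx->mem` is checked either. Separately, the context line `#define OCSP_MAX_LINE_LEN 4096;` in this file's earlier hunk carries a stray trailing semicolon, which only works while the macro is the last token of a statement; dropping it would make the macro safe in expressions.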
@@ -174,7 +177,7 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
if (!path)
path = "/";
- if (BIO_printf(rctx->mem, post_hdr, path) <= 0) {
+ if (BIO_printf(rctx->mem, post_hdr, path) <= 0) {
free(rctx->iobuf);
BIO_free(rctx->mem);
free(rctx);
@@ -189,49 +192,44 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
}
return rctx;
- }
+}
/* Parse the HTTP response. This will look like this:
* "HTTP/1.0 200 OK". We need to obtain the numeric code and
* (optional) informational message.
*/
-
-static int parse_http_line1(char *line)
- {
+static int
+parse_http_line1(char *line)
+{
int retcode;
char *p, *q, *r;
- /* Skip to first white space (passed protocol info) */
- for(p = line; *p && !isspace((unsigned char)*p); p++)
+ /* Skip to first white space (passed protocol info) */
+ for (p = line; *p && !isspace((unsigned char)*p); p++)
continue;
- if(!*p)
- {
+ if (!*p) {
OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
- OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+ OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
return 0;
- }
+ }
/* Skip past white space to start of response code */
- while(*p && isspace((unsigned char)*p))
+ while (*p && isspace((unsigned char)*p))
p++;
-
- if(!*p)
- {
+ if (!*p) {
OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
- OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+ OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
return 0;
- }
+ }
/* Find end of response code: first whitespace after start of code */
- for(q = p; *q && !isspace((unsigned char)*q); q++)
+ for (q = p; *q && !isspace((unsigned char)*q); q++)
continue;
-
- if(!*q)
- {
+ if (!*q) {
OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
- OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+ OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
return 0;
- }
+ }
/* Set end of response code and start of message */
*q++ = 0;
@@ -239,94 +237,80 @@ static int parse_http_line1(char *line)
/* Attempt to parse numeric code */
retcode = strtoul(p, &r, 10);
- if(*r)
+ if (*r)
return 0;
/* Skip over any leading white space in message */
- while(*q && isspace((unsigned char)*q))
+ while (*q && isspace((unsigned char)*q))
q++;
-
- if(*q)
- {
+ if (*q) {
/* Finally zap any trailing white space in message (include
* CRLF) */
/* We know q has a non white space character so this is OK */
- for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
+ for (r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
*r = 0;
- }
- if(retcode != 200)
- {
+ }
+ if (retcode != 200) {
OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
- if(!*q)
+ if (!*q)
ERR_asprintf_error_data("Code=%s", p);
else
ERR_asprintf_error_data("Code=%s,Reason=%s", p, q);
return 0;
- }
-
+ }
return 1;
+}
- }
-
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
- {
+int
+OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
+{
int i, n;
const unsigned char *p;
- next_io:
- if (!(rctx->state & OHS_NOREAD))
- {
+
+next_io:
+ if (!(rctx->state & OHS_NOREAD)) {
n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
- if (n <= 0)
- {
+ if (n <= 0) {
if (BIO_should_retry(rctx->io))
return -1;
return 0;
- }
+ }
/* Write data to memory BIO */
-
if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
return 0;
- }
-
- switch(rctx->state)
- {
+ }
- case OHS_ASN1_WRITE:
+ switch (rctx->state) {
+ case OHS_ASN1_WRITE:
n = BIO_get_mem_data(rctx->mem, &p);
-
i = BIO_write(rctx->io,
p + (n - rctx->asn1_len), rctx->asn1_len);
-
- if (i <= 0)
- {
+ if (i <= 0) {
if (BIO_should_retry(rctx->io))
return -1;
rctx->state = OHS_ERROR;
return 0;
- }
+ }
rctx->asn1_len -= i;
-
if (rctx->asn1_len > 0)
goto next_io;
rctx->state = OHS_ASN1_FLUSH;
(void)BIO_reset(rctx->mem);
+ /* FALLTHROUGH */
- case OHS_ASN1_FLUSH:
-
+ case OHS_ASN1_FLUSH:
i = BIO_flush(rctx->io);
-
- if (i > 0)
- {
+ if (i > 0) {
rctx->state = OHS_FIRSTLINE;
goto next_io;
- }
+ }
if (BIO_should_retry(rctx->io))
return -1;
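Review bot: `retcode = strtoul(p, &r, 10);` stores an `unsigned long` into the `int retcode` declared in the previous hunk, a narrowing conversion that is harmless only because the value is compared against 200 and nothing else; declaring `unsigned long retcode;` removes the implicit truncation and keeps the `*r` full-consumption check meaningful for out-of-range input. OCSP_sendreq_nbio, also in this hunk, continues past its end.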
@@ -334,79 +318,62 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
rctx->state = OHS_ERROR;
return 0;
- case OHS_ERROR:
+ case OHS_ERROR:
return 0;
- case OHS_FIRSTLINE:
- case OHS_HEADERS:
-
+ case OHS_FIRSTLINE:
+ case OHS_HEADERS:
/* Attempt to read a line in */
-
- next_line:
+next_line:
/* Due to &%^*$" memory BIO behaviour with BIO_gets we
* have to check there's a complete line in there before
* calling BIO_gets or we'll just get a partial read.
*/
n = BIO_get_mem_data(rctx->mem, &p);
- if ((n <= 0) || !memchr(p, '\n', n))
- {
- if (n >= rctx->iobuflen)
- {
+ if ((n <= 0) || !memchr(p, '\n', n)) {
+ if (n >= rctx->iobuflen) {
rctx->state = OHS_ERROR;
return 0;
- }
- goto next_io;
}
+ goto next_io;
+ }
n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
-
- if (n <= 0)
- {
+ if (n <= 0) {
if (BIO_should_retry(rctx->mem))
goto next_io;
rctx->state = OHS_ERROR;
return 0;
- }
+ }
/* Don't allow excessive lines */
- if (n == rctx->iobuflen)
- {
+ if (n == rctx->iobuflen) {
rctx->state = OHS_ERROR;
return 0;
- }
+ }
/* First line */
- if (rctx->state == OHS_FIRSTLINE)
- {
- if (parse_http_line1((char *)rctx->iobuf))
- {
+ if (rctx->state == OHS_FIRSTLINE) {
+ if (parse_http_line1((char *)rctx->iobuf)) {
rctx->state = OHS_HEADERS;
goto next_line;
- }
- else
- {
+ } else {
rctx->state = OHS_ERROR;
return 0;
- }
}
- else
- {
+ } else {
/* Look for blank line: end of headers */
- for (p = rctx->iobuf; *p; p++)
- {
+ for (p = rctx->iobuf; *p; p++) {
if ((*p != '\r') && (*p != '\n'))
break;
- }
+ }
if (*p)
goto next_line;
rctx->state = OHS_ASN1_HEADER;
+ }
+ /* FALLTRHOUGH */
- }
-
- /* Fall thru */
-
-
- case OHS_ASN1_HEADER:
+ case OHS_ASN1_HEADER:
/* Now reading ASN1 header: can read at least 2 bytes which
* is enough for ASN1 SEQUENCE header and either length field
* or at least the length of the length field.
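Review bot: The new annotation `/* FALLTRHOUGH */` before `case OHS_ASN1_HEADER:` is misspelled, so tools that look for the literal `FALLTHROUGH` marker (lint and compilers' implicit-fallthrough checks) will not recognise it and the fall-through into the ASN1 header state stays effectively unmarked; it should read `/* FALLTHROUGH */` like the other two annotations in this function. OCSP_sendreq_nbio starts and ends outside this hunk.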
@@ -416,15 +383,13 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
goto next_io;
/* Check it is an ASN1 SEQUENCE */
- if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED))
- {
+ if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
rctx->state = OHS_ERROR;
return 0;
- }
+ }
/* Check out length field */
- if (*p & 0x80)
- {
+ if (*p & 0x80) {
/* If MSB set on initial length octet we can now
* always read 6 octets: make sure we have them.
*/
@@ -432,78 +397,64 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
goto next_io;
n = *p & 0x7F;
/* Not NDEF or excessive length */
- if (!n || (n > 4))
- {
+ if (!n || (n > 4)) {
rctx->state = OHS_ERROR;
return 0;
- }
+ }
p++;
rctx->asn1_len = 0;
- for (i = 0; i < n; i++)
- {
+ for (i = 0; i < n; i++) {
rctx->asn1_len <<= 8;
rctx->asn1_len |= *p++;
- }
+ }
- if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH)
- {
+ if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) {
rctx->state = OHS_ERROR;
return 0;
- }
+ }
rctx->asn1_len += n + 2;
- }
- else
+ } else
rctx->asn1_len = *p + 2;
rctx->state = OHS_ASN1_CONTENT;
- /* Fall thru */
+ /* FALLTHROUGH */
- case OHS_ASN1_CONTENT:
+ case OHS_ASN1_CONTENT:
n = BIO_get_mem_data(rctx->mem, &p);
if (n < (int)rctx->asn1_len)
goto next_io;
-
*presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
- if (*presp)
- {
+ if (*presp) {
rctx->state = OHS_DONE;
return 1;
- }
+ }
rctx->state = OHS_ERROR;
return 0;
- break;
-
- case OHS_DONE:
+ case OHS_DONE:
return 1;
-
- }
-
-
+ }
return 0;
-
-
- }
+}
/* Blocking OCSP request handler: now a special case of non-blocking I/O */
-
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
- {
+OCSP_RESPONSE *
+OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+{
OCSP_RESPONSE *resp = NULL;
OCSP_REQ_CTX *ctx;
int rv;
ctx = OCSP_sendreq_new(b, path, req, -1);
- do
- {
+ do {
rv = OCSP_sendreq_nbio(&resp, ctx);
- } while ((rv == -1) && BIO_should_retry(b));
+ } while ((rv == -1) && BIO_should_retry(b));
OCSP_REQ_CTX_free(ctx);
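Review bot: OCSP_sendreq_bio hands the result of `ctx = OCSP_sendreq_new(b, path, req, -1);` straight to `OCSP_sendreq_nbio(&resp, ctx)` with no NULL check, and the hunks of OCSP_sendreq_nbio shown here dereference `rctx` unconditionally (`rctx->state = OHS_ERROR`, `rctx->mem`), so an allocation or BIO failure in the constructor becomes a NULL dereference instead of a NULL return. Add `if (ctx == NULL) return NULL;` directly after the OCSP_sendreq_new call. The tail of OCSP_sendreq_bio (the `rv` test and the returns) lies outside this hunk.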
@@ -511,4 +462,4 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
return resp;
return NULL;
- }
+}
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_lib.c b/lib/libssl/src/crypto/ocsp/ocsp_lib.c
index 514cdabf2d6..056bd276650 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_lib.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_lib.c
@@ -73,102 +73,112 @@
/* Convert a certificate and its issuer to an OCSP_CERTID */
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
+OCSP_CERTID *
+OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
{
X509_NAME *iname;
ASN1_INTEGER *serial;
ASN1_BIT_STRING *ikey;
+
#ifndef OPENSSL_NO_SHA1
- if(!dgst) dgst = EVP_sha1();
+ if (!dgst)
+ dgst = EVP_sha1();
#endif
- if (subject)
- {
+ if (subject) {
iname = X509_get_issuer_name(subject);
serial = X509_get_serialNumber(subject);
- }
- else
- {
+ } else {
iname = X509_get_subject_name(issuer);
serial = NULL;
- }
+ }
ikey = X509_get0_pubkey_bitstr(issuer);
return OCSP_cert_id_new(dgst, iname, ikey, serial);
}
-
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
- X509_NAME *issuerName,
- ASN1_BIT_STRING* issuerKey,
- ASN1_INTEGER *serialNumber)
- {
+OCSP_CERTID *
+OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
+ ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber)
+{
int nid;
- unsigned int i;
+ unsigned int i;
X509_ALGOR *alg;
OCSP_CERTID *cid = NULL;
unsigned char md[EVP_MAX_MD_SIZE];
- if (!(cid = OCSP_CERTID_new())) goto err;
+ if (!(cid = OCSP_CERTID_new()))
+ goto err;
alg = cid->hashAlgorithm;
- if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
- if ((nid = EVP_MD_type(dgst)) == NID_undef)
- {
- OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
+ if (alg->algorithm != NULL)
+ ASN1_OBJECT_free(alg->algorithm);
+ if ((nid = EVP_MD_type(dgst)) == NID_undef) {
+ OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID);
+ goto err;
+ }
+ if (!(alg->algorithm=OBJ_nid2obj(nid)))
+ goto err;
+ if ((alg->parameter=ASN1_TYPE_new()) == NULL)
goto err;
- }
- if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
- if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
alg->parameter->type=V_ASN1_NULL;
- if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
- if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
+ if (!X509_NAME_digest(issuerName, dgst, md, &i))
+ goto digerr;
+ if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
+ goto err;
/* Calculate the issuerKey hash, excluding tag and length */
if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
goto err;
- if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
+ if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
+ goto err;
- if (serialNumber)
- {
+ if (serialNumber) {
ASN1_INTEGER_free(cid->serialNumber);
- if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
- }
+ if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
+ goto err;
+ }
return cid;
digerr:
- OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
+ OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR);
err:
- if (cid) OCSP_CERTID_free(cid);
+ if (cid)
+ OCSP_CERTID_free(cid);
return NULL;
- }
+}
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
- {
+int
+OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+{
int ret;
+
ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
- if (ret) return ret;
+ if (ret)
+ return ret;
ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
- if (ret) return ret;
+ if (ret)
+ return ret;
return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
- }
+}
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
- {
+int
+OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+{
int ret;
+
ret = OCSP_id_issuer_cmp(a, b);
- if (ret) return ret;
+ if (ret)
+ return ret;
return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
- }
-
+}
/* Parse a URL and split it up into host, port and path components and whether
* it is SSL.
*/
-
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
- {
+int
+OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
+{
char *p, *buf;
-
char *host, *port;
*phost = NULL;
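Review bot: OCSP_cert_to_id substitutes a default digest only inside `#ifndef OPENSSL_NO_SHA1`, so in a build with SHA1 disabled a NULL `dgst` is forwarded to OCSP_cert_id_new, which calls `EVP_MD_type(dgst)` without checking it. A guard at the top of OCSP_cert_id_new, `if (dgst == NULL) { OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID); goto err; }` (cid is still NULL there, so the existing `err:` path is safe), or an `#else` branch in OCSP_cert_to_id that fails cleanly, would make the contract explicit. OCSP_cert_id_new also has no header comment; one stating that the returned OCSP_CERTID is owned by the caller and released with OCSP_CERTID_free, and that `serialNumber` may be NULL (OCSP_cert_to_id relies on that), would help. OCSP_parse_url starts at the end of this hunk and continues beyond it.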
@@ -177,26 +187,23 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
/* dup the buffer since we are going to mess with it */
buf = BUF_strdup(url);
- if (!buf) goto mem_err;
+ if (!buf)
+ goto mem_err;
/* Check for initial colon */
p = strchr(buf, ':');
-
- if (!p) goto parse_err;
+ if (!p)
+ goto parse_err;
*(p++) = '\0';
- if (!strcmp(buf, "http"))
- {
+ if (!strcmp(buf, "http")) {
*pssl = 0;
port = "80";
- }
- else if (!strcmp(buf, "https"))
- {
+ } else if (!strcmp(buf, "https")) {
*pssl = 1;
port = "443";
- }
- else
+ } else
goto parse_err;
/* Check for double slash */
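Review bot: The scheme test `if (!strcmp(buf, "http")) {` / `} else if (!strcmp(buf, "https")) {` is case-sensitive, so a URL whose scheme is written in upper case (as URI schemes may be, RFC 3986 §3.1) is reported as a parse error rather than dispatched. Using `strcasecmp` in both comparisons keeps the same two branches and default ports while accepting those inputs. OCSP_parse_url begins before this hunk and continues after it.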
@@ -208,59 +215,56 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
host = p;
/* Check for trailing part of path */
-
p = strchr(p, '/');
-
if (!p)
*ppath = BUF_strdup("/");
- else
- {
+ else {
*ppath = BUF_strdup(p);
/* Set start of path to 0 so hostname is valid */
*p = '\0';
- }
+ }
- if (!*ppath) goto mem_err;
+ if (!*ppath)
+ goto mem_err;
/* Look for optional ':' for port number */
- if ((p = strchr(host, ':')))
- {
+ if ((p = strchr(host, ':'))) {
*p = 0;
port = p + 1;
- }
- else
- {
+ } else {
/* Not found: set default port */
- if (*pssl) port = "443";
- else port = "80";
- }
+ if (*pssl)
+ port = "443";
+ else
+ port = "80";
+ }
*pport = BUF_strdup(port);
- if (!*pport) goto mem_err;
+ if (!*pport)
+ goto mem_err;
*phost = BUF_strdup(host);
- if (!*phost) goto mem_err;
+ if (!*phost)
+ goto mem_err;
free(buf);
return 1;
- mem_err:
+mem_err:
OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
goto err;
- parse_err:
+parse_err:
OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
-
- err:
- if (buf) free(buf);
- if (*ppath) free(*ppath);
- if (*pport) free(*pport);
- if (*phost) free(*phost);
+err:
+ free(buf);
+ free(*ppath);
+ free(*pport);
+ free(*phost);
return 0;
-
- }
+}
IMPLEMENT_ASN1_DUP_FUNCTION(OCSP_CERTID)
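Review bot: On the `err:` path OCSP_parse_url now frees `*ppath`, `*pport` and `*phost` unconditionally but leaves the caller's variables holding the freed addresses, so a caller that frees or inspects its outputs after a 0 return would operate on dangling pointers. Resetting them after the frees, `*ppath = *pport = *phost = NULL;`, makes the failure state match the NULL state the function established on entry. Separately, the port split `if ((p = strchr(host, ':'))) {` takes the first colon, so a bracketed IPv6 literal as host would be cut inside the address; if such URLs are expected the split should use the last colon after any `]`. This hunk holds the end of OCSP_parse_url; its start is in the earlier hunks.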
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_prn.c b/lib/libssl/src/crypto/ocsp/ocsp_prn.c
index 87608ff399b..9e4b81f0610 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_prn.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_prn.c
@@ -66,8 +66,9 @@
#include <openssl/ocsp.h>
#include <openssl/pem.h>
-static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
- {
+static int
+ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
+{
BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
indent += 2;
BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
@@ -80,60 +81,68 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
i2a_ASN1_INTEGER(bp, a->serialNumber);
BIO_printf(bp, "\n");
return 1;
- }
+}
-typedef struct
- {
+typedef struct {
long t;
const char *m;
- } OCSP_TBLSTR;
+} OCSP_TBLSTR;
-static const char *table2string(long s, const OCSP_TBLSTR *ts, int len)
+static const char *
+table2string(long s, const OCSP_TBLSTR *ts, int len)
{
const OCSP_TBLSTR *p;
+
for (p=ts; p < ts + len; p++)
- if (p->t == s)
- return p->m;
+ if (p->t == s)
+ return p->m;
return "(UNKNOWN)";
}
-const char *OCSP_response_status_str(long s)
- {
+const char *
+OCSP_response_status_str(long s)
+{
static const OCSP_TBLSTR rstat_tbl[] = {
- { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
- { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
- { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
- { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
- { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
- { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
+ { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
+ { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
+ { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
+ { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
+ { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
+ { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" }
+ };
return table2string(s, rstat_tbl, 6);
- }
+}
-const char *OCSP_cert_status_str(long s)
- {
+const char *
+OCSP_cert_status_str(long s)
+{
static const OCSP_TBLSTR cstat_tbl[] = {
- { V_OCSP_CERTSTATUS_GOOD, "good" },
- { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
- { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
+ { V_OCSP_CERTSTATUS_GOOD, "good" },
+ { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
+ { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" }
+ };
return table2string(s, cstat_tbl, 3);
- }
+}
-const char *OCSP_crl_reason_str(long s)
- {
+const char *
+OCSP_crl_reason_str(long s)
+{
static const OCSP_TBLSTR reason_tbl[] = {
- { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
- { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
- { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
- { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
- { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
- { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
- { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
- { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
+ { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
+ { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
+ { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
+ { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
+ { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
+ { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
+ { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
+ { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" }
+ };
return table2string(s, reason_tbl, 8);
- }
+}
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
- {
+int
+OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
+{
int i;
long l;
OCSP_CERTID* cid = NULL;
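Review bot: The three string tables are passed to table2string with hand-counted lengths, `table2string(s, rstat_tbl, 6)`, `table2string(s, cstat_tbl, 3)` and `table2string(s, reason_tbl, 8)`, so adding an entry without updating the count silently drops the last mapping, and a count raised too far reads past the array. Deriving the length from the array itself at each of the three call sites, e.g. `return table2string(s, rstat_tbl, sizeof(rstat_tbl) / sizeof(rstat_tbl[0]));`, removes that coupling. While here: ocsp_certid_print ignores every BIO_printf result and returns 1 unconditionally, so the `if (ocsp_certid_print(bp, cid, 4) <= 0)` test in OCSP_RESPONSE_print can never fire; either propagate the write failures or document the return as always 1. ocsp_certid_print's signature is in the previous hunk and OCSP_REQUEST_print continues into the next one.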
@@ -141,45 +150,45 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
OCSP_REQINFO *inf = o->tbsRequest;
OCSP_SIGNATURE *sig = o->optionalSignature;
- if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
- l=ASN1_INTEGER_get(inf->version);
- if (BIO_printf(bp," Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
- if (inf->requestorName != NULL)
- {
+ if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0)
+ goto err;
+ l = ASN1_INTEGER_get(inf->version);
+ if (BIO_printf(bp," Version: %lu (0x%lx)",l+1,l) <= 0)
+ goto err;
+ if (inf->requestorName != NULL) {
if (BIO_write(bp,"\n Requestor Name: ",21) <= 0)
- goto err;
+ goto err;
GENERAL_NAME_print(bp, inf->requestorName);
- }
- if (BIO_write(bp,"\n Requestor List:\n",21) <= 0) goto err;
- for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
- {
+ }
+ if (BIO_write(bp,"\n Requestor List:\n",21) <= 0)
+ goto err;
+ for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) {
one = sk_OCSP_ONEREQ_value(inf->requestList, i);
cid = one->reqCert;
ocsp_certid_print(bp, cid, 8);
- if (!X509V3_extensions_print(bp,
- "Request Single Extensions",
- one->singleRequestExtensions, flags, 8))
- goto err;
- }
+ if (!X509V3_extensions_print(bp, "Request Single Extensions",
+ one->singleRequestExtensions, flags, 8))
+ goto err;
+ }
if (!X509V3_extensions_print(bp, "Request Extensions",
- inf->requestExtensions, flags, 4))
- goto err;
- if (sig)
- {
- X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
- for (i=0; i<sk_X509_num(sig->certs); i++)
- {
+ inf->requestExtensions, flags, 4))
+ goto err;
+ if (sig) {
+ X509_signature_print(bp, sig->signatureAlgorithm,
+ sig->signature);
+ for (i=0; i<sk_X509_num(sig->certs); i++) {
X509_print(bp, sk_X509_value(sig->certs,i));
PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
- }
}
+ }
return 1;
err:
return 0;
- }
+}
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
- {
+int
+OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
+{
int i, ret = 0;
long l;
OCSP_CERTID *cid = NULL;
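Review bot: In OCSP_REQUEST_print the BIO_write/BIO_printf results go to `err`, but the results of `GENERAL_NAME_print`, `X509_signature_print`, `X509_print` and `PEM_write_bio_X509` are dropped, so a write failure in the middle of the dump still returns 1 as if the output were complete; the `X509_print`/`PEM_write_bio_X509` loop at the end of OCSP_RESPONSE_print in the next hunk has the same gap. Bringing them in line, e.g. `if (!GENERAL_NAME_print(bp, inf->requestorName)) goto err;`, keeps the 0/1 contract meaningful. Also the `" Version: %lu (0x%lx)"` format receives `l+1` and `l`, both `long`, for the `%lu` conversion; `(unsigned long)(l + 1)` matches the specifier, and OCSP_RESPONSE_print's Version line has the same mismatch. OCSP_REQUEST_print's signature is in the previous hunk.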
@@ -191,100 +200,107 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
OCSP_SINGLERESP *single = NULL;
OCSP_RESPBYTES *rb = o->responseBytes;
- if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
- l=ASN1_ENUMERATED_get(o->responseStatus);
+ if (BIO_puts(bp,"OCSP Response Data:\n") <= 0)
+ goto err;
+ l = ASN1_ENUMERATED_get(o->responseStatus);
if (BIO_printf(bp," OCSP Response Status: %s (0x%lx)\n",
- OCSP_response_status_str(l), l) <= 0) goto err;
- if (rb == NULL) return 1;
- if (BIO_puts(bp," Response Type: ") <= 0)
- goto err;
+ OCSP_response_status_str(l), l) <= 0)
+ goto err;
+ if (rb == NULL)
+ return 1;
+ if (BIO_puts(bp," Response Type: ") <= 0)
+ goto err;
if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
- goto err;
- if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
- {
+ goto err;
+ if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
BIO_puts(bp," (unknown response type)\n");
return 1;
- }
+ }
i = ASN1_STRING_length(rb->response);
- if (!(br = OCSP_response_get1_basic(o))) goto err;
+ if (!(br = OCSP_response_get1_basic(o)))
+ goto err;
rd = br->tbsResponseData;
- l=ASN1_INTEGER_get(rd->version);
- if (BIO_printf(bp,"\n Version: %lu (0x%lx)\n",
- l+1,l) <= 0) goto err;
- if (BIO_puts(bp," Responder Id: ") <= 0) goto err;
+ l = ASN1_INTEGER_get(rd->version);
+ if (BIO_printf(bp,"\n Version: %lu (0x%lx)\n", l+1,l) <= 0)
+ goto err;
+ if (BIO_puts(bp," Responder Id: ") <= 0)
+ goto err;
rid = rd->responderId;
- switch (rid->type)
- {
- case V_OCSP_RESPID_NAME:
- X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
- break;
- case V_OCSP_RESPID_KEY:
- i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
- break;
- }
+ switch (rid->type) {
+ case V_OCSP_RESPID_NAME:
+ X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
+ break;
+ case V_OCSP_RESPID_KEY:
+ i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
+ break;
+ }
- if (BIO_printf(bp,"\n Produced At: ")<=0) goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
- if (BIO_printf(bp,"\n Responses:\n") <= 0) goto err;
- for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
- {
- if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
+ if (BIO_printf(bp,"\n Produced At: ")<=0)
+ goto err;
+ if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt))
+ goto err;
+ if (BIO_printf(bp,"\n Responses:\n") <= 0)
+ goto err;
+ for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
+ if (! sk_OCSP_SINGLERESP_value(rd->responses, i))
+ continue;
single = sk_OCSP_SINGLERESP_value(rd->responses, i);
cid = single->certId;
- if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
+ if (ocsp_certid_print(bp, cid, 4) <= 0)
+ goto err;
cst = single->certStatus;
if (BIO_printf(bp," Cert Status: %s",
- OCSP_cert_status_str(cst->type)) <= 0)
- goto err;
- if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
- {
- rev = cst->value.revoked;
+ OCSP_cert_status_str(cst->type)) <= 0)
+ goto err;
+ if (cst->type == V_OCSP_CERTSTATUS_REVOKED) {
+ rev = cst->value.revoked;
if (BIO_printf(bp, "\n Revocation Time: ") <= 0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp,
- rev->revocationTime))
goto err;
- if (rev->revocationReason)
- {
- l=ASN1_ENUMERATED_get(rev->revocationReason);
- if (BIO_printf(bp,
- "\n Revocation Reason: %s (0x%lx)",
- OCSP_crl_reason_str(l), l) <= 0)
- goto err;
- }
+ if (!ASN1_GENERALIZEDTIME_print(bp,
+ rev->revocationTime))
+ goto err;
+ if (rev->revocationReason) {
+ l = ASN1_ENUMERATED_get(rev->revocationReason);
+ if (BIO_printf(bp,
+ "\n Revocation Reason: %s (0x%lx)",
+ OCSP_crl_reason_str(l), l) <= 0)
+ goto err;
}
- if (BIO_printf(bp,"\n This Update: ") <= 0) goto err;
+ }
+ if (BIO_printf(bp,"\n This Update: ") <= 0)
+ goto err;
if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate))
goto err;
- if (single->nextUpdate)
- {
- if (BIO_printf(bp,"\n Next Update: ") <= 0)goto err;
+ if (single->nextUpdate) {
+ if (BIO_printf(bp,"\n Next Update: ") <= 0)
+ goto err;
if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
goto err;
- }
- if (BIO_write(bp,"\n",1) <= 0) goto err;
- if (!X509V3_extensions_print(bp,
- "Response Single Extensions",
- single->singleExtensions, flags, 8))
- goto err;
- if (BIO_write(bp,"\n",1) <= 0) goto err;
}
+ if (BIO_write(bp,"\n",1) <= 0)
+ goto err;
+ if (!X509V3_extensions_print(bp, "Response Single Extensions",
+ single->singleExtensions, flags, 8))
+ goto err;
+ if (BIO_write(bp,"\n",1) <= 0)
+ goto err;
+ }
if (!X509V3_extensions_print(bp, "Response Extensions",
- rd->responseExtensions, flags, 4))
- goto err;
- if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
- goto err;
+ rd->responseExtensions, flags, 4))
+ goto err;
+ if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <=
+ 0)
+ goto err;
- for (i=0; i<sk_X509_num(br->certs); i++)
- {
- X509_print(bp, sk_X509_value(br->certs,i));
- PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
- }
+ for (i = 0; i < sk_X509_num(br->certs); i++) {
+ X509_print(bp, sk_X509_value(br->certs, i));
+ PEM_write_bio_X509(bp,sk_X509_value(br->certs, i));
+ }
ret = 1;
err:
OCSP_BASICRESP_free(br);
return ret;
- }
+}
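Review bot: The responder-id `switch (rid->type) {` has no `default:` arm, so a responder id of an unexpected type prints nothing after `" Responder Id: "` and the dump continues as though it were handled; a `default: BIO_puts(bp, "(unknown)"); break;` arm (or a `goto err`) makes the omission visible. The assignment `i = ASN1_STRING_length(rb->response);` is never read before `i` is reused as the loop index, so it is dead and can be dropped. The responses loop also looks up each element twice (`sk_OCSP_SINGLERESP_value` in the `continue` test and again on the next line); assigning `single` first and testing it is simpler. OCSP_RESPONSE_print's declarations are in the previous hunk.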
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/lib/libssl/src/crypto/ocsp/ocsp_srv.c
index 1c606dd0b61..c14e8e2bc35 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_srv.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_srv.c
@@ -69,107 +69,118 @@
* relevant information from the request.
*/
-int OCSP_request_onereq_count(OCSP_REQUEST *req)
- {
+int
+OCSP_request_onereq_count(OCSP_REQUEST *req)
+{
return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
- }
+}
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
- {
+OCSP_ONEREQ *
+OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+{
return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
- }
+}
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
- {
+OCSP_CERTID *
+OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+{
return one->reqCert;
- }
+}
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash,
- ASN1_INTEGER **pserial, OCSP_CERTID *cid)
- {
- if (!cid) return 0;
- if (pmd) *pmd = cid->hashAlgorithm->algorithm;
- if(piNameHash) *piNameHash = cid->issuerNameHash;
- if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
- if (pserial) *pserial = cid->serialNumber;
+int
+OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+ ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+{
+ if (!cid)
+ return 0;
+ if (pmd)
+ *pmd = cid->hashAlgorithm->algorithm;
+ if (piNameHash)
+ *piNameHash = cid->issuerNameHash;
+ if (pikeyHash)
+ *pikeyHash = cid->issuerKeyHash;
+ if (pserial)
+ *pserial = cid->serialNumber;
return 1;
- }
+}
-int OCSP_request_is_signed(OCSP_REQUEST *req)
- {
- if(req->optionalSignature) return 1;
+int
+OCSP_request_is_signed(OCSP_REQUEST *req)
+{
+ if (req->optionalSignature)
+ return 1;
return 0;
- }
+}
/* Create an OCSP response and encode an optional basic response */
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
- {
- OCSP_RESPONSE *rsp = NULL;
+OCSP_RESPONSE *
+OCSP_response_create(int status, OCSP_BASICRESP *bs)
+{
+ OCSP_RESPONSE *rsp = NULL;
- if (!(rsp = OCSP_RESPONSE_new())) goto err;
- if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
- if (!bs) return rsp;
- if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+ if (!(rsp = OCSP_RESPONSE_new()))
+ goto err;
+ if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
+ goto err;
+ if (!bs)
+ return rsp;
+ if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
+ goto err;
rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
- if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
- goto err;
+ if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP),
+ &rsp->responseBytes->response))
+ goto err;
return rsp;
err:
- if (rsp) OCSP_RESPONSE_free(rsp);
+ if (rsp)
+ OCSP_RESPONSE_free(rsp);
return NULL;
- }
-
+}
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
- OCSP_CERTID *cid,
- int status, int reason,
- ASN1_TIME *revtime,
- ASN1_TIME *thisupd, ASN1_TIME *nextupd)
- {
+OCSP_SINGLERESP *
+OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status,
+ int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd)
+{
OCSP_SINGLERESP *single = NULL;
OCSP_CERTSTATUS *cs;
OCSP_REVOKEDINFO *ri;
- if(!rsp->tbsResponseData->responses &&
+ if (!rsp->tbsResponseData->responses &&
!(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
goto err;
if (!(single = OCSP_SINGLERESP_new()))
goto err;
-
-
if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
goto err;
if (nextupd &&
- !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+ !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
goto err;
OCSP_CERTID_free(single->certId);
- if(!(single->certId = OCSP_CERTID_dup(cid)))
+ if (!(single->certId = OCSP_CERTID_dup(cid)))
goto err;
cs = single->certStatus;
- switch(cs->type = status)
- {
+ switch(cs->type = status) {
case V_OCSP_CERTSTATUS_REVOKED:
- if (!revtime)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+ if (!revtime) {
+ OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,
+ OCSP_R_NO_REVOKED_TIME);
+ goto err;
+ }
+ if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
goto err;
- }
- if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
goto err;
- if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
- {
+ if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
- goto err;
- if (!(ASN1_ENUMERATED_set(ri->revocationReason,
- reason)))
- goto err;
+ goto err;
+ if (!(ASN1_ENUMERATED_set(ri->revocationReason,
+ reason)))
+ goto err;
}
break;
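Review bot: `switch(cs->type = status) {` in OCSP_basic_add1_status hides the store of the requested status into the cert-status object inside the switch expression, which reads like a comparison and is the one assignment-in-condition the hunk keeps after converting the `if (!(x = ...))` forms around it to multi-line style. Splitting it into `cs->type = status;` followed by `switch (status) {` behaves identically and keeps the side effect on its own line. The remaining arms of the switch, including `default:`, are in the next hunk.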
@@ -183,82 +194,80 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
default:
goto err;
-
- }
+ }
if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
goto err;
return single;
err:
OCSP_SINGLERESP_free(single);
return NULL;
- }
+}
/* Add a certificate to an OCSP request */
-
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
- {
+int
+OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+{
if (!resp->certs && !(resp->certs = sk_X509_new_null()))
return 0;
- if(!sk_X509_push(resp->certs, cert)) return 0;
+ if (!sk_X509_push(resp->certs, cert))
+ return 0;
CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
return 1;
- }
+}
-int OCSP_basic_sign(OCSP_BASICRESP *brsp,
- X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
- STACK_OF(X509) *certs, unsigned long flags)
- {
+int
+OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
+ const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
+{
int i;
OCSP_RESPID *rid;
- if (!X509_check_private_key(signer, key))
- {
- OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+ if (!X509_check_private_key(signer, key)) {
+ OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
+ OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
- }
+ }
- if(!(flags & OCSP_NOCERTS))
- {
- if(!OCSP_basic_add1_cert(brsp, signer))
+ if (!(flags & OCSP_NOCERTS)) {
+ if (!OCSP_basic_add1_cert(brsp, signer))
goto err;
- for (i = 0; i < sk_X509_num(certs); i++)
- {
+ for (i = 0; i < sk_X509_num(certs); i++) {
X509 *tmpcert = sk_X509_value(certs, i);
- if(!OCSP_basic_add1_cert(brsp, tmpcert))
+ if (!OCSP_basic_add1_cert(brsp, tmpcert))
goto err;
- }
}
+ }
rid = brsp->tbsResponseData->responderId;
- if (flags & OCSP_RESPID_KEY)
- {
+ if (flags & OCSP_RESPID_KEY) {
unsigned char md[SHA_DIGEST_LENGTH];
+
X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
goto err;
- if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
- goto err;
+ if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md,
+ SHA_DIGEST_LENGTH)))
+ goto err;
rid->type = V_OCSP_RESPID_KEY;
- }
- else
- {
+ } else {
if (!X509_NAME_set(&rid->value.byName,
- X509_get_subject_name(signer)))
- goto err;
+ X509_get_subject_name(signer)))
+ goto err;
rid->type = V_OCSP_RESPID_NAME;
- }
+ }
if (!(flags & OCSP_NOTIME) &&
- !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+ !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
goto err;
/* Right now, I think that not doing double hashing is the right
thing. -- Richard Levitte */
- if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+ if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
+ goto err;
return 1;
err:
return 0;
- }
+}
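Review bot: In OCSP_basic_sign the return of `X509_pubkey_digest(signer, EVP_sha1(), md, NULL);` is ignored, so if the digest fails the uninitialised `md` buffer is copied into `rid->value.byKey` and the response is signed with garbage in its ResponderID. Check it like the neighbouring calls: `if (!X509_pubkey_digest(signer, EVP_sha1(), md, NULL)) goto err;`. The comment above OCSP_basic_add1_cert, `/* Add a certificate to an OCSP request */`, is wrong for a function that takes an OCSP_BASICRESP and pushes onto `resp->certs`; `/* Add a certificate to a basic OCSP response */` describes it. Both functions are complete within this hunk; the switch tail at the top belongs to OCSP_basic_add1_status from the previous hunk.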
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_vfy.c b/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
index 0b181d5abef..aede155871a 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
@@ -60,134 +60,137 @@
#include <openssl/err.h>
#include <string.h>
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
+ STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
+ unsigned long flags);
static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+ STACK_OF(OCSP_SINGLERESP) *sresp);
static int ocsp_check_delegated(X509 *x, int flags);
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
+ X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st,
+ unsigned long flags);
/* Verify a basic response message */
-
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
- {
+int
+OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
+ unsigned long flags)
+{
X509 *signer, *x;
STACK_OF(X509) *chain = NULL;
X509_STORE_CTX ctx;
int i, ret = 0;
+
ret = ocsp_find_signer(&signer, bs, certs, st, flags);
- if (!ret)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+ if (!ret) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
+ OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
goto end;
- }
+ }
if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS))
- {
+ if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
+
skey = X509_get_pubkey(signer);
- if (skey)
- {
+ if (skey) {
ret = OCSP_BASICRESP_verify(bs, skey, 0);
EVP_PKEY_free(skey);
- }
- if(!skey || ret <= 0)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+ }
+ if (!skey || ret <= 0) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
+ OCSP_R_SIGNATURE_FAILURE);
goto end;
- }
}
- if (!(flags & OCSP_NOVERIFY))
- {
+ }
+ if (!(flags & OCSP_NOVERIFY)) {
int init_res;
+
if(flags & OCSP_NOCHAIN)
init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
else
- init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
- if(!init_res)
- {
+ init_res = X509_STORE_CTX_init(&ctx, st, signer,
+ bs->certs);
+ if (!init_res) {
ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
goto end;
- }
+ }
X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
ret = X509_verify_cert(&ctx);
chain = X509_STORE_CTX_get1_chain(&ctx);
X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0)
- {
+ if (ret <= 0) {
i = X509_STORE_CTX_get_error(&ctx);
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
+ OCSP_R_CERTIFICATE_VERIFY_ERROR);
ERR_asprintf_error_data("Verify error:%s",
- X509_verify_cert_error_string(i));
- goto end;
- }
- if(flags & OCSP_NOCHECKS)
- {
+ X509_verify_cert_error_string(i));
+ goto end;
+ }
+ if(flags & OCSP_NOCHECKS) {
ret = 1;
goto end;
- }
+ }
/* At this point we have a valid certificate chain
* need to verify it against the OCSP issuer criteria.
*/
ret = ocsp_check_issuer(bs, chain, flags);
/* If fatal error or valid match then finish */
- if (ret != 0) goto end;
+ if (ret != 0)
+ goto end;
/* Easy case: explicitly trusted. Get root CA and
* check for explicit trust
*/
- if(flags & OCSP_NOEXPLICIT) goto end;
+ if (flags & OCSP_NOEXPLICIT)
+ goto end;
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
+ if (X509_check_trust(x, NID_OCSP_sign, 0) !=
+ X509_TRUST_TRUSTED) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
+ OCSP_R_ROOT_CA_NOT_TRUSTED);
goto end;
- }
- ret = 1;
}
-
-
-
- end:
- if(chain) sk_X509_pop_free(chain, X509_free);
- return ret;
+ ret = 1;
}
+end:
+ if (chain)
+ sk_X509_pop_free(chain, X509_free);
+ return ret;
+}
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
- {
+static int
+ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+ X509_STORE *st, unsigned long flags)
+{
X509 *signer;
OCSP_RESPID *rid = bs->tbsResponseData->responderId;
- if ((signer = ocsp_find_signer_sk(certs, rid)))
- {
+
+ if ((signer = ocsp_find_signer_sk(certs, rid))) {
*psigner = signer;
return 2;
- }
- if(!(flags & OCSP_NOINTERN) &&
- (signer = ocsp_find_signer_sk(bs->certs, rid)))
- {
+ }
+ if (!(flags & OCSP_NOINTERN) &&
+ (signer = ocsp_find_signer_sk(bs->certs, rid))) {
*psigner = signer;
return 1;
- }
+ }
/* Maybe lookup from store if by subject name */
*psigner = NULL;
return 0;
- }
-
+}
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
- {
+static X509 *
+ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+{
int i;
unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
X509 *x;
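Review bot: In OCSP_basic_verify `i = X509_STORE_CTX_get_error(&ctx);` is read after `X509_STORE_CTX_cleanup(&ctx);` has already run, so the code reported in `"Verify error:%s"` depends on cleanup leaving the error field intact, which the X509_STORE_CTX API does not promise. Capturing it right after `ret = X509_verify_cert(&ctx);`, before the cleanup, removes that dependency; the ordering is unchanged from the old side, so the commit does not address it. On documentation: the function returns 1 on success, 0 on a verification failure and -1 only when X509_STORE_CTX_init fails, and when OCSP_NOSIGS and OCSP_NOVERIFY are both in effect it can return the 2 left in `ret` by ocsp_find_signer, so a header comment naming `> 0` as the success condition would help callers. ocsp_find_signer_sk begins at the end of this hunk and continues beyond it.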
@@ -199,123 +202,124 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
/* Lookup by key hash */
/* If key hash isn't SHA1 length then forget it */
- if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
+ if (id->value.byKey->length != SHA_DIGEST_LENGTH)
+ return NULL;
keyhash = id->value.byKey->data;
/* Calculate hash of each key and compare */
- for (i = 0; i < sk_X509_num(certs); i++)
- {
+ for (i = 0; i < sk_X509_num(certs); i++) {
x = sk_X509_value(certs, i);
X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
- if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
+ if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
return x;
- }
- return NULL;
}
+ return NULL;
+}
-
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
- {
+static int
+ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
+ unsigned long flags)
+{
STACK_OF(OCSP_SINGLERESP) *sresp;
X509 *signer, *sca;
OCSP_CERTID *caid = NULL;
int i;
+
sresp = bs->tbsResponseData->responses;
- if (sk_X509_num(chain) <= 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
+ if (sk_X509_num(chain) <= 0) {
+ OCSPerr(OCSP_F_OCSP_CHECK_ISSUER,
+ OCSP_R_NO_CERTIFICATES_IN_CHAIN);
return -1;
- }
+ }
/* See if the issuer IDs match. */
i = ocsp_check_ids(sresp, &caid);
/* If ID mismatch or other error then return */
- if (i <= 0) return i;
+ if (i <= 0)
+ return i;
signer = sk_X509_value(chain, 0);
/* Check to see if OCSP responder CA matches request CA */
- if (sk_X509_num(chain) > 1)
- {
+ if (sk_X509_num(chain) > 1) {
sca = sk_X509_value(chain, 1);
i = ocsp_match_issuerid(sca, caid, sresp);
- if (i < 0) return i;
- if (i)
- {
+ if (i < 0)
+ return i;
+ if (i) {
/* We have a match, if extensions OK then success */
- if (ocsp_check_delegated(signer, flags)) return 1;
+ if (ocsp_check_delegated(signer, flags))
+ return 1;
return 0;
- }
}
+ }
/* Otherwise check if OCSP request signed directly by request CA */
return ocsp_match_issuerid(signer, caid, sresp);
- }
-
+}
/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
* algorithm then there's no point trying to match any certificates against the issuer.
* If the issuer IDs all match then we just need to check equality against one of them.
*/
-
-static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
- {
+static int
+ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
+{
OCSP_CERTID *tmpid, *cid;
int i, idcount;
idcount = sk_OCSP_SINGLERESP_num(sresp);
- if (idcount <= 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
+ if (idcount <= 0) {
+ OCSPerr(OCSP_F_OCSP_CHECK_IDS,
+ OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
return -1;
- }
+ }
cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
*ret = NULL;
- for (i = 1; i < idcount; i++)
- {
+ for (i = 1; i < idcount; i++) {
tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
/* Check to see if IDs match */
- if (OCSP_id_issuer_cmp(cid, tmpid))
- {
+ if (OCSP_id_issuer_cmp(cid, tmpid)) {
/* If algoritm mismatch let caller deal with it */
if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
- cid->hashAlgorithm->algorithm))
- return 2;
+ cid->hashAlgorithm->algorithm))
+ return 2;
/* Else mismatch */
return 0;
- }
}
+ }
/* All IDs match: only need to check one ID */
*ret = cid;
return 1;
- }
+}
-
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
- STACK_OF(OCSP_SINGLERESP) *sresp)
- {
+static int
+ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+ STACK_OF(OCSP_SINGLERESP) *sresp)
+{
/* If only one ID to match then do it */
- if(cid)
- {
+ if (cid) {
const EVP_MD *dgst;
X509_NAME *iname;
int mdlen;
unsigned char md[EVP_MAX_MD_SIZE];
- if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
- {
- OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
+
+ if (!(dgst =
+ EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
+ OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
+ OCSP_R_UNKNOWN_MESSAGE_DIGEST);
return -1;
- }
+ }
mdlen = EVP_MD_size(dgst);
if (mdlen < 0)
- return -1;
- if ((cid->issuerNameHash->length != mdlen) ||
- (cid->issuerKeyHash->length != mdlen))
+ return -1;
+ if (cid->issuerNameHash->length != mdlen ||
+ cid->issuerKeyHash->length != mdlen)
return 0;
iname = X509_get_subject_name(cert);
if (!X509_NAME_digest(iname, dgst, md, NULL))
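Review bot: The return value of `X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);` in the key-hash loop is ignored, so on a digest failure `tmphash` is still the uninitialized stack array declared at the top of ocsp_find_signer_sk and the following `memcmp` compares the responder key hash against garbage. The loop should skip such a certificate, `if (!X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL)) continue;`, so that only a successfully computed SHA-1 key hash can select a signer. This is pre-existing behaviour that the reformat carries over unchanged; ocsp_find_signer_sk's declarations and signature start in the previous hunk, outside this one.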
@@ -327,124 +331,123 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
return 0;
return 1;
-
- }
- else
- {
+ } else {
/* We have to match the whole lot */
int i, ret;
OCSP_CERTID *tmpid;
- for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
- {
+
+ for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
ret = ocsp_match_issuerid(cert, tmpid, NULL);
- if (ret <= 0) return ret;
- }
- return 1;
+ if (ret <= 0)
+ return ret;
}
-
+ return 1;
}
+}
-static int ocsp_check_delegated(X509 *x, int flags)
- {
+static int
+ocsp_check_delegated(X509 *x, int flags)
+{
X509_check_purpose(x, -1, 0);
- if ((x->ex_flags & EXFLAG_XKUSAGE) &&
- (x->ex_xkusage & XKU_OCSP_SIGN))
+ if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
return 1;
OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
return 0;
- }
+}
/* Verify an OCSP request. This is fortunately much easier than OCSP
* response verify. Just find the signers certificate and verify it
* against a given trust value.
*/
-
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
- {
+int
+OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
+ unsigned long flags)
+{
X509 *signer;
X509_NAME *nm;
GENERAL_NAME *gen;
int ret;
X509_STORE_CTX ctx;
- if (!req->optionalSignature)
- {
+
+ if (!req->optionalSignature) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
return 0;
- }
+ }
gen = req->tbsRequest->requestorName;
- if (!gen || gen->type != GEN_DIRNAME)
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+ if (!gen || gen->type != GEN_DIRNAME) {
+ OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
+ OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
return 0;
- }
+ }
nm = gen->d.directoryName;
ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
- if (ret <= 0)
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+ if (ret <= 0) {
+ OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
+ OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
return 0;
- }
+ }
if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS))
- {
+ if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
+
skey = X509_get_pubkey(signer);
ret = OCSP_REQUEST_verify(req, skey);
EVP_PKEY_free(skey);
- if(ret <= 0)
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+ if (ret <= 0) {
+ OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
+ OCSP_R_SIGNATURE_FAILURE);
return 0;
- }
}
- if (!(flags & OCSP_NOVERIFY))
- {
+ }
+ if (!(flags & OCSP_NOVERIFY)) {
int init_res;
- if(flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+
+ if (flags & OCSP_NOCHAIN)
+ init_res = X509_STORE_CTX_init(&ctx, store, signer,
+ NULL);
else
init_res = X509_STORE_CTX_init(&ctx, store, signer,
- req->optionalSignature->certs);
- if(!init_res)
- {
+ req->optionalSignature->certs);
+ if (!init_res) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
return 0;
- }
+ }
X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
ret = X509_verify_cert(&ctx);
X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0)
- {
+ if (ret <= 0) {
ret = X509_STORE_CTX_get_error(&ctx);
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+ OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
+ OCSP_R_CERTIFICATE_VERIFY_ERROR);
ERR_asprintf_error_data("Verify error:%s",
- X509_verify_cert_error_string(ret));
- return 0;
- }
+ X509_verify_cert_error_string(ret));
+ return 0;
}
+ }
return 1;
- }
+}
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
- {
+static int
+ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm,
+ STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)
+{
X509 *signer;
- if(!(flags & OCSP_NOINTERN))
- {
- signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+
+ if (!(flags & OCSP_NOINTERN)) {
+ signer =
+ X509_find_by_subject(req->optionalSignature->certs, nm);
*psigner = signer;
return 1;
- }
+ }
signer = X509_find_by_subject(certs, nm);
- if (signer)
- {
+ if (signer) {
*psigner = signer;
return 2;
- }
- return 0;
}
+ return 0;
+}
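Review bot: In ocsp_req_find_signer the `!(flags & OCSP_NOINTERN)` branch stores the result of `X509_find_by_subject(req->optionalSignature->certs, nm)` and returns 1 without checking it, so a request whose embedded certs do not contain the requestor's certificate yields `*psigner = NULL` with a positive return; OCSP_request_verify only rejects `ret <= 0` and then passes that NULL to `X509_get_pubkey(signer)`. The branch should only succeed when a certificate was actually found, `if (signer) { *psigner = signer; return 1; }`, and otherwise fall through to the caller-supplied `certs` lookup and the `return 0` path so the caller reports OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND. Separately, in OCSP_request_verify the `X509_STORE_CTX_get_error(&ctx)` call follows `X509_STORE_CTX_cleanup(&ctx)`; reading the error code before the cleanup would avoid depending on what cleanup leaves in the context, and the NULL return of `X509_get_pubkey` before `OCSP_REQUEST_verify` appears unchecked as well. None of this is introduced by the KNF reformat, but the reformat is a convenient place to fix it.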