summaryrefslogtreecommitdiff
path: root/Cryptlib/OpenSSL/crypto/ocsp
diff options
context:
space:
mode:
authorPeter Jones <pjones@redhat.com>2017-08-31 13:57:30 -0400
committerPeter Jones <pjones@redhat.com>2017-08-31 15:13:58 -0400
commit1d39ada8cb336d9e7c156be7526b674851fbdd40 (patch)
treedc497e33b1d4830bf58d79dedc3026087f31f044 /Cryptlib/OpenSSL/crypto/ocsp
parenteae64276ffe0361d2b4087c48390d12f157f65f0 (diff)
downloadefi-boot-shim-1d39ada8cb336d9e7c156be7526b674851fbdd40.tar.gz
efi-boot-shim-1d39ada8cb336d9e7c156be7526b674851fbdd40.zip
Revert lots of Cryptlib updates.
OpenSSL changes quite a bit of the key validation, and most of the keys I can find in the wild aren't marked as trusted by the new checker. Intel noticed this too: https://github.com/vathpela/edk2/commit/f536d7c3ed but instead of fixing the compatibility error, they switched their test data to match the bug. So that's pretty broken. For now, I'm reverting OpenSSL 1.1.0e, because we need those certs in the wild to work. This reverts commit 513cbe2aea689bf968f171f894f3d4cdb43524d5. This reverts commit e9cc33d6f2b7f35c6f5e349fd83fb9ae0bc66226. This reverts commit 80d49f758ead0180bfe6161931838e0578248303. This reverts commit 9bc647e2b23bcfd69a0077c0717fbc454c919a57. This reverts commit ae75df6232ad30f3e8736e9449692d58a7439260. This reverts commit e883479f35644d17db7efed710657c8543cfcb68. This reverts commit 97469449fda5ba933a64280917e776487301a127. This reverts commit e39692647f78e13d757ddbfdd36f440d5f526050. This reverts commit 0f3dfc01e2d5e7df882c963dd8dc4a0dfbfc96ad. This reverts commit 4da6ac819510c7cc4ba21d7a735d69b45daa5873. This reverts commit d064bd7eef201f26cb926450a76260b5187ac689. This reverts commit 9bc86cfd6f9387f0da9d5c0102b6aa5627e91c91. This reverts commit ab9a05a10f16b33f7ee1e9da360c7801eebdb9d2. Signed-off-by: Peter Jones <pjones@redhat.com>
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/ocsp')
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c80
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c150
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c90
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c220
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c86
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h216
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c148
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c107
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c186
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c214
-rw-r--r--Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c264
11 files changed, 851 insertions, 910 deletions
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c
index 1e0b8279..e2e52e77 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c
@@ -1,19 +1,67 @@
+/* ocsp_asn.c */
/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
*/
-
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
ASN1_SEQUENCE(OCSP_SIGNATURE) = {
- ASN1_EMBED(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
+ ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0)
} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
@@ -21,10 +69,10 @@ ASN1_SEQUENCE(OCSP_SIGNATURE) = {
IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
ASN1_SEQUENCE(OCSP_CERTID) = {
- ASN1_EMBED(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
- ASN1_EMBED(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
- ASN1_EMBED(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
- ASN1_EMBED(OCSP_CERTID, serialNumber, ASN1_INTEGER)
+ ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
+ ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
+ ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
+ ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
} ASN1_SEQUENCE_END(OCSP_CERTID)
IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID)
@@ -46,7 +94,7 @@ ASN1_SEQUENCE(OCSP_REQINFO) = {
IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO)
ASN1_SEQUENCE(OCSP_REQUEST) = {
- ASN1_EMBED(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
+ ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
} ASN1_SEQUENCE_END(OCSP_REQUEST)
@@ -102,7 +150,7 @@ IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP)
ASN1_SEQUENCE(OCSP_RESPDATA) = {
ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
- ASN1_EMBED(OCSP_RESPDATA, responderId, OCSP_RESPID),
+ ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
@@ -111,8 +159,8 @@ ASN1_SEQUENCE(OCSP_RESPDATA) = {
IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA)
ASN1_SEQUENCE(OCSP_BASICRESP) = {
- ASN1_EMBED(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
- ASN1_EMBED(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
+ ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
+ ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
} ASN1_SEQUENCE_END(OCSP_BASICRESP)
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
index a42b80fa..fca7db0b 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
@@ -1,21 +1,78 @@
+/* ocsp_cl.c */
/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was transfered to Richard Levitte from CertCo by Kathy
+ * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
+ * patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include <time.h>
-#include "internal/cryptlib.h"
+#include <cryptlib.h>
#include <openssl/objects.h>
+#include <openssl/rand.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
/*
* Utility functions related to sending OCSP requests and extracting relevant
@@ -31,11 +88,12 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
{
OCSP_ONEREQ *one = NULL;
- if ((one = OCSP_ONEREQ_new()) == NULL)
- return NULL;
- OCSP_CERTID_free(one->reqCert);
+ if (!(one = OCSP_ONEREQ_new()))
+ goto err;
+ if (one->reqCert)
+ OCSP_CERTID_free(one->reqCert);
one->reqCert = cid;
- if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
+ if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) {
one->reqCert = NULL; /* do not free on error */
goto err;
}
@@ -50,7 +108,6 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
{
GENERAL_NAME *gen;
-
gen = GENERAL_NAME_new();
if (gen == NULL)
return 0;
@@ -59,8 +116,9 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
return 0;
}
gen->type = GEN_DIRNAME;
- GENERAL_NAME_free(req->tbsRequest.requestorName);
- req->tbsRequest.requestorName = gen;
+ if (req->tbsRequest->requestorName)
+ GENERAL_NAME_free(req->tbsRequest->requestorName);
+ req->tbsRequest->requestorName = gen;
return 1;
}
@@ -69,25 +127,24 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
{
OCSP_SIGNATURE *sig;
- if (req->optionalSignature == NULL)
+ if (!req->optionalSignature)
req->optionalSignature = OCSP_SIGNATURE_new();
sig = req->optionalSignature;
- if (sig == NULL)
+ if (!sig)
return 0;
- if (cert == NULL)
+ if (!cert)
return 1;
- if (sig->certs == NULL
- && (sig->certs = sk_X509_new_null()) == NULL)
+ if (!sig->certs && !(sig->certs = sk_X509_new_null()))
return 0;
if (!sk_X509_push(sig->certs, cert))
return 0;
- X509_up_ref(cert);
+ CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
return 1;
}
/*
- * Sign an OCSP request set the requestorName to the subject name of an
+ * Sign an OCSP request set the requestorName to the subjec name of an
* optional signers certificate and include one or more optional certificates
* in the request. Behaves like PKCS7_sign().
*/
@@ -99,12 +156,13 @@ int OCSP_request_sign(OCSP_REQUEST *req,
STACK_OF(X509) *certs, unsigned long flags)
{
int i;
+ OCSP_SIGNATURE *sig;
X509 *x;
if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
goto err;
- if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
+ if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
goto err;
if (key) {
if (!X509_check_private_key(signer, key)) {
@@ -161,20 +219,15 @@ OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
}
-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
-{
- return bs->signature;
-}
-
/*
- * Return number of OCSP_SINGLERESP responses present in a basic response.
+ * Return number of OCSP_SINGLERESP reponses present in a basic response.
*/
int OCSP_resp_count(OCSP_BASICRESP *bs)
{
if (!bs)
return -1;
- return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
+ return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
}
/* Extract an OCSP_SINGLERESP response with a given index */
@@ -183,35 +236,7 @@ OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
{
if (!bs)
return NULL;
- return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
-}
-
-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs)
-{
- return bs->tbsResponseData.producedAt;
-}
-
-const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs)
-{
- return bs->certs;
-}
-
-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
- const ASN1_OCTET_STRING **pid,
- const X509_NAME **pname)
-
-{
- const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
- if (rid->type == V_OCSP_RESPID_NAME) {
- *pname = rid->value.byName;
- *pid = NULL;
- } else if (rid->type == V_OCSP_RESPID_KEY) {
- *pid = rid->value.byKey;
- *pname = NULL;
- } else {
- return 0;
- }
- return 1;
+ return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
}
/* Look single response matching a given certificate ID */
@@ -227,7 +252,7 @@ int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
last = 0;
else
last++;
- sresp = bs->tbsResponseData.responses;
+ sresp = bs->tbsResponseData->responses;
for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
single = sk_OCSP_SINGLERESP_value(sresp, i);
if (!OCSP_id_cmp(id, single->certId))
@@ -297,7 +322,7 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
/*
* Check validity of thisUpdate and nextUpdate fields. It is possible that
- * the request will take a few seconds to process and/or the time won't be
+ * the request will take a few seconds to process and/or the time wont be
* totally accurate. Therefore to avoid rejecting otherwise valid time we
* allow the times to be within 'nsec' of the current time. Also to avoid
* accepting very old responses without a nextUpdate field an optional maxage
@@ -358,8 +383,3 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
return ret;
}
-
-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
-{
- return single->certId;
-}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
index a2d96e9c..722043c0 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/ocsp/ocsp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
*/
#include <stdio.h>
@@ -19,25 +70,30 @@
# define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
static ERR_STRING_DATA OCSP_str_functs[] = {
- {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "d2i_ocsp_nonce"},
+ {ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"},
+ {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"},
{ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"},
{ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"},
{ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"},
{ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"},
- {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "ocsp_check_delegated"},
- {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "ocsp_check_ids"},
- {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "ocsp_check_issuer"},
+ {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"},
+ {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"},
+ {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"},
{ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"},
- {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "ocsp_match_issuerid"},
+ {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"},
{ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"},
{ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"},
{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"},
{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"},
- {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "parse_http_line1"},
+ {ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"},
+ {ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"},
+ {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"},
+ {ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"},
{0, NULL}
};
static ERR_STRING_DATA OCSP_str_reasons[] = {
+ {ERR_REASON(OCSP_R_BAD_DATA), "bad data"},
{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
{ERR_REASON(OCSP_R_DIGEST_ERR), "digest err"},
{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),
@@ -51,18 +107,21 @@ static ERR_STRING_DATA OCSP_str_reasons[] = {
"nextupdate before thisupdate"},
{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE), "not basic response"},
{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN), "no certificates in chain"},
+ {ERR_REASON(OCSP_R_NO_CONTENT), "no content"},
+ {ERR_REASON(OCSP_R_NO_PUBLIC_KEY), "no public key"},
{ERR_REASON(OCSP_R_NO_RESPONSE_DATA), "no response data"},
{ERR_REASON(OCSP_R_NO_REVOKED_TIME), "no revoked time"},
- {ERR_REASON(OCSP_R_NO_SIGNER_KEY), "no signer key"},
{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),
"private key does not match certificate"},
{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED), "request not signed"},
{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA),
"response contains no revocation data"},
{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED), "root ca not trusted"},
+ {ERR_REASON(OCSP_R_SERVER_READ_ERROR), "server read error"},
{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR), "server response error"},
{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR),
"server response parse error"},
+ {ERR_REASON(OCSP_R_SERVER_WRITE_ERROR), "server write error"},
{ERR_REASON(OCSP_R_SIGNATURE_FAILURE), "signature failure"},
{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),
"signer certificate not found"},
@@ -78,7 +137,7 @@ static ERR_STRING_DATA OCSP_str_reasons[] = {
#endif
-int ERR_load_OCSP_strings(void)
+void ERR_load_OCSP_strings(void)
{
#ifndef OPENSSL_NO_ERR
@@ -87,5 +146,4 @@ int ERR_load_OCSP_strings(void)
ERR_load_strings(0, OCSP_str_reasons);
}
#endif
- return 1;
}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
index b829b2e4..55af31b5 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
@@ -1,18 +1,74 @@
+/* ocsp_ext.c */
/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was transfered to Richard Levitte from CertCo by Kathy
+ * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
+ * patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "internal/cryptlib.h"
+#include <cryptlib.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
#include <openssl/rand.h>
#include <openssl/x509v3.h>
@@ -22,53 +78,53 @@
int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
{
- return (X509v3_get_ext_count(x->tbsRequest.requestExtensions));
+ return (X509v3_get_ext_count(x->tbsRequest->requestExtensions));
}
int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
{
return (X509v3_get_ext_by_NID
- (x->tbsRequest.requestExtensions, nid, lastpos));
+ (x->tbsRequest->requestExtensions, nid, lastpos));
}
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj,
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
int lastpos)
{
return (X509v3_get_ext_by_OBJ
- (x->tbsRequest.requestExtensions, obj, lastpos));
+ (x->tbsRequest->requestExtensions, obj, lastpos));
}
int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
{
return (X509v3_get_ext_by_critical
- (x->tbsRequest.requestExtensions, crit, lastpos));
+ (x->tbsRequest->requestExtensions, crit, lastpos));
}
X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
{
- return (X509v3_get_ext(x->tbsRequest.requestExtensions, loc));
+ return (X509v3_get_ext(x->tbsRequest->requestExtensions, loc));
}
X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
{
- return (X509v3_delete_ext(x->tbsRequest.requestExtensions, loc));
+ return (X509v3_delete_ext(x->tbsRequest->requestExtensions, loc));
}
void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
{
- return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx);
+ return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
}
int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
unsigned long flags)
{
- return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value,
+ return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value,
crit, flags);
}
int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
{
- return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) !=
+ return (X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex, loc) !=
NULL);
}
@@ -84,8 +140,7 @@ int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
return (X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos));
}
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj,
- int lastpos)
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
{
return (X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos));
}
@@ -127,56 +182,56 @@ int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
{
- return (X509v3_get_ext_count(x->tbsResponseData.responseExtensions));
+ return (X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
}
int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
{
return (X509v3_get_ext_by_NID
- (x->tbsResponseData.responseExtensions, nid, lastpos));
+ (x->tbsResponseData->responseExtensions, nid, lastpos));
}
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj,
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
int lastpos)
{
return (X509v3_get_ext_by_OBJ
- (x->tbsResponseData.responseExtensions, obj, lastpos));
+ (x->tbsResponseData->responseExtensions, obj, lastpos));
}
int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
int lastpos)
{
return (X509v3_get_ext_by_critical
- (x->tbsResponseData.responseExtensions, crit, lastpos));
+ (x->tbsResponseData->responseExtensions, crit, lastpos));
}
X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
{
- return (X509v3_get_ext(x->tbsResponseData.responseExtensions, loc));
+ return (X509v3_get_ext(x->tbsResponseData->responseExtensions, loc));
}
X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
{
- return (X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc));
+ return (X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc));
}
void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
int *idx)
{
- return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit,
+ return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit,
idx);
}
int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
int crit, unsigned long flags)
{
- return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid,
+ return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid,
value, crit, flags);
}
int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
{
- return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
+ return (X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex, loc)
!= NULL);
}
@@ -192,7 +247,7 @@ int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
return (X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos));
}
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj,
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
int lastpos)
{
return (X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos));
@@ -232,11 +287,54 @@ int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
}
/* also CRL Entry Extensions */
+#if 0
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
+ void *data, STACK_OF(ASN1_OBJECT) *sk)
+{
+ int i;
+ unsigned char *p, *b = NULL;
+
+ if (data) {
+ if ((i = i2d(data, NULL)) <= 0)
+ goto err;
+ if (!(b = p = OPENSSL_malloc((unsigned int)i)))
+ goto err;
+ if (i2d(data, &p) <= 0)
+ goto err;
+ } else if (sk) {
+ if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk, NULL,
+ (I2D_OF(ASN1_OBJECT)) i2d,
+ V_ASN1_SEQUENCE,
+ V_ASN1_UNIVERSAL,
+ IS_SEQUENCE)) <= 0)
+ goto err;
+ if (!(b = p = OPENSSL_malloc((unsigned int)i)))
+ goto err;
+ if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk, &p, (I2D_OF(ASN1_OBJECT)) i2d,
+ V_ASN1_SEQUENCE,
+ V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0)
+ goto err;
+ } else {
+ OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA);
+ goto err;
+ }
+ if (!s && !(s = ASN1_STRING_new()))
+ goto err;
+ if (!(ASN1_STRING_set(s, b, i)))
+ goto err;
+ OPENSSL_free(b);
+ return s;
+ err:
+ if (b)
+ OPENSSL_free(b);
+ return NULL;
+}
+#endif
/* Nonce handling functions */
/*
- * Add a nonce to an extension stack. A nonce can be specified or if NULL a
+ * Add a nonce to an extension stack. A nonce can be specificed or if NULL a
* random nonce will be generated. Note: OpenSSL 0.9.7d and later create an
* OCTET STRING containing the nonce, previous versions used the raw nonce.
*/
@@ -256,9 +354,6 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
* relies on library internals.
*/
os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
- if (os.length < 0)
- return 0;
-
os.data = OPENSSL_malloc(os.length);
if (os.data == NULL)
goto err;
@@ -273,7 +368,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
goto err;
ret = 1;
err:
- OPENSSL_free(os.data);
+ if (os.data)
+ OPENSSL_free(os.data);
return ret;
}
@@ -281,14 +377,14 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
{
- return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len);
+ return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
}
/* Same as above but for a response */
int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
{
- return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val,
+ return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val,
len);
}
@@ -334,8 +430,7 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
*/
req_ext = OCSP_REQUEST_get_ext(req, req_idx);
resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
- if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
- X509_EXTENSION_get_data(resp_ext)))
+ if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
return 0;
return 1;
}
@@ -357,34 +452,35 @@ int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
}
-X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim)
+X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
{
X509_EXTENSION *x = NULL;
OCSP_CRLID *cid = NULL;
- if ((cid = OCSP_CRLID_new()) == NULL)
+ if (!(cid = OCSP_CRLID_new()))
goto err;
if (url) {
- if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL)
+ if (!(cid->crlUrl = ASN1_IA5STRING_new()))
goto err;
if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
goto err;
}
if (n) {
- if ((cid->crlNum = ASN1_INTEGER_new()) == NULL)
+ if (!(cid->crlNum = ASN1_INTEGER_new()))
goto err;
if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
goto err;
}
if (tim) {
- if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL)
+ if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new()))
goto err;
if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
goto err;
}
x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
err:
- OCSP_CRLID_free(cid);
+ if (cid)
+ OCSP_CRLID_free(cid);
return x;
}
@@ -396,7 +492,7 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids)
ASN1_OBJECT *o = NULL;
X509_EXTENSION *x = NULL;
- if ((sk = sk_ASN1_OBJECT_new_null()) == NULL)
+ if (!(sk = sk_ASN1_OBJECT_new_null()))
goto err;
while (oids && *oids) {
if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid)))
@@ -405,7 +501,8 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids)
}
x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
err:
- sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+ if (sk)
+ sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
return x;
}
@@ -415,13 +512,14 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
X509_EXTENSION *x = NULL;
ASN1_GENERALIZEDTIME *gt = NULL;
- if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL)
+ if (!(gt = ASN1_GENERALIZEDTIME_new()))
goto err;
if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
goto err;
x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
err:
- ASN1_GENERALIZEDTIME_free(gt);
+ if (gt)
+ ASN1_GENERALIZEDTIME_free(gt);
return x;
}
@@ -430,43 +528,39 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
* two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This method
* forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
*/
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls)
+X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, char **urls)
{
X509_EXTENSION *x = NULL;
ASN1_IA5STRING *ia5 = NULL;
OCSP_SERVICELOC *sloc = NULL;
ACCESS_DESCRIPTION *ad = NULL;
- if ((sloc = OCSP_SERVICELOC_new()) == NULL)
+ if (!(sloc = OCSP_SERVICELOC_new()))
goto err;
- if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
+ if (!(sloc->issuer = X509_NAME_dup(issuer)))
goto err;
- if (urls && *urls
- && (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL)
+ if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null()))
goto err;
while (urls && *urls) {
- if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
+ if (!(ad = ACCESS_DESCRIPTION_new()))
goto err;
- if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
+ if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP)))
goto err;
- if ((ad->location = GENERAL_NAME_new()) == NULL)
+ if (!(ad->location = GENERAL_NAME_new()))
goto err;
- if ((ia5 = ASN1_IA5STRING_new()) == NULL)
+ if (!(ia5 = ASN1_IA5STRING_new()))
goto err;
if (!ASN1_STRING_set((ASN1_STRING *)ia5, *urls, -1))
goto err;
ad->location->type = GEN_URI;
ad->location->d.ia5 = ia5;
- ia5 = NULL;
if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
goto err;
- ad = NULL;
urls++;
}
x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
err:
- ASN1_IA5STRING_free(ia5);
- ACCESS_DESCRIPTION_free(ad);
- OCSP_SERVICELOC_free(sloc);
+ if (sloc)
+ OCSP_SERVICELOC_free(sloc);
return x;
}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
index 680edfa5..88b26b38 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
@@ -1,10 +1,60 @@
+/* ocsp_ht.c */
/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
@@ -16,6 +66,9 @@
#include <openssl/ocsp.h>
#include <openssl/err.h>
#include <openssl/buffer.h>
+#ifdef OPENSSL_SYS_SUNOS
+# define strtoul (unsigned long)strtol
+#endif /* OPENSSL_SYS_SUNOS */
/* Stateful OCSP request code, supporting non-blocking I/O */
@@ -63,20 +116,21 @@ static int parse_http_line1(char *line);
OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline)
{
- OCSP_REQ_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
-
- if (rctx == NULL)
+ OCSP_REQ_CTX *rctx;
+ rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
+ if (!rctx)
return NULL;
rctx->state = OHS_ERROR;
rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
rctx->mem = BIO_new(BIO_s_mem());
rctx->io = io;
+ rctx->asn1_len = 0;
if (maxline > 0)
rctx->iobuflen = maxline;
else
rctx->iobuflen = OCSP_MAX_LINE_LEN;
rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
- if (rctx->iobuf == NULL || rctx->mem == NULL) {
+ if (!rctx->iobuf || !rctx->mem) {
OCSP_REQ_CTX_free(rctx);
return NULL;
}
@@ -85,10 +139,10 @@ OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline)
void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
{
- if (!rctx)
- return;
- BIO_free(rctx->mem);
- OPENSSL_free(rctx->iobuf);
+ if (rctx->mem)
+ BIO_free(rctx->mem);
+ if (rctx->iobuf)
+ OPENSSL_free(rctx->iobuf);
OPENSSL_free(rctx);
}
@@ -182,7 +236,7 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
OCSP_REQ_CTX *rctx = NULL;
rctx = OCSP_REQ_CTX_new(io, maxline);
- if (rctx == NULL)
+ if (!rctx)
return NULL;
if (!OCSP_REQ_CTX_http(rctx, "POST", path))
@@ -457,6 +511,8 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx)
rctx->state = OHS_DONE;
return 1;
+ break;
+
case OHS_DONE:
return 1;
@@ -483,7 +539,7 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req)
ctx = OCSP_sendreq_new(b, path, req, -1);
- if (ctx == NULL)
+ if (!ctx)
return NULL;
do {
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h
deleted file mode 100644
index f93a268e..00000000
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h
+++ /dev/null
@@ -1,216 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*- CertID ::= SEQUENCE {
- * hashAlgorithm AlgorithmIdentifier,
- * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
- * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
- * serialNumber CertificateSerialNumber }
- */
-struct ocsp_cert_id_st {
- X509_ALGOR hashAlgorithm;
- ASN1_OCTET_STRING issuerNameHash;
- ASN1_OCTET_STRING issuerKeyHash;
- ASN1_INTEGER serialNumber;
-};
-
-/*- Request ::= SEQUENCE {
- * reqCert CertID,
- * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
- */
-struct ocsp_one_request_st {
- OCSP_CERTID *reqCert;
- STACK_OF(X509_EXTENSION) *singleRequestExtensions;
-};
-
-/*- TBSRequest ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * requestorName [1] EXPLICIT GeneralName OPTIONAL,
- * requestList SEQUENCE OF Request,
- * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
- */
-struct ocsp_req_info_st {
- ASN1_INTEGER *version;
- GENERAL_NAME *requestorName;
- STACK_OF(OCSP_ONEREQ) *requestList;
- STACK_OF(X509_EXTENSION) *requestExtensions;
-};
-
-/*- Signature ::= SEQUENCE {
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-struct ocsp_signature_st {
- X509_ALGOR signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
-};
-
-/*- OCSPRequest ::= SEQUENCE {
- * tbsRequest TBSRequest,
- * optionalSignature [0] EXPLICIT Signature OPTIONAL }
- */
-struct ocsp_request_st {
- OCSP_REQINFO tbsRequest;
- OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
-};
-
-/*- OCSPResponseStatus ::= ENUMERATED {
- * successful (0), --Response has valid confirmations
- * malformedRequest (1), --Illegal confirmation request
- * internalError (2), --Internal error in issuer
- * tryLater (3), --Try again later
- * --(4) is not used
- * sigRequired (5), --Must sign the request
- * unauthorized (6) --Request unauthorized
- * }
- */
-
-/*- ResponseBytes ::= SEQUENCE {
- * responseType OBJECT IDENTIFIER,
- * response OCTET STRING }
- */
-struct ocsp_resp_bytes_st {
- ASN1_OBJECT *responseType;
- ASN1_OCTET_STRING *response;
-};
-
-/*- OCSPResponse ::= SEQUENCE {
- * responseStatus OCSPResponseStatus,
- * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
- */
-struct ocsp_response_st {
- ASN1_ENUMERATED *responseStatus;
- OCSP_RESPBYTES *responseBytes;
-};
-
-/*- ResponderID ::= CHOICE {
- * byName [1] Name,
- * byKey [2] KeyHash }
- */
-struct ocsp_responder_id_st {
- int type;
- union {
- X509_NAME *byName;
- ASN1_OCTET_STRING *byKey;
- } value;
-};
-
-/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- * --(excluding the tag and length fields)
- */
-
-/*- RevokedInfo ::= SEQUENCE {
- * revocationTime GeneralizedTime,
- * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
- */
-struct ocsp_revoked_info_st {
- ASN1_GENERALIZEDTIME *revocationTime;
- ASN1_ENUMERATED *revocationReason;
-};
-
-/*- CertStatus ::= CHOICE {
- * good [0] IMPLICIT NULL,
- * revoked [1] IMPLICIT RevokedInfo,
- * unknown [2] IMPLICIT UnknownInfo }
- */
-struct ocsp_cert_status_st {
- int type;
- union {
- ASN1_NULL *good;
- OCSP_REVOKEDINFO *revoked;
- ASN1_NULL *unknown;
- } value;
-};
-
-/*- SingleResponse ::= SEQUENCE {
- * certID CertID,
- * certStatus CertStatus,
- * thisUpdate GeneralizedTime,
- * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-struct ocsp_single_response_st {
- OCSP_CERTID *certId;
- OCSP_CERTSTATUS *certStatus;
- ASN1_GENERALIZEDTIME *thisUpdate;
- ASN1_GENERALIZEDTIME *nextUpdate;
- STACK_OF(X509_EXTENSION) *singleExtensions;
-};
-
-/*- ResponseData ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * responderID ResponderID,
- * producedAt GeneralizedTime,
- * responses SEQUENCE OF SingleResponse,
- * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-struct ocsp_response_data_st {
- ASN1_INTEGER *version;
- OCSP_RESPID responderId;
- ASN1_GENERALIZEDTIME *producedAt;
- STACK_OF(OCSP_SINGLERESP) *responses;
- STACK_OF(X509_EXTENSION) *responseExtensions;
-};
-
-/*- BasicOCSPResponse ::= SEQUENCE {
- * tbsResponseData ResponseData,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
- /*
- * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
- * follows: "The value for the signature SHALL be computed on the hash of
- * the DER encoding ResponseData." This means that you must hash the
- * DER-encoded tbsResponseData, and then run it through a crypto-signing
- * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
- * operation. This seems a bit odd, but that's the spec. Also note that
- * the data structures do not leave anywhere to independently specify the
- * algorithm used for the initial hash. So, we look at the
- * signature-specification algorithm, and try to do something intelligent.
- * -- Kathy Weinhold, CertCo
- */
- /*
- * Note 2: It seems that the mentioned passage from RFC 2560 (section
- * 4.2.1) is open for interpretation. I've done tests against another
- * responder, and found that it doesn't do the double hashing that the RFC
- * seems to say one should. Therefore, all relevant functions take a flag
- * saying which variant should be used. -- Richard Levitte, OpenSSL team
- * and CeloCom
- */
-struct ocsp_basic_response_st {
- OCSP_RESPDATA tbsResponseData;
- X509_ALGOR signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
-};
-
-/*-
- * CrlID ::= SEQUENCE {
- * crlUrl [0] EXPLICIT IA5String OPTIONAL,
- * crlNum [1] EXPLICIT INTEGER OPTIONAL,
- * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
- */
-struct ocsp_crl_id_st {
- ASN1_IA5STRING *crlUrl;
- ASN1_INTEGER *crlNum;
- ASN1_GENERALIZEDTIME *crlTime;
-};
-
-/*-
- * ServiceLocator ::= SEQUENCE {
- * issuer Name,
- * locator AuthorityInfoAccessSyntax OPTIONAL }
- */
-struct ocsp_service_locator_st {
- X509_NAME *issuer;
- STACK_OF(ACCESS_DESCRIPTION) *locator;
-};
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
index 8edd70ac..ff781e56 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
@@ -1,35 +1,93 @@
+/* ocsp_lib.c */
/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was transfered to Richard Levitte from CertCo by Kathy
+ * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
+ * patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "internal/cryptlib.h"
+#include <cryptlib.h>
#include <openssl/objects.h>
+#include <openssl/rand.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
#include <openssl/asn1t.h>
/* Convert a certificate and its issuer to an OCSP_CERTID */
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
- const X509 *issuer)
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
{
X509_NAME *iname;
- const ASN1_INTEGER *serial;
+ ASN1_INTEGER *serial;
ASN1_BIT_STRING *ikey;
+#ifndef OPENSSL_NO_SHA1
if (!dgst)
dgst = EVP_sha1();
+#endif
if (subject) {
iname = X509_get_issuer_name(subject);
- serial = X509_get0_serialNumber(subject);
+ serial = X509_get_serialNumber(subject);
} else {
iname = X509_get_subject_name(issuer);
serial = NULL;
@@ -39,9 +97,9 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
}
OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
- const X509_NAME *issuerName,
- const ASN1_BIT_STRING *issuerKey,
- const ASN1_INTEGER *serialNumber)
+ X509_NAME *issuerName,
+ ASN1_BIT_STRING *issuerKey,
+ ASN1_INTEGER *serialNumber)
{
int nid;
unsigned int i;
@@ -49,16 +107,17 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
OCSP_CERTID *cid = NULL;
unsigned char md[EVP_MAX_MD_SIZE];
- if ((cid = OCSP_CERTID_new()) == NULL)
+ if (!(cid = OCSP_CERTID_new()))
goto err;
- alg = &cid->hashAlgorithm;
- ASN1_OBJECT_free(alg->algorithm);
+ alg = cid->hashAlgorithm;
+ if (alg->algorithm != NULL)
+ ASN1_OBJECT_free(alg->algorithm);
if ((nid = EVP_MD_type(dgst)) == NID_undef) {
OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID);
goto err;
}
- if ((alg->algorithm = OBJ_nid2obj(nid)) == NULL)
+ if (!(alg->algorithm = OBJ_nid2obj(nid)))
goto err;
if ((alg->parameter = ASN1_TYPE_new()) == NULL)
goto err;
@@ -66,38 +125,40 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
if (!X509_NAME_digest(issuerName, dgst, md, &i))
goto digerr;
- if (!(ASN1_OCTET_STRING_set(&cid->issuerNameHash, md, i)))
+ if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
goto err;
/* Calculate the issuerKey hash, excluding tag and length */
if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
goto err;
- if (!(ASN1_OCTET_STRING_set(&cid->issuerKeyHash, md, i)))
+ if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
goto err;
if (serialNumber) {
- if (ASN1_STRING_copy(&cid->serialNumber, serialNumber) == 0)
+ ASN1_INTEGER_free(cid->serialNumber);
+ if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
goto err;
}
return cid;
digerr:
OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR);
err:
- OCSP_CERTID_free(cid);
+ if (cid)
+ OCSP_CERTID_free(cid);
return NULL;
}
int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
{
int ret;
- ret = OBJ_cmp(a->hashAlgorithm.algorithm, b->hashAlgorithm.algorithm);
+ ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
if (ret)
return ret;
- ret = ASN1_OCTET_STRING_cmp(&a->issuerNameHash, &b->issuerNameHash);
+ ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
if (ret)
return ret;
- return ASN1_OCTET_STRING_cmp(&a->issuerKeyHash, &b->issuerKeyHash);
+ return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
}
int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
@@ -106,7 +167,7 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
ret = OCSP_id_issuer_cmp(a, b);
if (ret)
return ret;
- return ASN1_INTEGER_cmp(&a->serialNumber, &b->serialNumber);
+ return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
}
/*
@@ -126,7 +187,7 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
*ppath = NULL;
/* dup the buffer since we are going to mess with it */
- buf = OPENSSL_strdup(url);
+ buf = BUF_strdup(url);
if (!buf)
goto mem_err;
@@ -138,10 +199,10 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
*(p++) = '\0';
- if (strcmp(buf, "http") == 0) {
+ if (!strcmp(buf, "http")) {
*pssl = 0;
port = "80";
- } else if (strcmp(buf, "https") == 0) {
+ } else if (!strcmp(buf, "https")) {
*pssl = 1;
port = "443";
} else
@@ -160,9 +221,9 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
p = strchr(p, '/');
if (!p)
- *ppath = OPENSSL_strdup("/");
+ *ppath = BUF_strdup("/");
else {
- *ppath = OPENSSL_strdup(p);
+ *ppath = BUF_strdup(p);
/* Set start of path to 0 so hostname is valid */
*p = '\0';
}
@@ -187,11 +248,11 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
port = p + 1;
}
- *pport = OPENSSL_strdup(port);
+ *pport = BUF_strdup(port);
if (!*pport)
goto mem_err;
- *phost = OPENSSL_strdup(host);
+ *phost = BUF_strdup(host);
if (!*phost)
goto mem_err;
@@ -208,13 +269,20 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
err:
- OPENSSL_free(buf);
- OPENSSL_free(*ppath);
- *ppath = NULL;
- OPENSSL_free(*pport);
- *pport = NULL;
- OPENSSL_free(*phost);
- *phost = NULL;
+ if (buf)
+ OPENSSL_free(buf);
+ if (*ppath) {
+ OPENSSL_free(*ppath);
+ *ppath = NULL;
+ }
+ if (*pport) {
+ OPENSSL_free(*pport);
+ *pport = NULL;
+ }
+ if (*phost) {
+ OPENSSL_free(*phost);
+ *phost = NULL;
+ }
return 0;
}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
index 5605812e..47d5f83e 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
@@ -1,17 +1,72 @@
+/* ocsp_prn.c */
/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was originally part of ocsp.c and was transfered to
+ * Richard Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be
+ * included in OpenSSL or released as a patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
*/
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
-#include "internal/cryptlib.h"
#include <openssl/pem.h>
static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent)
@@ -19,13 +74,13 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent)
BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
indent += 2;
BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
- i2a_ASN1_OBJECT(bp, a->hashAlgorithm.algorithm);
+ i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
- i2a_ASN1_STRING(bp, &a->issuerNameHash, 0);
+ i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
- i2a_ASN1_STRING(bp, &a->issuerKeyHash, 0);
+ i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
- i2a_ASN1_INTEGER(bp, &a->serialNumber);
+ i2a_ASN1_INTEGER(bp, a->serialNumber);
BIO_printf(bp, "\n");
return 1;
}
@@ -35,17 +90,15 @@ typedef struct {
const char *m;
} OCSP_TBLSTR;
-static const char *do_table2string(long s, const OCSP_TBLSTR *ts, size_t len)
+static const char *table2string(long s, const OCSP_TBLSTR *ts, int len)
{
- size_t i;
- for (i = 0; i < len; i++, ts++)
- if (ts->t == s)
- return ts->m;
+ const OCSP_TBLSTR *p;
+ for (p = ts; p < ts + len; p++)
+ if (p->t == s)
+ return p->m;
return "(UNKNOWN)";
}
-#define table2string(s, tbl) do_table2string(s, tbl, OSSL_NELEM(tbl))
-
const char *OCSP_response_status_str(long s)
{
static const OCSP_TBLSTR rstat_tbl[] = {
@@ -56,7 +109,7 @@ const char *OCSP_response_status_str(long s)
{OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired"},
{OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized"}
};
- return table2string(s, rstat_tbl);
+ return table2string(s, rstat_tbl, 6);
}
const char *OCSP_cert_status_str(long s)
@@ -66,7 +119,7 @@ const char *OCSP_cert_status_str(long s)
{V_OCSP_CERTSTATUS_REVOKED, "revoked"},
{V_OCSP_CERTSTATUS_UNKNOWN, "unknown"}
};
- return table2string(s, cstat_tbl);
+ return table2string(s, cstat_tbl, 3);
}
const char *OCSP_crl_reason_str(long s)
@@ -81,7 +134,7 @@ const char *OCSP_crl_reason_str(long s)
{OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold"},
{OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL"}
};
- return table2string(s, reason_tbl);
+ return table2string(s, reason_tbl, 8);
}
int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags)
@@ -90,7 +143,7 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags)
long l;
OCSP_CERTID *cid = NULL;
OCSP_ONEREQ *one = NULL;
- OCSP_REQINFO *inf = &o->tbsRequest;
+ OCSP_REQINFO *inf = o->tbsRequest;
OCSP_SIGNATURE *sig = o->optionalSignature;
if (BIO_write(bp, "OCSP Request Data:\n", 19) <= 0)
@@ -118,7 +171,7 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags)
inf->requestExtensions, flags, 4))
goto err;
if (sig) {
- X509_signature_print(bp, &sig->signatureAlgorithm, sig->signature);
+ X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
for (i = 0; i < sk_X509_num(sig->certs); i++) {
X509_print(bp, sk_X509_value(sig->certs, i));
PEM_write_bio_X509(bp, sk_X509_value(sig->certs, i));
@@ -161,20 +214,20 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags)
if ((br = OCSP_response_get1_basic(o)) == NULL)
goto err;
- rd = &br->tbsResponseData;
+ rd = br->tbsResponseData;
l = ASN1_INTEGER_get(rd->version);
if (BIO_printf(bp, "\n Version: %lu (0x%lx)\n", l + 1, l) <= 0)
goto err;
if (BIO_puts(bp, " Responder Id: ") <= 0)
goto err;
- rid = &rd->responderId;
+ rid = rd->responderId;
switch (rid->type) {
case V_OCSP_RESPID_NAME:
X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
break;
case V_OCSP_RESPID_KEY:
- i2a_ASN1_STRING(bp, rid->value.byKey, 0);
+ i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
break;
}
@@ -231,7 +284,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags)
if (!X509V3_extensions_print(bp, "Response Extensions",
rd->responseExtensions, flags, 4))
goto err;
- if (X509_signature_print(bp, &br->signatureAlgorithm, br->signature) <= 0)
+ if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
goto err;
for (i = 0; i < sk_X509_num(br->certs); i++) {
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c
index 46a4bf78..2ec2c636 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c
@@ -1,20 +1,70 @@
+/* ocsp_srv.c */
/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "internal/cryptlib.h"
+#include <cryptlib.h>
#include <openssl/objects.h>
+#include <openssl/rand.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
/*
* Utility functions related to sending OCSP responses and extracting
@@ -23,12 +73,12 @@
int OCSP_request_onereq_count(OCSP_REQUEST *req)
{
- return sk_OCSP_ONEREQ_num(req->tbsRequest.requestList);
+ return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
}
OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
{
- return sk_OCSP_ONEREQ_value(req->tbsRequest.requestList, i);
+ return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
}
OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
@@ -43,13 +93,13 @@ int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
if (!cid)
return 0;
if (pmd)
- *pmd = cid->hashAlgorithm.algorithm;
+ *pmd = cid->hashAlgorithm->algorithm;
if (piNameHash)
- *piNameHash = &cid->issuerNameHash;
+ *piNameHash = cid->issuerNameHash;
if (pikeyHash)
- *pikeyHash = &cid->issuerKeyHash;
+ *pikeyHash = cid->issuerKeyHash;
if (pserial)
- *pserial = &cid->serialNumber;
+ *pserial = cid->serialNumber;
return 1;
}
@@ -65,13 +115,13 @@ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
{
OCSP_RESPONSE *rsp = NULL;
- if ((rsp = OCSP_RESPONSE_new()) == NULL)
+ if (!(rsp = OCSP_RESPONSE_new()))
goto err;
if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
goto err;
if (!bs)
return rsp;
- if ((rsp->responseBytes = OCSP_RESPBYTES_new()) == NULL)
+ if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
goto err;
rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
if (!ASN1_item_pack
@@ -79,7 +129,8 @@ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
goto err;
return rsp;
err:
- OCSP_RESPONSE_free(rsp);
+ if (rsp)
+ OCSP_RESPONSE_free(rsp);
return NULL;
}
@@ -94,12 +145,11 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
OCSP_CERTSTATUS *cs;
OCSP_REVOKEDINFO *ri;
- if (rsp->tbsResponseData.responses == NULL
- && (rsp->tbsResponseData.responses
- = sk_OCSP_SINGLERESP_new_null()) == NULL)
+ if (!rsp->tbsResponseData->responses &&
+ !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
goto err;
- if ((single = OCSP_SINGLERESP_new()) == NULL)
+ if (!(single = OCSP_SINGLERESP_new()))
goto err;
if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
@@ -110,7 +160,7 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
OCSP_CERTID_free(single->certId);
- if ((single->certId = OCSP_CERTID_dup(cid)) == NULL)
+ if (!(single->certId = OCSP_CERTID_dup(cid)))
goto err;
cs = single->certStatus;
@@ -120,12 +170,12 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS, OCSP_R_NO_REVOKED_TIME);
goto err;
}
- if ((cs->value.revoked = ri = OCSP_REVOKEDINFO_new()) == NULL)
+ if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
goto err;
if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
goto err;
if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
- if ((ri->revocationReason = ASN1_ENUMERATED_new()) == NULL)
+ if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
goto err;
if (!(ASN1_ENUMERATED_set(ri->revocationReason, reason)))
goto err;
@@ -133,20 +183,18 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
break;
case V_OCSP_CERTSTATUS_GOOD:
- if ((cs->value.good = ASN1_NULL_new()) == NULL)
- goto err;
+ cs->value.good = ASN1_NULL_new();
break;
case V_OCSP_CERTSTATUS_UNKNOWN:
- if ((cs->value.unknown = ASN1_NULL_new()) == NULL)
- goto err;
+ cs->value.unknown = ASN1_NULL_new();
break;
default:
goto err;
}
- if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData.responses, single)))
+ if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
goto err;
return single;
err:
@@ -158,13 +206,12 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
{
- if (resp->certs == NULL
- && (resp->certs = sk_X509_new_null()) == NULL)
+ if (!resp->certs && !(resp->certs = sk_X509_new_null()))
return 0;
if (!sk_X509_push(resp->certs, cert))
return 0;
- X509_up_ref(cert);
+ CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
return 1;
}
@@ -191,16 +238,23 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
}
}
- rid = &brsp->tbsResponseData.responderId;
+ rid = brsp->tbsResponseData->responderId;
if (flags & OCSP_RESPID_KEY) {
- if (!OCSP_RESPID_set_by_key(rid, signer))
+ unsigned char md[SHA_DIGEST_LENGTH];
+ X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
+ if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
goto err;
- } else if (!OCSP_RESPID_set_by_name(rid, signer)) {
- goto err;
+ if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+ goto err;
+ rid->type = V_OCSP_RESPID_KEY;
+ } else {
+ if (!X509_NAME_set(&rid->value.byName, X509_get_subject_name(signer)))
+ goto err;
+ rid->type = V_OCSP_RESPID_NAME;
}
if (!(flags & OCSP_NOTIME) &&
- !X509_gmtime_adj(brsp->tbsResponseData.producedAt, 0))
+ !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
goto err;
/*
@@ -215,63 +269,3 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
err:
return 0;
}
-
-int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert)
-{
- if (!X509_NAME_set(&respid->value.byName, X509_get_subject_name(cert)))
- return 0;
-
- respid->type = V_OCSP_RESPID_NAME;
-
- return 1;
-}
-
-int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
-{
- ASN1_OCTET_STRING *byKey = NULL;
- unsigned char md[SHA_DIGEST_LENGTH];
-
- /* RFC2560 requires SHA1 */
- if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
- return 0;
-
- byKey = ASN1_OCTET_STRING_new();
- if (byKey == NULL)
- return 0;
-
- if (!(ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH))) {
- ASN1_OCTET_STRING_free(byKey);
- return 0;
- }
-
- respid->type = V_OCSP_RESPID_KEY;
- respid->value.byKey = byKey;
-
- return 1;
-}
-
-int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
-{
- if (respid->type == V_OCSP_RESPID_KEY) {
- unsigned char md[SHA_DIGEST_LENGTH];
-
- if (respid->value.byKey == NULL)
- return 0;
-
- /* RFC2560 requires SHA1 */
- if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
- return 0;
-
- return (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH)
- && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md,
- SHA_DIGEST_LENGTH) == 0);
- } else if(respid->type == V_OCSP_RESPID_NAME) {
- if (respid->value.byName == NULL)
- return 0;
-
- return X509_NAME_cmp(respid->value.byName,
- X509_get_subject_name(cert)) == 0;
- }
-
- return 0;
-}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
index e2cfa6dd..d4a257c3 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
@@ -1,29 +1,80 @@
+/* ocsp_vfy.c */
/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
*/
#include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
#include <openssl/err.h>
#include <string.h>
static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
- STACK_OF(X509) *certs, unsigned long flags);
+ STACK_OF(X509) *certs, X509_STORE *st,
+ unsigned long flags);
static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain);
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
+ unsigned long flags);
static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp,
OCSP_CERTID **ret);
static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
STACK_OF(OCSP_SINGLERESP) *sresp);
-static int ocsp_check_delegated(X509 *x);
+static int ocsp_check_delegated(X509 *x, int flags);
static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
X509_NAME *nm, STACK_OF(X509) *certs,
- unsigned long flags);
+ X509_STORE *st, unsigned long flags);
/* Verify a basic response message */
@@ -33,30 +84,24 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509 *signer, *x;
STACK_OF(X509) *chain = NULL;
STACK_OF(X509) *untrusted = NULL;
- X509_STORE_CTX *ctx = NULL;
- int i, ret = ocsp_find_signer(&signer, bs, certs, flags);
-
+ X509_STORE_CTX ctx;
+ int i, ret = 0;
+ ret = ocsp_find_signer(&signer, bs, certs, st, flags);
if (!ret) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
goto end;
}
- ctx = X509_STORE_CTX_new();
- if (ctx == NULL) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
- goto f_err;
- }
if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
- skey = X509_get0_pubkey(signer);
- if (skey == NULL) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY);
- goto err;
+ skey = X509_get_pubkey(signer);
+ if (skey) {
+ ret = OCSP_BASICRESP_verify(bs, skey, 0);
+ EVP_PKEY_free(skey);
}
- ret = OCSP_BASICRESP_verify(bs, skey, 0);
- if (ret <= 0) {
+ if (!skey || ret <= 0) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
goto end;
}
@@ -70,23 +115,25 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
for (i = 0; i < sk_X509_num(certs); i++) {
if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
- goto f_err;
+ goto end;
}
}
} else {
untrusted = bs->certs;
}
- init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);
+ init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
if (!init_res) {
+ ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
- goto f_err;
+ goto end;
}
- X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
- ret = X509_verify_cert(ctx);
- chain = X509_STORE_CTX_get1_chain(ctx);
+ X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+ ret = X509_verify_cert(&ctx);
+ chain = X509_STORE_CTX_get1_chain(&ctx);
+ X509_STORE_CTX_cleanup(&ctx);
if (ret <= 0) {
- i = X509_STORE_CTX_get_error(ctx);
+ i = X509_STORE_CTX_get_error(&ctx);
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
OCSP_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
@@ -101,7 +148,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
* At this point we have a valid certificate chain need to verify it
* against the OCSP issuer criteria.
*/
- ret = ocsp_check_issuer(bs, chain);
+ ret = ocsp_check_issuer(bs, chain, flags);
/* If fatal error or valid match then finish */
if (ret != 0)
@@ -117,30 +164,25 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
- goto err;
+ goto end;
}
ret = 1;
}
+
end:
- X509_STORE_CTX_free(ctx);
- sk_X509_pop_free(chain, X509_free);
+ if (chain)
+ sk_X509_pop_free(chain, X509_free);
if (bs->certs && certs)
sk_X509_free(untrusted);
return ret;
-
- err:
- ret = 0;
- goto end;
- f_err:
- ret = -1;
- goto end;
}
static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
- STACK_OF(X509) *certs, unsigned long flags)
+ STACK_OF(X509) *certs, X509_STORE *st,
+ unsigned long flags)
{
X509 *signer;
- OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
+ OCSP_RESPID *rid = bs->tbsResponseData->responderId;
if ((signer = ocsp_find_signer_sk(certs, rid))) {
*psigner = signer;
return 2;
@@ -182,13 +224,14 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
return NULL;
}
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
+ unsigned long flags)
{
STACK_OF(OCSP_SINGLERESP) *sresp;
X509 *signer, *sca;
OCSP_CERTID *caid = NULL;
int i;
- sresp = bs->tbsResponseData.responses;
+ sresp = bs->tbsResponseData->responses;
if (sk_X509_num(chain) <= 0) {
OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
@@ -211,7 +254,7 @@ static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)
return i;
if (i) {
/* We have a match, if extensions OK then success */
- if (ocsp_check_delegated(signer))
+ if (ocsp_check_delegated(signer, flags))
return 1;
return 0;
}
@@ -248,9 +291,9 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
/* Check to see if IDs match */
if (OCSP_id_issuer_cmp(cid, tmpid)) {
- /* If algorithm mismatch let caller deal with it */
- if (OBJ_cmp(tmpid->hashAlgorithm.algorithm,
- cid->hashAlgorithm.algorithm))
+ /* If algoritm mismatch let caller deal with it */
+ if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
+ cid->hashAlgorithm->algorithm))
return 2;
/* Else mismatch */
return 0;
@@ -271,8 +314,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
X509_NAME *iname;
int mdlen;
unsigned char md[EVP_MAX_MD_SIZE];
- if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm))
- == NULL) {
+ if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
OCSP_R_UNKNOWN_MESSAGE_DIGEST);
return -1;
@@ -281,16 +323,16 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
mdlen = EVP_MD_size(dgst);
if (mdlen < 0)
return -1;
- if ((cid->issuerNameHash.length != mdlen) ||
- (cid->issuerKeyHash.length != mdlen))
+ if ((cid->issuerNameHash->length != mdlen) ||
+ (cid->issuerKeyHash->length != mdlen))
return 0;
iname = X509_get_subject_name(cert);
if (!X509_NAME_digest(iname, dgst, md, NULL))
return -1;
- if (memcmp(md, cid->issuerNameHash.data, mdlen))
+ if (memcmp(md, cid->issuerNameHash->data, mdlen))
return 0;
X509_pubkey_digest(cert, dgst, md, NULL);
- if (memcmp(md, cid->issuerKeyHash.data, mdlen))
+ if (memcmp(md, cid->issuerKeyHash->data, mdlen))
return 0;
return 1;
@@ -310,10 +352,10 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
}
-static int ocsp_check_delegated(X509 *x)
+static int ocsp_check_delegated(X509 *x, int flags)
{
- if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
- && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
+ X509_check_purpose(x, -1, 0);
+ if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
return 1;
OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
return 0;
@@ -331,80 +373,68 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
X509 *signer;
X509_NAME *nm;
GENERAL_NAME *gen;
- int ret = 0;
- X509_STORE_CTX *ctx = X509_STORE_CTX_new();
-
- if (ctx == NULL) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
+ int ret;
+ X509_STORE_CTX ctx;
if (!req->optionalSignature) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
- goto err;
+ return 0;
}
- gen = req->tbsRequest.requestorName;
+ gen = req->tbsRequest->requestorName;
if (!gen || gen->type != GEN_DIRNAME) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
- goto err;
+ return 0;
}
nm = gen->d.directoryName;
- ret = ocsp_req_find_signer(&signer, req, nm, certs, flags);
+ ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
if (ret <= 0) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- goto err;
+ return 0;
}
if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
- skey = X509_get0_pubkey(signer);
+ skey = X509_get_pubkey(signer);
ret = OCSP_REQUEST_verify(req, skey);
+ EVP_PKEY_free(skey);
if (ret <= 0) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
- goto err;
+ return 0;
}
}
if (!(flags & OCSP_NOVERIFY)) {
int init_res;
if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(ctx, store, signer, NULL);
+ init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
else
- init_res = X509_STORE_CTX_init(ctx, store, signer,
+ init_res = X509_STORE_CTX_init(&ctx, store, signer,
req->optionalSignature->certs);
if (!init_res) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB);
- goto err;
+ return 0;
}
- X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
- X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST);
- ret = X509_verify_cert(ctx);
+ X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+ X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
+ ret = X509_verify_cert(&ctx);
+ X509_STORE_CTX_cleanup(&ctx);
if (ret <= 0) {
- ret = X509_STORE_CTX_get_error(ctx);
+ ret = X509_STORE_CTX_get_error(&ctx);
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
OCSP_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(ret));
- goto err;
+ return 0;
}
}
- ret = 1;
- goto end;
-
-err:
- ret = 0;
-end:
- X509_STORE_CTX_free(ctx);
- return ret;
-
+ return 1;
}
static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
X509_NAME *nm, STACK_OF(X509) *certs,
- unsigned long flags)
+ X509_STORE *st, unsigned long flags)
{
X509 *signer;
if (!(flags & OCSP_NOINTERN)) {
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c b/Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c
deleted file mode 100644
index 2d425a89..00000000
--- a/Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-# include <stdio.h>
-# include "internal/cryptlib.h"
-# include <openssl/conf.h>
-# include <openssl/asn1.h>
-# include <openssl/ocsp.h>
-# include "ocsp_lcl.h"
-# include <openssl/x509v3.h>
-# include "../x509v3/ext_dat.h"
-
-/*
- * OCSP extensions and a couple of CRL entry extensions
- */
-
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
- int indent);
-
-static void *ocsp_nonce_new(void);
-static int i2d_ocsp_nonce(void *a, unsigned char **pp);
-static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
-static void ocsp_nonce_free(void *a);
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
- void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, const char *str);
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
- BIO *bp, int ind);
-
-const X509V3_EXT_METHOD v3_ocsp_crlid = {
- NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_crlid, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_acutoff = {
- NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_acutoff, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_crl_invdate = {
- NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_acutoff, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_crl_hold = {
- NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_object, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
- NID_id_pkix_OCSP_Nonce, 0, NULL,
- ocsp_nonce_new,
- ocsp_nonce_free,
- d2i_ocsp_nonce,
- i2d_ocsp_nonce,
- 0, 0,
- 0, 0,
- i2r_ocsp_nonce, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nocheck = {
- NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
- 0, 0, 0, 0,
- 0, s2i_ocsp_nocheck,
- 0, 0,
- i2r_ocsp_nocheck, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
- NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_serviceloc, 0,
- NULL
-};
-
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
- int ind)
-{
- OCSP_CRLID *a = in;
- if (a->crlUrl) {
- if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
- goto err;
- if (!ASN1_STRING_print(bp, (ASN1_STRING *)a->crlUrl))
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- if (a->crlNum) {
- if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
- goto err;
- if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- if (a->crlTime) {
- if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- return 1;
- err:
- return 0;
-}
-
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
- BIO *bp, int ind)
-{
- if (BIO_printf(bp, "%*s", ind, "") <= 0)
- return 0;
- if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
- return 0;
- return 1;
-}
-
-static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
- int ind)
-{
- if (BIO_printf(bp, "%*s", ind, "") <= 0)
- return 0;
- if (i2a_ASN1_OBJECT(bp, oid) <= 0)
- return 0;
- return 1;
-}
-
-/*
- * OCSP nonce. This is needs special treatment because it doesn't have an
- * ASN1 encoding at all: it just contains arbitrary data.
- */
-
-static void *ocsp_nonce_new(void)
-{
- return ASN1_OCTET_STRING_new();
-}
-
-static int i2d_ocsp_nonce(void *a, unsigned char **pp)
-{
- ASN1_OCTET_STRING *os = a;
- if (pp) {
- memcpy(*pp, os->data, os->length);
- *pp += os->length;
- }
- return os->length;
-}
-
-static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
-{
- ASN1_OCTET_STRING *os, **pos;
- pos = a;
- if (pos == NULL || *pos == NULL) {
- os = ASN1_OCTET_STRING_new();
- if (os == NULL)
- goto err;
- } else {
- os = *pos;
- }
- if (!ASN1_OCTET_STRING_set(os, *pp, length))
- goto err;
-
- *pp += length;
-
- if (pos)
- *pos = os;
- return os;
-
- err:
- if ((pos == NULL) || (*pos != os))
- ASN1_OCTET_STRING_free(os);
- OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-
-static void ocsp_nonce_free(void *a)
-{
- ASN1_OCTET_STRING_free(a);
-}
-
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent)
-{
- if (BIO_printf(out, "%*s", indent, "") <= 0)
- return 0;
- if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
- return 0;
- return 1;
-}
-
-/* Nocheck is just a single NULL. Don't print anything and always set it */
-
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
- BIO *out, int indent)
-{
- return 1;
-}
-
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, const char *str)
-{
- return ASN1_NULL_new();
-}
-
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
- BIO *bp, int ind)
-{
- int i;
- OCSP_SERVICELOC *a = in;
- ACCESS_DESCRIPTION *ad;
-
- if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
- goto err;
- if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
- goto err;
- for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
- ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
- if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
- goto err;
- if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
- goto err;
- if (BIO_puts(bp, " - ") <= 0)
- goto err;
- if (GENERAL_NAME_print(bp, ad->location) <= 0)
- goto err;
- }
- return 1;
- err:
- return 0;
-}
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-26 03:45:26 +0000