diff options
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/ocsp')
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c | 80 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c | 150 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c | 90 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c | 220 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c | 86 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h | 216 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c | 148 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c | 107 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c | 186 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c | 214 | ||||
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c | 264 |
11 files changed, 851 insertions, 910 deletions
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c index 1e0b8279..e2e52e77 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c @@ -1,19 +1,67 @@ +/* ocsp_asn.c */ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2000. + */ +/* ==================================================================== + * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ - #include <openssl/asn1.h> #include <openssl/asn1t.h> #include <openssl/ocsp.h> -#include "ocsp_lcl.h" ASN1_SEQUENCE(OCSP_SIGNATURE) = { - ASN1_EMBED(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR), + ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR), ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING), ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0) } ASN1_SEQUENCE_END(OCSP_SIGNATURE) @@ -21,10 +69,10 @@ ASN1_SEQUENCE(OCSP_SIGNATURE) = { IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE) ASN1_SEQUENCE(OCSP_CERTID) = { - ASN1_EMBED(OCSP_CERTID, hashAlgorithm, X509_ALGOR), - ASN1_EMBED(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING), - ASN1_EMBED(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING), - ASN1_EMBED(OCSP_CERTID, serialNumber, ASN1_INTEGER) + ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR), + ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING), + ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING), + ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER) } ASN1_SEQUENCE_END(OCSP_CERTID) IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID) @@ -46,7 +94,7 @@ ASN1_SEQUENCE(OCSP_REQINFO) = { IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO) ASN1_SEQUENCE(OCSP_REQUEST) = { - ASN1_EMBED(OCSP_REQUEST, tbsRequest, OCSP_REQINFO), + ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO), ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0) } ASN1_SEQUENCE_END(OCSP_REQUEST) @@ -102,7 +150,7 @@ IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP) ASN1_SEQUENCE(OCSP_RESPDATA) = { ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0), - ASN1_EMBED(OCSP_RESPDATA, responderId, OCSP_RESPID), + ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID), ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME), ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP), ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1) @@ -111,8 +159,8 @@ ASN1_SEQUENCE(OCSP_RESPDATA) = { IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA) ASN1_SEQUENCE(OCSP_BASICRESP) = { - ASN1_EMBED(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA), - ASN1_EMBED(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR), + ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA), + ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR), ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING), ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0) } ASN1_SEQUENCE_END(OCSP_BASICRESP) diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c index a42b80fa..fca7db0b 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c @@ -1,21 +1,78 @@ +/* ocsp_cl.c */ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL + * project. + */ + +/* + * History: This file was transfered to Richard Levitte from CertCo by Kathy + * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a + * patch kit. + */ + +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> #include <time.h> -#include "internal/cryptlib.h" +#include <cryptlib.h> #include <openssl/objects.h> +#include <openssl/rand.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/x509v3.h> #include <openssl/ocsp.h> -#include "ocsp_lcl.h" /* * Utility functions related to sending OCSP requests and extracting relevant @@ -31,11 +88,12 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) { OCSP_ONEREQ *one = NULL; - if ((one = OCSP_ONEREQ_new()) == NULL) - return NULL; - OCSP_CERTID_free(one->reqCert); + if (!(one = OCSP_ONEREQ_new())) + goto err; + if (one->reqCert) + OCSP_CERTID_free(one->reqCert); one->reqCert = cid; - if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) { + if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) { one->reqCert = NULL; /* do not free on error */ goto err; } @@ -50,7 +108,6 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm) { GENERAL_NAME *gen; - gen = GENERAL_NAME_new(); if (gen == NULL) return 0; @@ -59,8 +116,9 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm) return 0; } gen->type = GEN_DIRNAME; - GENERAL_NAME_free(req->tbsRequest.requestorName); - req->tbsRequest.requestorName = gen; + if (req->tbsRequest->requestorName) + GENERAL_NAME_free(req->tbsRequest->requestorName); + req->tbsRequest->requestorName = gen; return 1; } @@ -69,25 +127,24 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm) int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) { OCSP_SIGNATURE *sig; - if (req->optionalSignature == NULL) + if (!req->optionalSignature) req->optionalSignature = OCSP_SIGNATURE_new(); sig = req->optionalSignature; - if (sig == NULL) + if (!sig) return 0; - if (cert == NULL) + if (!cert) return 1; - if (sig->certs == NULL - && (sig->certs = sk_X509_new_null()) == NULL) + if (!sig->certs && !(sig->certs = sk_X509_new_null())) return 0; if (!sk_X509_push(sig->certs, cert)) return 0; - X509_up_ref(cert); + CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); return 1; } /* - * Sign an OCSP request set the requestorName to the subject name of an + * Sign an OCSP request set the requestorName to the subjec name of an * optional signers certificate and include one or more optional certificates * in the request. Behaves like PKCS7_sign(). */ @@ -99,12 +156,13 @@ int OCSP_request_sign(OCSP_REQUEST *req, STACK_OF(X509) *certs, unsigned long flags) { int i; + OCSP_SIGNATURE *sig; X509 *x; if (!OCSP_request_set1_name(req, X509_get_subject_name(signer))) goto err; - if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL) + if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err; if (key) { if (!X509_check_private_key(signer, key)) { @@ -161,20 +219,15 @@ OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp) return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP)); } -const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs) -{ - return bs->signature; -} - /* - * Return number of OCSP_SINGLERESP responses present in a basic response. + * Return number of OCSP_SINGLERESP reponses present in a basic response. */ int OCSP_resp_count(OCSP_BASICRESP *bs) { if (!bs) return -1; - return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses); + return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses); } /* Extract an OCSP_SINGLERESP response with a given index */ @@ -183,35 +236,7 @@ OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx) { if (!bs) return NULL; - return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx); -} - -const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs) -{ - return bs->tbsResponseData.producedAt; -} - -const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs) -{ - return bs->certs; -} - -int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, - const ASN1_OCTET_STRING **pid, - const X509_NAME **pname) - -{ - const OCSP_RESPID *rid = &bs->tbsResponseData.responderId; - if (rid->type == V_OCSP_RESPID_NAME) { - *pname = rid->value.byName; - *pid = NULL; - } else if (rid->type == V_OCSP_RESPID_KEY) { - *pid = rid->value.byKey; - *pname = NULL; - } else { - return 0; - } - return 1; + return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx); } /* Look single response matching a given certificate ID */ @@ -227,7 +252,7 @@ int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last) last = 0; else last++; - sresp = bs->tbsResponseData.responses; + sresp = bs->tbsResponseData->responses; for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) { single = sk_OCSP_SINGLERESP_value(sresp, i); if (!OCSP_id_cmp(id, single->certId)) @@ -297,7 +322,7 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, /* * Check validity of thisUpdate and nextUpdate fields. It is possible that - * the request will take a few seconds to process and/or the time won't be + * the request will take a few seconds to process and/or the time wont be * totally accurate. Therefore to avoid rejecting otherwise valid time we * allow the times to be within 'nsec' of the current time. Also to avoid * accepting very old responses without a nextUpdate field an optional maxage @@ -358,8 +383,3 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, return ret; } - -const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single) -{ - return single->certId; -} diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c index a2d96e9c..722043c0 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c @@ -1,11 +1,62 @@ -/* - * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/ocsp/ocsp_err.c */ +/* ==================================================================== + * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* + * NOTE: this file was auto generated by the mkerr.pl script: any changes + * made to it will be overwritten when the script next updates this file, + * only reason strings will be preserved. */ #include <stdio.h> @@ -19,25 +70,30 @@ # define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason) static ERR_STRING_DATA OCSP_str_functs[] = { - {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "d2i_ocsp_nonce"}, + {ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"}, + {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"}, {ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"}, {ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"}, {ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"}, {ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"}, - {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "ocsp_check_delegated"}, - {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "ocsp_check_ids"}, - {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "ocsp_check_issuer"}, + {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"}, + {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"}, + {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"}, {ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"}, - {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "ocsp_match_issuerid"}, + {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"}, {ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"}, {ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"}, {ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"}, {ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"}, - {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "parse_http_line1"}, + {ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"}, + {ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"}, + {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"}, + {ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"}, {0, NULL} }; static ERR_STRING_DATA OCSP_str_reasons[] = { + {ERR_REASON(OCSP_R_BAD_DATA), "bad data"}, {ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"}, {ERR_REASON(OCSP_R_DIGEST_ERR), "digest err"}, {ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD), @@ -51,18 +107,21 @@ static ERR_STRING_DATA OCSP_str_reasons[] = { "nextupdate before thisupdate"}, {ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE), "not basic response"}, {ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN), "no certificates in chain"}, + {ERR_REASON(OCSP_R_NO_CONTENT), "no content"}, + {ERR_REASON(OCSP_R_NO_PUBLIC_KEY), "no public key"}, {ERR_REASON(OCSP_R_NO_RESPONSE_DATA), "no response data"}, {ERR_REASON(OCSP_R_NO_REVOKED_TIME), "no revoked time"}, - {ERR_REASON(OCSP_R_NO_SIGNER_KEY), "no signer key"}, {ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"}, {ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED), "request not signed"}, {ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA), "response contains no revocation data"}, {ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED), "root ca not trusted"}, + {ERR_REASON(OCSP_R_SERVER_READ_ERROR), "server read error"}, {ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR), "server response error"}, {ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR), "server response parse error"}, + {ERR_REASON(OCSP_R_SERVER_WRITE_ERROR), "server write error"}, {ERR_REASON(OCSP_R_SIGNATURE_FAILURE), "signature failure"}, {ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND), "signer certificate not found"}, @@ -78,7 +137,7 @@ static ERR_STRING_DATA OCSP_str_reasons[] = { #endif -int ERR_load_OCSP_strings(void) +void ERR_load_OCSP_strings(void) { #ifndef OPENSSL_NO_ERR @@ -87,5 +146,4 @@ int ERR_load_OCSP_strings(void) ERR_load_strings(0, OCSP_str_reasons); } #endif - return 1; } diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c index b829b2e4..55af31b5 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c @@ -1,18 +1,74 @@ +/* ocsp_ext.c */ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL + * project. + */ + +/* + * History: This file was transfered to Richard Levitte from CertCo by Kathy + * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a + * patch kit. + */ + +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> -#include "internal/cryptlib.h" +#include <cryptlib.h> #include <openssl/objects.h> #include <openssl/x509.h> #include <openssl/ocsp.h> -#include "ocsp_lcl.h" #include <openssl/rand.h> #include <openssl/x509v3.h> @@ -22,53 +78,53 @@ int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x) { - return (X509v3_get_ext_count(x->tbsRequest.requestExtensions)); + return (X509v3_get_ext_count(x->tbsRequest->requestExtensions)); } int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos) { return (X509v3_get_ext_by_NID - (x->tbsRequest.requestExtensions, nid, lastpos)); + (x->tbsRequest->requestExtensions, nid, lastpos)); } -int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj, +int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos) { return (X509v3_get_ext_by_OBJ - (x->tbsRequest.requestExtensions, obj, lastpos)); + (x->tbsRequest->requestExtensions, obj, lastpos)); } int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos) { return (X509v3_get_ext_by_critical - (x->tbsRequest.requestExtensions, crit, lastpos)); + (x->tbsRequest->requestExtensions, crit, lastpos)); } X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc) { - return (X509v3_get_ext(x->tbsRequest.requestExtensions, loc)); + return (X509v3_get_ext(x->tbsRequest->requestExtensions, loc)); } X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc) { - return (X509v3_delete_ext(x->tbsRequest.requestExtensions, loc)); + return (X509v3_delete_ext(x->tbsRequest->requestExtensions, loc)); } void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx) { - return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx); + return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx); } int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit, unsigned long flags) { - return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value, + return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags); } int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc) { - return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) != + return (X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex, loc) != NULL); } @@ -84,8 +140,7 @@ int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos) return (X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos)); } -int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj, - int lastpos) +int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos) { return (X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos)); } @@ -127,56 +182,56 @@ int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc) int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x) { - return (X509v3_get_ext_count(x->tbsResponseData.responseExtensions)); + return (X509v3_get_ext_count(x->tbsResponseData->responseExtensions)); } int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos) { return (X509v3_get_ext_by_NID - (x->tbsResponseData.responseExtensions, nid, lastpos)); + (x->tbsResponseData->responseExtensions, nid, lastpos)); } -int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj, +int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos) { return (X509v3_get_ext_by_OBJ - (x->tbsResponseData.responseExtensions, obj, lastpos)); + (x->tbsResponseData->responseExtensions, obj, lastpos)); } int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos) { return (X509v3_get_ext_by_critical - (x->tbsResponseData.responseExtensions, crit, lastpos)); + (x->tbsResponseData->responseExtensions, crit, lastpos)); } X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc) { - return (X509v3_get_ext(x->tbsResponseData.responseExtensions, loc)); + return (X509v3_get_ext(x->tbsResponseData->responseExtensions, loc)); } X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc) { - return (X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc)); + return (X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc)); } void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx) { - return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit, + return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx); } int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit, unsigned long flags) { - return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid, + return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags); } int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc) { - return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc) + return (X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex, loc) != NULL); } @@ -192,7 +247,7 @@ int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos) return (X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos)); } -int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj, +int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos) { return (X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos)); @@ -232,11 +287,54 @@ int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc) } /* also CRL Entry Extensions */ +#if 0 +ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, + void *data, STACK_OF(ASN1_OBJECT) *sk) +{ + int i; + unsigned char *p, *b = NULL; + + if (data) { + if ((i = i2d(data, NULL)) <= 0) + goto err; + if (!(b = p = OPENSSL_malloc((unsigned int)i))) + goto err; + if (i2d(data, &p) <= 0) + goto err; + } else if (sk) { + if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk, NULL, + (I2D_OF(ASN1_OBJECT)) i2d, + V_ASN1_SEQUENCE, + V_ASN1_UNIVERSAL, + IS_SEQUENCE)) <= 0) + goto err; + if (!(b = p = OPENSSL_malloc((unsigned int)i))) + goto err; + if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk, &p, (I2D_OF(ASN1_OBJECT)) i2d, + V_ASN1_SEQUENCE, + V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0) + goto err; + } else { + OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA); + goto err; + } + if (!s && !(s = ASN1_STRING_new())) + goto err; + if (!(ASN1_STRING_set(s, b, i))) + goto err; + OPENSSL_free(b); + return s; + err: + if (b) + OPENSSL_free(b); + return NULL; +} +#endif /* Nonce handling functions */ /* - * Add a nonce to an extension stack. A nonce can be specified or if NULL a + * Add a nonce to an extension stack. A nonce can be specificed or if NULL a * random nonce will be generated. Note: OpenSSL 0.9.7d and later create an * OCTET STRING containing the nonce, previous versions used the raw nonce. */ @@ -256,9 +354,6 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, * relies on library internals. */ os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING); - if (os.length < 0) - return 0; - os.data = OPENSSL_malloc(os.length); if (os.data == NULL) goto err; @@ -273,7 +368,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, goto err; ret = 1; err: - OPENSSL_free(os.data); + if (os.data) + OPENSSL_free(os.data); return ret; } @@ -281,14 +377,14 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len) { - return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len); + return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len); } /* Same as above but for a response */ int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len) { - return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val, + return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len); } @@ -334,8 +430,7 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs) */ req_ext = OCSP_REQUEST_get_ext(req, req_idx); resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx); - if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext), - X509_EXTENSION_get_data(resp_ext))) + if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value)) return 0; return 1; } @@ -357,34 +452,35 @@ int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req) return OCSP_BASICRESP_add_ext(resp, req_ext, -1); } -X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim) +X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim) { X509_EXTENSION *x = NULL; OCSP_CRLID *cid = NULL; - if ((cid = OCSP_CRLID_new()) == NULL) + if (!(cid = OCSP_CRLID_new())) goto err; if (url) { - if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL) + if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err; if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err; } if (n) { - if ((cid->crlNum = ASN1_INTEGER_new()) == NULL) + if (!(cid->crlNum = ASN1_INTEGER_new())) goto err; if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err; } if (tim) { - if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL) + if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err; if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) goto err; } x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid); err: - OCSP_CRLID_free(cid); + if (cid) + OCSP_CRLID_free(cid); return x; } @@ -396,7 +492,7 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids) ASN1_OBJECT *o = NULL; X509_EXTENSION *x = NULL; - if ((sk = sk_ASN1_OBJECT_new_null()) == NULL) + if (!(sk = sk_ASN1_OBJECT_new_null())) goto err; while (oids && *oids) { if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid))) @@ -405,7 +501,8 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids) } x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk); err: - sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); + if (sk) + sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); return x; } @@ -415,13 +512,14 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim) X509_EXTENSION *x = NULL; ASN1_GENERALIZEDTIME *gt = NULL; - if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL) + if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err; if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err; x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt); err: - ASN1_GENERALIZEDTIME_free(gt); + if (gt) + ASN1_GENERALIZEDTIME_free(gt); return x; } @@ -430,43 +528,39 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim) * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This method * forces NID_ad_ocsp and uniformResourceLocator [6] IA5String. */ -X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls) +X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, char **urls) { X509_EXTENSION *x = NULL; ASN1_IA5STRING *ia5 = NULL; OCSP_SERVICELOC *sloc = NULL; ACCESS_DESCRIPTION *ad = NULL; - if ((sloc = OCSP_SERVICELOC_new()) == NULL) + if (!(sloc = OCSP_SERVICELOC_new())) goto err; - if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL) + if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err; - if (urls && *urls - && (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL) + if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err; while (urls && *urls) { - if ((ad = ACCESS_DESCRIPTION_new()) == NULL) + if (!(ad = ACCESS_DESCRIPTION_new())) goto err; - if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL) + if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP))) goto err; - if ((ad->location = GENERAL_NAME_new()) == NULL) + if (!(ad->location = GENERAL_NAME_new())) goto err; - if ((ia5 = ASN1_IA5STRING_new()) == NULL) + if (!(ia5 = ASN1_IA5STRING_new())) goto err; if (!ASN1_STRING_set((ASN1_STRING *)ia5, *urls, -1)) goto err; ad->location->type = GEN_URI; ad->location->d.ia5 = ia5; - ia5 = NULL; if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err; - ad = NULL; urls++; } x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc); err: - ASN1_IA5STRING_free(ia5); - ACCESS_DESCRIPTION_free(ad); - OCSP_SERVICELOC_free(sloc); + if (sloc) + OCSP_SERVICELOC_free(sloc); return x; } diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c index 680edfa5..88b26b38 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c @@ -1,10 +1,60 @@ +/* ocsp_ht.c */ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2006. + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> @@ -16,6 +66,9 @@ #include <openssl/ocsp.h> #include <openssl/err.h> #include <openssl/buffer.h> +#ifdef OPENSSL_SYS_SUNOS +# define strtoul (unsigned long)strtol +#endif /* OPENSSL_SYS_SUNOS */ /* Stateful OCSP request code, supporting non-blocking I/O */ @@ -63,20 +116,21 @@ static int parse_http_line1(char *line); OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline) { - OCSP_REQ_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); - - if (rctx == NULL) + OCSP_REQ_CTX *rctx; + rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX)); + if (!rctx) return NULL; rctx->state = OHS_ERROR; rctx->max_resp_len = OCSP_MAX_RESP_LENGTH; rctx->mem = BIO_new(BIO_s_mem()); rctx->io = io; + rctx->asn1_len = 0; if (maxline > 0) rctx->iobuflen = maxline; else rctx->iobuflen = OCSP_MAX_LINE_LEN; rctx->iobuf = OPENSSL_malloc(rctx->iobuflen); - if (rctx->iobuf == NULL || rctx->mem == NULL) { + if (!rctx->iobuf || !rctx->mem) { OCSP_REQ_CTX_free(rctx); return NULL; } @@ -85,10 +139,10 @@ OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline) void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) { - if (!rctx) - return; - BIO_free(rctx->mem); - OPENSSL_free(rctx->iobuf); + if (rctx->mem) + BIO_free(rctx->mem); + if (rctx->iobuf) + OPENSSL_free(rctx->iobuf); OPENSSL_free(rctx); } @@ -182,7 +236,7 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, OCSP_REQ_CTX *rctx = NULL; rctx = OCSP_REQ_CTX_new(io, maxline); - if (rctx == NULL) + if (!rctx) return NULL; if (!OCSP_REQ_CTX_http(rctx, "POST", path)) @@ -457,6 +511,8 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx) rctx->state = OHS_DONE; return 1; + break; + case OHS_DONE: return 1; @@ -483,7 +539,7 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req) ctx = OCSP_sendreq_new(b, path, req, -1); - if (ctx == NULL) + if (!ctx) return NULL; do { diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h deleted file mode 100644 index f93a268e..00000000 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h +++ /dev/null @@ -1,216 +0,0 @@ -/* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/*- CertID ::= SEQUENCE { - * hashAlgorithm AlgorithmIdentifier, - * issuerNameHash OCTET STRING, -- Hash of Issuer's DN - * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields) - * serialNumber CertificateSerialNumber } - */ -struct ocsp_cert_id_st { - X509_ALGOR hashAlgorithm; - ASN1_OCTET_STRING issuerNameHash; - ASN1_OCTET_STRING issuerKeyHash; - ASN1_INTEGER serialNumber; -}; - -/*- Request ::= SEQUENCE { - * reqCert CertID, - * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } - */ -struct ocsp_one_request_st { - OCSP_CERTID *reqCert; - STACK_OF(X509_EXTENSION) *singleRequestExtensions; -}; - -/*- TBSRequest ::= SEQUENCE { - * version [0] EXPLICIT Version DEFAULT v1, - * requestorName [1] EXPLICIT GeneralName OPTIONAL, - * requestList SEQUENCE OF Request, - * requestExtensions [2] EXPLICIT Extensions OPTIONAL } - */ -struct ocsp_req_info_st { - ASN1_INTEGER *version; - GENERAL_NAME *requestorName; - STACK_OF(OCSP_ONEREQ) *requestList; - STACK_OF(X509_EXTENSION) *requestExtensions; -}; - -/*- Signature ::= SEQUENCE { - * signatureAlgorithm AlgorithmIdentifier, - * signature BIT STRING, - * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } - */ -struct ocsp_signature_st { - X509_ALGOR signatureAlgorithm; - ASN1_BIT_STRING *signature; - STACK_OF(X509) *certs; -}; - -/*- OCSPRequest ::= SEQUENCE { - * tbsRequest TBSRequest, - * optionalSignature [0] EXPLICIT Signature OPTIONAL } - */ -struct ocsp_request_st { - OCSP_REQINFO tbsRequest; - OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */ -}; - -/*- OCSPResponseStatus ::= ENUMERATED { - * successful (0), --Response has valid confirmations - * malformedRequest (1), --Illegal confirmation request - * internalError (2), --Internal error in issuer - * tryLater (3), --Try again later - * --(4) is not used - * sigRequired (5), --Must sign the request - * unauthorized (6) --Request unauthorized - * } - */ - -/*- ResponseBytes ::= SEQUENCE { - * responseType OBJECT IDENTIFIER, - * response OCTET STRING } - */ -struct ocsp_resp_bytes_st { - ASN1_OBJECT *responseType; - ASN1_OCTET_STRING *response; -}; - -/*- OCSPResponse ::= SEQUENCE { - * responseStatus OCSPResponseStatus, - * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } - */ -struct ocsp_response_st { - ASN1_ENUMERATED *responseStatus; - OCSP_RESPBYTES *responseBytes; -}; - -/*- ResponderID ::= CHOICE { - * byName [1] Name, - * byKey [2] KeyHash } - */ -struct ocsp_responder_id_st { - int type; - union { - X509_NAME *byName; - ASN1_OCTET_STRING *byKey; - } value; -}; - -/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key - * --(excluding the tag and length fields) - */ - -/*- RevokedInfo ::= SEQUENCE { - * revocationTime GeneralizedTime, - * revocationReason [0] EXPLICIT CRLReason OPTIONAL } - */ -struct ocsp_revoked_info_st { - ASN1_GENERALIZEDTIME *revocationTime; - ASN1_ENUMERATED *revocationReason; -}; - -/*- CertStatus ::= CHOICE { - * good [0] IMPLICIT NULL, - * revoked [1] IMPLICIT RevokedInfo, - * unknown [2] IMPLICIT UnknownInfo } - */ -struct ocsp_cert_status_st { - int type; - union { - ASN1_NULL *good; - OCSP_REVOKEDINFO *revoked; - ASN1_NULL *unknown; - } value; -}; - -/*- SingleResponse ::= SEQUENCE { - * certID CertID, - * certStatus CertStatus, - * thisUpdate GeneralizedTime, - * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, - * singleExtensions [1] EXPLICIT Extensions OPTIONAL } - */ -struct ocsp_single_response_st { - OCSP_CERTID *certId; - OCSP_CERTSTATUS *certStatus; - ASN1_GENERALIZEDTIME *thisUpdate; - ASN1_GENERALIZEDTIME *nextUpdate; - STACK_OF(X509_EXTENSION) *singleExtensions; -}; - -/*- ResponseData ::= SEQUENCE { - * version [0] EXPLICIT Version DEFAULT v1, - * responderID ResponderID, - * producedAt GeneralizedTime, - * responses SEQUENCE OF SingleResponse, - * responseExtensions [1] EXPLICIT Extensions OPTIONAL } - */ -struct ocsp_response_data_st { - ASN1_INTEGER *version; - OCSP_RESPID responderId; - ASN1_GENERALIZEDTIME *producedAt; - STACK_OF(OCSP_SINGLERESP) *responses; - STACK_OF(X509_EXTENSION) *responseExtensions; -}; - -/*- BasicOCSPResponse ::= SEQUENCE { - * tbsResponseData ResponseData, - * signatureAlgorithm AlgorithmIdentifier, - * signature BIT STRING, - * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } - */ - /* - * Note 1: The value for "signature" is specified in the OCSP rfc2560 as - * follows: "The value for the signature SHALL be computed on the hash of - * the DER encoding ResponseData." This means that you must hash the - * DER-encoded tbsResponseData, and then run it through a crypto-signing - * function, which will (at least w/RSA) do a hash-'n'-private-encrypt - * operation. This seems a bit odd, but that's the spec. Also note that - * the data structures do not leave anywhere to independently specify the - * algorithm used for the initial hash. So, we look at the - * signature-specification algorithm, and try to do something intelligent. - * -- Kathy Weinhold, CertCo - */ - /* - * Note 2: It seems that the mentioned passage from RFC 2560 (section - * 4.2.1) is open for interpretation. I've done tests against another - * responder, and found that it doesn't do the double hashing that the RFC - * seems to say one should. Therefore, all relevant functions take a flag - * saying which variant should be used. -- Richard Levitte, OpenSSL team - * and CeloCom - */ -struct ocsp_basic_response_st { - OCSP_RESPDATA tbsResponseData; - X509_ALGOR signatureAlgorithm; - ASN1_BIT_STRING *signature; - STACK_OF(X509) *certs; -}; - -/*- - * CrlID ::= SEQUENCE { - * crlUrl [0] EXPLICIT IA5String OPTIONAL, - * crlNum [1] EXPLICIT INTEGER OPTIONAL, - * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } - */ -struct ocsp_crl_id_st { - ASN1_IA5STRING *crlUrl; - ASN1_INTEGER *crlNum; - ASN1_GENERALIZEDTIME *crlTime; -}; - -/*- - * ServiceLocator ::= SEQUENCE { - * issuer Name, - * locator AuthorityInfoAccessSyntax OPTIONAL } - */ -struct ocsp_service_locator_st { - X509_NAME *issuer; - STACK_OF(ACCESS_DESCRIPTION) *locator; -}; diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c index 8edd70ac..ff781e56 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c @@ -1,35 +1,93 @@ +/* ocsp_lib.c */ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL + * project. + */ + +/* + * History: This file was transfered to Richard Levitte from CertCo by Kathy + * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a + * patch kit. + */ + +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> -#include "internal/cryptlib.h" +#include <cryptlib.h> #include <openssl/objects.h> +#include <openssl/rand.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/x509v3.h> #include <openssl/ocsp.h> -#include "ocsp_lcl.h" #include <openssl/asn1t.h> /* Convert a certificate and its issuer to an OCSP_CERTID */ -OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, - const X509 *issuer) +OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) { X509_NAME *iname; - const ASN1_INTEGER *serial; + ASN1_INTEGER *serial; ASN1_BIT_STRING *ikey; +#ifndef OPENSSL_NO_SHA1 if (!dgst) dgst = EVP_sha1(); +#endif if (subject) { iname = X509_get_issuer_name(subject); - serial = X509_get0_serialNumber(subject); + serial = X509_get_serialNumber(subject); } else { iname = X509_get_subject_name(issuer); serial = NULL; @@ -39,9 +97,9 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, } OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, - const X509_NAME *issuerName, - const ASN1_BIT_STRING *issuerKey, - const ASN1_INTEGER *serialNumber) + X509_NAME *issuerName, + ASN1_BIT_STRING *issuerKey, + ASN1_INTEGER *serialNumber) { int nid; unsigned int i; @@ -49,16 +107,17 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, OCSP_CERTID *cid = NULL; unsigned char md[EVP_MAX_MD_SIZE]; - if ((cid = OCSP_CERTID_new()) == NULL) + if (!(cid = OCSP_CERTID_new())) goto err; - alg = &cid->hashAlgorithm; - ASN1_OBJECT_free(alg->algorithm); + alg = cid->hashAlgorithm; + if (alg->algorithm != NULL) + ASN1_OBJECT_free(alg->algorithm); if ((nid = EVP_MD_type(dgst)) == NID_undef) { OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID); goto err; } - if ((alg->algorithm = OBJ_nid2obj(nid)) == NULL) + if (!(alg->algorithm = OBJ_nid2obj(nid))) goto err; if ((alg->parameter = ASN1_TYPE_new()) == NULL) goto err; @@ -66,38 +125,40 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr; - if (!(ASN1_OCTET_STRING_set(&cid->issuerNameHash, md, i))) + if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err; /* Calculate the issuerKey hash, excluding tag and length */ if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL)) goto err; - if (!(ASN1_OCTET_STRING_set(&cid->issuerKeyHash, md, i))) + if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err; if (serialNumber) { - if (ASN1_STRING_copy(&cid->serialNumber, serialNumber) == 0) + ASN1_INTEGER_free(cid->serialNumber); + if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err; } return cid; digerr: OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR); err: - OCSP_CERTID_free(cid); + if (cid) + OCSP_CERTID_free(cid); return NULL; } int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b) { int ret; - ret = OBJ_cmp(a->hashAlgorithm.algorithm, b->hashAlgorithm.algorithm); + ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm); if (ret) return ret; - ret = ASN1_OCTET_STRING_cmp(&a->issuerNameHash, &b->issuerNameHash); + ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash); if (ret) return ret; - return ASN1_OCTET_STRING_cmp(&a->issuerKeyHash, &b->issuerKeyHash); + return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash); } int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) @@ -106,7 +167,7 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) ret = OCSP_id_issuer_cmp(a, b); if (ret) return ret; - return ASN1_INTEGER_cmp(&a->serialNumber, &b->serialNumber); + return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber); } /* @@ -126,7 +187,7 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, *ppath = NULL; /* dup the buffer since we are going to mess with it */ - buf = OPENSSL_strdup(url); + buf = BUF_strdup(url); if (!buf) goto mem_err; @@ -138,10 +199,10 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, *(p++) = '\0'; - if (strcmp(buf, "http") == 0) { + if (!strcmp(buf, "http")) { *pssl = 0; port = "80"; - } else if (strcmp(buf, "https") == 0) { + } else if (!strcmp(buf, "https")) { *pssl = 1; port = "443"; } else @@ -160,9 +221,9 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, p = strchr(p, '/'); if (!p) - *ppath = OPENSSL_strdup("/"); + *ppath = BUF_strdup("/"); else { - *ppath = OPENSSL_strdup(p); + *ppath = BUF_strdup(p); /* Set start of path to 0 so hostname is valid */ *p = '\0'; } @@ -187,11 +248,11 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, port = p + 1; } - *pport = OPENSSL_strdup(port); + *pport = BUF_strdup(port); if (!*pport) goto mem_err; - *phost = OPENSSL_strdup(host); + *phost = BUF_strdup(host); if (!*phost) goto mem_err; @@ -208,13 +269,20 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL); err: - OPENSSL_free(buf); - OPENSSL_free(*ppath); - *ppath = NULL; - OPENSSL_free(*pport); - *pport = NULL; - OPENSSL_free(*phost); - *phost = NULL; + if (buf) + OPENSSL_free(buf); + if (*ppath) { + OPENSSL_free(*ppath); + *ppath = NULL; + } + if (*pport) { + OPENSSL_free(*pport); + *pport = NULL; + } + if (*phost) { + OPENSSL_free(*phost); + *phost = NULL; + } return 0; } diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c index 5605812e..47d5f83e 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c @@ -1,17 +1,72 @@ +/* ocsp_prn.c */ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL + * project. + */ + +/* + * History: This file was originally part of ocsp.c and was transfered to + * Richard Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be + * included in OpenSSL or released as a patch kit. + */ + +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <openssl/bio.h> #include <openssl/err.h> #include <openssl/ocsp.h> -#include "ocsp_lcl.h" -#include "internal/cryptlib.h" #include <openssl/pem.h> static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent) @@ -19,13 +74,13 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent) BIO_printf(bp, "%*sCertificate ID:\n", indent, ""); indent += 2; BIO_printf(bp, "%*sHash Algorithm: ", indent, ""); - i2a_ASN1_OBJECT(bp, a->hashAlgorithm.algorithm); + i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm); BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, ""); - i2a_ASN1_STRING(bp, &a->issuerNameHash, 0); + i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING); BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, ""); - i2a_ASN1_STRING(bp, &a->issuerKeyHash, 0); + i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING); BIO_printf(bp, "\n%*sSerial Number: ", indent, ""); - i2a_ASN1_INTEGER(bp, &a->serialNumber); + i2a_ASN1_INTEGER(bp, a->serialNumber); BIO_printf(bp, "\n"); return 1; } @@ -35,17 +90,15 @@ typedef struct { const char *m; } OCSP_TBLSTR; -static const char *do_table2string(long s, const OCSP_TBLSTR *ts, size_t len) +static const char *table2string(long s, const OCSP_TBLSTR *ts, int len) { - size_t i; - for (i = 0; i < len; i++, ts++) - if (ts->t == s) - return ts->m; + const OCSP_TBLSTR *p; + for (p = ts; p < ts + len; p++) + if (p->t == s) + return p->m; return "(UNKNOWN)"; } -#define table2string(s, tbl) do_table2string(s, tbl, OSSL_NELEM(tbl)) - const char *OCSP_response_status_str(long s) { static const OCSP_TBLSTR rstat_tbl[] = { @@ -56,7 +109,7 @@ const char *OCSP_response_status_str(long s) {OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired"}, {OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized"} }; - return table2string(s, rstat_tbl); + return table2string(s, rstat_tbl, 6); } const char *OCSP_cert_status_str(long s) @@ -66,7 +119,7 @@ const char *OCSP_cert_status_str(long s) {V_OCSP_CERTSTATUS_REVOKED, "revoked"}, {V_OCSP_CERTSTATUS_UNKNOWN, "unknown"} }; - return table2string(s, cstat_tbl); + return table2string(s, cstat_tbl, 3); } const char *OCSP_crl_reason_str(long s) @@ -81,7 +134,7 @@ const char *OCSP_crl_reason_str(long s) {OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold"}, {OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL"} }; - return table2string(s, reason_tbl); + return table2string(s, reason_tbl, 8); } int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags) @@ -90,7 +143,7 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags) long l; OCSP_CERTID *cid = NULL; OCSP_ONEREQ *one = NULL; - OCSP_REQINFO *inf = &o->tbsRequest; + OCSP_REQINFO *inf = o->tbsRequest; OCSP_SIGNATURE *sig = o->optionalSignature; if (BIO_write(bp, "OCSP Request Data:\n", 19) <= 0) @@ -118,7 +171,7 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags) inf->requestExtensions, flags, 4)) goto err; if (sig) { - X509_signature_print(bp, &sig->signatureAlgorithm, sig->signature); + X509_signature_print(bp, sig->signatureAlgorithm, sig->signature); for (i = 0; i < sk_X509_num(sig->certs); i++) { X509_print(bp, sk_X509_value(sig->certs, i)); PEM_write_bio_X509(bp, sk_X509_value(sig->certs, i)); @@ -161,20 +214,20 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags) if ((br = OCSP_response_get1_basic(o)) == NULL) goto err; - rd = &br->tbsResponseData; + rd = br->tbsResponseData; l = ASN1_INTEGER_get(rd->version); if (BIO_printf(bp, "\n Version: %lu (0x%lx)\n", l + 1, l) <= 0) goto err; if (BIO_puts(bp, " Responder Id: ") <= 0) goto err; - rid = &rd->responderId; + rid = rd->responderId; switch (rid->type) { case V_OCSP_RESPID_NAME: X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE); break; case V_OCSP_RESPID_KEY: - i2a_ASN1_STRING(bp, rid->value.byKey, 0); + i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING); break; } @@ -231,7 +284,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags) if (!X509V3_extensions_print(bp, "Response Extensions", rd->responseExtensions, flags, 4)) goto err; - if (X509_signature_print(bp, &br->signatureAlgorithm, br->signature) <= 0) + if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0) goto err; for (i = 0; i < sk_X509_num(br->certs); i++) { diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c index 46a4bf78..2ec2c636 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c @@ -1,20 +1,70 @@ +/* ocsp_srv.c */ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2001. + */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> -#include "internal/cryptlib.h" +#include <cryptlib.h> #include <openssl/objects.h> +#include <openssl/rand.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/x509v3.h> #include <openssl/ocsp.h> -#include "ocsp_lcl.h" /* * Utility functions related to sending OCSP responses and extracting @@ -23,12 +73,12 @@ int OCSP_request_onereq_count(OCSP_REQUEST *req) { - return sk_OCSP_ONEREQ_num(req->tbsRequest.requestList); + return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList); } OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i) { - return sk_OCSP_ONEREQ_value(req->tbsRequest.requestList, i); + return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i); } OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one) @@ -43,13 +93,13 @@ int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, if (!cid) return 0; if (pmd) - *pmd = cid->hashAlgorithm.algorithm; + *pmd = cid->hashAlgorithm->algorithm; if (piNameHash) - *piNameHash = &cid->issuerNameHash; + *piNameHash = cid->issuerNameHash; if (pikeyHash) - *pikeyHash = &cid->issuerKeyHash; + *pikeyHash = cid->issuerKeyHash; if (pserial) - *pserial = &cid->serialNumber; + *pserial = cid->serialNumber; return 1; } @@ -65,13 +115,13 @@ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs) { OCSP_RESPONSE *rsp = NULL; - if ((rsp = OCSP_RESPONSE_new()) == NULL) + if (!(rsp = OCSP_RESPONSE_new())) goto err; if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err; if (!bs) return rsp; - if ((rsp->responseBytes = OCSP_RESPBYTES_new()) == NULL) + if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err; rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic); if (!ASN1_item_pack @@ -79,7 +129,8 @@ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs) goto err; return rsp; err: - OCSP_RESPONSE_free(rsp); + if (rsp) + OCSP_RESPONSE_free(rsp); return NULL; } @@ -94,12 +145,11 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTSTATUS *cs; OCSP_REVOKEDINFO *ri; - if (rsp->tbsResponseData.responses == NULL - && (rsp->tbsResponseData.responses - = sk_OCSP_SINGLERESP_new_null()) == NULL) + if (!rsp->tbsResponseData->responses && + !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null())) goto err; - if ((single = OCSP_SINGLERESP_new()) == NULL) + if (!(single = OCSP_SINGLERESP_new())) goto err; if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate)) @@ -110,7 +160,7 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID_free(single->certId); - if ((single->certId = OCSP_CERTID_dup(cid)) == NULL) + if (!(single->certId = OCSP_CERTID_dup(cid))) goto err; cs = single->certStatus; @@ -120,12 +170,12 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS, OCSP_R_NO_REVOKED_TIME); goto err; } - if ((cs->value.revoked = ri = OCSP_REVOKEDINFO_new()) == NULL) + if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err; if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime)) goto err; if (reason != OCSP_REVOKED_STATUS_NOSTATUS) { - if ((ri->revocationReason = ASN1_ENUMERATED_new()) == NULL) + if (!(ri->revocationReason = ASN1_ENUMERATED_new())) goto err; if (!(ASN1_ENUMERATED_set(ri->revocationReason, reason))) goto err; @@ -133,20 +183,18 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, break; case V_OCSP_CERTSTATUS_GOOD: - if ((cs->value.good = ASN1_NULL_new()) == NULL) - goto err; + cs->value.good = ASN1_NULL_new(); break; case V_OCSP_CERTSTATUS_UNKNOWN: - if ((cs->value.unknown = ASN1_NULL_new()) == NULL) - goto err; + cs->value.unknown = ASN1_NULL_new(); break; default: goto err; } - if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData.responses, single))) + if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single))) goto err; return single; err: @@ -158,13 +206,12 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) { - if (resp->certs == NULL - && (resp->certs = sk_X509_new_null()) == NULL) + if (!resp->certs && !(resp->certs = sk_X509_new_null())) return 0; if (!sk_X509_push(resp->certs, cert)) return 0; - X509_up_ref(cert); + CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); return 1; } @@ -191,16 +238,23 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp, } } - rid = &brsp->tbsResponseData.responderId; + rid = brsp->tbsResponseData->responderId; if (flags & OCSP_RESPID_KEY) { - if (!OCSP_RESPID_set_by_key(rid, signer)) + unsigned char md[SHA_DIGEST_LENGTH]; + X509_pubkey_digest(signer, EVP_sha1(), md, NULL); + if (!(rid->value.byKey = ASN1_OCTET_STRING_new())) goto err; - } else if (!OCSP_RESPID_set_by_name(rid, signer)) { - goto err; + if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH))) + goto err; + rid->type = V_OCSP_RESPID_KEY; + } else { + if (!X509_NAME_set(&rid->value.byName, X509_get_subject_name(signer))) + goto err; + rid->type = V_OCSP_RESPID_NAME; } if (!(flags & OCSP_NOTIME) && - !X509_gmtime_adj(brsp->tbsResponseData.producedAt, 0)) + !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0)) goto err; /* @@ -215,63 +269,3 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp, err: return 0; } - -int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert) -{ - if (!X509_NAME_set(&respid->value.byName, X509_get_subject_name(cert))) - return 0; - - respid->type = V_OCSP_RESPID_NAME; - - return 1; -} - -int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert) -{ - ASN1_OCTET_STRING *byKey = NULL; - unsigned char md[SHA_DIGEST_LENGTH]; - - /* RFC2560 requires SHA1 */ - if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL)) - return 0; - - byKey = ASN1_OCTET_STRING_new(); - if (byKey == NULL) - return 0; - - if (!(ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH))) { - ASN1_OCTET_STRING_free(byKey); - return 0; - } - - respid->type = V_OCSP_RESPID_KEY; - respid->value.byKey = byKey; - - return 1; -} - -int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) -{ - if (respid->type == V_OCSP_RESPID_KEY) { - unsigned char md[SHA_DIGEST_LENGTH]; - - if (respid->value.byKey == NULL) - return 0; - - /* RFC2560 requires SHA1 */ - if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL)) - return 0; - - return (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH) - && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md, - SHA_DIGEST_LENGTH) == 0); - } else if(respid->type == V_OCSP_RESPID_NAME) { - if (respid->value.byName == NULL) - return 0; - - return X509_NAME_cmp(respid->value.byName, - X509_get_subject_name(cert)) == 0; - } - - return 0; -} diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c index e2cfa6dd..d4a257c3 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c @@ -1,29 +1,80 @@ +/* ocsp_vfy.c */ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2000. + */ +/* ==================================================================== + * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <openssl/ocsp.h> -#include "ocsp_lcl.h" #include <openssl/err.h> #include <string.h> static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, - STACK_OF(X509) *certs, unsigned long flags); + STACK_OF(X509) *certs, X509_STORE *st, + unsigned long flags); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); -static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); +static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, + unsigned long flags); static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret); static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp); -static int ocsp_check_delegated(X509 *x); +static int ocsp_check_delegated(X509 *x, int flags); static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs, - unsigned long flags); + X509_STORE *st, unsigned long flags); /* Verify a basic response message */ @@ -33,30 +84,24 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509 *signer, *x; STACK_OF(X509) *chain = NULL; STACK_OF(X509) *untrusted = NULL; - X509_STORE_CTX *ctx = NULL; - int i, ret = ocsp_find_signer(&signer, bs, certs, flags); - + X509_STORE_CTX ctx; + int i, ret = 0; + ret = ocsp_find_signer(&signer, bs, certs, st, flags); if (!ret) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); goto end; } - ctx = X509_STORE_CTX_new(); - if (ctx == NULL) { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); - goto f_err; - } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; - skey = X509_get0_pubkey(signer); - if (skey == NULL) { - OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY); - goto err; + skey = X509_get_pubkey(signer); + if (skey) { + ret = OCSP_BASICRESP_verify(bs, skey, 0); + EVP_PKEY_free(skey); } - ret = OCSP_BASICRESP_verify(bs, skey, 0); - if (ret <= 0) { + if (!skey || ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; } @@ -70,23 +115,25 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, for (i = 0; i < sk_X509_num(certs); i++) { if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); - goto f_err; + goto end; } } } else { untrusted = bs->certs; } - init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted); + init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); if (!init_res) { + ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); - goto f_err; + goto end; } - X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); - ret = X509_verify_cert(ctx); - chain = X509_STORE_CTX_get1_chain(ctx); + X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); + ret = X509_verify_cert(&ctx); + chain = X509_STORE_CTX_get1_chain(&ctx); + X509_STORE_CTX_cleanup(&ctx); if (ret <= 0) { - i = X509_STORE_CTX_get_error(ctx); + i = X509_STORE_CTX_get_error(&ctx); OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", @@ -101,7 +148,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, * At this point we have a valid certificate chain need to verify it * against the OCSP issuer criteria. */ - ret = ocsp_check_issuer(bs, chain); + ret = ocsp_check_issuer(bs, chain, flags); /* If fatal error or valid match then finish */ if (ret != 0) @@ -117,30 +164,25 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, x = sk_X509_value(chain, sk_X509_num(chain) - 1); if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED); - goto err; + goto end; } ret = 1; } + end: - X509_STORE_CTX_free(ctx); - sk_X509_pop_free(chain, X509_free); + if (chain) + sk_X509_pop_free(chain, X509_free); if (bs->certs && certs) sk_X509_free(untrusted); return ret; - - err: - ret = 0; - goto end; - f_err: - ret = -1; - goto end; } static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, - STACK_OF(X509) *certs, unsigned long flags) + STACK_OF(X509) *certs, X509_STORE *st, + unsigned long flags) { X509 *signer; - OCSP_RESPID *rid = &bs->tbsResponseData.responderId; + OCSP_RESPID *rid = bs->tbsResponseData->responderId; if ((signer = ocsp_find_signer_sk(certs, rid))) { *psigner = signer; return 2; @@ -182,13 +224,14 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) return NULL; } -static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain) +static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, + unsigned long flags) { STACK_OF(OCSP_SINGLERESP) *sresp; X509 *signer, *sca; OCSP_CERTID *caid = NULL; int i; - sresp = bs->tbsResponseData.responses; + sresp = bs->tbsResponseData->responses; if (sk_X509_num(chain) <= 0) { OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN); @@ -211,7 +254,7 @@ static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain) return i; if (i) { /* We have a match, if extensions OK then success */ - if (ocsp_check_delegated(signer)) + if (ocsp_check_delegated(signer, flags)) return 1; return 0; } @@ -248,9 +291,9 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; /* Check to see if IDs match */ if (OCSP_id_issuer_cmp(cid, tmpid)) { - /* If algorithm mismatch let caller deal with it */ - if (OBJ_cmp(tmpid->hashAlgorithm.algorithm, - cid->hashAlgorithm.algorithm)) + /* If algoritm mismatch let caller deal with it */ + if (OBJ_cmp(tmpid->hashAlgorithm->algorithm, + cid->hashAlgorithm->algorithm)) return 2; /* Else mismatch */ return 0; @@ -271,8 +314,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, X509_NAME *iname; int mdlen; unsigned char md[EVP_MAX_MD_SIZE]; - if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm)) - == NULL) { + if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) { OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST); return -1; @@ -281,16 +323,16 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, mdlen = EVP_MD_size(dgst); if (mdlen < 0) return -1; - if ((cid->issuerNameHash.length != mdlen) || - (cid->issuerKeyHash.length != mdlen)) + if ((cid->issuerNameHash->length != mdlen) || + (cid->issuerKeyHash->length != mdlen)) return 0; iname = X509_get_subject_name(cert); if (!X509_NAME_digest(iname, dgst, md, NULL)) return -1; - if (memcmp(md, cid->issuerNameHash.data, mdlen)) + if (memcmp(md, cid->issuerNameHash->data, mdlen)) return 0; X509_pubkey_digest(cert, dgst, md, NULL); - if (memcmp(md, cid->issuerKeyHash.data, mdlen)) + if (memcmp(md, cid->issuerKeyHash->data, mdlen)) return 0; return 1; @@ -310,10 +352,10 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, } -static int ocsp_check_delegated(X509 *x) +static int ocsp_check_delegated(X509 *x, int flags) { - if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE) - && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN)) + X509_check_purpose(x, -1, 0); + if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) return 1; OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); return 0; @@ -331,80 +373,68 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509 *signer; X509_NAME *nm; GENERAL_NAME *gen; - int ret = 0; - X509_STORE_CTX *ctx = X509_STORE_CTX_new(); - - if (ctx == NULL) { - OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE); - goto err; - } - + int ret; + X509_STORE_CTX ctx; if (!req->optionalSignature) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); - goto err; + return 0; } - gen = req->tbsRequest.requestorName; + gen = req->tbsRequest->requestorName; if (!gen || gen->type != GEN_DIRNAME) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); - goto err; + return 0; } nm = gen->d.directoryName; - ret = ocsp_req_find_signer(&signer, req, nm, certs, flags); + ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags); if (ret <= 0) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); - goto err; + return 0; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; - skey = X509_get0_pubkey(signer); + skey = X509_get_pubkey(signer); ret = OCSP_REQUEST_verify(req, skey); + EVP_PKEY_free(skey); if (ret <= 0) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE); - goto err; + return 0; } } if (!(flags & OCSP_NOVERIFY)) { int init_res; if (flags & OCSP_NOCHAIN) - init_res = X509_STORE_CTX_init(ctx, store, signer, NULL); + init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL); else - init_res = X509_STORE_CTX_init(ctx, store, signer, + init_res = X509_STORE_CTX_init(&ctx, store, signer, req->optionalSignature->certs); if (!init_res) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB); - goto err; + return 0; } - X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); - X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST); - ret = X509_verify_cert(ctx); + X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); + X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST); + ret = X509_verify_cert(&ctx); + X509_STORE_CTX_cleanup(&ctx); if (ret <= 0) { - ret = X509_STORE_CTX_get_error(ctx); + ret = X509_STORE_CTX_get_error(&ctx); OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(ret)); - goto err; + return 0; } } - ret = 1; - goto end; - -err: - ret = 0; -end: - X509_STORE_CTX_free(ctx); - return ret; - + return 1; } static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs, - unsigned long flags) + X509_STORE *st, unsigned long flags) { X509 *signer; if (!(flags & OCSP_NOINTERN)) { diff --git a/Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c b/Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c deleted file mode 100644 index 2d425a89..00000000 --- a/Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c +++ /dev/null @@ -1,264 +0,0 @@ -/* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -# include <stdio.h> -# include "internal/cryptlib.h" -# include <openssl/conf.h> -# include <openssl/asn1.h> -# include <openssl/ocsp.h> -# include "ocsp_lcl.h" -# include <openssl/x509v3.h> -# include "../x509v3/ext_dat.h" - -/* - * OCSP extensions and a couple of CRL entry extensions - */ - -static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce, - BIO *out, int indent); -static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce, - BIO *out, int indent); -static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out, - int indent); - -static void *ocsp_nonce_new(void); -static int i2d_ocsp_nonce(void *a, unsigned char **pp); -static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length); -static void ocsp_nonce_free(void *a); -static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, - BIO *out, int indent); - -static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, - void *nocheck, BIO *out, int indent); -static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, const char *str); -static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, - BIO *bp, int ind); - -const X509V3_EXT_METHOD v3_ocsp_crlid = { - NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID), - 0, 0, 0, 0, - 0, 0, - 0, 0, - i2r_ocsp_crlid, 0, - NULL -}; - -const X509V3_EXT_METHOD v3_ocsp_acutoff = { - NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), - 0, 0, 0, 0, - 0, 0, - 0, 0, - i2r_ocsp_acutoff, 0, - NULL -}; - -const X509V3_EXT_METHOD v3_crl_invdate = { - NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), - 0, 0, 0, 0, - 0, 0, - 0, 0, - i2r_ocsp_acutoff, 0, - NULL -}; - -const X509V3_EXT_METHOD v3_crl_hold = { - NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT), - 0, 0, 0, 0, - 0, 0, - 0, 0, - i2r_object, 0, - NULL -}; - -const X509V3_EXT_METHOD v3_ocsp_nonce = { - NID_id_pkix_OCSP_Nonce, 0, NULL, - ocsp_nonce_new, - ocsp_nonce_free, - d2i_ocsp_nonce, - i2d_ocsp_nonce, - 0, 0, - 0, 0, - i2r_ocsp_nonce, 0, - NULL -}; - -const X509V3_EXT_METHOD v3_ocsp_nocheck = { - NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL), - 0, 0, 0, 0, - 0, s2i_ocsp_nocheck, - 0, 0, - i2r_ocsp_nocheck, 0, - NULL -}; - -const X509V3_EXT_METHOD v3_ocsp_serviceloc = { - NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC), - 0, 0, 0, 0, - 0, 0, - 0, 0, - i2r_ocsp_serviceloc, 0, - NULL -}; - -static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, - int ind) -{ - OCSP_CRLID *a = in; - if (a->crlUrl) { - if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) - goto err; - if (!ASN1_STRING_print(bp, (ASN1_STRING *)a->crlUrl)) - goto err; - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - if (a->crlNum) { - if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) - goto err; - if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) - goto err; - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - if (a->crlTime) { - if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) - goto err; - if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) - goto err; - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - return 1; - err: - return 0; -} - -static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, - BIO *bp, int ind) -{ - if (BIO_printf(bp, "%*s", ind, "") <= 0) - return 0; - if (!ASN1_GENERALIZEDTIME_print(bp, cutoff)) - return 0; - return 1; -} - -static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, - int ind) -{ - if (BIO_printf(bp, "%*s", ind, "") <= 0) - return 0; - if (i2a_ASN1_OBJECT(bp, oid) <= 0) - return 0; - return 1; -} - -/* - * OCSP nonce. This is needs special treatment because it doesn't have an - * ASN1 encoding at all: it just contains arbitrary data. - */ - -static void *ocsp_nonce_new(void) -{ - return ASN1_OCTET_STRING_new(); -} - -static int i2d_ocsp_nonce(void *a, unsigned char **pp) -{ - ASN1_OCTET_STRING *os = a; - if (pp) { - memcpy(*pp, os->data, os->length); - *pp += os->length; - } - return os->length; -} - -static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length) -{ - ASN1_OCTET_STRING *os, **pos; - pos = a; - if (pos == NULL || *pos == NULL) { - os = ASN1_OCTET_STRING_new(); - if (os == NULL) - goto err; - } else { - os = *pos; - } - if (!ASN1_OCTET_STRING_set(os, *pp, length)) - goto err; - - *pp += length; - - if (pos) - *pos = os; - return os; - - err: - if ((pos == NULL) || (*pos != os)) - ASN1_OCTET_STRING_free(os); - OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE); - return NULL; -} - -static void ocsp_nonce_free(void *a) -{ - ASN1_OCTET_STRING_free(a); -} - -static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, - BIO *out, int indent) -{ - if (BIO_printf(out, "%*s", indent, "") <= 0) - return 0; - if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) - return 0; - return 1; -} - -/* Nocheck is just a single NULL. Don't print anything and always set it */ - -static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, - BIO *out, int indent) -{ - return 1; -} - -static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, const char *str) -{ - return ASN1_NULL_new(); -} - -static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, - BIO *bp, int ind) -{ - int i; - OCSP_SERVICELOC *a = in; - ACCESS_DESCRIPTION *ad; - - if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) - goto err; - if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) - goto err; - for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) { - ad = sk_ACCESS_DESCRIPTION_value(a->locator, i); - if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0) - goto err; - if (i2a_ASN1_OBJECT(bp, ad->method) <= 0) - goto err; - if (BIO_puts(bp, " - ") <= 0) - goto err; - if (GENERAL_NAME_print(bp, ad->location) <= 0) - goto err; - } - return 1; - err: - return 0; -} |