Strona główna Odkrywaj Pomoc
Zaloguj się
OWEALs
/
openssl
kopia lustrzana git://git.openssl.org/openssl.git
2
0
Forkuj 0
Pliki Problemy 1 Wiki
Drzewo: 953a1665e2
Gałęzie Tagi
openssl
/
apps
/
ocsp.c

ocsp.c 44 KB
Historia Czysty

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367 
  1. /* ocsp.c */
    2. 

  2. /*
    3. 

  3.  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
    4. 

  4.  * 2000.
    5. 

  5.  */
    6. 

  6. /* ====================================================================
    7. 

  7.  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
    8. 

  8.  *
    9. 

  9.  * Redistribution and use in source and binary forms, with or without
    10. 

  10.  * modification, are permitted provided that the following conditions
    11. 

  11.  * are met:
    12. 

  12.  *
    13. 

  13.  * 1. Redistributions of source code must retain the above copyright
    14. 

  14.  *    notice, this list of conditions and the following disclaimer.
    15. 

  15.  *
    16. 

  16.  * 2. Redistributions in binary form must reproduce the above copyright
    17. 

  17.  *    notice, this list of conditions and the following disclaimer in
    18. 

  18.  *    the documentation and/or other materials provided with the
    19. 

  19.  *    distribution.
    20. 

  20.  *
    21. 

  21.  * 3. All advertising materials mentioning features or use of this
    22. 

  22.  *    software must display the following acknowledgment:
    23. 

  23.  *    "This product includes software developed by the OpenSSL Project
    24. 

  24.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
    25. 

  25.  *
    26. 

  26.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
    27. 

  27.  *    endorse or promote products derived from this software without
    28. 

  28.  *    prior written permission. For written permission, please contact
    29. 

  29.  *    licensing@OpenSSL.org.
    30. 

  30.  *
    31. 

  31.  * 5. Products derived from this software may not be called "OpenSSL"
    32. 

  32.  *    nor may "OpenSSL" appear in their names without prior written
    33. 

  33.  *    permission of the OpenSSL Project.
    34. 

  34.  *
    35. 

  35.  * 6. Redistributions of any form whatsoever must retain the following
    36. 

  36.  *    acknowledgment:
    37. 

  37.  *    "This product includes software developed by the OpenSSL Project
    38. 

  38.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
    39. 

  39.  *
    40. 

  40.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
    41. 

  41.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    42. 

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    43. 

  43.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
    44. 

  44.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    45. 

  45.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
    46. 

  46.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    47. 

  47.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    48. 

  48.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    49. 

  49.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    50. 

  50.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    51. 

  51.  * OF THE POSSIBILITY OF SUCH DAMAGE.
    52. 

  52.  * ====================================================================
    53. 

  53.  *
    54. 

  54.  * This product includes cryptographic software written by Eric Young
    55. 

  55.  * (eay@cryptsoft.com).  This product includes software written by Tim
    56. 

  56.  * Hudson (tjh@cryptsoft.com).
    57. 

  57.  *
    58. 

  58.  */
    59. 

  59. #ifndef OPENSSL_NO_OCSP
    60. 

  60. 

  61. # ifdef OPENSSL_SYS_VMS
    62. 

  62. #  define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
    63. 

  63.                                  * on OpenVMS */
    64. 

  64. # endif
    65. 

  65. 

  66. # define USE_SOCKETS
    67. 

  67. 

  68. # include <stdio.h>
    69. 

  69. # include <stdlib.h>
    70. 

  70. # include <string.h>
    71. 

  71. # include <time.h>
    72. 

  72. # include "apps.h"              /* needs to be included before the openssl
    73. 

  73.                                  * headers! */
    74. 

  74. # include <openssl/e_os2.h>
    75. 

  75. # include <openssl/crypto.h>
    76. 

  76. # include <openssl/err.h>
    77. 

  77. # include <openssl/ssl.h>
    78. 

  78. # include <openssl/evp.h>
    79. 

  79. # include <openssl/bn.h>
    80. 

  80. # include <openssl/x509v3.h>
    81. 

  81. 

  82. # if defined(NETWARE_CLIB)
    83. 

  83. #  ifdef NETWARE_BSDSOCK
    84. 

  84. #   include <sys/socket.h>
    85. 

  85. #   include <sys/bsdskt.h>
    86. 

  86. #  else
    87. 

  87. #   include <novsock2.h>
    88. 

  88. #  endif
    89. 

  89. # elif defined(NETWARE_LIBC)
    90. 

  90. #  ifdef NETWARE_BSDSOCK
    91. 

  91. #   include <sys/select.h>
    92. 

  92. #  else
    93. 

  93. #   include <novsock2.h>
    94. 

  94. #  endif
    95. 

  95. # endif
    96. 

  96. 

  97. /* Maximum leeway in validity period: default 5 minutes */
    98. 

  98. # define MAX_VALIDITY_PERIOD     (5 * 60)
    99. 

  99. 

  100. static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
    101. 

  101.                          const EVP_MD *cert_id_md, X509 *issuer,
    102. 

  102.                          STACK_OF(OCSP_CERTID) *ids);
    103. 

  103. static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
    104. 

  104.                            const EVP_MD *cert_id_md, X509 *issuer,
    105. 

  105.                            STACK_OF(OCSP_CERTID) *ids);
    106. 

  106. static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
    107. 

  107.                               STACK_OF(OPENSSL_STRING) *names,
    108. 

  108.                               STACK_OF(OCSP_CERTID) *ids, long nsec,
    109. 

  109.                               long maxage);
    110. 

  110. 

  111. static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
    112. 

  112.                               CA_DB *db, X509 *ca, X509 *rcert,
    113. 

  113.                               EVP_PKEY *rkey, const EVP_MD *md,
    114. 

  114.                               STACK_OF(X509) *rother, unsigned long flags,
    115. 

  115.                               int nmin, int ndays, int badsig);
    116. 

  116. 

  117. static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
    118. 

  118. static BIO *init_responder(const char *port);
    119. 

  119. static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
    120. 

  120.                         const char *port);
    121. 

  121. static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
    122. 

  122. static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
    123. 

  123.                                       const STACK_OF(CONF_VALUE) *headers,
    124. 

  124.                                       OCSP_REQUEST *req, int req_timeout);
    125. 

  125. 

  126. # undef PROG
    127. 

  127. # define PROG ocsp_main
    128. 

  128. 

  129. int MAIN(int, char **);
    130. 

  130. 

  131. int MAIN(int argc, char **argv)
    132. 

  132. {
    133. 

  133.     ENGINE *e = NULL;
    134. 

  134.     char **args;
    135. 

  135.     char *host = NULL, *port = NULL, *path = "/";
    136. 

  136.     char *thost = NULL, *tport = NULL, *tpath = NULL;
    137. 

  137.     char *reqin = NULL, *respin = NULL;
    138. 

  138.     char *reqout = NULL, *respout = NULL;
    139. 

  139.     char *signfile = NULL, *keyfile = NULL;
    140. 

  140.     char *rsignfile = NULL, *rkeyfile = NULL;
    141. 

  141.     char *outfile = NULL;
    142. 

  142.     int add_nonce = 1, noverify = 0, use_ssl = -1;
    143. 

  143.     STACK_OF(CONF_VALUE) *headers = NULL;
    144. 

  144.     OCSP_REQUEST *req = NULL;
    145. 

  145.     OCSP_RESPONSE *resp = NULL;
    146. 

  146.     OCSP_BASICRESP *bs = NULL;
    147. 

  147.     X509 *issuer = NULL, *cert = NULL;
    148. 

  148.     X509 *signer = NULL, *rsigner = NULL;
    149. 

  149.     EVP_PKEY *key = NULL, *rkey = NULL;
    150. 

  150.     BIO *acbio = NULL, *cbio = NULL;
    151. 

  151.     BIO *derbio = NULL;
    152. 

  152.     BIO *out = NULL;
    153. 

  153.     int req_timeout = -1;
    154. 

  154.     int req_text = 0, resp_text = 0;
    155. 

  155.     long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
    156. 

  156.     char *CAfile = NULL, *CApath = NULL;
    157. 

  157.     X509_STORE *store = NULL;
    158. 

  158.     X509_VERIFY_PARAM *vpm = NULL;
    159. 

  159.     STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
    160. 

  160.     char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
    161. 

  161.     unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
    162. 

  162.     int ret = 1;
    163. 

  163.     int accept_count = -1;
    164. 

  164.     int badarg = 0;
    165. 

  165.     int badsig = 0;
    166. 

  166.     int i;
    167. 

  167.     int ignore_err = 0;
    168. 

  168.     STACK_OF(OPENSSL_STRING) *reqnames = NULL;
    169. 

  169.     STACK_OF(OCSP_CERTID) *ids = NULL;
    170. 

  170. 

  171.     X509 *rca_cert = NULL;
    172. 

  172.     char *ridx_filename = NULL;
    173. 

  173.     char *rca_filename = NULL;
    174. 

  174.     CA_DB *rdb = NULL;
    175. 

  175.     int nmin = 0, ndays = -1;
    176. 

  176.     const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
    177. 

  177. 

  178.     if (bio_err == NULL)
    179. 

  179.         bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    180. 

  180. 

  181.     if (!load_config(bio_err, NULL))
    182. 

  182.         goto end;
    183. 

  183.     SSL_load_error_strings();
    184. 

  184.     OpenSSL_add_ssl_algorithms();
    185. 

  185.     args = argv + 1;
    186. 

  186.     reqnames = sk_OPENSSL_STRING_new_null();
    187. 

  187.     ids = sk_OCSP_CERTID_new_null();
    188. 

  188.     while (!badarg && *args && *args[0] == '-') {
    189. 

  189.         if (!strcmp(*args, "-out")) {
    190. 

  190.             if (args[1]) {
    191. 

  191.                 args++;
    192. 

  192.                 outfile = *args;
    193. 

  193.             } else
    194. 

  194.                 badarg = 1;
    195. 

  195.         } else if (!strcmp(*args, "-timeout")) {
    196. 

  196.             if (args[1]) {
    197. 

  197.                 args++;
    198. 

  198.                 req_timeout = atol(*args);
    199. 

  199.                 if (req_timeout < 0) {
    200. 

  200.                     BIO_printf(bio_err, "Illegal timeout value %s\n", *args);
    201. 

  201.                     badarg = 1;
    202. 

  202.                 }
    203. 

  203.             } else
    204. 

  204.                 badarg = 1;
    205. 

  205.         } else if (!strcmp(*args, "-url")) {
    206. 

  206.             if (thost)
    207. 

  207.                 OPENSSL_free(thost);
    208. 

  208.             if (tport)
    209. 

  209.                 OPENSSL_free(tport);
    210. 

  210.             if (tpath)
    211. 

  211.                 OPENSSL_free(tpath);
    212. 

  212.             thost = tport = tpath = NULL;
    213. 

  213.             if (args[1]) {
    214. 

  214.                 args++;
    215. 

  215.                 if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
    216. 

  216.                     BIO_printf(bio_err, "Error parsing URL\n");
    217. 

  217.                     badarg = 1;
    218. 

  218.                 }
    219. 

  219.                 thost = host;
    220. 

  220.                 tport = port;
    221. 

  221.                 tpath = path;
    222. 

  222.             } else
    223. 

  223.                 badarg = 1;
    224. 

  224.         } else if (!strcmp(*args, "-host")) {
    225. 

  225.             if (args[1]) {
    226. 

  226.                 args++;
    227. 

  227.                 host = *args;
    228. 

  228.             } else
    229. 

  229.                 badarg = 1;
    230. 

  230.         } else if (!strcmp(*args, "-port")) {
    231. 

  231.             if (args[1]) {
    232. 

  232.                 args++;
    233. 

  233.                 port = *args;
    234. 

  234.             } else
    235. 

  235.                 badarg = 1;
    236. 

  236.         } else if (!strcmp(*args, "-header")) {
    237. 

  237.             if (args[1] && args[2]) {
    238. 

  238.                 if (!X509V3_add_value(args[1], args[2], &headers))
    239. 

  239.                     goto end;
    240. 

  240.                 args += 2;
    241. 

  241.             } else
    242. 

  242.                 badarg = 1;
    243. 

  243.         } else if (!strcmp(*args, "-ignore_err"))
    244. 

  244.             ignore_err = 1;
    245. 

  245.         else if (!strcmp(*args, "-noverify"))
    246. 

  246.             noverify = 1;
    247. 

  247.         else if (!strcmp(*args, "-nonce"))
    248. 

  248.             add_nonce = 2;
    249. 

  249.         else if (!strcmp(*args, "-no_nonce"))
    250. 

  250.             add_nonce = 0;
    251. 

  251.         else if (!strcmp(*args, "-resp_no_certs"))
    252. 

  252.             rflags |= OCSP_NOCERTS;
    253. 

  253.         else if (!strcmp(*args, "-resp_key_id"))
    254. 

  254.             rflags |= OCSP_RESPID_KEY;
    255. 

  255.         else if (!strcmp(*args, "-no_certs"))
    256. 

  256.             sign_flags |= OCSP_NOCERTS;
    257. 

  257.         else if (!strcmp(*args, "-no_signature_verify"))
    258. 

  258.             verify_flags |= OCSP_NOSIGS;
    259. 

  259.         else if (!strcmp(*args, "-no_cert_verify"))
    260. 

  260.             verify_flags |= OCSP_NOVERIFY;
    261. 

  261.         else if (!strcmp(*args, "-no_chain"))
    262. 

  262.             verify_flags |= OCSP_NOCHAIN;
    263. 

  263.         else if (!strcmp(*args, "-no_cert_checks"))
    264. 

  264.             verify_flags |= OCSP_NOCHECKS;
    265. 

  265.         else if (!strcmp(*args, "-no_explicit"))
    266. 

  266.             verify_flags |= OCSP_NOEXPLICIT;
    267. 

  267.         else if (!strcmp(*args, "-trust_other"))
    268. 

  268.             verify_flags |= OCSP_TRUSTOTHER;
    269. 

  269.         else if (!strcmp(*args, "-no_intern"))
    270. 

  270.             verify_flags |= OCSP_NOINTERN;
    271. 

  271.         else if (!strcmp(*args, "-badsig"))
    272. 

  272.             badsig = 1;
    273. 

  273.         else if (!strcmp(*args, "-text")) {
    274. 

  274.             req_text = 1;
    275. 

  275.             resp_text = 1;
    276. 

  276.         } else if (!strcmp(*args, "-req_text"))
    277. 

  277.             req_text = 1;
    278. 

  278.         else if (!strcmp(*args, "-resp_text"))
    279. 

  279.             resp_text = 1;
    280. 

  280.         else if (!strcmp(*args, "-reqin")) {
    281. 

  281.             if (args[1]) {
    282. 

  282.                 args++;
    283. 

  283.                 reqin = *args;
    284. 

  284.             } else
    285. 

  285.                 badarg = 1;
    286. 

  286.         } else if (!strcmp(*args, "-respin")) {
    287. 

  287.             if (args[1]) {
    288. 

  288.                 args++;
    289. 

  289.                 respin = *args;
    290. 

  290.             } else
    291. 

  291.                 badarg = 1;
    292. 

  292.         } else if (!strcmp(*args, "-signer")) {
    293. 

  293.             if (args[1]) {
    294. 

  294.                 args++;
    295. 

  295.                 signfile = *args;
    296. 

  296.             } else
    297. 

  297.                 badarg = 1;
    298. 

  298.         } else if (!strcmp(*args, "-VAfile")) {
    299. 

  299.             if (args[1]) {
    300. 

  300.                 args++;
    301. 

  301.                 verify_certfile = *args;
    302. 

  302.                 verify_flags |= OCSP_TRUSTOTHER;
    303. 

  303.             } else
    304. 

  304.                 badarg = 1;
    305. 

  305.         } else if (!strcmp(*args, "-sign_other")) {
    306. 

  306.             if (args[1]) {
    307. 

  307.                 args++;
    308. 

  308.                 sign_certfile = *args;
    309. 

  309.             } else
    310. 

  310.                 badarg = 1;
    311. 

  311.         } else if (!strcmp(*args, "-verify_other")) {
    312. 

  312.             if (args[1]) {
    313. 

  313.                 args++;
    314. 

  314.                 verify_certfile = *args;
    315. 

  315.             } else
    316. 

  316.                 badarg = 1;
    317. 

  317.         } else if (!strcmp(*args, "-CAfile")) {
    318. 

  318.             if (args[1]) {
    319. 

  319.                 args++;
    320. 

  320.                 CAfile = *args;
    321. 

  321.             } else
    322. 

  322.                 badarg = 1;
    323. 

  323.         } else if (!strcmp(*args, "-CApath")) {
    324. 

  324.             if (args[1]) {
    325. 

  325.                 args++;
    326. 

  326.                 CApath = *args;
    327. 

  327.             } else
    328. 

  328.                 badarg = 1;
    329. 

  329.         } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) {
    330. 

  330.             if (badarg)
    331. 

  331.                 goto end;
    332. 

  332.             continue;
    333. 

  333.         } else if (!strcmp(*args, "-validity_period")) {
    334. 

  334.             if (args[1]) {
    335. 

  335.                 args++;
    336. 

  336.                 nsec = atol(*args);
    337. 

  337.                 if (nsec < 0) {
    338. 

  338.                     BIO_printf(bio_err,
    339. 

  339.                                "Illegal validity period %s\n", *args);
    340. 

  340.                     badarg = 1;
    341. 

  341.                 }
    342. 

  342.             } else
    343. 

  343.                 badarg = 1;
    344. 

  344.         } else if (!strcmp(*args, "-status_age")) {
    345. 

  345.             if (args[1]) {
    346. 

  346.                 args++;
    347. 

  347.                 maxage = atol(*args);
    348. 

  348.                 if (maxage < 0) {
    349. 

  349.                     BIO_printf(bio_err, "Illegal validity age %s\n", *args);
    350. 

  350.                     badarg = 1;
    351. 

  351.                 }
    352. 

  352.             } else
    353. 

  353.                 badarg = 1;
    354. 

  354.         } else if (!strcmp(*args, "-signkey")) {
    355. 

  355.             if (args[1]) {
    356. 

  356.                 args++;
    357. 

  357.                 keyfile = *args;
    358. 

  358.             } else
    359. 

  359.                 badarg = 1;
    360. 

  360.         } else if (!strcmp(*args, "-reqout")) {
    361. 

  361.             if (args[1]) {
    362. 

  362.                 args++;
    363. 

  363.                 reqout = *args;
    364. 

  364.             } else
    365. 

  365.                 badarg = 1;
    366. 

  366.         } else if (!strcmp(*args, "-respout")) {
    367. 

  367.             if (args[1]) {
    368. 

  368.                 args++;
    369. 

  369.                 respout = *args;
    370. 

  370.             } else
    371. 

  371.                 badarg = 1;
    372. 

  372.         } else if (!strcmp(*args, "-path")) {
    373. 

  373.             if (args[1]) {
    374. 

  374.                 args++;
    375. 

  375.                 path = *args;
    376. 

  376.             } else
    377. 

  377.                 badarg = 1;
    378. 

  378.         } else if (!strcmp(*args, "-issuer")) {
    379. 

  379.             if (args[1]) {
    380. 

  380.                 args++;
    381. 

  381.                 X509_free(issuer);
    382. 

  382.                 issuer = load_cert(bio_err, *args, FORMAT_PEM,
    383. 

  383.                                    NULL, e, "issuer certificate");
    384. 

  384.                 if (!issuer)
    385. 

  385.                     goto end;
    386. 

  386.             } else
    387. 

  387.                 badarg = 1;
    388. 

  388.         } else if (!strcmp(*args, "-cert")) {
    389. 

  389.             if (args[1]) {
    390. 

  390.                 args++;
    391. 

  391.                 X509_free(cert);
    392. 

  392.                 cert = load_cert(bio_err, *args, FORMAT_PEM,
    393. 

  393.                                  NULL, e, "certificate");
    394. 

  394.                 if (!cert)
    395. 

  395.                     goto end;
    396. 

  396.                 if (!cert_id_md)
    397. 

  397.                     cert_id_md = EVP_sha1();
    398. 

  398.                 if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
    399. 

  399.                     goto end;
    400. 

  400.                 if (!sk_OPENSSL_STRING_push(reqnames, *args))
    401. 

  401.                     goto end;
    402. 

  402.             } else
    403. 

  403.                 badarg = 1;
    404. 

  404.         } else if (!strcmp(*args, "-serial")) {
    405. 

  405.             if (args[1]) {
    406. 

  406.                 args++;
    407. 

  407.                 if (!cert_id_md)
    408. 

  408.                     cert_id_md = EVP_sha1();
    409. 

  409.                 if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
    410. 

  410.                     goto end;
    411. 

  411.                 if (!sk_OPENSSL_STRING_push(reqnames, *args))
    412. 

  412.                     goto end;
    413. 

  413.             } else
    414. 

  414.                 badarg = 1;
    415. 

  415.         } else if (!strcmp(*args, "-index")) {
    416. 

  416.             if (args[1]) {
    417. 

  417.                 args++;
    418. 

  418.                 ridx_filename = *args;
    419. 

  419.             } else
    420. 

  420.                 badarg = 1;
    421. 

  421.         } else if (!strcmp(*args, "-CA")) {
    422. 

  422.             if (args[1]) {
    423. 

  423.                 args++;
    424. 

  424.                 rca_filename = *args;
    425. 

  425.             } else
    426. 

  426.                 badarg = 1;
    427. 

  427.         } else if (!strcmp(*args, "-nmin")) {
    428. 

  428.             if (args[1]) {
    429. 

  429.                 args++;
    430. 

  430.                 nmin = atol(*args);
    431. 

  431.                 if (nmin < 0) {
    432. 

  432.                     BIO_printf(bio_err, "Illegal update period %s\n", *args);
    433. 

  433.                     badarg = 1;
    434. 

  434.                 }
    435. 

  435.             }
    436. 

  436.             if (ndays == -1)
    437. 

  437.                 ndays = 0;
    438. 

  438.             else
    439. 

  439.                 badarg = 1;
    440. 

  440.         } else if (!strcmp(*args, "-nrequest")) {
    441. 

  441.             if (args[1]) {
    442. 

  442.                 args++;
    443. 

  443.                 accept_count = atol(*args);
    444. 

  444.                 if (accept_count < 0) {
    445. 

  445.                     BIO_printf(bio_err, "Illegal accept count %s\n", *args);
    446. 

  446.                     badarg = 1;
    447. 

  447.                 }
    448. 

  448.             } else
    449. 

  449.                 badarg = 1;
    450. 

  450.         } else if (!strcmp(*args, "-ndays")) {
    451. 

  451.             if (args[1]) {
    452. 

  452.                 args++;
    453. 

  453.                 ndays = atol(*args);
    454. 

  454.                 if (ndays < 0) {
    455. 

  455.                     BIO_printf(bio_err, "Illegal update period %s\n", *args);
    456. 

  456.                     badarg = 1;
    457. 

  457.                 }
    458. 

  458.             } else
    459. 

  459.                 badarg = 1;
    460. 

  460.         } else if (!strcmp(*args, "-rsigner")) {
    461. 

  461.             if (args[1]) {
    462. 

  462.                 args++;
    463. 

  463.                 rsignfile = *args;
    464. 

  464.             } else
    465. 

  465.                 badarg = 1;
    466. 

  466.         } else if (!strcmp(*args, "-rkey")) {
    467. 

  467.             if (args[1]) {
    468. 

  468.                 args++;
    469. 

  469.                 rkeyfile = *args;
    470. 

  470.             } else
    471. 

  471.                 badarg = 1;
    472. 

  472.         } else if (!strcmp(*args, "-rother")) {
    473. 

  473.             if (args[1]) {
    474. 

  474.                 args++;
    475. 

  475.                 rcertfile = *args;
    476. 

  476.             } else
    477. 

  477.                 badarg = 1;
    478. 

  478.         } else if (!strcmp(*args, "-rmd")) {
    479. 

  479.             if (args[1]) {
    480. 

  480.                 args++;
    481. 

  481.                 rsign_md = EVP_get_digestbyname(*args);
    482. 

  482.                 if (!rsign_md)
    483. 

  483.                     badarg = 1;
    484. 

  484.             } else
    485. 

  485.                 badarg = 1;
    486. 

  486.         } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
    487. 

  487.             badarg = 1;
    488. 

  488.         }
    489. 

  489.         args++;
    490. 

  490.     }
    491. 

  491. 

  492.     /* Have we anything to do? */
    493. 

  493.     if (!req && !reqin && !respin && !(port && ridx_filename))
    494. 

  494.         badarg = 1;
    495. 

  495. 

  496.     if (badarg) {
    497. 

  497.         BIO_printf(bio_err, "OCSP utility\n");
    498. 

  498.         BIO_printf(bio_err, "Usage ocsp [options]\n");
    499. 

  499.         BIO_printf(bio_err, "where options are\n");
    500. 

  500.         BIO_printf(bio_err, "-out file            output filename\n");
    501. 

  501.         BIO_printf(bio_err, "-issuer file         issuer certificate\n");
    502. 

  502.         BIO_printf(bio_err, "-cert file           certificate to check\n");
    503. 

  503.         BIO_printf(bio_err, "-serial n            serial number to check\n");
    504. 

  504.         BIO_printf(bio_err,
    505. 

  505.                    "-signer file         certificate to sign OCSP request with\n");
    506. 

  506.         BIO_printf(bio_err,
    507. 

  507.                    "-signkey file        private key to sign OCSP request with\n");
    508. 

  508.         BIO_printf(bio_err,
    509. 

  509.                    "-sign_other file     additional certificates to include in signed request\n");
    510. 

  510.         BIO_printf(bio_err,
    511. 

  511.                    "-no_certs            don't include any certificates in signed request\n");
    512. 

  512.         BIO_printf(bio_err,
    513. 

  513.                    "-req_text            print text form of request\n");
    514. 

  514.         BIO_printf(bio_err,
    515. 

  515.                    "-resp_text           print text form of response\n");
    516. 

  516.         BIO_printf(bio_err,
    517. 

  517.                    "-text                print text form of request and response\n");
    518. 

  518.         BIO_printf(bio_err,
    519. 

  519.                    "-reqout file         write DER encoded OCSP request to \"file\"\n");
    520. 

  520.         BIO_printf(bio_err,
    521. 

  521.                    "-respout file        write DER encoded OCSP reponse to \"file\"\n");
    522. 

  522.         BIO_printf(bio_err,
    523. 

  523.                    "-reqin file          read DER encoded OCSP request from \"file\"\n");
    524. 

  524.         BIO_printf(bio_err,
    525. 

  525.                    "-respin file         read DER encoded OCSP reponse from \"file\"\n");
    526. 

  526.         BIO_printf(bio_err,
    527. 

  527.                    "-nonce               add OCSP nonce to request\n");
    528. 

  528.         BIO_printf(bio_err,
    529. 

  529.                    "-no_nonce            don't add OCSP nonce to request\n");
    530. 

  530.         BIO_printf(bio_err, "-url URL             OCSP responder URL\n");
    531. 

  531.         BIO_printf(bio_err,
    532. 

  532.                    "-host host:n         send OCSP request to host on port n\n");
    533. 

  533.         BIO_printf(bio_err,
    534. 

  534.                    "-path                path to use in OCSP request\n");
    535. 

  535.         BIO_printf(bio_err,
    536. 

  536.                    "-CApath dir          trusted certificates directory\n");
    537. 

  537.         BIO_printf(bio_err,
    538. 

  538.                    "-CAfile file         trusted certificates file\n");
    539. 

  539.         BIO_printf(bio_err,
    540. 

  540.                    "-no_alt_chains       only ever use the first certificate chain found\n");
    541. 

  541.         BIO_printf(bio_err,
    542. 

  542.                    "-VAfile file         validator certificates file\n");
    543. 

  543.         BIO_printf(bio_err,
    544. 

  544.                    "-validity_period n   maximum validity discrepancy in seconds\n");
    545. 

  545.         BIO_printf(bio_err,
    546. 

  546.                    "-status_age n        maximum status age in seconds\n");
    547. 

  547.         BIO_printf(bio_err,
    548. 

  548.                    "-noverify            don't verify response at all\n");
    549. 

  549.         BIO_printf(bio_err,
    550. 

  550.                    "-verify_other file   additional certificates to search for signer\n");
    551. 

  551.         BIO_printf(bio_err,
    552. 

  552.                    "-trust_other         don't verify additional certificates\n");
    553. 

  553.         BIO_printf(bio_err,
    554. 

  554.                    "-no_intern           don't search certificates contained in response for signer\n");
    555. 

  555.         BIO_printf(bio_err,
    556. 

  556.                    "-no_signature_verify don't check signature on response\n");
    557. 

  557.         BIO_printf(bio_err,
    558. 

  558.                    "-no_cert_verify      don't check signing certificate\n");
    559. 

  559.         BIO_printf(bio_err,
    560. 

  560.                    "-no_chain            don't chain verify response\n");
    561. 

  561.         BIO_printf(bio_err,
    562. 

  562.                    "-no_cert_checks      don't do additional checks on signing certificate\n");
    563. 

  563.         BIO_printf(bio_err,
    564. 

  564.                    "-port num            port to run responder on\n");
    565. 

  565.         BIO_printf(bio_err,
    566. 

  566.                    "-index file          certificate status index file\n");
    567. 

  567.         BIO_printf(bio_err, "-CA file             CA certificate\n");
    568. 

  568.         BIO_printf(bio_err,
    569. 

  569.                    "-rsigner file        responder certificate to sign responses with\n");
    570. 

  570.         BIO_printf(bio_err,
    571. 

  571.                    "-rkey file           responder key to sign responses with\n");
    572. 

  572.         BIO_printf(bio_err,
    573. 

  573.                    "-rother file         other certificates to include in response\n");
    574. 

  574.         BIO_printf(bio_err,
    575. 

  575.                    "-resp_no_certs       don't include any certificates in response\n");
    576. 

  576.         BIO_printf(bio_err,
    577. 

  577.                    "-nmin n              number of minutes before next update\n");
    578. 

  578.         BIO_printf(bio_err,
    579. 

  579.                    "-ndays n             number of days before next update\n");
    580. 

  580.         BIO_printf(bio_err,
    581. 

  581.                    "-resp_key_id         identify reponse by signing certificate key ID\n");
    582. 

  582.         BIO_printf(bio_err,
    583. 

  583.                    "-nrequest n          number of requests to accept (default unlimited)\n");
    584. 

  584.         BIO_printf(bio_err,
    585. 

  585.                    "-<dgst alg>          use specified digest in the request\n");
    586. 

  586.         BIO_printf(bio_err,
    587. 

  587.                    "-timeout n           timeout connection to OCSP responder after n seconds\n");
    588. 

  588.         goto end;
    589. 

  589.     }
    590. 

  590. 

  591.     if (outfile)
    592. 

  592.         out = BIO_new_file(outfile, "w");
    593. 

  593.     else
    594. 

  594.         out = BIO_new_fp(stdout, BIO_NOCLOSE);
    595. 

  595. 

  596.     if (!out) {
    597. 

  597.         BIO_printf(bio_err, "Error opening output file\n");
    598. 

  598.         goto end;
    599. 

  599.     }
    600. 

  600. 

  601.     if (!req && (add_nonce != 2))
    602. 

  602.         add_nonce = 0;
    603. 

  603. 

  604.     if (!req && reqin) {
    605. 

  605.         if (!strcmp(reqin, "-"))
    606. 

  606.             derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
    607. 

  607.         else
    608. 

  608.             derbio = BIO_new_file(reqin, "rb");
    609. 

  609.         if (!derbio) {
    610. 

  610.             BIO_printf(bio_err, "Error Opening OCSP request file\n");
    611. 

  611.             goto end;
    612. 

  612.         }
    613. 

  613.         req = d2i_OCSP_REQUEST_bio(derbio, NULL);
    614. 

  614.         BIO_free(derbio);
    615. 

  615.         if (!req) {
    616. 

  616.             BIO_printf(bio_err, "Error reading OCSP request\n");
    617. 

  617.             goto end;
    618. 

  618.         }
    619. 

  619.     }
    620. 

  620. 

  621.     if (!req && port) {
    622. 

  622.         acbio = init_responder(port);
    623. 

  623.         if (!acbio)
    624. 

  624.             goto end;
    625. 

  625.     }
    626. 

  626. 

  627.     if (rsignfile && !rdb) {
    628. 

  628.         if (!rkeyfile)
    629. 

  629.             rkeyfile = rsignfile;
    630. 

  630.         rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
    631. 

  631.                             NULL, e, "responder certificate");
    632. 

  632.         if (!rsigner) {
    633. 

  633.             BIO_printf(bio_err, "Error loading responder certificate\n");
    634. 

  634.             goto end;
    635. 

  635.         }
    636. 

  636.         rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
    637. 

  637.                              NULL, e, "CA certificate");
    638. 

  638.         if (rcertfile) {
    639. 

  639.             rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
    640. 

  640.                                 NULL, e, "responder other certificates");
    641. 

  641.             if (!rother)
    642. 

  642.                 goto end;
    643. 

  643.         }
    644. 

  644.         rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
    645. 

  645.                         "responder private key");
    646. 

  646.         if (!rkey)
    647. 

  647.             goto end;
    648. 

  648.     }
    649. 

  649.     if (acbio)
    650. 

  650.         BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
    651. 

  651. 

  652.  redo_accept:
    653. 

  653. 

  654.     if (acbio) {
    655. 

  655.         if (!do_responder(&req, &cbio, acbio, port))
    656. 

  656.             goto end;
    657. 

  657.         if (!req) {
    658. 

  658.             resp =
    659. 

  659.                 OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
    660. 

  660.                                      NULL);
    661. 

  661.             send_ocsp_response(cbio, resp);
    662. 

  662.             goto done_resp;
    663. 

  663.         }
    664. 

  664.     }
    665. 

  665. 

  666.     if (!req && (signfile || reqout || host || add_nonce || ridx_filename)) {
    667. 

  667.         BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
    668. 

  668.         goto end;
    669. 

  669.     }
    670. 

  670. 

  671.     if (req && add_nonce)
    672. 

  672.         OCSP_request_add1_nonce(req, NULL, -1);
    673. 

  673. 

  674.     if (signfile) {
    675. 

  675.         if (!keyfile)
    676. 

  676.             keyfile = signfile;
    677. 

  677.         signer = load_cert(bio_err, signfile, FORMAT_PEM,
    678. 

  678.                            NULL, e, "signer certificate");
    679. 

  679.         if (!signer) {
    680. 

  680.             BIO_printf(bio_err, "Error loading signer certificate\n");
    681. 

  681.             goto end;
    682. 

  682.         }
    683. 

  683.         if (sign_certfile) {
    684. 

  684.             sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
    685. 

  685.                                     NULL, e, "signer certificates");
    686. 

  686.             if (!sign_other)
    687. 

  687.                 goto end;
    688. 

  688.         }
    689. 

  689.         key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
    690. 

  690.                        "signer private key");
    691. 

  691.         if (!key)
    692. 

  692.             goto end;
    693. 

  693. 

  694.         if (!OCSP_request_sign
    695. 

  695.             (req, signer, key, NULL, sign_other, sign_flags)) {
    696. 

  696.             BIO_printf(bio_err, "Error signing OCSP request\n");
    697. 

  697.             goto end;
    698. 

  698.         }
    699. 

  699.     }
    700. 

  700. 

  701.     if (req_text && req)
    702. 

  702.         OCSP_REQUEST_print(out, req, 0);
    703. 

  703. 

  704.     if (reqout) {
    705. 

  705.         if (!strcmp(reqout, "-"))
    706. 

  706.             derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
    707. 

  707.         else
    708. 

  708.             derbio = BIO_new_file(reqout, "wb");
    709. 

  709.         if (!derbio) {
    710. 

  710.             BIO_printf(bio_err, "Error opening file %s\n", reqout);
    711. 

  711.             goto end;
    712. 

  712.         }
    713. 

  713.         i2d_OCSP_REQUEST_bio(derbio, req);
    714. 

  714.         BIO_free(derbio);
    715. 

  715.     }
    716. 

  716. 

  717.     if (ridx_filename && (!rkey || !rsigner || !rca_cert)) {
    718. 

  718.         BIO_printf(bio_err,
    719. 

  719.                    "Need a responder certificate, key and CA for this operation!\n");
    720. 

  720.         goto end;
    721. 

  721.     }
    722. 

  722. 

  723.     if (ridx_filename && !rdb) {
    724. 

  724.         rdb = load_index(ridx_filename, NULL);
    725. 

  725.         if (!rdb)
    726. 

  726.             goto end;
    727. 

  727.         if (!index_index(rdb))
    728. 

  728.             goto end;
    729. 

  729.     }
    730. 

  730. 

  731.     if (rdb) {
    732. 

  732.         i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
    733. 

  733.                                rsign_md, rother, rflags, nmin, ndays, badsig);
    734. 

  734.         if (cbio)
    735. 

  735.             send_ocsp_response(cbio, resp);
    736. 

  736.     } else if (host) {
    737. 

  737. # ifndef OPENSSL_NO_SOCK
    738. 

  738.         resp = process_responder(bio_err, req, host, path,
    739. 

  739.                                  port, use_ssl, headers, req_timeout);
    740. 

  740.         if (!resp)
    741. 

  741.             goto end;
    742. 

  742. # else
    743. 

  743.         BIO_printf(bio_err,
    744. 

  744.                    "Error creating connect BIO - sockets not supported.\n");
    745. 

  745.         goto end;
    746. 

  746. # endif
    747. 

  747.     } else if (respin) {
    748. 

  748.         if (!strcmp(respin, "-"))
    749. 

  749.             derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
    750. 

  750.         else
    751. 

  751.             derbio = BIO_new_file(respin, "rb");
    752. 

  752.         if (!derbio) {
    753. 

  753.             BIO_printf(bio_err, "Error Opening OCSP response file\n");
    754. 

  754.             goto end;
    755. 

  755.         }
    756. 

  756.         resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
    757. 

  757.         BIO_free(derbio);
    758. 

  758.         if (!resp) {
    759. 

  759.             BIO_printf(bio_err, "Error reading OCSP response\n");
    760. 

  760.             goto end;
    761. 

  761.         }
    762. 

  762. 

  763.     } else {
    764. 

  764.         ret = 0;
    765. 

  765.         goto end;
    766. 

  766.     }
    767. 

  767. 

  768.  done_resp:
    769. 

  769. 

  770.     if (respout) {
    771. 

  771.         if (!strcmp(respout, "-"))
    772. 

  772.             derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
    773. 

  773.         else
    774. 

  774.             derbio = BIO_new_file(respout, "wb");
    775. 

  775.         if (!derbio) {
    776. 

  776.             BIO_printf(bio_err, "Error opening file %s\n", respout);
    777. 

  777.             goto end;
    778. 

  778.         }
    779. 

  779.         i2d_OCSP_RESPONSE_bio(derbio, resp);
    780. 

  780.         BIO_free(derbio);
    781. 

  781.     }
    782. 

  782. 

  783.     i = OCSP_response_status(resp);
    784. 

  784. 

  785.     if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
    786. 

  786.         BIO_printf(out, "Responder Error: %s (%d)\n",
    787. 

  787.                    OCSP_response_status_str(i), i);
    788. 

  788.         if (ignore_err)
    789. 

  789.             goto redo_accept;
    790. 

  790.         ret = 0;
    791. 

  791.         goto end;
    792. 

  792.     }
    793. 

  793. 

  794.     if (resp_text)
    795. 

  795.         OCSP_RESPONSE_print(out, resp, 0);
    796. 

  796. 

  797.     /* If running as responder don't verify our own response */
    798. 

  798.     if (cbio) {
    799. 

  799.         if (accept_count > 0)
    800. 

  800.             accept_count--;
    801. 

  801.         /* Redo if more connections needed */
    802. 

  802.         if (accept_count) {
    803. 

  803.             BIO_free_all(cbio);
    804. 

  804.             cbio = NULL;
    805. 

  805.             OCSP_REQUEST_free(req);
    806. 

  806.             req = NULL;
    807. 

  807.             OCSP_RESPONSE_free(resp);
    808. 

  808.             resp = NULL;
    809. 

  809.             goto redo_accept;
    810. 

  810.         }
    811. 

  811.         ret = 0;
    812. 

  812.         goto end;
    813. 

  813.     } else if (ridx_filename) {
    814. 

  814.         ret = 0;
    815. 

  815.         goto end;
    816. 

  816.     }
    817. 

  817. 

  818.     if (!store)
    819. 

  819.         store = setup_verify(bio_err, CAfile, CApath);
    820. 

  820.     if (!store)
    821. 

  821.         goto end;
    822. 

  822.     if (vpm)
    823. 

  823.         X509_STORE_set1_param(store, vpm);
    824. 

  824.     if (verify_certfile) {
    825. 

  825.         verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
    826. 

  826.                                   NULL, e, "validator certificate");
    827. 

  827.         if (!verify_other)
    828. 

  828.             goto end;
    829. 

  829.     }
    830. 

  830. 

  831.     bs = OCSP_response_get1_basic(resp);
    832. 

  832. 

  833.     if (!bs) {
    834. 

  834.         BIO_printf(bio_err, "Error parsing response\n");
    835. 

  835.         goto end;
    836. 

  836.     }
    837. 

  837. 

  838.     ret = 0;
    839. 

  839. 

  840.     if (!noverify) {
    841. 

  841.         if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
    842. 

  842.             if (i == -1)
    843. 

  843.                 BIO_printf(bio_err, "WARNING: no nonce in response\n");
    844. 

  844.             else {
    845. 

  845.                 BIO_printf(bio_err, "Nonce Verify error\n");
    846. 

  846.                 ret = 1;
    847. 

  847.                 goto end;
    848. 

  848.             }
    849. 

  849.         }
    850. 

  850. 

  851.         i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
    852. 

  852.         if (i <= 0) {
    853. 

  853.             BIO_printf(bio_err, "Response Verify Failure\n");
    854. 

  854.             ERR_print_errors(bio_err);
    855. 

  855.             ret = 1;
    856. 

  856.         } else
    857. 

  857.             BIO_printf(bio_err, "Response verify OK\n");
    858. 

  858. 

  859.     }
    860. 

  860. 

  861.     if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
    862. 

  862.         ret = 1;
    863. 

  863. 

  864.  end:
    865. 

  865.     ERR_print_errors(bio_err);
    866. 

  866.     X509_free(signer);
    867. 

  867.     X509_STORE_free(store);
    868. 

  868.     if (vpm)
    869. 

  869.         X509_VERIFY_PARAM_free(vpm);
    870. 

  870.     EVP_PKEY_free(key);
    871. 

  871.     EVP_PKEY_free(rkey);
    872. 

  872.     X509_free(issuer);
    873. 

  873.     X509_free(cert);
    874. 

  874.     X509_free(rsigner);
    875. 

  875.     X509_free(rca_cert);
    876. 

  876.     free_index(rdb);
    877. 

  877.     BIO_free_all(cbio);
    878. 

  878.     BIO_free_all(acbio);
    879. 

  879.     BIO_free(out);
    880. 

  880.     OCSP_REQUEST_free(req);
    881. 

  881.     OCSP_RESPONSE_free(resp);
    882. 

  882.     OCSP_BASICRESP_free(bs);
    883. 

  883.     sk_OPENSSL_STRING_free(reqnames);
    884. 

  884.     sk_OCSP_CERTID_free(ids);
    885. 

  885.     sk_X509_pop_free(sign_other, X509_free);
    886. 

  886.     sk_X509_pop_free(verify_other, X509_free);
    887. 

  887.     sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
    888. 

  888. 

  889.     if (thost)
    890. 

  890.         OPENSSL_free(thost);
    891. 

  891.     if (tport)
    892. 

  892.         OPENSSL_free(tport);
    893. 

  893.     if (tpath)
    894. 

  894.         OPENSSL_free(tpath);
    895. 

  895. 

  896.     OPENSSL_EXIT(ret);
    897. 

  897. }
    898. 

  898. 

  899. static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
    900. 

  900.                          const EVP_MD *cert_id_md, X509 *issuer,
    901. 

  901.                          STACK_OF(OCSP_CERTID) *ids)
    902. 

  902. {
    903. 

  903.     OCSP_CERTID *id;
    904. 

  904.     if (!issuer) {
    905. 

  905.         BIO_printf(bio_err, "No issuer certificate specified\n");
    906. 

  906.         return 0;
    907. 

  907.     }
    908. 

  908.     if (!*req)
    909. 

  909.         *req = OCSP_REQUEST_new();
    910. 

  910.     if (!*req)
    911. 

  911.         goto err;
    912. 

  912.     id = OCSP_cert_to_id(cert_id_md, cert, issuer);
    913. 

  913.     if (!id || !sk_OCSP_CERTID_push(ids, id))
    914. 

  914.         goto err;
    915. 

  915.     if (!OCSP_request_add0_id(*req, id))
    916. 

  916.         goto err;
    917. 

  917.     return 1;
    918. 

  918. 

  919.  err:
    920. 

  920.     BIO_printf(bio_err, "Error Creating OCSP request\n");
    921. 

  921.     return 0;
    922. 

  922. }
    923. 

  923. 

  924. static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
    925. 

  925.                            const EVP_MD *cert_id_md, X509 *issuer,
    926. 

  926.                            STACK_OF(OCSP_CERTID) *ids)
    927. 

  927. {
    928. 

  928.     OCSP_CERTID *id;
    929. 

  929.     X509_NAME *iname;
    930. 

  930.     ASN1_BIT_STRING *ikey;
    931. 

  931.     ASN1_INTEGER *sno;
    932. 

  932.     if (!issuer) {
    933. 

  933.         BIO_printf(bio_err, "No issuer certificate specified\n");
    934. 

  934.         return 0;
    935. 

  935.     }
    936. 

  936.     if (!*req)
    937. 

  937.         *req = OCSP_REQUEST_new();
    938. 

  938.     if (!*req)
    939. 

  939.         goto err;
    940. 

  940.     iname = X509_get_subject_name(issuer);
    941. 

  941.     ikey = X509_get0_pubkey_bitstr(issuer);
    942. 

  942.     sno = s2i_ASN1_INTEGER(NULL, serial);
    943. 

  943.     if (!sno) {
    944. 

  944.         BIO_printf(bio_err, "Error converting serial number %s\n", serial);
    945. 

  945.         return 0;
    946. 

  946.     }
    947. 

  947.     id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
    948. 

  948.     ASN1_INTEGER_free(sno);
    949. 

  949.     if (!id || !sk_OCSP_CERTID_push(ids, id))
    950. 

  950.         goto err;
    951. 

  951.     if (!OCSP_request_add0_id(*req, id))
    952. 

  952.         goto err;
    953. 

  953.     return 1;
    954. 

  954. 

  955.  err:
    956. 

  956.     BIO_printf(bio_err, "Error Creating OCSP request\n");
    957. 

  957.     return 0;
    958. 

  958. }
    959. 

  959. 

  960. static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
    961. 

  961.                               STACK_OF(OPENSSL_STRING) *names,
    962. 

  962.                               STACK_OF(OCSP_CERTID) *ids, long nsec,
    963. 

  963.                               long maxage)
    964. 

  964. {
    965. 

  965.     OCSP_CERTID *id;
    966. 

  966.     char *name;
    967. 

  967.     int i;
    968. 

  968. 

  969.     int status, reason;
    970. 

  970. 

  971.     ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
    972. 

  972. 

  973.     if (!bs || !req || !sk_OPENSSL_STRING_num(names)
    974. 

  974.         || !sk_OCSP_CERTID_num(ids))
    975. 

  975.         return 1;
    976. 

  976. 

  977.     for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
    978. 

  978.         id = sk_OCSP_CERTID_value(ids, i);
    979. 

  979.         name = sk_OPENSSL_STRING_value(names, i);
    980. 

  980.         BIO_printf(out, "%s: ", name);
    981. 

  981. 

  982.         if (!OCSP_resp_find_status(bs, id, &status, &reason,
    983. 

  983.                                    &rev, &thisupd, &nextupd)) {
    984. 

  984.             BIO_puts(out, "ERROR: No Status found.\n");
    985. 

  985.             continue;
    986. 

  986.         }
    987. 

  987. 

  988.         /*
    989. 

  989.          * Check validity: if invalid write to output BIO so we know which
    990. 

  990.          * response this refers to.
    991. 

  991.          */
    992. 

  992.         if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
    993. 

  993.             BIO_puts(out, "WARNING: Status times invalid.\n");
    994. 

  994.             ERR_print_errors(out);
    995. 

  995.         }
    996. 

  996.         BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
    997. 

  997. 

  998.         BIO_puts(out, "\tThis Update: ");
    999. 

  999.         ASN1_GENERALIZEDTIME_print(out, thisupd);
    1000. 

  1000.         BIO_puts(out, "\n");
    1001. 

  1001. 

  1002.         if (nextupd) {
    1003. 

  1003.             BIO_puts(out, "\tNext Update: ");
    1004. 

  1004.             ASN1_GENERALIZEDTIME_print(out, nextupd);
    1005. 

  1005.             BIO_puts(out, "\n");
    1006. 

  1006.         }
    1007. 

  1007. 

  1008.         if (status != V_OCSP_CERTSTATUS_REVOKED)
    1009. 

  1009.             continue;
    1010. 

  1010. 

  1011.         if (reason != -1)
    1012. 

  1012.             BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason));
    1013. 

  1013. 

  1014.         BIO_puts(out, "\tRevocation Time: ");
    1015. 

  1015.         ASN1_GENERALIZEDTIME_print(out, rev);
    1016. 

  1016.         BIO_puts(out, "\n");
    1017. 

  1017.     }
    1018. 

  1018. 

  1019.     return 1;
    1020. 

  1020. }
    1021. 

  1021. 

  1022. static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
    1023. 

  1023.                               CA_DB *db, X509 *ca, X509 *rcert,
    1024. 

  1024.                               EVP_PKEY *rkey, const EVP_MD *rmd,
    1025. 

  1025.                               STACK_OF(X509) *rother, unsigned long flags,
    1026. 

  1026.                               int nmin, int ndays, int badsig)
    1027. 

  1027. {
    1028. 

  1028.     ASN1_TIME *thisupd = NULL, *nextupd = NULL;
    1029. 

  1029.     OCSP_CERTID *cid, *ca_id = NULL;
    1030. 

  1030.     OCSP_BASICRESP *bs = NULL;
    1031. 

  1031.     int i, id_count, ret = 1;
    1032. 

  1032. 

  1033.     id_count = OCSP_request_onereq_count(req);
    1034. 

  1034. 

  1035.     if (id_count <= 0) {
    1036. 

  1036.         *resp =
    1037. 

  1037.             OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
    1038. 

  1038.         goto end;
    1039. 

  1039.     }
    1040. 

  1040. 

  1041.     bs = OCSP_BASICRESP_new();
    1042. 

  1042.     thisupd = X509_gmtime_adj(NULL, 0);
    1043. 

  1043.     if (ndays != -1)
    1044. 

  1044.         nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
    1045. 

  1045. 

  1046.     /* Examine each certificate id in the request */
    1047. 

  1047.     for (i = 0; i < id_count; i++) {
    1048. 

  1048.         OCSP_ONEREQ *one;
    1049. 

  1049.         ASN1_INTEGER *serial;
    1050. 

  1050.         char **inf;
    1051. 

  1051.         ASN1_OBJECT *cert_id_md_oid;
    1052. 

  1052.         const EVP_MD *cert_id_md;
    1053. 

  1053.         one = OCSP_request_onereq_get0(req, i);
    1054. 

  1054.         cid = OCSP_onereq_get0_id(one);
    1055. 

  1055. 

  1056.         OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid);
    1057. 

  1057. 

  1058.         cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
    1059. 

  1059.         if (!cert_id_md) {
    1060. 

  1060.             *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
    1061. 

  1061.                                          NULL);
    1062. 

  1062.             goto end;
    1063. 

  1063.         }
    1064. 

  1064.         if (ca_id)
    1065. 

  1065.             OCSP_CERTID_free(ca_id);
    1066. 

  1066.         ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
    1067. 

  1067. 

  1068.         /* Is this request about our CA? */
    1069. 

  1069.         if (OCSP_id_issuer_cmp(ca_id, cid)) {
    1070. 

  1070.             OCSP_basic_add1_status(bs, cid,
    1071. 

  1071.                                    V_OCSP_CERTSTATUS_UNKNOWN,
    1072. 

  1072.                                    0, NULL, thisupd, nextupd);
    1073. 

  1073.             continue;
    1074. 

  1074.         }
    1075. 

  1075.         OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
    1076. 

  1076.         inf = lookup_serial(db, serial);
    1077. 

  1077.         if (!inf)
    1078. 

  1078.             OCSP_basic_add1_status(bs, cid,
    1079. 

  1079.                                    V_OCSP_CERTSTATUS_UNKNOWN,
    1080. 

  1080.                                    0, NULL, thisupd, nextupd);
    1081. 

  1081.         else if (inf[DB_type][0] == DB_TYPE_VAL)
    1082. 

  1082.             OCSP_basic_add1_status(bs, cid,
    1083. 

  1083.                                    V_OCSP_CERTSTATUS_GOOD,
    1084. 

  1084.                                    0, NULL, thisupd, nextupd);
    1085. 

  1085.         else if (inf[DB_type][0] == DB_TYPE_REV) {
    1086. 

  1086.             ASN1_OBJECT *inst = NULL;
    1087. 

  1087.             ASN1_TIME *revtm = NULL;
    1088. 

  1088.             ASN1_GENERALIZEDTIME *invtm = NULL;
    1089. 

  1089.             OCSP_SINGLERESP *single;
    1090. 

  1090.             int reason = -1;
    1091. 

  1091.             unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
    1092. 

  1092.             single = OCSP_basic_add1_status(bs, cid,
    1093. 

  1093.                                             V_OCSP_CERTSTATUS_REVOKED,
    1094. 

  1094.                                             reason, revtm, thisupd, nextupd);
    1095. 

  1095.             if (invtm)
    1096. 

  1096.                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
    1097. 

  1097.                                              invtm, 0, 0);
    1098. 

  1098.             else if (inst)
    1099. 

  1099.                 OCSP_SINGLERESP_add1_ext_i2d(single,
    1100. 

  1100.                                              NID_hold_instruction_code, inst,
    1101. 

  1101.                                              0, 0);
    1102. 

  1102.             ASN1_OBJECT_free(inst);
    1103. 

  1103.             ASN1_TIME_free(revtm);
    1104. 

  1104.             ASN1_GENERALIZEDTIME_free(invtm);
    1105. 

  1105.         }
    1106. 

  1106.     }
    1107. 

  1107. 

  1108.     OCSP_copy_nonce(bs, req);
    1109. 

  1109. 

  1110.     OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
    1111. 

  1111. 

  1112.     if (badsig)
    1113. 

  1113.         bs->signature->data[bs->signature->length - 1] ^= 0x1;
    1114. 

  1114. 

  1115.     *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
    1116. 

  1116. 

  1117.  end:
    1118. 

  1118.     ASN1_TIME_free(thisupd);
    1119. 

  1119.     ASN1_TIME_free(nextupd);
    1120. 

  1120.     OCSP_CERTID_free(ca_id);
    1121. 

  1121.     OCSP_BASICRESP_free(bs);
    1122. 

  1122.     return ret;
    1123. 

  1123. 

  1124. }
    1125. 

  1125. 

  1126. static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
    1127. 

  1127. {
    1128. 

  1128.     int i;
    1129. 

  1129.     BIGNUM *bn = NULL;
    1130. 

  1130.     char *itmp, *row[DB_NUMBER], **rrow;
    1131. 

  1131.     for (i = 0; i < DB_NUMBER; i++)
    1132. 

  1132.         row[i] = NULL;
    1133. 

  1133.     bn = ASN1_INTEGER_to_BN(ser, NULL);
    1134. 

  1134.     OPENSSL_assert(bn);         /* FIXME: should report an error at this
    1135. 

  1135.                                  * point and abort */
    1136. 

  1136.     if (BN_is_zero(bn))
    1137. 

  1137.         itmp = BUF_strdup("00");
    1138. 

  1138.     else
    1139. 

  1139.         itmp = BN_bn2hex(bn);
    1140. 

  1140.     row[DB_serial] = itmp;
    1141. 

  1141.     BN_free(bn);
    1142. 

  1142.     rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
    1143. 

  1143.     OPENSSL_free(itmp);
    1144. 

  1144.     return rrow;
    1145. 

  1145. }
    1146. 

  1146. 

  1147. /* Quick and dirty OCSP server: read in and parse input request */
    1148. 

  1148. 

  1149. static BIO *init_responder(const char *port)
    1150. 

  1150. {
    1151. 

  1151.     BIO *acbio = NULL, *bufbio = NULL;
    1152. 

  1152.     bufbio = BIO_new(BIO_f_buffer());
    1153. 

  1153.     if (!bufbio)
    1154. 

  1154.         goto err;
    1155. 

  1155. # ifndef OPENSSL_NO_SOCK
    1156. 

  1156.     acbio = BIO_new_accept(port);
    1157. 

  1157. # else
    1158. 

  1158.     BIO_printf(bio_err,
    1159. 

  1159.                "Error setting up accept BIO - sockets not supported.\n");
    1160. 

  1160. # endif
    1161. 

  1161.     if (!acbio)
    1162. 

  1162.         goto err;
    1163. 

  1163.     BIO_set_accept_bios(acbio, bufbio);
    1164. 

  1164.     bufbio = NULL;
    1165. 

  1165. 

  1166.     if (BIO_do_accept(acbio) <= 0) {
    1167. 

  1167.         BIO_printf(bio_err, "Error setting up accept BIO\n");
    1168. 

  1168.         ERR_print_errors(bio_err);
    1169. 

  1169.         goto err;
    1170. 

  1170.     }
    1171. 

  1171. 

  1172.     return acbio;
    1173. 

  1173. 

  1174.  err:
    1175. 

  1175.     BIO_free_all(acbio);
    1176. 

  1176.     BIO_free(bufbio);
    1177. 

  1177.     return NULL;
    1178. 

  1178. }
    1179. 

  1179. 

  1180. static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
    1181. 

  1181.                         const char *port)
    1182. 

  1182. {
    1183. 

  1183.     int have_post = 0, len;
    1184. 

  1184.     OCSP_REQUEST *req = NULL;
    1185. 

  1185.     char inbuf[1024];
    1186. 

  1186.     BIO *cbio = NULL;
    1187. 

  1187. 

  1188.     if (BIO_do_accept(acbio) <= 0) {
    1189. 

  1189.         BIO_printf(bio_err, "Error accepting connection\n");
    1190. 

  1190.         ERR_print_errors(bio_err);
    1191. 

  1191.         return 0;
    1192. 

  1192.     }
    1193. 

  1193. 

  1194.     cbio = BIO_pop(acbio);
    1195. 

  1195.     *pcbio = cbio;
    1196. 

  1196. 

  1197.     for (;;) {
    1198. 

  1198.         len = BIO_gets(cbio, inbuf, sizeof inbuf);
    1199. 

  1199.         if (len <= 0)
    1200. 

  1200.             return 1;
    1201. 

  1201.         /* Look for "POST" signalling start of query */
    1202. 

  1202.         if (!have_post) {
    1203. 

  1203.             if (strncmp(inbuf, "POST", 4)) {
    1204. 

  1204.                 BIO_printf(bio_err, "Invalid request\n");
    1205. 

  1205.                 return 1;
    1206. 

  1206.             }
    1207. 

  1207.             have_post = 1;
    1208. 

  1208.         }
    1209. 

  1209.         /* Look for end of headers */
    1210. 

  1210.         if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
    1211. 

  1211.             break;
    1212. 

  1212.     }
    1213. 

  1213. 

  1214.     /* Try to read OCSP request */
    1215. 

  1215. 

  1216.     req = d2i_OCSP_REQUEST_bio(cbio, NULL);
    1217. 

  1217. 

  1218.     if (!req) {
    1219. 

  1219.         BIO_printf(bio_err, "Error parsing OCSP request\n");
    1220. 

  1220.         ERR_print_errors(bio_err);
    1221. 

  1221.     }
    1222. 

  1222. 

  1223.     *preq = req;
    1224. 

  1224. 

  1225.     return 1;
    1226. 

  1226. 

  1227. }
    1228. 

  1228. 

  1229. static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
    1230. 

  1230. {
    1231. 

  1231.     char http_resp[] =
    1232. 

  1232.         "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
    1233. 

  1233.         "Content-Length: %d\r\n\r\n";
    1234. 

  1234.     if (!cbio)
    1235. 

  1235.         return 0;
    1236. 

  1236.     BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
    1237. 

  1237.     i2d_OCSP_RESPONSE_bio(cbio, resp);
    1238. 

  1238.     (void)BIO_flush(cbio);
    1239. 

  1239.     return 1;
    1240. 

  1240. }
    1241. 

  1241. 

  1242. static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
    1243. 

  1243.                                       const STACK_OF(CONF_VALUE) *headers,
    1244. 

  1244.                                       OCSP_REQUEST *req, int req_timeout)
    1245. 

  1245. {
    1246. 

  1246.     int fd;
    1247. 

  1247.     int rv;
    1248. 

  1248.     int i;
    1249. 

  1249.     OCSP_REQ_CTX *ctx = NULL;
    1250. 

  1250.     OCSP_RESPONSE *rsp = NULL;
    1251. 

  1251.     fd_set confds;
    1252. 

  1252.     struct timeval tv;
    1253. 

  1253. 

  1254.     if (req_timeout != -1)
    1255. 

  1255.         BIO_set_nbio(cbio, 1);
    1256. 

  1256. 

  1257.     rv = BIO_do_connect(cbio);
    1258. 

  1258. 

  1259.     if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
    1260. 

  1260.         BIO_puts(err, "Error connecting BIO\n");
    1261. 

  1261.         return NULL;
    1262. 

  1262.     }
    1263. 

  1263. 

  1264.     if (BIO_get_fd(cbio, &fd) < 0) {
    1265. 

  1265.         BIO_puts(bio_err, "Can't get connection fd\n");
    1266. 

  1266.         goto err;
    1267. 

  1267.     }
    1268. 

  1268. 

  1269.     if (req_timeout != -1 && rv <= 0) {
    1270. 

  1270.         FD_ZERO(&confds);
    1271. 

  1271.         openssl_fdset(fd, &confds);
    1272. 

  1272.         tv.tv_usec = 0;
    1273. 

  1273.         tv.tv_sec = req_timeout;
    1274. 

  1274.         rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
    1275. 

  1275.         if (rv == 0) {
    1276. 

  1276.             BIO_puts(err, "Timeout on connect\n");
    1277. 

  1277.             return NULL;
    1278. 

  1278.         }
    1279. 

  1279.     }
    1280. 

  1280. 

  1281.     ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
    1282. 

  1282.     if (!ctx)
    1283. 

  1283.         return NULL;
    1284. 

  1284. 

  1285.     for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
    1286. 

  1286.         CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
    1287. 

  1287.         if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
    1288. 

  1288.             goto err;
    1289. 

  1289.     }
    1290. 

  1290. 

  1291.     if (!OCSP_REQ_CTX_set1_req(ctx, req))
    1292. 

  1292.         goto err;
    1293. 

  1293. 

  1294.     for (;;) {
    1295. 

  1295.         rv = OCSP_sendreq_nbio(&rsp, ctx);
    1296. 

  1296.         if (rv != -1)
    1297. 

  1297.             break;
    1298. 

  1298.         if (req_timeout == -1)
    1299. 

  1299.             continue;
    1300. 

  1300.         FD_ZERO(&confds);
    1301. 

  1301.         openssl_fdset(fd, &confds);
    1302. 

  1302.         tv.tv_usec = 0;
    1303. 

  1303.         tv.tv_sec = req_timeout;
    1304. 

  1304.         if (BIO_should_read(cbio))
    1305. 

  1305.             rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
    1306. 

  1306.         else if (BIO_should_write(cbio))
    1307. 

  1307.             rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
    1308. 

  1308.         else {
    1309. 

  1309.             BIO_puts(err, "Unexpected retry condition\n");
    1310. 

  1310.             goto err;
    1311. 

  1311.         }
    1312. 

  1312.         if (rv == 0) {
    1313. 

  1313.             BIO_puts(err, "Timeout on request\n");
    1314. 

  1314.             break;
    1315. 

  1315.         }
    1316. 

  1316.         if (rv == -1) {
    1317. 

  1317.             BIO_puts(err, "Select error\n");
    1318. 

  1318.             break;
    1319. 

  1319.         }
    1320. 

  1320. 

  1321.     }
    1322. 

  1322.  err:
    1323. 

  1323.     if (ctx)
    1324. 

  1324.         OCSP_REQ_CTX_free(ctx);
    1325. 

  1325. 

  1326.     return rsp;
    1327. 

  1327. }
    1328. 

  1328. 

  1329. OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
    1330. 

  1330.                                  const char *host, const char *path,
    1331. 

  1331.                                  const char *port, int use_ssl,
    1332. 

  1332.                                  const STACK_OF(CONF_VALUE) *headers,
    1333. 

  1333.                                  int req_timeout)
    1334. 

  1334. {
    1335. 

  1335.     BIO *cbio = NULL;
    1336. 

  1336.     SSL_CTX *ctx = NULL;
    1337. 

  1337.     OCSP_RESPONSE *resp = NULL;
    1338. 

  1338.     cbio = BIO_new_connect(host);
    1339. 

  1339.     if (!cbio) {
    1340. 

  1340.         BIO_printf(err, "Error creating connect BIO\n");
    1341. 

  1341.         goto end;
    1342. 

  1342.     }
    1343. 

  1343.     if (port)
    1344. 

  1344.         BIO_set_conn_port(cbio, port);
    1345. 

  1345.     if (use_ssl == 1) {
    1346. 

  1346.         BIO *sbio;
    1347. 

  1347.         ctx = SSL_CTX_new(SSLv23_client_method());
    1348. 

  1348.         if (ctx == NULL) {
    1349. 

  1349.             BIO_printf(err, "Error creating SSL context.\n");
    1350. 

  1350.             goto end;
    1351. 

  1351.         }
    1352. 

  1352.         SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
    1353. 

  1353.         sbio = BIO_new_ssl(ctx, 1);
    1354. 

  1354.         cbio = BIO_push(sbio, cbio);
    1355. 

  1355.     }
    1356. 

  1356.     resp = query_responder(err, cbio, path, headers, req, req_timeout);
    1357. 

  1357.     if (!resp)
    1358. 

  1358.         BIO_printf(bio_err, "Error querying OCSP responder\n");
    1359. 

  1359.  end:
    1360. 

  1360.     if (cbio)
    1361. 

  1361.         BIO_free_all(cbio);
    1362. 

  1362.     if (ctx)
    1363. 

  1363.         SSL_CTX_free(ctx);
    1364. 

  1364.     return resp;
    1365. 

  1365. }
    1366. 

  1366. 

  1367. #endif
    1368.