123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425 |
- /* ocsp.c
- *
- * Copyright (C) 2006-2023 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- /* Name change compatibility layer no longer needs to be included here */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- #ifndef WOLFCRYPT_ONLY
- #ifdef HAVE_OCSP
- #include <wolfssl/error-ssl.h>
- #include <wolfssl/ocsp.h>
- #include <wolfssl/internal.h>
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm)
- {
- WOLFSSL_ENTER("InitOCSP");
- ForceZero(ocsp, sizeof(WOLFSSL_OCSP));
- if (wc_InitMutex(&ocsp->ocspLock) != 0)
- return BAD_MUTEX_E;
- ocsp->cm = cm;
- return 0;
- }
- static int InitOcspEntry(OcspEntry* entry, OcspRequest* request)
- {
- WOLFSSL_ENTER("InitOcspEntry");
- ForceZero(entry, sizeof(OcspEntry));
- XMEMCPY(entry->issuerHash, request->issuerHash, OCSP_DIGEST_SIZE);
- XMEMCPY(entry->issuerKeyHash, request->issuerKeyHash, OCSP_DIGEST_SIZE);
- return 0;
- }
- static void FreeOcspEntry(OcspEntry* entry, void* heap)
- {
- CertStatus *status, *next;
- if (entry == NULL || !entry->ownStatus)
- return;
- WOLFSSL_ENTER("FreeOcspEntry");
- for (status = entry->status; status; status = next) {
- next = status->next;
- if (status->rawOcspResponse)
- XFREE(status->rawOcspResponse, heap, DYNAMIC_TYPE_OCSP_STATUS);
- #ifdef OPENSSL_EXTRA
- if (status->serialInt) {
- if (status->serialInt->isDynamic) {
- XFREE(status->serialInt->data, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- XFREE(status->serialInt, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- status->serialInt = NULL;
- #endif
- XFREE(status, heap, DYNAMIC_TYPE_OCSP_STATUS);
- }
- (void)heap;
- }
- void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic)
- {
- OcspEntry *entry, *next;
- WOLFSSL_ENTER("FreeOCSP");
- for (entry = ocsp->ocspList; entry; entry = next) {
- next = entry->next;
- FreeOcspEntry(entry, ocsp->cm->heap);
- XFREE(entry, ocsp->cm->heap, DYNAMIC_TYPE_OCSP_ENTRY);
- }
- wc_FreeMutex(&ocsp->ocspLock);
- if (dynamic)
- XFREE(ocsp, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
- }
- static int xstat2err(int st)
- {
- switch (st) {
- case CERT_GOOD:
- return 0;
- case CERT_REVOKED:
- return OCSP_CERT_REVOKED;
- default:
- return OCSP_CERT_UNKNOWN;
- }
- }
- int CheckCertOCSP_ex(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer, WOLFSSL* ssl)
- {
- int ret = OCSP_LOOKUP_FAIL;
- #ifdef WOLFSSL_SMALL_STACK
- OcspRequest* ocspRequest;
- #else
- OcspRequest ocspRequest[1];
- #endif
- WOLFSSL_ENTER("CheckCertOCSP");
- #ifdef WOLFSSL_SMALL_STACK
- ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (ocspRequest == NULL) {
- WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
- return MEMORY_E;
- }
- #endif
- if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce,
- ocsp->cm->heap) == 0) {
- ocspRequest->ssl = ssl;
- ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer);
- FreeOcspRequest(ocspRequest);
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- WOLFSSL_LEAVE("CheckCertOCSP", ret);
- return ret;
- }
- int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
- {
- return CheckCertOCSP_ex(ocsp, cert, responseBuffer, NULL);
- }
- static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request,
- OcspEntry** entry)
- {
- WOLFSSL_ENTER("GetOcspEntry");
- *entry = NULL;
- if (wc_LockMutex(&ocsp->ocspLock) != 0) {
- WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E);
- return BAD_MUTEX_E;
- }
- for (*entry = ocsp->ocspList; *entry; *entry = (*entry)->next)
- if (XMEMCMP((*entry)->issuerHash, request->issuerHash,
- OCSP_DIGEST_SIZE) == 0
- && XMEMCMP((*entry)->issuerKeyHash, request->issuerKeyHash,
- OCSP_DIGEST_SIZE) == 0)
- break;
- if (*entry == NULL) {
- *entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry),
- ocsp->cm->heap, DYNAMIC_TYPE_OCSP_ENTRY);
- if (*entry) {
- InitOcspEntry(*entry, request);
- (*entry)->next = ocsp->ocspList;
- ocsp->ocspList = *entry;
- }
- }
- wc_UnLockMutex(&ocsp->ocspLock);
- return *entry ? 0 : MEMORY_ERROR;
- }
- /* Mallocs responseBuffer->buffer and is up to caller to free on success
- *
- * Returns OCSP status
- */
- static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
- OcspEntry* entry, CertStatus** status, buffer* responseBuffer)
- {
- int ret = OCSP_INVALID_STATUS;
- WOLFSSL_ENTER("GetOcspStatus");
- *status = NULL;
- if (wc_LockMutex(&ocsp->ocspLock) != 0) {
- WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E);
- return BAD_MUTEX_E;
- }
- for (*status = entry->status; *status; *status = (*status)->next)
- if ((*status)->serialSz == request->serialSz
- && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz))
- break;
- if (responseBuffer && *status && !(*status)->rawOcspResponse) {
- /* force fetching again */
- ret = OCSP_INVALID_STATUS;
- }
- else if (*status) {
- #ifndef NO_ASN_TIME
- if (XVALIDATE_DATE((*status)->thisDate,
- (*status)->thisDateFormat, BEFORE)
- && ((*status)->nextDate[0] != 0)
- && XVALIDATE_DATE((*status)->nextDate,
- (*status)->nextDateFormat, AFTER))
- #endif
- {
- ret = xstat2err((*status)->status);
- if (responseBuffer) {
- responseBuffer->buffer = (byte*)XMALLOC(
- (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (responseBuffer->buffer) {
- responseBuffer->length = (*status)->rawOcspResponseSz;
- XMEMCPY(responseBuffer->buffer,
- (*status)->rawOcspResponse,
- (*status)->rawOcspResponseSz);
- }
- }
- }
- }
- wc_UnLockMutex(&ocsp->ocspLock);
- return ret;
- }
- /* Check that the response for validity. Store result in status.
- *
- * ocsp Context object for OCSP status.
- * response OCSP response message data.
- * responseSz Length of OCSP response message data.
- * reponseBuffer Buffer object to return the response with.
- * status The certificate status object.
- * entry The OCSP entry for this certificate.
- * returns OCSP_LOOKUP_FAIL when the response is bad and 0 otherwise.
- */
- int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
- WOLFSSL_BUFFER_INFO *responseBuffer, CertStatus *status,
- OcspEntry *entry, OcspRequest *ocspRequest)
- {
- #ifdef WOLFSSL_SMALL_STACK
- CertStatus* newStatus;
- OcspEntry* newSingle;
- OcspResponse* ocspResponse;
- #else
- CertStatus newStatus[1];
- OcspEntry newSingle[1];
- OcspResponse ocspResponse[1];
- #endif
- int ret;
- int validated = 0; /* ocsp validation flag */
- #ifdef WOLFSSL_SMALL_STACK
- newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
- DYNAMIC_TYPE_OCSP_STATUS);
- newSingle = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL,
- DYNAMIC_TYPE_OCSP_ENTRY);
- ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
- DYNAMIC_TYPE_OCSP_REQUEST);
- if (newStatus == NULL || newSingle == NULL || ocspResponse == NULL) {
- if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_OCSP_STATUS);
- if (newSingle) XFREE(newSingle, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
- WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
- return MEMORY_E;
- }
- #endif
- InitOcspResponse(ocspResponse, newSingle, newStatus, response, responseSz,
- ocsp->cm->heap);
- ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0);
- if (ret != 0) {
- ocsp->error = ret;
- WOLFSSL_LEAVE("OcspResponseDecode failed", ocsp->error);
- goto end;
- }
- if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) {
- WOLFSSL_MSG("OcspResponse status bad");
- goto end;
- }
- if (ocspRequest != NULL) {
- /* Has the chance to bubble up response changing ocspResponse->single to
- no longer be pointing at newSingle */
- ret = CompareOcspReqResp(ocspRequest, ocspResponse);
- if (ret != 0) {
- goto end;
- }
- }
- if (responseBuffer) {
- responseBuffer->buffer = (byte*)XMALLOC(responseSz, ocsp->cm->heap,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (responseBuffer->buffer) {
- responseBuffer->length = responseSz;
- XMEMCPY(responseBuffer->buffer, response, responseSz);
- }
- }
- ret = xstat2err(ocspResponse->single->status->status);
- if (ret == 0) {
- validated = 1;
- }
- if (wc_LockMutex(&ocsp->ocspLock) != 0) {
- ret = BAD_MUTEX_E;
- goto end;
- }
- if (status != NULL) {
- if (status->rawOcspResponse) {
- XFREE(status->rawOcspResponse, ocsp->cm->heap,
- DYNAMIC_TYPE_OCSP_STATUS);
- }
- /* Replace existing certificate entry with updated */
- ocspResponse->single->status->next = status->next;
- XMEMCPY(status, ocspResponse->single->status, sizeof(CertStatus));
- }
- else {
- /* Save new certificate entry */
- status = (CertStatus*)XMALLOC(sizeof(CertStatus),
- ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS);
- if (status != NULL) {
- XMEMCPY(status, ocspResponse->single->status, sizeof(CertStatus));
- status->next = entry->status;
- entry->status = status;
- entry->ownStatus = 1;
- entry->totalStatus++;
- }
- }
- if (status && responseBuffer && responseBuffer->buffer) {
- status->rawOcspResponse = (byte*)XMALLOC(responseBuffer->length,
- ocsp->cm->heap,
- DYNAMIC_TYPE_OCSP_STATUS);
- if (status->rawOcspResponse) {
- status->rawOcspResponseSz = responseBuffer->length;
- XMEMCPY(status->rawOcspResponse, responseBuffer->buffer,
- responseBuffer->length);
- }
- }
- wc_UnLockMutex(&ocsp->ocspLock);
- end:
- if (ret == 0 && validated == 1) {
- WOLFSSL_MSG("New OcspResponse validated");
- } else if ((ret == ocsp->error) && (ocspResponse->single->status->status == CERT_UNKNOWN)) {
- WOLFSSL_MSG("OCSP unknown");
- ret = OCSP_CERT_UNKNOWN;
- } else if (ret != OCSP_CERT_REVOKED) {
- WOLFSSL_MSG("OCSP lookup failure");
- ret = OCSP_LOOKUP_FAIL;
- }
- FreeOcspResponse(ocspResponse);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(newStatus, NULL, DYNAMIC_TYPE_OCSP_STATUS);
- XFREE(newSingle, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- XFREE(ocspResponse, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
- #endif
- return ret;
- }
- /* 0 on success */
- /* allow user to override the maximum request size at build-time */
- #ifndef OCSP_MAX_REQUEST_SZ
- #define OCSP_MAX_REQUEST_SZ 2048
- #endif
- int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
- buffer* responseBuffer)
- {
- OcspEntry* entry = NULL;
- CertStatus* status = NULL;
- byte* request = NULL;
- int requestSz = OCSP_MAX_REQUEST_SZ;
- int responseSz = 0;
- byte* response = NULL;
- const char* url = NULL;
- int urlSz = 0;
- int ret = -1;
- WOLFSSL* ssl;
- void* ioCtx;
- WOLFSSL_ENTER("CheckOcspRequest");
- if (ocsp == NULL || ocspRequest == NULL)
- return BAD_FUNC_ARG;
- if (responseBuffer) {
- responseBuffer->buffer = NULL;
- responseBuffer->length = 0;
- }
- ret = GetOcspEntry(ocsp, ocspRequest, &entry);
- if (ret != 0)
- return ret;
- ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer);
- if (ret != OCSP_INVALID_STATUS)
- return ret;
- /* get SSL and IOCtx */
- ssl = (WOLFSSL*)ocspRequest->ssl;
- ioCtx = (ssl && ssl->ocspIOCtx != NULL) ?
- ssl->ocspIOCtx : ocsp->cm->ocspIOCtx;
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
- if (ocsp->statusCb != NULL && ssl != NULL) {
- ret = ocsp->statusCb(ssl, ioCtx);
- if (ret == 0) {
- ret = wolfSSL_get_ocsp_response(ssl, &response);
- ret = CheckOcspResponse(ocsp, response, ret, responseBuffer, status,
- entry, NULL);
- if (response != NULL)
- XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
- return ret;
- }
- WOLFSSL_LEAVE("CheckOcspRequest", ocsp->error);
- return ret;
- }
- #endif
- if (ocsp->cm->ocspUseOverrideURL) {
- url = ocsp->cm->ocspOverrideURL;
- if (url != NULL && url[0] != '\0')
- urlSz = (int)XSTRLEN(url);
- else
- return OCSP_NEED_URL;
- }
- else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) {
- url = (const char *)ocspRequest->url;
- urlSz = ocspRequest->urlSz;
- }
- else {
- /* cert doesn't have extAuthInfo, assuming CERT_GOOD */
- WOLFSSL_MSG("Cert has no OCSP URL, assuming CERT_GOOD");
- return 0;
- }
- request = (byte*)XMALLOC(requestSz, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
- if (request == NULL) {
- WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
- if (responseBuffer) {
- XFREE(responseBuffer->buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- responseBuffer->buffer = NULL;
- }
- return MEMORY_ERROR;
- }
- requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
- if (requestSz > 0 && ocsp->cm->ocspIOCb) {
- responseSz = ocsp->cm->ocspIOCb(ioCtx, url, urlSz,
- request, requestSz, &response);
- }
- if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
- ret = OCSP_WANT_READ;
- }
- XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
- if (responseSz >= 0 && response) {
- ret = CheckOcspResponse(ocsp, response, responseSz, responseBuffer, status,
- entry, ocspRequest);
- }
- if (response != NULL && ocsp->cm->ocspRespFreeCb)
- ocsp->cm->ocspRespFreeCb(ioCtx, response);
- /* Keep responseBuffer in the case of getting to response check. Caller
- * should free responseBuffer after checking OCSP return value in "ret" */
- WOLFSSL_LEAVE("CheckOcspRequest", ret);
- return ret;
- }
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
- defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIGHTY)
- int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
- WOLFSSL_OCSP_CERTID* id, int* status, int* reason,
- WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
- WOLFSSL_ASN1_TIME** nextupd)
- {
- WOLFSSL_OCSP_SINGLERESP* single;
- if (bs == NULL || id == NULL)
- return WOLFSSL_FAILURE;
- single = bs->single;
- while (single != NULL) {
- if ((XMEMCMP(single->status->serial, id->status->serial, single->status->serialSz) == 0)
- && (XMEMCMP(single->issuerHash, id->issuerHash, OCSP_DIGEST_SIZE) == 0)
- && (XMEMCMP(single->issuerKeyHash, id->issuerKeyHash, OCSP_DIGEST_SIZE) == 0)) {
- break;
- }
- single = single->next;
- }
- if (single == NULL)
- return WOLFSSL_FAILURE;
- if (status != NULL)
- *status = single->status->status;
- if (thisupd != NULL)
- *thisupd = &single->status->thisDateParsed;
- if (nextupd != NULL)
- *nextupd = &single->status->nextDateParsed;
- /* TODO: Not needed for Nginx or httpd */
- if (reason != NULL)
- *reason = 0;
- if (revtime != NULL)
- *revtime = NULL;
- return WOLFSSL_SUCCESS;
- }
- const char *wolfSSL_OCSP_cert_status_str(long s)
- {
- switch (s) {
- case CERT_GOOD:
- return "good";
- case CERT_REVOKED:
- return "revoked";
- case CERT_UNKNOWN:
- return "unknown";
- default:
- return "(UNKNOWN)";
- }
- }
- int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd,
- WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec)
- {
- (void)thisupd;
- (void)nextupd;
- (void)sec;
- (void)maxsec;
- /* Dates validated in DecodeSingleResponse. */
- return WOLFSSL_SUCCESS;
- }
- void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId)
- {
- FreeOcspEntry(certId, NULL);
- XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
- const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject,
- const WOLFSSL_X509 *issuer)
- {
- WOLFSSL_OCSP_CERTID* certId = NULL;
- CertStatus* certStatus = NULL;
- WOLFSSL_CERT_MANAGER* cm = NULL;
- int ret = -1;
- DerBuffer* derCert = NULL;
- #ifdef WOLFSSL_SMALL_STACK
- DecodedCert *cert = NULL;
- #else
- DecodedCert cert[1];
- #endif
- (void)dgst;
- cm = wolfSSL_CertManagerNew();
- if (cm == NULL
- || subject == NULL || subject->derCert == NULL
- || issuer == NULL || issuer->derCert == NULL)
- goto out;
- #ifdef WOLFSSL_SMALL_STACK
- cert = (DecodedCert *)XMALLOC(sizeof(*cert), cm->heap, DYNAMIC_TYPE_DCERT);
- if (cert == NULL)
- goto out;
- #endif
- ret = AllocDer(&derCert, issuer->derCert->length,
- issuer->derCert->type, NULL);
- if (ret == 0) {
- /* AddCA() frees the buffer. */
- XMEMCPY(derCert->buffer, issuer->derCert->buffer,
- issuer->derCert->length);
- ret = AddCA(cm, &derCert, WOLFSSL_USER_CA, 1);
- if (ret != WOLFSSL_SUCCESS) {
- goto out;
- }
- derCert = NULL;
- }
- ret = -1;
- certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID),
- cm->heap, DYNAMIC_TYPE_OPENSSL);
- if (certId == NULL)
- goto out;
- certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), cm->heap,
- DYNAMIC_TYPE_OPENSSL);
- if (certStatus == NULL)
- goto out;
- XMEMSET(certId, 0, sizeof(WOLFSSL_OCSP_CERTID));
- XMEMSET(certStatus, 0, sizeof(CertStatus));
- certId->status = certStatus;
- certId->ownStatus = 1;
- InitDecodedCert(cert, subject->derCert->buffer,
- subject->derCert->length, NULL);
- if (ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) {
- goto out;
- }
- else {
- XMEMCPY(certId->issuerHash, cert->issuerHash, OCSP_DIGEST_SIZE);
- XMEMCPY(certId->issuerKeyHash, cert->issuerKeyHash, OCSP_DIGEST_SIZE);
- XMEMCPY(certId->status->serial, cert->serial, cert->serialSz);
- certId->status->serialSz = cert->serialSz;
- FreeDecodedCert(cert);
- }
- ret = 0;
- out:
- if (ret != 0) {
- if (derCert != NULL)
- FreeDer(&derCert);
- if (certId != NULL)
- XFREE(certId, cm->heap, DYNAMIC_TYPE_OPENSSL);
- if (certStatus)
- XFREE(certStatus, cm->heap, DYNAMIC_TYPE_OPENSSL);
- return NULL;
- }
- #ifdef WOLFSSL_SMALL_STACK
- if (cert != NULL)
- XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT);
- #endif
- if (cm != NULL)
- wolfSSL_CertManagerFree(cm);
- return certId;
- }
- void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse)
- {
- wolfSSL_OCSP_RESPONSE_free(basicResponse);
- }
- /* Signature verified in DecodeBasicOcspResponse.
- * But no store available to verify certificate. */
- int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs,
- WOLF_STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags)
- {
- int ret;
- #ifdef WOLFSSL_SMALL_STACK
- DecodedCert *cert = (DecodedCert *)
- XMALLOC(sizeof(*cert), (st && st->cm) ? st->cm->heap : NULL,
- DYNAMIC_TYPE_DCERT);
- if (cert == NULL)
- return WOLFSSL_FAILURE;
- #else
- DecodedCert cert[1];
- #endif
- (void)certs;
- if (flags & OCSP_NOVERIFY) {
- ret = WOLFSSL_SUCCESS;
- goto out;
- }
- #ifdef OPENSSL_EXTRA
- if (bs->verifyError != OCSP_VERIFY_ERROR_NONE) {
- ret = WOLFSSL_FAILURE;
- goto out;
- }
- #endif
- ret = WOLFSSL_SUCCESS;
- InitDecodedCert(cert, bs->cert, bs->certSz, NULL);
- if (ParseCertRelative(cert, CERT_TYPE, VERIFY, st->cm) < 0)
- ret = WOLFSSL_FAILURE;
- FreeDecodedCert(cert);
- out:
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(cert, (st && st->cm) ? st->cm->heap : NULL, DYNAMIC_TYPE_DCERT);
- #endif
- return ret;
- }
- void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response)
- {
- if (response == NULL)
- return;
- if (response->single != NULL) {
- FreeOcspEntry(response->single, NULL);
- XFREE(response->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- }
- if (response->source != NULL)
- XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
- }
- #ifndef NO_BIO
- OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio,
- OcspResponse** response)
- {
- byte* data;
- byte* p;
- int len;
- int dataAlloced = 0;
- OcspResponse* ret = NULL;
- if (bio == NULL)
- return NULL;
- if (bio->type == WOLFSSL_BIO_MEMORY) {
- len = wolfSSL_BIO_get_mem_data(bio, &data);
- if (len <= 0 || data == NULL) {
- return NULL;
- }
- }
- #ifndef NO_FILESYSTEM
- else if (bio->type == WOLFSSL_BIO_FILE) {
- long fcur;
- long flen;
- if (bio->ptr == NULL)
- return NULL;
- fcur = XFTELL((XFILE)bio->ptr);
- if (fcur < 0)
- return NULL;
- if(XFSEEK((XFILE)bio->ptr, 0, SEEK_END) != 0)
- return NULL;
- flen = XFTELL((XFILE)bio->ptr);
- if (flen < 0)
- return NULL;
- if (XFSEEK((XFILE)bio->ptr, fcur, SEEK_SET) != 0)
- return NULL;
- /* check calculated length */
- fcur = flen - fcur;
- if (fcur > MAX_WOLFSSL_FILE_SIZE || fcur <= 0)
- return NULL;
- data = (byte*)XMALLOC(fcur, 0, DYNAMIC_TYPE_TMP_BUFFER);
- if (data == NULL)
- return NULL;
- dataAlloced = 1;
- len = wolfSSL_BIO_read(bio, (char *)data, (int)flen);
- }
- #endif
- else
- return NULL;
- if (len > 0) {
- p = data;
- ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p,
- len);
- }
- if (dataAlloced)
- XFREE(data, 0, DYNAMIC_TYPE_TMP_BUFFER);
- return ret;
- }
- #endif /* !NO_BIO */
- OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
- const unsigned char** data, int len)
- {
- OcspResponse *resp = NULL;
- word32 idx = 0;
- int length = 0;
- int ret;
- if (data == NULL)
- return NULL;
- if (response != NULL)
- resp = *response;
- if (resp == NULL) {
- resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
- DYNAMIC_TYPE_OCSP_REQUEST);
- if (resp == NULL)
- return NULL;
- XMEMSET(resp, 0, sizeof(OcspResponse));
- }
- resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (resp->source == NULL) {
- XFREE(resp, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
- return NULL;
- }
- resp->single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL,
- DYNAMIC_TYPE_OCSP_ENTRY);
- if (resp->single == NULL) {
- XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- XFREE(resp, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
- return NULL;
- }
- XMEMSET(resp->single, 0, sizeof(OcspEntry));
- resp->single->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
- DYNAMIC_TYPE_OCSP_STATUS);
- resp->single->ownStatus = 1;
- if (resp->single->status == NULL) {
- XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- XFREE(resp->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- XFREE(resp, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
- return NULL;
- }
- XMEMSET(resp->single->status, 0, sizeof(CertStatus));
- XMEMCPY(resp->source, *data, len);
- resp->maxIdx = len;
- ret = OcspResponseDecode(resp, NULL, NULL, 1);
- if (ret != 0 && ret != ASN_OCSP_CONFIRM_E) {
- /* for just converting from a DER to an internal structure the CA may
- * not yet be known to this function for signature verification */
- wolfSSL_OCSP_RESPONSE_free(resp);
- return NULL;
- }
- if (GetSequence(*data, &idx, &length, len) >= 0)
- (*data) += idx + length;
- return resp;
- }
- int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response,
- unsigned char** data)
- {
- if (data == NULL)
- return response->maxIdx;
- XMEMCPY(*data, response->source, response->maxIdx);
- return response->maxIdx;
- }
- int wolfSSL_OCSP_response_status(OcspResponse *response)
- {
- return response->responseStatus;
- }
- const char *wolfSSL_OCSP_response_status_str(long s)
- {
- switch (s) {
- case OCSP_SUCCESSFUL:
- return "successful";
- case OCSP_MALFORMED_REQUEST:
- return "malformedrequest";
- case OCSP_INTERNAL_ERROR:
- return "internalerror";
- case OCSP_TRY_LATER:
- return "trylater";
- case OCSP_SIG_REQUIRED:
- return "sigrequired";
- case OCSP_UNAUTHORIZED:
- return "unauthorized";
- default:
- return "(UNKNOWN)";
- }
- }
- WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response)
- {
- WOLFSSL_OCSP_BASICRESP* bs;
- bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL,
- DYNAMIC_TYPE_OCSP_REQUEST);
- if (bs == NULL)
- return NULL;
- XMEMCPY(bs, response, sizeof(OcspResponse));
- bs->single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL,
- DYNAMIC_TYPE_OCSP_ENTRY);
- bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (bs->single == NULL || bs->source == NULL) {
- if (bs->single) XFREE(bs->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- if (bs->source) XFREE(bs->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- wolfSSL_OCSP_RESPONSE_free(bs);
- bs = NULL;
- }
- else {
- XMEMCPY(bs->single, response->single, sizeof(OcspEntry));
- XMEMCPY(bs->source, response->source, response->maxIdx);
- bs->single->ownStatus = 0;
- }
- return bs;
- }
- OcspRequest* wolfSSL_OCSP_REQUEST_new(void)
- {
- OcspRequest* request;
- request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
- DYNAMIC_TYPE_OPENSSL);
- if (request != NULL)
- XMEMSET(request, 0, sizeof(OcspRequest));
- return request;
- }
- void wolfSSL_OCSP_REQUEST_free(OcspRequest* request)
- {
- FreeOcspRequest(request);
- XFREE(request, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data)
- {
- int size;
- size = EncodeOcspRequest(request, NULL, 0);
- if (size <= 0 || data == NULL)
- return size;
- return EncodeOcspRequest(request, *data, size);
- }
- WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req,
- WOLFSSL_OCSP_CERTID *cid)
- {
- if (req == NULL || cid == NULL || cid->status == NULL)
- return NULL;
- XMEMCPY(req->issuerHash, cid->issuerHash, KEYID_SIZE);
- XMEMCPY(req->issuerKeyHash, cid->issuerKeyHash, KEYID_SIZE);
- if (cid->status->serialSz > req->serialSz) {
- if (req->serial != NULL)
- XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP);
- req->serial = (byte*)XMALLOC(cid->status->serialSz,
- req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- if (req->serial == NULL)
- return NULL;
- }
- XMEMCPY(req->serial, cid->status->serial, cid->status->serialSz);
- req->serialSz = cid->status->serialSz;
- return req;
- }
- WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_CERTID_dup(WOLFSSL_OCSP_CERTID* id)
- {
- WOLFSSL_OCSP_CERTID* certId;
- if (id == NULL)
- return NULL;
- certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID),
- NULL, DYNAMIC_TYPE_OPENSSL);
- if (certId) {
- XMEMCPY(certId, id, sizeof(WOLFSSL_OCSP_CERTID));
- }
- return certId;
- }
- #endif
- #if defined(OPENSSL_ALL) || defined(APACHE_HTTPD) || defined(WOLFSSL_HAPROXY)
- #ifndef NO_BIO
- int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out,
- WOLFSSL_OCSP_REQUEST *req)
- {
- int size = -1;
- unsigned char* data = NULL;
- WOLFSSL_ENTER("wolfSSL_i2d_OCSP_REQUEST_bio");
- if (out == NULL || req == NULL)
- return WOLFSSL_FAILURE;
- size = wolfSSL_i2d_OCSP_REQUEST(req, NULL);
- if (size > 0) {
- data = (unsigned char*) XMALLOC(size, out->heap,
- DYNAMIC_TYPE_TMP_BUFFER);
- }
- if (data != NULL) {
- size = wolfSSL_i2d_OCSP_REQUEST(req, &data);
- }
- if (size <= 0) {
- XFREE(data, out->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return WOLFSSL_FAILURE;
- }
- if (wolfSSL_BIO_write(out, data, size) == (int)size) {
- XFREE(data, out->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return WOLFSSL_SUCCESS;
- }
- XFREE(data, out->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return WOLFSSL_FAILURE;
- }
- #endif /* !NO_BIO */
- int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data)
- {
- if (id == NULL || data == NULL)
- return WOLFSSL_FAILURE;
- if (*data != NULL) {
- XMEMCPY(*data, id->rawCertId, id->rawCertIdSize);
- *data = *data + id->rawCertIdSize;
- }
- else {
- *data = (unsigned char*)XMALLOC(id->rawCertIdSize, NULL, DYNAMIC_TYPE_OPENSSL);
- if (*data == NULL) {
- return WOLFSSL_FAILURE;
- }
- XMEMCPY(*data, id->rawCertId, id->rawCertIdSize);
- }
- return id->rawCertIdSize;
- }
- WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut,
- const unsigned char** derIn,
- int length)
- {
- WOLFSSL_OCSP_CERTID *cid = NULL;
- if ((cidOut != NULL) && (derIn != NULL) && (*derIn != NULL) &&
- (length > 0)) {
- cid = *cidOut;
- /* If a NULL is passed we allocate the memory for the caller. */
- if (cid == NULL) {
- cid = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*cid), NULL,
- DYNAMIC_TYPE_OPENSSL);
- }
- else if (cid->rawCertId != NULL) {
- XFREE(cid->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL);
- cid->rawCertId = NULL;
- cid->rawCertIdSize = 0;
- }
- if (cid != NULL) {
- cid->rawCertId = (byte*)XMALLOC(length + 1, NULL, DYNAMIC_TYPE_OPENSSL);
- if (cid->rawCertId != NULL) {
- XMEMCPY(cid->rawCertId, *derIn, length);
- cid->rawCertIdSize = length;
- /* Per spec. advance past the data that is being returned
- * to the caller. */
- *cidOut = cid;
- *derIn = *derIn + length;
- return cid;
- }
- }
- }
- if (cid && (!cidOut || cid != *cidOut)) {
- XFREE(cid, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- return NULL;
- }
- const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single)
- {
- return single;
- }
- /**
- * Compare two WOLFSSL_OCSP_CERTID objects
- * @param a
- * @param b
- * @return 0 on success and when objects have the same id otherwise either
- * the id's don't match or an error occurred
- */
- int wolfSSL_OCSP_id_cmp(WOLFSSL_OCSP_CERTID *a, WOLFSSL_OCSP_CERTID *b)
- {
- int ret = 0;
- if (a == NULL || b == NULL)
- return WOLFSSL_FATAL_ERROR;
- ret = a->hashAlgoOID != b->hashAlgoOID;
- if (ret == 0)
- ret = XMEMCMP(a->issuerHash, b->issuerHash, OCSP_DIGEST_SIZE);
- if (ret == 0)
- ret = XMEMCMP(a->issuerKeyHash, b->issuerKeyHash, OCSP_DIGEST_SIZE);
- if (ret == 0) {
- if (a->status != NULL && b->status != NULL) {
- if (a->status->serialSz == b->status->serialSz)
- ret = XMEMCMP(a->status->serial, b->status->serial,
- a->status->serialSz);
- else
- ret = -1;
- }
- else if (a->status != b->status) {
- /* If either is not null then return non-zero */
- ret = -1;
- }
- }
- return ret;
- }
- int wolfSSL_OCSP_single_get0_status(WOLFSSL_OCSP_SINGLERESP *single,
- int *reason,
- WOLFSSL_ASN1_TIME **revtime,
- WOLFSSL_ASN1_TIME **thisupd,
- WOLFSSL_ASN1_TIME **nextupd)
- {
- if (single == NULL)
- return WOLFSSL_FAILURE;
- if (thisupd != NULL)
- *thisupd = &single->status->thisDateParsed;
- if (nextupd != NULL)
- *nextupd = &single->status->nextDateParsed;
- if (reason != NULL)
- *reason = 0;
- if (revtime != NULL)
- *revtime = NULL;
- return single->status->status;
- }
- int wolfSSL_OCSP_resp_count(WOLFSSL_OCSP_BASICRESP *bs)
- {
- WOLFSSL_OCSP_SINGLERESP* single;
- int count = 0;
- if (bs == NULL)
- return WOLFSSL_FAILURE;
- single = bs->single;
- while(single != NULL)
- {
- ++count;
- single = single->next;
- }
- return count;
- }
- WOLFSSL_OCSP_SINGLERESP* wolfSSL_OCSP_resp_get0(WOLFSSL_OCSP_BASICRESP *bs, int idx)
- {
- WOLFSSL_OCSP_SINGLERESP* single;
- int currIdx = 0;
- if (bs == NULL)
- return NULL;
- single = bs->single;
- while(single != NULL && currIdx != idx)
- {
- single = single->next;
- ++currIdx;
- }
- return single;
- }
- #endif /* OPENSSL_ALL || APACHE_HTTPD || WOLFSSL_HAPROXY */
- #ifdef OPENSSL_EXTRA
- #ifndef NO_WOLFSSL_STUB
- int wolfSSL_OCSP_REQUEST_add_ext(OcspRequest* req, WOLFSSL_X509_EXTENSION* ext,
- int idx)
- {
- WOLFSSL_STUB("wolfSSL_OCSP_REQUEST_add_ext");
- (void)req;
- (void)ext;
- (void)idx;
- return WOLFSSL_FATAL_ERROR;
- }
- #endif
- #ifndef NO_WOLFSSL_STUB
- OcspResponse* wolfSSL_OCSP_response_create(int status,
- WOLFSSL_OCSP_BASICRESP* bs)
- {
- WOLFSSL_STUB("wolfSSL_OCSP_response_create");
- (void)status;
- (void)bs;
- return NULL;
- }
- #endif
- #ifndef NO_WOLFSSL_STUB
- const char* wolfSSL_OCSP_crl_reason_str(long s)
- {
- WOLFSSL_STUB("wolfSSL_OCSP_crl_reason_str");
- (void)s;
- return NULL;
- }
- #endif
- /* Returns elements of an OCSP_CERTID struct. Currently only supports
- * returning the serial number, and returns an error if user requests
- * any of name, pmd, and/or keyHash.
- * Return 1 on success, 0 on failure */
- int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name,
- WOLFSSL_ASN1_OBJECT **pmd, WOLFSSL_ASN1_STRING **keyHash,
- WOLFSSL_ASN1_INTEGER **serial, WOLFSSL_OCSP_CERTID *cid)
- {
- WOLFSSL_ENTER("wolfSSL_OCSP_id_get0_info");
- if (cid == NULL)
- return 0;
- /* build up ASN1_INTEGER for serial */
- if (serial != NULL) {
- int i = 0;
- WOLFSSL_ASN1_INTEGER* ser;
- ser = wolfSSL_ASN1_INTEGER_new();
- if (ser == NULL)
- return 0;
- if (cid->status->serialSz > (WOLFSSL_ASN1_INTEGER_MAX - 2)) {
- /* allocate data buffer, +2 for type and length */
- ser->data = (unsigned char*)XMALLOC(cid->status->serialSz + 2, NULL,
- DYNAMIC_TYPE_OPENSSL);
- if (ser->data == NULL) {
- wolfSSL_ASN1_INTEGER_free(ser);
- return 0;
- }
- ser->dataMax = cid->status->serialSz + 2;
- ser->isDynamic = 1;
- } else {
- /* Use array instead of dynamic memory */
- ser->data = ser->intData;
- ser->dataMax = WOLFSSL_ASN1_INTEGER_MAX;
- }
- #if defined(WOLFSSL_QT) || defined(WOLFSSL_HAPROXY)
- /* Serial number starts at 0 index of ser->data */
- XMEMCPY(&ser->data[i], cid->status->serial, cid->status->serialSz);
- ser->length = cid->status->serialSz;
- #else
- ser->data[i++] = ASN_INTEGER;
- i += SetLength(cid->status->serialSz, ser->data + i);
- XMEMCPY(&ser->data[i], cid->status->serial, cid->status->serialSz);
- ser->length = i + cid->status->serialSz;
- #endif
- cid->status->serialInt = ser;
- *serial = ser;
- }
- /* Not needed for Apache, return error if user is requesting */
- if (name != NULL || pmd != NULL || keyHash != NULL) {
- if (name != NULL)
- *name = NULL;
- if (pmd != NULL)
- *pmd = NULL;
- if (keyHash != NULL)
- *keyHash = NULL;
- return 0;
- }
- return 1;
- }
- int wolfSSL_OCSP_request_add1_nonce(OcspRequest* req, unsigned char* val,
- int sz)
- {
- WC_RNG rng;
- WOLFSSL_ENTER("wolfSSL_OCSP_request_add1_nonce");
- if (req == NULL || sz > MAX_OCSP_NONCE_SZ) {
- WOLFSSL_MSG("Bad parameter");
- return WOLFSSL_FAILURE;
- }
- if (sz <= 0)
- sz = MAX_OCSP_NONCE_SZ;
- if (val != NULL) {
- XMEMCPY(req->nonce, val, sz);
- }
- else {
- if (
- #ifndef HAVE_FIPS
- wc_InitRng_ex(&rng, req->heap, INVALID_DEVID)
- #else
- wc_InitRng(&rng)
- #endif
- != 0) {
- WOLFSSL_MSG("RNG init failed");
- return WOLFSSL_FAILURE;
- }
- if (wc_RNG_GenerateBlock(&rng, req->nonce, sz) != 0) {
- WOLFSSL_MSG("wc_RNG_GenerateBlock failed");
- wc_FreeRng(&rng);
- return WOLFSSL_FAILURE;
- }
- wc_FreeRng(&rng);
- }
- req->nonceSz = sz;
- return WOLFSSL_SUCCESS;
- }
- /* Returns result of OCSP nonce comparison. Return values:
- * 1 - nonces are both present and equal
- * 2 - both nonces are absent
- * 3 - nonce only present in response
- * -1 - nonce only present in request
- * 0 - both nonces present and equal
- */
- int wolfSSL_OCSP_check_nonce(OcspRequest* req, WOLFSSL_OCSP_BASICRESP* bs)
- {
- byte* reqNonce = NULL;
- byte* rspNonce = NULL;
- int reqNonceSz = 0;
- int rspNonceSz = 0;
- WOLFSSL_ENTER("wolfSSL_OCSP_check_nonce");
- if (req != NULL) {
- reqNonce = req->nonce;
- reqNonceSz = req->nonceSz;
- }
- if (bs != NULL) {
- rspNonce = bs->nonce;
- rspNonceSz = bs->nonceSz;
- }
- /* nonce absent in both req and rsp */
- if (reqNonce == NULL && rspNonce == NULL)
- return 2;
- /* nonce present in rsp only */
- if (reqNonce == NULL && rspNonce != NULL)
- return 3;
- /* nonce present in req only */
- if (reqNonce != NULL && rspNonce == NULL)
- return -1;
- /* nonces are present and equal, return 1. Extra NULL check for fixing
- scan-build warning. */
- if (reqNonceSz == rspNonceSz && reqNonce && rspNonce) {
- if (XMEMCMP(reqNonce, rspNonce, reqNonceSz) == 0)
- return 1;
- }
- /* nonces are present but not equal */
- return 0;
- }
- #endif /* OPENSSL_EXTRA */
- #else /* HAVE_OCSP */
- #ifdef _MSC_VER
- /* 4206 warning for blank file */
- #pragma warning(disable: 4206)
- #endif
- #endif /* HAVE_OCSP */
- #endif /* WOLFCRYPT_ONLY */
|