
Source code changes of the file "apps/ocsp.c" between
openssl-1.1.1f.tar.gz and openssl-1.1.1g.tar.gz


ocsp.c  (openssl-1.1.1f):ocsp.c  (openssl-1.1.1g)
/* /*
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at * in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
#include <openssl/opensslconf.h> #include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_OCSP #ifdef OPENSSL_SYS_VMS
NON_EMPTY_TRANSLATION_UNIT # define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
#else
# ifdef OPENSSL_SYS_VMS
# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
* on OpenVMS */ * on OpenVMS */
# endif #endif
# include <stdio.h> #include <stdio.h>
# include <stdlib.h> #include <stdlib.h>
# include <string.h> #include <string.h>
# include <time.h> #include <time.h>
# include <ctype.h> #include <ctype.h>
/* Needs to be included before the openssl headers */ /* Needs to be included before the openssl headers */
# include "apps.h" #include "apps.h"
# include "progs.h" #include "progs.h"
# include "internal/sockets.h" #include "internal/sockets.h"
# include <openssl/e_os2.h> #include <openssl/e_os2.h>
# include <openssl/crypto.h> #include <openssl/crypto.h>
# include <openssl/err.h> #include <openssl/err.h>
# include <openssl/ssl.h> #include <openssl/ssl.h>
# include <openssl/evp.h> #include <openssl/evp.h>
# include <openssl/bn.h> #include <openssl/bn.h>
# include <openssl/x509v3.h> #include <openssl/x509v3.h>
# include <openssl/rand.h> #include <openssl/rand.h>
#ifndef HAVE_FORK #ifndef HAVE_FORK
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) #if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
# define HAVE_FORK 0 # define HAVE_FORK 0
# else #else
# define HAVE_FORK 1 # define HAVE_FORK 1
# endif #endif
#endif #endif
#if HAVE_FORK #if HAVE_FORK
# undef NO_FORK #undef NO_FORK
#else #else
# define NO_FORK #define NO_FORK
#endif #endif
# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \ #if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO) && !defined(OPENSSL_NO_POSIX_IO)
# define OCSP_DAEMON # define OCSP_DAEMON
# include <sys/types.h> # include <sys/types.h>
# include <sys/wait.h> # include <sys/wait.h>
# include <syslog.h> # include <syslog.h>
# include <signal.h> # include <signal.h>
# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */ # define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
# else #else
# undef LOG_INFO # undef LOG_INFO
# undef LOG_WARNING # undef LOG_WARNING
# undef LOG_ERR # undef LOG_ERR
# define LOG_INFO 0 # define LOG_INFO 0
# define LOG_WARNING 1 # define LOG_WARNING 1
# define LOG_ERR 2 # define LOG_ERR 2
# endif #endif
# if defined(OPENSSL_SYS_VXWORKS) #if defined(OPENSSL_SYS_VXWORKS)
/* not supported */ /* not supported */
int setpgid(pid_t pid, pid_t pgid) int setpgid(pid_t pid, pid_t pgid)
{ {
errno = ENOSYS; errno = ENOSYS;
return 0; return 0;
} }
/* not supported */ /* not supported */
pid_t fork(void) pid_t fork(void)
{ {
errno = ENOSYS; errno = ENOSYS;
return (pid_t) -1; return (pid_t) -1;
} }
# endif #endif
/* Maximum leeway in validity period: default 5 minutes */ /* Maximum leeway in validity period: default 5 minutes */
# define MAX_VALIDITY_PERIOD (5 * 60) #define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer, const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids); STACK_OF(OCSP_CERTID) *ids);
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
const EVP_MD *cert_id_md, X509 *issuer, const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids); STACK_OF(OCSP_CERTID) *ids);
static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names, STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec, STACK_OF(OCSP_CERTID) *ids, long nsec,
skipping to change at line 112 skipping to change at line 109
int nmin, int ndays, int badsig); int nmin, int ndays, int badsig);
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
static BIO *init_responder(const char *port); static BIO *init_responder(const char *port);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, int timeou t); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, int timeou t);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
static void log_message(int level, const char *fmt, ...); static void log_message(int level, const char *fmt, ...);
static char *prog; static char *prog;
static int multi = 0; static int multi = 0;
# ifdef OCSP_DAEMON #ifdef OCSP_DAEMON
static int acfd = (int) INVALID_SOCKET; static int acfd = (int) INVALID_SOCKET;
static int index_changed(CA_DB *); static int index_changed(CA_DB *);
static void spawn_loop(void); static void spawn_loop(void);
static int print_syslog(const char *str, size_t len, void *levPtr); static int print_syslog(const char *str, size_t len, void *levPtr);
static void socket_timeout(int signum); static void socket_timeout(int signum);
# endif #endif
# ifndef OPENSSL_NO_SOCK #ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path, const char *path,
const STACK_OF(CONF_VALUE) *headers, const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout); OCSP_REQUEST *req, int req_timeout);
# endif #endif
typedef enum OPTION_choice { typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT, OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE, OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS, OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN, OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
skipping to change at line 163 skipping to change at line 160
{"port", OPT_PORT, 'p', "Port to run responder on"}, {"port", OPT_PORT, 'p', "Port to run responder on"},
{"ignore_err", OPT_IGNORE_ERR, '-', {"ignore_err", OPT_IGNORE_ERR, '-',
"Ignore error on OCSP request or response and continue running"}, "Ignore error on OCSP request or response and continue running"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"}, {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
{"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"}, {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
{"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"}, {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
{"resp_no_certs", OPT_RESP_NO_CERTS, '-', {"resp_no_certs", OPT_RESP_NO_CERTS, '-',
"Don't include any certificates in response"}, "Don't include any certificates in response"},
{"resp_key_id", OPT_RESP_KEY_ID, '-', {"resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID"}, "Identify response by signing certificate key ID"},
# ifdef OCSP_DAEMON #ifdef OCSP_DAEMON
{"multi", OPT_MULTI, 'p', "run multiple responder processes"}, {"multi", OPT_MULTI, 'p', "run multiple responder processes"},
# endif #endif
{"no_certs", OPT_NO_CERTS, '-', {"no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request"}, "Don't include any certificates in signed request"},
{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
"Don't check signature on response"}, "Don't check signature on response"},
{"no_cert_verify", OPT_NO_CERT_VERIFY, '-', {"no_cert_verify", OPT_NO_CERT_VERIFY, '-',
"Don't check signing certificate"}, "Don't check signing certificate"},
{"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"}, {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
{"no_cert_checks", OPT_NO_CERT_CHECKS, '-', {"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
"Don't do additional checks on signing certificate"}, "Don't do additional checks on signing certificate"},
{"no_explicit", OPT_NO_EXPLICIT, '-', {"no_explicit", OPT_NO_EXPLICIT, '-',
skipping to change at line 514 skipping to change at line 511
BIO_printf(bio_err, BIO_printf(bio_err,
"%s: Digest must be before -cert or -serial\n", "%s: Digest must be before -cert or -serial\n",
prog); prog);
goto opthelp; goto opthelp;
} }
if (!opt_md(opt_unknown(), &cert_id_md)) if (!opt_md(opt_unknown(), &cert_id_md))
goto opthelp; goto opthelp;
trailing_md = 1; trailing_md = 1;
break; break;
case OPT_MULTI: case OPT_MULTI:
# ifdef OCSP_DAEMON #ifdef OCSP_DAEMON
multi = atoi(opt_arg()); multi = atoi(opt_arg());
# endif #endif
break; break;
} }
} }
if (trailing_md) { if (trailing_md) {
BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
prog); prog);
goto opthelp; goto opthelp;
} }
argc = opt_num_rest(); argc = opt_num_rest();
if (argc != 0) if (argc != 0)
skipping to change at line 596 skipping to change at line 593
} }
if (ridx_filename != NULL) { if (ridx_filename != NULL) {
rdb = load_index(ridx_filename, NULL); rdb = load_index(ridx_filename, NULL);
if (rdb == NULL || index_index(rdb) <= 0) { if (rdb == NULL || index_index(rdb) <= 0) {
ret = 1; ret = 1;
goto end; goto end;
} }
} }
# ifdef OCSP_DAEMON #ifdef OCSP_DAEMON
if (multi && acbio != NULL) if (multi && acbio != NULL)
spawn_loop(); spawn_loop();
if (acbio != NULL && req_timeout > 0) if (acbio != NULL && req_timeout > 0)
signal(SIGALRM, socket_timeout); signal(SIGALRM, socket_timeout);
#endif #endif
if (acbio != NULL) if (acbio != NULL)
log_message(LOG_INFO, "waiting for OCSP client connections..."); log_message(LOG_INFO, "waiting for OCSP client connections...");
redo_accept: redo_accept:
if (acbio != NULL) { if (acbio != NULL) {
# ifdef OCSP_DAEMON #ifdef OCSP_DAEMON
if (index_changed(rdb)) { if (index_changed(rdb)) {
CA_DB *newrdb = load_index(ridx_filename, NULL); CA_DB *newrdb = load_index(ridx_filename, NULL);
if (newrdb != NULL && index_index(newrdb) > 0) { if (newrdb != NULL && index_index(newrdb) > 0) {
free_index(rdb); free_index(rdb);
rdb = newrdb; rdb = newrdb;
} else { } else {
free_index(newrdb); free_index(newrdb);
log_message(LOG_ERR, "error reloading updated index: %s", log_message(LOG_ERR, "error reloading updated index: %s",
ridx_filename); ridx_filename);
} }
} }
# endif #endif
req = NULL; req = NULL;
if (!do_responder(&req, &cbio, acbio, req_timeout)) if (!do_responder(&req, &cbio, acbio, req_timeout))
goto redo_accept; goto redo_accept;
if (req == NULL) { if (req == NULL) {
resp = resp =
OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
NULL); NULL);
send_ocsp_response(cbio, resp); send_ocsp_response(cbio, resp);
skipping to change at line 691 skipping to change at line 688
i2d_OCSP_REQUEST_bio(derbio, req); i2d_OCSP_REQUEST_bio(derbio, req);
BIO_free(derbio); BIO_free(derbio);
} }
if (rdb != NULL) { if (rdb != NULL) {
make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey, make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey,
rsign_md, rsign_sigopts, rother, rflags, nmin, nd ays, badsig); rsign_md, rsign_sigopts, rother, rflags, nmin, nd ays, badsig);
if (cbio != NULL) if (cbio != NULL)
send_ocsp_response(cbio, resp); send_ocsp_response(cbio, resp);
} else if (host != NULL) { } else if (host != NULL) {
# ifndef OPENSSL_NO_SOCK #ifndef OPENSSL_NO_SOCK
resp = process_responder(req, host, path, resp = process_responder(req, host, path,
port, use_ssl, headers, req_timeout); port, use_ssl, headers, req_timeout);
if (resp == NULL) if (resp == NULL)
goto end; goto end;
# else #else
BIO_printf(bio_err, BIO_printf(bio_err,
"Error creating connect BIO - sockets not supported.\n"); "Error creating connect BIO - sockets not supported.\n");
goto end; goto end;
# endif #endif
} else if (respin != NULL) { } else if (respin != NULL) {
derbio = bio_open_default(respin, 'r', FORMAT_ASN1); derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
if (derbio == NULL) if (derbio == NULL)
goto end; goto end;
resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
BIO_free(derbio); BIO_free(derbio);
if (resp == NULL) { if (resp == NULL) {
BIO_printf(bio_err, "Error reading OCSP response\n"); BIO_printf(bio_err, "Error reading OCSP response\n");
goto end; goto end;
} }
skipping to change at line 843 skipping to change at line 840
return ret; return ret;
} }
static void static void
log_message(int level, const char *fmt, ...) log_message(int level, const char *fmt, ...)
{ {
va_list ap; va_list ap;
va_start(ap, fmt); va_start(ap, fmt);
# ifdef OCSP_DAEMON #ifdef OCSP_DAEMON
if (multi) { if (multi) {
char buf[1024]; char buf[1024];
if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) { if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
syslog(level, "%s", buf); syslog(level, "%s", buf);
} }
if (level >= LOG_ERR) if (level >= LOG_ERR)
ERR_print_errors_cb(print_syslog, &level); ERR_print_errors_cb(print_syslog, &level);
} }
# endif #endif
if (!multi) { if (!multi) {
BIO_printf(bio_err, "%s: ", prog); BIO_printf(bio_err, "%s: ", prog);
BIO_vprintf(bio_err, fmt, ap); BIO_vprintf(bio_err, fmt, ap);
BIO_printf(bio_err, "\n"); BIO_printf(bio_err, "\n");
} }
va_end(ap); va_end(ap);
} }
# ifdef OCSP_DAEMON #ifdef OCSP_DAEMON
static int print_syslog(const char *str, size_t len, void *levPtr) static int print_syslog(const char *str, size_t len, void *levPtr)
{ {
int level = *(int *)levPtr; int level = *(int *)levPtr;
int ilen = (len > MAXERRLEN) ? MAXERRLEN : len; int ilen = (len > MAXERRLEN) ? MAXERRLEN : len;
syslog(level, "%.*s", ilen, str); syslog(level, "%.*s", ilen, str);
return ilen; return ilen;
} }
skipping to change at line 1014 skipping to change at line 1011
killall(1, kidpids); killall(1, kidpids);
} }
break; break;
} }
} }
/* The loop above can only break on termsig */ /* The loop above can only break on termsig */
syslog(LOG_INFO, "terminating on signal: %d", termsig); syslog(LOG_INFO, "terminating on signal: %d", termsig);
killall(0, kidpids); killall(0, kidpids);
} }
# endif #endif
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer, const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids) STACK_OF(OCSP_CERTID) *ids)
{ {
OCSP_CERTID *id; OCSP_CERTID *id;
if (issuer == NULL) { if (issuer == NULL) {
BIO_printf(bio_err, "No issuer certificate specified\n"); BIO_printf(bio_err, "No issuer certificate specified\n");
return 0; return 0;
skipping to change at line 1294 skipping to change at line 1291
BN_free(bn); BN_free(bn);
rrow = TXT_DB_get_by_index(db->db, DB_serial, row); rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
OPENSSL_free(itmp); OPENSSL_free(itmp);
return rrow; return rrow;
} }
/* Quick and dirty OCSP server: read in and parse input request */ /* Quick and dirty OCSP server: read in and parse input request */
static BIO *init_responder(const char *port) static BIO *init_responder(const char *port)
{ {
# ifdef OPENSSL_NO_SOCK #ifdef OPENSSL_NO_SOCK
BIO_printf(bio_err, BIO_printf(bio_err,
"Error setting up accept BIO - sockets not supported.\n"); "Error setting up accept BIO - sockets not supported.\n");
return NULL; return NULL;
# else #else
BIO *acbio = NULL, *bufbio = NULL; BIO *acbio = NULL, *bufbio = NULL;
bufbio = BIO_new(BIO_f_buffer()); bufbio = BIO_new(BIO_f_buffer());
if (bufbio == NULL) if (bufbio == NULL)
goto err; goto err;
acbio = BIO_new(BIO_s_accept()); acbio = BIO_new(BIO_s_accept());
if (acbio == NULL if (acbio == NULL
|| BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0 || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
|| BIO_set_accept_port(acbio, port) < 0) { || BIO_set_accept_port(acbio, port) < 0) {
log_message(LOG_ERR, "Error setting up accept BIO"); log_message(LOG_ERR, "Error setting up accept BIO");
skipping to change at line 1325 skipping to change at line 1322
log_message(LOG_ERR, "Error starting accept"); log_message(LOG_ERR, "Error starting accept");
goto err; goto err;
} }
return acbio; return acbio;
err: err:
BIO_free_all(acbio); BIO_free_all(acbio);
BIO_free(bufbio); BIO_free(bufbio);
return NULL; return NULL;
# endif #endif
} }
# ifndef OPENSSL_NO_SOCK #ifndef OPENSSL_NO_SOCK
/* /*
* Decode %xx URL-decoding in-place. Ignores mal-formed sequences. * Decode %xx URL-decoding in-place. Ignores mal-formed sequences.
*/ */
static int urldecode(char *p) static int urldecode(char *p)
{ {
unsigned char *out = (unsigned char *)p; unsigned char *out = (unsigned char *)p;
unsigned char *save = out; unsigned char *save = out;
for (; *p; p++) { for (; *p; p++) {
if (*p != '%') if (*p != '%')
skipping to change at line 1352 skipping to change at line 1349
*out++ = (OPENSSL_hexchar2int(p[1]) << 4) *out++ = (OPENSSL_hexchar2int(p[1]) << 4)
| OPENSSL_hexchar2int(p[2]); | OPENSSL_hexchar2int(p[2]);
p += 2; p += 2;
} }
else else
return -1; return -1;
} }
*out = '\0'; *out = '\0';
return (int)(out - save); return (int)(out - save);
} }
# endif #endif
# ifdef OCSP_DAEMON #ifdef OCSP_DAEMON
static void socket_timeout(int signum) static void socket_timeout(int signum)
{ {
if (acfd != (int)INVALID_SOCKET) if (acfd != (int)INVALID_SOCKET)
(void)shutdown(acfd, SHUT_RD); (void)shutdown(acfd, SHUT_RD);
} }
# endif #endif
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
int timeout) int timeout)
{ {
# ifdef OPENSSL_NO_SOCK #ifdef OPENSSL_NO_SOCK
return 0; return 0;
# else #else
int len; int len;
OCSP_REQUEST *req = NULL; OCSP_REQUEST *req = NULL;
char inbuf[2048], reqbuf[2048]; char inbuf[2048], reqbuf[2048];
char *p, *q; char *p, *q;
BIO *cbio = NULL, *getbio = NULL, *b64 = NULL; BIO *cbio = NULL, *getbio = NULL, *b64 = NULL;
const char *client; const char *client;
*preq = NULL; *preq = NULL;
/* Connection loss before accept() is routine, ignore silently */ /* Connection loss before accept() is routine, ignore silently */
if (BIO_do_accept(acbio) <= 0) if (BIO_do_accept(acbio) <= 0)
return 0; return 0;
cbio = BIO_pop(acbio); cbio = BIO_pop(acbio);
*pcbio = cbio; *pcbio = cbio;
client = BIO_get_peer_name(cbio); client = BIO_get_peer_name(cbio);
# ifdef OCSP_DAEMON # ifdef OCSP_DAEMON
if (timeout > 0) { if (timeout > 0) {
(void) BIO_get_fd(cbio, &acfd); (void) BIO_get_fd(cbio, &acfd);
alarm(timeout); alarm(timeout);
} }
# endif # endif
/* Read the request line. */ /* Read the request line. */
len = BIO_gets(cbio, reqbuf, sizeof(reqbuf)); len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
if (len <= 0) if (len <= 0)
goto out; goto out;
if (strncmp(reqbuf, "GET ", 4) == 0) { if (strncmp(reqbuf, "GET ", 4) == 0) {
/* Expecting GET {sp} /URL {sp} HTTP/1.x */ /* Expecting GET {sp} /URL {sp} HTTP/1.x */
for (p = reqbuf + 4; *p == ' '; ++p) for (p = reqbuf + 4; *p == ' '; ++p)
continue; continue;
skipping to change at line 1453 skipping to change at line 1450
/* Read and skip past the headers. */ /* Read and skip past the headers. */
for (;;) { for (;;) {
len = BIO_gets(cbio, inbuf, sizeof(inbuf)); len = BIO_gets(cbio, inbuf, sizeof(inbuf));
if (len <= 0) if (len <= 0)
goto out; goto out;
if ((inbuf[0] == '\r') || (inbuf[0] == '\n')) if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
break; break;
} }
# ifdef OCSP_DAEMON # ifdef OCSP_DAEMON
/* Clear alarm before we close the client socket */ /* Clear alarm before we close the client socket */
alarm(0); alarm(0);
timeout = 0; timeout = 0;
# endif # endif
/* Try to read OCSP request */ /* Try to read OCSP request */
if (getbio != NULL) { if (getbio != NULL) {
req = d2i_OCSP_REQUEST_bio(getbio, NULL); req = d2i_OCSP_REQUEST_bio(getbio, NULL);
BIO_free_all(getbio); BIO_free_all(getbio);
} else { } else {
req = d2i_OCSP_REQUEST_bio(cbio, NULL); req = d2i_OCSP_REQUEST_bio(cbio, NULL);
} }
if (req == NULL) if (req == NULL)
log_message(LOG_ERR, "Error parsing OCSP request"); log_message(LOG_ERR, "Error parsing OCSP request");
*preq = req; *preq = req;
out: out:
# ifdef OCSP_DAEMON # ifdef OCSP_DAEMON
if (timeout > 0) if (timeout > 0)
alarm(0); alarm(0);
acfd = (int)INVALID_SOCKET; acfd = (int)INVALID_SOCKET;
# endif
return 1;
# endif # endif
return 1;
#endif
} }
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
{ {
char http_resp[] = char http_resp[] =
"HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n" "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
"Content-Length: %d\r\n\r\n"; "Content-Length: %d\r\n\r\n";
if (cbio == NULL) if (cbio == NULL)
return 0; return 0;
BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL)); BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
i2d_OCSP_RESPONSE_bio(cbio, resp); i2d_OCSP_RESPONSE_bio(cbio, resp);
(void)BIO_flush(cbio); (void)BIO_flush(cbio);
return 1; return 1;
} }
# ifndef OPENSSL_NO_SOCK #ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path, const char *path,
const STACK_OF(CONF_VALUE) *headers, const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout) OCSP_REQUEST *req, int req_timeout)
{ {
int fd; int fd;
int rv; int rv;
int i; int i;
int add_host = 1; int add_host = 1;
OCSP_REQ_CTX *ctx = NULL; OCSP_REQ_CTX *ctx = NULL;
skipping to change at line 1626 skipping to change at line 1623
} }
resp = query_responder(cbio, host, path, headers, req, req_timeout); resp = query_responder(cbio, host, path, headers, req, req_timeout);
if (resp == NULL) if (resp == NULL)
BIO_printf(bio_err, "Error querying OCSP responder\n"); BIO_printf(bio_err, "Error querying OCSP responder\n");
end: end:
BIO_free_all(cbio); BIO_free_all(cbio);
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
return resp; return resp;
} }
# endif
#endif #endif
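Review bot: With the `#ifdef OPENSSL_NO_OCSP` / `NON_EMPTY_TRANSLATION_UNIT` wrapper removed (the new side at lines 18–24 keeps only the OpenVMS block), nothing inside this file keeps it compilable under a `no-ocsp` configuration any more, so exclusion must now happen in the build description outside this diff; presumably that is the case, but the dependency is worth a one-line comment next to the includes, e.g. `/* Compiled only when OCSP support is enabled; see the build configuration */`. Separately, `send_ocsp_response` prints the return value of `i2d_OCSP_RESPONSE(resp, NULL)` straight into the `Content-Length:` header; on an encoding failure that value is negative, so the client gets a malformed header with no body and the function still reports success. Computing the length first, `int len = i2d_OCSP_RESPONSE(resp, NULL); if (len < 0) return 0;`, before the `BIO_printf` would be the defensive form; this function is unchanged by the commit but is fully visible in the section.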
 End of changes. 49 change blocks. 
85 lines changed or deleted 80 lines changed or added
