Context Navigation

source: rtems-libbsd/freebsd/crypto/openssl/apps/ocsp.c @ d1dac78

5

Last change on this file since d1dac78 was d1dac78, checked in by Christian Mauderer <christian.mauderer@…>, on 03/26/19 at 10:08:47
bin/openssl: Port to RTEMS.
Property mode set to `100644`
File size: 49.2 KB

Line
1	#include <machine/rtems-bsd-user-space.h>
2	#ifdef __rtems__
3	#include <machine/rtems-bsd-program.h>
4	#include "rtems-bsd-openssl-namespace.h"
5	#endif /* __rtems__ */
6
7	/*
8	* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
9	*
10	* Licensed under the OpenSSL license (the "License"). You may not use
11	* this file except in compliance with the License. You can obtain a copy
12	* in the file LICENSE in the source distribution or at
13	* https://www.openssl.org/source/license.html
14	*/
15
16	#include <openssl/opensslconf.h>
17
18	#ifdef OPENSSL_NO_OCSP
19	NON_EMPTY_TRANSLATION_UNIT
20	#else
21	# ifdef OPENSSL_SYS_VMS
22	# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
23	* on OpenVMS */
24	# endif
25
26	# include <stdio.h>
27	# include <stdlib.h>
28	# include <string.h>
29	# include <time.h>
30	# include <ctype.h>
31
32	/* Needs to be included before the openssl headers */
33	# include "apps.h"
34	# include "progs.h"
35	# include "internal/sockets.h"
36	# include <openssl/e_os2.h>
37	# include <openssl/crypto.h>
38	# include <openssl/err.h>
39	# include <openssl/ssl.h>
40	# include <openssl/evp.h>
41	# include <openssl/bn.h>
42	# include <openssl/x509v3.h>
43	# include <openssl/rand.h>
44
45	# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \
46	&& !defined(OPENSSL_NO_POSIX_IO)
47	# define OCSP_DAEMON
48	# include <sys/types.h>
49	# include <sys/wait.h>
50	# include <syslog.h>
51	# include <signal.h>
52	# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
53	# else
54	# undef LOG_INFO
55	# undef LOG_WARNING
56	# undef LOG_ERR
57	# define LOG_INFO 0
58	# define LOG_WARNING 1
59	# define LOG_ERR 2
60	# endif
61
62	/* Maximum leeway in validity period: default 5 minutes */
63	# define MAX_VALIDITY_PERIOD (5 * 60)
64
65	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert,
66	const EVP_MD cert_id_md, X509 issuer,
67	STACK_OF(OCSP_CERTID) *ids);
68	static int add_ocsp_serial(OCSP_REQUEST *req, char serial,
69	const EVP_MD cert_id_md, X509 issuer,
70	STACK_OF(OCSP_CERTID) *ids);
71	static void print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
72	STACK_OF(OPENSSL_STRING) *names,
73	STACK_OF(OCSP_CERTID) *ids, long nsec,
74	long maxage);
75	static void make_ocsp_response(BIO err, OCSP_RESPONSE resp, OCSP_REQUEST req,
76	CA_DB db, STACK_OF(X509) ca, X509 *rcert,
77	EVP_PKEY rkey, const EVP_MD md,
78	STACK_OF(OPENSSL_STRING) *sigopts,
79	STACK_OF(X509) *rother, unsigned long flags,
80	int nmin, int ndays, int badsig);
81
82	static char *lookup_serial(CA_DB db, ASN1_INTEGER *ser);
83	static BIO init_responder(const char port);
84	static int do_responder(OCSP_REQUEST preq, BIO pcbio, BIO *acbio, int timeout);
85	static int send_ocsp_response(BIO cbio, OCSP_RESPONSE resp);
86	static void log_message(int level, const char *fmt, ...);
87	static char *prog;
88	static int multi = 0;
89
90	# ifdef OCSP_DAEMON
91	static int acfd = (int) INVALID_SOCKET;
92	static int index_changed(CA_DB *);
93	static void spawn_loop(void);
94	static int print_syslog(const char str, size_t len, void levPtr);
95	static void sock_timeout(int signum);
96	# endif
97
98	# ifndef OPENSSL_NO_SOCK
99	static OCSP_RESPONSE query_responder(BIO cbio, const char *host,
100	const char *path,
101	const STACK_OF(CONF_VALUE) *headers,
102	OCSP_REQUEST *req, int req_timeout);
103	# endif
104
105	typedef enum OPTION_choice {
106	OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
107	OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
108	OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
109	OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
110	OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
111	OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
112	OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
113	OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
114	OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH,
115	OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
116	OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
117	OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
118	OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER,
119	OPT_V_ENUM,
120	OPT_MD,
121	OPT_MULTI
122	} OPTION_CHOICE;
123
124	const OPTIONS ocsp_options[] = {
125	{"help", OPT_HELP, '-', "Display this summary"},
126	{"out", OPT_OUTFILE, '>', "Output filename"},
127	{"timeout", OPT_TIMEOUT, 'p',
128	"Connection timeout (in seconds) to the OCSP responder"},
129	{"url", OPT_URL, 's', "Responder URL"},
130	{"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
131	{"port", OPT_PORT, 'p', "Port to run responder on"},
132	{"ignore_err", OPT_IGNORE_ERR, '-',
133	"Ignore error on OCSP request or response and continue running"},
134	{"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
135	{"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
136	{"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
137	{"resp_no_certs", OPT_RESP_NO_CERTS, '-',
138	"Don't include any certificates in response"},
139	{"resp_key_id", OPT_RESP_KEY_ID, '-',
140	"Identify response by signing certificate key ID"},
141	# ifdef OCSP_DAEMON
142	{"multi", OPT_MULTI, 'p', "run multiple responder processes"},
143	# endif
144	{"no_certs", OPT_NO_CERTS, '-',
145	"Don't include any certificates in signed request"},
146	{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
147	"Don't check signature on response"},
148	{"no_cert_verify", OPT_NO_CERT_VERIFY, '-',
149	"Don't check signing certificate"},
150	{"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
151	{"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
152	"Don't do additional checks on signing certificate"},
153	{"no_explicit", OPT_NO_EXPLICIT, '-',
154	"Do not explicitly check the chain, just verify the root"},
155	{"trust_other", OPT_TRUST_OTHER, '-',
156	"Don't verify additional certificates"},
157	{"no_intern", OPT_NO_INTERN, '-',
158	"Don't search certificates contained in response for signer"},
159	{"badsig", OPT_BADSIG, '-',
160	"Corrupt last byte of loaded OSCP response signature (for test)"},
161	{"text", OPT_TEXT, '-', "Print text form of request and response"},
162	{"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
163	{"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
164	{"reqin", OPT_REQIN, 's', "File with the DER-encoded request"},
165	{"respin", OPT_RESPIN, 's', "File with the DER-encoded response"},
166	{"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"},
167	{"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
168	{"sign_other", OPT_SIGN_OTHER, '<',
169	"Additional certificates to include in signed request"},
170	{"verify_other", OPT_VERIFY_OTHER, '<',
171	"Additional certificates to search for signer"},
172	{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
173	{"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
174	{"no-CAfile", OPT_NOCAFILE, '-',
175	"Do not load the default certificates file"},
176	{"no-CApath", OPT_NOCAPATH, '-',
177	"Do not load certificates from the default certificates directory"},
178	{"validity_period", OPT_VALIDITY_PERIOD, 'u',
179	"Maximum validity discrepancy in seconds"},
180	{"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
181	{"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"},
182	{"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"},
183	{"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"},
184	{"path", OPT_PATH, 's', "Path to use in OCSP request"},
185	{"issuer", OPT_ISSUER, '<', "Issuer certificate"},
186	{"cert", OPT_CERT, '<', "Certificate to check"},
187	{"serial", OPT_SERIAL, 's', "Serial number to check"},
188	{"index", OPT_INDEX, '<', "Certificate status index file"},
189	{"CA", OPT_CA, '<', "CA certificate"},
190	{"nmin", OPT_NMIN, 'p', "Number of minutes before next update"},
191	{"nrequest", OPT_REQUEST, 'p',
192	"Number of requests to accept (default unlimited)"},
193	{"ndays", OPT_NDAYS, 'p', "Number of days before next update"},
194	{"rsigner", OPT_RSIGNER, '<',
195	"Responder certificate to sign responses with"},
196	{"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
197	{"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
198	{"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},
199	{"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"},
200	{"header", OPT_HEADER, 's', "key=value header to add"},
201	{"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
202	OPT_V_OPTIONS,
203	{NULL}
204	};
205
206	int ocsp_main(int argc, char **argv)
207	{
208	BIO acbio = NULL, cbio = NULL, derbio = NULL, out = NULL;
209	const EVP_MD cert_id_md = NULL, rsign_md = NULL;
210	STACK_OF(OPENSSL_STRING) *rsign_sigopts = NULL;
211	int trailing_md = 0;
212	CA_DB *rdb = NULL;
213	EVP_PKEY key = NULL, rkey = NULL;
214	OCSP_BASICRESP *bs = NULL;
215	OCSP_REQUEST *req = NULL;
216	OCSP_RESPONSE *resp = NULL;
217	STACK_OF(CONF_VALUE) *headers = NULL;
218	STACK_OF(OCSP_CERTID) *ids = NULL;
219	STACK_OF(OPENSSL_STRING) *reqnames = NULL;
220	STACK_OF(X509) sign_other = NULL, verify_other = NULL, *rother = NULL;
221	STACK_OF(X509) *issuers = NULL;
222	X509 issuer = NULL, cert = NULL;
223	STACK_OF(X509) *rca_cert = NULL;
224	X509 signer = NULL, rsigner = NULL;
225	X509_STORE *store = NULL;
226	X509_VERIFY_PARAM *vpm = NULL;
227	const char CAfile = NULL, CApath = NULL;
228	char header, value;
229	char host = NULL, port = NULL, path = "/", outfile = NULL;
230	char rca_filename = NULL, reqin = NULL, *respin = NULL;
231	char reqout = NULL, respout = NULL, *ridx_filename = NULL;
232	char rsignfile = NULL, rkeyfile = NULL;
233	char sign_certfile = NULL, verify_certfile = NULL, *rcertfile = NULL;
234	char signfile = NULL, keyfile = NULL;
235	char thost = NULL, tport = NULL, *tpath = NULL;
236	int noCAfile = 0, noCApath = 0;
237	int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
238	int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
239	int req_text = 0, resp_text = 0, ret = 1;
240	int req_timeout = -1;
241	long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
242	unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
243	OPTION_CHOICE o;
244
245	reqnames = sk_OPENSSL_STRING_new_null();
246	if (reqnames == NULL)
247	goto end;
248	ids = sk_OCSP_CERTID_new_null();
249	if (ids == NULL)
250	goto end;
251	if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
252	return 1;
253
254	prog = opt_init(argc, argv, ocsp_options);
255	while ((o = opt_next()) != OPT_EOF) {
256	switch (o) {
257	case OPT_EOF:
258	case OPT_ERR:
259	opthelp:
260	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
261	goto end;
262	case OPT_HELP:
263	ret = 0;
264	opt_help(ocsp_options);
265	goto end;
266	case OPT_OUTFILE:
267	outfile = opt_arg();
268	break;
269	case OPT_TIMEOUT:
270	#ifndef OPENSSL_NO_SOCK
271	req_timeout = atoi(opt_arg());
272	#endif
273	break;
274	case OPT_URL:
275	OPENSSL_free(thost);
276	OPENSSL_free(tport);
277	OPENSSL_free(tpath);
278	thost = tport = tpath = NULL;
279	if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) {
280	BIO_printf(bio_err, "%s Error parsing URL\n", prog);
281	goto end;
282	}
283	thost = host;
284	tport = port;
285	tpath = path;
286	break;
287	case OPT_HOST:
288	host = opt_arg();
289	break;
290	case OPT_PORT:
291	port = opt_arg();
292	break;
293	case OPT_IGNORE_ERR:
294	ignore_err = 1;
295	break;
296	case OPT_NOVERIFY:
297	noverify = 1;
298	break;
299	case OPT_NONCE:
300	add_nonce = 2;
301	break;
302	case OPT_NO_NONCE:
303	add_nonce = 0;
304	break;
305	case OPT_RESP_NO_CERTS:
306	rflags \|= OCSP_NOCERTS;
307	break;
308	case OPT_RESP_KEY_ID:
309	rflags \|= OCSP_RESPID_KEY;
310	break;
311	case OPT_NO_CERTS:
312	sign_flags \|= OCSP_NOCERTS;
313	break;
314	case OPT_NO_SIGNATURE_VERIFY:
315	verify_flags \|= OCSP_NOSIGS;
316	break;
317	case OPT_NO_CERT_VERIFY:
318	verify_flags \|= OCSP_NOVERIFY;
319	break;
320	case OPT_NO_CHAIN:
321	verify_flags \|= OCSP_NOCHAIN;
322	break;
323	case OPT_NO_CERT_CHECKS:
324	verify_flags \|= OCSP_NOCHECKS;
325	break;
326	case OPT_NO_EXPLICIT:
327	verify_flags \|= OCSP_NOEXPLICIT;
328	break;
329	case OPT_TRUST_OTHER:
330	verify_flags \|= OCSP_TRUSTOTHER;
331	break;
332	case OPT_NO_INTERN:
333	verify_flags \|= OCSP_NOINTERN;
334	break;
335	case OPT_BADSIG:
336	badsig = 1;
337	break;
338	case OPT_TEXT:
339	req_text = resp_text = 1;
340	break;
341	case OPT_REQ_TEXT:
342	req_text = 1;
343	break;
344	case OPT_RESP_TEXT:
345	resp_text = 1;
346	break;
347	case OPT_REQIN:
348	reqin = opt_arg();
349	break;
350	case OPT_RESPIN:
351	respin = opt_arg();
352	break;
353	case OPT_SIGNER:
354	signfile = opt_arg();
355	break;
356	case OPT_VAFILE:
357	verify_certfile = opt_arg();
358	verify_flags \|= OCSP_TRUSTOTHER;
359	break;
360	case OPT_SIGN_OTHER:
361	sign_certfile = opt_arg();
362	break;
363	case OPT_VERIFY_OTHER:
364	verify_certfile = opt_arg();
365	break;
366	case OPT_CAFILE:
367	CAfile = opt_arg();
368	break;
369	case OPT_CAPATH:
370	CApath = opt_arg();
371	break;
372	case OPT_NOCAFILE:
373	noCAfile = 1;
374	break;
375	case OPT_NOCAPATH:
376	noCApath = 1;
377	break;
378	case OPT_V_CASES:
379	if (!opt_verify(o, vpm))
380	goto end;
381	vpmtouched++;
382	break;
383	case OPT_VALIDITY_PERIOD:
384	opt_long(opt_arg(), &nsec);
385	break;
386	case OPT_STATUS_AGE:
387	opt_long(opt_arg(), &maxage);
388	break;
389	case OPT_SIGNKEY:
390	keyfile = opt_arg();
391	break;
392	case OPT_REQOUT:
393	reqout = opt_arg();
394	break;
395	case OPT_RESPOUT:
396	respout = opt_arg();
397	break;
398	case OPT_PATH:
399	path = opt_arg();
400	break;
401	case OPT_ISSUER:
402	issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate");
403	if (issuer == NULL)
404	goto end;
405	if (issuers == NULL) {
406	if ((issuers = sk_X509_new_null()) == NULL)
407	goto end;
408	}
409	sk_X509_push(issuers, issuer);
410	break;
411	case OPT_CERT:
412	X509_free(cert);
413	cert = load_cert(opt_arg(), FORMAT_PEM, "certificate");
414	if (cert == NULL)
415	goto end;
416	if (cert_id_md == NULL)
417	cert_id_md = EVP_sha1();
418	if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
419	goto end;
420	if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
421	goto end;
422	trailing_md = 0;
423	break;
424	case OPT_SERIAL:
425	if (cert_id_md == NULL)
426	cert_id_md = EVP_sha1();
427	if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids))
428	goto end;
429	if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
430	goto end;
431	trailing_md = 0;
432	break;
433	case OPT_INDEX:
434	ridx_filename = opt_arg();
435	break;
436	case OPT_CA:
437	rca_filename = opt_arg();
438	break;
439	case OPT_NMIN:
440	opt_int(opt_arg(), &nmin);
441	if (ndays == -1)
442	ndays = 0;
443	break;
444	case OPT_REQUEST:
445	opt_int(opt_arg(), &accept_count);
446	break;
447	case OPT_NDAYS:
448	ndays = atoi(opt_arg());
449	break;
450	case OPT_RSIGNER:
451	rsignfile = opt_arg();
452	break;
453	case OPT_RKEY:
454	rkeyfile = opt_arg();
455	break;
456	case OPT_ROTHER:
457	rcertfile = opt_arg();
458	break;
459	case OPT_RMD: /* Response MessageDigest */
460	if (!opt_md(opt_arg(), &rsign_md))
461	goto end;
462	break;
463	case OPT_RSIGOPT:
464	if (rsign_sigopts == NULL)
465	rsign_sigopts = sk_OPENSSL_STRING_new_null();
466	if (rsign_sigopts == NULL \|\| !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
467	goto end;
468	break;
469	case OPT_HEADER:
470	header = opt_arg();
471	value = strchr(header, '=');
472	if (value == NULL) {
473	BIO_printf(bio_err, "Missing = in header key=value\n");
474	goto opthelp;
475	}
476	*value++ = '\0';
477	if (!X509V3_add_value(header, value, &headers))
478	goto end;
479	break;
480	case OPT_MD:
481	if (trailing_md) {
482	BIO_printf(bio_err,
483	"%s: Digest must be before -cert or -serial\n",
484	prog);
485	goto opthelp;
486	}
487	if (!opt_md(opt_unknown(), &cert_id_md))
488	goto opthelp;
489	trailing_md = 1;
490	break;
491	case OPT_MULTI:
492	# ifdef OCSP_DAEMON
493	multi = atoi(opt_arg());
494	# endif
495	break;
496	}
497	}
498	if (trailing_md) {
499	BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
500	prog);
501	goto opthelp;
502	}
503	argc = opt_num_rest();
504	if (argc != 0)
505	goto opthelp;
506
507	/* Have we anything to do? */
508	if (req == NULL && reqin == NULL
509	&& respin == NULL && !(port != NULL && ridx_filename != NULL))
510	goto opthelp;
511
512	out = bio_open_default(outfile, 'w', FORMAT_TEXT);
513	if (out == NULL)
514	goto end;
515
516	if (req == NULL && (add_nonce != 2))
517	add_nonce = 0;
518
519	if (req == NULL && reqin != NULL) {
520	derbio = bio_open_default(reqin, 'r', FORMAT_ASN1);
521	if (derbio == NULL)
522	goto end;
523	req = d2i_OCSP_REQUEST_bio(derbio, NULL);
524	BIO_free(derbio);
525	if (req == NULL) {
526	BIO_printf(bio_err, "Error reading OCSP request\n");
527	goto end;
528	}
529	}
530
531	if (req == NULL && port != NULL) {
532	acbio = init_responder(port);
533	if (acbio == NULL)
534	goto end;
535	}
536
537	if (rsignfile != NULL) {
538	if (rkeyfile == NULL)
539	rkeyfile = rsignfile;
540	rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate");
541	if (rsigner == NULL) {
542	BIO_printf(bio_err, "Error loading responder certificate\n");
543	goto end;
544	}
545	if (!load_certs(rca_filename, &rca_cert, FORMAT_PEM,
546	NULL, "CA certificate"))
547	goto end;
548	if (rcertfile != NULL) {
549	if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL,
550	"responder other certificates"))
551	goto end;
552	}
553	rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL,
554	"responder private key");
555	if (rkey == NULL)
556	goto end;
557	}
558
559	if (ridx_filename != NULL
560	&& (rkey == NULL \|\| rsigner == NULL \|\| rca_cert == NULL)) {
561	BIO_printf(bio_err,
562	"Responder mode requires certificate, key, and CA.\n");
563	goto end;
564	}
565
566	if (ridx_filename != NULL) {
567	rdb = load_index(ridx_filename, NULL);
568	if (rdb == NULL \|\| index_index(rdb) <= 0) {
569	ret = 1;
570	goto end;
571	}
572	}
573
574	# ifdef OCSP_DAEMON
575	if (multi && acbio != NULL)
576	spawn_loop();
577	if (acbio != NULL && req_timeout > 0)
578	signal(SIGALRM, sock_timeout);
579	#endif
580
581	if (acbio != NULL)
582	log_message(LOG_INFO, "waiting for OCSP client connections...");
583
584	redo_accept:
585
586	if (acbio != NULL) {
587	# ifdef OCSP_DAEMON
588	if (index_changed(rdb)) {
589	CA_DB *newrdb = load_index(ridx_filename, NULL);
590
591	if (newrdb != NULL && index_index(newrdb) > 0) {
592	free_index(rdb);
593	rdb = newrdb;
594	} else {
595	free_index(newrdb);
596	log_message(LOG_ERR, "error reloading updated index: %s",
597	ridx_filename);
598	}
599	}
600	# endif
601
602	req = NULL;
603	if (!do_responder(&req, &cbio, acbio, req_timeout))
604	goto redo_accept;
605
606	if (req == NULL) {
607	resp =
608	OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
609	NULL);
610	send_ocsp_response(cbio, resp);
611	goto done_resp;
612	}
613	}
614
615	if (req == NULL
616	&& (signfile != NULL \|\| reqout != NULL
617	\|\| host != NULL \|\| add_nonce \|\| ridx_filename != NULL)) {
618	BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
619	goto end;
620	}
621
622	if (req != NULL && add_nonce)
623	OCSP_request_add1_nonce(req, NULL, -1);
624
625	if (signfile != NULL) {
626	if (keyfile == NULL)
627	keyfile = signfile;
628	signer = load_cert(signfile, FORMAT_PEM, "signer certificate");
629	if (signer == NULL) {
630	BIO_printf(bio_err, "Error loading signer certificate\n");
631	goto end;
632	}
633	if (sign_certfile != NULL) {
634	if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL,
635	"signer certificates"))
636	goto end;
637	}
638	key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
639	"signer private key");
640	if (key == NULL)
641	goto end;
642
643	if (!OCSP_request_sign
644	(req, signer, key, NULL, sign_other, sign_flags)) {
645	BIO_printf(bio_err, "Error signing OCSP request\n");
646	goto end;
647	}
648	}
649
650	if (req_text && req != NULL)
651	OCSP_REQUEST_print(out, req, 0);
652
653	if (reqout != NULL) {
654	derbio = bio_open_default(reqout, 'w', FORMAT_ASN1);
655	if (derbio == NULL)
656	goto end;
657	i2d_OCSP_REQUEST_bio(derbio, req);
658	BIO_free(derbio);
659	}
660
661	if (rdb != NULL) {
662	make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey,
663	rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig);
664	if (cbio != NULL)
665	send_ocsp_response(cbio, resp);
666	} else if (host != NULL) {
667	# ifndef OPENSSL_NO_SOCK
668	resp = process_responder(req, host, path,
669	port, use_ssl, headers, req_timeout);
670	if (resp == NULL)
671	goto end;
672	# else
673	BIO_printf(bio_err,
674	"Error creating connect BIO - sockets not supported.\n");
675	goto end;
676	# endif
677	} else if (respin != NULL) {
678	derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
679	if (derbio == NULL)
680	goto end;
681	resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
682	BIO_free(derbio);
683	if (resp == NULL) {
684	BIO_printf(bio_err, "Error reading OCSP response\n");
685	goto end;
686	}
687	} else {
688	ret = 0;
689	goto end;
690	}
691
692	done_resp:
693
694	if (respout != NULL) {
695	derbio = bio_open_default(respout, 'w', FORMAT_ASN1);
696	if (derbio == NULL)
697	goto end;
698	i2d_OCSP_RESPONSE_bio(derbio, resp);
699	BIO_free(derbio);
700	}
701
702	i = OCSP_response_status(resp);
703	if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
704	BIO_printf(out, "Responder Error: %s (%d)\n",
705	OCSP_response_status_str(i), i);
706	if (!ignore_err)
707	goto end;
708	}
709
710	if (resp_text)
711	OCSP_RESPONSE_print(out, resp, 0);
712
713	/* If running as responder don't verify our own response */
714	if (cbio != NULL) {
715	/* If not unlimited, see if we took all we should. */
716	if (accept_count != -1 && --accept_count <= 0) {
717	ret = 0;
718	goto end;
719	}
720	BIO_free_all(cbio);
721	cbio = NULL;
722	OCSP_REQUEST_free(req);
723	req = NULL;
724	OCSP_RESPONSE_free(resp);
725	resp = NULL;
726	goto redo_accept;
727	}
728	if (ridx_filename != NULL) {
729	ret = 0;
730	goto end;
731	}
732
733	if (store == NULL) {
734	store = setup_verify(CAfile, CApath, noCAfile, noCApath);
735	if (!store)
736	goto end;
737	}
738	if (vpmtouched)
739	X509_STORE_set1_param(store, vpm);
740	if (verify_certfile != NULL) {
741	if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL,
742	"validator certificate"))
743	goto end;
744	}
745
746	bs = OCSP_response_get1_basic(resp);
747	if (bs == NULL) {
748	BIO_printf(bio_err, "Error parsing response\n");
749	goto end;
750	}
751
752	ret = 0;
753
754	if (!noverify) {
755	if (req != NULL && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
756	if (i == -1)
757	BIO_printf(bio_err, "WARNING: no nonce in response\n");
758	else {
759	BIO_printf(bio_err, "Nonce Verify error\n");
760	ret = 1;
761	goto end;
762	}
763	}
764
765	i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
766	if (i <= 0 && issuers) {
767	i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER);
768	if (i > 0)
769	ERR_clear_error();
770	}
771	if (i <= 0) {
772	BIO_printf(bio_err, "Response Verify Failure\n");
773	ERR_print_errors(bio_err);
774	ret = 1;
775	} else {
776	BIO_printf(bio_err, "Response verify OK\n");
777	}
778	}
779
780	print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage);
781
782	end:
783	ERR_print_errors(bio_err);
784	X509_free(signer);
785	X509_STORE_free(store);
786	X509_VERIFY_PARAM_free(vpm);
787	sk_OPENSSL_STRING_free(rsign_sigopts);
788	EVP_PKEY_free(key);
789	EVP_PKEY_free(rkey);
790	X509_free(cert);
791	sk_X509_pop_free(issuers, X509_free);
792	X509_free(rsigner);
793	sk_X509_pop_free(rca_cert, X509_free);
794	free_index(rdb);
795	BIO_free_all(cbio);
796	BIO_free_all(acbio);
797	BIO_free_all(out);
798	OCSP_REQUEST_free(req);
799	OCSP_RESPONSE_free(resp);
800	OCSP_BASICRESP_free(bs);
801	sk_OPENSSL_STRING_free(reqnames);
802	sk_OCSP_CERTID_free(ids);
803	sk_X509_pop_free(sign_other, X509_free);
804	sk_X509_pop_free(verify_other, X509_free);
805	sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
806	OPENSSL_free(thost);
807	OPENSSL_free(tport);
808	OPENSSL_free(tpath);
809
810	return ret;
811	}
812
813	static void
814	log_message(int level, const char *fmt, ...)
815	{
816	va_list ap;
817
818	va_start(ap, fmt);
819	# ifdef OCSP_DAEMON
820	if (multi) {
821	char buf[1024];
822	if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
823	syslog(level, "%s", buf);
824	}
825	if (level >= LOG_ERR)
826	ERR_print_errors_cb(print_syslog, &level);
827	}
828	# endif
829	if (!multi) {
830	BIO_printf(bio_err, "%s: ", prog);
831	BIO_vprintf(bio_err, fmt, ap);
832	BIO_printf(bio_err, "\n");
833	}
834	va_end(ap);
835	}
836
837	# ifdef OCSP_DAEMON
838
839	static int print_syslog(const char str, size_t len, void levPtr)
840	{
841	int level = (int )levPtr;
842	int ilen = (len > MAXERRLEN) ? MAXERRLEN : len;
843
844	syslog(level, "%.*s", ilen, str);
845
846	return ilen;
847	}
848
849	static int index_changed(CA_DB *rdb)
850	{
851	struct stat sb;
852
853	if (rdb != NULL && stat(rdb->dbfname, &sb) != -1) {
854	if (rdb->dbst.st_mtime != sb.st_mtime
855	\|\| rdb->dbst.st_ctime != sb.st_ctime
856	\|\| rdb->dbst.st_ino != sb.st_ino
857	\|\| rdb->dbst.st_dev != sb.st_dev) {
858	syslog(LOG_INFO, "index file changed, reloading");
859	return 1;
860	}
861	}
862	return 0;
863	}
864
865	static void killall(int ret, pid_t *kidpids)
866	{
867	int i;
868
869	for (i = 0; i < multi; ++i)
870	if (kidpids[i] != 0)
871	(void)kill(kidpids[i], SIGTERM);
872	sleep(1);
873	exit(ret);
874	}
875
876	static int termsig = 0;
877
878	static void noteterm (int sig)
879	{
880	termsig = sig;
881	}
882
883	/*
884	* Loop spawning up to `multi` child processes, only child processes return
885	* from this function. The parent process loops until receiving a termination
886	* signal, kills extant children and exits without returning.
887	*/
888	static void spawn_loop(void)
889	{
890	pid_t *kidpids = NULL;
891	int status;
892	int procs = 0;
893	int i;
894
895	openlog(prog, LOG_PID, LOG_DAEMON);
896
897	if (setpgid(0, 0)) {
898	syslog(LOG_ERR, "fatal: error detaching from parent process group: %s",
899	strerror(errno));
900	exit(1);
901	}
902	kidpids = app_malloc(multi * sizeof(*kidpids), "child PID array");
903	for (i = 0; i < multi; ++i)
904	kidpids[i] = 0;
905
906	signal(SIGINT, noteterm);
907	signal(SIGTERM, noteterm);
908
909	while (termsig == 0) {
910	pid_t fpid;
911
912	/*
913	* Wait for a child to replace when we're at the limit.
914	* Slow down if a child exited abnormally or waitpid() < 0
915	*/
916	while (termsig == 0 && procs >= multi) {
917	if ((fpid = waitpid(-1, &status, 0)) > 0) {
918	for (i = 0; i < procs; ++i) {
919	if (kidpids[i] == fpid) {
920	kidpids[i] = 0;
921	--procs;
922	break;
923	}
924	}
925	if (i >= multi) {
926	syslog(LOG_ERR, "fatal: internal error: "
927	"no matching child slot for pid: %ld",
928	(long) fpid);
929	killall(1, kidpids);
930	}
931	if (status != 0) {
932	if (WIFEXITED(status))
933	syslog(LOG_WARNING, "child process: %ld, exit status: %d",
934	(long)fpid, WEXITSTATUS(status));
935	else if (WIFSIGNALED(status))
936	syslog(LOG_WARNING, "child process: %ld, term signal %d%s",
937	(long)fpid, WTERMSIG(status),
938	#ifdef WCOREDUMP
939	WCOREDUMP(status) ? " (core dumped)" :
940	#endif
941	"");
942	sleep(1);
943	}
944	break;
945	} else if (errno != EINTR) {
946	syslog(LOG_ERR, "fatal: waitpid(): %s", strerror(errno));
947	killall(1, kidpids);
948	}
949	}
950	if (termsig)
951	break;
952
953	switch(fpid = fork()) {
954	case -1: /* error */
955	/* System critically low on memory, pause and try again later */
956	sleep(30);
957	break;
958	case 0: /* child */
959	OPENSSL_free(kidpids);
960	signal(SIGINT, SIG_DFL);
961	signal(SIGTERM, SIG_DFL);
962	if (termsig)
963	_exit(0);
964	if (RAND_poll() <= 0) {
965	syslog(LOG_ERR, "fatal: RAND_poll() failed");
966	_exit(1);
967	}
968	return;
969	default: /* parent */
970	for (i = 0; i < multi; ++i) {
971	if (kidpids[i] == 0) {
972	kidpids[i] = fpid;
973	procs++;
974	break;
975	}
976	}
977	if (i >= multi) {
978	syslog(LOG_ERR, "fatal: internal error: no free child slots");
979	killall(1, kidpids);
980	}
981	break;
982	}
983	}
984
985	/* The loop above can only break on termsig */
986	OPENSSL_free(kidpids);
987	syslog(LOG_INFO, "terminating on signal: %d", termsig);
988	killall(0, kidpids);
989	}
990	# endif
991
992	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert,
993	const EVP_MD cert_id_md, X509 issuer,
994	STACK_OF(OCSP_CERTID) *ids)
995	{
996	OCSP_CERTID *id;
997
998	if (issuer == NULL) {
999	BIO_printf(bio_err, "No issuer certificate specified\n");
1000	return 0;
1001	}
1002	if (*req == NULL)
1003	*req = OCSP_REQUEST_new();
1004	if (*req == NULL)
1005	goto err;
1006	id = OCSP_cert_to_id(cert_id_md, cert, issuer);
1007	if (id == NULL \|\| !sk_OCSP_CERTID_push(ids, id))
1008	goto err;
1009	if (!OCSP_request_add0_id(*req, id))
1010	goto err;
1011	return 1;
1012
1013	err:
1014	BIO_printf(bio_err, "Error Creating OCSP request\n");
1015	return 0;
1016	}
1017
1018	static int add_ocsp_serial(OCSP_REQUEST *req, char serial,
1019	const EVP_MD cert_id_md, X509 issuer,
1020	STACK_OF(OCSP_CERTID) *ids)
1021	{
1022	OCSP_CERTID *id;
1023	X509_NAME *iname;
1024	ASN1_BIT_STRING *ikey;
1025	ASN1_INTEGER *sno;
1026
1027	if (issuer == NULL) {
1028	BIO_printf(bio_err, "No issuer certificate specified\n");
1029	return 0;
1030	}
1031	if (*req == NULL)
1032	*req = OCSP_REQUEST_new();
1033	if (*req == NULL)
1034	goto err;
1035	iname = X509_get_subject_name(issuer);
1036	ikey = X509_get0_pubkey_bitstr(issuer);
1037	sno = s2i_ASN1_INTEGER(NULL, serial);
1038	if (sno == NULL) {
1039	BIO_printf(bio_err, "Error converting serial number %s\n", serial);
1040	return 0;
1041	}
1042	id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
1043	ASN1_INTEGER_free(sno);
1044	if (id == NULL \|\| !sk_OCSP_CERTID_push(ids, id))
1045	goto err;
1046	if (!OCSP_request_add0_id(*req, id))
1047	goto err;
1048	return 1;
1049
1050	err:
1051	BIO_printf(bio_err, "Error Creating OCSP request\n");
1052	return 0;
1053	}
1054
1055	static void print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
1056	STACK_OF(OPENSSL_STRING) *names,
1057	STACK_OF(OCSP_CERTID) *ids, long nsec,
1058	long maxage)
1059	{
1060	OCSP_CERTID *id;
1061	const char *name;
1062	int i, status, reason;
1063	ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
1064
1065	if (bs == NULL \|\| req == NULL \|\| !sk_OPENSSL_STRING_num(names)
1066	\|\| !sk_OCSP_CERTID_num(ids))
1067	return;
1068
1069	for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
1070	id = sk_OCSP_CERTID_value(ids, i);
1071	name = sk_OPENSSL_STRING_value(names, i);
1072	BIO_printf(out, "%s: ", name);
1073
1074	if (!OCSP_resp_find_status(bs, id, &status, &reason,
1075	&rev, &thisupd, &nextupd)) {
1076	BIO_puts(out, "ERROR: No Status found.\n");
1077	continue;
1078	}
1079
1080	/*
1081	* Check validity: if invalid write to output BIO so we know which
1082	* response this refers to.
1083	*/
1084	if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
1085	BIO_puts(out, "WARNING: Status times invalid.\n");
1086	ERR_print_errors(out);
1087	}
1088	BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
1089
1090	BIO_puts(out, "\tThis Update: ");
1091	ASN1_GENERALIZEDTIME_print(out, thisupd);
1092	BIO_puts(out, "\n");
1093
1094	if (nextupd) {
1095	BIO_puts(out, "\tNext Update: ");
1096	ASN1_GENERALIZEDTIME_print(out, nextupd);
1097	BIO_puts(out, "\n");
1098	}
1099
1100	if (status != V_OCSP_CERTSTATUS_REVOKED)
1101	continue;
1102
1103	if (reason != -1)
1104	BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason));
1105
1106	BIO_puts(out, "\tRevocation Time: ");
1107	ASN1_GENERALIZEDTIME_print(out, rev);
1108	BIO_puts(out, "\n");
1109	}
1110	}
1111
1112	static void make_ocsp_response(BIO err, OCSP_RESPONSE resp, OCSP_REQUEST req,
1113	CA_DB db, STACK_OF(X509) ca, X509 *rcert,
1114	EVP_PKEY rkey, const EVP_MD rmd,
1115	STACK_OF(OPENSSL_STRING) *sigopts,
1116	STACK_OF(X509) *rother, unsigned long flags,
1117	int nmin, int ndays, int badsig)
1118	{
1119	ASN1_TIME thisupd = NULL, nextupd = NULL;
1120	OCSP_CERTID *cid;
1121	OCSP_BASICRESP *bs = NULL;
1122	int i, id_count;
1123	EVP_MD_CTX *mctx = NULL;
1124	EVP_PKEY_CTX *pkctx = NULL;
1125
1126	id_count = OCSP_request_onereq_count(req);
1127
1128	if (id_count <= 0) {
1129	*resp =
1130	OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1131	goto end;
1132	}
1133
1134	bs = OCSP_BASICRESP_new();
1135	thisupd = X509_gmtime_adj(NULL, 0);
1136	if (ndays != -1)
1137	nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
1138
1139	/* Examine each certificate id in the request */
1140	for (i = 0; i < id_count; i++) {
1141	OCSP_ONEREQ *one;
1142	ASN1_INTEGER *serial;
1143	char **inf;
1144	int jj;
1145	int found = 0;
1146	ASN1_OBJECT *cert_id_md_oid;
1147	const EVP_MD *cert_id_md;
1148	one = OCSP_request_onereq_get0(req, i);
1149	cid = OCSP_onereq_get0_id(one);
1150
1151	OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid);
1152
1153	cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
1154	if (cert_id_md == NULL) {
1155	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
1156	NULL);
1157	goto end;
1158	}
1159	for (jj = 0; jj < sk_X509_num(ca) && !found; jj++) {
1160	X509 *ca_cert = sk_X509_value(ca, jj);
1161	OCSP_CERTID *ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca_cert);
1162
1163	if (OCSP_id_issuer_cmp(ca_id, cid) == 0)
1164	found = 1;
1165
1166	OCSP_CERTID_free(ca_id);
1167	}
1168
1169	if (!found) {
1170	OCSP_basic_add1_status(bs, cid,
1171	V_OCSP_CERTSTATUS_UNKNOWN,
1172	0, NULL, thisupd, nextupd);
1173	continue;
1174	}
1175	OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1176	inf = lookup_serial(db, serial);
1177	if (inf == NULL) {
1178	OCSP_basic_add1_status(bs, cid,
1179	V_OCSP_CERTSTATUS_UNKNOWN,
1180	0, NULL, thisupd, nextupd);
1181	} else if (inf[DB_type][0] == DB_TYPE_VAL) {
1182	OCSP_basic_add1_status(bs, cid,
1183	V_OCSP_CERTSTATUS_GOOD,
1184	0, NULL, thisupd, nextupd);
1185	} else if (inf[DB_type][0] == DB_TYPE_REV) {
1186	ASN1_OBJECT *inst = NULL;
1187	ASN1_TIME *revtm = NULL;
1188	ASN1_GENERALIZEDTIME *invtm = NULL;
1189	OCSP_SINGLERESP *single;
1190	int reason = -1;
1191	unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1192	single = OCSP_basic_add1_status(bs, cid,
1193	V_OCSP_CERTSTATUS_REVOKED,
1194	reason, revtm, thisupd, nextupd);
1195	if (invtm != NULL)
1196	OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
1197	invtm, 0, 0);
1198	else if (inst != NULL)
1199	OCSP_SINGLERESP_add1_ext_i2d(single,
1200	NID_hold_instruction_code, inst,
1201	0, 0);
1202	ASN1_OBJECT_free(inst);
1203	ASN1_TIME_free(revtm);
1204	ASN1_GENERALIZEDTIME_free(invtm);
1205	}
1206	}
1207
1208	OCSP_copy_nonce(bs, req);
1209
1210	mctx = EVP_MD_CTX_new();
1211	if ( mctx == NULL \|\| !EVP_DigestSignInit(mctx, &pkctx, rmd, NULL, rkey)) {
1212	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, NULL);
1213	goto end;
1214	}
1215	for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
1216	char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
1217
1218	if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
1219	BIO_printf(err, "parameter error \"%s\"\n", sigopt);
1220	ERR_print_errors(bio_err);
1221	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
1222	NULL);
1223	goto end;
1224	}
1225	}
1226	OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags);
1227
1228	if (badsig) {
1229	const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
1230	corrupt_signature(sig);
1231	}
1232
1233	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1234
1235	end:
1236	EVP_MD_CTX_free(mctx);
1237	ASN1_TIME_free(thisupd);
1238	ASN1_TIME_free(nextupd);
1239	OCSP_BASICRESP_free(bs);
1240	}
1241
1242	static char *lookup_serial(CA_DB db, ASN1_INTEGER *ser)
1243	{
1244	int i;
1245	BIGNUM *bn = NULL;
1246	char itmp, row[DB_NUMBER], **rrow;
1247	for (i = 0; i < DB_NUMBER; i++)
1248	row[i] = NULL;
1249	bn = ASN1_INTEGER_to_BN(ser, NULL);
1250	OPENSSL_assert(bn); /* FIXME: should report an error at this
1251	* point and abort */
1252	if (BN_is_zero(bn))
1253	itmp = OPENSSL_strdup("00");
1254	else
1255	itmp = BN_bn2hex(bn);
1256	row[DB_serial] = itmp;
1257	BN_free(bn);
1258	rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1259	OPENSSL_free(itmp);
1260	return rrow;
1261	}
1262
1263	/* Quick and dirty OCSP server: read in and parse input request */
1264
1265	static BIO init_responder(const char port)
1266	{
1267	# ifdef OPENSSL_NO_SOCK
1268	BIO_printf(bio_err,
1269	"Error setting up accept BIO - sockets not supported.\n");
1270	return NULL;
1271	# else
1272	BIO acbio = NULL, bufbio = NULL;
1273
1274	bufbio = BIO_new(BIO_f_buffer());
1275	if (bufbio == NULL)
1276	goto err;
1277	acbio = BIO_new(BIO_s_accept());
1278	if (acbio == NULL
1279	\|\| BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
1280	\|\| BIO_set_accept_port(acbio, port) < 0) {
1281	log_message(LOG_ERR, "Error setting up accept BIO");
1282	goto err;
1283	}
1284
1285	BIO_set_accept_bios(acbio, bufbio);
1286	bufbio = NULL;
1287	if (BIO_do_accept(acbio) <= 0) {
1288	log_message(LOG_ERR, "Error starting accept");
1289	goto err;
1290	}
1291
1292	return acbio;
1293
1294	err:
1295	BIO_free_all(acbio);
1296	BIO_free(bufbio);
1297	return NULL;
1298	# endif
1299	}
1300
1301	# ifndef OPENSSL_NO_SOCK
1302	/*
1303	* Decode %xx URL-decoding in-place. Ignores mal-formed sequences.
1304	*/
1305	static int urldecode(char *p)
1306	{
1307	unsigned char out = (unsigned char )p;
1308	unsigned char *save = out;
1309
1310	for (; *p; p++) {
1311	if (*p != '%')
1312	out++ = p;
1313	else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) {
1314	/* Don't check, can't fail because of ixdigit() call. */
1315	*out++ = (OPENSSL_hexchar2int(p[1]) << 4)
1316	\| OPENSSL_hexchar2int(p[2]);
1317	p += 2;
1318	}
1319	else
1320	return -1;
1321	}
1322	*out = '\0';
1323	return (int)(out - save);
1324	}
1325	# endif
1326
1327	# ifdef OCSP_DAEMON
1328	static void sock_timeout(int signum)
1329	{
1330	if (acfd != (int)INVALID_SOCKET)
1331	(void)shutdown(acfd, SHUT_RD);
1332	}
1333	# endif
1334
1335	static int do_responder(OCSP_REQUEST preq, BIO pcbio, BIO *acbio,
1336	int timeout)
1337	{
1338	# ifdef OPENSSL_NO_SOCK
1339	return 0;
1340	# else
1341	int len;
1342	OCSP_REQUEST *req = NULL;
1343	char inbuf[2048], reqbuf[2048];
1344	char p, q;
1345	BIO cbio = NULL, getbio = NULL, *b64 = NULL;
1346	const char *client;
1347
1348	*preq = NULL;
1349
1350	/* Connection loss before accept() is routine, ignore silently */
1351	if (BIO_do_accept(acbio) <= 0)
1352	return 0;
1353
1354	cbio = BIO_pop(acbio);
1355	*pcbio = cbio;
1356	client = BIO_get_peer_name(cbio);
1357
1358	# ifdef OCSP_DAEMON
1359	if (timeout > 0) {
1360	(void) BIO_get_fd(cbio, &acfd);
1361	alarm(timeout);
1362	}
1363	# endif
1364
1365	/* Read the request line. */
1366	len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
1367	if (len <= 0)
1368	goto out;
1369
1370	if (strncmp(reqbuf, "GET ", 4) == 0) {
1371	/* Expecting GET {sp} /URL {sp} HTTP/1.x */
1372	for (p = reqbuf + 4; *p == ' '; ++p)
1373	continue;
1374	if (*p != '/') {
1375	log_message(LOG_INFO, "Invalid request -- bad URL: %s", client);
1376	goto out;
1377	}
1378	p++;
1379
1380	/* Splice off the HTTP version identifier. */
1381	for (q = p; *q; q++)
1382	if (*q == ' ')
1383	break;
1384	if (strncmp(q, " HTTP/1.", 8) != 0) {
1385	log_message(LOG_INFO,
1386	"Invalid request -- bad HTTP version: %s", client);
1387	goto out;
1388	}
1389	*q = '\0';
1390
1391	/*
1392	* Skip "GET / HTTP..." requests often used by load-balancers
1393	*/
1394	if (p[1] == '\0')
1395	goto out;
1396
1397	len = urldecode(p);
1398	if (len <= 0) {
1399	log_message(LOG_INFO,
1400	"Invalid request -- bad URL encoding: %s", client);
1401	goto out;
1402	}
1403	if ((getbio = BIO_new_mem_buf(p, len)) == NULL
1404	\|\| (b64 = BIO_new(BIO_f_base64())) == NULL) {
1405	log_message(LOG_ERR, "Could not allocate base64 bio: %s", client);
1406	goto out;
1407	}
1408	BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
1409	getbio = BIO_push(b64, getbio);
1410	} else if (strncmp(reqbuf, "POST ", 5) != 0) {
1411	log_message(LOG_INFO, "Invalid request -- bad HTTP verb: %s", client);
1412	goto out;
1413	}
1414
1415	/* Read and skip past the headers. */
1416	for (;;) {
1417	len = BIO_gets(cbio, inbuf, sizeof(inbuf));
1418	if (len <= 0)
1419	goto out;
1420	if ((inbuf[0] == '\r') \|\| (inbuf[0] == '\n'))
1421	break;
1422	}
1423
1424	# ifdef OCSP_DAEMON
1425	/* Clear alarm before we close the client socket */
1426	alarm(0);
1427	timeout = 0;
1428	# endif
1429
1430	/* Try to read OCSP request */
1431	if (getbio != NULL) {
1432	req = d2i_OCSP_REQUEST_bio(getbio, NULL);
1433	BIO_free_all(getbio);
1434	} else {
1435	req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1436	}
1437
1438	if (req == NULL)
1439	log_message(LOG_ERR, "Error parsing OCSP request");
1440
1441	*preq = req;
1442
1443	out:
1444	# ifdef OCSP_DAEMON
1445	if (timeout > 0)
1446	alarm(0);
1447	acfd = (int)INVALID_SOCKET;
1448	# endif
1449	return 1;
1450	# endif
1451	}
1452
1453	static int send_ocsp_response(BIO cbio, OCSP_RESPONSE resp)
1454	{
1455	char http_resp[] =
1456	"HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1457	"Content-Length: %d\r\n\r\n";
1458	if (cbio == NULL)
1459	return 0;
1460	BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1461	i2d_OCSP_RESPONSE_bio(cbio, resp);
1462	(void)BIO_flush(cbio);
1463	return 1;
1464	}
1465
1466	# ifndef OPENSSL_NO_SOCK
1467	static OCSP_RESPONSE query_responder(BIO cbio, const char *host,
1468	const char *path,
1469	const STACK_OF(CONF_VALUE) *headers,
1470	OCSP_REQUEST *req, int req_timeout)
1471	{
1472	int fd;
1473	int rv;
1474	int i;
1475	int add_host = 1;
1476	OCSP_REQ_CTX *ctx = NULL;
1477	OCSP_RESPONSE *rsp = NULL;
1478	fd_set confds;
1479	struct timeval tv;
1480
1481	if (req_timeout != -1)
1482	BIO_set_nbio(cbio, 1);
1483
1484	rv = BIO_do_connect(cbio);
1485
1486	if ((rv <= 0) && ((req_timeout == -1) \|\| !BIO_should_retry(cbio))) {
1487	BIO_puts(bio_err, "Error connecting BIO\n");
1488	return NULL;
1489	}
1490
1491	if (BIO_get_fd(cbio, &fd) < 0) {
1492	BIO_puts(bio_err, "Can't get connection fd\n");
1493	goto err;
1494	}
1495
1496	if (req_timeout != -1 && rv <= 0) {
1497	FD_ZERO(&confds);
1498	openssl_fdset(fd, &confds);
1499	tv.tv_usec = 0;
1500	tv.tv_sec = req_timeout;
1501	rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1502	if (rv == 0) {
1503	BIO_puts(bio_err, "Timeout on connect\n");
1504	return NULL;
1505	}
1506	}
1507
1508	ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
1509	if (ctx == NULL)
1510	return NULL;
1511
1512	for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
1513	CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
1514	if (add_host == 1 && strcasecmp("host", hdr->name) == 0)
1515	add_host = 0;
1516	if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
1517	goto err;
1518	}
1519
1520	if (add_host == 1 && OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0)
1521	goto err;
1522
1523	if (!OCSP_REQ_CTX_set1_req(ctx, req))
1524	goto err;
1525
1526	for (;;) {
1527	rv = OCSP_sendreq_nbio(&rsp, ctx);
1528	if (rv != -1)
1529	break;
1530	if (req_timeout == -1)
1531	continue;
1532	FD_ZERO(&confds);
1533	openssl_fdset(fd, &confds);
1534	tv.tv_usec = 0;
1535	tv.tv_sec = req_timeout;
1536	if (BIO_should_read(cbio)) {
1537	rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
1538	} else if (BIO_should_write(cbio)) {
1539	rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1540	} else {
1541	BIO_puts(bio_err, "Unexpected retry condition\n");
1542	goto err;
1543	}
1544	if (rv == 0) {
1545	BIO_puts(bio_err, "Timeout on request\n");
1546	break;
1547	}
1548	if (rv == -1) {
1549	BIO_puts(bio_err, "Select error\n");
1550	break;
1551	}
1552
1553	}
1554	err:
1555	OCSP_REQ_CTX_free(ctx);
1556
1557	return rsp;
1558	}
1559
1560	OCSP_RESPONSE process_responder(OCSP_REQUEST req,
1561	const char host, const char path,
1562	const char *port, int use_ssl,
1563	STACK_OF(CONF_VALUE) *headers,
1564	int req_timeout)
1565	{
1566	BIO *cbio = NULL;
1567	SSL_CTX *ctx = NULL;
1568	OCSP_RESPONSE *resp = NULL;
1569
1570	cbio = BIO_new_connect(host);
1571	if (cbio == NULL) {
1572	BIO_printf(bio_err, "Error creating connect BIO\n");
1573	goto end;
1574	}
1575	if (port != NULL)
1576	BIO_set_conn_port(cbio, port);
1577	if (use_ssl == 1) {
1578	BIO *sbio;
1579	ctx = SSL_CTX_new(TLS_client_method());
1580	if (ctx == NULL) {
1581	BIO_printf(bio_err, "Error creating SSL context.\n");
1582	goto end;
1583	}
1584	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1585	sbio = BIO_new_ssl(ctx, 1);
1586	cbio = BIO_push(sbio, cbio);
1587	}
1588
1589	resp = query_responder(cbio, host, path, headers, req, req_timeout);
1590	if (resp == NULL)
1591	BIO_printf(bio_err, "Error querying OCSP responder\n");
1592	end:
1593	BIO_free_all(cbio);
1594	SSL_CTX_free(ctx);
1595	return resp;
1596	}
1597	# endif
1598
1599	#endif
1600	#ifdef __rtems__
1601	#include "rtems-bsd-openssl-ocsp-data.h"
1602	#endif /* __rtems__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: