1 | #include <machine/rtems-bsd-user-space.h> |
---|
2 | #ifdef __rtems__ |
---|
3 | #include <machine/rtems-bsd-program.h> |
---|
4 | #include "rtems-bsd-openssl-namespace.h" |
---|
5 | #endif /* __rtems__ */ |
---|
6 | |
---|
7 | /* |
---|
8 | * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. |
---|
9 | * |
---|
10 | * Licensed under the OpenSSL license (the "License"). You may not use |
---|
11 | * this file except in compliance with the License. You can obtain a copy |
---|
12 | * in the file LICENSE in the source distribution or at |
---|
13 | * https://www.openssl.org/source/license.html |
---|
14 | */ |
---|
15 | |
---|
16 | #include <openssl/opensslconf.h> |
---|
17 | |
---|
18 | #ifdef OPENSSL_NO_OCSP |
---|
19 | NON_EMPTY_TRANSLATION_UNIT |
---|
20 | #else |
---|
21 | # ifdef OPENSSL_SYS_VMS |
---|
22 | # define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined |
---|
23 | * on OpenVMS */ |
---|
24 | # endif |
---|
25 | |
---|
26 | # include <stdio.h> |
---|
27 | # include <stdlib.h> |
---|
28 | # include <string.h> |
---|
29 | # include <time.h> |
---|
30 | # include <ctype.h> |
---|
31 | |
---|
32 | /* Needs to be included before the openssl headers */ |
---|
33 | # include "apps.h" |
---|
34 | # include "progs.h" |
---|
35 | # include "internal/sockets.h" |
---|
36 | # include <openssl/e_os2.h> |
---|
37 | # include <openssl/crypto.h> |
---|
38 | # include <openssl/err.h> |
---|
39 | # include <openssl/ssl.h> |
---|
40 | # include <openssl/evp.h> |
---|
41 | # include <openssl/bn.h> |
---|
42 | # include <openssl/x509v3.h> |
---|
43 | # include <openssl/rand.h> |
---|
44 | |
---|
45 | # if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \ |
---|
46 | && !defined(OPENSSL_NO_POSIX_IO) |
---|
47 | # define OCSP_DAEMON |
---|
48 | # include <sys/types.h> |
---|
49 | # include <sys/wait.h> |
---|
50 | # include <syslog.h> |
---|
51 | # include <signal.h> |
---|
52 | # define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */ |
---|
53 | # else |
---|
54 | # undef LOG_INFO |
---|
55 | # undef LOG_WARNING |
---|
56 | # undef LOG_ERR |
---|
57 | # define LOG_INFO 0 |
---|
58 | # define LOG_WARNING 1 |
---|
59 | # define LOG_ERR 2 |
---|
60 | # endif |
---|
61 | |
---|
62 | /* Maximum leeway in validity period: default 5 minutes */ |
---|
63 | # define MAX_VALIDITY_PERIOD (5 * 60) |
---|
64 | |
---|
65 | static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, |
---|
66 | const EVP_MD *cert_id_md, X509 *issuer, |
---|
67 | STACK_OF(OCSP_CERTID) *ids); |
---|
68 | static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, |
---|
69 | const EVP_MD *cert_id_md, X509 *issuer, |
---|
70 | STACK_OF(OCSP_CERTID) *ids); |
---|
71 | static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, |
---|
72 | STACK_OF(OPENSSL_STRING) *names, |
---|
73 | STACK_OF(OCSP_CERTID) *ids, long nsec, |
---|
74 | long maxage); |
---|
75 | static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req, |
---|
76 | CA_DB *db, STACK_OF(X509) *ca, X509 *rcert, |
---|
77 | EVP_PKEY *rkey, const EVP_MD *md, |
---|
78 | STACK_OF(OPENSSL_STRING) *sigopts, |
---|
79 | STACK_OF(X509) *rother, unsigned long flags, |
---|
80 | int nmin, int ndays, int badsig); |
---|
81 | |
---|
82 | static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); |
---|
83 | static BIO *init_responder(const char *port); |
---|
84 | static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, int timeout); |
---|
85 | static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); |
---|
86 | static void log_message(int level, const char *fmt, ...); |
---|
87 | static char *prog; |
---|
88 | static int multi = 0; |
---|
89 | |
---|
90 | # ifdef OCSP_DAEMON |
---|
91 | static int acfd = (int) INVALID_SOCKET; |
---|
92 | static int index_changed(CA_DB *); |
---|
93 | static void spawn_loop(void); |
---|
94 | static int print_syslog(const char *str, size_t len, void *levPtr); |
---|
95 | static void sock_timeout(int signum); |
---|
96 | # endif |
---|
97 | |
---|
98 | # ifndef OPENSSL_NO_SOCK |
---|
99 | static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, |
---|
100 | const char *path, |
---|
101 | const STACK_OF(CONF_VALUE) *headers, |
---|
102 | OCSP_REQUEST *req, int req_timeout); |
---|
103 | # endif |
---|
104 | |
---|
105 | typedef enum OPTION_choice { |
---|
106 | OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, |
---|
107 | OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT, |
---|
108 | OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE, |
---|
109 | OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS, |
---|
110 | OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN, |
---|
111 | OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, |
---|
112 | OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, |
---|
113 | OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, |
---|
114 | OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH, |
---|
115 | OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, |
---|
116 | OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, |
---|
117 | OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, |
---|
118 | OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER, |
---|
119 | OPT_V_ENUM, |
---|
120 | OPT_MD, |
---|
121 | OPT_MULTI |
---|
122 | } OPTION_CHOICE; |
---|
123 | |
---|
124 | const OPTIONS ocsp_options[] = { |
---|
125 | {"help", OPT_HELP, '-', "Display this summary"}, |
---|
126 | {"out", OPT_OUTFILE, '>', "Output filename"}, |
---|
127 | {"timeout", OPT_TIMEOUT, 'p', |
---|
128 | "Connection timeout (in seconds) to the OCSP responder"}, |
---|
129 | {"url", OPT_URL, 's', "Responder URL"}, |
---|
130 | {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"}, |
---|
131 | {"port", OPT_PORT, 'p', "Port to run responder on"}, |
---|
132 | {"ignore_err", OPT_IGNORE_ERR, '-', |
---|
133 | "Ignore error on OCSP request or response and continue running"}, |
---|
134 | {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"}, |
---|
135 | {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"}, |
---|
136 | {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"}, |
---|
137 | {"resp_no_certs", OPT_RESP_NO_CERTS, '-', |
---|
138 | "Don't include any certificates in response"}, |
---|
139 | {"resp_key_id", OPT_RESP_KEY_ID, '-', |
---|
140 | "Identify response by signing certificate key ID"}, |
---|
141 | # ifdef OCSP_DAEMON |
---|
142 | {"multi", OPT_MULTI, 'p', "run multiple responder processes"}, |
---|
143 | # endif |
---|
144 | {"no_certs", OPT_NO_CERTS, '-', |
---|
145 | "Don't include any certificates in signed request"}, |
---|
146 | {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', |
---|
147 | "Don't check signature on response"}, |
---|
148 | {"no_cert_verify", OPT_NO_CERT_VERIFY, '-', |
---|
149 | "Don't check signing certificate"}, |
---|
150 | {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"}, |
---|
151 | {"no_cert_checks", OPT_NO_CERT_CHECKS, '-', |
---|
152 | "Don't do additional checks on signing certificate"}, |
---|
153 | {"no_explicit", OPT_NO_EXPLICIT, '-', |
---|
154 | "Do not explicitly check the chain, just verify the root"}, |
---|
155 | {"trust_other", OPT_TRUST_OTHER, '-', |
---|
156 | "Don't verify additional certificates"}, |
---|
157 | {"no_intern", OPT_NO_INTERN, '-', |
---|
158 | "Don't search certificates contained in response for signer"}, |
---|
159 | {"badsig", OPT_BADSIG, '-', |
---|
160 | "Corrupt last byte of loaded OSCP response signature (for test)"}, |
---|
161 | {"text", OPT_TEXT, '-', "Print text form of request and response"}, |
---|
162 | {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, |
---|
163 | {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, |
---|
164 | {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"}, |
---|
165 | {"respin", OPT_RESPIN, 's', "File with the DER-encoded response"}, |
---|
166 | {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"}, |
---|
167 | {"VAfile", OPT_VAFILE, '<', "Validator certificates file"}, |
---|
168 | {"sign_other", OPT_SIGN_OTHER, '<', |
---|
169 | "Additional certificates to include in signed request"}, |
---|
170 | {"verify_other", OPT_VERIFY_OTHER, '<', |
---|
171 | "Additional certificates to search for signer"}, |
---|
172 | {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, |
---|
173 | {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"}, |
---|
174 | {"no-CAfile", OPT_NOCAFILE, '-', |
---|
175 | "Do not load the default certificates file"}, |
---|
176 | {"no-CApath", OPT_NOCAPATH, '-', |
---|
177 | "Do not load certificates from the default certificates directory"}, |
---|
178 | {"validity_period", OPT_VALIDITY_PERIOD, 'u', |
---|
179 | "Maximum validity discrepancy in seconds"}, |
---|
180 | {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, |
---|
181 | {"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"}, |
---|
182 | {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"}, |
---|
183 | {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"}, |
---|
184 | {"path", OPT_PATH, 's', "Path to use in OCSP request"}, |
---|
185 | {"issuer", OPT_ISSUER, '<', "Issuer certificate"}, |
---|
186 | {"cert", OPT_CERT, '<', "Certificate to check"}, |
---|
187 | {"serial", OPT_SERIAL, 's', "Serial number to check"}, |
---|
188 | {"index", OPT_INDEX, '<', "Certificate status index file"}, |
---|
189 | {"CA", OPT_CA, '<', "CA certificate"}, |
---|
190 | {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"}, |
---|
191 | {"nrequest", OPT_REQUEST, 'p', |
---|
192 | "Number of requests to accept (default unlimited)"}, |
---|
193 | {"ndays", OPT_NDAYS, 'p', "Number of days before next update"}, |
---|
194 | {"rsigner", OPT_RSIGNER, '<', |
---|
195 | "Responder certificate to sign responses with"}, |
---|
196 | {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"}, |
---|
197 | {"rother", OPT_ROTHER, '<', "Other certificates to include in response"}, |
---|
198 | {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"}, |
---|
199 | {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"}, |
---|
200 | {"header", OPT_HEADER, 's', "key=value header to add"}, |
---|
201 | {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"}, |
---|
202 | OPT_V_OPTIONS, |
---|
203 | {NULL} |
---|
204 | }; |
---|
205 | |
---|
206 | int ocsp_main(int argc, char **argv) |
---|
207 | { |
---|
208 | BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL; |
---|
209 | const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; |
---|
210 | STACK_OF(OPENSSL_STRING) *rsign_sigopts = NULL; |
---|
211 | int trailing_md = 0; |
---|
212 | CA_DB *rdb = NULL; |
---|
213 | EVP_PKEY *key = NULL, *rkey = NULL; |
---|
214 | OCSP_BASICRESP *bs = NULL; |
---|
215 | OCSP_REQUEST *req = NULL; |
---|
216 | OCSP_RESPONSE *resp = NULL; |
---|
217 | STACK_OF(CONF_VALUE) *headers = NULL; |
---|
218 | STACK_OF(OCSP_CERTID) *ids = NULL; |
---|
219 | STACK_OF(OPENSSL_STRING) *reqnames = NULL; |
---|
220 | STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; |
---|
221 | STACK_OF(X509) *issuers = NULL; |
---|
222 | X509 *issuer = NULL, *cert = NULL; |
---|
223 | STACK_OF(X509) *rca_cert = NULL; |
---|
224 | X509 *signer = NULL, *rsigner = NULL; |
---|
225 | X509_STORE *store = NULL; |
---|
226 | X509_VERIFY_PARAM *vpm = NULL; |
---|
227 | const char *CAfile = NULL, *CApath = NULL; |
---|
228 | char *header, *value; |
---|
229 | char *host = NULL, *port = NULL, *path = "/", *outfile = NULL; |
---|
230 | char *rca_filename = NULL, *reqin = NULL, *respin = NULL; |
---|
231 | char *reqout = NULL, *respout = NULL, *ridx_filename = NULL; |
---|
232 | char *rsignfile = NULL, *rkeyfile = NULL; |
---|
233 | char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; |
---|
234 | char *signfile = NULL, *keyfile = NULL; |
---|
235 | char *thost = NULL, *tport = NULL, *tpath = NULL; |
---|
236 | int noCAfile = 0, noCApath = 0; |
---|
237 | int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1; |
---|
238 | int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1; |
---|
239 | int req_text = 0, resp_text = 0, ret = 1; |
---|
240 | int req_timeout = -1; |
---|
241 | long nsec = MAX_VALIDITY_PERIOD, maxage = -1; |
---|
242 | unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; |
---|
243 | OPTION_CHOICE o; |
---|
244 | |
---|
245 | reqnames = sk_OPENSSL_STRING_new_null(); |
---|
246 | if (reqnames == NULL) |
---|
247 | goto end; |
---|
248 | ids = sk_OCSP_CERTID_new_null(); |
---|
249 | if (ids == NULL) |
---|
250 | goto end; |
---|
251 | if ((vpm = X509_VERIFY_PARAM_new()) == NULL) |
---|
252 | return 1; |
---|
253 | |
---|
254 | prog = opt_init(argc, argv, ocsp_options); |
---|
255 | while ((o = opt_next()) != OPT_EOF) { |
---|
256 | switch (o) { |
---|
257 | case OPT_EOF: |
---|
258 | case OPT_ERR: |
---|
259 | opthelp: |
---|
260 | BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); |
---|
261 | goto end; |
---|
262 | case OPT_HELP: |
---|
263 | ret = 0; |
---|
264 | opt_help(ocsp_options); |
---|
265 | goto end; |
---|
266 | case OPT_OUTFILE: |
---|
267 | outfile = opt_arg(); |
---|
268 | break; |
---|
269 | case OPT_TIMEOUT: |
---|
270 | #ifndef OPENSSL_NO_SOCK |
---|
271 | req_timeout = atoi(opt_arg()); |
---|
272 | #endif |
---|
273 | break; |
---|
274 | case OPT_URL: |
---|
275 | OPENSSL_free(thost); |
---|
276 | OPENSSL_free(tport); |
---|
277 | OPENSSL_free(tpath); |
---|
278 | thost = tport = tpath = NULL; |
---|
279 | if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) { |
---|
280 | BIO_printf(bio_err, "%s Error parsing URL\n", prog); |
---|
281 | goto end; |
---|
282 | } |
---|
283 | thost = host; |
---|
284 | tport = port; |
---|
285 | tpath = path; |
---|
286 | break; |
---|
287 | case OPT_HOST: |
---|
288 | host = opt_arg(); |
---|
289 | break; |
---|
290 | case OPT_PORT: |
---|
291 | port = opt_arg(); |
---|
292 | break; |
---|
293 | case OPT_IGNORE_ERR: |
---|
294 | ignore_err = 1; |
---|
295 | break; |
---|
296 | case OPT_NOVERIFY: |
---|
297 | noverify = 1; |
---|
298 | break; |
---|
299 | case OPT_NONCE: |
---|
300 | add_nonce = 2; |
---|
301 | break; |
---|
302 | case OPT_NO_NONCE: |
---|
303 | add_nonce = 0; |
---|
304 | break; |
---|
305 | case OPT_RESP_NO_CERTS: |
---|
306 | rflags |= OCSP_NOCERTS; |
---|
307 | break; |
---|
308 | case OPT_RESP_KEY_ID: |
---|
309 | rflags |= OCSP_RESPID_KEY; |
---|
310 | break; |
---|
311 | case OPT_NO_CERTS: |
---|
312 | sign_flags |= OCSP_NOCERTS; |
---|
313 | break; |
---|
314 | case OPT_NO_SIGNATURE_VERIFY: |
---|
315 | verify_flags |= OCSP_NOSIGS; |
---|
316 | break; |
---|
317 | case OPT_NO_CERT_VERIFY: |
---|
318 | verify_flags |= OCSP_NOVERIFY; |
---|
319 | break; |
---|
320 | case OPT_NO_CHAIN: |
---|
321 | verify_flags |= OCSP_NOCHAIN; |
---|
322 | break; |
---|
323 | case OPT_NO_CERT_CHECKS: |
---|
324 | verify_flags |= OCSP_NOCHECKS; |
---|
325 | break; |
---|
326 | case OPT_NO_EXPLICIT: |
---|
327 | verify_flags |= OCSP_NOEXPLICIT; |
---|
328 | break; |
---|
329 | case OPT_TRUST_OTHER: |
---|
330 | verify_flags |= OCSP_TRUSTOTHER; |
---|
331 | break; |
---|
332 | case OPT_NO_INTERN: |
---|
333 | verify_flags |= OCSP_NOINTERN; |
---|
334 | break; |
---|
335 | case OPT_BADSIG: |
---|
336 | badsig = 1; |
---|
337 | break; |
---|
338 | case OPT_TEXT: |
---|
339 | req_text = resp_text = 1; |
---|
340 | break; |
---|
341 | case OPT_REQ_TEXT: |
---|
342 | req_text = 1; |
---|
343 | break; |
---|
344 | case OPT_RESP_TEXT: |
---|
345 | resp_text = 1; |
---|
346 | break; |
---|
347 | case OPT_REQIN: |
---|
348 | reqin = opt_arg(); |
---|
349 | break; |
---|
350 | case OPT_RESPIN: |
---|
351 | respin = opt_arg(); |
---|
352 | break; |
---|
353 | case OPT_SIGNER: |
---|
354 | signfile = opt_arg(); |
---|
355 | break; |
---|
356 | case OPT_VAFILE: |
---|
357 | verify_certfile = opt_arg(); |
---|
358 | verify_flags |= OCSP_TRUSTOTHER; |
---|
359 | break; |
---|
360 | case OPT_SIGN_OTHER: |
---|
361 | sign_certfile = opt_arg(); |
---|
362 | break; |
---|
363 | case OPT_VERIFY_OTHER: |
---|
364 | verify_certfile = opt_arg(); |
---|
365 | break; |
---|
366 | case OPT_CAFILE: |
---|
367 | CAfile = opt_arg(); |
---|
368 | break; |
---|
369 | case OPT_CAPATH: |
---|
370 | CApath = opt_arg(); |
---|
371 | break; |
---|
372 | case OPT_NOCAFILE: |
---|
373 | noCAfile = 1; |
---|
374 | break; |
---|
375 | case OPT_NOCAPATH: |
---|
376 | noCApath = 1; |
---|
377 | break; |
---|
378 | case OPT_V_CASES: |
---|
379 | if (!opt_verify(o, vpm)) |
---|
380 | goto end; |
---|
381 | vpmtouched++; |
---|
382 | break; |
---|
383 | case OPT_VALIDITY_PERIOD: |
---|
384 | opt_long(opt_arg(), &nsec); |
---|
385 | break; |
---|
386 | case OPT_STATUS_AGE: |
---|
387 | opt_long(opt_arg(), &maxage); |
---|
388 | break; |
---|
389 | case OPT_SIGNKEY: |
---|
390 | keyfile = opt_arg(); |
---|
391 | break; |
---|
392 | case OPT_REQOUT: |
---|
393 | reqout = opt_arg(); |
---|
394 | break; |
---|
395 | case OPT_RESPOUT: |
---|
396 | respout = opt_arg(); |
---|
397 | break; |
---|
398 | case OPT_PATH: |
---|
399 | path = opt_arg(); |
---|
400 | break; |
---|
401 | case OPT_ISSUER: |
---|
402 | issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate"); |
---|
403 | if (issuer == NULL) |
---|
404 | goto end; |
---|
405 | if (issuers == NULL) { |
---|
406 | if ((issuers = sk_X509_new_null()) == NULL) |
---|
407 | goto end; |
---|
408 | } |
---|
409 | sk_X509_push(issuers, issuer); |
---|
410 | break; |
---|
411 | case OPT_CERT: |
---|
412 | X509_free(cert); |
---|
413 | cert = load_cert(opt_arg(), FORMAT_PEM, "certificate"); |
---|
414 | if (cert == NULL) |
---|
415 | goto end; |
---|
416 | if (cert_id_md == NULL) |
---|
417 | cert_id_md = EVP_sha1(); |
---|
418 | if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) |
---|
419 | goto end; |
---|
420 | if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) |
---|
421 | goto end; |
---|
422 | trailing_md = 0; |
---|
423 | break; |
---|
424 | case OPT_SERIAL: |
---|
425 | if (cert_id_md == NULL) |
---|
426 | cert_id_md = EVP_sha1(); |
---|
427 | if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids)) |
---|
428 | goto end; |
---|
429 | if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) |
---|
430 | goto end; |
---|
431 | trailing_md = 0; |
---|
432 | break; |
---|
433 | case OPT_INDEX: |
---|
434 | ridx_filename = opt_arg(); |
---|
435 | break; |
---|
436 | case OPT_CA: |
---|
437 | rca_filename = opt_arg(); |
---|
438 | break; |
---|
439 | case OPT_NMIN: |
---|
440 | opt_int(opt_arg(), &nmin); |
---|
441 | if (ndays == -1) |
---|
442 | ndays = 0; |
---|
443 | break; |
---|
444 | case OPT_REQUEST: |
---|
445 | opt_int(opt_arg(), &accept_count); |
---|
446 | break; |
---|
447 | case OPT_NDAYS: |
---|
448 | ndays = atoi(opt_arg()); |
---|
449 | break; |
---|
450 | case OPT_RSIGNER: |
---|
451 | rsignfile = opt_arg(); |
---|
452 | break; |
---|
453 | case OPT_RKEY: |
---|
454 | rkeyfile = opt_arg(); |
---|
455 | break; |
---|
456 | case OPT_ROTHER: |
---|
457 | rcertfile = opt_arg(); |
---|
458 | break; |
---|
459 | case OPT_RMD: /* Response MessageDigest */ |
---|
460 | if (!opt_md(opt_arg(), &rsign_md)) |
---|
461 | goto end; |
---|
462 | break; |
---|
463 | case OPT_RSIGOPT: |
---|
464 | if (rsign_sigopts == NULL) |
---|
465 | rsign_sigopts = sk_OPENSSL_STRING_new_null(); |
---|
466 | if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg())) |
---|
467 | goto end; |
---|
468 | break; |
---|
469 | case OPT_HEADER: |
---|
470 | header = opt_arg(); |
---|
471 | value = strchr(header, '='); |
---|
472 | if (value == NULL) { |
---|
473 | BIO_printf(bio_err, "Missing = in header key=value\n"); |
---|
474 | goto opthelp; |
---|
475 | } |
---|
476 | *value++ = '\0'; |
---|
477 | if (!X509V3_add_value(header, value, &headers)) |
---|
478 | goto end; |
---|
479 | break; |
---|
480 | case OPT_MD: |
---|
481 | if (trailing_md) { |
---|
482 | BIO_printf(bio_err, |
---|
483 | "%s: Digest must be before -cert or -serial\n", |
---|
484 | prog); |
---|
485 | goto opthelp; |
---|
486 | } |
---|
487 | if (!opt_md(opt_unknown(), &cert_id_md)) |
---|
488 | goto opthelp; |
---|
489 | trailing_md = 1; |
---|
490 | break; |
---|
491 | case OPT_MULTI: |
---|
492 | # ifdef OCSP_DAEMON |
---|
493 | multi = atoi(opt_arg()); |
---|
494 | # endif |
---|
495 | break; |
---|
496 | } |
---|
497 | } |
---|
498 | if (trailing_md) { |
---|
499 | BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", |
---|
500 | prog); |
---|
501 | goto opthelp; |
---|
502 | } |
---|
503 | argc = opt_num_rest(); |
---|
504 | if (argc != 0) |
---|
505 | goto opthelp; |
---|
506 | |
---|
507 | /* Have we anything to do? */ |
---|
508 | if (req == NULL && reqin == NULL |
---|
509 | && respin == NULL && !(port != NULL && ridx_filename != NULL)) |
---|
510 | goto opthelp; |
---|
511 | |
---|
512 | out = bio_open_default(outfile, 'w', FORMAT_TEXT); |
---|
513 | if (out == NULL) |
---|
514 | goto end; |
---|
515 | |
---|
516 | if (req == NULL && (add_nonce != 2)) |
---|
517 | add_nonce = 0; |
---|
518 | |
---|
519 | if (req == NULL && reqin != NULL) { |
---|
520 | derbio = bio_open_default(reqin, 'r', FORMAT_ASN1); |
---|
521 | if (derbio == NULL) |
---|
522 | goto end; |
---|
523 | req = d2i_OCSP_REQUEST_bio(derbio, NULL); |
---|
524 | BIO_free(derbio); |
---|
525 | if (req == NULL) { |
---|
526 | BIO_printf(bio_err, "Error reading OCSP request\n"); |
---|
527 | goto end; |
---|
528 | } |
---|
529 | } |
---|
530 | |
---|
531 | if (req == NULL && port != NULL) { |
---|
532 | acbio = init_responder(port); |
---|
533 | if (acbio == NULL) |
---|
534 | goto end; |
---|
535 | } |
---|
536 | |
---|
537 | if (rsignfile != NULL) { |
---|
538 | if (rkeyfile == NULL) |
---|
539 | rkeyfile = rsignfile; |
---|
540 | rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate"); |
---|
541 | if (rsigner == NULL) { |
---|
542 | BIO_printf(bio_err, "Error loading responder certificate\n"); |
---|
543 | goto end; |
---|
544 | } |
---|
545 | if (!load_certs(rca_filename, &rca_cert, FORMAT_PEM, |
---|
546 | NULL, "CA certificate")) |
---|
547 | goto end; |
---|
548 | if (rcertfile != NULL) { |
---|
549 | if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, |
---|
550 | "responder other certificates")) |
---|
551 | goto end; |
---|
552 | } |
---|
553 | rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL, |
---|
554 | "responder private key"); |
---|
555 | if (rkey == NULL) |
---|
556 | goto end; |
---|
557 | } |
---|
558 | |
---|
559 | if (ridx_filename != NULL |
---|
560 | && (rkey == NULL || rsigner == NULL || rca_cert == NULL)) { |
---|
561 | BIO_printf(bio_err, |
---|
562 | "Responder mode requires certificate, key, and CA.\n"); |
---|
563 | goto end; |
---|
564 | } |
---|
565 | |
---|
566 | if (ridx_filename != NULL) { |
---|
567 | rdb = load_index(ridx_filename, NULL); |
---|
568 | if (rdb == NULL || index_index(rdb) <= 0) { |
---|
569 | ret = 1; |
---|
570 | goto end; |
---|
571 | } |
---|
572 | } |
---|
573 | |
---|
574 | # ifdef OCSP_DAEMON |
---|
575 | if (multi && acbio != NULL) |
---|
576 | spawn_loop(); |
---|
577 | if (acbio != NULL && req_timeout > 0) |
---|
578 | signal(SIGALRM, sock_timeout); |
---|
579 | #endif |
---|
580 | |
---|
581 | if (acbio != NULL) |
---|
582 | log_message(LOG_INFO, "waiting for OCSP client connections..."); |
---|
583 | |
---|
584 | redo_accept: |
---|
585 | |
---|
586 | if (acbio != NULL) { |
---|
587 | # ifdef OCSP_DAEMON |
---|
588 | if (index_changed(rdb)) { |
---|
589 | CA_DB *newrdb = load_index(ridx_filename, NULL); |
---|
590 | |
---|
591 | if (newrdb != NULL && index_index(newrdb) > 0) { |
---|
592 | free_index(rdb); |
---|
593 | rdb = newrdb; |
---|
594 | } else { |
---|
595 | free_index(newrdb); |
---|
596 | log_message(LOG_ERR, "error reloading updated index: %s", |
---|
597 | ridx_filename); |
---|
598 | } |
---|
599 | } |
---|
600 | # endif |
---|
601 | |
---|
602 | req = NULL; |
---|
603 | if (!do_responder(&req, &cbio, acbio, req_timeout)) |
---|
604 | goto redo_accept; |
---|
605 | |
---|
606 | if (req == NULL) { |
---|
607 | resp = |
---|
608 | OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, |
---|
609 | NULL); |
---|
610 | send_ocsp_response(cbio, resp); |
---|
611 | goto done_resp; |
---|
612 | } |
---|
613 | } |
---|
614 | |
---|
615 | if (req == NULL |
---|
616 | && (signfile != NULL || reqout != NULL |
---|
617 | || host != NULL || add_nonce || ridx_filename != NULL)) { |
---|
618 | BIO_printf(bio_err, "Need an OCSP request for this operation!\n"); |
---|
619 | goto end; |
---|
620 | } |
---|
621 | |
---|
622 | if (req != NULL && add_nonce) |
---|
623 | OCSP_request_add1_nonce(req, NULL, -1); |
---|
624 | |
---|
625 | if (signfile != NULL) { |
---|
626 | if (keyfile == NULL) |
---|
627 | keyfile = signfile; |
---|
628 | signer = load_cert(signfile, FORMAT_PEM, "signer certificate"); |
---|
629 | if (signer == NULL) { |
---|
630 | BIO_printf(bio_err, "Error loading signer certificate\n"); |
---|
631 | goto end; |
---|
632 | } |
---|
633 | if (sign_certfile != NULL) { |
---|
634 | if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, |
---|
635 | "signer certificates")) |
---|
636 | goto end; |
---|
637 | } |
---|
638 | key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL, |
---|
639 | "signer private key"); |
---|
640 | if (key == NULL) |
---|
641 | goto end; |
---|
642 | |
---|
643 | if (!OCSP_request_sign |
---|
644 | (req, signer, key, NULL, sign_other, sign_flags)) { |
---|
645 | BIO_printf(bio_err, "Error signing OCSP request\n"); |
---|
646 | goto end; |
---|
647 | } |
---|
648 | } |
---|
649 | |
---|
650 | if (req_text && req != NULL) |
---|
651 | OCSP_REQUEST_print(out, req, 0); |
---|
652 | |
---|
653 | if (reqout != NULL) { |
---|
654 | derbio = bio_open_default(reqout, 'w', FORMAT_ASN1); |
---|
655 | if (derbio == NULL) |
---|
656 | goto end; |
---|
657 | i2d_OCSP_REQUEST_bio(derbio, req); |
---|
658 | BIO_free(derbio); |
---|
659 | } |
---|
660 | |
---|
661 | if (rdb != NULL) { |
---|
662 | make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey, |
---|
663 | rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig); |
---|
664 | if (cbio != NULL) |
---|
665 | send_ocsp_response(cbio, resp); |
---|
666 | } else if (host != NULL) { |
---|
667 | # ifndef OPENSSL_NO_SOCK |
---|
668 | resp = process_responder(req, host, path, |
---|
669 | port, use_ssl, headers, req_timeout); |
---|
670 | if (resp == NULL) |
---|
671 | goto end; |
---|
672 | # else |
---|
673 | BIO_printf(bio_err, |
---|
674 | "Error creating connect BIO - sockets not supported.\n"); |
---|
675 | goto end; |
---|
676 | # endif |
---|
677 | } else if (respin != NULL) { |
---|
678 | derbio = bio_open_default(respin, 'r', FORMAT_ASN1); |
---|
679 | if (derbio == NULL) |
---|
680 | goto end; |
---|
681 | resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); |
---|
682 | BIO_free(derbio); |
---|
683 | if (resp == NULL) { |
---|
684 | BIO_printf(bio_err, "Error reading OCSP response\n"); |
---|
685 | goto end; |
---|
686 | } |
---|
687 | } else { |
---|
688 | ret = 0; |
---|
689 | goto end; |
---|
690 | } |
---|
691 | |
---|
692 | done_resp: |
---|
693 | |
---|
694 | if (respout != NULL) { |
---|
695 | derbio = bio_open_default(respout, 'w', FORMAT_ASN1); |
---|
696 | if (derbio == NULL) |
---|
697 | goto end; |
---|
698 | i2d_OCSP_RESPONSE_bio(derbio, resp); |
---|
699 | BIO_free(derbio); |
---|
700 | } |
---|
701 | |
---|
702 | i = OCSP_response_status(resp); |
---|
703 | if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
---|
704 | BIO_printf(out, "Responder Error: %s (%d)\n", |
---|
705 | OCSP_response_status_str(i), i); |
---|
706 | if (!ignore_err) |
---|
707 | goto end; |
---|
708 | } |
---|
709 | |
---|
710 | if (resp_text) |
---|
711 | OCSP_RESPONSE_print(out, resp, 0); |
---|
712 | |
---|
713 | /* If running as responder don't verify our own response */ |
---|
714 | if (cbio != NULL) { |
---|
715 | /* If not unlimited, see if we took all we should. */ |
---|
716 | if (accept_count != -1 && --accept_count <= 0) { |
---|
717 | ret = 0; |
---|
718 | goto end; |
---|
719 | } |
---|
720 | BIO_free_all(cbio); |
---|
721 | cbio = NULL; |
---|
722 | OCSP_REQUEST_free(req); |
---|
723 | req = NULL; |
---|
724 | OCSP_RESPONSE_free(resp); |
---|
725 | resp = NULL; |
---|
726 | goto redo_accept; |
---|
727 | } |
---|
728 | if (ridx_filename != NULL) { |
---|
729 | ret = 0; |
---|
730 | goto end; |
---|
731 | } |
---|
732 | |
---|
733 | if (store == NULL) { |
---|
734 | store = setup_verify(CAfile, CApath, noCAfile, noCApath); |
---|
735 | if (!store) |
---|
736 | goto end; |
---|
737 | } |
---|
738 | if (vpmtouched) |
---|
739 | X509_STORE_set1_param(store, vpm); |
---|
740 | if (verify_certfile != NULL) { |
---|
741 | if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, |
---|
742 | "validator certificate")) |
---|
743 | goto end; |
---|
744 | } |
---|
745 | |
---|
746 | bs = OCSP_response_get1_basic(resp); |
---|
747 | if (bs == NULL) { |
---|
748 | BIO_printf(bio_err, "Error parsing response\n"); |
---|
749 | goto end; |
---|
750 | } |
---|
751 | |
---|
752 | ret = 0; |
---|
753 | |
---|
754 | if (!noverify) { |
---|
755 | if (req != NULL && ((i = OCSP_check_nonce(req, bs)) <= 0)) { |
---|
756 | if (i == -1) |
---|
757 | BIO_printf(bio_err, "WARNING: no nonce in response\n"); |
---|
758 | else { |
---|
759 | BIO_printf(bio_err, "Nonce Verify error\n"); |
---|
760 | ret = 1; |
---|
761 | goto end; |
---|
762 | } |
---|
763 | } |
---|
764 | |
---|
765 | i = OCSP_basic_verify(bs, verify_other, store, verify_flags); |
---|
766 | if (i <= 0 && issuers) { |
---|
767 | i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER); |
---|
768 | if (i > 0) |
---|
769 | ERR_clear_error(); |
---|
770 | } |
---|
771 | if (i <= 0) { |
---|
772 | BIO_printf(bio_err, "Response Verify Failure\n"); |
---|
773 | ERR_print_errors(bio_err); |
---|
774 | ret = 1; |
---|
775 | } else { |
---|
776 | BIO_printf(bio_err, "Response verify OK\n"); |
---|
777 | } |
---|
778 | } |
---|
779 | |
---|
780 | print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage); |
---|
781 | |
---|
782 | end: |
---|
783 | ERR_print_errors(bio_err); |
---|
784 | X509_free(signer); |
---|
785 | X509_STORE_free(store); |
---|
786 | X509_VERIFY_PARAM_free(vpm); |
---|
787 | sk_OPENSSL_STRING_free(rsign_sigopts); |
---|
788 | EVP_PKEY_free(key); |
---|
789 | EVP_PKEY_free(rkey); |
---|
790 | X509_free(cert); |
---|
791 | sk_X509_pop_free(issuers, X509_free); |
---|
792 | X509_free(rsigner); |
---|
793 | sk_X509_pop_free(rca_cert, X509_free); |
---|
794 | free_index(rdb); |
---|
795 | BIO_free_all(cbio); |
---|
796 | BIO_free_all(acbio); |
---|
797 | BIO_free_all(out); |
---|
798 | OCSP_REQUEST_free(req); |
---|
799 | OCSP_RESPONSE_free(resp); |
---|
800 | OCSP_BASICRESP_free(bs); |
---|
801 | sk_OPENSSL_STRING_free(reqnames); |
---|
802 | sk_OCSP_CERTID_free(ids); |
---|
803 | sk_X509_pop_free(sign_other, X509_free); |
---|
804 | sk_X509_pop_free(verify_other, X509_free); |
---|
805 | sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); |
---|
806 | OPENSSL_free(thost); |
---|
807 | OPENSSL_free(tport); |
---|
808 | OPENSSL_free(tpath); |
---|
809 | |
---|
810 | return ret; |
---|
811 | } |
---|
812 | |
---|
813 | static void |
---|
814 | log_message(int level, const char *fmt, ...) |
---|
815 | { |
---|
816 | va_list ap; |
---|
817 | |
---|
818 | va_start(ap, fmt); |
---|
819 | # ifdef OCSP_DAEMON |
---|
820 | if (multi) { |
---|
821 | char buf[1024]; |
---|
822 | if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) { |
---|
823 | syslog(level, "%s", buf); |
---|
824 | } |
---|
825 | if (level >= LOG_ERR) |
---|
826 | ERR_print_errors_cb(print_syslog, &level); |
---|
827 | } |
---|
828 | # endif |
---|
829 | if (!multi) { |
---|
830 | BIO_printf(bio_err, "%s: ", prog); |
---|
831 | BIO_vprintf(bio_err, fmt, ap); |
---|
832 | BIO_printf(bio_err, "\n"); |
---|
833 | } |
---|
834 | va_end(ap); |
---|
835 | } |
---|
836 | |
---|
837 | # ifdef OCSP_DAEMON |
---|
838 | |
---|
839 | static int print_syslog(const char *str, size_t len, void *levPtr) |
---|
840 | { |
---|
841 | int level = *(int *)levPtr; |
---|
842 | int ilen = (len > MAXERRLEN) ? MAXERRLEN : len; |
---|
843 | |
---|
844 | syslog(level, "%.*s", ilen, str); |
---|
845 | |
---|
846 | return ilen; |
---|
847 | } |
---|
848 | |
---|
849 | static int index_changed(CA_DB *rdb) |
---|
850 | { |
---|
851 | struct stat sb; |
---|
852 | |
---|
853 | if (rdb != NULL && stat(rdb->dbfname, &sb) != -1) { |
---|
854 | if (rdb->dbst.st_mtime != sb.st_mtime |
---|
855 | || rdb->dbst.st_ctime != sb.st_ctime |
---|
856 | || rdb->dbst.st_ino != sb.st_ino |
---|
857 | || rdb->dbst.st_dev != sb.st_dev) { |
---|
858 | syslog(LOG_INFO, "index file changed, reloading"); |
---|
859 | return 1; |
---|
860 | } |
---|
861 | } |
---|
862 | return 0; |
---|
863 | } |
---|
864 | |
---|
865 | static void killall(int ret, pid_t *kidpids) |
---|
866 | { |
---|
867 | int i; |
---|
868 | |
---|
869 | for (i = 0; i < multi; ++i) |
---|
870 | if (kidpids[i] != 0) |
---|
871 | (void)kill(kidpids[i], SIGTERM); |
---|
872 | sleep(1); |
---|
873 | exit(ret); |
---|
874 | } |
---|
875 | |
---|
876 | static int termsig = 0; |
---|
877 | |
---|
878 | static void noteterm (int sig) |
---|
879 | { |
---|
880 | termsig = sig; |
---|
881 | } |
---|
882 | |
---|
883 | /* |
---|
884 | * Loop spawning up to `multi` child processes, only child processes return |
---|
885 | * from this function. The parent process loops until receiving a termination |
---|
886 | * signal, kills extant children and exits without returning. |
---|
887 | */ |
---|
888 | static void spawn_loop(void) |
---|
889 | { |
---|
890 | pid_t *kidpids = NULL; |
---|
891 | int status; |
---|
892 | int procs = 0; |
---|
893 | int i; |
---|
894 | |
---|
895 | openlog(prog, LOG_PID, LOG_DAEMON); |
---|
896 | |
---|
897 | if (setpgid(0, 0)) { |
---|
898 | syslog(LOG_ERR, "fatal: error detaching from parent process group: %s", |
---|
899 | strerror(errno)); |
---|
900 | exit(1); |
---|
901 | } |
---|
902 | kidpids = app_malloc(multi * sizeof(*kidpids), "child PID array"); |
---|
903 | for (i = 0; i < multi; ++i) |
---|
904 | kidpids[i] = 0; |
---|
905 | |
---|
906 | signal(SIGINT, noteterm); |
---|
907 | signal(SIGTERM, noteterm); |
---|
908 | |
---|
909 | while (termsig == 0) { |
---|
910 | pid_t fpid; |
---|
911 | |
---|
912 | /* |
---|
913 | * Wait for a child to replace when we're at the limit. |
---|
914 | * Slow down if a child exited abnormally or waitpid() < 0 |
---|
915 | */ |
---|
916 | while (termsig == 0 && procs >= multi) { |
---|
917 | if ((fpid = waitpid(-1, &status, 0)) > 0) { |
---|
918 | for (i = 0; i < procs; ++i) { |
---|
919 | if (kidpids[i] == fpid) { |
---|
920 | kidpids[i] = 0; |
---|
921 | --procs; |
---|
922 | break; |
---|
923 | } |
---|
924 | } |
---|
925 | if (i >= multi) { |
---|
926 | syslog(LOG_ERR, "fatal: internal error: " |
---|
927 | "no matching child slot for pid: %ld", |
---|
928 | (long) fpid); |
---|
929 | killall(1, kidpids); |
---|
930 | } |
---|
931 | if (status != 0) { |
---|
932 | if (WIFEXITED(status)) |
---|
933 | syslog(LOG_WARNING, "child process: %ld, exit status: %d", |
---|
934 | (long)fpid, WEXITSTATUS(status)); |
---|
935 | else if (WIFSIGNALED(status)) |
---|
936 | syslog(LOG_WARNING, "child process: %ld, term signal %d%s", |
---|
937 | (long)fpid, WTERMSIG(status), |
---|
938 | #ifdef WCOREDUMP |
---|
939 | WCOREDUMP(status) ? " (core dumped)" : |
---|
940 | #endif |
---|
941 | ""); |
---|
942 | sleep(1); |
---|
943 | } |
---|
944 | break; |
---|
945 | } else if (errno != EINTR) { |
---|
946 | syslog(LOG_ERR, "fatal: waitpid(): %s", strerror(errno)); |
---|
947 | killall(1, kidpids); |
---|
948 | } |
---|
949 | } |
---|
950 | if (termsig) |
---|
951 | break; |
---|
952 | |
---|
953 | switch(fpid = fork()) { |
---|
954 | case -1: /* error */ |
---|
955 | /* System critically low on memory, pause and try again later */ |
---|
956 | sleep(30); |
---|
957 | break; |
---|
958 | case 0: /* child */ |
---|
959 | OPENSSL_free(kidpids); |
---|
960 | signal(SIGINT, SIG_DFL); |
---|
961 | signal(SIGTERM, SIG_DFL); |
---|
962 | if (termsig) |
---|
963 | _exit(0); |
---|
964 | if (RAND_poll() <= 0) { |
---|
965 | syslog(LOG_ERR, "fatal: RAND_poll() failed"); |
---|
966 | _exit(1); |
---|
967 | } |
---|
968 | return; |
---|
969 | default: /* parent */ |
---|
970 | for (i = 0; i < multi; ++i) { |
---|
971 | if (kidpids[i] == 0) { |
---|
972 | kidpids[i] = fpid; |
---|
973 | procs++; |
---|
974 | break; |
---|
975 | } |
---|
976 | } |
---|
977 | if (i >= multi) { |
---|
978 | syslog(LOG_ERR, "fatal: internal error: no free child slots"); |
---|
979 | killall(1, kidpids); |
---|
980 | } |
---|
981 | break; |
---|
982 | } |
---|
983 | } |
---|
984 | |
---|
985 | /* The loop above can only break on termsig */ |
---|
986 | OPENSSL_free(kidpids); |
---|
987 | syslog(LOG_INFO, "terminating on signal: %d", termsig); |
---|
988 | killall(0, kidpids); |
---|
989 | } |
---|
990 | # endif |
---|
991 | |
---|
992 | static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, |
---|
993 | const EVP_MD *cert_id_md, X509 *issuer, |
---|
994 | STACK_OF(OCSP_CERTID) *ids) |
---|
995 | { |
---|
996 | OCSP_CERTID *id; |
---|
997 | |
---|
998 | if (issuer == NULL) { |
---|
999 | BIO_printf(bio_err, "No issuer certificate specified\n"); |
---|
1000 | return 0; |
---|
1001 | } |
---|
1002 | if (*req == NULL) |
---|
1003 | *req = OCSP_REQUEST_new(); |
---|
1004 | if (*req == NULL) |
---|
1005 | goto err; |
---|
1006 | id = OCSP_cert_to_id(cert_id_md, cert, issuer); |
---|
1007 | if (id == NULL || !sk_OCSP_CERTID_push(ids, id)) |
---|
1008 | goto err; |
---|
1009 | if (!OCSP_request_add0_id(*req, id)) |
---|
1010 | goto err; |
---|
1011 | return 1; |
---|
1012 | |
---|
1013 | err: |
---|
1014 | BIO_printf(bio_err, "Error Creating OCSP request\n"); |
---|
1015 | return 0; |
---|
1016 | } |
---|
1017 | |
---|
1018 | static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, |
---|
1019 | const EVP_MD *cert_id_md, X509 *issuer, |
---|
1020 | STACK_OF(OCSP_CERTID) *ids) |
---|
1021 | { |
---|
1022 | OCSP_CERTID *id; |
---|
1023 | X509_NAME *iname; |
---|
1024 | ASN1_BIT_STRING *ikey; |
---|
1025 | ASN1_INTEGER *sno; |
---|
1026 | |
---|
1027 | if (issuer == NULL) { |
---|
1028 | BIO_printf(bio_err, "No issuer certificate specified\n"); |
---|
1029 | return 0; |
---|
1030 | } |
---|
1031 | if (*req == NULL) |
---|
1032 | *req = OCSP_REQUEST_new(); |
---|
1033 | if (*req == NULL) |
---|
1034 | goto err; |
---|
1035 | iname = X509_get_subject_name(issuer); |
---|
1036 | ikey = X509_get0_pubkey_bitstr(issuer); |
---|
1037 | sno = s2i_ASN1_INTEGER(NULL, serial); |
---|
1038 | if (sno == NULL) { |
---|
1039 | BIO_printf(bio_err, "Error converting serial number %s\n", serial); |
---|
1040 | return 0; |
---|
1041 | } |
---|
1042 | id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); |
---|
1043 | ASN1_INTEGER_free(sno); |
---|
1044 | if (id == NULL || !sk_OCSP_CERTID_push(ids, id)) |
---|
1045 | goto err; |
---|
1046 | if (!OCSP_request_add0_id(*req, id)) |
---|
1047 | goto err; |
---|
1048 | return 1; |
---|
1049 | |
---|
1050 | err: |
---|
1051 | BIO_printf(bio_err, "Error Creating OCSP request\n"); |
---|
1052 | return 0; |
---|
1053 | } |
---|
1054 | |
---|
1055 | static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, |
---|
1056 | STACK_OF(OPENSSL_STRING) *names, |
---|
1057 | STACK_OF(OCSP_CERTID) *ids, long nsec, |
---|
1058 | long maxage) |
---|
1059 | { |
---|
1060 | OCSP_CERTID *id; |
---|
1061 | const char *name; |
---|
1062 | int i, status, reason; |
---|
1063 | ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; |
---|
1064 | |
---|
1065 | if (bs == NULL || req == NULL || !sk_OPENSSL_STRING_num(names) |
---|
1066 | || !sk_OCSP_CERTID_num(ids)) |
---|
1067 | return; |
---|
1068 | |
---|
1069 | for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { |
---|
1070 | id = sk_OCSP_CERTID_value(ids, i); |
---|
1071 | name = sk_OPENSSL_STRING_value(names, i); |
---|
1072 | BIO_printf(out, "%s: ", name); |
---|
1073 | |
---|
1074 | if (!OCSP_resp_find_status(bs, id, &status, &reason, |
---|
1075 | &rev, &thisupd, &nextupd)) { |
---|
1076 | BIO_puts(out, "ERROR: No Status found.\n"); |
---|
1077 | continue; |
---|
1078 | } |
---|
1079 | |
---|
1080 | /* |
---|
1081 | * Check validity: if invalid write to output BIO so we know which |
---|
1082 | * response this refers to. |
---|
1083 | */ |
---|
1084 | if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) { |
---|
1085 | BIO_puts(out, "WARNING: Status times invalid.\n"); |
---|
1086 | ERR_print_errors(out); |
---|
1087 | } |
---|
1088 | BIO_printf(out, "%s\n", OCSP_cert_status_str(status)); |
---|
1089 | |
---|
1090 | BIO_puts(out, "\tThis Update: "); |
---|
1091 | ASN1_GENERALIZEDTIME_print(out, thisupd); |
---|
1092 | BIO_puts(out, "\n"); |
---|
1093 | |
---|
1094 | if (nextupd) { |
---|
1095 | BIO_puts(out, "\tNext Update: "); |
---|
1096 | ASN1_GENERALIZEDTIME_print(out, nextupd); |
---|
1097 | BIO_puts(out, "\n"); |
---|
1098 | } |
---|
1099 | |
---|
1100 | if (status != V_OCSP_CERTSTATUS_REVOKED) |
---|
1101 | continue; |
---|
1102 | |
---|
1103 | if (reason != -1) |
---|
1104 | BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason)); |
---|
1105 | |
---|
1106 | BIO_puts(out, "\tRevocation Time: "); |
---|
1107 | ASN1_GENERALIZEDTIME_print(out, rev); |
---|
1108 | BIO_puts(out, "\n"); |
---|
1109 | } |
---|
1110 | } |
---|
1111 | |
---|
1112 | static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req, |
---|
1113 | CA_DB *db, STACK_OF(X509) *ca, X509 *rcert, |
---|
1114 | EVP_PKEY *rkey, const EVP_MD *rmd, |
---|
1115 | STACK_OF(OPENSSL_STRING) *sigopts, |
---|
1116 | STACK_OF(X509) *rother, unsigned long flags, |
---|
1117 | int nmin, int ndays, int badsig) |
---|
1118 | { |
---|
1119 | ASN1_TIME *thisupd = NULL, *nextupd = NULL; |
---|
1120 | OCSP_CERTID *cid; |
---|
1121 | OCSP_BASICRESP *bs = NULL; |
---|
1122 | int i, id_count; |
---|
1123 | EVP_MD_CTX *mctx = NULL; |
---|
1124 | EVP_PKEY_CTX *pkctx = NULL; |
---|
1125 | |
---|
1126 | id_count = OCSP_request_onereq_count(req); |
---|
1127 | |
---|
1128 | if (id_count <= 0) { |
---|
1129 | *resp = |
---|
1130 | OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); |
---|
1131 | goto end; |
---|
1132 | } |
---|
1133 | |
---|
1134 | bs = OCSP_BASICRESP_new(); |
---|
1135 | thisupd = X509_gmtime_adj(NULL, 0); |
---|
1136 | if (ndays != -1) |
---|
1137 | nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL); |
---|
1138 | |
---|
1139 | /* Examine each certificate id in the request */ |
---|
1140 | for (i = 0; i < id_count; i++) { |
---|
1141 | OCSP_ONEREQ *one; |
---|
1142 | ASN1_INTEGER *serial; |
---|
1143 | char **inf; |
---|
1144 | int jj; |
---|
1145 | int found = 0; |
---|
1146 | ASN1_OBJECT *cert_id_md_oid; |
---|
1147 | const EVP_MD *cert_id_md; |
---|
1148 | one = OCSP_request_onereq_get0(req, i); |
---|
1149 | cid = OCSP_onereq_get0_id(one); |
---|
1150 | |
---|
1151 | OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid); |
---|
1152 | |
---|
1153 | cert_id_md = EVP_get_digestbyobj(cert_id_md_oid); |
---|
1154 | if (cert_id_md == NULL) { |
---|
1155 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, |
---|
1156 | NULL); |
---|
1157 | goto end; |
---|
1158 | } |
---|
1159 | for (jj = 0; jj < sk_X509_num(ca) && !found; jj++) { |
---|
1160 | X509 *ca_cert = sk_X509_value(ca, jj); |
---|
1161 | OCSP_CERTID *ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca_cert); |
---|
1162 | |
---|
1163 | if (OCSP_id_issuer_cmp(ca_id, cid) == 0) |
---|
1164 | found = 1; |
---|
1165 | |
---|
1166 | OCSP_CERTID_free(ca_id); |
---|
1167 | } |
---|
1168 | |
---|
1169 | if (!found) { |
---|
1170 | OCSP_basic_add1_status(bs, cid, |
---|
1171 | V_OCSP_CERTSTATUS_UNKNOWN, |
---|
1172 | 0, NULL, thisupd, nextupd); |
---|
1173 | continue; |
---|
1174 | } |
---|
1175 | OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); |
---|
1176 | inf = lookup_serial(db, serial); |
---|
1177 | if (inf == NULL) { |
---|
1178 | OCSP_basic_add1_status(bs, cid, |
---|
1179 | V_OCSP_CERTSTATUS_UNKNOWN, |
---|
1180 | 0, NULL, thisupd, nextupd); |
---|
1181 | } else if (inf[DB_type][0] == DB_TYPE_VAL) { |
---|
1182 | OCSP_basic_add1_status(bs, cid, |
---|
1183 | V_OCSP_CERTSTATUS_GOOD, |
---|
1184 | 0, NULL, thisupd, nextupd); |
---|
1185 | } else if (inf[DB_type][0] == DB_TYPE_REV) { |
---|
1186 | ASN1_OBJECT *inst = NULL; |
---|
1187 | ASN1_TIME *revtm = NULL; |
---|
1188 | ASN1_GENERALIZEDTIME *invtm = NULL; |
---|
1189 | OCSP_SINGLERESP *single; |
---|
1190 | int reason = -1; |
---|
1191 | unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]); |
---|
1192 | single = OCSP_basic_add1_status(bs, cid, |
---|
1193 | V_OCSP_CERTSTATUS_REVOKED, |
---|
1194 | reason, revtm, thisupd, nextupd); |
---|
1195 | if (invtm != NULL) |
---|
1196 | OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, |
---|
1197 | invtm, 0, 0); |
---|
1198 | else if (inst != NULL) |
---|
1199 | OCSP_SINGLERESP_add1_ext_i2d(single, |
---|
1200 | NID_hold_instruction_code, inst, |
---|
1201 | 0, 0); |
---|
1202 | ASN1_OBJECT_free(inst); |
---|
1203 | ASN1_TIME_free(revtm); |
---|
1204 | ASN1_GENERALIZEDTIME_free(invtm); |
---|
1205 | } |
---|
1206 | } |
---|
1207 | |
---|
1208 | OCSP_copy_nonce(bs, req); |
---|
1209 | |
---|
1210 | mctx = EVP_MD_CTX_new(); |
---|
1211 | if ( mctx == NULL || !EVP_DigestSignInit(mctx, &pkctx, rmd, NULL, rkey)) { |
---|
1212 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, NULL); |
---|
1213 | goto end; |
---|
1214 | } |
---|
1215 | for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { |
---|
1216 | char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); |
---|
1217 | |
---|
1218 | if (pkey_ctrl_string(pkctx, sigopt) <= 0) { |
---|
1219 | BIO_printf(err, "parameter error \"%s\"\n", sigopt); |
---|
1220 | ERR_print_errors(bio_err); |
---|
1221 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, |
---|
1222 | NULL); |
---|
1223 | goto end; |
---|
1224 | } |
---|
1225 | } |
---|
1226 | OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags); |
---|
1227 | |
---|
1228 | if (badsig) { |
---|
1229 | const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs); |
---|
1230 | corrupt_signature(sig); |
---|
1231 | } |
---|
1232 | |
---|
1233 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); |
---|
1234 | |
---|
1235 | end: |
---|
1236 | EVP_MD_CTX_free(mctx); |
---|
1237 | ASN1_TIME_free(thisupd); |
---|
1238 | ASN1_TIME_free(nextupd); |
---|
1239 | OCSP_BASICRESP_free(bs); |
---|
1240 | } |
---|
1241 | |
---|
1242 | static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) |
---|
1243 | { |
---|
1244 | int i; |
---|
1245 | BIGNUM *bn = NULL; |
---|
1246 | char *itmp, *row[DB_NUMBER], **rrow; |
---|
1247 | for (i = 0; i < DB_NUMBER; i++) |
---|
1248 | row[i] = NULL; |
---|
1249 | bn = ASN1_INTEGER_to_BN(ser, NULL); |
---|
1250 | OPENSSL_assert(bn); /* FIXME: should report an error at this |
---|
1251 | * point and abort */ |
---|
1252 | if (BN_is_zero(bn)) |
---|
1253 | itmp = OPENSSL_strdup("00"); |
---|
1254 | else |
---|
1255 | itmp = BN_bn2hex(bn); |
---|
1256 | row[DB_serial] = itmp; |
---|
1257 | BN_free(bn); |
---|
1258 | rrow = TXT_DB_get_by_index(db->db, DB_serial, row); |
---|
1259 | OPENSSL_free(itmp); |
---|
1260 | return rrow; |
---|
1261 | } |
---|
1262 | |
---|
1263 | /* Quick and dirty OCSP server: read in and parse input request */ |
---|
1264 | |
---|
1265 | static BIO *init_responder(const char *port) |
---|
1266 | { |
---|
1267 | # ifdef OPENSSL_NO_SOCK |
---|
1268 | BIO_printf(bio_err, |
---|
1269 | "Error setting up accept BIO - sockets not supported.\n"); |
---|
1270 | return NULL; |
---|
1271 | # else |
---|
1272 | BIO *acbio = NULL, *bufbio = NULL; |
---|
1273 | |
---|
1274 | bufbio = BIO_new(BIO_f_buffer()); |
---|
1275 | if (bufbio == NULL) |
---|
1276 | goto err; |
---|
1277 | acbio = BIO_new(BIO_s_accept()); |
---|
1278 | if (acbio == NULL |
---|
1279 | || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0 |
---|
1280 | || BIO_set_accept_port(acbio, port) < 0) { |
---|
1281 | log_message(LOG_ERR, "Error setting up accept BIO"); |
---|
1282 | goto err; |
---|
1283 | } |
---|
1284 | |
---|
1285 | BIO_set_accept_bios(acbio, bufbio); |
---|
1286 | bufbio = NULL; |
---|
1287 | if (BIO_do_accept(acbio) <= 0) { |
---|
1288 | log_message(LOG_ERR, "Error starting accept"); |
---|
1289 | goto err; |
---|
1290 | } |
---|
1291 | |
---|
1292 | return acbio; |
---|
1293 | |
---|
1294 | err: |
---|
1295 | BIO_free_all(acbio); |
---|
1296 | BIO_free(bufbio); |
---|
1297 | return NULL; |
---|
1298 | # endif |
---|
1299 | } |
---|
1300 | |
---|
1301 | # ifndef OPENSSL_NO_SOCK |
---|
1302 | /* |
---|
1303 | * Decode %xx URL-decoding in-place. Ignores mal-formed sequences. |
---|
1304 | */ |
---|
1305 | static int urldecode(char *p) |
---|
1306 | { |
---|
1307 | unsigned char *out = (unsigned char *)p; |
---|
1308 | unsigned char *save = out; |
---|
1309 | |
---|
1310 | for (; *p; p++) { |
---|
1311 | if (*p != '%') |
---|
1312 | *out++ = *p; |
---|
1313 | else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) { |
---|
1314 | /* Don't check, can't fail because of ixdigit() call. */ |
---|
1315 | *out++ = (OPENSSL_hexchar2int(p[1]) << 4) |
---|
1316 | | OPENSSL_hexchar2int(p[2]); |
---|
1317 | p += 2; |
---|
1318 | } |
---|
1319 | else |
---|
1320 | return -1; |
---|
1321 | } |
---|
1322 | *out = '\0'; |
---|
1323 | return (int)(out - save); |
---|
1324 | } |
---|
1325 | # endif |
---|
1326 | |
---|
1327 | # ifdef OCSP_DAEMON |
---|
1328 | static void sock_timeout(int signum) |
---|
1329 | { |
---|
1330 | if (acfd != (int)INVALID_SOCKET) |
---|
1331 | (void)shutdown(acfd, SHUT_RD); |
---|
1332 | } |
---|
1333 | # endif |
---|
1334 | |
---|
1335 | static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, |
---|
1336 | int timeout) |
---|
1337 | { |
---|
1338 | # ifdef OPENSSL_NO_SOCK |
---|
1339 | return 0; |
---|
1340 | # else |
---|
1341 | int len; |
---|
1342 | OCSP_REQUEST *req = NULL; |
---|
1343 | char inbuf[2048], reqbuf[2048]; |
---|
1344 | char *p, *q; |
---|
1345 | BIO *cbio = NULL, *getbio = NULL, *b64 = NULL; |
---|
1346 | const char *client; |
---|
1347 | |
---|
1348 | *preq = NULL; |
---|
1349 | |
---|
1350 | /* Connection loss before accept() is routine, ignore silently */ |
---|
1351 | if (BIO_do_accept(acbio) <= 0) |
---|
1352 | return 0; |
---|
1353 | |
---|
1354 | cbio = BIO_pop(acbio); |
---|
1355 | *pcbio = cbio; |
---|
1356 | client = BIO_get_peer_name(cbio); |
---|
1357 | |
---|
1358 | # ifdef OCSP_DAEMON |
---|
1359 | if (timeout > 0) { |
---|
1360 | (void) BIO_get_fd(cbio, &acfd); |
---|
1361 | alarm(timeout); |
---|
1362 | } |
---|
1363 | # endif |
---|
1364 | |
---|
1365 | /* Read the request line. */ |
---|
1366 | len = BIO_gets(cbio, reqbuf, sizeof(reqbuf)); |
---|
1367 | if (len <= 0) |
---|
1368 | goto out; |
---|
1369 | |
---|
1370 | if (strncmp(reqbuf, "GET ", 4) == 0) { |
---|
1371 | /* Expecting GET {sp} /URL {sp} HTTP/1.x */ |
---|
1372 | for (p = reqbuf + 4; *p == ' '; ++p) |
---|
1373 | continue; |
---|
1374 | if (*p != '/') { |
---|
1375 | log_message(LOG_INFO, "Invalid request -- bad URL: %s", client); |
---|
1376 | goto out; |
---|
1377 | } |
---|
1378 | p++; |
---|
1379 | |
---|
1380 | /* Splice off the HTTP version identifier. */ |
---|
1381 | for (q = p; *q; q++) |
---|
1382 | if (*q == ' ') |
---|
1383 | break; |
---|
1384 | if (strncmp(q, " HTTP/1.", 8) != 0) { |
---|
1385 | log_message(LOG_INFO, |
---|
1386 | "Invalid request -- bad HTTP version: %s", client); |
---|
1387 | goto out; |
---|
1388 | } |
---|
1389 | *q = '\0'; |
---|
1390 | |
---|
1391 | /* |
---|
1392 | * Skip "GET / HTTP..." requests often used by load-balancers |
---|
1393 | */ |
---|
1394 | if (p[1] == '\0') |
---|
1395 | goto out; |
---|
1396 | |
---|
1397 | len = urldecode(p); |
---|
1398 | if (len <= 0) { |
---|
1399 | log_message(LOG_INFO, |
---|
1400 | "Invalid request -- bad URL encoding: %s", client); |
---|
1401 | goto out; |
---|
1402 | } |
---|
1403 | if ((getbio = BIO_new_mem_buf(p, len)) == NULL |
---|
1404 | || (b64 = BIO_new(BIO_f_base64())) == NULL) { |
---|
1405 | log_message(LOG_ERR, "Could not allocate base64 bio: %s", client); |
---|
1406 | goto out; |
---|
1407 | } |
---|
1408 | BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); |
---|
1409 | getbio = BIO_push(b64, getbio); |
---|
1410 | } else if (strncmp(reqbuf, "POST ", 5) != 0) { |
---|
1411 | log_message(LOG_INFO, "Invalid request -- bad HTTP verb: %s", client); |
---|
1412 | goto out; |
---|
1413 | } |
---|
1414 | |
---|
1415 | /* Read and skip past the headers. */ |
---|
1416 | for (;;) { |
---|
1417 | len = BIO_gets(cbio, inbuf, sizeof(inbuf)); |
---|
1418 | if (len <= 0) |
---|
1419 | goto out; |
---|
1420 | if ((inbuf[0] == '\r') || (inbuf[0] == '\n')) |
---|
1421 | break; |
---|
1422 | } |
---|
1423 | |
---|
1424 | # ifdef OCSP_DAEMON |
---|
1425 | /* Clear alarm before we close the client socket */ |
---|
1426 | alarm(0); |
---|
1427 | timeout = 0; |
---|
1428 | # endif |
---|
1429 | |
---|
1430 | /* Try to read OCSP request */ |
---|
1431 | if (getbio != NULL) { |
---|
1432 | req = d2i_OCSP_REQUEST_bio(getbio, NULL); |
---|
1433 | BIO_free_all(getbio); |
---|
1434 | } else { |
---|
1435 | req = d2i_OCSP_REQUEST_bio(cbio, NULL); |
---|
1436 | } |
---|
1437 | |
---|
1438 | if (req == NULL) |
---|
1439 | log_message(LOG_ERR, "Error parsing OCSP request"); |
---|
1440 | |
---|
1441 | *preq = req; |
---|
1442 | |
---|
1443 | out: |
---|
1444 | # ifdef OCSP_DAEMON |
---|
1445 | if (timeout > 0) |
---|
1446 | alarm(0); |
---|
1447 | acfd = (int)INVALID_SOCKET; |
---|
1448 | # endif |
---|
1449 | return 1; |
---|
1450 | # endif |
---|
1451 | } |
---|
1452 | |
---|
1453 | static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) |
---|
1454 | { |
---|
1455 | char http_resp[] = |
---|
1456 | "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n" |
---|
1457 | "Content-Length: %d\r\n\r\n"; |
---|
1458 | if (cbio == NULL) |
---|
1459 | return 0; |
---|
1460 | BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL)); |
---|
1461 | i2d_OCSP_RESPONSE_bio(cbio, resp); |
---|
1462 | (void)BIO_flush(cbio); |
---|
1463 | return 1; |
---|
1464 | } |
---|
1465 | |
---|
1466 | # ifndef OPENSSL_NO_SOCK |
---|
1467 | static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, |
---|
1468 | const char *path, |
---|
1469 | const STACK_OF(CONF_VALUE) *headers, |
---|
1470 | OCSP_REQUEST *req, int req_timeout) |
---|
1471 | { |
---|
1472 | int fd; |
---|
1473 | int rv; |
---|
1474 | int i; |
---|
1475 | int add_host = 1; |
---|
1476 | OCSP_REQ_CTX *ctx = NULL; |
---|
1477 | OCSP_RESPONSE *rsp = NULL; |
---|
1478 | fd_set confds; |
---|
1479 | struct timeval tv; |
---|
1480 | |
---|
1481 | if (req_timeout != -1) |
---|
1482 | BIO_set_nbio(cbio, 1); |
---|
1483 | |
---|
1484 | rv = BIO_do_connect(cbio); |
---|
1485 | |
---|
1486 | if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) { |
---|
1487 | BIO_puts(bio_err, "Error connecting BIO\n"); |
---|
1488 | return NULL; |
---|
1489 | } |
---|
1490 | |
---|
1491 | if (BIO_get_fd(cbio, &fd) < 0) { |
---|
1492 | BIO_puts(bio_err, "Can't get connection fd\n"); |
---|
1493 | goto err; |
---|
1494 | } |
---|
1495 | |
---|
1496 | if (req_timeout != -1 && rv <= 0) { |
---|
1497 | FD_ZERO(&confds); |
---|
1498 | openssl_fdset(fd, &confds); |
---|
1499 | tv.tv_usec = 0; |
---|
1500 | tv.tv_sec = req_timeout; |
---|
1501 | rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); |
---|
1502 | if (rv == 0) { |
---|
1503 | BIO_puts(bio_err, "Timeout on connect\n"); |
---|
1504 | return NULL; |
---|
1505 | } |
---|
1506 | } |
---|
1507 | |
---|
1508 | ctx = OCSP_sendreq_new(cbio, path, NULL, -1); |
---|
1509 | if (ctx == NULL) |
---|
1510 | return NULL; |
---|
1511 | |
---|
1512 | for (i = 0; i < sk_CONF_VALUE_num(headers); i++) { |
---|
1513 | CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i); |
---|
1514 | if (add_host == 1 && strcasecmp("host", hdr->name) == 0) |
---|
1515 | add_host = 0; |
---|
1516 | if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value)) |
---|
1517 | goto err; |
---|
1518 | } |
---|
1519 | |
---|
1520 | if (add_host == 1 && OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0) |
---|
1521 | goto err; |
---|
1522 | |
---|
1523 | if (!OCSP_REQ_CTX_set1_req(ctx, req)) |
---|
1524 | goto err; |
---|
1525 | |
---|
1526 | for (;;) { |
---|
1527 | rv = OCSP_sendreq_nbio(&rsp, ctx); |
---|
1528 | if (rv != -1) |
---|
1529 | break; |
---|
1530 | if (req_timeout == -1) |
---|
1531 | continue; |
---|
1532 | FD_ZERO(&confds); |
---|
1533 | openssl_fdset(fd, &confds); |
---|
1534 | tv.tv_usec = 0; |
---|
1535 | tv.tv_sec = req_timeout; |
---|
1536 | if (BIO_should_read(cbio)) { |
---|
1537 | rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv); |
---|
1538 | } else if (BIO_should_write(cbio)) { |
---|
1539 | rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); |
---|
1540 | } else { |
---|
1541 | BIO_puts(bio_err, "Unexpected retry condition\n"); |
---|
1542 | goto err; |
---|
1543 | } |
---|
1544 | if (rv == 0) { |
---|
1545 | BIO_puts(bio_err, "Timeout on request\n"); |
---|
1546 | break; |
---|
1547 | } |
---|
1548 | if (rv == -1) { |
---|
1549 | BIO_puts(bio_err, "Select error\n"); |
---|
1550 | break; |
---|
1551 | } |
---|
1552 | |
---|
1553 | } |
---|
1554 | err: |
---|
1555 | OCSP_REQ_CTX_free(ctx); |
---|
1556 | |
---|
1557 | return rsp; |
---|
1558 | } |
---|
1559 | |
---|
1560 | OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, |
---|
1561 | const char *host, const char *path, |
---|
1562 | const char *port, int use_ssl, |
---|
1563 | STACK_OF(CONF_VALUE) *headers, |
---|
1564 | int req_timeout) |
---|
1565 | { |
---|
1566 | BIO *cbio = NULL; |
---|
1567 | SSL_CTX *ctx = NULL; |
---|
1568 | OCSP_RESPONSE *resp = NULL; |
---|
1569 | |
---|
1570 | cbio = BIO_new_connect(host); |
---|
1571 | if (cbio == NULL) { |
---|
1572 | BIO_printf(bio_err, "Error creating connect BIO\n"); |
---|
1573 | goto end; |
---|
1574 | } |
---|
1575 | if (port != NULL) |
---|
1576 | BIO_set_conn_port(cbio, port); |
---|
1577 | if (use_ssl == 1) { |
---|
1578 | BIO *sbio; |
---|
1579 | ctx = SSL_CTX_new(TLS_client_method()); |
---|
1580 | if (ctx == NULL) { |
---|
1581 | BIO_printf(bio_err, "Error creating SSL context.\n"); |
---|
1582 | goto end; |
---|
1583 | } |
---|
1584 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); |
---|
1585 | sbio = BIO_new_ssl(ctx, 1); |
---|
1586 | cbio = BIO_push(sbio, cbio); |
---|
1587 | } |
---|
1588 | |
---|
1589 | resp = query_responder(cbio, host, path, headers, req, req_timeout); |
---|
1590 | if (resp == NULL) |
---|
1591 | BIO_printf(bio_err, "Error querying OCSP responder\n"); |
---|
1592 | end: |
---|
1593 | BIO_free_all(cbio); |
---|
1594 | SSL_CTX_free(ctx); |
---|
1595 | return resp; |
---|
1596 | } |
---|
1597 | # endif |
---|
1598 | |
---|
1599 | #endif |
---|
1600 | #ifdef __rtems__ |
---|
1601 | #include "rtems-bsd-openssl-ocsp-data.h" |
---|
1602 | #endif /* __rtems__ */ |
---|