authorJung-uk Kim <jkim@FreeBSD.org>2015-10-23 19:46:02 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2015-10-23 19:46:02 +0000
commite9fcefce9bb70f20c272a996443928c5f6ab8cd8 (patch)
treeae816a5a768ec78af3610e509ca39507b33aa9f7 /apps/ocsp.c
parentc07d7b3a386974c338492659291008bed07948e6 (diff)
Import OpenSSL 1.0.2d.vendor/openssl/1.0.2d
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=289848 svn path=/vendor-crypto/openssl/1.0.2d/; revision=289849; tag=vendor/openssl/1.0.2d
Diffstat (limited to 'apps/ocsp.c')
-rw-r--r--apps/ocsp.c96
1 files changed, 69 insertions, 27 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 572f0643e13c..926083dd1b5c 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -110,16 +110,17 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, X509 *ca, X509 *rcert,
- EVP_PKEY *rkey, STACK_OF(X509) *rother,
- unsigned long flags, int nmin, int ndays);
+ EVP_PKEY *rkey, const EVP_MD *md,
+ STACK_OF(X509) *rother, unsigned long flags,
+ int nmin, int ndays, int badsig);
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
-static BIO *init_responder(char *port);
+static BIO *init_responder(const char *port);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
- char *port);
+ const char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
- STACK_OF(CONF_VALUE) *headers,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+ const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
# undef PROG
@@ -154,12 +155,14 @@ int MAIN(int argc, char **argv)
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
+ X509_VERIFY_PARAM *vpm = NULL;
STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
int ret = 1;
int accept_count = -1;
int badarg = 0;
+ int badsig = 0;
int i;
int ignore_err = 0;
STACK_OF(OPENSSL_STRING) *reqnames = NULL;
@@ -170,7 +173,7 @@ int MAIN(int argc, char **argv)
char *rca_filename = NULL;
CA_DB *rdb = NULL;
int nmin = 0, ndays = -1;
- const EVP_MD *cert_id_md = NULL;
+ const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@@ -206,6 +209,7 @@ int MAIN(int argc, char **argv)
OPENSSL_free(tport);
if (tpath)
OPENSSL_free(tpath);
+ thost = tport = tpath = NULL;
if (args[1]) {
args++;
if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
@@ -264,6 +268,8 @@ int MAIN(int argc, char **argv)
verify_flags |= OCSP_TRUSTOTHER;
else if (!strcmp(*args, "-no_intern"))
verify_flags |= OCSP_NOINTERN;
+ else if (!strcmp(*args, "-badsig"))
+ badsig = 1;
else if (!strcmp(*args, "-text")) {
req_text = 1;
resp_text = 1;
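Review bot: The new `-badsig` switch is parsed here but nothing visible in this diff adds it to the usage text, so `ocsp -help` will not list it; the same holds for `-rmd` in the hunk at `@@ -465,6 +475,14 @@`. Each deserves a one-line usage entry, `-rmd` as the digest used to sign the response and `-badsig` as a test-only switch that deliberately corrupts the responder signature. Because `-badsig` intentionally produces a response that verifiers must reject, a comment at the parse site such as `/* test-only: corrupt the response signature (see make_ocsp_response) */` would keep it from being mistaken for a normal option. The usage block lies outside these hunks, so it may have been updated in a part of the change not shown.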
@@ -320,6 +326,10 @@ int MAIN(int argc, char **argv)
CApath = *args;
} else
badarg = 1;
+ } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) {
+ if (badarg)
+ goto end;
+ continue;
} else if (!strcmp(*args, "-validity_period")) {
if (args[1]) {
args++;
@@ -465,6 +475,14 @@ int MAIN(int argc, char **argv)
rcertfile = *args;
} else
badarg = 1;
+ } else if (!strcmp(*args, "-rmd")) {
+ if (args[1]) {
+ args++;
+ rsign_md = EVP_get_digestbyname(*args);
+ if (!rsign_md)
+ badarg = 1;
+ } else
+ badarg = 1;
} else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
badarg = 1;
}
@@ -584,7 +602,10 @@ int MAIN(int argc, char **argv)
add_nonce = 0;
if (!req && reqin) {
- derbio = BIO_new_file(reqin, "rb");
+ if (!strcmp(reqin, "-"))
+ derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+ else
+ derbio = BIO_new_file(reqin, "rb");
if (!derbio) {
BIO_printf(bio_err, "Error Opening OCSP request file\n");
goto end;
@@ -681,7 +702,10 @@ int MAIN(int argc, char **argv)
OCSP_REQUEST_print(out, req, 0);
if (reqout) {
- derbio = BIO_new_file(reqout, "wb");
+ if (!strcmp(reqout, "-"))
+ derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+ else
+ derbio = BIO_new_file(reqout, "wb");
if (!derbio) {
BIO_printf(bio_err, "Error opening file %s\n", reqout);
goto end;
@@ -706,7 +730,7 @@ int MAIN(int argc, char **argv)
if (rdb) {
i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
- rother, rflags, nmin, ndays);
+ rsign_md, rother, rflags, nmin, ndays, badsig);
if (cbio)
send_ocsp_response(cbio, resp);
} else if (host) {
@@ -721,7 +745,10 @@ int MAIN(int argc, char **argv)
goto end;
# endif
} else if (respin) {
- derbio = BIO_new_file(respin, "rb");
+ if (!strcmp(respin, "-"))
+ derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+ else
+ derbio = BIO_new_file(respin, "rb");
if (!derbio) {
BIO_printf(bio_err, "Error Opening OCSP response file\n");
goto end;
@@ -741,7 +768,10 @@ int MAIN(int argc, char **argv)
done_resp:
if (respout) {
- derbio = BIO_new_file(respout, "wb");
+ if (!strcmp(respout, "-"))
+ derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+ else
+ derbio = BIO_new_file(respout, "wb");
if (!derbio) {
BIO_printf(bio_err, "Error opening file %s\n", respout);
goto end;
@@ -778,6 +808,10 @@ int MAIN(int argc, char **argv)
resp = NULL;
goto redo_accept;
}
+ ret = 0;
+ goto end;
+ } else if (ridx_filename) {
+ ret = 0;
goto end;
}
@@ -785,6 +819,8 @@ int MAIN(int argc, char **argv)
store = setup_verify(bio_err, CAfile, CApath);
if (!store)
goto end;
+ if (vpm)
+ X509_STORE_set1_param(store, vpm);
if (verify_certfile) {
verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
NULL, e, "validator certificate");
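Review bot: `X509_STORE_set1_param` returns 0 when it cannot copy the parameters, and the added line drops that result, so a verification setting supplied on the command line could be silently ignored and the store would keep its defaults. Check it instead: `if (vpm && !X509_STORE_set1_param(store, vpm)) goto end;` — `ret` is still 1 at this point (it is only cleared later, before the nonce check), so the jump reports failure. Which switches `args_verify` accepts into `vpm` is not visible in this hunk, but any of them is affected the same way.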
@@ -799,37 +835,38 @@ int MAIN(int argc, char **argv)
goto end;
}
+ ret = 0;
+
if (!noverify) {
if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
if (i == -1)
BIO_printf(bio_err, "WARNING: no nonce in response\n");
else {
BIO_printf(bio_err, "Nonce Verify error\n");
+ ret = 1;
goto end;
}
}
i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
- if (i < 0)
- i = OCSP_basic_verify(bs, NULL, store, 0);
-
if (i <= 0) {
BIO_printf(bio_err, "Response Verify Failure\n");
ERR_print_errors(bio_err);
+ ret = 1;
} else
BIO_printf(bio_err, "Response verify OK\n");
}
if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
- goto end;
-
- ret = 0;
+ ret = 1;
end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
+ if (vpm)
+ X509_VERIFY_PARAM_free(vpm);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(issuer);
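Review bot: After `Response Verify Failure` the code now falls through to `print_ocsp_summary` instead of jumping to `end`, so certificate statuses taken from a response whose signature did not verify are printed right after the error, with only the exit status (`ret = 1`) telling the two cases apart. That looks deliberate, but it is easy to misread when the output is scripted, so the intent should be stated at the fallthrough: `/* Verification failed: still print the summary so the user sees what the responder claimed, but exit non-zero (ret = 1). */`. Dropping the second `OCSP_basic_verify(bs, NULL, store, 0)` call is sound, since that retry discarded the caller's `verify_flags` and extra certificates and could accept a response the first call had rejected; a short comment above the remaining call saying there is intentionally no fallback would stop someone re-adding it.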
@@ -984,8 +1021,9 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, X509 *ca, X509 *rcert,
- EVP_PKEY *rkey, STACK_OF(X509) *rother,
- unsigned long flags, int nmin, int ndays)
+ EVP_PKEY *rkey, const EVP_MD *rmd,
+ STACK_OF(X509) *rother, unsigned long flags,
+ int nmin, int ndays, int badsig)
{
ASN1_TIME *thisupd = NULL, *nextupd = NULL;
OCSP_CERTID *cid, *ca_id = NULL;
@@ -1069,7 +1107,10 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
OCSP_copy_nonce(bs, req);
- OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
+ OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
+
+ if (badsig)
+ bs->signature->data[bs->signature->length - 1] ^= 0x1;
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
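Review bot: The return value of `OCSP_basic_sign` is discarded on the new line, and the `-badsig` branch right after it indexes `bs->signature->data[bs->signature->length - 1]` unconditionally; if signing failed (for example a key that does not match `rcert`, or a digest from `-rmd` the key cannot use) the signature is most likely still empty, and `length - 1` is then an out-of-bounds write through a null or stale pointer. Even without `-badsig`, an unsigned basic response is wrapped by `OCSP_response_create` and sent as `SUCCESSFUL`. Check the result before touching the signature, `if (!OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags)) goto end;` — assuming the function's cleanup label is `end`, which is outside the hunk — and label the corruption so it is not mistaken for a bug: `/* test-only: flip one bit of the signature so verifiers must reject it */`. make_ocsp_response's body continues outside the hunk.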
@@ -1105,7 +1146,7 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
/* Quick and dirty OCSP server: read in and parse input request */
-static BIO *init_responder(char *port)
+static BIO *init_responder(const char *port)
{
BIO *acbio = NULL, *bufbio = NULL;
bufbio = BIO_new(BIO_f_buffer());
@@ -1137,7 +1178,7 @@ static BIO *init_responder(char *port)
}
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
- char *port)
+ const char *port)
{
int have_post = 0, len;
OCSP_REQUEST *req = NULL;
@@ -1198,8 +1239,8 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
return 1;
}
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
- STACK_OF(CONF_VALUE) *headers,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+ const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout)
{
int fd;
@@ -1286,8 +1327,9 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
}
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
- char *host, char *path, char *port,
- int use_ssl, STACK_OF(CONF_VALUE) *headers,
+ const char *host, const char *path,
+ const char *port, int use_ssl,
+ const STACK_OF(CONF_VALUE) *headers,
int req_timeout)
{
BIO *cbio = NULL;