]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/ocsp.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Make sha512-armv4.pl byte-order neutral.
[thirdparty/openssl.git] / apps / ocsp.c
CommitLineData
5782ceb2
DSH		 1/* ocsp.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
85d686e7 58#ifndef OPENSSL_NO_OCSP
5782ceb2
DSH		 59
60#include <stdio.h>
ad35cdac 61#include <stdlib.h>
5782ceb2 62#include <string.h>
ad35cdac
DSH		 63#include <openssl/e_os2.h>
64#include <openssl/bio.h>
5782ceb2 65#include <openssl/ocsp.h>
ad35cdac 66#include <openssl/txt_db.h>
cdc7b8cc 67#include <openssl/ssl.h>
ad35cdac 68#include "apps.h"
5782ceb2 69
f1965221
DSH		 70/* Maximum leeway in validity period: default 5 minutes */
71#define MAX_VALIDITY_PERIOD (5 * 60)
72
73758d43
DSH		 73static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
74 STACK_OF(OCSP_CERTID) *ids);
75static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
76 STACK_OF(OCSP_CERTID) *ids);
77static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
f1965221
DSH		 78 STACK *names, STACK_OF(OCSP_CERTID) *ids,
79 long nsec, long maxage);
5782ceb2 80
f85b68cd 81static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
ee306a13
DSH		 82 X509 *ca, X509 *rcert, EVP_PKEY *rkey,
83 STACK_OF(X509) *rother, unsigned long flags,
84 int nmin, int ndays);
85
f85b68cd 86static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
534a1ed0
DSH		 87static BIO *init_responder(char *port);
88static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
ee306a13 89static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
454dbbc5
DSH		 90static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
91 OCSP_REQUEST *req, int req_timeout);
ee306a13 92
5782ceb2
DSH		 93#undef PROG
94#define PROG ocsp_main
95
96int MAIN(int, char **);
97
98int MAIN(int argc, char **argv)
99 {
30b4c272 100 ENGINE *e = NULL;
5782ceb2 101 char **args;
67c18019 102 char *host = NULL, *port = NULL, *path = "/";
5782ceb2
DSH		 103 char *reqin = NULL, *respin = NULL;
104 char *reqout = NULL, *respout = NULL;
105 char *signfile = NULL, *keyfile = NULL;
ee306a13 106 char *rsignfile = NULL, *rkeyfile = NULL;
5782ceb2 107 char *outfile = NULL;
67c18019 108 int add_nonce = 1, noverify = 0, use_ssl = -1;
5782ceb2
DSH		 109 OCSP_REQUEST *req = NULL;
110 OCSP_RESPONSE *resp = NULL;
81f169e9 111 OCSP_BASICRESP *bs = NULL;
5782ceb2 112 X509 *issuer = NULL, *cert = NULL;
ee306a13
DSH		 113 X509 *signer = NULL, *rsigner = NULL;
114 EVP_PKEY *key = NULL, *rkey = NULL;
534a1ed0
DSH		 115 BIO *acbio = NULL, *cbio = NULL;
116 BIO *derbio = NULL;
5782ceb2 117 BIO *out = NULL;
454dbbc5 118 int req_timeout = -1;
5782ceb2 119 int req_text = 0, resp_text = 0;
f1965221 120 long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
81f169e9
DSH		 121 char *CAfile = NULL, *CApath = NULL;
122 X509_STORE *store = NULL;
cdc7b8cc 123 SSL_CTX *ctx = NULL;
ee306a13
DSH		 124 STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
125 char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
126 unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
5782ceb2 127 int ret = 1;
534a1ed0 128 int accept_count = -1;
5782ceb2 129 int badarg = 0;
81f169e9 130 int i;
560dfd2a 131 int ignore_err = 0;
73758d43
DSH		 132 STACK *reqnames = NULL;
133 STACK_OF(OCSP_CERTID) *ids = NULL;
ee306a13
DSH		 134
135 X509 *rca_cert = NULL;
136 char *ridx_filename = NULL;
137 char *rca_filename = NULL;
f85b68cd 138 CA_DB *rdb = NULL;
ee306a13
DSH		 139 int nmin = 0, ndays = -1;
140
5782ceb2 141 if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
3647bee2
DSH		 142
143 if (!load_config(bio_err, NULL))
144 goto end;
cdc7b8cc 145 SSL_load_error_strings();
5dfe9100 146 OpenSSL_add_ssl_algorithms();
5782ceb2 147 args = argv + 1;
73758d43
DSH		 148 reqnames = sk_new_null();
149 ids = sk_OCSP_CERTID_new_null();
5782ceb2
DSH		 150 while (!badarg && *args && *args[0] == '-')
151 {
152 if (!strcmp(*args, "-out"))
153 {
154 if (args[1])
155 {
156 args++;
157 outfile = *args;
158 }
159 else badarg = 1;
160 }
454dbbc5
DSH		 161 else if (!strcmp(*args, "-timeout"))
162 {
163 if (args[1])
164 {
165 args++;
166 req_timeout = atol(*args);
167 if (req_timeout < 0)
168 {
169 BIO_printf(bio_err,
170 "Illegal timeout value %s\n",
171 *args);
172 badarg = 1;
173 }
174 }
175 else badarg = 1;
176 }
67c18019
DSH		 177 else if (!strcmp(*args, "-url"))
178 {
179 if (args[1])
180 {
181 args++;
182 if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
183 {
184 BIO_printf(bio_err, "Error parsing URL\n");
185 badarg = 1;
186 }
187 }
188 else badarg = 1;
189 }
5782ceb2
DSH		 190 else if (!strcmp(*args, "-host"))
191 {
192 if (args[1])
193 {
194 args++;
195 host = *args;
196 }
197 else badarg = 1;
198 }
ee306a13
DSH		 199 else if (!strcmp(*args, "-port"))
200 {
201 if (args[1])
202 {
203 args++;
204 port = *args;
205 }
206 else badarg = 1;
207 }
560dfd2a
DSH		 208 else if (!strcmp(*args, "-ignore_err"))
209 ignore_err = 1;
73758d43
DSH		 210 else if (!strcmp(*args, "-noverify"))
211 noverify = 1;
5782ceb2
DSH		 212 else if (!strcmp(*args, "-nonce"))
213 add_nonce = 2;
214 else if (!strcmp(*args, "-no_nonce"))
215 add_nonce = 0;
534a1ed0 216 else if (!strcmp(*args, "-resp_no_certs"))
ee306a13 217 rflags |= OCSP_NOCERTS;
534a1ed0 218 else if (!strcmp(*args, "-resp_key_id"))
ee306a13 219 rflags |= OCSP_RESPID_KEY;
8c950429
DSH		 220 else if (!strcmp(*args, "-no_certs"))
221 sign_flags |= OCSP_NOCERTS;
222 else if (!strcmp(*args, "-no_signature_verify"))
223 verify_flags |= OCSP_NOSIGS;
224 else if (!strcmp(*args, "-no_cert_verify"))
225 verify_flags |= OCSP_NOVERIFY;
226 else if (!strcmp(*args, "-no_chain"))
227 verify_flags |= OCSP_NOCHAIN;
228 else if (!strcmp(*args, "-no_cert_checks"))
229 verify_flags |= OCSP_NOCHECKS;
230 else if (!strcmp(*args, "-no_explicit"))
231 verify_flags |= OCSP_NOEXPLICIT;
232 else if (!strcmp(*args, "-trust_other"))
233 verify_flags |= OCSP_TRUSTOTHER;
234 else if (!strcmp(*args, "-no_intern"))
235 verify_flags |= OCSP_NOINTERN;
5782ceb2
DSH		 236 else if (!strcmp(*args, "-text"))
237 {
238 req_text = 1;
239 resp_text = 1;
240 }
241 else if (!strcmp(*args, "-req_text"))
242 req_text = 1;
243 else if (!strcmp(*args, "-resp_text"))
244 resp_text = 1;
245 else if (!strcmp(*args, "-reqin"))
246 {
247 if (args[1])
248 {
249 args++;
250 reqin = *args;
251 }
252 else badarg = 1;
253 }
254 else if (!strcmp(*args, "-respin"))
255 {
256 if (args[1])
257 {
258 args++;
259 respin = *args;
260 }
261 else badarg = 1;
262 }
263 else if (!strcmp(*args, "-signer"))
264 {
265 if (args[1])
266 {
267 args++;
268 signfile = *args;
269 }
270 else badarg = 1;
271 }
9235adbf
RL		 272 else if (!strcmp (*args, "-VAfile"))
273 {
274 if (args[1])
275 {
276 args++;
8c950429
DSH		 277 verify_certfile = *args;
278 verify_flags |= OCSP_TRUSTOTHER;
279 }
280 else badarg = 1;
281 }
282 else if (!strcmp(*args, "-sign_other"))
283 {
284 if (args[1])
285 {
286 args++;
287 sign_certfile = *args;
288 }
289 else badarg = 1;
290 }
291 else if (!strcmp(*args, "-verify_other"))
292 {
293 if (args[1])
294 {
295 args++;
296 verify_certfile = *args;
9235adbf
RL		 297 }
298 else badarg = 1;
299 }
81f169e9
DSH		 300 else if (!strcmp (*args, "-CAfile"))
301 {
302 if (args[1])
303 {
304 args++;
305 CAfile = *args;
306 }
307 else badarg = 1;
308 }
309 else if (!strcmp (*args, "-CApath"))
310 {
311 if (args[1])
312 {
313 args++;
314 CApath = *args;
315 }
316 else badarg = 1;
317 }
f1965221
DSH		 318 else if (!strcmp (*args, "-validity_period"))
319 {
320 if (args[1])
321 {
322 args++;
323 nsec = atol(*args);
324 if (nsec < 0)
325 {
326 BIO_printf(bio_err,
327 "Illegal validity period %s\n",
328 *args);
329 badarg = 1;
330 }
331 }
332 else badarg = 1;
333 }
334 else if (!strcmp (*args, "-status_age"))
335 {
336 if (args[1])
337 {
338 args++;
339 maxage = atol(*args);
340 if (maxage < 0)
341 {
342 BIO_printf(bio_err,
343 "Illegal validity age %s\n",
344 *args);
345 badarg = 1;
346 }
347 }
348 else badarg = 1;
349 }
5782ceb2
DSH		 350 else if (!strcmp(*args, "-signkey"))
351 {
352 if (args[1])
353 {
354 args++;
355 keyfile = *args;
356 }
357 else badarg = 1;
358 }
359 else if (!strcmp(*args, "-reqout"))
360 {
361 if (args[1])
362 {
363 args++;
364 reqout = *args;
365 }
366 else badarg = 1;
367 }
368 else if (!strcmp(*args, "-respout"))
369 {
370 if (args[1])
371 {
372 args++;
373 respout = *args;
374 }
375 else badarg = 1;
376 }
377 else if (!strcmp(*args, "-path"))
378 {
379 if (args[1])
380 {
381 args++;
382 path = *args;
383 }
384 else badarg = 1;
385 }
386 else if (!strcmp(*args, "-issuer"))
387 {
388 if (args[1])
389 {
390 args++;
391 X509_free(issuer);
30b4c272
RL		 392 issuer = load_cert(bio_err, *args, FORMAT_PEM,
393 NULL, e, "issuer certificate");
5782ceb2
DSH		 394 if(!issuer) goto end;
395 }
396 else badarg = 1;
397 }
398 else if (!strcmp (*args, "-cert"))
399 {
400 if (args[1])
401 {
402 args++;
403 X509_free(cert);
30b4c272
RL		 404 cert = load_cert(bio_err, *args, FORMAT_PEM,
405 NULL, e, "certificate");
5782ceb2 406 if(!cert) goto end;
73758d43
DSH		 407 if(!add_ocsp_cert(&req, cert, issuer, ids))
408 goto end;
409 if(!sk_push(reqnames, *args))
5782ceb2
DSH		 410 goto end;
411 }
412 else badarg = 1;
413 }
414 else if (!strcmp(*args, "-serial"))
415 {
416 if (args[1])
417 {
418 args++;
73758d43
DSH		 419 if(!add_ocsp_serial(&req, *args, issuer, ids))
420 goto end;
421 if(!sk_push(reqnames, *args))
5782ceb2
DSH		 422 goto end;
423 }
424 else badarg = 1;
425 }
ee306a13
DSH		 426 else if (!strcmp(*args, "-index"))
427 {
428 if (args[1])
429 {
430 args++;
431 ridx_filename = *args;
432 }
433 else badarg = 1;
434 }
435 else if (!strcmp(*args, "-CA"))
436 {
437 if (args[1])
438 {
439 args++;
440 rca_filename = *args;
441 }
442 else badarg = 1;
443 }
444 else if (!strcmp (*args, "-nmin"))
445 {
446 if (args[1])
447 {
448 args++;
449 nmin = atol(*args);
450 if (nmin < 0)
451 {
452 BIO_printf(bio_err,
453 "Illegal update period %s\n",
454 *args);
455 badarg = 1;
456 }
457 }
458 if (ndays == -1)
459 ndays = 0;
460 else badarg = 1;
461 }
534a1ed0
DSH		 462 else if (!strcmp (*args, "-nrequest"))
463 {
464 if (args[1])
465 {
466 args++;
467 accept_count = atol(*args);
468 if (accept_count < 0)
469 {
470 BIO_printf(bio_err,
471 "Illegal accept count %s\n",
472 *args);
473 badarg = 1;
474 }
475 }
476 else badarg = 1;
477 }
ee306a13
DSH		 478 else if (!strcmp (*args, "-ndays"))
479 {
480 if (args[1])
481 {
482 args++;
483 ndays = atol(*args);
484 if (ndays < 0)
485 {
486 BIO_printf(bio_err,
487 "Illegal update period %s\n",
488 *args);
489 badarg = 1;
490 }
491 }
492 else badarg = 1;
493 }
494 else if (!strcmp(*args, "-rsigner"))
495 {
496 if (args[1])
497 {
498 args++;
499 rsignfile = *args;
500 }
501 else badarg = 1;
502 }
503 else if (!strcmp(*args, "-rkey"))
504 {
505 if (args[1])
506 {
507 args++;
508 rkeyfile = *args;
509 }
510 else badarg = 1;
511 }
512 else if (!strcmp(*args, "-rother"))
513 {
514 if (args[1])
515 {
516 args++;
517 rcertfile = *args;
518 }
519 else badarg = 1;
520 }
5782ceb2
DSH		 521 else badarg = 1;
522 args++;
523 }
524
525 /* Have we anything to do? */
ee306a13 526 if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
5782ceb2
DSH		 527
528 if (badarg)
529 {
530 BIO_printf (bio_err, "OCSP utility\n");
531 BIO_printf (bio_err, "Usage ocsp [options]\n");
532 BIO_printf (bio_err, "where options are\n");
8c950429
DSH		 533 BIO_printf (bio_err, "-out file output filename\n");
534 BIO_printf (bio_err, "-issuer file issuer certificate\n");
535 BIO_printf (bio_err, "-cert file certificate to check\n");
536 BIO_printf (bio_err, "-serial n serial number to check\n");
537 BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
538 BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
e5b0508a 539 BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
b3f2e399 540 BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
8c950429
DSH		 541 BIO_printf (bio_err, "-req_text print text form of request\n");
542 BIO_printf (bio_err, "-resp_text print text form of response\n");
543 BIO_printf (bio_err, "-text print text form of request and response\n");
544 BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
545 BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
546 BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
547 BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
548 BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
549 BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
67c18019 550 BIO_printf (bio_err, "-url URL OCSP responder URL\n");
8c950429
DSH		 551 BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
552 BIO_printf (bio_err, "-path path to use in OCSP request\n");
553 BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
554 BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
555 BIO_printf (bio_err, "-VAfile file validator certificates file\n");
f1965221
DSH		 556 BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
557 BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
8c950429 558 BIO_printf (bio_err, "-noverify don't verify response at all\n");
e5b0508a 559 BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
b3f2e399
DSH		 560 BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
561 BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
e5b0508a 562 BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
b3f2e399
DSH		 563 BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
564 BIO_printf (bio_err, "-no_chain don't chain verify response\n");
565 BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
b439a746 566 BIO_printf (bio_err, "-port num port to run responder on\n");
534a1ed0
DSH		 567 BIO_printf (bio_err, "-index file certificate status index file\n");
568 BIO_printf (bio_err, "-CA file CA certificate\n");
99889b46
DSH		 569 BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n");
570 BIO_printf (bio_err, "-rkey file responder key to sign responses with\n");
534a1ed0
DSH		 571 BIO_printf (bio_err, "-rother file other certificates to include in response\n");
572 BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n");
573 BIO_printf (bio_err, "-nmin n number of minutes before next update\n");
574 BIO_printf (bio_err, "-ndays n number of days before next update\n");
575 BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
576 BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
5782ceb2
DSH		 577 goto end;
578 }
579
580 if(outfile) out = BIO_new_file(outfile, "w");
581 else out = BIO_new_fp(stdout, BIO_NOCLOSE);
582
583 if(!out)
584 {
585 BIO_printf(bio_err, "Error opening output file\n");
586 goto end;
587 }
588
589 if (!req && (add_nonce != 2)) add_nonce = 0;
590
591 if (!req && reqin)
592 {
593 derbio = BIO_new_file(reqin, "rb");
594 if (!derbio)
595 {
596 BIO_printf(bio_err, "Error Opening OCSP request file\n");
597 goto end;
598 }
599 req = d2i_OCSP_REQUEST_bio(derbio, NULL);
600 BIO_free(derbio);
601 if(!req)
602 {
603 BIO_printf(bio_err, "Error reading OCSP request\n");
604 goto end;
605 }
606 }
607
ee306a13
DSH		 608 if (!req && port)
609 {
534a1ed0
DSH		 610 acbio = init_responder(port);
611 if (!acbio)
ee306a13 612 goto end;
534a1ed0
DSH		 613 }
614
b439a746
DSH		 615 if (rsignfile && !rdb)
616 {
617 if (!rkeyfile) rkeyfile = rsignfile;
618 rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
619 NULL, e, "responder certificate");
620 if (!rsigner)
621 {
622 BIO_printf(bio_err, "Error loading responder certificate\n");
623 goto end;
624 }
625 rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
626 NULL, e, "CA certificate");
627 if (rcertfile)
628 {
5575f781 629 rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
b439a746 630 NULL, e, "responder other certificates");
5575f781 631 if (!rother) goto end;
b439a746 632 }
da9b9724 633 rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
b439a746
DSH		 634 "responder private key");
635 if (!rkey)
636 goto end;
637 }
638 if(acbio)
639 BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
640
534a1ed0
DSH		 641 redo_accept:
642
643 if (acbio)
644 {
645 if (!do_responder(&req, &cbio, acbio, port))
646 goto end;
647 if (!req)
ee306a13
DSH		 648 {
649 resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
650 send_ocsp_response(cbio, resp);
651 goto done_resp;
652 }
653 }
654
655 if (!req && (signfile || reqout || host || add_nonce || ridx_filename))
5782ceb2
DSH		 656 {
657 BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
658 goto end;
659 }
660
73758d43 661 if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
5782ceb2
DSH		 662
663 if (signfile)
664 {
665 if (!keyfile) keyfile = signfile;
30b4c272
RL		 666 signer = load_cert(bio_err, signfile, FORMAT_PEM,
667 NULL, e, "signer certificate");
5782ceb2
DSH		 668 if (!signer)
669 {
670 BIO_printf(bio_err, "Error loading signer certificate\n");
671 goto end;
672 }
8c950429
DSH		 673 if (sign_certfile)
674 {
30b4c272
RL		 675 sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
676 NULL, e, "signer certificates");
8c950429
DSH		 677 if (!sign_other) goto end;
678 }
da9b9724 679 key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
30b4c272 680 "signer private key");
5782ceb2 681 if (!key)
5782ceb2 682 goto end;
8c950429 683 if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
5782ceb2
DSH		 684 {
685 BIO_printf(bio_err, "Error signing OCSP request\n");
686 goto end;
687 }
688 }
689
ee306a13
DSH		 690 if (req_text && req) OCSP_REQUEST_print(out, req, 0);
691
99889b46
DSH		 692 if (reqout)
693 {
694 derbio = BIO_new_file(reqout, "wb");
695 if(!derbio)
696 {
697 BIO_printf(bio_err, "Error opening file %s\n", reqout);
698 goto end;
699 }
700 i2d_OCSP_REQUEST_bio(derbio, req);
701 BIO_free(derbio);
702 }
703
ee306a13
DSH		 704 if (ridx_filename && (!rkey || !rsigner || !rca_cert))
705 {
706 BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
707 goto end;
708 }
5782ceb2 709
534a1ed0 710 if (ridx_filename && !rdb)
ee306a13 711 {
f85b68cd
RL		 712 rdb = load_index(ridx_filename, NULL);
713 if (!rdb) goto end;
714 if (!index_index(rdb)) goto end;
534a1ed0
DSH		 715 }
716
717 if (rdb)
718 {
ee306a13
DSH		 719 i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
720 if (cbio)
721 send_ocsp_response(cbio, resp);
722 }
723 else if (host)
5782ceb2 724 {
85d686e7 725#ifndef OPENSSL_NO_SOCK
5782ceb2 726 cbio = BIO_new_connect(host);
85d686e7
RL		 727#else
728 BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
729 goto end;
730#endif
5782ceb2
DSH		 731 if (!cbio)
732 {
733 BIO_printf(bio_err, "Error creating connect BIO\n");
734 goto end;
735 }
67c18019 736 if (port) BIO_set_conn_port(cbio, port);
cdc7b8cc
DSH		 737 if (use_ssl == 1)
738 {
739 BIO *sbio;
e270cf9c 740#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
cdc7b8cc 741 ctx = SSL_CTX_new(SSLv23_client_method());
e270cf9c
RL		 742#elif !defined(OPENSSL_NO_SSL3)
743 ctx = SSL_CTX_new(SSLv3_client_method());
744#elif !defined(OPENSSL_NO_SSL2)
745 ctx = SSL_CTX_new(SSLv2_client_method());
746#else
747 BIO_printf(bio_err, "SSL is disabled\n");
748 goto end;
749#endif
5dfe9100
NL		 750 if (ctx == NULL)
751 {
752 BIO_printf(bio_err, "Error creating SSL context.\n");
753 goto end;
754 }
cdc7b8cc
DSH		 755 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
756 sbio = BIO_new_ssl(ctx, 1);
757 cbio = BIO_push(sbio, cbio);
758 }
454dbbc5
DSH		 759
760 resp = query_responder(bio_err, cbio, path, req, req_timeout);
cdc7b8cc 761 BIO_free_all(cbio);
5782ceb2
DSH		 762 cbio = NULL;
763 if (!resp)
764 {
765 BIO_printf(bio_err, "Error querying OCSP responsder\n");
766 goto end;
767 }
768 }
769 else if (respin)
770 {
771 derbio = BIO_new_file(respin, "rb");
772 if (!derbio)
773 {
774 BIO_printf(bio_err, "Error Opening OCSP response file\n");
775 goto end;
776 }
777 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
778 BIO_free(derbio);
779 if(!resp)
780 {
781 BIO_printf(bio_err, "Error reading OCSP response\n");
782 goto end;
783 }
784
785 }
786 else
787 {
788 ret = 0;
789 goto end;
790 }
791
ee306a13
DSH		 792 done_resp:
793
5782ceb2
DSH		 794 if (respout)
795 {
796 derbio = BIO_new_file(respout, "wb");
797 if(!derbio)
798 {
799 BIO_printf(bio_err, "Error opening file %s\n", respout);
800 goto end;
801 }
802 i2d_OCSP_RESPONSE_bio(derbio, resp);
803 BIO_free(derbio);
804 }
805
73758d43
DSH		 806 i = OCSP_response_status(resp);
807
808 if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
809 {
3ae70939 810 BIO_printf(out, "Responder Error: %s (%d)\n",
73758d43 811 OCSP_response_status_str(i), i);
560dfd2a
DSH		 812 if (ignore_err)
813 goto redo_accept;
73758d43
DSH		 814 ret = 0;
815 goto end;
816 }
817
5782ceb2
DSH		 818 if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
819
ee306a13
DSH		 820 /* If running as responder don't verify our own response */
821 if (cbio)
534a1ed0
DSH		 822 {
823 if (accept_count > 0)
824 accept_count--;
825 /* Redo if more connections needed */
826 if (accept_count)
827 {
828 BIO_free_all(cbio);
829 cbio = NULL;
830 OCSP_REQUEST_free(req);
831 req = NULL;
832 OCSP_RESPONSE_free(resp);
833 resp = NULL;
834 goto redo_accept;
835 }
ee306a13 836 goto end;
534a1ed0 837 }
ee306a13 838
534a1ed0
DSH		 839 if (!store)
840 store = setup_verify(bio_err, CAfile, CApath);
99889b46
DSH		 841 if (!store)
842 goto end;
8c950429
DSH		 843 if (verify_certfile)
844 {
30b4c272
RL		 845 verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
846 NULL, e, "validator certificate");
8c950429
DSH		 847 if (!verify_other) goto end;
848 }
9235adbf 849
81f169e9
DSH		 850 bs = OCSP_response_get1_basic(resp);
851
73758d43
DSH		 852 if (!bs)
853 {
854 BIO_printf(bio_err, "Error parsing response\n");
855 goto end;
856 }
81f169e9 857
73758d43 858 if (!noverify)
81f169e9 859 {
46a58ab9 860 if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
73758d43 861 {
46a58ab9
DSH		 862 if (i == -1)
863 BIO_printf(bio_err, "WARNING: no nonce in response\n");
864 else
865 {
866 BIO_printf(bio_err, "Nonce Verify error\n");
867 goto end;
868 }
73758d43
DSH		 869 }
870
8c950429 871 i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
9235adbf 872 if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
73758d43
DSH		 873
874 if(i <= 0)
875 {
3ae70939 876 BIO_printf(bio_err, "Response Verify Failure\n");
73758d43
DSH		 877 ERR_print_errors(bio_err);
878 }
879 else
880 BIO_printf(bio_err, "Response verify OK\n");
881
81f169e9 882 }
73758d43 883
f1965221 884 if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
73758d43 885 goto end;
81f169e9 886
5782ceb2
DSH		 887 ret = 0;
888
889end:
890 ERR_print_errors(bio_err);
891 X509_free(signer);
81f169e9 892 X509_STORE_free(store);
5782ceb2 893 EVP_PKEY_free(key);
ee306a13 894 EVP_PKEY_free(rkey);
5782ceb2
DSH		 895 X509_free(issuer);
896 X509_free(cert);
ee306a13
DSH		 897 X509_free(rsigner);
898 X509_free(rca_cert);
f85b68cd 899 free_index(rdb);
cdc7b8cc 900 BIO_free_all(cbio);
534a1ed0 901 BIO_free_all(acbio);
5782ceb2
DSH		 902 BIO_free(out);
903 OCSP_REQUEST_free(req);
904 OCSP_RESPONSE_free(resp);
81f169e9 905 OCSP_BASICRESP_free(bs);
73758d43
DSH		 906 sk_free(reqnames);
907 sk_OCSP_CERTID_free(ids);
8c950429
DSH		 908 sk_X509_pop_free(sign_other, X509_free);
909 sk_X509_pop_free(verify_other, X509_free);
5782ceb2 910
67c18019
DSH		 911 if (use_ssl != -1)
912 {
913 OPENSSL_free(host);
914 OPENSSL_free(port);
915 OPENSSL_free(path);
cdc7b8cc 916 SSL_CTX_free(ctx);
67c18019
DSH		 917 }
918
1c3e4a36 919 OPENSSL_EXIT(ret);
5782ceb2
DSH		 920}
921
73758d43
DSH		 922static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
923 STACK_OF(OCSP_CERTID) *ids)
5782ceb2
DSH		 924 {
925 OCSP_CERTID *id;
926 if(!issuer)
927 {
928 BIO_printf(bio_err, "No issuer certificate specified\n");
929 return 0;
930 }
931 if(!*req) *req = OCSP_REQUEST_new();
932 if(!*req) goto err;
933 id = OCSP_cert_to_id(NULL, cert, issuer);
73758d43 934 if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
5782ceb2
DSH		 935 if(!OCSP_request_add0_id(*req, id)) goto err;
936 return 1;
937
938 err:
939 BIO_printf(bio_err, "Error Creating OCSP request\n");
940 return 0;
941 }
942
73758d43
DSH		 943static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
944 STACK_OF(OCSP_CERTID) *ids)
5782ceb2
DSH		 945 {
946 OCSP_CERTID *id;
947 X509_NAME *iname;
948 ASN1_BIT_STRING *ikey;
949 ASN1_INTEGER *sno;
950 if(!issuer)
951 {
952 BIO_printf(bio_err, "No issuer certificate specified\n");
953 return 0;
954 }
955 if(!*req) *req = OCSP_REQUEST_new();
956 if(!*req) goto err;
957 iname = X509_get_subject_name(issuer);
88ce56f8 958 ikey = X509_get0_pubkey_bitstr(issuer);
5782ceb2
DSH		 959 sno = s2i_ASN1_INTEGER(NULL, serial);
960 if(!sno)
961 {
962 BIO_printf(bio_err, "Error converting serial number %s\n", serial);
963 return 0;
964 }
965 id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
966 ASN1_INTEGER_free(sno);
73758d43 967 if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
5782ceb2
DSH		 968 if(!OCSP_request_add0_id(*req, id)) goto err;
969 return 1;
970
971 err:
972 BIO_printf(bio_err, "Error Creating OCSP request\n");
973 return 0;
974 }
73758d43
DSH		 975
976static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
f1965221
DSH		 977 STACK *names, STACK_OF(OCSP_CERTID) *ids,
978 long nsec, long maxage)
73758d43
DSH		 979 {
980 OCSP_CERTID *id;
981 char *name;
982 int i;
983
984 int status, reason;
985
986 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
987
988 if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
989 return 1;
990
991 for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
992 {
993 id = sk_OCSP_CERTID_value(ids, i);
994 name = sk_value(names, i);
995 BIO_printf(out, "%s: ", name);
996
997 if(!OCSP_resp_find_status(bs, id, &status, &reason,
998 &rev, &thisupd, &nextupd))
999 {
1000 BIO_puts(out, "ERROR: No Status found.\n");
1001 continue;
1002 }
f1965221
DSH		 1003
1004 /* Check validity: if invalid write to output BIO so we
1005 * know which response this refers to.
1006 */
1007 if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
1008 {
1009 BIO_puts(out, "WARNING: Status times invalid.\n");
1010 ERR_print_errors(out);
1011 }
73758d43
DSH		 1012 BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
1013
1014 BIO_puts(out, "\tThis Update: ");
1015 ASN1_GENERALIZEDTIME_print(out, thisupd);
1016 BIO_puts(out, "\n");
1017
1018 if(nextupd)
1019 {
1020 BIO_puts(out, "\tNext Update: ");
569afce4 1021 ASN1_GENERALIZEDTIME_print(out, nextupd);
73758d43
DSH		 1022 BIO_puts(out, "\n");
1023 }
1024
1025 if (status != V_OCSP_CERTSTATUS_REVOKED)
1026 continue;
1027
8e8972bb 1028 if (reason != -1)
73758d43
DSH		 1029 BIO_printf(out, "\tReason: %s\n",
1030 OCSP_crl_reason_str(reason));
1031
1032 BIO_puts(out, "\tRevocation Time: ");
1033 ASN1_GENERALIZEDTIME_print(out, rev);
1034 BIO_puts(out, "\n");
1035 }
1036
1037 return 1;
1038 }
1039
ee306a13 1040
f85b68cd 1041static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
ee306a13
DSH		 1042 X509 *ca, X509 *rcert, EVP_PKEY *rkey,
1043 STACK_OF(X509) *rother, unsigned long flags,
1044 int nmin, int ndays)
1045 {
1046 ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1047 OCSP_CERTID *cid, *ca_id = NULL;
1048 OCSP_BASICRESP *bs = NULL;
1049 int i, id_count, ret = 1;
1050
1051
1052 id_count = OCSP_request_onereq_count(req);
1053
1054 if (id_count <= 0)
1055 {
1056 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1057 goto end;
1058 }
1059
1060 ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
1061
1062 bs = OCSP_BASICRESP_new();
1063 thisupd = X509_gmtime_adj(NULL, 0);
1064 if (ndays != -1)
1065 nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
1066
1067 /* Examine each certificate id in the request */
1068 for (i = 0; i < id_count; i++)
1069 {
1070 OCSP_ONEREQ *one;
1071 ASN1_INTEGER *serial;
1072 char **inf;
1073 one = OCSP_request_onereq_get0(req, i);
1074 cid = OCSP_onereq_get0_id(one);
1075 /* Is this request about our CA? */
1076 if (OCSP_id_issuer_cmp(ca_id, cid))
1077 {
1078 OCSP_basic_add1_status(bs, cid,
1079 V_OCSP_CERTSTATUS_UNKNOWN,
1080 0, NULL,
1081 thisupd, nextupd);
1082 continue;
1083 }
1084 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1085 inf = lookup_serial(db, serial);
1086 if (!inf)
1087 OCSP_basic_add1_status(bs, cid,
1088 V_OCSP_CERTSTATUS_UNKNOWN,
1089 0, NULL,
1090 thisupd, nextupd);
1091 else if (inf[DB_type][0] == DB_TYPE_VAL)
1092 OCSP_basic_add1_status(bs, cid,
1093 V_OCSP_CERTSTATUS_GOOD,
1094 0, NULL,
1095 thisupd, nextupd);
1096 else if (inf[DB_type][0] == DB_TYPE_REV)
1097 {
1098 ASN1_OBJECT *inst = NULL;
1099 ASN1_TIME *revtm = NULL;
1100 ASN1_GENERALIZEDTIME *invtm = NULL;
1101 OCSP_SINGLERESP *single;
1102 int reason = -1;
1103 unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1104 single = OCSP_basic_add1_status(bs, cid,
1105 V_OCSP_CERTSTATUS_REVOKED,
1106 reason, revtm,
1107 thisupd, nextupd);
1108 if (invtm)
1109 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
1110 else if (inst)
1111 OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
1112 ASN1_OBJECT_free(inst);
1113 ASN1_TIME_free(revtm);
1114 ASN1_GENERALIZEDTIME_free(invtm);
1115 }
1116 }
1117
1118 OCSP_copy_nonce(bs, req);
1119
1120 OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
1121
1122 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1123
1124 end:
1125 ASN1_TIME_free(thisupd);
1126 ASN1_TIME_free(nextupd);
1127 OCSP_CERTID_free(ca_id);
1128 OCSP_BASICRESP_free(bs);
1129 return ret;
1130
1131 }
1132
f85b68cd 1133static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
ee306a13
DSH		 1134 {
1135 int i;
1136 BIGNUM *bn = NULL;
1137 char *itmp, *row[DB_NUMBER],**rrow;
1138 for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
1139 bn = ASN1_INTEGER_to_BN(ser,NULL);
4b8747e4 1140 OPENSSL_assert(bn); /* FIXME: should report an error at this point and abort */
2245cd87
RL		 1141 if (BN_is_zero(bn))
1142 itmp = BUF_strdup("00");
1143 else
1144 itmp = BN_bn2hex(bn);
ee306a13
DSH		 1145 row[DB_serial] = itmp;
1146 BN_free(bn);
f85b68cd 1147 rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
ee306a13
DSH		 1148 OPENSSL_free(itmp);
1149 return rrow;
1150 }
1151
1152/* Quick and dirty OCSP server: read in and parse input request */
1153
534a1ed0 1154static BIO *init_responder(char *port)
ee306a13 1155 {
534a1ed0 1156 BIO *acbio = NULL, *bufbio = NULL;
ee306a13
DSH		 1157 bufbio = BIO_new(BIO_f_buffer());
1158 if (!bufbio)
1159 goto err;
85d686e7 1160#ifndef OPENSSL_NO_SOCK
ee306a13 1161 acbio = BIO_new_accept(port);
85d686e7
RL		 1162#else
1163 BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
1164#endif
ee306a13
DSH		 1165 if (!acbio)
1166 goto err;
1167 BIO_set_accept_bios(acbio, bufbio);
1168 bufbio = NULL;
1169
1170 if (BIO_do_accept(acbio) <= 0)
1171 {
1172 BIO_printf(bio_err, "Error setting up accept BIO\n");
1173 ERR_print_errors(bio_err);
1174 goto err;
1175 }
534a1ed0
DSH		 1176
1177 return acbio;
1178
1179 err:
1180 BIO_free_all(acbio);
1181 BIO_free(bufbio);
1182 return NULL;
1183 }
ee306a13 1184
534a1ed0
DSH		 1185static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
1186 {
1187 int have_post = 0, len;
1188 OCSP_REQUEST *req = NULL;
1189 char inbuf[1024];
1190 BIO *cbio = NULL;
ee306a13
DSH		 1191
1192 if (BIO_do_accept(acbio) <= 0)
1193 {
1194 BIO_printf(bio_err, "Error accepting connection\n");
1195 ERR_print_errors(bio_err);
534a1ed0 1196 return 0;
ee306a13
DSH		 1197 }
1198
ee306a13 1199 cbio = BIO_pop(acbio);
534a1ed0 1200 *pcbio = cbio;
ee306a13
DSH		 1201
1202 for(;;)
1203 {
54a656ef 1204 len = BIO_gets(cbio, inbuf, sizeof inbuf);
534a1ed0
DSH		 1205 if (len <= 0)
1206 return 1;
ee306a13
DSH		 1207 /* Look for "POST" signalling start of query */
1208 if (!have_post)
1209 {
1210 if(strncmp(inbuf, "POST", 4))
1211 {
1212 BIO_printf(bio_err, "Invalid request\n");
534a1ed0 1213 return 1;
ee306a13
DSH		 1214 }
1215 have_post = 1;
1216 }
1217 /* Look for end of headers */
1218 if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1219 break;
1220 }
1221
1222 /* Try to read OCSP request */
1223
1224 req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1225
ee306a13
DSH		 1226 if (!req)
1227 {
1228 BIO_printf(bio_err, "Error parsing OCSP request\n");
1229 ERR_print_errors(bio_err);
1230 }
1231
534a1ed0
DSH		 1232 *preq = req;
1233
1234 return 1;
ee306a13 1235
ee306a13
DSH		 1236 }
1237
1238static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1239 {
1240 char http_resp[] =
1241 "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1242 "Content-Length: %d\r\n\r\n";
1243 if (!cbio)
1244 return 0;
1245 BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1246 i2d_OCSP_RESPONSE_bio(cbio, resp);
710069c1 1247 (void)BIO_flush(cbio);
ee306a13
DSH		 1248 return 1;
1249 }
1250
454dbbc5
DSH		 1251static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
1252 OCSP_REQUEST *req, int req_timeout)
1253 {
1254 int fd;
1255 int rv;
1256 OCSP_REQ_CTX *ctx = NULL;
1257 OCSP_RESPONSE *rsp = NULL;
1258 fd_set confds;
1259 struct timeval tv;
1260
1261 if (req_timeout != -1)
1262 BIO_set_nbio(cbio, 1);
1263
1264 rv = BIO_do_connect(cbio);
1265
1266 if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio)))
1267 {
1268 BIO_puts(err, "Error connecting BIO\n");
1269 return NULL;
1270 }
1271
1272 if (req_timeout == -1)
1273 return OCSP_sendreq_bio(cbio, path, req);
1274
1275 if (BIO_get_fd(cbio, &fd) <= 0)
1276 {
1277 BIO_puts(err, "Can't get connection fd\n");
1278 goto err;
1279 }
1280
b5894279
DSH		 1281 if (rv <= 0)
1282 {
1283 FD_ZERO(&confds);
1284 openssl_fdset(fd, &confds);
1285 tv.tv_usec = 0;
1286 tv.tv_sec = req_timeout;
1287 rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1288 if (rv == 0)
1289 {
1290 BIO_puts(err, "Timeout on connect\n");
1291 return NULL;
1292 }
1293 }
454dbbc5 1294
b5894279
DSH		 1295
1296 ctx = OCSP_sendreq_new(cbio, path, req, -1);
454dbbc5
DSH		 1297 if (!ctx)
1298 return NULL;
1299
1300 for (;;)
1301 {
1302 rv = OCSP_sendreq_nbio(&rsp, ctx);
1303 if (rv != -1)
1304 break;
1305 FD_ZERO(&confds);
b5894279 1306 openssl_fdset(fd, &confds);
454dbbc5
DSH		 1307 tv.tv_usec = 0;
1308 tv.tv_sec = req_timeout;
b5894279 1309 if (BIO_should_read(cbio))
454dbbc5
DSH		 1310 rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
1311 else if (BIO_should_write(cbio))
1312 rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1313 else
1314 {
1315 BIO_puts(err, "Unexpected retry condition\n");
1316 goto err;
1317 }
1318 if (rv == 0)
1319 {
1320 BIO_puts(err, "Timeout on request\n");
1321 break;
1322 }
1323 if (rv == -1)
1324 {
1325 BIO_puts(err, "Select error\n");
1326 break;
1327 }
1328
1329 }
454dbbc5 1330 err:
313fce7b
BL		 1331 if (ctx)
1332 OCSP_REQ_CTX_free(ctx);
454dbbc5
DSH		 1333
1334 return rsp;
1335 }
1336
85d686e7 1337#endif
A mirror of the official openssl repository