1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/tsrc/BC/libcrypto/topenssl/src/ocsp.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,1227 @@
1.4 +/* ocsp.c */
1.5 +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
1.6 + * project 2000.
1.7 + */
1.8 +/* ====================================================================
1.9 + * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1.10 + *
1.11 + * Redistribution and use in source and binary forms, with or without
1.12 + * modification, are permitted provided that the following conditions
1.13 + * are met:
1.14 + *
1.15 + * 1. Redistributions of source code must retain the above copyright
1.16 + * notice, this list of conditions and the following disclaimer.
1.17 + *
1.18 + * 2. Redistributions in binary form must reproduce the above copyright
1.19 + * notice, this list of conditions and the following disclaimer in
1.20 + * the documentation and/or other materials provided with the
1.21 + * distribution.
1.22 + *
1.23 + * 3. All advertising materials mentioning features or use of this
1.24 + * software must display the following acknowledgment:
1.25 + * "This product includes software developed by the OpenSSL Project
1.26 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
1.27 + *
1.28 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.29 + * endorse or promote products derived from this software without
1.30 + * prior written permission. For written permission, please contact
1.31 + * licensing@OpenSSL.org.
1.32 + *
1.33 + * 5. Products derived from this software may not be called "OpenSSL"
1.34 + * nor may "OpenSSL" appear in their names without prior written
1.35 + * permission of the OpenSSL Project.
1.36 + *
1.37 + * 6. Redistributions of any form whatsoever must retain the following
1.38 + * acknowledgment:
1.39 + * "This product includes software developed by the OpenSSL Project
1.40 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
1.41 + *
1.42 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.43 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.44 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.45 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.46 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.47 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.48 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.49 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.50 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.51 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.52 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.53 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.54 + * ====================================================================
1.55 + *
1.56 + * This product includes cryptographic software written by Eric Young
1.57 + * (eay@cryptsoft.com). This product includes software written by Tim
1.58 + * Hudson (tjh@cryptsoft.com).
1.59 + *
1.60 + */
1.61 +#ifndef OPENSSL_NO_OCSP
1.62 +
1.63 +#include <stdio.h>
1.64 +#include <string.h>
1.65 +#include "apps.h"
1.66 +#include <openssl/pem.h>
1.67 +#include <openssl/ocsp.h>
1.68 +#include <openssl/err.h>
1.69 +#include <openssl/ssl.h>
1.70 +#include <openssl/bn.h>
1.71 +
1.72 +/* Maximum leeway in validity period: default 5 minutes */
1.73 +#define MAX_VALIDITY_PERIOD (5 * 60)
1.74 +
1.75 +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
1.76 + STACK_OF(OCSP_CERTID) *ids);
1.77 +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
1.78 + STACK_OF(OCSP_CERTID) *ids);
1.79 +static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
1.80 + STACK *names, STACK_OF(OCSP_CERTID) *ids,
1.81 + long nsec, long maxage);
1.82 +
1.83 +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1.84 + X509 *ca, X509 *rcert, EVP_PKEY *rkey,
1.85 + STACK_OF(X509) *rother, unsigned long flags,
1.86 + int nmin, int ndays);
1.87 +
1.88 +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
1.89 +static BIO *init_responder(char *port);
1.90 +static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
1.91 +static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
1.92 +
1.93 +#undef PROG
1.94 +#define PROG ocsp_main
1.95 +
1.96 +int MAIN(int, char **);
1.97 +
1.98 +int MAIN(int argc, char **argv)
1.99 + {
1.100 + ENGINE *e = NULL;
1.101 + char **args;
1.102 + char *host = NULL, *port = NULL, *path = "/";
1.103 + char *reqin = NULL, *respin = NULL;
1.104 + char *reqout = NULL, *respout = NULL;
1.105 + char *signfile = NULL, *keyfile = NULL;
1.106 + char *rsignfile = NULL, *rkeyfile = NULL;
1.107 + char *outfile = NULL;
1.108 + int add_nonce = 1, noverify = 0, use_ssl = -1;
1.109 + OCSP_REQUEST *req = NULL;
1.110 + OCSP_RESPONSE *resp = NULL;
1.111 + OCSP_BASICRESP *bs = NULL;
1.112 + X509 *issuer = NULL, *cert = NULL;
1.113 + X509 *signer = NULL, *rsigner = NULL;
1.114 + EVP_PKEY *key = NULL, *rkey = NULL;
1.115 + BIO *acbio = NULL, *cbio = NULL;
1.116 + BIO *derbio = NULL;
1.117 + BIO *out = NULL;
1.118 + int req_text = 0, resp_text = 0;
1.119 + long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
1.120 + char *CAfile = NULL, *CApath = NULL;
1.121 + X509_STORE *store = NULL;
1.122 + SSL_CTX *ctx = NULL;
1.123 + STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
1.124 + char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
1.125 + unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
1.126 + int ret = 1;
1.127 + int accept_count = -1;
1.128 + int badarg = 0;
1.129 + int i;
1.130 + int ignore_err = 0;
1.131 + STACK *reqnames = NULL;
1.132 + STACK_OF(OCSP_CERTID) *ids = NULL;
1.133 +
1.134 + X509 *rca_cert = NULL;
1.135 + char *ridx_filename = NULL;
1.136 + char *rca_filename = NULL;
1.137 + CA_DB *rdb = NULL;
1.138 + int nmin = 0, ndays = -1;
1.139 +
1.140 + if (bio_err == NULL)
1.141 + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
1.142 + if (!load_config(bio_err, NULL))
1.143 + goto end;
1.144 + SSL_load_error_strings();
1.145 + args = argv + 1;
1.146 + reqnames = sk_new_null();
1.147 + ids = sk_OCSP_CERTID_new_null();
1.148 + while (!badarg && *args && *args[0] == '-')
1.149 + {
1.150 + if (!strcmp(*args, "-out"))
1.151 + {
1.152 + if (args[1])
1.153 + {
1.154 + args++;
1.155 + outfile = *args;
1.156 + }
1.157 + else badarg = 1;
1.158 + }
1.159 + else if (!strcmp(*args, "-url"))
1.160 + {
1.161 + if (args[1])
1.162 + {
1.163 + args++;
1.164 + if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
1.165 + {
1.166 + BIO_printf(bio_err, "Error parsing URL\n");
1.167 + badarg = 1;
1.168 + }
1.169 + }
1.170 + else badarg = 1;
1.171 + }
1.172 + else if (!strcmp(*args, "-host"))
1.173 + {
1.174 + if (args[1])
1.175 + {
1.176 + args++;
1.177 + host = *args;
1.178 + }
1.179 + else badarg = 1;
1.180 + }
1.181 + else if (!strcmp(*args, "-port"))
1.182 + {
1.183 + if (args[1])
1.184 + {
1.185 + args++;
1.186 + port = *args;
1.187 + }
1.188 + else badarg = 1;
1.189 + }
1.190 + else if (!strcmp(*args, "-ignore_err"))
1.191 + ignore_err = 1;
1.192 + else if (!strcmp(*args, "-noverify"))
1.193 + noverify = 1;
1.194 + else if (!strcmp(*args, "-nonce"))
1.195 + add_nonce = 2;
1.196 + else if (!strcmp(*args, "-no_nonce"))
1.197 + add_nonce = 0;
1.198 + else if (!strcmp(*args, "-resp_no_certs"))
1.199 + rflags |= OCSP_NOCERTS;
1.200 + else if (!strcmp(*args, "-resp_key_id"))
1.201 + rflags |= OCSP_RESPID_KEY;
1.202 + else if (!strcmp(*args, "-no_certs"))
1.203 + sign_flags |= OCSP_NOCERTS;
1.204 + else if (!strcmp(*args, "-no_signature_verify"))
1.205 + verify_flags |= OCSP_NOSIGS;
1.206 + else if (!strcmp(*args, "-no_cert_verify"))
1.207 + verify_flags |= OCSP_NOVERIFY;
1.208 + else if (!strcmp(*args, "-no_chain"))
1.209 + verify_flags |= OCSP_NOCHAIN;
1.210 + else if (!strcmp(*args, "-no_cert_checks"))
1.211 + verify_flags |= OCSP_NOCHECKS;
1.212 + else if (!strcmp(*args, "-no_explicit"))
1.213 + verify_flags |= OCSP_NOEXPLICIT;
1.214 + else if (!strcmp(*args, "-trust_other"))
1.215 + verify_flags |= OCSP_TRUSTOTHER;
1.216 + else if (!strcmp(*args, "-no_intern"))
1.217 + verify_flags |= OCSP_NOINTERN;
1.218 + else if (!strcmp(*args, "-text"))
1.219 + {
1.220 + req_text = 1;
1.221 + resp_text = 1;
1.222 + }
1.223 + else if (!strcmp(*args, "-req_text"))
1.224 + req_text = 1;
1.225 + else if (!strcmp(*args, "-resp_text"))
1.226 + resp_text = 1;
1.227 + else if (!strcmp(*args, "-reqin"))
1.228 + {
1.229 + if (args[1])
1.230 + {
1.231 + args++;
1.232 + reqin = *args;
1.233 + }
1.234 + else badarg = 1;
1.235 + }
1.236 + else if (!strcmp(*args, "-respin"))
1.237 + {
1.238 + if (args[1])
1.239 + {
1.240 + args++;
1.241 + respin = *args;
1.242 + }
1.243 + else badarg = 1;
1.244 + }
1.245 + else if (!strcmp(*args, "-signer"))
1.246 + {
1.247 + if (args[1])
1.248 + {
1.249 + args++;
1.250 + signfile = *args;
1.251 + }
1.252 + else badarg = 1;
1.253 + }
1.254 + else if (!strcmp (*args, "-VAfile"))
1.255 + {
1.256 + if (args[1])
1.257 + {
1.258 + args++;
1.259 + verify_certfile = *args;
1.260 + verify_flags |= OCSP_TRUSTOTHER;
1.261 + }
1.262 + else badarg = 1;
1.263 + }
1.264 + else if (!strcmp(*args, "-sign_other"))
1.265 + {
1.266 + if (args[1])
1.267 + {
1.268 + args++;
1.269 + sign_certfile = *args;
1.270 + }
1.271 + else badarg = 1;
1.272 + }
1.273 + else if (!strcmp(*args, "-verify_other"))
1.274 + {
1.275 + if (args[1])
1.276 + {
1.277 + args++;
1.278 + verify_certfile = *args;
1.279 + }
1.280 + else badarg = 1;
1.281 + }
1.282 + else if (!strcmp (*args, "-CAfile"))
1.283 + {
1.284 + if (args[1])
1.285 + {
1.286 + args++;
1.287 + CAfile = *args;
1.288 + }
1.289 + else badarg = 1;
1.290 + }
1.291 + else if (!strcmp (*args, "-CApath"))
1.292 + {
1.293 + if (args[1])
1.294 + {
1.295 + args++;
1.296 + CApath = *args;
1.297 + }
1.298 + else badarg = 1;
1.299 + }
1.300 + else if (!strcmp (*args, "-validity_period"))
1.301 + {
1.302 + if (args[1])
1.303 + {
1.304 + args++;
1.305 + nsec = atol(*args);
1.306 + if (nsec < 0)
1.307 + {
1.308 + BIO_printf(bio_err,
1.309 + "Illegal validity period %s\n",
1.310 + *args);
1.311 + badarg = 1;
1.312 + }
1.313 + }
1.314 + else badarg = 1;
1.315 + }
1.316 + else if (!strcmp (*args, "-status_age"))
1.317 + {
1.318 + if (args[1])
1.319 + {
1.320 + args++;
1.321 + maxage = atol(*args);
1.322 + if (maxage < 0)
1.323 + {
1.324 + BIO_printf(bio_err,
1.325 + "Illegal validity age %s\n",
1.326 + *args);
1.327 + badarg = 1;
1.328 + }
1.329 + }
1.330 + else badarg = 1;
1.331 + }
1.332 + else if (!strcmp(*args, "-signkey"))
1.333 + {
1.334 + if (args[1])
1.335 + {
1.336 + args++;
1.337 + keyfile = *args;
1.338 + }
1.339 + else badarg = 1;
1.340 + }
1.341 + else if (!strcmp(*args, "-reqout"))
1.342 + {
1.343 + if (args[1])
1.344 + {
1.345 + args++;
1.346 + reqout = *args;
1.347 + }
1.348 + else badarg = 1;
1.349 + }
1.350 + else if (!strcmp(*args, "-respout"))
1.351 + {
1.352 + if (args[1])
1.353 + {
1.354 + args++;
1.355 + respout = *args;
1.356 + }
1.357 + else badarg = 1;
1.358 + }
1.359 + else if (!strcmp(*args, "-path"))
1.360 + {
1.361 + if (args[1])
1.362 + {
1.363 + args++;
1.364 + path = *args;
1.365 + }
1.366 + else badarg = 1;
1.367 + }
1.368 + else if (!strcmp(*args, "-issuer"))
1.369 + {
1.370 + if (args[1])
1.371 + {
1.372 + args++;
1.373 + X509_free(issuer);
1.374 + issuer = load_cert(bio_err, *args, FORMAT_PEM,
1.375 + NULL, e, "issuer certificate");
1.376 + if(!issuer) goto end;
1.377 + }
1.378 + else badarg = 1;
1.379 + }
1.380 + else if (!strcmp (*args, "-cert"))
1.381 + {
1.382 + if (args[1])
1.383 + {
1.384 + args++;
1.385 + X509_free(cert);
1.386 + cert = load_cert(bio_err, *args, FORMAT_PEM,
1.387 + NULL, e, "certificate");
1.388 + if(!cert) goto end;
1.389 + if(!add_ocsp_cert(&req, cert, issuer, ids))
1.390 + goto end;
1.391 + if(!sk_push(reqnames, *args))
1.392 + goto end;
1.393 + }
1.394 + else badarg = 1;
1.395 + }
1.396 + else if (!strcmp(*args, "-serial"))
1.397 + {
1.398 + if (args[1])
1.399 + {
1.400 + args++;
1.401 + if(!add_ocsp_serial(&req, *args, issuer, ids))
1.402 + goto end;
1.403 + if(!sk_push(reqnames, *args))
1.404 + goto end;
1.405 + }
1.406 + else badarg = 1;
1.407 + }
1.408 + else if (!strcmp(*args, "-index"))
1.409 + {
1.410 + if (args[1])
1.411 + {
1.412 + args++;
1.413 + ridx_filename = *args;
1.414 + }
1.415 + else badarg = 1;
1.416 + }
1.417 + else if (!strcmp(*args, "-CA"))
1.418 + {
1.419 + if (args[1])
1.420 + {
1.421 + args++;
1.422 + rca_filename = *args;
1.423 + }
1.424 + else badarg = 1;
1.425 + }
1.426 + else if (!strcmp (*args, "-nmin"))
1.427 + {
1.428 + if (args[1])
1.429 + {
1.430 + args++;
1.431 + nmin = atol(*args);
1.432 + if (nmin < 0)
1.433 + {
1.434 + BIO_printf(bio_err,
1.435 + "Illegal update period %s\n",
1.436 + *args);
1.437 + badarg = 1;
1.438 + }
1.439 + }
1.440 + if (ndays == -1)
1.441 + ndays = 0;
1.442 + else badarg = 1;
1.443 + }
1.444 + else if (!strcmp (*args, "-nrequest"))
1.445 + {
1.446 + if (args[1])
1.447 + {
1.448 + args++;
1.449 + accept_count = atol(*args);
1.450 + if (accept_count < 0)
1.451 + {
1.452 + BIO_printf(bio_err,
1.453 + "Illegal accept count %s\n",
1.454 + *args);
1.455 + badarg = 1;
1.456 + }
1.457 + }
1.458 + else badarg = 1;
1.459 + }
1.460 + else if (!strcmp (*args, "-ndays"))
1.461 + {
1.462 + if (args[1])
1.463 + {
1.464 + args++;
1.465 + ndays = atol(*args);
1.466 + if (ndays < 0)
1.467 + {
1.468 + BIO_printf(bio_err,
1.469 + "Illegal update period %s\n",
1.470 + *args);
1.471 + badarg = 1;
1.472 + }
1.473 + }
1.474 + else badarg = 1;
1.475 + }
1.476 + else if (!strcmp(*args, "-rsigner"))
1.477 + {
1.478 + if (args[1])
1.479 + {
1.480 + args++;
1.481 + rsignfile = *args;
1.482 + }
1.483 + else badarg = 1;
1.484 + }
1.485 + else if (!strcmp(*args, "-rkey"))
1.486 + {
1.487 + if (args[1])
1.488 + {
1.489 + args++;
1.490 + rkeyfile = *args;
1.491 + }
1.492 + else badarg = 1;
1.493 + }
1.494 + else if (!strcmp(*args, "-rother"))
1.495 + {
1.496 + if (args[1])
1.497 + {
1.498 + args++;
1.499 + rcertfile = *args;
1.500 + }
1.501 + else badarg = 1;
1.502 + }
1.503 + else badarg = 1;
1.504 + args++;
1.505 + }
1.506 +
1.507 + /* Have we anything to do? */
1.508 + if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
1.509 +
1.510 + if (badarg)
1.511 + {
1.512 + BIO_printf (bio_err, "OCSP utility\n");
1.513 + BIO_printf (bio_err, "Usage ocsp [options]\n");
1.514 + BIO_printf (bio_err, "where options are\n");
1.515 + BIO_printf (bio_err, "-out file output filename\n");
1.516 + BIO_printf (bio_err, "-issuer file issuer certificate\n");
1.517 + BIO_printf (bio_err, "-cert file certificate to check\n");
1.518 + BIO_printf (bio_err, "-serial n serial number to check\n");
1.519 + BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
1.520 + BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
1.521 + BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
1.522 + BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
1.523 + BIO_printf (bio_err, "-req_text print text form of request\n");
1.524 + BIO_printf (bio_err, "-resp_text print text form of response\n");
1.525 + BIO_printf (bio_err, "-text print text form of request and response\n");
1.526 + BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
1.527 + BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
1.528 + BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
1.529 + BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
1.530 + BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
1.531 + BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
1.532 + BIO_printf (bio_err, "-url URL OCSP responder URL\n");
1.533 + BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
1.534 + BIO_printf (bio_err, "-path path to use in OCSP request\n");
1.535 + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
1.536 + BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
1.537 + BIO_printf (bio_err, "-VAfile file validator certificates file\n");
1.538 + BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
1.539 + BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
1.540 + BIO_printf (bio_err, "-noverify don't verify response at all\n");
1.541 + BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
1.542 + BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
1.543 + BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
1.544 + BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
1.545 + BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
1.546 + BIO_printf (bio_err, "-no_chain don't chain verify response\n");
1.547 + BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
1.548 + BIO_printf (bio_err, "-port num port to run responder on\n");
1.549 + BIO_printf (bio_err, "-index file certificate status index file\n");
1.550 + BIO_printf (bio_err, "-CA file CA certificate\n");
1.551 + BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n");
1.552 + BIO_printf (bio_err, "-rkey file responder key to sign responses with\n");
1.553 + BIO_printf (bio_err, "-rother file other certificates to include in response\n");
1.554 + BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n");
1.555 + BIO_printf (bio_err, "-nmin n number of minutes before next update\n");
1.556 + BIO_printf (bio_err, "-ndays n number of days before next update\n");
1.557 + BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
1.558 + BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
1.559 + goto end;
1.560 + }
1.561 +
1.562 + if(outfile) out = BIO_new_file(outfile, "w");
1.563 + else out = BIO_new_fp(stdout, BIO_NOCLOSE);
1.564 + if(!out)
1.565 + {
1.566 + BIO_printf(bio_err, "Error opening output file\n");
1.567 + goto end;
1.568 + }
1.569 +
1.570 + if (!req && (add_nonce != 2)) add_nonce = 0;
1.571 +
1.572 + if (!req && reqin)
1.573 + {
1.574 + derbio = BIO_new_file(reqin, "rb");
1.575 + if (!derbio)
1.576 + {
1.577 + BIO_printf(bio_err, "Error Opening OCSP request file\n");
1.578 + goto end;
1.579 + }
1.580 + req = d2i_OCSP_REQUEST_bio(derbio, NULL);
1.581 + BIO_free(derbio);
1.582 + if(!req)
1.583 + {
1.584 + BIO_printf(bio_err, "Error reading OCSP request\n");
1.585 + goto end;
1.586 + }
1.587 + }
1.588 +
1.589 + if (!req && port)
1.590 + {
1.591 + acbio = init_responder(port);
1.592 + if (!acbio)
1.593 + goto end;
1.594 + }
1.595 +
1.596 + if (rsignfile && !rdb)
1.597 + {
1.598 + if (!rkeyfile) rkeyfile = rsignfile;
1.599 + rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
1.600 + NULL, e, "responder certificate");
1.601 + if (!rsigner)
1.602 + {
1.603 + BIO_printf(bio_err, "Error loading responder certificate\n");
1.604 + goto end;
1.605 + }
1.606 + rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
1.607 + NULL, e, "CA certificate");
1.608 + if (rcertfile)
1.609 + {
1.610 + rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
1.611 + NULL, e, "responder other certificates");
1.612 + if (!rother) goto end;
1.613 + }
1.614 + rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
1.615 + "responder private key");
1.616 + if (!rkey)
1.617 + goto end;
1.618 + }
1.619 + if(acbio)
1.620 + BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
1.621 +
1.622 + redo_accept:
1.623 +
1.624 + if (acbio)
1.625 + {
1.626 + if (!do_responder(&req, &cbio, acbio, port))
1.627 + goto end;
1.628 + if (!req)
1.629 + {
1.630 + resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1.631 + send_ocsp_response(cbio, resp);
1.632 + goto done_resp;
1.633 + }
1.634 + }
1.635 +
1.636 + if (!req && (signfile || reqout || host || add_nonce || ridx_filename))
1.637 + {
1.638 + BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
1.639 + goto end;
1.640 + }
1.641 +
1.642 + if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
1.643 +
1.644 + if (signfile)
1.645 + {
1.646 + if (!keyfile) keyfile = signfile;
1.647 + signer = load_cert(bio_err, signfile, FORMAT_PEM,
1.648 + NULL, e, "signer certificate");
1.649 + if (!signer)
1.650 + {
1.651 + BIO_printf(bio_err, "Error loading signer certificate\n");
1.652 + goto end;
1.653 + }
1.654 + if (sign_certfile)
1.655 + {
1.656 + sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
1.657 + NULL, e, "signer certificates");
1.658 + if (!sign_other) goto end;
1.659 + }
1.660 + key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
1.661 + "signer private key");
1.662 + if (!key)
1.663 + goto end;
1.664 + if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
1.665 + {
1.666 + BIO_printf(bio_err, "Error signing OCSP request\n");
1.667 + goto end;
1.668 + }
1.669 + }
1.670 +
1.671 + if (req_text && req) OCSP_REQUEST_print(out, req, 0);
1.672 +
1.673 + if (reqout)
1.674 + {
1.675 + derbio = BIO_new_file(reqout, "wb");
1.676 + if(!derbio)
1.677 + {
1.678 + BIO_printf(bio_err, "Error opening file %s\n", reqout);
1.679 + goto end;
1.680 + }
1.681 + i2d_OCSP_REQUEST_bio(derbio, req);
1.682 + BIO_free(derbio);
1.683 + }
1.684 +
1.685 + if (ridx_filename && (!rkey || !rsigner || !rca_cert))
1.686 + {
1.687 + BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
1.688 + goto end;
1.689 + }
1.690 +
1.691 + if (ridx_filename && !rdb)
1.692 + {
1.693 + rdb = load_index(ridx_filename, NULL);
1.694 + if (!rdb) goto end;
1.695 + if (!index_index(rdb)) goto end;
1.696 + }
1.697 +
1.698 + if (rdb)
1.699 + {
1.700 + i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
1.701 + if (cbio)
1.702 + send_ocsp_response(cbio, resp);
1.703 + }
1.704 + else if (host)
1.705 + {
1.706 +#ifndef OPENSSL_NO_SOCK
1.707 + cbio = BIO_new_connect(host);
1.708 +#else
1.709 + BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
1.710 + goto end;
1.711 +#endif
1.712 + if (!cbio)
1.713 + {
1.714 + BIO_printf(bio_err, "Error creating connect BIO\n");
1.715 + goto end;
1.716 + }
1.717 + if (port) BIO_set_conn_port(cbio, port);
1.718 + if (use_ssl == 1)
1.719 + {
1.720 + BIO *sbio;
1.721 +#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
1.722 + ctx = SSL_CTX_new(SSLv23_client_method());
1.723 +#elif !defined(OPENSSL_NO_SSL3)
1.724 + ctx = SSL_CTX_new(SSLv3_client_method());
1.725 +#elif !defined(OPENSSL_NO_SSL2)
1.726 + ctx = SSL_CTX_new(SSLv2_client_method());
1.727 +#else
1.728 + BIO_printf(bio_err, "SSL is disabled\n");
1.729 + goto end;
1.730 +#endif
1.731 + SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1.732 + sbio = BIO_new_ssl(ctx, 1);
1.733 + cbio = BIO_push(sbio, cbio);
1.734 + }
1.735 + if (BIO_do_connect(cbio) <= 0)
1.736 + {
1.737 + BIO_printf(bio_err, "Error connecting BIO\n");
1.738 + goto end;
1.739 + }
1.740 + resp = OCSP_sendreq_bio(cbio, path, req);
1.741 + BIO_free_all(cbio);
1.742 + cbio = NULL;
1.743 + if (!resp)
1.744 + {
1.745 + BIO_printf(bio_err, "Error querying OCSP responsder\n");
1.746 + goto end;
1.747 + }
1.748 + }
1.749 + else if (respin)
1.750 + {
1.751 + derbio = BIO_new_file(respin, "rb");
1.752 + if (!derbio)
1.753 + {
1.754 + BIO_printf(bio_err, "Error Opening OCSP response file\n");
1.755 + goto end;
1.756 + }
1.757 + resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
1.758 + BIO_free(derbio);
1.759 + if(!resp)
1.760 + {
1.761 + BIO_printf(bio_err, "Error reading OCSP response\n");
1.762 + goto end;
1.763 + }
1.764 +
1.765 + }
1.766 + else
1.767 + {
1.768 + ret = 0;
1.769 + goto end;
1.770 + }
1.771 +
1.772 + done_resp:
1.773 +
1.774 + if (respout)
1.775 + {
1.776 + derbio = BIO_new_file(respout, "wb");
1.777 + if(!derbio)
1.778 + {
1.779 + BIO_printf(bio_err, "Error opening file %s\n", respout);
1.780 + goto end;
1.781 + }
1.782 + i2d_OCSP_RESPONSE_bio(derbio, resp);
1.783 + BIO_free(derbio);
1.784 + }
1.785 +
1.786 + i = OCSP_response_status(resp);
1.787 +
1.788 + if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1.789 + {
1.790 + BIO_printf(out, "Responder Error: %s (%d)\n",
1.791 + OCSP_response_status_str(i), i);
1.792 + if (ignore_err)
1.793 + goto redo_accept;
1.794 + ret = 0;
1.795 + goto end;
1.796 + }
1.797 +
1.798 + if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
1.799 +
1.800 + /* If running as responder don't verify our own response */
1.801 + if (cbio)
1.802 + {
1.803 + if (accept_count > 0)
1.804 + accept_count--;
1.805 + /* Redo if more connections needed */
1.806 + if (accept_count)
1.807 + {
1.808 + BIO_free_all(cbio);
1.809 + cbio = NULL;
1.810 + OCSP_REQUEST_free(req);
1.811 + req = NULL;
1.812 + OCSP_RESPONSE_free(resp);
1.813 + resp = NULL;
1.814 + goto redo_accept;
1.815 + }
1.816 + goto end;
1.817 + }
1.818 +
1.819 + if (!store)
1.820 + store = setup_verify(bio_err, CAfile, CApath);
1.821 + if (!store)
1.822 + goto end;
1.823 + if (verify_certfile)
1.824 + {
1.825 + verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
1.826 + NULL, e, "validator certificate");
1.827 + if (!verify_other) goto end;
1.828 + }
1.829 +
1.830 + bs = OCSP_response_get1_basic(resp);
1.831 +
1.832 + if (!bs)
1.833 + {
1.834 + BIO_printf(bio_err, "Error parsing response\n");
1.835 + goto end;
1.836 + }
1.837 +
1.838 + if (!noverify)
1.839 + {
1.840 + if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
1.841 + {
1.842 + if (i == -1)
1.843 + BIO_printf(bio_err, "WARNING: no nonce in response\n");
1.844 + else
1.845 + {
1.846 + BIO_printf(bio_err, "Nonce Verify error\n");
1.847 + goto end;
1.848 + }
1.849 + }
1.850 +
1.851 + i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
1.852 + if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
1.853 +
1.854 + if(i <= 0)
1.855 + {
1.856 + BIO_printf(bio_err, "Response Verify Failure\n");
1.857 + ERR_print_errors(bio_err);
1.858 + }
1.859 + else
1.860 + BIO_printf(bio_err, "Response verify OK\n");
1.861 +
1.862 + }
1.863 +
1.864 + if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
1.865 + goto end;
1.866 +
1.867 + ret = 0;
1.868 +
1.869 +end:
1.870 + ERR_print_errors(bio_err);
1.871 + X509_free(signer);
1.872 + X509_STORE_free(store);
1.873 + EVP_PKEY_free(key);
1.874 + EVP_PKEY_free(rkey);
1.875 + X509_free(issuer);
1.876 + X509_free(cert);
1.877 + X509_free(rsigner);
1.878 + X509_free(rca_cert);
1.879 + free_index(rdb);
1.880 + BIO_free_all(cbio);
1.881 + BIO_free_all(acbio);
1.882 + BIO_free(out);
1.883 + OCSP_REQUEST_free(req);
1.884 + OCSP_RESPONSE_free(resp);
1.885 + OCSP_BASICRESP_free(bs);
1.886 + sk_free(reqnames);
1.887 + sk_OCSP_CERTID_free(ids);
1.888 + sk_X509_pop_free(sign_other, X509_free);
1.889 + sk_X509_pop_free(verify_other, X509_free);
1.890 +
1.891 + if (use_ssl != -1)
1.892 + {
1.893 + OPENSSL_free(host);
1.894 + OPENSSL_free(port);
1.895 + OPENSSL_free(path);
1.896 + SSL_CTX_free(ctx);
1.897 + }
1.898 +
1.899 + OPENSSL_EXIT(ret);
1.900 +}
1.901 +
1.902 +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
1.903 + STACK_OF(OCSP_CERTID) *ids)
1.904 + {
1.905 + OCSP_CERTID *id;
1.906 + if(!issuer)
1.907 + {
1.908 + BIO_printf(bio_err, "No issuer certificate specified\n");
1.909 + return 0;
1.910 + }
1.911 + if(!*req) *req = OCSP_REQUEST_new();
1.912 + if(!*req) goto err;
1.913 + id = OCSP_cert_to_id(NULL, cert, issuer);
1.914 + if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
1.915 + if(!OCSP_request_add0_id(*req, id)) goto err;
1.916 + return 1;
1.917 +
1.918 + err:
1.919 + BIO_printf(bio_err, "Error Creating OCSP request\n");
1.920 + return 0;
1.921 + }
1.922 +
1.923 +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
1.924 + STACK_OF(OCSP_CERTID) *ids)
1.925 + {
1.926 + OCSP_CERTID *id;
1.927 + X509_NAME *iname;
1.928 + ASN1_BIT_STRING *ikey;
1.929 + ASN1_INTEGER *sno;
1.930 + if(!issuer)
1.931 + {
1.932 + BIO_printf(bio_err, "No issuer certificate specified\n");
1.933 + return 0;
1.934 + }
1.935 + if(!*req) *req = OCSP_REQUEST_new();
1.936 + if(!*req) goto err;
1.937 + iname = X509_get_subject_name(issuer);
1.938 + ikey = X509_get0_pubkey_bitstr(issuer);
1.939 + sno = s2i_ASN1_INTEGER(NULL, serial);
1.940 + if(!sno)
1.941 + {
1.942 + BIO_printf(bio_err, "Error converting serial number %s\n", serial);
1.943 + return 0;
1.944 + }
1.945 + id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
1.946 + ASN1_INTEGER_free(sno);
1.947 + if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
1.948 + if(!OCSP_request_add0_id(*req, id)) goto err;
1.949 + return 1;
1.950 +
1.951 + err:
1.952 + BIO_printf(bio_err, "Error Creating OCSP request\n");
1.953 + return 0;
1.954 + }
1.955 +
1.956 +static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
1.957 + STACK *names, STACK_OF(OCSP_CERTID) *ids,
1.958 + long nsec, long maxage)
1.959 + {
1.960 + OCSP_CERTID *id;
1.961 + char *name;
1.962 + int i;
1.963 +
1.964 + int status, reason;
1.965 +
1.966 + ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1.967 +
1.968 + if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
1.969 + return 1;
1.970 +
1.971 + for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
1.972 + {
1.973 + id = sk_OCSP_CERTID_value(ids, i);
1.974 + name = sk_value(names, i);
1.975 + BIO_printf(out, "%s: ", name);
1.976 +
1.977 + if(!OCSP_resp_find_status(bs, id, &status, &reason,
1.978 + &rev, &thisupd, &nextupd))
1.979 + {
1.980 + BIO_puts(out, "ERROR: No Status found.\n");
1.981 + continue;
1.982 + }
1.983 +
1.984 + /* Check validity: if invalid write to output BIO so we
1.985 + * know which response this refers to.
1.986 + */
1.987 + if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
1.988 + {
1.989 + BIO_puts(out, "WARNING: Status times invalid.\n");
1.990 + ERR_print_errors(out);
1.991 + }
1.992 + BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
1.993 +
1.994 + BIO_puts(out, "\tThis Update: ");
1.995 + ASN1_GENERALIZEDTIME_print(out, thisupd);
1.996 + BIO_puts(out, "\n");
1.997 +
1.998 + if(nextupd)
1.999 + {
1.1000 + BIO_puts(out, "\tNext Update: ");
1.1001 + ASN1_GENERALIZEDTIME_print(out, nextupd);
1.1002 + BIO_puts(out, "\n");
1.1003 + }
1.1004 +
1.1005 + if (status != V_OCSP_CERTSTATUS_REVOKED)
1.1006 + continue;
1.1007 +
1.1008 + if (reason != -1)
1.1009 + BIO_printf(out, "\tReason: %s\n",
1.1010 + OCSP_crl_reason_str(reason));
1.1011 +
1.1012 + BIO_puts(out, "\tRevocation Time: ");
1.1013 + ASN1_GENERALIZEDTIME_print(out, rev);
1.1014 + BIO_puts(out, "\n");
1.1015 + }
1.1016 +
1.1017 + return 1;
1.1018 + }
1.1019 +
1.1020 +
1.1021 +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1.1022 + X509 *ca, X509 *rcert, EVP_PKEY *rkey,
1.1023 + STACK_OF(X509) *rother, unsigned long flags,
1.1024 + int nmin, int ndays)
1.1025 + {
1.1026 + ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1.1027 + OCSP_CERTID *cid, *ca_id = NULL;
1.1028 + OCSP_BASICRESP *bs = NULL;
1.1029 + int i, id_count, ret = 1;
1.1030 +
1.1031 +
1.1032 + id_count = OCSP_request_onereq_count(req);
1.1033 +
1.1034 + if (id_count <= 0)
1.1035 + {
1.1036 + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1.1037 + goto end;
1.1038 + }
1.1039 +
1.1040 + ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
1.1041 +
1.1042 + bs = OCSP_BASICRESP_new();
1.1043 + thisupd = X509_gmtime_adj(NULL, 0);
1.1044 + if (ndays != -1)
1.1045 + nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
1.1046 +
1.1047 + /* Examine each certificate id in the request */
1.1048 + for (i = 0; i < id_count; i++)
1.1049 + {
1.1050 + OCSP_ONEREQ *one;
1.1051 + ASN1_INTEGER *serial;
1.1052 + char **inf;
1.1053 + one = OCSP_request_onereq_get0(req, i);
1.1054 + cid = OCSP_onereq_get0_id(one);
1.1055 + /* Is this request about our CA? */
1.1056 + if (OCSP_id_issuer_cmp(ca_id, cid))
1.1057 + {
1.1058 + OCSP_basic_add1_status(bs, cid,
1.1059 + V_OCSP_CERTSTATUS_UNKNOWN,
1.1060 + 0, NULL,
1.1061 + thisupd, nextupd);
1.1062 + continue;
1.1063 + }
1.1064 + OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1.1065 + inf = lookup_serial(db, serial);
1.1066 + if (!inf)
1.1067 + OCSP_basic_add1_status(bs, cid,
1.1068 + V_OCSP_CERTSTATUS_UNKNOWN,
1.1069 + 0, NULL,
1.1070 + thisupd, nextupd);
1.1071 + else if (inf[DB_type][0] == DB_TYPE_VAL)
1.1072 + OCSP_basic_add1_status(bs, cid,
1.1073 + V_OCSP_CERTSTATUS_GOOD,
1.1074 + 0, NULL,
1.1075 + thisupd, nextupd);
1.1076 + else if (inf[DB_type][0] == DB_TYPE_REV)
1.1077 + {
1.1078 + ASN1_OBJECT *inst = NULL;
1.1079 + ASN1_TIME *revtm = NULL;
1.1080 + ASN1_GENERALIZEDTIME *invtm = NULL;
1.1081 + OCSP_SINGLERESP *single;
1.1082 + int reason = -1;
1.1083 + unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1.1084 + single = OCSP_basic_add1_status(bs, cid,
1.1085 + V_OCSP_CERTSTATUS_REVOKED,
1.1086 + reason, revtm,
1.1087 + thisupd, nextupd);
1.1088 + if (invtm)
1.1089 + OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
1.1090 + else if (inst)
1.1091 + OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
1.1092 + ASN1_OBJECT_free(inst);
1.1093 + ASN1_TIME_free(revtm);
1.1094 + ASN1_GENERALIZEDTIME_free(invtm);
1.1095 + }
1.1096 + }
1.1097 +
1.1098 + OCSP_copy_nonce(bs, req);
1.1099 +
1.1100 + OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
1.1101 +
1.1102 + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1.1103 +
1.1104 + end:
1.1105 + ASN1_TIME_free(thisupd);
1.1106 + ASN1_TIME_free(nextupd);
1.1107 + OCSP_CERTID_free(ca_id);
1.1108 + OCSP_BASICRESP_free(bs);
1.1109 + return ret;
1.1110 +
1.1111 + }
1.1112 +
1.1113 +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
1.1114 + {
1.1115 + int i;
1.1116 + BIGNUM *bn = NULL;
1.1117 + char *itmp, *row[DB_NUMBER],**rrow;
1.1118 + for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
1.1119 + bn = ASN1_INTEGER_to_BN(ser,NULL);
1.1120 + if (BN_is_zero(bn))
1.1121 + itmp = BUF_strdup("00");
1.1122 + else
1.1123 + itmp = BN_bn2hex(bn);
1.1124 + row[DB_serial] = itmp;
1.1125 + BN_free(bn);
1.1126 + rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
1.1127 + OPENSSL_free(itmp);
1.1128 + return rrow;
1.1129 + }
1.1130 +
1.1131 +/* Quick and dirty OCSP server: read in and parse input request */
1.1132 +
1.1133 +static BIO *init_responder(char *port)
1.1134 + {
1.1135 + BIO *acbio = NULL, *bufbio = NULL;
1.1136 + bufbio = BIO_new(BIO_f_buffer());
1.1137 + if (!bufbio)
1.1138 + goto err;
1.1139 +#ifndef OPENSSL_NO_SOCK
1.1140 + acbio = BIO_new_accept(port);
1.1141 +#else
1.1142 + BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
1.1143 +#endif
1.1144 + if (!acbio)
1.1145 + goto err;
1.1146 + BIO_set_accept_bios(acbio, bufbio);
1.1147 + bufbio = NULL;
1.1148 +
1.1149 + if (BIO_do_accept(acbio) <= 0)
1.1150 + {
1.1151 + BIO_printf(bio_err, "Error setting up accept BIO\n");
1.1152 + ERR_print_errors(bio_err);
1.1153 + goto err;
1.1154 + }
1.1155 +
1.1156 + return acbio;
1.1157 +
1.1158 + err:
1.1159 + BIO_free_all(acbio);
1.1160 + BIO_free(bufbio);
1.1161 + return NULL;
1.1162 + }
1.1163 +
1.1164 +static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
1.1165 + {
1.1166 + int have_post = 0, len;
1.1167 + OCSP_REQUEST *req = NULL;
1.1168 + char inbuf[1024];
1.1169 + BIO *cbio = NULL;
1.1170 +
1.1171 + if (BIO_do_accept(acbio) <= 0)
1.1172 + {
1.1173 + BIO_printf(bio_err, "Error accepting connection\n");
1.1174 + ERR_print_errors(bio_err);
1.1175 + return 0;
1.1176 + }
1.1177 +
1.1178 + cbio = BIO_pop(acbio);
1.1179 + *pcbio = cbio;
1.1180 +
1.1181 + for(;;)
1.1182 + {
1.1183 + len = BIO_gets(cbio, inbuf, sizeof inbuf);
1.1184 + if (len <= 0)
1.1185 + return 1;
1.1186 + /* Look for "POST" signalling start of query */
1.1187 + if (!have_post)
1.1188 + {
1.1189 + if(strncmp(inbuf, "POST", 4))
1.1190 + {
1.1191 + BIO_printf(bio_err, "Invalid request\n");
1.1192 + return 1;
1.1193 + }
1.1194 + have_post = 1;
1.1195 + }
1.1196 + /* Look for end of headers */
1.1197 + if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1.1198 + break;
1.1199 + }
1.1200 +
1.1201 + /* Try to read OCSP request */
1.1202 +
1.1203 + req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1.1204 +
1.1205 + if (!req)
1.1206 + {
1.1207 + BIO_printf(bio_err, "Error parsing OCSP request\n");
1.1208 + ERR_print_errors(bio_err);
1.1209 + }
1.1210 +
1.1211 + *preq = req;
1.1212 +
1.1213 + return 1;
1.1214 +
1.1215 + }
1.1216 +
1.1217 +static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1.1218 + {
1.1219 + char http_resp[] =
1.1220 + "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1.1221 + "Content-Length: %d\r\n\r\n";
1.1222 + if (!cbio)
1.1223 + return 0;
1.1224 + BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1.1225 + i2d_OCSP_RESPONSE_bio(cbio, resp);
1.1226 + BIO_flush(cbio);
1.1227 + return 1;
1.1228 + }
1.1229 +
1.1230 +#endif