-/* ocsp.c */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
* 2000.
# endif
/* Maximum leeway in validity period: default 5 minutes */
-# define MAX_VALIDITY_PERIOD (5 * 60)
+# define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
-static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage);
-
-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
+static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, X509 *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *md,
STACK_OF(X509) *rother, unsigned long flags,
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
const char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
-# undef PROG
-# define PROG ocsp_main
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+typedef enum OPTION_choice {
+ OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
+ OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
+ OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
+ OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
+ OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
+ OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
+ OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
+ OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH,
+ OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
+ OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
+ OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
+ OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_HEADER,
+ OPT_V_ENUM,
+ OPT_MD
+} OPTION_CHOICE;
+
+OPTIONS ocsp_options[] = {
+ {"help", OPT_HELP, '-', "Display this summary"},
+ {"out", OPT_OUTFILE, '>', "Output filename"},
+ {"timeout", OPT_TIMEOUT, 'p'},
+ {"url", OPT_URL, 's', "Responder URL"},
+ {"host", OPT_HOST, 's', "host:prot top to connect to"},
+ {"port", OPT_PORT, 'p', "Port to run responder on"},
+ {"ignore_err", OPT_IGNORE_ERR, '-'},
+ {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
+ {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
+ {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
+ {"resp_no_certs", OPT_RESP_NO_CERTS, '-',
+ "Don't include any certificates in response"},
+ {"resp_key_id", OPT_RESP_KEY_ID, '-',
+ "Identify reponse by signing certificate key ID"},
+ {"no_certs", OPT_NO_CERTS, '-',
+ "Don't include any certificates in signed request"},
+ {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
+ "Don't check signature on response"},
+ {"no_cert_verify", OPT_NO_CERT_VERIFY, '-',
+ "Don't check signing certificate"},
+ {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
+ {"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
+ "Don't do additional checks on signing certificate"},
+ {"no_explicit", OPT_NO_EXPLICIT, '-'},
+ {"trust_other", OPT_TRUST_OTHER, '-',
+ "Don't verify additional certificates"},
+ {"no_intern", OPT_NO_INTERN, '-',
+ "Don't search certificates contained in response for signer"},
+ {"badsig", OPT_BADSIG, '-'},
+ {"text", OPT_TEXT, '-', "Print text form of request and response"},
+ {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
+ {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
+ {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"},
+ {"respin", OPT_RESPIN, 's', "File with the DER-encoded response"},
+ {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"},
+ {"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
+ {"sign_other", OPT_SIGN_OTHER, '<',
+ "Additional certificates to include in signed request"},
+ {"verify_other", OPT_VERIFY_OTHER, '<',
+ "Additional certificates to search for signer"},
+ {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+ {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
+ {"validity_period", OPT_VALIDITY_PERIOD, 'u',
+ "Maximum validity discrepancy in seconds"},
+ {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
+ {"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"},
+ {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"},
+ {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"},
+ {"path", OPT_PATH, 's', "Path to use in OCSP request"},
+ {"issuer", OPT_ISSUER, '<', "Issuer certificate"},
+ {"cert", OPT_CERT, '<', "Certificate to check"},
+ {"serial", OPT_SERIAL, 's', "Nerial number to check"},
+ {"index", OPT_INDEX, '<', "Certificate status index file"},
+ {"CA", OPT_CA, '<', "CA certificate"},
+ {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"},
+ {"nrequest", OPT_REQUEST, 'p',
+ "Number of requests to accept (default unlimited)"},
+ {"ndays", OPT_NDAYS, 'p', "Number of days before next update"},
+ {"rsigner", OPT_RSIGNER, '<',
+ "Sesponder certificate to sign responses with"},
+ {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
+ {"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
+ {"rmd", OPT_RMD, 's'},
+ {"header", OPT_HEADER, 's', "key=value header to add"},
+ {"", OPT_MD, '-', "Any supported digest"},
+ OPT_V_OPTIONS,
+ {NULL}
+};
+
+int ocsp_main(int argc, char **argv)
{
- ENGINE *e = NULL;
- char **args;
- char *host = NULL, *port = NULL, *path = "/";
- char *thost = NULL, *tport = NULL, *tpath = NULL;
- char *reqin = NULL, *respin = NULL;
- char *reqout = NULL, *respout = NULL;
- char *signfile = NULL, *keyfile = NULL;
- char *rsignfile = NULL, *rkeyfile = NULL;
- char *outfile = NULL;
- int add_nonce = 1, noverify = 0, use_ssl = -1;
- STACK_OF(CONF_VALUE) *headers = NULL;
+ BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;
+ const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+ CA_DB *rdb = NULL;
+ EVP_PKEY *key = NULL, *rkey = NULL;
+ OCSP_BASICRESP *bs = NULL;
OCSP_REQUEST *req = NULL;
OCSP_RESPONSE *resp = NULL;
- OCSP_BASICRESP *bs = NULL;
- X509 *issuer = NULL, *cert = NULL;
+ STACK_OF(CONF_VALUE) *headers = NULL;
+ STACK_OF(OCSP_CERTID) *ids = NULL;
+ STACK_OF(OPENSSL_STRING) *reqnames = NULL;
+ STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
+ STACK_OF(X509) *issuers = NULL;
+ X509 *issuer = NULL, *cert = NULL, *rca_cert = NULL;
X509 *signer = NULL, *rsigner = NULL;
- EVP_PKEY *key = NULL, *rkey = NULL;
- BIO *acbio = NULL, *cbio = NULL;
- BIO *derbio = NULL;
- BIO *out = NULL;
- int req_timeout = -1;
- int req_text = 0, resp_text = 0;
- long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
- char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
- STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
+ char *CAfile = NULL, *CApath = NULL, *header, *value;
+ char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
+ char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
+ char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
+ char *rsignfile = NULL, *rkeyfile = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
+ char *signfile = NULL, *keyfile = NULL;
+ char *thost = NULL, *tport = NULL, *tpath = NULL;
+ int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
+ int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
+ int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1;
+ long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
- int ret = 1;
- int accept_count = -1;
- int badarg = 0;
- int badsig = 0;
- int i;
- int ignore_err = 0;
- STACK_OF(OPENSSL_STRING) *reqnames = NULL;
- STACK_OF(OCSP_CERTID) *ids = NULL;
-
- X509 *rca_cert = NULL;
- char *ridx_filename = NULL;
- char *rca_filename = NULL;
- CA_DB *rdb = NULL;
- int nmin = 0, ndays = -1;
- const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+ OPTION_CHOICE o;
+ char *prog;
- if (bio_err == NULL)
- bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
- if (!load_config(bio_err, NULL))
- goto end;
- SSL_load_error_strings();
- OpenSSL_add_ssl_algorithms();
- args = argv + 1;
reqnames = sk_OPENSSL_STRING_new_null();
+ if (!reqnames)
+ goto end;
ids = sk_OCSP_CERTID_new_null();
- while (!badarg && *args && *args[0] == '-') {
- if (!strcmp(*args, "-out")) {
- if (args[1]) {
- args++;
- outfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-timeout")) {
- if (args[1]) {
- args++;
- req_timeout = atol(*args);
- if (req_timeout < 0) {
- BIO_printf(bio_err, "Illegal timeout value %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-url")) {
- if (thost)
- OPENSSL_free(thost);
- if (tport)
- OPENSSL_free(tport);
- if (tpath)
- OPENSSL_free(tpath);
- if (args[1]) {
- args++;
- if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
- BIO_printf(bio_err, "Error parsing URL\n");
- badarg = 1;
- }
- thost = host;
- tport = port;
- tpath = path;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-host")) {
- if (args[1]) {
- args++;
- host = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-port")) {
- if (args[1]) {
- args++;
- port = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-header")) {
- if (args[1] && args[2]) {
- if (!X509V3_add_value(args[1], args[2], &headers))
- goto end;
- args += 2;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-ignore_err"))
+ if (!ids)
+ goto end;
+ if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
+ return 1;
+
+ prog = opt_init(argc, argv, ocsp_options);
+ while ((o = opt_next()) != OPT_EOF) {
+ switch (o) {
+ case OPT_EOF:
+ case OPT_ERR:
+ opthelp:
+ BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+ goto end;
+ case OPT_HELP:
+ ret = 0;
+ opt_help(ocsp_options);
+ goto end;
+ case OPT_OUTFILE:
+ outfile = opt_arg();
+ break;
+ case OPT_TIMEOUT:
+ req_timeout = atoi(opt_arg());
+ break;
+ case OPT_URL:
+ OPENSSL_free(thost);
+ OPENSSL_free(tport);
+ OPENSSL_free(tpath);
+ if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) {
+ BIO_printf(bio_err, "%s Error parsing URL\n", prog);
+ goto end;
+ }
+ thost = host;
+ tport = port;
+ tpath = path;
+ break;
+ case OPT_HOST:
+ host = opt_arg();
+ break;
+ case OPT_PORT:
+ port = opt_arg();
+ break;
+ case OPT_IGNORE_ERR:
ignore_err = 1;
- else if (!strcmp(*args, "-noverify"))
+ break;
+ case OPT_NOVERIFY:
noverify = 1;
- else if (!strcmp(*args, "-nonce"))
+ break;
+ case OPT_NONCE:
add_nonce = 2;
- else if (!strcmp(*args, "-no_nonce"))
+ break;
+ case OPT_NO_NONCE:
add_nonce = 0;
- else if (!strcmp(*args, "-resp_no_certs"))
+ break;
+ case OPT_RESP_NO_CERTS:
rflags |= OCSP_NOCERTS;
- else if (!strcmp(*args, "-resp_key_id"))
+ break;
+ case OPT_RESP_KEY_ID:
rflags |= OCSP_RESPID_KEY;
- else if (!strcmp(*args, "-no_certs"))
+ break;
+ case OPT_NO_CERTS:
sign_flags |= OCSP_NOCERTS;
- else if (!strcmp(*args, "-no_signature_verify"))
+ break;
+ case OPT_NO_SIGNATURE_VERIFY:
verify_flags |= OCSP_NOSIGS;
- else if (!strcmp(*args, "-no_cert_verify"))
+ break;
+ case OPT_NO_CERT_VERIFY:
verify_flags |= OCSP_NOVERIFY;
- else if (!strcmp(*args, "-no_chain"))
+ break;
+ case OPT_NO_CHAIN:
verify_flags |= OCSP_NOCHAIN;
- else if (!strcmp(*args, "-no_cert_checks"))
+ break;
+ case OPT_NO_CERT_CHECKS:
verify_flags |= OCSP_NOCHECKS;
- else if (!strcmp(*args, "-no_explicit"))
+ break;
+ case OPT_NO_EXPLICIT:
verify_flags |= OCSP_NOEXPLICIT;
- else if (!strcmp(*args, "-trust_other"))
+ break;
+ case OPT_TRUST_OTHER:
verify_flags |= OCSP_TRUSTOTHER;
- else if (!strcmp(*args, "-no_intern"))
+ break;
+ case OPT_NO_INTERN:
verify_flags |= OCSP_NOINTERN;
- else if (!strcmp(*args, "-badsig"))
+ break;
+ case OPT_BADSIG:
badsig = 1;
- else if (!strcmp(*args, "-text")) {
- req_text = 1;
- resp_text = 1;
- } else if (!strcmp(*args, "-req_text"))
+ break;
+ case OPT_TEXT:
+ req_text = resp_text = 1;
+ break;
+ case OPT_REQ_TEXT:
req_text = 1;
- else if (!strcmp(*args, "-resp_text"))
+ break;
+ case OPT_RESP_TEXT:
resp_text = 1;
- else if (!strcmp(*args, "-reqin")) {
- if (args[1]) {
- args++;
- reqin = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-respin")) {
- if (args[1]) {
- args++;
- respin = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-signer")) {
- if (args[1]) {
- args++;
- signfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-VAfile")) {
- if (args[1]) {
- args++;
- verify_certfile = *args;
- verify_flags |= OCSP_TRUSTOTHER;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-sign_other")) {
- if (args[1]) {
- args++;
- sign_certfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-verify_other")) {
- if (args[1]) {
- args++;
- verify_certfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-CAfile")) {
- if (args[1]) {
- args++;
- CAfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-CApath")) {
- if (args[1]) {
- args++;
- CApath = *args;
- } else
- badarg = 1;
- } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) {
- if (badarg)
+ break;
+ case OPT_REQIN:
+ reqin = opt_arg();
+ break;
+ case OPT_RESPIN:
+ respin = opt_arg();
+ break;
+ case OPT_SIGNER:
+ signfile = opt_arg();
+ break;
+ case OPT_VAFILE:
+ verify_certfile = opt_arg();
+ verify_flags |= OCSP_TRUSTOTHER;
+ break;
+ case OPT_SIGN_OTHER:
+ sign_certfile = opt_arg();
+ break;
+ case OPT_VERIFY_OTHER:
+ verify_certfile = opt_arg();
+ break;
+ case OPT_CAFILE:
+ CAfile = opt_arg();
+ break;
+ case OPT_CAPATH:
+ CApath = opt_arg();
+ break;
+ case OPT_V_CASES:
+ if (!opt_verify(o, vpm))
goto end;
- continue;
- } else if (!strcmp(*args, "-validity_period")) {
- if (args[1]) {
- args++;
- nsec = atol(*args);
- if (nsec < 0) {
- BIO_printf(bio_err,
- "Illegal validity period %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-status_age")) {
- if (args[1]) {
- args++;
- maxage = atol(*args);
- if (maxage < 0) {
- BIO_printf(bio_err, "Illegal validity age %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-signkey")) {
- if (args[1]) {
- args++;
- keyfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-reqout")) {
- if (args[1]) {
- args++;
- reqout = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-respout")) {
- if (args[1]) {
- args++;
- respout = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-path")) {
- if (args[1]) {
- args++;
- path = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-issuer")) {
- if (args[1]) {
- args++;
- X509_free(issuer);
- issuer = load_cert(bio_err, *args, FORMAT_PEM,
- NULL, e, "issuer certificate");
- if (!issuer)
- goto end;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-cert")) {
- if (args[1]) {
- args++;
- X509_free(cert);
- cert = load_cert(bio_err, *args, FORMAT_PEM,
- NULL, e, "certificate");
- if (!cert)
- goto end;
- if (!cert_id_md)
- cert_id_md = EVP_sha1();
- if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
- goto end;
- if (!sk_OPENSSL_STRING_push(reqnames, *args))
- goto end;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-serial")) {
- if (args[1]) {
- args++;
- if (!cert_id_md)
- cert_id_md = EVP_sha1();
- if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
- goto end;
- if (!sk_OPENSSL_STRING_push(reqnames, *args))
- goto end;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-index")) {
- if (args[1]) {
- args++;
- ridx_filename = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-CA")) {
- if (args[1]) {
- args++;
- rca_filename = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-nmin")) {
- if (args[1]) {
- args++;
- nmin = atol(*args);
- if (nmin < 0) {
- BIO_printf(bio_err, "Illegal update period %s\n", *args);
- badarg = 1;
- }
- }
+ vpmtouched++;
+ break;
+ case OPT_VALIDITY_PERIOD:
+ opt_long(opt_arg(), &nsec);
+ break;
+ case OPT_STATUS_AGE:
+ opt_long(opt_arg(), &maxage);
+ break;
+ case OPT_SIGNKEY:
+ keyfile = opt_arg();
+ break;
+ case OPT_REQOUT:
+ reqout = opt_arg();
+ break;
+ case OPT_RESPOUT:
+ respout = opt_arg();
+ break;
+ case OPT_PATH:
+ path = opt_arg();
+ break;
+ case OPT_ISSUER:
+ X509_free(issuer);
+ issuer = load_cert(opt_arg(), FORMAT_PEM,
+ NULL, NULL, "issuer certificate");
+ if (issuer == NULL)
+ goto end;
+ if ((issuers = sk_X509_new_null()) == NULL)
+ goto end;
+ sk_X509_push(issuers, issuer);
+ break;
+ case OPT_CERT:
+ X509_free(cert);
+ cert = load_cert(opt_arg(), FORMAT_PEM,
+ NULL, NULL, "certificate");
+ if (cert == NULL)
+ goto end;
+ if (cert_id_md == NULL)
+ cert_id_md = EVP_sha1();
+ if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
+ goto end;
+ if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
+ goto end;
+ break;
+ case OPT_SERIAL:
+ if (cert_id_md == NULL)
+ cert_id_md = EVP_sha1();
+ if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids))
+ goto end;
+ if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
+ goto end;
+ break;
+ case OPT_INDEX:
+ ridx_filename = opt_arg();
+ break;
+ case OPT_CA:
+ rca_filename = opt_arg();
+ break;
+ case OPT_NMIN:
+ opt_int(opt_arg(), &nmin);
if (ndays == -1)
ndays = 0;
- else
- badarg = 1;
- } else if (!strcmp(*args, "-nrequest")) {
- if (args[1]) {
- args++;
- accept_count = atol(*args);
- if (accept_count < 0) {
- BIO_printf(bio_err, "Illegal accept count %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-ndays")) {
- if (args[1]) {
- args++;
- ndays = atol(*args);
- if (ndays < 0) {
- BIO_printf(bio_err, "Illegal update period %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-rsigner")) {
- if (args[1]) {
- args++;
- rsignfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-rkey")) {
- if (args[1]) {
- args++;
- rkeyfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-rother")) {
- if (args[1]) {
- args++;
- rcertfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-rmd")) {
- if (args[1]) {
- args++;
- rsign_md = EVP_get_digestbyname(*args);
- if (!rsign_md)
- badarg = 1;
- } else
- badarg = 1;
- } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
- badarg = 1;
+ break;
+ case OPT_REQUEST:
+ opt_int(opt_arg(), &accept_count);
+ break;
+ case OPT_NDAYS:
+ ndays = atoi(opt_arg());
+ break;
+ case OPT_RSIGNER:
+ rsignfile = opt_arg();
+ break;
+ case OPT_RKEY:
+ rkeyfile = opt_arg();
+ break;
+ case OPT_ROTHER:
+ rcertfile = opt_arg();
+ break;
+ case OPT_RMD:
+ if (!opt_md(opt_arg(), &rsign_md))
+ goto end;
+ break;
+ case OPT_HEADER:
+ header = opt_arg();
+ value = strchr(header, '=');
+ if (value == NULL) {
+ BIO_printf(bio_err, "Missing = in header key=value\n");
+ goto opthelp;
+ }
+ *value++ = '\0';
+ if (!X509V3_add_value(header, value, &headers))
+ goto end;
+ break;
+ case OPT_MD:
+ if (cert_id_md != NULL) {
+ BIO_printf(bio_err,
+ "%s: Digest must be before -cert or -serial\n",
+ prog);
+ goto opthelp;
+ }
+ if (!opt_md(opt_unknown(), &cert_id_md))
+ goto opthelp;
+ break;
}
- args++;
}
+ argc = opt_num_rest();
+ argv = opt_rest();
/* Have we anything to do? */
if (!req && !reqin && !respin && !(port && ridx_filename))
- badarg = 1;
-
- if (badarg) {
- BIO_printf(bio_err, "OCSP utility\n");
- BIO_printf(bio_err, "Usage ocsp [options]\n");
- BIO_printf(bio_err, "where options are\n");
- BIO_printf(bio_err, "-out file output filename\n");
- BIO_printf(bio_err, "-issuer file issuer certificate\n");
- BIO_printf(bio_err, "-cert file certificate to check\n");
- BIO_printf(bio_err, "-serial n serial number to check\n");
- BIO_printf(bio_err,
- "-signer file certificate to sign OCSP request with\n");
- BIO_printf(bio_err,
- "-signkey file private key to sign OCSP request with\n");
- BIO_printf(bio_err,
- "-sign_other file additional certificates to include in signed request\n");
- BIO_printf(bio_err,
- "-no_certs don't include any certificates in signed request\n");
- BIO_printf(bio_err,
- "-req_text print text form of request\n");
- BIO_printf(bio_err,
- "-resp_text print text form of response\n");
- BIO_printf(bio_err,
- "-text print text form of request and response\n");
- BIO_printf(bio_err,
- "-reqout file write DER encoded OCSP request to \"file\"\n");
- BIO_printf(bio_err,
- "-respout file write DER encoded OCSP reponse to \"file\"\n");
- BIO_printf(bio_err,
- "-reqin file read DER encoded OCSP request from \"file\"\n");
- BIO_printf(bio_err,
- "-respin file read DER encoded OCSP reponse from \"file\"\n");
- BIO_printf(bio_err,
- "-nonce add OCSP nonce to request\n");
- BIO_printf(bio_err,
- "-no_nonce don't add OCSP nonce to request\n");
- BIO_printf(bio_err, "-url URL OCSP responder URL\n");
- BIO_printf(bio_err,
- "-host host:n send OCSP request to host on port n\n");
- BIO_printf(bio_err,
- "-path path to use in OCSP request\n");
- BIO_printf(bio_err,
- "-CApath dir trusted certificates directory\n");
- BIO_printf(bio_err,
- "-CAfile file trusted certificates file\n");
- BIO_printf(bio_err,
- "-trusted_first use locally trusted CA's first when building trust chain\n");
- BIO_printf(bio_err,
- "-no_alt_chains only ever use the first certificate chain found\n");
- BIO_printf(bio_err,
- "-VAfile file validator certificates file\n");
- BIO_printf(bio_err,
- "-validity_period n maximum validity discrepancy in seconds\n");
- BIO_printf(bio_err,
- "-status_age n maximum status age in seconds\n");
- BIO_printf(bio_err,
- "-noverify don't verify response at all\n");
- BIO_printf(bio_err,
- "-verify_other file additional certificates to search for signer\n");
- BIO_printf(bio_err,
- "-trust_other don't verify additional certificates\n");
- BIO_printf(bio_err,
- "-no_intern don't search certificates contained in response for signer\n");
- BIO_printf(bio_err,
- "-no_signature_verify don't check signature on response\n");
- BIO_printf(bio_err,
- "-no_cert_verify don't check signing certificate\n");
- BIO_printf(bio_err,
- "-no_chain don't chain verify response\n");
- BIO_printf(bio_err,
- "-no_cert_checks don't do additional checks on signing certificate\n");
- BIO_printf(bio_err,
- "-port num port to run responder on\n");
- BIO_printf(bio_err,
- "-index file certificate status index file\n");
- BIO_printf(bio_err, "-CA file CA certificate\n");
- BIO_printf(bio_err,
- "-rsigner file responder certificate to sign responses with\n");
- BIO_printf(bio_err,
- "-rkey file responder key to sign responses with\n");
- BIO_printf(bio_err,
- "-rother file other certificates to include in response\n");
- BIO_printf(bio_err,
- "-resp_no_certs don't include any certificates in response\n");
- BIO_printf(bio_err,
- "-nmin n number of minutes before next update\n");
- BIO_printf(bio_err,
- "-ndays n number of days before next update\n");
- BIO_printf(bio_err,
- "-resp_key_id identify reponse by signing certificate key ID\n");
- BIO_printf(bio_err,
- "-nrequest n number of requests to accept (default unlimited)\n");
- BIO_printf(bio_err,
- "-<dgst alg> use specified digest in the request\n");
- BIO_printf(bio_err,
- "-timeout n timeout connection to OCSP responder after n seconds\n");
- goto end;
- }
+ goto opthelp;
- if (outfile)
- out = BIO_new_file(outfile, "w");
- else
- out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
- if (!out) {
- BIO_printf(bio_err, "Error opening output file\n");
+ out = bio_open_default(outfile, "w");
+ if (out == NULL)
goto end;
- }
if (!req && (add_nonce != 2))
add_nonce = 0;
if (!req && reqin) {
- if (!strcmp(reqin, "-"))
- derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
- else
- derbio = BIO_new_file(reqin, "rb");
- if (!derbio) {
- BIO_printf(bio_err, "Error Opening OCSP request file\n");
+ derbio = bio_open_default(reqin, "rb");
+ if (derbio == NULL)
goto end;
- }
req = d2i_OCSP_REQUEST_bio(derbio, NULL);
BIO_free(derbio);
if (!req) {
if (rsignfile && !rdb) {
if (!rkeyfile)
rkeyfile = rsignfile;
- rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
- NULL, e, "responder certificate");
+ rsigner = load_cert(rsignfile, FORMAT_PEM,
+ NULL, NULL, "responder certificate");
if (!rsigner) {
BIO_printf(bio_err, "Error loading responder certificate\n");
goto end;
}
- rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
- NULL, e, "CA certificate");
+ rca_cert = load_cert(rca_filename, FORMAT_PEM,
+ NULL, NULL, "CA certificate");
if (rcertfile) {
- rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
- NULL, e, "responder other certificates");
+ rother = load_certs(rcertfile, FORMAT_PEM,
+ NULL, NULL, "responder other certificates");
if (!rother)
goto end;
}
- rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
+ rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL,
"responder private key");
if (!rkey)
goto end;
if (signfile) {
if (!keyfile)
keyfile = signfile;
- signer = load_cert(bio_err, signfile, FORMAT_PEM,
- NULL, e, "signer certificate");
+ signer = load_cert(signfile, FORMAT_PEM,
+ NULL, NULL, "signer certificate");
if (!signer) {
BIO_printf(bio_err, "Error loading signer certificate\n");
goto end;
}
if (sign_certfile) {
- sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
- NULL, e, "signer certificates");
+ sign_other = load_certs(sign_certfile, FORMAT_PEM,
+ NULL, NULL, "signer certificates");
if (!sign_other)
goto end;
}
- key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
+ key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
"signer private key");
if (!key)
goto end;
OCSP_REQUEST_print(out, req, 0);
if (reqout) {
- if (!strcmp(reqout, "-"))
- derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
- else
- derbio = BIO_new_file(reqout, "wb");
- if (!derbio) {
- BIO_printf(bio_err, "Error opening file %s\n", reqout);
+ derbio = bio_open_default(reqout, "wb");
+ if (derbio == NULL)
goto end;
- }
i2d_OCSP_REQUEST_bio(derbio, req);
BIO_free(derbio);
}
}
if (rdb) {
- i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
+ make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
rsign_md, rother, rflags, nmin, ndays, badsig);
if (cbio)
send_ocsp_response(cbio, resp);
} else if (host) {
# ifndef OPENSSL_NO_SOCK
- resp = process_responder(bio_err, req, host, path,
+ resp = process_responder(req, host, path,
port, use_ssl, headers, req_timeout);
if (!resp)
goto end;
goto end;
# endif
} else if (respin) {
- if (!strcmp(respin, "-"))
- derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
- else
- derbio = BIO_new_file(respin, "rb");
- if (!derbio) {
- BIO_printf(bio_err, "Error Opening OCSP response file\n");
+ derbio = bio_open_default(respin, "rb");
+ if (derbio == NULL)
goto end;
- }
resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
BIO_free(derbio);
if (!resp) {
BIO_printf(bio_err, "Error reading OCSP response\n");
goto end;
}
-
} else {
ret = 0;
goto end;
done_resp:
if (respout) {
- if (!strcmp(respout, "-"))
- derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
- else
- derbio = BIO_new_file(respout, "wb");
- if (!derbio) {
- BIO_printf(bio_err, "Error opening file %s\n", respout);
+ derbio = bio_open_default(respout, "wb");
+ if (derbio == NULL)
goto end;
- }
i2d_OCSP_RESPONSE_bio(derbio, resp);
BIO_free(derbio);
}
i = OCSP_response_status(resp);
-
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
BIO_printf(out, "Responder Error: %s (%d)\n",
OCSP_response_status_str(i), i);
/* If running as responder don't verify our own response */
if (cbio) {
- if (accept_count > 0)
- accept_count--;
- /* Redo if more connections needed */
- if (accept_count) {
- BIO_free_all(cbio);
- cbio = NULL;
- OCSP_REQUEST_free(req);
- req = NULL;
- OCSP_RESPONSE_free(resp);
- resp = NULL;
- goto redo_accept;
+ if (--accept_count <= 0) {
+ ret = 0;
+ goto end;
}
- ret = 0;
- goto end;
- } else if (ridx_filename) {
+ BIO_free_all(cbio);
+ cbio = NULL;
+ OCSP_REQUEST_free(req);
+ req = NULL;
+ OCSP_RESPONSE_free(resp);
+ resp = NULL;
+ goto redo_accept;
+ }
+ if (ridx_filename) {
ret = 0;
goto end;
}
- if (!store)
- store = setup_verify(bio_err, CAfile, CApath);
- if (!store)
- goto end;
- if (vpm)
+ if (!store) {
+ store = setup_verify(CAfile, CApath);
+ if (!store)
+ goto end;
+ }
+ if (vpmtouched)
X509_STORE_set1_param(store, vpm);
if (verify_certfile) {
- verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
- NULL, e, "validator certificate");
+ verify_other = load_certs(verify_certfile, FORMAT_PEM,
+ NULL, NULL, "validator certificate");
if (!verify_other)
goto end;
}
bs = OCSP_response_get1_basic(resp);
-
if (!bs) {
BIO_printf(bio_err, "Error parsing response\n");
goto end;
}
i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
+ if (i <= 0 && issuers) {
+ i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER);
+ if (i > 0)
+ ERR_clear_error();
+ }
if (i <= 0) {
BIO_printf(bio_err, "Response Verify Failure\n");
ERR_print_errors(bio_err);
}
- if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
- ret = 1;
+ print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage);
end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
- if (vpm)
- X509_VERIFY_PARAM_free(vpm);
+ X509_VERIFY_PARAM_free(vpm);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
- X509_free(issuer);
X509_free(cert);
X509_free(rsigner);
X509_free(rca_cert);
sk_X509_pop_free(sign_other, X509_free);
sk_X509_pop_free(verify_other, X509_free);
sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
+ OPENSSL_free(thost);
+ OPENSSL_free(tport);
+ OPENSSL_free(tpath);
- if (thost)
- OPENSSL_free(thost);
- if (tport)
- OPENSSL_free(tport);
- if (tpath)
- OPENSSL_free(tpath);
-
- OPENSSL_EXIT(ret);
+ return (ret);
}
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
return 0;
}
-static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage)
{
OCSP_CERTID *id;
char *name;
- int i;
-
- int status, reason;
-
+ int i, status, reason;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
if (!bs || !req || !sk_OPENSSL_STRING_num(names)
|| !sk_OCSP_CERTID_num(ids))
- return 1;
+ return;
for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
id = sk_OCSP_CERTID_value(ids, i);
ASN1_GENERALIZEDTIME_print(out, rev);
BIO_puts(out, "\n");
}
-
- return 1;
}
-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
+static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, X509 *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *rmd,
STACK_OF(X509) *rother, unsigned long flags,
ASN1_TIME *thisupd = NULL, *nextupd = NULL;
OCSP_CERTID *cid, *ca_id = NULL;
OCSP_BASICRESP *bs = NULL;
- int i, id_count, ret = 1;
+ int i, id_count;
id_count = OCSP_request_onereq_count(req);
NULL);
goto end;
}
- if (ca_id)
- OCSP_CERTID_free(ca_id);
+ OCSP_CERTID_free(ca_id);
ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
/* Is this request about our CA? */
if (badsig) {
ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
- unsigned char *sigptr;
- sigptr = ASN1_STRING_data(sig);
+ unsigned char *sigptr = ASN1_STRING_data(sig);
sigptr[ASN1_STRING_length(sig) - 1] ^= 0x1;
}
ASN1_TIME_free(nextupd);
OCSP_CERTID_free(ca_id);
OCSP_BASICRESP_free(bs);
- return ret;
-
}
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
static BIO *init_responder(const char *port)
{
BIO *acbio = NULL, *bufbio = NULL;
+
bufbio = BIO_new(BIO_f_buffer());
if (!bufbio)
goto err;
return NULL;
}
+
+/*
+ * Decode %xx URL-decoding in-place. Ignores mal-formed sequences.
+ */
+static int urldecode(char *p)
+{
+ unsigned char *out = (unsigned char *)p;
+ unsigned char *save = out;
+
+ for (; *p; p++) {
+ if (*p != '%')
+ *out++ = *p;
+ else if (isxdigit(p[1]) && isxdigit(p[2])) {
+ *out++ = (app_hex(p[1]) << 4) | app_hex(p[2]);
+ p += 2;
+ }
+ else
+ return -1;
+ }
+ *out = '\0';
+ return (int)(out - save);
+}
+
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
const char *port)
{
- int have_post = 0, len;
+ int len;
OCSP_REQUEST *req = NULL;
- char inbuf[1024];
- BIO *cbio = NULL;
+ char inbuf[2048], reqbuf[2048];
+ char *p, *q;
+ BIO *cbio = NULL, *getbio = NULL, *b64 = NULL;
if (BIO_do_accept(acbio) <= 0) {
BIO_printf(bio_err, "Error accepting connection\n");
cbio = BIO_pop(acbio);
*pcbio = cbio;
+ /* Read the request line. */
+ len = BIO_gets(cbio, reqbuf, sizeof reqbuf);
+ if (len <= 0)
+ return 1;
+ if (strncmp(reqbuf, "GET ", 4) == 0) {
+ /* Expecting GET {sp} /URL {sp} HTTP/1.x */
+ for (p = reqbuf + 4; *p == ' '; ++p)
+ continue;
+ if (*p != '/') {
+ BIO_printf(bio_err, "Invalid request -- bad URL\n");
+ return 1;
+ }
+ p++;
+
+ /* Splice off the HTTP version identifier. */
+ for (q = p; *q; q++)
+ if (*q == ' ')
+ break;
+ if (strncmp(q, " HTTP/1.", 8) != 0) {
+ BIO_printf(bio_err, "Invalid request -- bad HTTP vesion\n");
+ return 1;
+ }
+ *q = '\0';
+ len = urldecode(p);
+ if (len <= 0) {
+ BIO_printf(bio_err, "Invalid request -- bad URL encoding\n");
+ return 1;
+ }
+ if ((getbio = BIO_new_mem_buf(p, len)) == NULL
+ || (b64 = BIO_new(BIO_f_base64())) == NULL) {
+ BIO_printf(bio_err, "Could not allocate memory\n");
+ ERR_print_errors(bio_err);
+ return 1;
+ }
+ BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
+ getbio = BIO_push(b64, getbio);
+ } else if (strncmp(reqbuf, "POST ", 5) != 0) {
+ BIO_printf(bio_err, "Invalid request -- bad HTTP verb\n");
+ return 1;
+ }
+
+ /* Read and skip past the headers. */
for (;;) {
len = BIO_gets(cbio, inbuf, sizeof inbuf);
if (len <= 0)
return 1;
- /* Look for "POST" signalling start of query */
- if (!have_post) {
- if (strncmp(inbuf, "POST", 4)) {
- BIO_printf(bio_err, "Invalid request\n");
- return 1;
- }
- have_post = 1;
- }
- /* Look for end of headers */
if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
break;
}
/* Try to read OCSP request */
-
- req = d2i_OCSP_REQUEST_bio(cbio, NULL);
+ if (getbio) {
+ req = d2i_OCSP_REQUEST_bio(getbio, NULL);
+ BIO_free_all(getbio);
+ } else
+ req = d2i_OCSP_REQUEST_bio(cbio, NULL);
if (!req) {
BIO_printf(bio_err, "Error parsing OCSP request\n");
return 1;
}
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout)
{
rv = BIO_do_connect(cbio);
if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
- BIO_puts(err, "Error connecting BIO\n");
+ BIO_puts(bio_err, "Error connecting BIO\n");
return NULL;
}
if (BIO_get_fd(cbio, &fd) <= 0) {
- BIO_puts(err, "Can't get connection fd\n");
+ BIO_puts(bio_err, "Can't get connection fd\n");
goto err;
}
tv.tv_sec = req_timeout;
rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
if (rv == 0) {
- BIO_puts(err, "Timeout on connect\n");
+ BIO_puts(bio_err, "Timeout on connect\n");
return NULL;
}
}
else if (BIO_should_write(cbio))
rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
else {
- BIO_puts(err, "Unexpected retry condition\n");
+ BIO_puts(bio_err, "Unexpected retry condition\n");
goto err;
}
if (rv == 0) {
- BIO_puts(err, "Timeout on request\n");
+ BIO_puts(bio_err, "Timeout on request\n");
break;
}
if (rv == -1) {
- BIO_puts(err, "Select error\n");
+ BIO_puts(bio_err, "Select error\n");
break;
}
}
err:
- if (ctx)
- OCSP_REQ_CTX_free(ctx);
+ OCSP_REQ_CTX_free(ctx);
return rsp;
}
-OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
const char *host, const char *path,
const char *port, int use_ssl,
const STACK_OF(CONF_VALUE) *headers,
OCSP_RESPONSE *resp = NULL;
cbio = BIO_new_connect(host);
if (!cbio) {
- BIO_printf(err, "Error creating connect BIO\n");
+ BIO_printf(bio_err, "Error creating connect BIO\n");
goto end;
}
if (port)
BIO *sbio;
ctx = SSL_CTX_new(SSLv23_client_method());
if (ctx == NULL) {
- BIO_printf(err, "Error creating SSL context.\n");
+ BIO_printf(bio_err, "Error creating SSL context.\n");
goto end;
}
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
sbio = BIO_new_ssl(ctx, 1);
cbio = BIO_push(sbio, cbio);
}
- resp = query_responder(err, cbio, path, headers, req, req_timeout);
+ resp = query_responder(cbio, path, headers, req, req_timeout);
if (!resp)
BIO_printf(bio_err, "Error querying OCSP responder\n");
end:
- if (cbio)
- BIO_free_all(cbio);
- if (ctx)
- SSL_CTX_free(ctx);
+ BIO_free_all(cbio);
+ SSL_CTX_free(ctx);
return resp;
}
projects / openssl.git / blobdiff