173a67b4c47da581ea722ede9308c6f50777bcd6
[openssl.git] / apps / ocsp.c
1 /* ocsp.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 2000.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 #ifndef OPENSSL_NO_OCSP
59
60 #ifdef OPENSSL_SYS_VMS
61 #define _XOPEN_SOURCE_EXTENDED  /* So fd_set and friends get properly defined
62                                    on OpenVMS */
63 #endif
64
65 #define USE_SOCKETS
66
67 #include <stdio.h>
68 #include <stdlib.h>
69 #include <string.h>
70 #include <time.h>
71 #include "apps.h" /* needs to be included before the openssl headers! */
72 #include <openssl/e_os2.h>
73 #include <openssl/crypto.h>
74 #include <openssl/err.h>
75 #include <openssl/ssl.h>
76 #include <openssl/evp.h>
77 #include <openssl/bn.h>
78
79 #if defined(NETWARE_CLIB)
80 #  ifdef NETWARE_BSDSOCK
81 #    include <sys/socket.h>
82 #    include <sys/bsdskt.h>
83 #  else
84 #    include <novsock2.h>
85 #  endif
86 #elif defined(NETWARE_LIBC)
87 #  ifdef NETWARE_BSDSOCK
88 #    include <sys/select.h>
89 #  else
90 #    include <novsock2.h>
91 #  endif
92 #endif
93   
94 /* Maximum leeway in validity period: default 5 minutes */
95 #define MAX_VALIDITY_PERIOD     (5 * 60)
96
97 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer,
98                                 STACK_OF(OCSP_CERTID) *ids);
99 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer,
100                                 STACK_OF(OCSP_CERTID) *ids);
101 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
102                               STACK_OF(OPENSSL_STRING) *names,
103                               STACK_OF(OCSP_CERTID) *ids, long nsec,
104                               long maxage);
105
106 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
107                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
108                         STACK_OF(X509) *rother, unsigned long flags,
109                         int nmin, int ndays);
110
111 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
112 static BIO *init_responder(char *port);
113 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
114 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
115 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
116                                 OCSP_REQUEST *req, int req_timeout);
117
118 #undef PROG
119 #define PROG ocsp_main
120
121 int MAIN(int, char **);
122
123 int MAIN(int argc, char **argv)
124         {
125         ENGINE *e = NULL;
126         char **args;
127         char *host = NULL, *port = NULL, *path = "/";
128         char *reqin = NULL, *respin = NULL;
129         char *reqout = NULL, *respout = NULL;
130         char *signfile = NULL, *keyfile = NULL;
131         char *rsignfile = NULL, *rkeyfile = NULL;
132         char *outfile = NULL;
133         int add_nonce = 1, noverify = 0, use_ssl = -1;
134         OCSP_REQUEST *req = NULL;
135         OCSP_RESPONSE *resp = NULL;
136         OCSP_BASICRESP *bs = NULL;
137         X509 *issuer = NULL, *cert = NULL;
138         X509 *signer = NULL, *rsigner = NULL;
139         EVP_PKEY *key = NULL, *rkey = NULL;
140         BIO *acbio = NULL, *cbio = NULL;
141         BIO *derbio = NULL;
142         BIO *out = NULL;
143         int req_timeout = -1;
144         int req_text = 0, resp_text = 0;
145         long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
146         char *CAfile = NULL, *CApath = NULL;
147         X509_STORE *store = NULL;
148         STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
149         char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
150         unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
151         int ret = 1;
152         int accept_count = -1;
153         int badarg = 0;
154         int i;
155         int ignore_err = 0;
156         STACK_OF(OPENSSL_STRING) *reqnames = NULL;
157         STACK_OF(OCSP_CERTID) *ids = NULL;
158
159         X509 *rca_cert = NULL;
160         char *ridx_filename = NULL;
161         char *rca_filename = NULL;
162         CA_DB *rdb = NULL;
163         int nmin = 0, ndays = -1;
164         const EVP_MD *cert_id_md = NULL;
165
166         if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
167
168         if (!load_config(bio_err, NULL))
169                 goto end;
170         SSL_load_error_strings();
171         OpenSSL_add_ssl_algorithms();
172         args = argv + 1;
173         reqnames = sk_OPENSSL_STRING_new_null();
174         ids = sk_OCSP_CERTID_new_null();
175         while (!badarg && *args && *args[0] == '-')
176                 {
177                 if (!strcmp(*args, "-out"))
178                         {
179                         if (args[1])
180                                 {
181                                 args++;
182                                 outfile = *args;
183                                 }
184                         else badarg = 1;
185                         }
186                 else if (!strcmp(*args, "-timeout"))
187                         {
188                         if (args[1])
189                                 {
190                                 args++;
191                                 req_timeout = atol(*args);
192                                 if (req_timeout < 0)
193                                         {
194                                         BIO_printf(bio_err,
195                                                 "Illegal timeout value %s\n",
196                                                 *args);
197                                         badarg = 1;
198                                         }
199                                 }
200                         else badarg = 1;
201                         }
202                 else if (!strcmp(*args, "-url"))
203                         {
204                         if (args[1])
205                                 {
206                                 args++;
207                                 if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
208                                         {
209                                         BIO_printf(bio_err, "Error parsing URL\n");
210                                         badarg = 1;
211                                         }
212                                 }
213                         else badarg = 1;
214                         }
215                 else if (!strcmp(*args, "-host"))
216                         {
217                         if (args[1])
218                                 {
219                                 args++;
220                                 host = *args;
221                                 }
222                         else badarg = 1;
223                         }
224                 else if (!strcmp(*args, "-port"))
225                         {
226                         if (args[1])
227                                 {
228                                 args++;
229                                 port = *args;
230                                 }
231                         else badarg = 1;
232                         }
233                 else if (!strcmp(*args, "-ignore_err"))
234                         ignore_err = 1;
235                 else if (!strcmp(*args, "-noverify"))
236                         noverify = 1;
237                 else if (!strcmp(*args, "-nonce"))
238                         add_nonce = 2;
239                 else if (!strcmp(*args, "-no_nonce"))
240                         add_nonce = 0;
241                 else if (!strcmp(*args, "-resp_no_certs"))
242                         rflags |= OCSP_NOCERTS;
243                 else if (!strcmp(*args, "-resp_key_id"))
244                         rflags |= OCSP_RESPID_KEY;
245                 else if (!strcmp(*args, "-no_certs"))
246                         sign_flags |= OCSP_NOCERTS;
247                 else if (!strcmp(*args, "-no_signature_verify"))
248                         verify_flags |= OCSP_NOSIGS;
249                 else if (!strcmp(*args, "-no_cert_verify"))
250                         verify_flags |= OCSP_NOVERIFY;
251                 else if (!strcmp(*args, "-no_chain"))
252                         verify_flags |= OCSP_NOCHAIN;
253                 else if (!strcmp(*args, "-no_cert_checks"))
254                         verify_flags |= OCSP_NOCHECKS;
255                 else if (!strcmp(*args, "-no_explicit"))
256                         verify_flags |= OCSP_NOEXPLICIT;
257                 else if (!strcmp(*args, "-trust_other"))
258                         verify_flags |= OCSP_TRUSTOTHER;
259                 else if (!strcmp(*args, "-no_intern"))
260                         verify_flags |= OCSP_NOINTERN;
261                 else if (!strcmp(*args, "-text"))
262                         {
263                         req_text = 1;
264                         resp_text = 1;
265                         }
266                 else if (!strcmp(*args, "-req_text"))
267                         req_text = 1;
268                 else if (!strcmp(*args, "-resp_text"))
269                         resp_text = 1;
270                 else if (!strcmp(*args, "-reqin"))
271                         {
272                         if (args[1])
273                                 {
274                                 args++;
275                                 reqin = *args;
276                                 }
277                         else badarg = 1;
278                         }
279                 else if (!strcmp(*args, "-respin"))
280                         {
281                         if (args[1])
282                                 {
283                                 args++;
284                                 respin = *args;
285                                 }
286                         else badarg = 1;
287                         }
288                 else if (!strcmp(*args, "-signer"))
289                         {
290                         if (args[1])
291                                 {
292                                 args++;
293                                 signfile = *args;
294                                 }
295                         else badarg = 1;
296                         }
297                 else if (!strcmp (*args, "-VAfile"))
298                         {
299                         if (args[1])
300                                 {
301                                 args++;
302                                 verify_certfile = *args;
303                                 verify_flags |= OCSP_TRUSTOTHER;
304                                 }
305                         else badarg = 1;
306                         }
307                 else if (!strcmp(*args, "-sign_other"))
308                         {
309                         if (args[1])
310                                 {
311                                 args++;
312                                 sign_certfile = *args;
313                                 }
314                         else badarg = 1;
315                         }
316                 else if (!strcmp(*args, "-verify_other"))
317                         {
318                         if (args[1])
319                                 {
320                                 args++;
321                                 verify_certfile = *args;
322                                 }
323                         else badarg = 1;
324                         }
325                 else if (!strcmp (*args, "-CAfile"))
326                         {
327                         if (args[1])
328                                 {
329                                 args++;
330                                 CAfile = *args;
331                                 }
332                         else badarg = 1;
333                         }
334                 else if (!strcmp (*args, "-CApath"))
335                         {
336                         if (args[1])
337                                 {
338                                 args++;
339                                 CApath = *args;
340                                 }
341                         else badarg = 1;
342                         }
343                 else if (!strcmp (*args, "-validity_period"))
344                         {
345                         if (args[1])
346                                 {
347                                 args++;
348                                 nsec = atol(*args);
349                                 if (nsec < 0)
350                                         {
351                                         BIO_printf(bio_err,
352                                                 "Illegal validity period %s\n",
353                                                 *args);
354                                         badarg = 1;
355                                         }
356                                 }
357                         else badarg = 1;
358                         }
359                 else if (!strcmp (*args, "-status_age"))
360                         {
361                         if (args[1])
362                                 {
363                                 args++;
364                                 maxage = atol(*args);
365                                 if (maxage < 0)
366                                         {
367                                         BIO_printf(bio_err,
368                                                 "Illegal validity age %s\n",
369                                                 *args);
370                                         badarg = 1;
371                                         }
372                                 }
373                         else badarg = 1;
374                         }
375                  else if (!strcmp(*args, "-signkey"))
376                         {
377                         if (args[1])
378                                 {
379                                 args++;
380                                 keyfile = *args;
381                                 }
382                         else badarg = 1;
383                         }
384                 else if (!strcmp(*args, "-reqout"))
385                         {
386                         if (args[1])
387                                 {
388                                 args++;
389                                 reqout = *args;
390                                 }
391                         else badarg = 1;
392                         }
393                 else if (!strcmp(*args, "-respout"))
394                         {
395                         if (args[1])
396                                 {
397                                 args++;
398                                 respout = *args;
399                                 }
400                         else badarg = 1;
401                         }
402                  else if (!strcmp(*args, "-path"))
403                         {
404                         if (args[1])
405                                 {
406                                 args++;
407                                 path = *args;
408                                 }
409                         else badarg = 1;
410                         }
411                 else if (!strcmp(*args, "-issuer"))
412                         {
413                         if (args[1])
414                                 {
415                                 args++;
416                                 X509_free(issuer);
417                                 issuer = load_cert(bio_err, *args, FORMAT_PEM,
418                                         NULL, e, "issuer certificate");
419                                 if(!issuer) goto end;
420                                 }
421                         else badarg = 1;
422                         }
423                 else if (!strcmp (*args, "-cert"))
424                         {
425                         if (args[1])
426                                 {
427                                 args++;
428                                 X509_free(cert);
429                                 cert = load_cert(bio_err, *args, FORMAT_PEM,
430                                         NULL, e, "certificate");
431                                 if(!cert) goto end;
432                                 if (!cert_id_md) cert_id_md = EVP_sha1();
433                                 if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
434                                         goto end;
435                                 if(!sk_OPENSSL_STRING_push(reqnames, *args))
436                                         goto end;
437                                 }
438                         else badarg = 1;
439                         }
440                 else if (!strcmp(*args, "-serial"))
441                         {
442                         if (args[1])
443                                 {
444                                 args++;
445                                 if (!cert_id_md) cert_id_md = EVP_sha1();
446                                 if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
447                                         goto end;
448                                 if(!sk_OPENSSL_STRING_push(reqnames, *args))
449                                         goto end;
450                                 }
451                         else badarg = 1;
452                         }
453                 else if (!strcmp(*args, "-index"))
454                         {
455                         if (args[1])
456                                 {
457                                 args++;
458                                 ridx_filename = *args;
459                                 }
460                         else badarg = 1;
461                         }
462                 else if (!strcmp(*args, "-CA"))
463                         {
464                         if (args[1])
465                                 {
466                                 args++;
467                                 rca_filename = *args;
468                                 }
469                         else badarg = 1;
470                         }
471                 else if (!strcmp (*args, "-nmin"))
472                         {
473                         if (args[1])
474                                 {
475                                 args++;
476                                 nmin = atol(*args);
477                                 if (nmin < 0)
478                                         {
479                                         BIO_printf(bio_err,
480                                                 "Illegal update period %s\n",
481                                                 *args);
482                                         badarg = 1;
483                                         }
484                                 }
485                                 if (ndays == -1)
486                                         ndays = 0;
487                         else badarg = 1;
488                         }
489                 else if (!strcmp (*args, "-nrequest"))
490                         {
491                         if (args[1])
492                                 {
493                                 args++;
494                                 accept_count = atol(*args);
495                                 if (accept_count < 0)
496                                         {
497                                         BIO_printf(bio_err,
498                                                 "Illegal accept count %s\n",
499                                                 *args);
500                                         badarg = 1;
501                                         }
502                                 }
503                         else badarg = 1;
504                         }
505                 else if (!strcmp (*args, "-ndays"))
506                         {
507                         if (args[1])
508                                 {
509                                 args++;
510                                 ndays = atol(*args);
511                                 if (ndays < 0)
512                                         {
513                                         BIO_printf(bio_err,
514                                                 "Illegal update period %s\n",
515                                                 *args);
516                                         badarg = 1;
517                                         }
518                                 }
519                         else badarg = 1;
520                         }
521                 else if (!strcmp(*args, "-rsigner"))
522                         {
523                         if (args[1])
524                                 {
525                                 args++;
526                                 rsignfile = *args;
527                                 }
528                         else badarg = 1;
529                         }
530                 else if (!strcmp(*args, "-rkey"))
531                         {
532                         if (args[1])
533                                 {
534                                 args++;
535                                 rkeyfile = *args;
536                                 }
537                         else badarg = 1;
538                         }
539                 else if (!strcmp(*args, "-rother"))
540                         {
541                         if (args[1])
542                                 {
543                                 args++;
544                                 rcertfile = *args;
545                                 }
546                         else badarg = 1;
547                         }
548                 else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL)
549                         {
550                         badarg = 1;
551                         }
552                 args++;
553                 }
554
555         /* Have we anything to do? */
556         if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
557
558         if (badarg)
559                 {
560                 BIO_printf (bio_err, "OCSP utility\n");
561                 BIO_printf (bio_err, "Usage ocsp [options]\n");
562                 BIO_printf (bio_err, "where options are\n");
563                 BIO_printf (bio_err, "-out file          output filename\n");
564                 BIO_printf (bio_err, "-issuer file       issuer certificate\n");
565                 BIO_printf (bio_err, "-cert file         certificate to check\n");
566                 BIO_printf (bio_err, "-serial n          serial number to check\n");
567                 BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
568                 BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
569                 BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
570                 BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
571                 BIO_printf (bio_err, "-req_text          print text form of request\n");
572                 BIO_printf (bio_err, "-resp_text         print text form of response\n");
573                 BIO_printf (bio_err, "-text              print text form of request and response\n");
574                 BIO_printf (bio_err, "-reqout file       write DER encoded OCSP request to \"file\"\n");
575                 BIO_printf (bio_err, "-respout file      write DER encoded OCSP reponse to \"file\"\n");
576                 BIO_printf (bio_err, "-reqin file        read DER encoded OCSP request from \"file\"\n");
577                 BIO_printf (bio_err, "-respin file       read DER encoded OCSP reponse from \"file\"\n");
578                 BIO_printf (bio_err, "-nonce             add OCSP nonce to request\n");
579                 BIO_printf (bio_err, "-no_nonce          don't add OCSP nonce to request\n");
580                 BIO_printf (bio_err, "-url URL           OCSP responder URL\n");
581                 BIO_printf (bio_err, "-host host:n       send OCSP request to host on port n\n");
582                 BIO_printf (bio_err, "-path              path to use in OCSP request\n");
583                 BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
584                 BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
585                 BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
586                 BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
587                 BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
588                 BIO_printf (bio_err, "-noverify          don't verify response at all\n");
589                 BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
590                 BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
591                 BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
592                 BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
593                 BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
594                 BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
595                 BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
596                 BIO_printf (bio_err, "-port num          port to run responder on\n");
597                 BIO_printf (bio_err, "-index file        certificate status index file\n");
598                 BIO_printf (bio_err, "-CA file           CA certificate\n");
599                 BIO_printf (bio_err, "-rsigner file      responder certificate to sign responses with\n");
600                 BIO_printf (bio_err, "-rkey file         responder key to sign responses with\n");
601                 BIO_printf (bio_err, "-rother file       other certificates to include in response\n");
602                 BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
603                 BIO_printf (bio_err, "-nmin n            number of minutes before next update\n");
604                 BIO_printf (bio_err, "-ndays n           number of days before next update\n");
605                 BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
606                 BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
607                 BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request");
608                 goto end;
609                 }
610
611         if(outfile) out = BIO_new_file(outfile, "w");
612         else out = BIO_new_fp(stdout, BIO_NOCLOSE);
613
614         if(!out)
615                 {
616                 BIO_printf(bio_err, "Error opening output file\n");
617                 goto end;
618                 }
619
620         if (!req && (add_nonce != 2)) add_nonce = 0;
621
622         if (!req && reqin)
623                 {
624                 derbio = BIO_new_file(reqin, "rb");
625                 if (!derbio)
626                         {
627                         BIO_printf(bio_err, "Error Opening OCSP request file\n");
628                         goto end;
629                         }
630                 req = d2i_OCSP_REQUEST_bio(derbio, NULL);
631                 BIO_free(derbio);
632                 if(!req)
633                         {
634                         BIO_printf(bio_err, "Error reading OCSP request\n");
635                         goto end;
636                         }
637                 }
638
639         if (!req && port)
640                 {
641                 acbio = init_responder(port);
642                 if (!acbio)
643                         goto end;
644                 }
645
646         if (rsignfile && !rdb)
647                 {
648                 if (!rkeyfile) rkeyfile = rsignfile;
649                 rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
650                         NULL, e, "responder certificate");
651                 if (!rsigner)
652                         {
653                         BIO_printf(bio_err, "Error loading responder certificate\n");
654                         goto end;
655                         }
656                 rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
657                         NULL, e, "CA certificate");
658                 if (rcertfile)
659                         {
660                         rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
661                                 NULL, e, "responder other certificates");
662                         if (!rother) goto end;
663                         }
664                 rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
665                         "responder private key");
666                 if (!rkey)
667                         goto end;
668                 }
669         if(acbio)
670                 BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
671
672         redo_accept:
673
674         if (acbio)
675                 {
676                 if (!do_responder(&req, &cbio, acbio, port))
677                         goto end;
678                 if (!req)
679                         {
680                         resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
681                         send_ocsp_response(cbio, resp);
682                         goto done_resp;
683                         }
684                 }
685
686         if (!req && (signfile || reqout || host || add_nonce || ridx_filename))
687                 {
688                 BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
689                 goto end;
690                 }
691
692         if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
693
694         if (signfile)
695                 {
696                 if (!keyfile) keyfile = signfile;
697                 signer = load_cert(bio_err, signfile, FORMAT_PEM,
698                         NULL, e, "signer certificate");
699                 if (!signer)
700                         {
701                         BIO_printf(bio_err, "Error loading signer certificate\n");
702                         goto end;
703                         }
704                 if (sign_certfile)
705                         {
706                         sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
707                                 NULL, e, "signer certificates");
708                         if (!sign_other) goto end;
709                         }
710                 key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
711                         "signer private key");
712                 if (!key)
713                         goto end;
714
715                 if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags))
716                         {
717                         BIO_printf(bio_err, "Error signing OCSP request\n");
718                         goto end;
719                         }
720                 }
721
722         if (req_text && req) OCSP_REQUEST_print(out, req, 0);
723
724         if (reqout)
725                 {
726                 derbio = BIO_new_file(reqout, "wb");
727                 if(!derbio)
728                         {
729                         BIO_printf(bio_err, "Error opening file %s\n", reqout);
730                         goto end;
731                         }
732                 i2d_OCSP_REQUEST_bio(derbio, req);
733                 BIO_free(derbio);
734                 }
735
736         if (ridx_filename && (!rkey || !rsigner || !rca_cert))
737                 {
738                 BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
739                 goto end;
740                 }
741
742         if (ridx_filename && !rdb)
743                 {
744                 rdb = load_index(ridx_filename, NULL);
745                 if (!rdb) goto end;
746                 if (!index_index(rdb)) goto end;
747                 }
748
749         if (rdb)
750                 {
751                 i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
752                 if (cbio)
753                         send_ocsp_response(cbio, resp);
754                 }
755         else if (host)
756                 {
757 #ifndef OPENSSL_NO_SOCK
758                 resp = process_responder(bio_err, req, host, path,
759                                                 port, use_ssl, req_timeout);
760                 if (!resp)
761                         goto end;
762 #else
763                 BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
764                 goto end;
765 #endif
766                 }
767         else if (respin)
768                 {
769                 derbio = BIO_new_file(respin, "rb");
770                 if (!derbio)
771                         {
772                         BIO_printf(bio_err, "Error Opening OCSP response file\n");
773                         goto end;
774                         }
775                 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
776                 BIO_free(derbio);
777                 if(!resp)
778                         {
779                         BIO_printf(bio_err, "Error reading OCSP response\n");
780                         goto end;
781                         }
782         
783                 }
784         else
785                 {
786                 ret = 0;
787                 goto end;
788                 }
789
790         done_resp:
791
792         if (respout)
793                 {
794                 derbio = BIO_new_file(respout, "wb");
795                 if(!derbio)
796                         {
797                         BIO_printf(bio_err, "Error opening file %s\n", respout);
798                         goto end;
799                         }
800                 i2d_OCSP_RESPONSE_bio(derbio, resp);
801                 BIO_free(derbio);
802                 }
803
804         i = OCSP_response_status(resp);
805
806         if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
807                 {
808                 BIO_printf(out, "Responder Error: %s (%d)\n",
809                                 OCSP_response_status_str(i), i);
810                 if (ignore_err)
811                         goto redo_accept;
812                 ret = 0;
813                 goto end;
814                 }
815
816         if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
817
818         /* If running as responder don't verify our own response */
819         if (cbio)
820                 {
821                 if (accept_count > 0)
822                         accept_count--;
823                 /* Redo if more connections needed */
824                 if (accept_count)
825                         {
826                         BIO_free_all(cbio);
827                         cbio = NULL;
828                         OCSP_REQUEST_free(req);
829                         req = NULL;
830                         OCSP_RESPONSE_free(resp);
831                         resp = NULL;
832                         goto redo_accept;
833                         }
834                 goto end;
835                 }
836
837         if (!store)
838                 store = setup_verify(bio_err, CAfile, CApath);
839         if (!store)
840                 goto end;
841         if (verify_certfile)
842                 {
843                 verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
844                         NULL, e, "validator certificate");
845                 if (!verify_other) goto end;
846                 }
847
848         bs = OCSP_response_get1_basic(resp);
849
850         if (!bs)
851                 {
852                 BIO_printf(bio_err, "Error parsing response\n");
853                 goto end;
854                 }
855
856         if (!noverify)
857                 {
858                 if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
859                         {
860                         if (i == -1)
861                                 BIO_printf(bio_err, "WARNING: no nonce in response\n");
862                         else
863                                 {
864                                 BIO_printf(bio_err, "Nonce Verify error\n");
865                                 goto end;
866                                 }
867                         }
868
869                 i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
870                 if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
871
872                 if(i <= 0)
873                         {
874                         BIO_printf(bio_err, "Response Verify Failure\n");
875                         ERR_print_errors(bio_err);
876                         }
877                 else
878                         BIO_printf(bio_err, "Response verify OK\n");
879
880                 }
881
882         if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
883                 goto end;
884
885         ret = 0;
886
887 end:
888         ERR_print_errors(bio_err);
889         X509_free(signer);
890         X509_STORE_free(store);
891         EVP_PKEY_free(key);
892         EVP_PKEY_free(rkey);
893         X509_free(issuer);
894         X509_free(cert);
895         X509_free(rsigner);
896         X509_free(rca_cert);
897         free_index(rdb);
898         BIO_free_all(cbio);
899         BIO_free_all(acbio);
900         BIO_free(out);
901         OCSP_REQUEST_free(req);
902         OCSP_RESPONSE_free(resp);
903         OCSP_BASICRESP_free(bs);
904         sk_OPENSSL_STRING_free(reqnames);
905         sk_OCSP_CERTID_free(ids);
906         sk_X509_pop_free(sign_other, X509_free);
907         sk_X509_pop_free(verify_other, X509_free);
908
909         if (use_ssl != -1)
910                 {
911                 OPENSSL_free(host);
912                 OPENSSL_free(port);
913                 OPENSSL_free(path);
914                 }
915
916         OPENSSL_EXIT(ret);
917 }
918
919 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md,X509 *issuer,
920                                 STACK_OF(OCSP_CERTID) *ids)
921         {
922         OCSP_CERTID *id;
923         if(!issuer)
924                 {
925                 BIO_printf(bio_err, "No issuer certificate specified\n");
926                 return 0;
927                 }
928         if(!*req) *req = OCSP_REQUEST_new();
929         if(!*req) goto err;
930         id = OCSP_cert_to_id(cert_id_md, cert, issuer);
931         if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
932         if(!OCSP_request_add0_id(*req, id)) goto err;
933         return 1;
934
935         err:
936         BIO_printf(bio_err, "Error Creating OCSP request\n");
937         return 0;
938         }
939
940 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,const EVP_MD *cert_id_md, X509 *issuer,
941                                 STACK_OF(OCSP_CERTID) *ids)
942         {
943         OCSP_CERTID *id;
944         X509_NAME *iname;
945         ASN1_BIT_STRING *ikey;
946         ASN1_INTEGER *sno;
947         if(!issuer)
948                 {
949                 BIO_printf(bio_err, "No issuer certificate specified\n");
950                 return 0;
951                 }
952         if(!*req) *req = OCSP_REQUEST_new();
953         if(!*req) goto err;
954         iname = X509_get_subject_name(issuer);
955         ikey = X509_get0_pubkey_bitstr(issuer);
956         sno = s2i_ASN1_INTEGER(NULL, serial);
957         if(!sno)
958                 {
959                 BIO_printf(bio_err, "Error converting serial number %s\n", serial);
960                 return 0;
961                 }
962         id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
963         ASN1_INTEGER_free(sno);
964         if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
965         if(!OCSP_request_add0_id(*req, id)) goto err;
966         return 1;
967
968         err:
969         BIO_printf(bio_err, "Error Creating OCSP request\n");
970         return 0;
971         }
972
973 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
974                               STACK_OF(OPENSSL_STRING) *names,
975                               STACK_OF(OCSP_CERTID) *ids, long nsec,
976                               long maxage)
977         {
978         OCSP_CERTID *id;
979         char *name;
980         int i;
981
982         int status, reason;
983
984         ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
985
986         if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids))
987                 return 1;
988
989         for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
990                 {
991                 id = sk_OCSP_CERTID_value(ids, i);
992                 name = sk_OPENSSL_STRING_value(names, i);
993                 BIO_printf(out, "%s: ", name);
994
995                 if(!OCSP_resp_find_status(bs, id, &status, &reason,
996                                         &rev, &thisupd, &nextupd))
997                         {
998                         BIO_puts(out, "ERROR: No Status found.\n");
999                         continue;
1000                         }
1001
1002                 /* Check validity: if invalid write to output BIO so we
1003                  * know which response this refers to.
1004                  */
1005                 if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
1006                         {
1007                         BIO_puts(out, "WARNING: Status times invalid.\n");
1008                         ERR_print_errors(out);
1009                         }
1010                 BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
1011
1012                 BIO_puts(out, "\tThis Update: ");
1013                 ASN1_GENERALIZEDTIME_print(out, thisupd);
1014                 BIO_puts(out, "\n");
1015
1016                 if(nextupd)
1017                         {
1018                         BIO_puts(out, "\tNext Update: ");
1019                         ASN1_GENERALIZEDTIME_print(out, nextupd);
1020                         BIO_puts(out, "\n");
1021                         }
1022
1023                 if (status != V_OCSP_CERTSTATUS_REVOKED)
1024                         continue;
1025
1026                 if (reason != -1)
1027                         BIO_printf(out, "\tReason: %s\n",
1028                                 OCSP_crl_reason_str(reason));
1029
1030                 BIO_puts(out, "\tRevocation Time: ");
1031                 ASN1_GENERALIZEDTIME_print(out, rev);
1032                 BIO_puts(out, "\n");
1033                 }
1034
1035         return 1;
1036         }
1037
1038
1039 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1040                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
1041                         STACK_OF(X509) *rother, unsigned long flags,
1042                         int nmin, int ndays)
1043         {
1044         ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1045         OCSP_CERTID *cid, *ca_id = NULL;
1046         OCSP_BASICRESP *bs = NULL;
1047         int i, id_count, ret = 1;
1048
1049         id_count = OCSP_request_onereq_count(req);
1050
1051         if (id_count <= 0)
1052                 {
1053                 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1054                 goto end;
1055                 }
1056
1057
1058         bs = OCSP_BASICRESP_new();
1059         thisupd = X509_gmtime_adj(NULL, 0);
1060         if (ndays != -1)
1061                 nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
1062
1063         /* Examine each certificate id in the request */
1064         for (i = 0; i < id_count; i++)
1065                 {
1066                 OCSP_ONEREQ *one;
1067                 ASN1_INTEGER *serial;
1068                 char **inf;
1069                 ASN1_OBJECT *cert_id_md_oid;
1070                 const EVP_MD *cert_id_md;
1071                 one = OCSP_request_onereq_get0(req, i);
1072                 cid = OCSP_onereq_get0_id(one);
1073
1074                 OCSP_id_get0_info(NULL,&cert_id_md_oid, NULL,NULL, cid);
1075
1076                 cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);       
1077                 if (! cert_id_md) 
1078                         {
1079                         *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
1080                                 NULL);
1081                                 goto end;
1082                         }       
1083                 if (ca_id) OCSP_CERTID_free(ca_id);
1084                 ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
1085
1086                 /* Is this request about our CA? */
1087                 if (OCSP_id_issuer_cmp(ca_id, cid))
1088                         {
1089                         OCSP_basic_add1_status(bs, cid,
1090                                                 V_OCSP_CERTSTATUS_UNKNOWN,
1091                                                 0, NULL,
1092                                                 thisupd, nextupd);
1093                         continue;
1094                         }
1095                 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1096                 inf = lookup_serial(db, serial);
1097                 if (!inf)
1098                         OCSP_basic_add1_status(bs, cid,
1099                                                 V_OCSP_CERTSTATUS_UNKNOWN,
1100                                                 0, NULL,
1101                                                 thisupd, nextupd);
1102                 else if (inf[DB_type][0] == DB_TYPE_VAL)
1103                         OCSP_basic_add1_status(bs, cid,
1104                                                 V_OCSP_CERTSTATUS_GOOD,
1105                                                 0, NULL,
1106                                                 thisupd, nextupd);
1107                 else if (inf[DB_type][0] == DB_TYPE_REV)
1108                         {
1109                         ASN1_OBJECT *inst = NULL;
1110                         ASN1_TIME *revtm = NULL;
1111                         ASN1_GENERALIZEDTIME *invtm = NULL;
1112                         OCSP_SINGLERESP *single;
1113                         int reason = -1;
1114                         unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1115                         single = OCSP_basic_add1_status(bs, cid,
1116                                                 V_OCSP_CERTSTATUS_REVOKED,
1117                                                 reason, revtm,
1118                                                 thisupd, nextupd);
1119                         if (invtm)
1120                                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
1121                         else if (inst)
1122                                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
1123                         ASN1_OBJECT_free(inst);
1124                         ASN1_TIME_free(revtm);
1125                         ASN1_GENERALIZEDTIME_free(invtm);
1126                         }
1127                 }
1128
1129         OCSP_copy_nonce(bs, req);
1130         
1131         OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
1132
1133         *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1134
1135         end:
1136         ASN1_TIME_free(thisupd);
1137         ASN1_TIME_free(nextupd);
1138         OCSP_CERTID_free(ca_id);
1139         OCSP_BASICRESP_free(bs);
1140         return ret;
1141
1142         }
1143
1144 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
1145         {
1146         int i;
1147         BIGNUM *bn = NULL;
1148         char *itmp, *row[DB_NUMBER],**rrow;
1149         for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
1150         bn = ASN1_INTEGER_to_BN(ser,NULL);
1151         OPENSSL_assert(bn); /* FIXME: should report an error at this point and abort */
1152         if (BN_is_zero(bn))
1153                 itmp = BUF_strdup("00");
1154         else
1155                 itmp = BN_bn2hex(bn);
1156         row[DB_serial] = itmp;
1157         BN_free(bn);
1158         rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
1159         OPENSSL_free(itmp);
1160         return rrow;
1161         }
1162
1163 /* Quick and dirty OCSP server: read in and parse input request */
1164
1165 static BIO *init_responder(char *port)
1166         {
1167         BIO *acbio = NULL, *bufbio = NULL;
1168         bufbio = BIO_new(BIO_f_buffer());
1169         if (!bufbio) 
1170                 goto err;
1171 #ifndef OPENSSL_NO_SOCK
1172         acbio = BIO_new_accept(port);
1173 #else
1174         BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
1175 #endif
1176         if (!acbio)
1177                 goto err;
1178         BIO_set_accept_bios(acbio, bufbio);
1179         bufbio = NULL;
1180
1181         if (BIO_do_accept(acbio) <= 0)
1182                 {
1183                         BIO_printf(bio_err, "Error setting up accept BIO\n");
1184                         ERR_print_errors(bio_err);
1185                         goto err;
1186                 }
1187
1188         return acbio;
1189
1190         err:
1191         BIO_free_all(acbio);
1192         BIO_free(bufbio);
1193         return NULL;
1194         }
1195
1196 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
1197         {
1198         int have_post = 0, len;
1199         OCSP_REQUEST *req = NULL;
1200         char inbuf[1024];
1201         BIO *cbio = NULL;
1202
1203         if (BIO_do_accept(acbio) <= 0)
1204                 {
1205                         BIO_printf(bio_err, "Error accepting connection\n");
1206                         ERR_print_errors(bio_err);
1207                         return 0;
1208                 }
1209
1210         cbio = BIO_pop(acbio);
1211         *pcbio = cbio;
1212
1213         for(;;)
1214                 {
1215                 len = BIO_gets(cbio, inbuf, sizeof inbuf);
1216                 if (len <= 0)
1217                         return 1;
1218                 /* Look for "POST" signalling start of query */
1219                 if (!have_post)
1220                         {
1221                         if(strncmp(inbuf, "POST", 4))
1222                                 {
1223                                 BIO_printf(bio_err, "Invalid request\n");
1224                                 return 1;
1225                                 }
1226                         have_post = 1;
1227                         }
1228                 /* Look for end of headers */
1229                 if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1230                         break;
1231                 }
1232
1233         /* Try to read OCSP request */
1234
1235         req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1236
1237         if (!req)
1238                 {
1239                 BIO_printf(bio_err, "Error parsing OCSP request\n");
1240                 ERR_print_errors(bio_err);
1241                 }
1242
1243         *preq = req;
1244
1245         return 1;
1246
1247         }
1248
1249 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1250         {
1251         char http_resp[] = 
1252                 "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1253                 "Content-Length: %d\r\n\r\n";
1254         if (!cbio)
1255                 return 0;
1256         BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1257         i2d_OCSP_RESPONSE_bio(cbio, resp);
1258         (void)BIO_flush(cbio);
1259         return 1;
1260         }
1261
1262 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
1263                                 OCSP_REQUEST *req, int req_timeout)
1264         {
1265         int fd;
1266         int rv;
1267         OCSP_REQ_CTX *ctx = NULL;
1268         OCSP_RESPONSE *rsp = NULL;
1269         fd_set confds;
1270         struct timeval tv;
1271
1272         if (req_timeout != -1)
1273                 BIO_set_nbio(cbio, 1);
1274
1275         rv = BIO_do_connect(cbio);
1276
1277         if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio)))
1278                 {
1279                 BIO_puts(err, "Error connecting BIO\n");
1280                 return NULL;
1281                 }
1282
1283         if (req_timeout == -1)
1284                 return OCSP_sendreq_bio(cbio, path, req);
1285
1286         if (BIO_get_fd(cbio, &fd) <= 0)
1287                 {
1288                 BIO_puts(err, "Can't get connection fd\n");
1289                 goto err;
1290                 }
1291
1292         if (rv <= 0)
1293                 {
1294                 FD_ZERO(&confds);
1295                 openssl_fdset(fd, &confds);
1296                 tv.tv_usec = 0;
1297                 tv.tv_sec = req_timeout;
1298                 rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1299                 if (rv == 0)
1300                         {
1301                         BIO_puts(err, "Timeout on connect\n");
1302                         return NULL;
1303                         }
1304                 }
1305
1306
1307         ctx = OCSP_sendreq_new(cbio, path, req, -1);
1308         if (!ctx)
1309                 return NULL;
1310         
1311         for (;;)
1312                 {
1313                 rv = OCSP_sendreq_nbio(&rsp, ctx);
1314                 if (rv != -1)
1315                         break;
1316                 FD_ZERO(&confds);
1317                 openssl_fdset(fd, &confds);
1318                 tv.tv_usec = 0;
1319                 tv.tv_sec = req_timeout;
1320                 if (BIO_should_read(cbio))
1321                         rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
1322                 else if (BIO_should_write(cbio))
1323                         rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1324                 else
1325                         {
1326                         BIO_puts(err, "Unexpected retry condition\n");
1327                         goto err;
1328                         }
1329                 if (rv == 0)
1330                         {
1331                         BIO_puts(err, "Timeout on request\n");
1332                         break;
1333                         }
1334                 if (rv == -1)
1335                         {
1336                         BIO_puts(err, "Select error\n");
1337                         break;
1338                         }
1339                         
1340                 }
1341         err:
1342         if (ctx)
1343                 OCSP_REQ_CTX_free(ctx);
1344
1345         return rsp;
1346         }
1347
1348 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
1349                         char *host, char *path, char *port, int use_ssl,
1350                         int req_timeout)
1351         {
1352         BIO *cbio = NULL;
1353         SSL_CTX *ctx = NULL;
1354         OCSP_RESPONSE *resp = NULL;
1355         cbio = BIO_new_connect(host);
1356         if (!cbio)
1357                 {
1358                 BIO_printf(err, "Error creating connect BIO\n");
1359                 goto end;
1360                 }
1361         if (port) BIO_set_conn_port(cbio, port);
1362         if (use_ssl == 1)
1363                 {
1364                 BIO *sbio;
1365 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
1366                 ctx = SSL_CTX_new(SSLv23_client_method());
1367 #elif !defined(OPENSSL_NO_SSL3)
1368                 ctx = SSL_CTX_new(SSLv3_client_method());
1369 #elif !defined(OPENSSL_NO_SSL2)
1370                 ctx = SSL_CTX_new(SSLv2_client_method());
1371 #else
1372                 BIO_printf(err, "SSL is disabled\n");
1373                         goto end;
1374 #endif
1375                 if (ctx == NULL)
1376                         {
1377                         BIO_printf(err, "Error creating SSL context.\n");
1378                         goto end;
1379                         }
1380                 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1381                 sbio = BIO_new_ssl(ctx, 1);
1382                 cbio = BIO_push(sbio, cbio);
1383                 }
1384         resp = query_responder(err, cbio, path, req, req_timeout);
1385         if (!resp)
1386                 BIO_printf(bio_err, "Error querying OCSP responsder\n");
1387         end:
1388         if (cbio)
1389                 BIO_free_all(cbio);
1390         if (ctx)
1391                 SSL_CTX_free(ctx);
1392         return resp;
1393         }
1394
1395 #endif