Fix free errors in ocsp utility.
[openssl.git] / apps / ocsp.c
index 49a156a..64c3182 100644 (file)
@@ -1,5 +1,5 @@
 /* ocsp.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
  * Hudson (tjh@cryptsoft.com).
  *
  */
+#ifndef OPENSSL_NO_OCSP
+
+#ifdef OPENSSL_SYS_VMS
+#define _XOPEN_SOURCE_EXTENDED /* So fd_set and friends get properly defined
+                                  on OpenVMS */
+#endif
+
+#define USE_SOCKETS
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
-#include "apps.h"
-#include <openssl/pem.h>
-#include <openssl/ocsp.h>
+#include <time.h>
+#include "apps.h" /* needs to be included before the openssl headers! */
+#include <openssl/e_os2.h>
+#include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
-
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/x509v3.h>
+
+#if defined(NETWARE_CLIB)
+#  ifdef NETWARE_BSDSOCK
+#    include <sys/socket.h>
+#    include <sys/bsdskt.h>
+#  else
+#    include <novsock2.h>
+#  endif
+#elif defined(NETWARE_LIBC)
+#  ifdef NETWARE_BSDSOCK
+#    include <sys/select.h>
+#  else
+#    include <novsock2.h>
+#  endif
+#endif
+  
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD    (5 * 60)
 
-/* CA index.txt definitions */
-#define DB_type         0
-#define DB_exp_date     1
-#define DB_rev_date     2
-#define DB_serial       3       /* index - unique */
-#define DB_file         4       
-#define DB_name         5       /* index - unique for active */
-#define DB_NUMBER       6
-
-#define DB_TYPE_REV    'R'
-#define DB_TYPE_EXP    'E'
-#define DB_TYPE_VAL    'V'
-
-static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
+static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer,
                                STACK_OF(OCSP_CERTID) *ids);
-static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
+static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer,
                                STACK_OF(OCSP_CERTID) *ids);
 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
-                               STACK *names, STACK_OF(OCSP_CERTID) *ids,
-                               long nsec, long maxage);
+                             STACK_OF(OPENSSL_STRING) *names,
+                             STACK_OF(OCSP_CERTID) *ids, long nsec,
+                             long maxage);
 
-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
-                       X509 *ca, X509 *rcert, EVP_PKEY *rkey,
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
+                       X509 *ca, X509 *rcert, EVP_PKEY *rkey, const EVP_MD *md,
                        STACK_OF(X509) *rother, unsigned long flags,
-                       int nmin, int ndays);
+                       int nmin, int ndays, int badsig);
 
-static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser);
-static BIO *init_responder(char *port);
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
+static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
+static BIO *init_responder(const char *port);
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, const char *port);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+                                     const STACK_OF(CONF_VALUE) *headers,
+                                     OCSP_REQUEST *req, int req_timeout);
 
 #undef PROG
 #define PROG ocsp_main
@@ -108,12 +127,14 @@ int MAIN(int argc, char **argv)
        ENGINE *e = NULL;
        char **args;
        char *host = NULL, *port = NULL, *path = "/";
+       char *thost = NULL, *tport = NULL, *tpath = NULL;
        char *reqin = NULL, *respin = NULL;
        char *reqout = NULL, *respout = NULL;
        char *signfile = NULL, *keyfile = NULL;
        char *rsignfile = NULL, *rkeyfile = NULL;
        char *outfile = NULL;
        int add_nonce = 1, noverify = 0, use_ssl = -1;
+       STACK_OF(CONF_VALUE) *headers = NULL;
        OCSP_REQUEST *req = NULL;
        OCSP_RESPONSE *resp = NULL;
        OCSP_BASICRESP *bs = NULL;
@@ -123,34 +144,39 @@ int MAIN(int argc, char **argv)
        BIO *acbio = NULL, *cbio = NULL;
        BIO *derbio = NULL;
        BIO *out = NULL;
+       int req_timeout = -1;
        int req_text = 0, resp_text = 0;
        long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
        char *CAfile = NULL, *CApath = NULL;
        X509_STORE *store = NULL;
-       SSL_CTX *ctx = NULL;
+       X509_VERIFY_PARAM *vpm = NULL;
        STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
        char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
        unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
        int ret = 1;
        int accept_count = -1;
        int badarg = 0;
+       int badsig = 0;
        int i;
-       STACK *reqnames = NULL;
+       int ignore_err = 0;
+       STACK_OF(OPENSSL_STRING) *reqnames = NULL;
        STACK_OF(OCSP_CERTID) *ids = NULL;
 
        X509 *rca_cert = NULL;
        char *ridx_filename = NULL;
        char *rca_filename = NULL;
-       TXT_DB *rdb = NULL;
+       CA_DB *rdb = NULL;
        int nmin = 0, ndays = -1;
+       const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
 
        if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
 
        if (!load_config(bio_err, NULL))
                goto end;
        SSL_load_error_strings();
+       OpenSSL_add_ssl_algorithms();
        args = argv + 1;
-       reqnames = sk_new_null();
+       reqnames = sk_OPENSSL_STRING_new_null();
        ids = sk_OCSP_CERTID_new_null();
        while (!badarg && *args && *args[0] == '-')
                {
@@ -163,8 +189,30 @@ int MAIN(int argc, char **argv)
                                }
                        else badarg = 1;
                        }
+               else if (!strcmp(*args, "-timeout"))
+                       {
+                       if (args[1])
+                               {
+                               args++;
+                               req_timeout = atol(*args);
+                               if (req_timeout < 0)
+                                       {
+                                       BIO_printf(bio_err,
+                                               "Illegal timeout value %s\n",
+                                               *args);
+                                       badarg = 1;
+                                       }
+                               }
+                       else badarg = 1;
+                       }
                else if (!strcmp(*args, "-url"))
                        {
+                       if (thost)
+                               OPENSSL_free(thost);
+                       if (tport)
+                               OPENSSL_free(tport);
+                       if (tpath)
+                               OPENSSL_free(tpath);
                        if (args[1])
                                {
                                args++;
@@ -173,6 +221,9 @@ int MAIN(int argc, char **argv)
                                        BIO_printf(bio_err, "Error parsing URL\n");
                                        badarg = 1;
                                        }
+                               thost = host;
+                               tport = port;
+                               tpath = path;
                                }
                        else badarg = 1;
                        }
@@ -194,6 +245,18 @@ int MAIN(int argc, char **argv)
                                }
                        else badarg = 1;
                        }
+               else if (!strcmp(*args, "-header"))
+                       {
+                       if (args[1] && args[2])
+                               {
+                               if (!X509V3_add_value(args[1], args[2], &headers))
+                                       goto end;
+                               args += 2;
+                               }
+                       else badarg = 1;
+                       }
+               else if (!strcmp(*args, "-ignore_err"))
+                       ignore_err = 1;
                else if (!strcmp(*args, "-noverify"))
                        noverify = 1;
                else if (!strcmp(*args, "-nonce"))
@@ -220,6 +283,8 @@ int MAIN(int argc, char **argv)
                        verify_flags |= OCSP_TRUSTOTHER;
                else if (!strcmp(*args, "-no_intern"))
                        verify_flags |= OCSP_NOINTERN;
+               else if (!strcmp(*args, "-badsig"))
+                       badsig = 1;
                else if (!strcmp(*args, "-text"))
                        {
                        req_text = 1;
@@ -302,6 +367,12 @@ int MAIN(int argc, char **argv)
                                }
                        else badarg = 1;
                        }
+               else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
+                       {
+                       if (badarg)
+                               goto end;
+                       continue;
+                       }
                else if (!strcmp (*args, "-validity_period"))
                        {
                        if (args[1])
@@ -391,9 +462,10 @@ int MAIN(int argc, char **argv)
                                cert = load_cert(bio_err, *args, FORMAT_PEM,
                                        NULL, e, "certificate");
                                if(!cert) goto end;
-                               if(!add_ocsp_cert(&req, cert, issuer, ids))
+                               if (!cert_id_md) cert_id_md = EVP_sha1();
+                               if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
                                        goto end;
-                               if(!sk_push(reqnames, *args))
+                               if(!sk_OPENSSL_STRING_push(reqnames, *args))
                                        goto end;
                                }
                        else badarg = 1;
@@ -403,9 +475,10 @@ int MAIN(int argc, char **argv)
                        if (args[1])
                                {
                                args++;
-                               if(!add_ocsp_serial(&req, *args, issuer, ids))
+                               if (!cert_id_md) cert_id_md = EVP_sha1();
+                               if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
                                        goto end;
-                               if(!sk_push(reqnames, *args))
+                               if(!sk_OPENSSL_STRING_push(reqnames, *args))
                                        goto end;
                                }
                        else badarg = 1;
@@ -505,7 +578,21 @@ int MAIN(int argc, char **argv)
                                }
                        else badarg = 1;
                        }
-               else badarg = 1;
+               else if (!strcmp(*args, "-rmd"))
+                       {
+                       if (args[1])
+                               {
+                               args++;
+                               rsign_md = EVP_get_digestbyname(*args);
+                               if (!rsign_md)
+                                       badarg = 1;
+                               }
+                       else badarg = 1;
+                       }
+               else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL)
+                       {
+                       badarg = 1;
+                       }
                args++;
                }
 
@@ -523,7 +610,7 @@ int MAIN(int argc, char **argv)
                BIO_printf (bio_err, "-serial n          serial number to check\n");
                BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
                BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
-               BIO_printf (bio_err, "-sign_certs file   additional certificates to include in signed request\n");
+               BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
                BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
                BIO_printf (bio_err, "-req_text          print text form of request\n");
                BIO_printf (bio_err, "-resp_text         print text form of response\n");
@@ -543,10 +630,10 @@ int MAIN(int argc, char **argv)
                BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
                BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
                BIO_printf (bio_err, "-noverify          don't verify response at all\n");
-               BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n");
+               BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
                BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
                BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
-               BIO_printf (bio_err, "-no_sig_verify     don't check signature on response\n");
+               BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
                BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
                BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
                BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
@@ -561,6 +648,7 @@ int MAIN(int argc, char **argv)
                BIO_printf (bio_err, "-ndays n           number of days before next update\n");
                BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
                BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
+               BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request\n");
                goto end;
                }
 
@@ -577,7 +665,10 @@ int MAIN(int argc, char **argv)
 
        if (!req && reqin)
                {
-               derbio = BIO_new_file(reqin, "rb");
+               if (!strcmp(reqin, "-"))
+                       derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+               else
+                       derbio = BIO_new_file(reqin, "rb");
                if (!derbio)
                        {
                        BIO_printf(bio_err, "Error Opening OCSP request file\n");
@@ -613,11 +704,11 @@ int MAIN(int argc, char **argv)
                        NULL, e, "CA certificate");
                if (rcertfile)
                        {
-                       rother = load_certs(bio_err, sign_certfile, FORMAT_PEM,
+                       rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
                                NULL, e, "responder other certificates");
-                       if (!sign_other) goto end;
+                       if (!rother) goto end;
                        }
-               rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, NULL, NULL,
+               rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
                        "responder private key");
                if (!rkey)
                        goto end;
@@ -663,11 +754,12 @@ int MAIN(int argc, char **argv)
                                NULL, e, "signer certificates");
                        if (!sign_other) goto end;
                        }
-               key = load_key(bio_err, keyfile, FORMAT_PEM, NULL, NULL,
+               key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
                        "signer private key");
                if (!key)
                        goto end;
-               if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
+
+               if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags))
                        {
                        BIO_printf(bio_err, "Error signing OCSP request\n");
                        goto end;
@@ -678,7 +770,10 @@ int MAIN(int argc, char **argv)
 
        if (reqout)
                {
-               derbio = BIO_new_file(reqout, "wb");
+               if (!strcmp(reqout, "-"))
+                       derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+               else
+                       derbio = BIO_new_file(reqout, "wb");
                if(!derbio)
                        {
                        BIO_printf(bio_err, "Error opening file %s\n", reqout);
@@ -696,64 +791,35 @@ int MAIN(int argc, char **argv)
 
        if (ridx_filename && !rdb)
                {
-               BIO *db_bio = NULL;
-               db_bio = BIO_new_file(ridx_filename, "r");
-               if (!db_bio)
-                       {
-                       BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename);
-                       goto end;
-                       }
-               rdb = TXT_DB_read(db_bio, DB_NUMBER);
-               BIO_free(db_bio);
-               if (!rdb)
-                       {
-                       BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename);
-                       goto end;
-                       }
-               if (!make_serial_index(rdb))
-                       goto end;
+               rdb = load_index(ridx_filename, NULL);
+               if (!rdb) goto end;
+               if (!index_index(rdb)) goto end;
                }
 
        if (rdb)
                {
-               i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
+               i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,rsign_md, rother, rflags, nmin, ndays, badsig);
                if (cbio)
                        send_ocsp_response(cbio, resp);
                }
        else if (host)
                {
-               cbio = BIO_new_connect(host);
-               if (!cbio)
-                       {
-                       BIO_printf(bio_err, "Error creating connect BIO\n");
-                       goto end;
-                       }
-               if (port) BIO_set_conn_port(cbio, port);
-               if (use_ssl == 1)
-                       {
-                       BIO *sbio;
-                       ctx = SSL_CTX_new(SSLv23_client_method());
-                       SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
-                       sbio = BIO_new_ssl(ctx, 1);
-                       cbio = BIO_push(sbio, cbio);
-                       }
-               if (BIO_do_connect(cbio) <= 0)
-                       {
-                       BIO_printf(bio_err, "Error connecting BIO\n");
-                       goto end;
-                       }
-               resp = OCSP_sendreq_bio(cbio, path, req);
-               BIO_free_all(cbio);
-               cbio = NULL;
+#ifndef OPENSSL_NO_SOCK
+               resp = process_responder(bio_err, req, host, path,
+                                       port, use_ssl, headers, req_timeout);
                if (!resp)
-                       {
-                       BIO_printf(bio_err, "Error querying OCSP responsder\n");
                        goto end;
-                       }
+#else
+               BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
+               goto end;
+#endif
                }
        else if (respin)
                {
-               derbio = BIO_new_file(respin, "rb");
+               if (!strcmp(respin, "-"))
+                       derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+               else
+                       derbio = BIO_new_file(respin, "rb");
                if (!derbio)
                        {
                        BIO_printf(bio_err, "Error Opening OCSP response file\n");
@@ -778,7 +844,10 @@ int MAIN(int argc, char **argv)
 
        if (respout)
                {
-               derbio = BIO_new_file(respout, "wb");
+               if (!strcmp(respout, "-"))
+                       derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+               else
+                       derbio = BIO_new_file(respout, "wb");
                if(!derbio)
                        {
                        BIO_printf(bio_err, "Error opening file %s\n", respout);
@@ -792,8 +861,10 @@ int MAIN(int argc, char **argv)
 
        if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
                {
-               BIO_printf(out, "Responder Error: %s (%ld)\n",
+               BIO_printf(out, "Responder Error: %s (%d)\n",
                                OCSP_response_status_str(i), i);
+               if (ignore_err)
+                       goto redo_accept;
                ret = 0;
                goto end;
                }
@@ -816,6 +887,12 @@ int MAIN(int argc, char **argv)
                        resp = NULL;
                        goto redo_accept;
                        }
+               ret = 0;
+               goto end;
+               }
+       else if (ridx_filename)
+               {
+               ret = 0;
                goto end;
                }
 
@@ -823,6 +900,8 @@ int MAIN(int argc, char **argv)
                store = setup_verify(bio_err, CAfile, CApath);
        if (!store)
                goto end;
+       if (vpm)
+               X509_STORE_set1_param(store, vpm);
        if (verify_certfile)
                {
                verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
@@ -838,6 +917,8 @@ int MAIN(int argc, char **argv)
                goto end;
                }
 
+       ret = 0;
+
        if (!noverify)
                {
                if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
@@ -847,17 +928,17 @@ int MAIN(int argc, char **argv)
                        else
                                {
                                BIO_printf(bio_err, "Nonce Verify error\n");
+                               ret = 1;
                                goto end;
                                }
                        }
 
                i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
-                if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
-
                if(i <= 0)
                        {
-                       BIO_printf(bio_err, "Response Verify Failure\n", i);
+                       BIO_printf(bio_err, "Response Verify Failure\n");
                        ERR_print_errors(bio_err);
+                       ret = 1;
                        }
                else
                        BIO_printf(bio_err, "Response verify OK\n");
@@ -865,44 +946,44 @@ int MAIN(int argc, char **argv)
                }
 
        if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
-               goto end;
-
-       ret = 0;
+               ret = 1;
 
 end:
        ERR_print_errors(bio_err);
        X509_free(signer);
        X509_STORE_free(store);
+       if (vpm)
+               X509_VERIFY_PARAM_free(vpm);
        EVP_PKEY_free(key);
        EVP_PKEY_free(rkey);
        X509_free(issuer);
        X509_free(cert);
        X509_free(rsigner);
        X509_free(rca_cert);
-       TXT_DB_free(rdb);
+       free_index(rdb);
        BIO_free_all(cbio);
        BIO_free_all(acbio);
        BIO_free(out);
        OCSP_REQUEST_free(req);
        OCSP_RESPONSE_free(resp);
        OCSP_BASICRESP_free(bs);
-       sk_free(reqnames);
+       sk_OPENSSL_STRING_free(reqnames);
        sk_OCSP_CERTID_free(ids);
        sk_X509_pop_free(sign_other, X509_free);
        sk_X509_pop_free(verify_other, X509_free);
+       sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
 
-       if (use_ssl != -1)
-               {
-               OPENSSL_free(host);
-               OPENSSL_free(port);
-               OPENSSL_free(path);
-               SSL_CTX_free(ctx);
-               }
+       if (thost)
+               OPENSSL_free(thost);
+       if (tport)
+               OPENSSL_free(tport);
+       if (tpath)
+               OPENSSL_free(tpath);
 
-       EXIT(ret);
+       OPENSSL_EXIT(ret);
 }
 
-static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
+static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md,X509 *issuer,
                                STACK_OF(OCSP_CERTID) *ids)
        {
        OCSP_CERTID *id;
@@ -913,7 +994,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
                }
        if(!*req) *req = OCSP_REQUEST_new();
        if(!*req) goto err;
-       id = OCSP_cert_to_id(NULL, cert, issuer);
+       id = OCSP_cert_to_id(cert_id_md, cert, issuer);
        if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
        if(!OCSP_request_add0_id(*req, id)) goto err;
        return 1;
@@ -923,7 +1004,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
        return 0;
        }
 
-static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
+static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,const EVP_MD *cert_id_md, X509 *issuer,
                                STACK_OF(OCSP_CERTID) *ids)
        {
        OCSP_CERTID *id;
@@ -945,7 +1026,7 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
                BIO_printf(bio_err, "Error converting serial number %s\n", serial);
                return 0;
                }
-       id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
+       id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
        ASN1_INTEGER_free(sno);
        if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
        if(!OCSP_request_add0_id(*req, id)) goto err;
@@ -957,8 +1038,9 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
        }
 
 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
-                                       STACK *names, STACK_OF(OCSP_CERTID) *ids,
-                                       long nsec, long maxage)
+                             STACK_OF(OPENSSL_STRING) *names,
+                             STACK_OF(OCSP_CERTID) *ids, long nsec,
+                             long maxage)
        {
        OCSP_CERTID *id;
        char *name;
@@ -968,13 +1050,13 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 
        ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
 
-       if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
+       if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids))
                return 1;
 
        for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
                {
                id = sk_OCSP_CERTID_value(ids, i);
-               name = sk_value(names, i);
+               name = sk_OPENSSL_STRING_value(names, i);
                BIO_printf(out, "%s: ", name);
 
                if(!OCSP_resp_find_status(bs, id, &status, &reason,
@@ -1021,17 +1103,17 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
        }
 
 
-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
-                       X509 *ca, X509 *rcert, EVP_PKEY *rkey,
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
+                       X509 *ca, X509 *rcert,
+                       EVP_PKEY *rkey, const EVP_MD *rmd,
                        STACK_OF(X509) *rother, unsigned long flags,
-                       int nmin, int ndays)
+                       int nmin, int ndays, int badsig)
        {
        ASN1_TIME *thisupd = NULL, *nextupd = NULL;
        OCSP_CERTID *cid, *ca_id = NULL;
        OCSP_BASICRESP *bs = NULL;
        int i, id_count, ret = 1;
 
-
        id_count = OCSP_request_onereq_count(req);
 
        if (id_count <= 0)
@@ -1040,7 +1122,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d
                goto end;
                }
 
-       ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
 
        bs = OCSP_BASICRESP_new();
        thisupd = X509_gmtime_adj(NULL, 0);
@@ -1053,8 +1134,23 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d
                OCSP_ONEREQ *one;
                ASN1_INTEGER *serial;
                char **inf;
+               ASN1_OBJECT *cert_id_md_oid;
+               const EVP_MD *cert_id_md;
                one = OCSP_request_onereq_get0(req, i);
                cid = OCSP_onereq_get0_id(one);
+
+               OCSP_id_get0_info(NULL,&cert_id_md_oid, NULL,NULL, cid);
+
+               cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);       
+               if (! cert_id_md) 
+                       {
+                       *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
+                               NULL);
+                               goto end;
+                       }       
+               if (ca_id) OCSP_CERTID_free(ca_id);
+               ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
+
                /* Is this request about our CA? */
                if (OCSP_id_issuer_cmp(ca_id, cid))
                        {
@@ -1099,8 +1195,11 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d
                }
 
        OCSP_copy_nonce(bs, req);
-               
-       OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
+       
+       OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
+
+       if (badsig)
+               bs->signature->data[bs->signature->length -1] ^= 0x1;
 
        *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
 
@@ -1113,30 +1212,38 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d
 
        }
 
-static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
+static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
        {
        int i;
        BIGNUM *bn = NULL;
        char *itmp, *row[DB_NUMBER],**rrow;
        for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
        bn = ASN1_INTEGER_to_BN(ser,NULL);
-       itmp = BN_bn2hex(bn);
+       OPENSSL_assert(bn); /* FIXME: should report an error at this point and abort */
+       if (BN_is_zero(bn))
+               itmp = BUF_strdup("00");
+       else
+               itmp = BN_bn2hex(bn);
        row[DB_serial] = itmp;
        BN_free(bn);
-       rrow=TXT_DB_get_by_index(db,DB_serial,row);
+       rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
        OPENSSL_free(itmp);
        return rrow;
        }
 
 /* Quick and dirty OCSP server: read in and parse input request */
 
-static BIO *init_responder(char *port)
+static BIO *init_responder(const char *port)
        {
        BIO *acbio = NULL, *bufbio = NULL;
        bufbio = BIO_new(BIO_f_buffer());
        if (!bufbio) 
                goto err;
+#ifndef OPENSSL_NO_SOCK
        acbio = BIO_new_accept(port);
+#else
+       BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
+#endif
        if (!acbio)
                goto err;
        BIO_set_accept_bios(acbio, bufbio);
@@ -1157,7 +1264,8 @@ static BIO *init_responder(char *port)
        return NULL;
        }
 
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
+                       const char *port)
        {
        int have_post = 0, len;
        OCSP_REQUEST *req = NULL;
@@ -1176,7 +1284,7 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port
 
        for(;;)
                {
-               len = BIO_gets(cbio, inbuf, 1024);
+               len = BIO_gets(cbio, inbuf, sizeof inbuf);
                if (len <= 0)
                        return 1;
                /* Look for "POST" signalling start of query */
@@ -1219,7 +1327,154 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
                return 0;
        BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
        i2d_OCSP_RESPONSE_bio(cbio, resp);
-       BIO_flush(cbio);
+       (void)BIO_flush(cbio);
        return 1;
        }
 
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+                                     const STACK_OF(CONF_VALUE) *headers,
+                                     OCSP_REQUEST *req, int req_timeout)
+       {
+       int fd;
+       int rv;
+       int i;
+       OCSP_REQ_CTX *ctx = NULL;
+       OCSP_RESPONSE *rsp = NULL;
+       fd_set confds;
+       struct timeval tv;
+
+       if (req_timeout != -1)
+               BIO_set_nbio(cbio, 1);
+
+       rv = BIO_do_connect(cbio);
+
+       if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio)))
+               {
+               BIO_puts(err, "Error connecting BIO\n");
+               return NULL;
+               }
+
+       if (BIO_get_fd(cbio, &fd) <= 0)
+               {
+               BIO_puts(err, "Can't get connection fd\n");
+               goto err;
+               }
+
+       if (req_timeout != -1 && rv <= 0)
+               {
+               FD_ZERO(&confds);
+               openssl_fdset(fd, &confds);
+               tv.tv_usec = 0;
+               tv.tv_sec = req_timeout;
+               rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+               if (rv == 0)
+                       {
+                       BIO_puts(err, "Timeout on connect\n");
+                       return NULL;
+                       }
+               }
+
+
+       ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
+       if (!ctx)
+               return NULL;
+
+       for (i = 0; i < sk_CONF_VALUE_num(headers); i++)
+               {
+               CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+               if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
+                       goto err;
+               }
+
+       if (!OCSP_REQ_CTX_set1_req(ctx, req))
+               goto err;
+       
+       for (;;)
+               {
+               rv = OCSP_sendreq_nbio(&rsp, ctx);
+               if (rv != -1)
+                       break;
+               if (req_timeout == -1)
+                       continue;
+               FD_ZERO(&confds);
+               openssl_fdset(fd, &confds);
+               tv.tv_usec = 0;
+               tv.tv_sec = req_timeout;
+               if (BIO_should_read(cbio))
+                       rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
+               else if (BIO_should_write(cbio))
+                       rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+               else
+                       {
+                       BIO_puts(err, "Unexpected retry condition\n");
+                       goto err;
+                       }
+               if (rv == 0)
+                       {
+                       BIO_puts(err, "Timeout on request\n");
+                       break;
+                       }
+               if (rv == -1)
+                       {
+                       BIO_puts(err, "Select error\n");
+                       break;
+                       }
+
+               }
+       err:
+       if (ctx)
+               OCSP_REQ_CTX_free(ctx);
+
+       return rsp;
+       }
+
+OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
+                                const char *host, const char *path,
+                                const char *port, int use_ssl,
+                                const STACK_OF(CONF_VALUE) *headers,
+                                int req_timeout)
+       {
+       BIO *cbio = NULL;
+       SSL_CTX *ctx = NULL;
+       OCSP_RESPONSE *resp = NULL;
+       cbio = BIO_new_connect(host);
+       if (!cbio)
+               {
+               BIO_printf(err, "Error creating connect BIO\n");
+               goto end;
+               }
+       if (port) BIO_set_conn_port(cbio, port);
+       if (use_ssl == 1)
+               {
+               BIO *sbio;
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+               ctx = SSL_CTX_new(SSLv23_client_method());
+#elif !defined(OPENSSL_NO_SSL3)
+               ctx = SSL_CTX_new(SSLv3_client_method());
+#elif !defined(OPENSSL_NO_SSL2)
+               ctx = SSL_CTX_new(SSLv2_client_method());
+#else
+               BIO_printf(err, "SSL is disabled\n");
+                       goto end;
+#endif
+               if (ctx == NULL)
+                       {
+                       BIO_printf(err, "Error creating SSL context.\n");
+                       goto end;
+                       }
+               SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+               sbio = BIO_new_ssl(ctx, 1);
+               cbio = BIO_push(sbio, cbio);
+               }
+       resp = query_responder(err, cbio, path, headers, req, req_timeout);
+       if (!resp)
+               BIO_printf(bio_err, "Error querying OCSP responsder\n");
+       end:
+       if (cbio)
+               BIO_free_all(cbio);
+       if (ctx)
+               SSL_CTX_free(ctx);
+       return resp;
+       }
+
+#endif