projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Fix free errors in ocsp utility.
[openssl.git]
/
apps
/
ocsp.c
diff --git
a/apps/ocsp.c
b/apps/ocsp.c
index ce9bfa52d61e4573220c2cd6d8cf995d89bb6bf3..64c31826f3a97414e19ed13b102fd402dd01f9c3 100644
(file)
--- a/
apps/ocsp.c
+++ b/
apps/ocsp.c
@@
-105,17
+105,17
@@
static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
long maxage);
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
long maxage);
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
- X509 *ca, X509 *rcert, EVP_PKEY *rkey,
+ X509 *ca, X509 *rcert, EVP_PKEY *rkey,
const EVP_MD *md,
STACK_OF(X509) *rother, unsigned long flags,
STACK_OF(X509) *rother, unsigned long flags,
- int nmin, int ndays);
+ int nmin, int ndays
, int badsig
);
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
-static BIO *init_responder(char *port);
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
+static BIO *init_responder(c
onst c
har *port);
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, c
onst c
har *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
- STACK_OF(CONF_VALUE) *headers,
- OCSP_REQUEST *req, int req_timeout);
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, c
onst c
har *path,
+
const
STACK_OF(CONF_VALUE) *headers,
+
OCSP_REQUEST *req, int req_timeout);
#undef PROG
#define PROG ocsp_main
#undef PROG
#define PROG ocsp_main
@@
-127,6
+127,7
@@
int MAIN(int argc, char **argv)
ENGINE *e = NULL;
char **args;
char *host = NULL, *port = NULL, *path = "/";
ENGINE *e = NULL;
char **args;
char *host = NULL, *port = NULL, *path = "/";
+ char *thost = NULL, *tport = NULL, *tpath = NULL;
char *reqin = NULL, *respin = NULL;
char *reqout = NULL, *respout = NULL;
char *signfile = NULL, *keyfile = NULL;
char *reqin = NULL, *respin = NULL;
char *reqout = NULL, *respout = NULL;
char *signfile = NULL, *keyfile = NULL;
@@
-148,12
+149,14
@@
int MAIN(int argc, char **argv)
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
+ X509_VERIFY_PARAM *vpm = NULL;
STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
int ret = 1;
int accept_count = -1;
int badarg = 0;
STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
int ret = 1;
int accept_count = -1;
int badarg = 0;
+ int badsig = 0;
int i;
int ignore_err = 0;
STACK_OF(OPENSSL_STRING) *reqnames = NULL;
int i;
int ignore_err = 0;
STACK_OF(OPENSSL_STRING) *reqnames = NULL;
@@
-164,7
+167,7
@@
int MAIN(int argc, char **argv)
char *rca_filename = NULL;
CA_DB *rdb = NULL;
int nmin = 0, ndays = -1;
char *rca_filename = NULL;
CA_DB *rdb = NULL;
int nmin = 0, ndays = -1;
- const EVP_MD *cert_id_md = NULL;
+ const EVP_MD *cert_id_md = NULL
, *rsign_md = NULL
;
if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@@
-204,6
+207,12
@@
int MAIN(int argc, char **argv)
}
else if (!strcmp(*args, "-url"))
{
}
else if (!strcmp(*args, "-url"))
{
+ if (thost)
+ OPENSSL_free(thost);
+ if (tport)
+ OPENSSL_free(tport);
+ if (tpath)
+ OPENSSL_free(tpath);
if (args[1])
{
args++;
if (args[1])
{
args++;
@@
-212,6
+221,9
@@
int MAIN(int argc, char **argv)
BIO_printf(bio_err, "Error parsing URL\n");
badarg = 1;
}
BIO_printf(bio_err, "Error parsing URL\n");
badarg = 1;
}
+ thost = host;
+ tport = port;
+ tpath = path;
}
else badarg = 1;
}
}
else badarg = 1;
}
@@
-271,6
+283,8
@@
int MAIN(int argc, char **argv)
verify_flags |= OCSP_TRUSTOTHER;
else if (!strcmp(*args, "-no_intern"))
verify_flags |= OCSP_NOINTERN;
verify_flags |= OCSP_TRUSTOTHER;
else if (!strcmp(*args, "-no_intern"))
verify_flags |= OCSP_NOINTERN;
+ else if (!strcmp(*args, "-badsig"))
+ badsig = 1;
else if (!strcmp(*args, "-text"))
{
req_text = 1;
else if (!strcmp(*args, "-text"))
{
req_text = 1;
@@
-353,6
+367,12
@@
int MAIN(int argc, char **argv)
}
else badarg = 1;
}
}
else badarg = 1;
}
+ else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
+ {
+ if (badarg)
+ goto end;
+ continue;
+ }
else if (!strcmp (*args, "-validity_period"))
{
if (args[1])
else if (!strcmp (*args, "-validity_period"))
{
if (args[1])
@@
-558,6
+578,17
@@
int MAIN(int argc, char **argv)
}
else badarg = 1;
}
}
else badarg = 1;
}
+ else if (!strcmp(*args, "-rmd"))
+ {
+ if (args[1])
+ {
+ args++;
+ rsign_md = EVP_get_digestbyname(*args);
+ if (!rsign_md)
+ badarg = 1;
+ }
+ else badarg = 1;
+ }
else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL)
{
badarg = 1;
else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL)
{
badarg = 1;
@@
-617,7
+648,7
@@
int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-ndays n number of days before next update\n");
BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
BIO_printf (bio_err, "-ndays n number of days before next update\n");
BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
- BIO_printf (bio_err, "-<dgst alg> use specified digest in the request");
+ BIO_printf (bio_err, "-<dgst alg> use specified digest in the request
\n
");
goto end;
}
goto end;
}
@@
-634,7
+665,10
@@
int MAIN(int argc, char **argv)
if (!req && reqin)
{
if (!req && reqin)
{
- derbio = BIO_new_file(reqin, "rb");
+ if (!strcmp(reqin, "-"))
+ derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+ else
+ derbio = BIO_new_file(reqin, "rb");
if (!derbio)
{
BIO_printf(bio_err, "Error Opening OCSP request file\n");
if (!derbio)
{
BIO_printf(bio_err, "Error Opening OCSP request file\n");
@@
-736,7
+770,10
@@
int MAIN(int argc, char **argv)
if (reqout)
{
if (reqout)
{
- derbio = BIO_new_file(reqout, "wb");
+ if (!strcmp(reqout, "-"))
+ derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+ else
+ derbio = BIO_new_file(reqout, "wb");
if(!derbio)
{
BIO_printf(bio_err, "Error opening file %s\n", reqout);
if(!derbio)
{
BIO_printf(bio_err, "Error opening file %s\n", reqout);
@@
-761,7
+798,7
@@
int MAIN(int argc, char **argv)
if (rdb)
{
if (rdb)
{
- i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
rother, rflags, nmin, ndays
);
+ i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
rsign_md, rother, rflags, nmin, ndays, badsig
);
if (cbio)
send_ocsp_response(cbio, resp);
}
if (cbio)
send_ocsp_response(cbio, resp);
}
@@
-779,7
+816,10
@@
int MAIN(int argc, char **argv)
}
else if (respin)
{
}
else if (respin)
{
- derbio = BIO_new_file(respin, "rb");
+ if (!strcmp(respin, "-"))
+ derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+ else
+ derbio = BIO_new_file(respin, "rb");
if (!derbio)
{
BIO_printf(bio_err, "Error Opening OCSP response file\n");
if (!derbio)
{
BIO_printf(bio_err, "Error Opening OCSP response file\n");
@@
-804,7
+844,10
@@
int MAIN(int argc, char **argv)
if (respout)
{
if (respout)
{
- derbio = BIO_new_file(respout, "wb");
+ if (!strcmp(respout, "-"))
+ derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+ else
+ derbio = BIO_new_file(respout, "wb");
if(!derbio)
{
BIO_printf(bio_err, "Error opening file %s\n", respout);
if(!derbio)
{
BIO_printf(bio_err, "Error opening file %s\n", respout);
@@
-844,6
+887,12
@@
int MAIN(int argc, char **argv)
resp = NULL;
goto redo_accept;
}
resp = NULL;
goto redo_accept;
}
+ ret = 0;
+ goto end;
+ }
+ else if (ridx_filename)
+ {
+ ret = 0;
goto end;
}
goto end;
}
@@
-851,6
+900,8
@@
int MAIN(int argc, char **argv)
store = setup_verify(bio_err, CAfile, CApath);
if (!store)
goto end;
store = setup_verify(bio_err, CAfile, CApath);
if (!store)
goto end;
+ if (vpm)
+ X509_STORE_set1_param(store, vpm);
if (verify_certfile)
{
verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
if (verify_certfile)
{
verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
@@
-901,6
+952,8
@@
end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
+ if (vpm)
+ X509_VERIFY_PARAM_free(vpm);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(issuer);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(issuer);
@@
-920,12
+973,12
@@
end:
sk_X509_pop_free(verify_other, X509_free);
sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
sk_X509_pop_free(verify_other, X509_free);
sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
- if (
use_ssl != -1
)
- {
- OPENSSL_free(host);
- OPENSSL_free(port);
- OPENSSL_free(path);
- }
+ if (
thost
)
+ OPENSSL_free(thost);
+ if (tport)
+ OPENSSL_free(
t
port);
+ if (tpath)
+ OPENSSL_free(tpath);
OPENSSL_EXIT(ret);
}
OPENSSL_EXIT(ret);
}
@@
-1051,9
+1104,10
@@
static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
- X509 *ca, X509 *rcert, EVP_PKEY *rkey,
+ X509 *ca, X509 *rcert,
+ EVP_PKEY *rkey, const EVP_MD *rmd,
STACK_OF(X509) *rother, unsigned long flags,
STACK_OF(X509) *rother, unsigned long flags,
- int nmin, int ndays)
+ int nmin, int ndays
, int badsig
)
{
ASN1_TIME *thisupd = NULL, *nextupd = NULL;
OCSP_CERTID *cid, *ca_id = NULL;
{
ASN1_TIME *thisupd = NULL, *nextupd = NULL;
OCSP_CERTID *cid, *ca_id = NULL;
@@
-1142,7
+1196,10
@@
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db
OCSP_copy_nonce(bs, req);
OCSP_copy_nonce(bs, req);
- OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
+ OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
+
+ if (badsig)
+ bs->signature->data[bs->signature->length -1] ^= 0x1;
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
@@
-1176,7
+1233,7
@@
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
/* Quick and dirty OCSP server: read in and parse input request */
/* Quick and dirty OCSP server: read in and parse input request */
-static BIO *init_responder(char *port)
+static BIO *init_responder(c
onst c
har *port)
{
BIO *acbio = NULL, *bufbio = NULL;
bufbio = BIO_new(BIO_f_buffer());
{
BIO *acbio = NULL, *bufbio = NULL;
bufbio = BIO_new(BIO_f_buffer());
@@
-1207,7
+1264,8
@@
static BIO *init_responder(char *port)
return NULL;
}
return NULL;
}
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
+ const char *port)
{
int have_post = 0, len;
OCSP_REQUEST *req = NULL;
{
int have_post = 0, len;
OCSP_REQUEST *req = NULL;
@@
-1273,9
+1331,9
@@
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
return 1;
}
return 1;
}
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
- STACK_OF(CONF_VALUE) *headers,
- OCSP_REQUEST *req, int req_timeout)
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, c
onst c
har *path,
+
const
STACK_OF(CONF_VALUE) *headers,
+
OCSP_REQUEST *req, int req_timeout)
{
int fd;
int rv;
{
int fd;
int rv;
@@
-1371,9
+1429,10
@@
static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
}
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
}
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
- char *host, char *path, char *port, int use_ssl,
- STACK_OF(CONF_VALUE) *headers,
- int req_timeout)
+ const char *host, const char *path,
+ const char *port, int use_ssl,
+ const STACK_OF(CONF_VALUE) *headers,
+ int req_timeout)
{
BIO *cbio = NULL;
SSL_CTX *ctx = NULL;
{
BIO *cbio = NULL;
SSL_CTX *ctx = NULL;