After the latest round of header-hacking, regenerate the dependencies in
[openssl.git] / crypto / ocsp / ocsp_lib.c
index 2a6c472..9e87fc7 100644 (file)
@@ -64,6 +64,7 @@
 #include <stdio.h>
 #include <cryptlib.h>
 #include <openssl/objects.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
@@ -76,12 +77,20 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
        X509_NAME *iname;
        ASN1_INTEGER *serial;
        ASN1_BIT_STRING *ikey;
-#ifndef NO_SHA1
+#ifndef OPENSSL_NO_SHA1
        if(!dgst) dgst = EVP_sha1();
 #endif
-       iname = X509_get_issuer_name(subject);
-       serial = X509_get_serialNumber(subject);
-       ikey = issuer->cert_info->key->public_key;
+       if (subject)
+               {
+               iname = X509_get_issuer_name(subject);
+               serial = X509_get_serialNumber(subject);
+               }
+       else
+               {
+               iname = X509_get_subject_name(issuer);
+               serial = NULL;
+               }
+       ikey = X509_get0_pubkey_bitstr(issuer);
        return OCSP_cert_id_new(dgst, iname, ikey, serial);
 }
 
@@ -96,7 +105,6 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
        X509_ALGOR *alg;
        OCSP_CERTID *cid = NULL;
        unsigned char md[EVP_MAX_MD_SIZE];
-       EVP_MD_CTX ctx;
 
        if (!(cid = OCSP_CERTID_new())) goto err;
 
@@ -115,14 +123,15 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
        if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
 
        /* Calculate the issuerKey hash, excluding tag and length */
-       EVP_DigestInit(&ctx,dgst);
-       EVP_DigestUpdate(&ctx,issuerKey->data, issuerKey->length);
-       EVP_DigestFinal(&ctx,md,&i);
+       EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL);
 
        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
-       
-       if (cid->serialNumber != NULL) ASN1_INTEGER_free(cid->serialNumber);
-       if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+
+       if (serialNumber)
+               {
+               ASN1_INTEGER_free(cid->serialNumber);
+               if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+               }
        return cid;
 digerr:
        OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
@@ -131,271 +140,123 @@ err:
        return NULL;
        }
 
-OCSP_CERTSTATUS *OCSP_cert_status_new(int status, int reason, char *tim)
-        {
-       OCSP_REVOKEDINFO *ri;
-       OCSP_CERTSTATUS *cs = NULL;
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+       {
+       int ret;
+       ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
+       if (ret) return ret;
+       ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
+       if (ret) return ret;
+       return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
+       }
 
-       if (!(cs = OCSP_CERTSTATUS_new())) goto err;
-       if ((cs->type = status) == V_OCSP_CERTSTATUS_REVOKED)
-               {
-               if (!time)
-                       {
-                       OCSPerr(OCSP_F_CERT_STATUS_NEW,OCSP_R_REVOKED_NO_TIME);
-                       goto err;
-                       }
-               if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
-               if (!ASN1_GENERALIZEDTIME_set_string(ri->revocationTime,tim))
-                       goto err;       
-               if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
-                       {
-                       if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
-                               goto err;
-                       if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
-                                                 reason)))
-                               goto err;       
-                       }
-               }
-       return cs;
-err:
-       if (cs) OCSP_CERTSTATUS_free(cs);
-       return NULL;
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+       {
+       int ret;
+       ret = OCSP_id_issuer_cmp(a, b);
+       if (ret) return ret;
+       return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
        }
 
-OCSP_ONEREQ *OCSP_request_add0(OCSP_REQUEST *req, OCSP_CERTID *cid)
-        {
-       OCSP_ONEREQ *one = NULL;
-
-       if (!(one = OCSP_ONEREQ_new())) goto err;
-       if (one->reqCert) OCSP_CERTID_free(one->reqCert);
-       one->reqCert = cid;
-       if (req &&
-               !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
-                               goto err;
-       return one;
-err:
-       if (one) OCSP_ONEREQ_free(one);
-       return NULL;
-        }
 
-int OCSP_request_sign(OCSP_REQUEST   *req,
-                     EVP_PKEY       *key,
-                     const EVP_MD   *dgst,
-                     STACK_OF(X509) *certs)
-        {
-       int i;
-       OCSP_SIGNATURE *sig;
+/* Parse a URL and split it up into host, port and path components and whether
+ * it is SSL.
+ */
 
-       if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
-       if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
-       if (certs)
-               {
-               if (!(sig->certs = sk_X509_dup(certs))) goto err;
-               for (i = 0; i < sk_X509_num(sig->certs); i++)
-                       {
-                       sk_X509_set(sig->certs, i, 
-                              X509_dup(sk_X509_value(certs,i)));
-                       if (! sk_X509_value(sig->certs, i))
-                             goto err;
-                       }
-               }
-       return 1;
-err:
-       if (req->optionalSignature)
-               {
-               OCSP_SIGNATURE_free(req->optionalSignature);
-               req->optionalSignature = NULL;
-               }
-       return 0;
-       }
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
+       {
+       char *p, *buf;
 
-OCSP_BASICRESP *OCSP_basic_response_new(int type, X509* cert)
-        {
-       time_t t;
-       OCSP_RESPID *rid;
-        ASN1_BIT_STRING *bs;
-       OCSP_BASICRESP *rsp = NULL;
-       unsigned char md[SHA_DIGEST_LENGTH];
-       
-       if (!(rsp = OCSP_BASICRESP_new())) goto err;
-       rid = rsp->tbsResponseData->responderId;
-       switch (rid->type = type)
-               {
-               case V_OCSP_RESPID_NAME:
-                       /* cert is user cert */
-                       if (!(rid->value.byName =
-                                 X509_NAME_dup(X509_get_subject_name(cert))))
-                               goto err;
-                       break;
-               case V_OCSP_RESPID_KEY:
-                       /* cert is issuer cert */
-                       /* SHA-1 hash of responder's public key
-                         * (excluding the tag and length fields)
-                        */
-                       bs = cert->cert_info->key->public_key;
-                       SHA1(ASN1_STRING_data((ASN1_STRING*)bs), 
-                            ASN1_STRING_length((ASN1_STRING*)bs), md);
-                       if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
-                               goto err;
-                       if (!(ASN1_OCTET_STRING_set(rid->value.byKey,
-                                                   md, sizeof md)))
-                               goto err;
-                       break;
-               default:
-                       OCSPerr(OCSP_F_BASIC_RESPONSE_NEW,OCSP_R_BAD_TAG);
-                       goto err;
-                       break;
-               }
-       time(&t);
-       if (!(ASN1_GENERALIZEDTIME_set(rsp->tbsResponseData->producedAt, t)))
-               goto err;
-       if (!(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new(NULL))) goto err;
-       return rsp;
-err:
-       if (rsp) OCSP_BASICRESP_free(rsp);
-       return NULL;
-       }
+       char *host, *port;
 
-int OCSP_basic_response_add(OCSP_BASICRESP           *rsp,
-                           OCSP_CERTID              *cid,
-                           OCSP_CERTSTATUS          *cst,
-                           char                     *this,
-                           char                     *next)
-        {
-       OCSP_SINGLERESP *single = NULL;
-
-       if (!(single = OCSP_SINGLERESP_new())) goto err;
-       if (single->certId) OCSP_CERTID_free(single->certId);
-       if (!(single->certId = OCSP_CERTID_dup(cid))) goto err;
-       if (single->certStatus) OCSP_CERTSTATUS_free(single->certStatus);
-       if (!(single->certStatus = OCSP_CERTSTATUS_dup(cst))) goto err;
-       if (!ASN1_GENERALIZEDTIME_set_string(single->thisUpdate,this))goto err;
-       if (next)
-                { 
-               if (!(single->nextUpdate = ASN1_GENERALIZEDTIME_new()))
-                       goto err;
-               if (!ASN1_GENERALIZEDTIME_set_string(single->nextUpdate,next))
-                       goto err;
-               }
-       if (!sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses,single)) goto err;
-       return 1;
-err:
-       if (single) OCSP_SINGLERESP_free(single);
-       return 0;
-       }
+       /* dup the buffer since we are going to mess with it */
+       buf = BUF_strdup(url);
+       if (!buf) goto mem_err;
 
-int OCSP_basic_response_sign(OCSP_BASICRESP *brsp, 
-                            EVP_PKEY       *key,
-                            const EVP_MD   *dgst,
-                            STACK_OF(X509) *certs)
-        {
-       int i;
+       *phost = NULL;
+       *pport = NULL;
+       *ppath = NULL;
 
-       /* Right now, I think that not doing double hashing is the right
-          thing.       -- Richard Levitte */
-       if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
-       if (certs)
-               {
-               if (!(brsp->certs = sk_X509_dup(certs))) goto err;
-               for (i = 0; i < sk_X509_num(brsp->certs); i++)
-                       {
-                       sk_X509_set(brsp->certs, i,
-                              X509_dup(sk_X509_value(certs, i)));
-                       if (! sk_X509_value(brsp->certs, i))
-                               goto err;
-                       }
-               }
-       return 1;
-err:
-       return 0;
-       }
+       /* Check for initial colon */
+       p = strchr(buf, ':');
 
-OCSP_RESPONSE *OCSP_response_new(int status,
-                                int nid,
-                                int (*i2d)(),
-                                char *data)
-        {
-        OCSP_RESPONSE *rsp = NULL;
-
-       if (!(rsp = OCSP_RESPONSE_new())) goto err;
-       if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
-       if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
-       if (rsp->responseBytes->responseType) ASN1_OBJECT_free(rsp->responseBytes->responseType);
-       if (!(rsp->responseBytes->responseType = OBJ_nid2obj(nid))) goto err;
-       if (!ASN1_STRING_encode((ASN1_STRING*)rsp->responseBytes->response,
-                               i2d, data, NULL)) goto err;
-       return rsp;
-err:
-       if (rsp) OCSP_RESPONSE_free(rsp);
-       return NULL;
-       }
+       if (!p) goto parse_err;
 
-/* XXX assumes certs in signature are sorted root to leaf XXX */
-int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey)
-        {
-       STACK_OF(X509) *sk;
+       *(p++) = '\0';
 
-       if (!req->optionalSignature) return 0;
-       if (pkey == NULL)
-               {
-               if (!(sk = req->optionalSignature->certs)) return 0;
-               if (!(pkey=X509_get_pubkey(sk_X509_value(sk, sk_X509_num(sk)-1))))
-                       {
-                       OCSPerr(OCSP_F_REQUEST_VERIFY,OCSP_R_NO_PUBLIC_KEY);
-                       return 0;
-                       }
+       if (!strcmp(buf, "http"))
+               {
+               *pssl = 0;
+               port = "80";
+               }
+       else if (!strcmp(buf, "https"))
+               {
+               *pssl = 1;
+               port = "443";
                }
-       return OCSP_REQUEST_verify(req, pkey);
-        }
+       else
+               goto parse_err;
 
-int OCSP_response_verify(OCSP_RESPONSE *rsp, EVP_PKEY *pkey)
-        {
-       int i, r;
-       unsigned char *p;
-       OCSP_RESPBYTES *rb;
-       OCSP_BASICRESP *br = NULL;
+       /* Check for double slash */
+       if ((p[0] != '/') || (p[1] != '/'))
+               goto parse_err;
 
-       if ((rb = rsp->responseBytes) == NULL) 
-               {
-               OCSPerr(OCSP_F_RESPONSE_VERIFY,OCSP_R_NO_RESPONSE_DATA);
-                return 0;
-               }
-       if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
-               {
-               OCSPerr(OCSP_F_RESPONSE_VERIFY,OCSP_R_BAD_TAG);
-                return 0;
+       p += 2;
+
+       host = p;
+
+       /* Check for trailing part of path */
+
+       p = strchr(p, '/');
+
+       if (!p) 
+               *ppath = BUF_strdup("/");
+       else
+               {
+               *ppath = BUF_strdup(p);
+               /* Set start of path to 0 so hostname is valid */
+               *p = '\0';
                }
-       p = ASN1_STRING_data(rb->response);
-       i = ASN1_STRING_length(rb->response);
-       if (!(d2i_OCSP_BASICRESP(&br, &p, i))) return 0;
-       r = OCSP_basic_response_verify(br, pkey);
-       OCSP_BASICRESP_free(br);
-       return r;
-        }
-
-int OCSP_basic_response_verify(OCSP_BASICRESP *rsp, EVP_PKEY *pkey)
-        {
-       STACK_OF(X509) *sk;
-       int ret;
 
-       if (!rsp->signature) 
-               {
-               OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_SIGNATURE);
-                return 0;
+       if (!*ppath) goto mem_err;
+
+       /* Look for optional ':' for port number */
+       if ((p = strchr(host, ':')))
+               {
+               *p = 0;
+               port = p + 1;
                }
-       if (pkey == NULL)
-               {
-               if (!(sk = rsp->certs))
-                       {
-                       OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_CERTIFICATE);
-                       return 0;
-                       }
-               if (!(pkey=X509_get_pubkey(sk_X509_value(sk, sk_X509_num(sk)-1))))
-                       {
-                       OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_PUBLIC_KEY);
-                       return 0;
-                       }
+       else
+               {
+               /* Not found: set default port */
+               if (*pssl) port = "443";
+               else port = "80";
                }
-       ret = OCSP_BASICRESP_verify(rsp, pkey, 0);
-       return ret;
-        }
+
+       *pport = BUF_strdup(port);
+       if (!*pport) goto mem_err;
+
+       *phost = BUF_strdup(host);
+
+       if (!*phost) goto mem_err;
+
+       OPENSSL_free(buf);
+
+       return 1;
+
+       mem_err:
+       OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
+       goto err;
+
+       parse_err:
+       OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
+
+
+       err:
+       if (buf) OPENSSL_free(buf);
+       if (*ppath) OPENSSL_free(*ppath);
+       if (*pport) OPENSSL_free(*pport);
+       if (*phost) OPENSSL_free(*phost);
+       return 0;
+
+       }