X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Focsp.c;h=982eddf20cccaacdf4033441d6d63802958c9e5d;hp=4d44da845cec50f9b1ce024baf5b01f99c9bc347;hb=bb7fc98c43e29b9169522f6e25aa5988ce931c6c;hpb=fc3cec53501ec226a493b0b04b9dd0a6f7944b0f
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 4d44da845c..982eddf20c 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -68,6 +68,7 @@
 # include
 # include
 # include
+# include
 # include "apps.h" /* needs to be included before the openssl
 * headers! */
 # include
@@ -130,7 +131,7 @@ typedef enum OPTION_choice {
 OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
- OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH,
+ OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH,
 OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
@@ -182,6 +183,10 @@ OPTIONS ocsp_options[] = {
 "Additional certificates to search for signer"}, {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
 {"validity_period", OPT_VALIDITY_PERIOD, 'u', "Maximum validity discrepancy in seconds"}, {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
@@ -235,6 +240,7 @@ int ocsp_main(int argc, char **argv)
 char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; char *signfile = NULL, *keyfile = NULL; char *thost = NULL, *tport = NULL, *tpath = NULL;
+ int noCAfile = 0, noCApath = 0;
 int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1; int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1; int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1;
@@ -274,6 +280,7 @@ int ocsp_main(int argc, char **argv)
 OPENSSL_free(thost); OPENSSL_free(tport); OPENSSL_free(tpath);
+ thost = tport = tpath = NULL;
 if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) { BIO_printf(bio_err, "%s Error parsing URL\n", prog); goto end;
@@ -367,6 +374,12 @@ int ocsp_main(int argc, char **argv)
 case OPT_CAPATH: CApath = opt_arg(); break;
+ case OPT_NOCAFILE:
+ noCAfile = 1;
+ break;
+ case OPT_NOCAPATH:
+ noCApath = 1;
+ break;
 case OPT_V_CASES: if (!opt_verify(o, vpm)) goto end;
@@ -391,13 +404,14 @@ int ocsp_main(int argc, char **argv)
 path = opt_arg(); break; case OPT_ISSUER:
- X509_free(issuer);
 issuer = load_cert(opt_arg(), FORMAT_PEM, NULL, NULL, "issuer certificate"); if (issuer == NULL) goto end;
- if ((issuers = sk_X509_new_null()) == NULL)
- goto end;
+ if (issuers == NULL) {
+ if ((issuers = sk_X509_new_null()) == NULL)
+ goto end;
+ }
 sk_X509_push(issuers, issuer); break; case OPT_CERT:
@@ -481,7 +495,7 @@ int ocsp_main(int argc, char **argv)
 if (!req && !reqin && !respin && !(port && ridx_filename)) goto opthelp;
- out = bio_open_default(outfile, "w");
+ out = bio_open_default(outfile, 'w', FORMAT_TEXT);
 if (out == NULL) goto end;
@@ -489,7 +503,7 @@ int ocsp_main(int argc, char **argv)
 add_nonce = 0; if (!req && reqin) {
- derbio = bio_open_default(reqin, "rb");
+ derbio = bio_open_default(reqin, 'r', FORMAT_ASN1);
 if (derbio == NULL) goto end; req = d2i_OCSP_REQUEST_bio(derbio, NULL);
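Review bot: In the OPT_ISSUER case the return value of `sk_X509_push(issuers, issuer)` is still ignored, so an allocation failure leaves the freshly loaded `issuer` owned by nothing while the option appears to have been accepted; check it with `if (!sk_X509_push(issuers, issuer)) { X509_free(issuer); goto end; }`. That assumes the stack is now the sole owner of every issuer, which the cleanup hunk's `sk_X509_pop_free(issuers, X509_free)` implies; a leftover `X509_free(issuer)` at `end:` (not visible in this hunk) would then double-free the last one and should be removed. ocsp_main begins and ends outside the hunk.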
@@ -584,7 +598,7 @@ int ocsp_main(int argc, char **argv)
 OCSP_REQUEST_print(out, req, 0); if (reqout) {
- derbio = bio_open_default(reqout, "wb");
+ derbio = bio_open_default(reqout, 'w', FORMAT_ASN1);
 if (derbio == NULL) goto end; i2d_OCSP_REQUEST_bio(derbio, req);
@@ -622,7 +636,7 @@ int ocsp_main(int argc, char **argv)
 goto end; # endif } else if (respin) {
- derbio = bio_open_default(respin, "rb");
+ derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
 if (derbio == NULL) goto end; resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
@@ -639,7 +653,7 @@ int ocsp_main(int argc, char **argv)
 done_resp: if (respout) {
- derbio = bio_open_default(respout, "wb");
+ derbio = bio_open_default(respout, 'w', FORMAT_ASN1);
 if (derbio == NULL) goto end; i2d_OCSP_RESPONSE_bio(derbio, resp);
@@ -661,7 +675,8 @@ int ocsp_main(int argc, char **argv)
 /* If running as responder don't verify our own response */ if (cbio) {
- if (--accept_count <= 0) {
+ /* If not unlimited, see if we took all we should. */
+ if (accept_count != -1 && --accept_count <= 0) {
 ret = 0; goto end; }
@@ -679,7 +694,7 @@ int ocsp_main(int argc, char **argv)
 } if (!store) {
- store = setup_verify(CAfile, CApath);
+ store = setup_verify(CAfile, CApath, noCAfile, noCApath);
 if (!store) goto end; }
@@ -736,6 +751,7 @@ int ocsp_main(int argc, char **argv)
 EVP_PKEY_free(key); EVP_PKEY_free(rkey); X509_free(cert);
+ sk_X509_pop_free(issuers, X509_free);
 X509_free(rsigner); X509_free(rca_cert); free_index(rdb);
@@ -1006,22 +1022,27 @@ static BIO *init_responder(const char *port)
 { BIO *acbio = NULL, *bufbio = NULL;
- bufbio = BIO_new(BIO_f_buffer());
- if (!bufbio)
- goto err;
-# ifndef OPENSSL_NO_SOCK
- acbio = BIO_new_accept(port);
-# else
+# ifdef OPENSSL_NO_SOCK
 BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
+ return NULL;
 # endif
- if (!acbio)
+ bufbio = BIO_new(BIO_f_buffer());
+ if (!bufbio)
 goto err;
+ acbio = BIO_new(BIO_s_accept());
+ if (acbio == NULL
+ || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
+ || BIO_set_accept_port(acbio, port) < 0) {
+ BIO_printf(bio_err, "Error setting up accept BIO\n");
+ ERR_print_errors(bio_err);
+ goto err;
+ }
+
 BIO_set_accept_bios(acbio, bufbio); bufbio = NULL;
- if (BIO_do_accept(acbio) <= 0) {
- BIO_printf(bio_err, "Error setting up accept BIO\n");
+ BIO_printf(bio_err, "Error starting accept\n");
 ERR_print_errors(bio_err); goto err; }
@@ -1245,12 +1266,14 @@ static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path,
 OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host, const char *path, const char *port, int use_ssl,
- const STACK_OF(CONF_VALUE) *headers,
+ STACK_OF(CONF_VALUE) *headers,
 int req_timeout) { BIO *cbio = NULL; SSL_CTX *ctx = NULL; OCSP_RESPONSE *resp = NULL;
+ int found, i;
+
 cbio = BIO_new_connect(host); if (!cbio) { BIO_printf(bio_err, "Error creating connect BIO\n");
@@ -1260,7 +1283,7 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
 BIO_set_conn_port(cbio, port); if (use_ssl == 1) { BIO *sbio;
- ctx = SSL_CTX_new(SSLv23_client_method());
+ ctx = SSL_CTX_new(TLS_client_method());
 if (ctx == NULL) { BIO_printf(bio_err, "Error creating SSL context.\n"); goto end;
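Review bot: The added `# ifdef OPENSSL_NO_SOCK` block returns early but leaves the rest of init_responder compiled in a no-sock build, where `BIO_s_accept()` and the accept-port setup that follow it are compiled out, so that configuration no longer builds; keep the pre-change `# ifndef OPENSSL_NO_SOCK ... # else ... # endif` shape by turning the new `# endif` into `# else` and closing the conditional after the function body. Separately, the hunk removes `if (BIO_do_accept(acbio) <= 0) {` and nothing on the new side re-adds it, which as rendered leaves the `"Error starting accept\n"` report and its `goto err` unconditional with an unbalanced brace — this may be an artefact of how the diff was rendered, but it is worth confirming the guard survives. init_responder's `err:` label and return lie outside the hunk.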
@@ -1269,6 +1292,17 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
 sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); }
+ for (found = i = 0; i < sk_CONF_VALUE_num(headers); i++) {
+ CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+ if (strcasecmp("host", hdr->name) == 0) {
+ found = 1;
+ break;
+ }
+ }
+
+ if (!found && !X509V3_add_value("Host", host, &headers))
+ BIO_printf(bio_err, "Error setting HTTP Host header\n");
+
 resp = query_responder(cbio, path, headers, req, req_timeout); if (!resp) BIO_printf(bio_err, "Error querying OCSP responder\n");
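Review bot: `X509V3_add_value("Host", host, &headers)` works on process_responder's local copy of `headers`, so when the caller passes NULL the stack it allocates is never freed on any exit path, and when the caller passes its own list the added "Host" entry is left in the caller's stack — which is why the earlier hunk had to drop `const` from the parameter. Record whether the stack was created here, e.g. `int own_headers = (headers == NULL);` before the loop, and at `end:` (outside the hunk) release it with `if (own_headers) sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);`. A failed `X509V3_add_value` is only printed and the request is still sent without a Host header, which a responder insisting on HTTP/1.1 semantics may reject, so `goto end` after the message is the safer outcome. The function's `end:` cleanup is outside this hunk.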