X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Focsp%2Focsp_lib.c;h=3875af165c717fdb4cd670a31c0718a7f3164dc9;hp=18511e4fd89266348e306b7b7190a4a2ea646fb7;hb=dc90f64d563f2c9709749d0731d6b26c6bce5325;hpb=02e4fbed3d256f4f1fffff84f307a336b50fae1f diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c index 18511e4fd8..3875af165c 100644 --- a/crypto/ocsp/ocsp_lib.c +++ b/crypto/ocsp/ocsp_lib.c @@ -77,11 +77,19 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) X509_NAME *iname; ASN1_INTEGER *serial; ASN1_BIT_STRING *ikey; -#ifndef NO_SHA1 +#ifndef OPENSSL_NO_SHA1 if(!dgst) dgst = EVP_sha1(); #endif - iname = X509_get_issuer_name(subject); - serial = X509_get_serialNumber(subject); + if (subject) + { + iname = X509_get_issuer_name(subject); + serial = X509_get_serialNumber(subject); + } + else + { + iname = X509_get_subject_name(issuer); + serial = NULL; + } ikey = X509_get0_pubkey_bitstr(issuer); return OCSP_cert_id_new(dgst, iname, ikey, serial); } @@ -115,12 +123,15 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err; /* Calculate the issuerKey hash, excluding tag and length */ - EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst); + EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL); if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err; - - if (cid->serialNumber != NULL) ASN1_INTEGER_free(cid->serialNumber); - if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err; + + if (serialNumber) + { + ASN1_INTEGER_free(cid->serialNumber); + if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err; + } return cid; digerr: OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR); @@ -147,20 +158,104 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber); } -/* XXX assumes certs in signature are sorted root to leaf XXX */ -int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey) - { - STACK_OF(X509) *sk; - if (!req->optionalSignature) return 0; - if (pkey == NULL) - { - if (!(sk = req->optionalSignature->certs)) return 0; - if (!(pkey=X509_get_pubkey(sk_X509_value(sk, sk_X509_num(sk)-1)))) - { - OCSPerr(OCSP_F_REQUEST_VERIFY,OCSP_R_NO_PUBLIC_KEY); - return 0; - } +/* Parse a URL and split it up into host, port and path components and whether + * it is SSL. + */ + +int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl) + { + char *p, *buf; + + char *host, *port; + + /* dup the buffer since we are going to mess with it */ + buf = BUF_strdup(url); + if (!buf) goto mem_err; + + *phost = NULL; + *pport = NULL; + *ppath = NULL; + + /* Check for initial colon */ + p = strchr(buf, ':'); + + if (!p) goto parse_err; + + *(p++) = '\0'; + + if (!strcmp(buf, "http")) + { + *pssl = 0; + port = "80"; + } + else if (!strcmp(buf, "https")) + { + *pssl = 1; + port = "443"; } - return OCSP_REQUEST_verify(req, pkey); - } + else + goto parse_err; + + /* Check for double slash */ + if ((p[0] != '/') || (p[1] != '/')) + goto parse_err; + + p += 2; + + host = p; + + /* Check for trailing part of path */ + + p = strchr(p, '/'); + + if (!p) + *ppath = BUF_strdup("/"); + else + { + *ppath = BUF_strdup(p); + /* Set start of path to 0 so hostname is valid */ + *p = '\0'; + } + + if (!*ppath) goto mem_err; + + /* Look for optional ':' for port number */ + if ((p = strchr(host, ':'))) + { + *p = 0; + port = p + 1; + } + else + { + /* Not found: set default port */ + if (*pssl) port = "443"; + else port = "80"; + } + + *pport = BUF_strdup(port); + if (!*pport) goto mem_err; + + *phost = BUF_strdup(host); + + if (!*phost) goto mem_err; + + OPENSSL_free(buf); + + return 1; + + mem_err: + OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE); + goto err; + + parse_err: + OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL); + + + err: + if (*ppath) OPENSSL_free(*ppath); + if (*pport) OPENSSL_free(*pport); + if (*phost) OPENSSL_free(*phost); + return 0; + + }