diff options
Diffstat (limited to 'apps/ocsp.c')
-rw-r--r-- | apps/ocsp.c | 214 |
1 files changed, 163 insertions, 51 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c index 3ee6dfb5ed33..1001f3b25ded 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -56,15 +56,14 @@ * */ #ifndef OPENSSL_NO_OCSP - +#define USE_SOCKETS #include <stdio.h> +#include <stdlib.h> #include <string.h> -#include "apps.h" -#include <openssl/pem.h> -#include <openssl/ocsp.h> -#include <openssl/err.h> +#include "apps.h" /* needs to be included before the openssl headers! */ +#include <openssl/e_os2.h> #include <openssl/ssl.h> -#include <openssl/bn.h> +#include <openssl/err.h> /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) @@ -86,6 +85,8 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); +static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, + OCSP_REQUEST *req, int req_timeout); #undef PROG #define PROG ocsp_main @@ -112,11 +113,11 @@ int MAIN(int argc, char **argv) BIO *acbio = NULL, *cbio = NULL; BIO *derbio = NULL; BIO *out = NULL; + int req_timeout = -1; int req_text = 0, resp_text = 0; long nsec = MAX_VALIDITY_PERIOD, maxage = -1; char *CAfile = NULL, *CApath = NULL; X509_STORE *store = NULL; - SSL_CTX *ctx = NULL; STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; @@ -154,6 +155,22 @@ int MAIN(int argc, char **argv) } else badarg = 1; } + else if (!strcmp(*args, "-timeout")) + { + if (args[1]) + { + args++; + req_timeout = atol(*args); + if (req_timeout < 0) + { + BIO_printf(bio_err, + "Illegal timeout value %s\n", + *args); + badarg = 1; + } + } + else badarg = 1; + } else if (!strcmp(*args, "-url")) { if (args[1]) @@ -703,52 +720,14 @@ int MAIN(int argc, char **argv) else if (host) { #ifndef OPENSSL_NO_SOCK - cbio = BIO_new_connect(host); + resp = process_responder(bio_err, req, host, path, + port, use_ssl, req_timeout); + if (!resp) + goto end; #else BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n"); goto end; #endif - if (!cbio) - { - BIO_printf(bio_err, "Error creating connect BIO\n"); - goto end; - } - if (port) BIO_set_conn_port(cbio, port); - if (use_ssl == 1) - { - BIO *sbio; -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) - ctx = SSL_CTX_new(SSLv23_client_method()); -#elif !defined(OPENSSL_NO_SSL3) - ctx = SSL_CTX_new(SSLv3_client_method()); -#elif !defined(OPENSSL_NO_SSL2) - ctx = SSL_CTX_new(SSLv2_client_method()); -#else - BIO_printf(bio_err, "SSL is disabled\n"); - goto end; -#endif - if (ctx == NULL) - { - BIO_printf(bio_err, "Error creating SSL context.\n"); - goto end; - } - SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); - sbio = BIO_new_ssl(ctx, 1); - cbio = BIO_push(sbio, cbio); - } - if (BIO_do_connect(cbio) <= 0) - { - BIO_printf(bio_err, "Error connecting BIO\n"); - goto end; - } - resp = OCSP_sendreq_bio(cbio, path, req); - BIO_free_all(cbio); - cbio = NULL; - if (!resp) - { - BIO_printf(bio_err, "Error querying OCSP responsder\n"); - goto end; - } } else if (respin) { @@ -897,7 +876,6 @@ end: OPENSSL_free(host); OPENSSL_free(port); OPENSSL_free(path); - SSL_CTX_free(ctx); } OPENSSL_EXIT(ret); @@ -1121,6 +1099,7 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) char *itmp, *row[DB_NUMBER],**rrow; for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; bn = ASN1_INTEGER_to_BN(ser,NULL); + OPENSSL_assert(bn); /* FIXME: should report an error at this point and abort */ if (BN_is_zero(bn)) itmp = BUF_strdup("00"); else @@ -1227,8 +1206,141 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) return 0; BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL)); i2d_OCSP_RESPONSE_bio(cbio, resp); - BIO_flush(cbio); + (void)BIO_flush(cbio); return 1; } +static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, + OCSP_REQUEST *req, int req_timeout) + { + int fd; + int rv; + OCSP_REQ_CTX *ctx = NULL; + OCSP_RESPONSE *rsp = NULL; + fd_set confds; + struct timeval tv; + + if (req_timeout != -1) + BIO_set_nbio(cbio, 1); + + rv = BIO_do_connect(cbio); + + if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) + { + BIO_puts(err, "Error connecting BIO\n"); + return NULL; + } + + if (req_timeout == -1) + return OCSP_sendreq_bio(cbio, path, req); + + if (BIO_get_fd(cbio, &fd) <= 0) + { + BIO_puts(err, "Can't get connection fd\n"); + goto err; + } + + if (rv <= 0) + { + FD_ZERO(&confds); + openssl_fdset(fd, &confds); + tv.tv_usec = 0; + tv.tv_sec = req_timeout; + rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); + if (rv == 0) + { + BIO_puts(err, "Timeout on connect\n"); + return NULL; + } + } + + + ctx = OCSP_sendreq_new(cbio, path, req, -1); + if (!ctx) + return NULL; + + for (;;) + { + rv = OCSP_sendreq_nbio(&rsp, ctx); + if (rv != -1) + break; + FD_ZERO(&confds); + openssl_fdset(fd, &confds); + tv.tv_usec = 0; + tv.tv_sec = req_timeout; + if (BIO_should_read(cbio)) + rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv); + else if (BIO_should_write(cbio)) + rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); + else + { + BIO_puts(err, "Unexpected retry condition\n"); + goto err; + } + if (rv == 0) + { + BIO_puts(err, "Timeout on request\n"); + break; + } + if (rv == -1) + { + BIO_puts(err, "Select error\n"); + break; + } + + } + err: + if (ctx) + OCSP_REQ_CTX_free(ctx); + + return rsp; + } + +OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, + char *host, char *path, char *port, int use_ssl, + int req_timeout) + { + BIO *cbio = NULL; + SSL_CTX *ctx = NULL; + OCSP_RESPONSE *resp = NULL; + cbio = BIO_new_connect(host); + if (!cbio) + { + BIO_printf(err, "Error creating connect BIO\n"); + goto end; + } + if (port) BIO_set_conn_port(cbio, port); + if (use_ssl == 1) + { + BIO *sbio; +#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) + ctx = SSL_CTX_new(SSLv23_client_method()); +#elif !defined(OPENSSL_NO_SSL3) + ctx = SSL_CTX_new(SSLv3_client_method()); +#elif !defined(OPENSSL_NO_SSL2) + ctx = SSL_CTX_new(SSLv2_client_method()); +#else + BIO_printf(err, "SSL is disabled\n"); + goto end; +#endif + if (ctx == NULL) + { + BIO_printf(err, "Error creating SSL context.\n"); + goto end; + } + SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); + sbio = BIO_new_ssl(ctx, 1); + cbio = BIO_push(sbio, cbio); + } + resp = query_responder(err, cbio, path, req, req_timeout); + if (!resp) + BIO_printf(bio_err, "Error querying OCSP responsder\n"); + end: + if (ctx) + SSL_CTX_free(ctx); + if (cbio) + BIO_free_all(cbio); + return resp; + } + #endif |