/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# include <openssl/x509v3.h>
# include <openssl/rand.h>
-# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK)
+#ifndef HAVE_FORK
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# define HAVE_FORK 0
+# else
+# define HAVE_FORK 1
+# endif
+#endif
+
+#if HAVE_FORK
+# undef NO_FORK
+#else
+# define NO_FORK
+#endif
+
+# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
+ && !defined(OPENSSL_NO_POSIX_IO)
# define OCSP_DAEMON
# include <sys/types.h>
# include <sys/wait.h>
# define LOG_ERR 2
# endif
+# if defined(OPENSSL_SYS_VXWORKS)
+/* not supported */
+int setpgid(pid_t pid, pid_t pgid)
+{
+ errno = ENOSYS;
+ return 0;
+}
+/* not supported */
+pid_t fork(void)
+{
+ errno = ENOSYS;
+ return (pid_t) -1;
+}
+# endif
/* Maximum leeway in validity period: default 5 minutes */
# define MAX_VALIDITY_PERIOD (5 * 60)
static int index_changed(CA_DB *);
static void spawn_loop(void);
static int print_syslog(const char *str, size_t len, void *levPtr);
-static void sock_timeout(int signum);
+static void socket_timeout(int signum);
# endif
# ifndef OPENSSL_NO_SOCK
int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
int req_text = 0, resp_text = 0, ret = 1;
-# ifndef OPENSSL_NO_SOCK
int req_timeout = -1;
-# endif
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
OPTION_CHOICE o;
goto opthelp;
trailing_md = 1;
break;
-# ifdef OCSP_DAEMON
case OPT_MULTI:
+# ifdef OCSP_DAEMON
multi = atoi(opt_arg());
- break;
# endif
+ break;
}
}
if (trailing_md) {
}
if (ridx_filename != NULL
- && (rkey != NULL || rsigner != NULL || rca_cert != NULL)) {
+ && (rkey == NULL || rsigner == NULL || rca_cert == NULL)) {
BIO_printf(bio_err,
"Responder mode requires certificate, key, and CA.\n");
goto end;
if (ridx_filename != NULL) {
rdb = load_index(ridx_filename, NULL);
- if (rdb == NULL || !index_index(rdb)) {
+ if (rdb == NULL || index_index(rdb) <= 0) {
ret = 1;
goto end;
}
if (multi && acbio != NULL)
spawn_loop();
if (acbio != NULL && req_timeout > 0)
- signal(SIGALRM, sock_timeout);
+ signal(SIGALRM, socket_timeout);
#endif
if (acbio != NULL)
if (index_changed(rdb)) {
CA_DB *newrdb = load_index(ridx_filename, NULL);
- if (newrdb != NULL) {
+ if (newrdb != NULL && index_index(newrdb) > 0) {
free_index(rdb);
rdb = newrdb;
} else {
+ free_index(newrdb);
log_message(LOG_ERR, "error reloading updated index: %s",
ridx_filename);
}
goto end;
}
- if (req != NULL && add_nonce)
- OCSP_request_add1_nonce(req, NULL, -1);
+ if (req != NULL && add_nonce) {
+ if (!OCSP_request_add1_nonce(req, NULL, -1))
+ goto end;
+ }
if (signfile != NULL) {
if (keyfile == NULL)
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
BIO_printf(out, "Responder Error: %s (%d)\n",
OCSP_response_status_str(i), i);
- if (!ignore_err) {
- ret = 0;
+ if (!ignore_err)
goto end;
- }
}
if (resp_text)
va_start(ap, fmt);
# ifdef OCSP_DAEMON
if (multi) {
- vsyslog(level, fmt, ap);
+ char buf[1024];
+ if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
+ syslog(level, "%s", buf);
+ }
if (level >= LOG_ERR)
ERR_print_errors_cb(print_syslog, &level);
}
for (i = 0; i < multi; ++i)
if (kidpids[i] != 0)
(void)kill(kidpids[i], SIGTERM);
+ OPENSSL_free(kidpids);
sleep(1);
exit(ret);
}
*/
static void spawn_loop(void)
{
- const char *signame;
pid_t *kidpids = NULL;
int status;
int procs = 0;
else if (WIFSIGNALED(status))
syslog(LOG_WARNING, "child process: %ld, term signal %d%s",
(long)fpid, WTERMSIG(status),
- WCOREDUMP(status) ? " (core dumped)" : "");
+#ifdef WCOREDUMP
+ WCOREDUMP(status) ? " (core dumped)" :
+#endif
+ "");
sleep(1);
}
break;
sleep(30);
break;
case 0: /* child */
+ OPENSSL_free(kidpids);
signal(SIGINT, SIG_DFL);
signal(SIGTERM, SIG_DFL);
if (termsig)
}
/* The loop above can only break on termsig */
- signame = strsignal(termsig);
- syslog(LOG_INFO, "terminating on signal: %s(%d)",
- signame ? signame : "", termsig);
+ syslog(LOG_INFO, "terminating on signal: %d", termsig);
killall(0, kidpids);
}
# endif
goto end;
}
}
- OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags);
+ if (!OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags)) {
+ *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs);
+ goto end;
+ }
if (badsig) {
const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
# endif
# ifdef OCSP_DAEMON
-static void sock_timeout(int signum)
+static void socket_timeout(int signum)
{
if (acfd != (int)INVALID_SOCKET)
(void)shutdown(acfd, SHUT_RD);
*q = '\0';
/*
- * Skip "GET / HTTP..." requests often used by load-balancers
+ * Skip "GET / HTTP..." requests often used by load-balancers. Note:
+ * 'p' was incremented above to point to the first byte *after* the
+ * leading slash, so with 'GET / ' it is now an empty string.
*/
- if (p[1] == '\0')
+ if (p[0] == '\0')
goto out;
len = urldecode(p);
projects / oweals / openssl.git / blobdiff