X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=crypto%2Focsp%2Focsp_ext.c;h=ec884cb08f4429f0fc4eeb6a4f32a5350e2d5585;hb=507b0d9d38486dbde08d7dc359d2d6fc904ee624;hp=56c54f735b55d978c2853b3f9d1c4cdde22fe1f3;hpb=26e083ccb72f0bfabb443c67b121ad8f9192217e;p=oweals%2Fopenssl.git

diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c
index 56c54f735b..ec884cb08f 100644
--- a/crypto/ocsp/ocsp_ext.c
+++ b/crypto/ocsp/ocsp_ext.c
@@ -264,9 +264,9 @@ int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
 	}
 
 /* also CRL Entry Extensions */
-
-ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
-				char *data, STACK_OF(ASN1_OBJECT) *sk)
+#if 0
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
+				void *data, STACK_OF(ASN1_OBJECT) *sk)
         {
 	int i;
 	unsigned char *p, *b = NULL;
@@ -274,18 +274,23 @@ ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(),
 	if (data)
 	        {
 		if ((i=i2d(data,NULL)) <= 0) goto err;
-		if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+		if (!(b=p=OPENSSL_malloc((unsigned int)i)))
 			goto err;
 	        if (i2d(data, &p) <= 0) goto err;
 		}
 	else if (sk)
 	        {
-		if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,i2d,V_ASN1_SEQUENCE,
-				   V_ASN1_UNIVERSAL,IS_SEQUENCE))<=0) goto err;
-		if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+		if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
+						   (I2D_OF(ASN1_OBJECT))i2d,
+						   V_ASN1_SEQUENCE,
+						   V_ASN1_UNIVERSAL,
+						   IS_SEQUENCE))<=0) goto err;
+		if (!(b=p=OPENSSL_malloc((unsigned int)i)))
 			goto err;
-		if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,i2d,V_ASN1_SEQUENCE,
-				 V_ASN1_UNIVERSAL,IS_SEQUENCE)<=0) goto err;
+		if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,(I2D_OF(ASN1_OBJECT))i2d,
+						V_ASN1_SEQUENCE,
+						V_ASN1_UNIVERSAL,
+						IS_SEQUENCE)<=0) goto err;
 		}
 	else
 		{
@@ -300,39 +305,75 @@ err:
 	if (b) OPENSSL_free(b);
 	return NULL;
 	}
+#endif
 
 /* Nonce handling functions */
 
-/* Add a nonce to an OCSP request. A nonce can be specificed or if NULL
+/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
  * a random nonce will be generated.
+ * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the 
+ * nonce, previous versions used the raw nonce.
  */
 
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
 	{
 	unsigned char *tmpval;
 	ASN1_OCTET_STRING os;
 	int ret = 0;
 	if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
-	if (val) tmpval = val;
+	/* Create the OCTET STRING manually by writing out the header and
+	 * appending the content octets. This avoids an extra memory allocation
+	 * operation in some cases. Applications should *NOT* do this because
+         * it relies on library internals.
+	 */
+	os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
+	os.data = OPENSSL_malloc(os.length);
+	if (os.data == NULL)
+		goto err;
+	tmpval = os.data;
+	ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
+	if (val)
+		memcpy(tmpval, val, len);
 	else
-		{
-		if (!(tmpval = OPENSSL_malloc(len))) goto err;
 		RAND_pseudo_bytes(tmpval, len);
-		}
-	os.data = tmpval;
-	os.length = len;
-	if(!OCSP_REQUEST_add1_ext_i2d(req, NID_id_pkix_OCSP_Nonce,
+	if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
 			&os, 0, X509V3_ADD_REPLACE))
 				goto err;
 	ret = 1;
 	err:
-	if(!val) OPENSSL_free(tmpval);
+	if (os.data)
+		OPENSSL_free(os.data);
 	return ret;
 	}
 
-/* Check nonce validity in a request and response: the nonce
- * must be either absent in both or present and equal in both. 
+
+/* Add nonce to an OCSP request */
+
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+	{
+	return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
+	}
+
+/* Same as above but for a response */
+
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
+	{
+	return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
+	}
+
+/* Check nonce validity in a request and response.
+ * Return value reflects result:
+ *  1: nonces present and equal.
+ *  2: nonces both absent.
+ *  3: nonce present in response only.
+ *  0: nonces both present and not equal.
+ * -1: nonce in request only.
+ *
+ *  For most responders clients can check return > 0.
+ *  If responder doesn't handle nonces return != 0 may be
+ *  necessary. return == 0 is always an error.
  */
+
 int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
 	{
 	/*
@@ -343,32 +384,25 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
 	 * freed immediately anyway.
 	 */
 
-	int ret = 0, req_idx, resp_idx;
+	int req_idx, resp_idx;
 	X509_EXTENSION *req_ext, *resp_ext;
 	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
 	resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
-	/* If both absent its OK */
-	if((req_idx < 0) && (resp_idx < 0)) return 1;
-	if((req_idx < 0) && (resp_idx >= 0))
-		{
-		OCSPerr(OCSP_F_OCSP_CHECK_NONCE, OCSP_R_NONCE_MISSING_IN_RESPONSE);
-		goto err;
-		}
+	/* Check both absent */
+	if((req_idx < 0) && (resp_idx < 0))
+		return 2;
+	/* Check in request only */
+	if((req_idx >= 0) && (resp_idx < 0))
+		return -1;
+	/* Check in response but not request */
 	if((req_idx < 0) && (resp_idx >= 0))
-		{
-		OCSPerr(OCSP_F_OCSP_CHECK_NONCE, OCSP_R_UNEXPECTED_NONCE_IN_RESPONSE);
-		goto err;
-		}
+		return 3;
+	/* Otherwise nonce in request and response so retrieve the extensions */
 	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
 	resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
 	if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
-		{
-		OCSPerr(OCSP_F_OCSP_CHECK_NONCE, OCSP_R_NONCE_VALUE_MISMATCH);
-		goto err;
-		}
-	ret = 1;
-	err:
-	return ret;
+		return 0;
+	return 1;
 	}
 
 /* Copy the nonce value (if any) from an OCSP request to 
@@ -409,16 +443,10 @@ X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
 		if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) 
 		        goto err;
 		}
-	if (!(x = X509_EXTENSION_new())) goto err;
-	if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) goto err;
-	if (!(ASN1_STRING_encode(x->value,i2d_OCSP_CRLID,(char*)cid,NULL)))
-	        goto err;
-	OCSP_CRLID_free(cid);
-	return x;
+	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
 err:
-	if (x) X509_EXTENSION_free(x);
 	if (cid) OCSP_CRLID_free(cid);
-	return NULL;
+	return x;
 	}
 
 /*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
@@ -429,24 +457,17 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids)
 	ASN1_OBJECT *o = NULL;
         X509_EXTENSION *x = NULL;
 
-	if (!(sk = sk_ASN1_OBJECT_new(NULL))) goto err;
+	if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
 	while (oids && *oids)
 	        {
 		if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid))) 
 		        sk_ASN1_OBJECT_push(sk, o);
 		oids++;
 		}
-	if (!(x = X509_EXTENSION_new())) goto err;
-	if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses)))
-		goto err;
-	if (!(ASN1_STRING_encode(x->value,i2d_ASN1_OBJECT,NULL,sk)))
-	        goto err;
-	sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
-	return x;
+	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
 err:
-	if (x) X509_EXTENSION_free(x);
 	if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
-	return NULL;
+	return x;
         }
 
 /*  ArchiveCutoff ::= GeneralizedTime */
@@ -457,16 +478,10 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
 
 	if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
 	if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
-	if (!(x = X509_EXTENSION_new())) goto err;
-	if (!(x->object=OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))goto err;
-	if (!(ASN1_STRING_encode(x->value,i2d_ASN1_GENERALIZEDTIME,
-				 (char*)gt,NULL))) goto err;
-	ASN1_GENERALIZEDTIME_free(gt);
-	return x;
+	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
 err:
 	if (gt) ASN1_GENERALIZEDTIME_free(gt);
-	if (x) X509_EXTENSION_free(x);
-	return NULL;
+	return x;
 	}
 
 /* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
@@ -482,7 +497,7 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
 	
 	if (!(sloc = OCSP_SERVICELOC_new())) goto err;
 	if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
-	if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new(NULL))) goto err;
+	if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
 	while (urls && *urls)
 	        {
 		if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
@@ -495,16 +510,9 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
 		if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
 		urls++;
 		}
-	if (!(x = X509_EXTENSION_new())) goto err;
-	if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator))) 
-	        goto err;
-	if (!(ASN1_STRING_encode(x->value, i2d_OCSP_SERVICELOC,
-				 (char*)sloc, NULL))) goto err;
-	OCSP_SERVICELOC_free(sloc);
-	return x;
+	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
 err:
-	if (x) X509_EXTENSION_free(x);
 	if (sloc) OCSP_SERVICELOC_free(sloc);
-	return NULL;
+	return x;
 	}