Loading CHANGES +4 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,10 @@ Changes between 0.9.8k and 1.0 [xx XXX xxxx] Changes between 0.9.8k and 1.0 [xx XXX xxxx] *) Update OCSP request code to permit adding custom headers to the request: some responders need this. [Steve Henson] *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where return value is ignored. NB. The functions RAND_add(), RAND_seed(), return value is ignored. NB. The functions RAND_add(), RAND_seed(), BIO_set_cipher() and some obscure PEM functions were changed so they BIO_set_cipher() and some obscure PEM functions were changed so they Loading apps/apps.h +1 −0 Original line number Original line Diff line number Diff line Loading @@ -259,6 +259,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug); #ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, char *port, int use_ssl, char *host, char *path, char *port, int use_ssl, STACK_OF(CONF_VALUE) *headers, int req_timeout); int req_timeout); #endif #endif Loading apps/ocsp.c +34 −8 Original line number Original line Diff line number Diff line Loading @@ -75,6 +75,7 @@ #include <openssl/ssl.h> #include <openssl/ssl.h> #include <openssl/evp.h> #include <openssl/evp.h> #include <openssl/bn.h> #include <openssl/bn.h> #include <openssl/x509v3.h> #if defined(NETWARE_CLIB) #if defined(NETWARE_CLIB) # ifdef NETWARE_BSDSOCK # ifdef NETWARE_BSDSOCK Loading Loading 
@@ -113,6 +114,7 @@ static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout); OCSP_REQUEST *req, int req_timeout); #undef PROG #undef PROG Loading @@ -131,6 +133,7 @@ int MAIN(int argc, char **argv) char *rsignfile = NULL, *rkeyfile = NULL; char *rsignfile = NULL, *rkeyfile = NULL; char *outfile = NULL; char *outfile = NULL; int add_nonce = 1, noverify = 0, use_ssl = -1; int add_nonce = 1, noverify = 0, use_ssl = -1; STACK_OF(CONF_VALUE) *headers = NULL; OCSP_REQUEST *req = NULL; OCSP_REQUEST *req = NULL; OCSP_RESPONSE *resp = NULL; OCSP_RESPONSE *resp = NULL; OCSP_BASICRESP *bs = NULL; OCSP_BASICRESP *bs = NULL; Loading Loading @@ -230,6 +233,16 @@ int MAIN(int argc, char **argv) } } else badarg = 1; else badarg = 1; } } else if (!strcmp(*args, "-header")) { if (args[1] && args[2]) { if (!X509V3_add_value(args[1], args[2], &headers)) goto end; args += 2; } else badarg = 1; } else if (!strcmp(*args, "-ignore_err")) else if (!strcmp(*args, "-ignore_err")) ignore_err = 1; ignore_err = 1; else if (!strcmp(*args, "-noverify")) else if (!strcmp(*args, "-noverify")) Loading Loading @@ -756,7 +769,7 @@ int MAIN(int argc, char **argv) { { #ifndef OPENSSL_NO_SOCK #ifndef OPENSSL_NO_SOCK resp = process_responder(bio_err, req, host, path, resp = process_responder(bio_err, req, host, path, port, use_ssl, req_timeout); port, use_ssl, headers, req_timeout); if (!resp) if (!resp) goto end; goto end; #else #else Loading Loading 
@@ -905,6 +918,7 @@ end: sk_OCSP_CERTID_free(ids); sk_OCSP_CERTID_free(ids); sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(verify_other, X509_free); sk_X509_pop_free(verify_other, X509_free); sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); if (use_ssl != -1) if (use_ssl != -1) { { Loading Loading @@ -1260,10 +1274,12 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) } } static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout) OCSP_REQUEST *req, int req_timeout) { { int fd; int fd; int rv; int rv; int i; OCSP_REQ_CTX *ctx = NULL; OCSP_REQ_CTX *ctx = NULL; OCSP_RESPONSE *rsp = NULL; OCSP_RESPONSE *rsp = NULL; fd_set confds; fd_set confds; Loading @@ -1280,16 +1296,13 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, return NULL; return NULL; } } if (req_timeout == -1) return OCSP_sendreq_bio(cbio, path, req); if (BIO_get_fd(cbio, &fd) <= 0) if (BIO_get_fd(cbio, &fd) <= 0) { { BIO_puts(err, "Can't get connection fd\n"); BIO_puts(err, "Can't get connection fd\n"); goto err; goto err; } } if (rv <= 0) if (req_timeout != -1 && rv <= 0) { { FD_ZERO(&confds); FD_ZERO(&confds); openssl_fdset(fd, &confds); openssl_fdset(fd, &confds); Loading 
@@ -1304,15 +1317,27 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, } } ctx = OCSP_sendreq_new(cbio, path, req, -1); ctx = OCSP_sendreq_new(cbio, path, NULL, -1); if (!ctx) if (!ctx) return NULL; return NULL; for (i = 0; i < sk_CONF_VALUE_num(headers); i++) { CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i); if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value)) goto err; } if (!OCSP_REQ_CTX_set1_req(ctx, req)) goto err; for (;;) for (;;) { { rv = OCSP_sendreq_nbio(&rsp, ctx); rv = OCSP_sendreq_nbio(&rsp, ctx); if (rv != -1) if (rv != -1) break; break; if (req_timeout == -1) continue; FD_ZERO(&confds); FD_ZERO(&confds); openssl_fdset(fd, &confds); openssl_fdset(fd, &confds); tv.tv_usec = 0; tv.tv_usec = 0; Loading Loading @@ -1347,6 +1372,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, char *port, int use_ssl, char *host, char *path, char *port, int use_ssl, STACK_OF(CONF_VALUE) *headers, int req_timeout) int req_timeout) { { BIO *cbio = NULL; BIO *cbio = NULL; Loading Loading @@ -1381,7 +1407,7 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, sbio = BIO_new_ssl(ctx, 1); sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); cbio = BIO_push(sbio, cbio); } } resp = query_responder(err, cbio, path, req, req_timeout); resp = query_responder(err, cbio, path, headers, req, req_timeout); if (!resp) if (!resp) BIO_printf(bio_err, "Error querying OCSP responsder\n"); BIO_printf(bio_err, "Error querying OCSP responsder\n"); end: end: Loading apps/s_server.c +1 −1 Original line number Original line Diff line number Diff line Loading 
@@ -787,7 +787,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); if (!OCSP_REQUEST_add_ext(req, ext, -1)) if (!OCSP_REQUEST_add_ext(req, ext, -1)) goto err; goto err; } } resp = process_responder(err, req, host, path, port, use_ssl, resp = process_responder(err, req, host, path, port, use_ssl, NULL, srctx->timeout); srctx->timeout); if (!resp) if (!resp) { { Loading crypto/ocsp/ocsp.h +3 −0 Original line number Original line Diff line number Diff line Loading @@ -406,6 +406,9 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline); int maxline); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, const char *value); OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); Loading Loading
CHANGES +4 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,10 @@ Changes between 0.9.8k and 1.0 [xx XXX xxxx] Changes between 0.9.8k and 1.0 [xx XXX xxxx] *) Update OCSP request code to permit adding custom headers to the request: some responders need this. [Steve Henson] *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where return value is ignored. NB. The functions RAND_add(), RAND_seed(), return value is ignored. NB. The functions RAND_add(), RAND_seed(), BIO_set_cipher() and some obscure PEM functions were changed so they BIO_set_cipher() and some obscure PEM functions were changed so they Loading
apps/apps.h +1 −0 Original line number Original line Diff line number Diff line Loading @@ -259,6 +259,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug); #ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, char *port, int use_ssl, char *host, char *path, char *port, int use_ssl, STACK_OF(CONF_VALUE) *headers, int req_timeout); int req_timeout); #endif #endif Loading
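Review bot: The new `headers` parameter of process_responder is undocumented on the prototype; apps/ocsp.c frees the stack with sk_CONF_VALUE_pop_free after the call and apps/s_server.c passes NULL, so the contract appears to be that the caller keeps ownership and NULL means no extra headers. A comment on the declaration would pin that down: `/* headers: optional extra HTTP request headers as name/value pairs, may be NULL; caller retains ownership */`.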
apps/ocsp.c +34 −8 Original line number Original line Diff line number Diff line Loading @@ -75,6 +75,7 @@ #include <openssl/ssl.h> #include <openssl/ssl.h> #include <openssl/evp.h> #include <openssl/evp.h> #include <openssl/bn.h> #include <openssl/bn.h> #include <openssl/x509v3.h> #if defined(NETWARE_CLIB) #if defined(NETWARE_CLIB) # ifdef NETWARE_BSDSOCK # ifdef NETWARE_BSDSOCK Loading Loading @@ -113,6 +114,7 @@ static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout); OCSP_REQUEST *req, int req_timeout); #undef PROG #undef PROG Loading @@ -131,6 +133,7 @@ int MAIN(int argc, char **argv) char *rsignfile = NULL, *rkeyfile = NULL; char *rsignfile = NULL, *rkeyfile = NULL; char *outfile = NULL; char *outfile = NULL; int add_nonce = 1, noverify = 0, use_ssl = -1; int add_nonce = 1, noverify = 0, use_ssl = -1; STACK_OF(CONF_VALUE) *headers = NULL; OCSP_REQUEST *req = NULL; OCSP_REQUEST *req = NULL; OCSP_RESPONSE *resp = NULL; OCSP_RESPONSE *resp = NULL; OCSP_BASICRESP *bs = NULL; OCSP_BASICRESP *bs = NULL; Loading Loading @@ -230,6 +233,16 @@ int MAIN(int argc, char **argv) } } else badarg = 1; else badarg = 1; } } else if (!strcmp(*args, "-header")) { if (args[1] && args[2]) { if (!X509V3_add_value(args[1], args[2], &headers)) goto end; args += 2; } else badarg = 1; } else if (!strcmp(*args, "-ignore_err")) else if (!strcmp(*args, "-ignore_err")) ignore_err = 1; ignore_err = 1; else if (!strcmp(*args, "-noverify")) else if (!strcmp(*args, "-noverify")) Loading Loading 
@@ -756,7 +769,7 @@ int MAIN(int argc, char **argv) { { #ifndef OPENSSL_NO_SOCK #ifndef OPENSSL_NO_SOCK resp = process_responder(bio_err, req, host, path, resp = process_responder(bio_err, req, host, path, port, use_ssl, req_timeout); port, use_ssl, headers, req_timeout); if (!resp) if (!resp) goto end; goto end; #else #else Loading Loading @@ -905,6 +918,7 @@ end: sk_OCSP_CERTID_free(ids); sk_OCSP_CERTID_free(ids); sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(verify_other, X509_free); sk_X509_pop_free(verify_other, X509_free); sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); if (use_ssl != -1) if (use_ssl != -1) { { Loading Loading @@ -1260,10 +1274,12 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) } } static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout) OCSP_REQUEST *req, int req_timeout) { { int fd; int fd; int rv; int rv; int i; OCSP_REQ_CTX *ctx = NULL; OCSP_REQ_CTX *ctx = NULL; OCSP_RESPONSE *rsp = NULL; OCSP_RESPONSE *rsp = NULL; fd_set confds; fd_set confds; Loading @@ -1280,16 +1296,13 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, return NULL; return NULL; } } if (req_timeout == -1) return OCSP_sendreq_bio(cbio, path, req); if (BIO_get_fd(cbio, &fd) <= 0) if (BIO_get_fd(cbio, &fd) <= 0) { { BIO_puts(err, "Can't get connection fd\n"); BIO_puts(err, "Can't get connection fd\n"); goto err; goto err; } } if (rv <= 0) if (req_timeout != -1 && rv <= 0) { { FD_ZERO(&confds); FD_ZERO(&confds); openssl_fdset(fd, &confds); openssl_fdset(fd, &confds); Loading 
@@ -1304,15 +1317,27 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, } } ctx = OCSP_sendreq_new(cbio, path, req, -1); ctx = OCSP_sendreq_new(cbio, path, NULL, -1); if (!ctx) if (!ctx) return NULL; return NULL; for (i = 0; i < sk_CONF_VALUE_num(headers); i++) { CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i); if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value)) goto err; } if (!OCSP_REQ_CTX_set1_req(ctx, req)) goto err; for (;;) for (;;) { { rv = OCSP_sendreq_nbio(&rsp, ctx); rv = OCSP_sendreq_nbio(&rsp, ctx); if (rv != -1) if (rv != -1) break; break; if (req_timeout == -1) continue; FD_ZERO(&confds); FD_ZERO(&confds); openssl_fdset(fd, &confds); openssl_fdset(fd, &confds); tv.tv_usec = 0; tv.tv_usec = 0; Loading Loading @@ -1347,6 +1372,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, char *port, int use_ssl, char *host, char *path, char *port, int use_ssl, STACK_OF(CONF_VALUE) *headers, int req_timeout) int req_timeout) { { BIO *cbio = NULL; BIO *cbio = NULL; Loading Loading @@ -1381,7 +1407,7 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, sbio = BIO_new_ssl(ctx, 1); sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); cbio = BIO_push(sbio, cbio); } } resp = query_responder(err, cbio, path, req, req_timeout); resp = query_responder(err, cbio, path, headers, req, req_timeout); if (!resp) if (!resp) BIO_printf(bio_err, "Error querying OCSP responsder\n"); BIO_printf(bio_err, "Error querying OCSP responsder\n"); end: end: Loading
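Review bot: The `BIO_get_fd` check in query_responder now runs even when req_timeout is -1, whereas the removed early return `return OCSP_sendreq_bio(cbio, path, req);` previously skipped it, so a cbio without an underlying fd now fails with "Can't get connection fd" although no select() is ever done on it in that mode. If that is intended, a comment saying so would help; otherwise guard it like the connect retry, `if (req_timeout != -1 && BIO_get_fd(cbio, &fd) <= 0)`. In the send loop, `if (req_timeout == -1) continue;` retries OCSP_sendreq_nbio immediately, which only avoids a busy spin if the BIO is blocking in that mode — the nbio setting is made outside this hunk, so a comment at the `continue` stating that assumption would help the next reader. The header loop passes each `-header` name/value from the command line verbatim to OCSP_REQ_CTX_add1_header; if that routine does not reject CR/LF in name or value, a value containing a line break would be emitted into the HTTP request as extra lines, so either the library or this loop should reject such values. query_responder begins and ends outside the hunk.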
apps/s_server.c +1 −1 Original line number Original line Diff line number Diff line Loading @@ -787,7 +787,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); if (!OCSP_REQUEST_add_ext(req, ext, -1)) if (!OCSP_REQUEST_add_ext(req, ext, -1)) goto err; goto err; } } resp = process_responder(err, req, host, path, port, use_ssl, resp = process_responder(err, req, host, path, port, use_ssl, NULL, srctx->timeout); srctx->timeout); if (!resp) if (!resp) { { Loading
crypto/ocsp/ocsp.h +3 −0 Original line number Original line Diff line number Diff line Loading @@ -406,6 +406,9 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline); int maxline); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, const char *value); OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); Loading
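Review bot: The two new public prototypes OCSP_REQ_CTX_set1_req and OCSP_REQ_CTX_add1_header carry no comment describing their contract. The caller in apps/ocsp.c now passes NULL as the request to OCSP_sendreq_new, adds the headers, and only then calls OCSP_REQ_CTX_set1_req, which suggests headers must be added before the request is set; if that ordering is required it should be stated next to the declarations. The `1` suffix suggests the context takes its own copy or reference of `name`, `value` and `req`, but that is a naming-convention inference — confirm against the implementation and document it. Since name and value are written into the HTTP request header stream, the declaration should also say whether the implementation rejects control characters such as CR/LF, because the ocsp app forwards command-line values without any check.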