Bug Summary

File:sslutils.c
Location:line 674, column 13
Description:Value stored to 'errnum' is never read

Annotated Source Code

1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/** SSL Utilities
18 *
19 * @author Mladen Turk
20 * @version $Id: sslutils.c 1507125 2013-07-25 21:01:25Z schultz $
21 */
22
23#include "tcn.h"
24
25#ifdef HAVE_OPENSSL1
26#include "apr_poll.h"
27#include "ssl_private.h"
28
29#ifdef WIN32
30extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
31#endif
32
33#ifdef HAVE_OPENSSL_OCSP
34#include <openssl/bio.h>
35#include <openssl/ocsp.h>
36/* defines with the values as seen by the asn1parse -dump openssl command */
37#define ASN1_SEQUENCE 0x30
38#define ASN1_OID 0x06
39#define ASN1_STRING 0x86
40#pragma message("Using OCSP")
41static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx);
42static int ssl_ocsp_request(X509 *cert, X509 *issuer);
43#endif
44
45/* _________________________________________________________________
46**
47** Additional High-Level Functions for OpenSSL
48** _________________________________________________________________
49*/
50
51/* we initialize this index at startup time
52 * and never write to it at request time,
53 * so this static is thread safe.
54 * also note that OpenSSL increments at static variable when
55 * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
56 */
57static int SSL_app_data2_idx = -1;
58
59void SSL_init_app_data2_idx(void)
60{
61 int i;
62
63 if (SSL_app_data2_idx > -1) {
64 return;
65 }
66
67 /* we _do_ need to call this twice */
68 for (i = 0; i <= 1; i++) {
69 SSL_app_data2_idx =
70 SSL_get_ex_new_index(0,
71 "Second Application Data for SSL",
72 NULL((void*)0), NULL((void*)0), NULL((void*)0));
73 }
74}
75
76void *SSL_get_app_data2(SSL *ssl)
77{
78 return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
79}
80
81void SSL_set_app_data2(SSL *ssl, void *arg)
82{
83 SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
84 return;
85}
86
87/* Simple echo password prompting */
88int SSL_password_prompt(tcn_pass_cb_t *data)
89{
90 int rv = 0;
91 data->password[0] = '\0';
92 if (data->cb.obj) {
93 JNIEnv *e;
94 jobject o;
95 jstring prompt;
96 tcn_get_java_env(&e);
97 prompt = AJP_TO_JSTRING(data->prompt)(*e)->NewStringUTF((e), (data->prompt));
98 if ((o = (*e)->CallObjectMethod(e, data->cb.obj,
99 data->cb.mid[0], prompt))) {
100 TCN_ALLOC_CSTRING(o)const char *co = o ? (const char *)((*e)->GetStringUTFChars
(e, o, 0)) : ((void*)0)
;
101 if (J2S(o)co) {
102 strncpy(data->password, J2S(o), SSL_MAX_PASSWORD_LEN)__builtin_strncpy (data->password, co, (256));
103 data->password[SSL_MAX_PASSWORD_LEN(256)-1] = '\0';
104 rv = (int)strlen(data->password);
105 }
106 TCN_FREE_CSTRING(o)if (co) (*e)->ReleaseStringUTFChars(e, o, co);
107 }
108 }
109 else {
110#ifdef WIN32
111 rv = WIN32_SSL_password_prompt(data);
112#else
113 EVP_read_pw_string(data->password, SSL_MAX_PASSWORD_LEN(256),
114 data->prompt, 0);
115#endif
116 rv = (int)strlen(data->password);
117 }
118 if (rv > 0) {
119 /* Remove LF char if present */
120 char *r = strchr(data->password, '\n')(__extension__ (__builtin_constant_p ('\n') && !__builtin_constant_p
(data->password) && ('\n') == '\0' ? (char *) __rawmemchr
(data->password, '\n') : __builtin_strchr (data->password
, '\n')))
;
121 if (r) {
122 *r = '\0';
123 rv--;
124 }
125#ifdef WIN32
126 if ((r = strchr(data->password, '\r')(__extension__ (__builtin_constant_p ('\r') && !__builtin_constant_p
(data->password) && ('\r') == '\0' ? (char *) __rawmemchr
(data->password, '\r') : __builtin_strchr (data->password
, '\r')))
)) {
127 *r = '\0';
128 rv--;
129 }
130#endif
131 }
132 return rv;
133}
134
135int SSL_password_callback(char *buf, int bufsiz, int verify,
136 void *cb)
137{
138 tcn_pass_cb_t *cb_data = (tcn_pass_cb_t *)cb;
139
140 if (buf == NULL((void*)0))
141 return 0;
142 *buf = '\0';
143 if (cb_data == NULL((void*)0))
144 cb_data = &tcn_password_callback;
145 if (!cb_data->prompt)
146 cb_data->prompt = SSL_DEFAULT_PASS_PROMPT"Some of your private key files are encrypted for security reasons.\n"
"In order to read them you have to provide the pass phrases.\n"
"Enter password :"
;
147 if (cb_data->password[0]) {
148 /* Return already obtained password */
149 strncpy(buf, cb_data->password, bufsiz)__builtin_strncpy (buf, cb_data->password, bufsiz);
150 buf[bufsiz - 1] = '\0';
151 return (int)strlen(buf);
152 }
153 else {
154 if (SSL_password_prompt(cb_data) > 0)
155 strncpy(buf, cb_data->password, bufsiz)__builtin_strncpy (buf, cb_data->password, bufsiz);
156 }
157 buf[bufsiz - 1] = '\0';
158 return (int)strlen(buf);
159}
160
161static unsigned char dh0512_p[]={
162 0xD9,0xBA,0xBF,0xFD,0x69,0x38,0xC9,0x51,0x2D,0x19,0x37,0x39,
163 0xD7,0x7D,0x7E,0x3E,0x25,0x58,0x55,0x94,0x90,0x60,0x93,0x7A,
164 0xF2,0xD5,0x61,0x5F,0x06,0xE8,0x08,0xB4,0x57,0xF4,0xCF,0xB4,
165 0x41,0xCC,0xC4,0xAC,0xD4,0xF0,0x45,0x88,0xC9,0xD1,0x21,0x4C,
166 0xB6,0x72,0x48,0xBD,0x73,0x80,0xE0,0xDD,0x88,0x41,0xA0,0xF1,
167 0xEA,0x4B,0x71,0x13
168};
169static unsigned char dh1024_p[]={
170 0xA2,0x95,0x7E,0x7C,0xA9,0xD5,0x55,0x1D,0x7C,0x77,0x11,0xAC,
171 0xFD,0x48,0x8C,0x3B,0x94,0x1B,0xC5,0xC0,0x99,0x93,0xB5,0xDC,
172 0xDC,0x06,0x76,0x9E,0xED,0x1E,0x3D,0xBB,0x9A,0x29,0xD6,0x8B,
173 0x1F,0xF6,0xDA,0xC9,0xDF,0xD5,0x02,0x4F,0x09,0xDE,0xEC,0x2C,
174 0x59,0x1E,0x82,0x32,0x80,0x9B,0xED,0x51,0x68,0xD2,0xFB,0x1E,
175 0x25,0xDB,0xDF,0x9C,0x11,0x70,0xDF,0xCA,0x19,0x03,0x3D,0x3D,
176 0xC1,0xAC,0x28,0x88,0x4F,0x13,0xAF,0x16,0x60,0x6B,0x5B,0x2F,
177 0x56,0xC7,0x5B,0x5D,0xDE,0x8F,0x50,0x08,0xEC,0xB1,0xB9,0x29,
178 0xAA,0x54,0xF4,0x05,0xC9,0xDF,0x95,0x9D,0x79,0xC6,0xEA,0x3F,
179 0xC9,0x70,0x42,0xDA,0x90,0xC7,0xCC,0x12,0xB9,0x87,0x86,0x39,
180 0x1E,0x1A,0xCE,0xF7,0x3F,0x15,0xB5,0x2B
181};
182static unsigned char dh2048_p[]={
183 0xF2,0x4A,0xFC,0x7E,0x73,0x48,0x21,0x03,0xD1,0x1D,0xA8,0x16,
184 0x87,0xD0,0xD2,0xDC,0x42,0xA8,0xD2,0x73,0xE3,0xA9,0x21,0x31,
185 0x70,0x5D,0x69,0xC7,0x8F,0x95,0x0C,0x9F,0xB8,0x0E,0x37,0xAE,
186 0xD1,0x6F,0x36,0x1C,0x26,0x63,0x2A,0x36,0xBA,0x0D,0x2A,0xF5,
187 0x1A,0x0F,0xE8,0xC0,0xEA,0xD1,0xB5,0x52,0x47,0x1F,0x9A,0x0C,
188 0x0F,0xED,0x71,0x51,0xED,0xE6,0x62,0xD5,0xF8,0x81,0x93,0x55,
189 0xC1,0x0F,0xB4,0x72,0x64,0xB3,0x73,0xAA,0x90,0x9A,0x81,0xCE,
190 0x03,0xFD,0x6D,0xB1,0x27,0x7D,0xE9,0x90,0x5E,0xE2,0x10,0x74,
191 0x4F,0x94,0xC3,0x05,0x21,0x73,0xA9,0x12,0x06,0x9B,0x0E,0x20,
192 0xD1,0x5F,0xF7,0xC9,0x4C,0x9D,0x4F,0xFA,0xCA,0x4D,0xFD,0xFF,
193 0x6A,0x62,0x9F,0xF0,0x0F,0x3B,0xA9,0x1D,0xF2,0x69,0x29,0x00,
194 0xBD,0xE9,0xB0,0x9D,0x88,0xC7,0x4A,0xAE,0xB0,0x53,0xAC,0xA2,
195 0x27,0x40,0x88,0x58,0x8F,0x26,0xB2,0xC2,0x34,0x7D,0xA2,0xCF,
196 0x92,0x60,0x9B,0x35,0xF6,0xF3,0x3B,0xC3,0xAA,0xD8,0x58,0x9C,
197 0xCF,0x5D,0x9F,0xDB,0x14,0x93,0xFA,0xA3,0xFA,0x44,0xB1,0xB2,
198 0x4B,0x0F,0x08,0x70,0x44,0x71,0x3A,0x73,0x45,0x8E,0x6D,0x9C,
199 0x56,0xBC,0x9A,0xB5,0xB1,0x3D,0x8B,0x1F,0x1E,0x2B,0x0E,0x93,
200 0xC2,0x9B,0x84,0xE2,0xE8,0xFC,0x29,0x85,0x83,0x8D,0x2E,0x5C,
201 0xDD,0x9A,0xBB,0xFD,0xF0,0x87,0xBF,0xAF,0xC4,0xB6,0x1D,0xE7,
202 0xF9,0x46,0x50,0x7F,0xC3,0xAC,0xFD,0xC9,0x8C,0x9D,0x66,0x6B,
203 0x4C,0x6A,0xC9,0x3F,0x0C,0x0A,0x74,0x94,0x41,0x85,0x26,0x8F,
204 0x9F,0xF0,0x7C,0x0B
205};
206static unsigned char dh4096_p[] = {
207 0x8D,0xD3,0x8F,0x77,0x6F,0x6F,0xB0,0x74,0x3F,0x22,0xE9,0xD1,
208 0x17,0x15,0x69,0xD8,0x24,0x85,0xCD,0xC4,0xE4,0x0E,0xF6,0x52,
209 0x40,0xF7,0x1C,0x34,0xD0,0xA5,0x20,0x77,0xE2,0xFC,0x7D,0xA1,
210 0x82,0xF1,0xF3,0x78,0x95,0x05,0x5B,0xB8,0xDB,0xB3,0xE4,0x17,
211 0x93,0xD6,0x68,0xA7,0x0A,0x0C,0xC5,0xBB,0x9C,0x5E,0x1E,0x83,
212 0x72,0xB3,0x12,0x81,0xA2,0xF5,0xCD,0x44,0x67,0xAA,0xE8,0xAD,
213 0x1E,0x8F,0x26,0x25,0xF2,0x8A,0xA0,0xA5,0xF4,0xFB,0x95,0xAE,
214 0x06,0x50,0x4B,0xD0,0xE7,0x0C,0x55,0x88,0xAA,0xE6,0xB8,0xF6,
215 0xE9,0x2F,0x8D,0xA7,0xAD,0x84,0xBC,0x8D,0x4C,0xFE,0x76,0x60,
216 0xCD,0xC8,0xED,0x7C,0xBF,0xF3,0xC1,0xF8,0x6A,0xED,0xEC,0xE9,
217 0x13,0x7D,0x4E,0x72,0x20,0x77,0x06,0xA4,0x12,0xF8,0xD2,0x34,
218 0x6F,0xDC,0x97,0xAB,0xD3,0xA0,0x45,0x8E,0x7D,0x21,0xA9,0x35,
219 0x6E,0xE4,0xC9,0xC4,0x53,0xFF,0xE5,0xD9,0x72,0x61,0xC4,0x8A,
220 0x75,0x78,0x36,0x97,0x1A,0xAB,0x92,0x85,0x74,0x61,0x7B,0xE0,
221 0x92,0xB8,0xC6,0x12,0xA1,0x72,0xBB,0x5B,0x61,0xAA,0xE6,0x2C,
222 0x2D,0x9F,0x45,0x79,0x9E,0xF4,0x41,0x93,0x93,0xEF,0x8B,0xEF,
223 0xB7,0xBF,0x6D,0xF0,0x91,0x11,0x4F,0x7C,0x71,0x84,0xB5,0x88,
224 0xA3,0x8C,0x1A,0xD5,0xD0,0x81,0x9C,0x50,0xAC,0xA9,0x2B,0xE9,
225 0x92,0x2D,0x73,0x7C,0x0A,0xA3,0xFA,0xD3,0x6C,0x91,0x43,0xA6,
226 0x80,0x7F,0xD7,0xC4,0xD8,0x6F,0x85,0xF8,0x15,0xFD,0x08,0xA6,
227 0xF8,0x7B,0x3A,0xF4,0xD3,0x50,0xB4,0x2F,0x75,0xC8,0x48,0xB8,
228 0xA8,0xFD,0xCA,0x8F,0x62,0xF1,0x4C,0x89,0xB7,0x18,0x67,0xB2,
229 0x93,0x2C,0xC4,0xD4,0x71,0x29,0xA9,0x26,0x20,0xED,0x65,0x37,
230 0x06,0x87,0xFC,0xFB,0x65,0x02,0x1B,0x3C,0x52,0x03,0xA1,0xBB,
231 0xCF,0xE7,0x1B,0xA4,0x1A,0xE3,0x94,0x97,0x66,0x06,0xBF,0xA9,
232 0xCE,0x1B,0x07,0x10,0xBA,0xF8,0xD4,0xD4,0x05,0xCF,0x53,0x47,
233 0x16,0x2C,0xA1,0xFC,0x6B,0xEF,0xF8,0x6C,0x23,0x34,0xEF,0xB7,
234 0xD3,0x3F,0xC2,0x42,0x5C,0x53,0x9A,0x00,0x52,0xCF,0xAC,0x42,
235 0xD3,0x3B,0x2E,0xB6,0x04,0x32,0xE1,0x09,0xED,0x64,0xCD,0x6A,
236 0x63,0x58,0xB8,0x43,0x56,0x5A,0xBE,0xA4,0x9F,0x68,0xD4,0xF7,
237 0xC9,0x04,0xDF,0xCD,0xE5,0x93,0xB0,0x2F,0x06,0x19,0x3E,0xB8,
238 0xAB,0x7E,0xF8,0xE7,0xE7,0xC8,0x53,0xA2,0x06,0xC3,0xC7,0xF9,
239 0x18,0x3B,0x51,0xC3,0x9B,0xFF,0x8F,0x00,0x0E,0x87,0x19,0x68,
240 0x2F,0x40,0xC0,0x68,0xFA,0x12,0xAE,0x57,0xB5,0xF0,0x97,0xCA,
241 0x78,0x23,0x31,0xAB,0x67,0x7B,0x10,0x6B,0x59,0x32,0x9C,0x64,
242 0x20,0x38,0x1F,0xC5,0x07,0x84,0x9E,0xC4,0x49,0xB1,0xDF,0xED,
243 0x7A,0x8A,0xC3,0xE0,0xDD,0x30,0x55,0xFF,0x95,0x45,0xA6,0xEE,
244 0xCB,0xE4,0x26,0xB9,0x8E,0x89,0x37,0x63,0xD4,0x02,0x3D,0x5B,
245 0x4F,0xE5,0x90,0xF6,0x72,0xF8,0x10,0xEE,0x31,0x04,0x54,0x17,
246 0xE3,0xD5,0x63,0x84,0x80,0x62,0x54,0x46,0x85,0x6C,0xD2,0xC1,
247 0x3E,0x19,0xBD,0xE2,0x80,0x11,0x86,0xC7,0x4B,0x7F,0x67,0x86,
248 0x47,0xD2,0x38,0xCD,0x8F,0xFE,0x65,0x3C,0x11,0xCD,0x96,0x99,
249 0x4E,0x45,0xEB,0xEC,0x1D,0x94,0x8C,0x53,
250};
251static unsigned char dhxxx2_g[]={
252 0x02
253};
254
255static DH *get_dh(int idx)
256{
257 DH *dh;
258
259 if ((dh = DH_new()) == NULL((void*)0))
260 return NULL((void*)0);
261 switch (idx) {
262 case SSL_TMP_KEY_DH_512(4):
263 dh->p = BN_bin2bn(dh0512_p, sizeof(dh0512_p), NULL((void*)0));
264 break;
265 case SSL_TMP_KEY_DH_1024(5):
266 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL((void*)0));
267 break;
268 case SSL_TMP_KEY_DH_2048(6):
269 dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL((void*)0));
270 break;
271 case SSL_TMP_KEY_DH_4096(7):
272 dh->p = BN_bin2bn(dh4096_p, sizeof(dh2048_p), NULL((void*)0));
273 break;
274 }
275 dh->g = BN_bin2bn(dhxxx2_g, sizeof(dhxxx2_g), NULL((void*)0));
276 if ((dh->p == NULL((void*)0)) || (dh->g == NULL((void*)0))) {
277 DH_free(dh);
278 return NULL((void*)0);
279 }
280 else
281 return dh;
282}
283
284DH *SSL_dh_get_tmp_param(int key_len)
285{
286 DH *dh;
287
288 if (key_len == 512)
289 dh = get_dh(SSL_TMP_KEY_DH_512(4));
290 else if (key_len == 1024)
291 dh = get_dh(SSL_TMP_KEY_DH_1024(5));
292 else if (key_len == 2048)
293 dh = get_dh(SSL_TMP_KEY_DH_2048(6));
294 else if (key_len == 4096)
295 dh = get_dh(SSL_TMP_KEY_DH_4096(7));
296 else
297 dh = get_dh(SSL_TMP_KEY_DH_1024(5));
298 return dh;
299}
300
301DH *SSL_dh_get_param_from_file(const char *file)
302{
303 DH *dh = NULL((void*)0);
304 BIO *bio;
305
306 if ((bio = BIO_new_file(file, "r")) == NULL((void*)0))
307 return NULL((void*)0);
308 dh = PEM_read_bio_DHparams(bio, NULL((void*)0), NULL((void*)0), NULL((void*)0));
309 BIO_free(bio);
310 return dh;
311}
312
313/*
314 * Handle out temporary RSA private keys on demand
315 *
316 * The background of this as the TLSv1 standard explains it:
317 *
318 * | D.1. Temporary RSA keys
319 * |
320 * | US Export restrictions limit RSA keys used for encryption to 512
321 * | bits, but do not place any limit on lengths of RSA keys used for
322 * | signing operations. Certificates often need to be larger than 512
323 * | bits, since 512-bit RSA keys are not secure enough for high-value
324 * | transactions or for applications requiring long-term security. Some
325 * | certificates are also designated signing-only, in which case they
326 * | cannot be used for key exchange.
327 * |
328 * | When the public key in the certificate cannot be used for encryption,
329 * | the server signs a temporary RSA key, which is then exchanged. In
330 * | exportable applications, the temporary RSA key should be the maximum
331 * | allowable length (i.e., 512 bits). Because 512-bit RSA keys are
332 * | relatively insecure, they should be changed often. For typical
333 * | electronic commerce applications, it is suggested that keys be
334 * | changed daily or every 500 transactions, and more often if possible.
335 * | Note that while it is acceptable to use the same temporary key for
336 * | multiple transactions, it must be signed each time it is used.
337 * |
338 * | RSA key generation is a time-consuming process. In many cases, a
339 * | low-priority process can be assigned the task of key generation.
340 * | Whenever a new key is completed, the existing temporary key can be
341 * | replaced with the new one.
342 *
343 * XXX: base on comment above, if thread support is enabled,
344 * we should spawn a low-priority thread to generate new keys
345 * on the fly.
346 *
347 * So we generated 512 and 1024 bit temporary keys on startup
348 * which we now just hand out on demand....
349 */
350
351RSA *SSL_callback_tmp_RSA(SSL *ssl, int export, int keylen)
352{
353 int idx;
354
355 /* doesn't matter if export flag is on,
356 * we won't be asked for keylen > 512 in that case.
357 * if we are asked for a keylen > 1024, it is too expensive
358 * to generate on the fly.
359 */
360
361 switch (keylen) {
362 case 512:
363 idx = SSL_TMP_KEY_RSA_512(0);
364 break;
365 case 2048:
366 idx = SSL_TMP_KEY_RSA_2048(2);
367 if (SSL_temp_keys[idx] == NULL((void*)0))
368 idx = SSL_TMP_KEY_RSA_1024(1);
369 break;
370 case 4096:
371 idx = SSL_TMP_KEY_RSA_4096(3);
372 if (SSL_temp_keys[idx] == NULL((void*)0))
373 idx = SSL_TMP_KEY_RSA_2048(2);
374 break;
375 case 1024:
376 default:
377 idx = SSL_TMP_KEY_RSA_1024(1);
378 break;
379 }
380 return (RSA *)SSL_temp_keys[idx];
381}
382
383/*
384 * Hand out the already generated DH parameters...
385 */
386DH *SSL_callback_tmp_DH(SSL *ssl, int export, int keylen)
387{
388 int idx;
389 switch (keylen) {
390 case 512:
391 idx = SSL_TMP_KEY_DH_512(4);
392 break;
393 case 2048:
394 idx = SSL_TMP_KEY_DH_2048(6);
395 break;
396 case 4096:
397 idx = SSL_TMP_KEY_DH_4096(7);
398 break;
399 case 1024:
400 default:
401 idx = SSL_TMP_KEY_DH_1024(5);
402 break;
403 }
404 return (DH *)SSL_temp_keys[idx];
405}
406
407/*
408 * Read a file that optionally contains the server certificate in PEM
409 * format, possibly followed by a sequence of CA certificates that
410 * should be sent to the peer in the SSL Certificate message.
411 */
412int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
413 int skipfirst)
414{
415 BIO *bio;
416 X509 *x509;
417 unsigned long err;
418 int n;
419 STACK_OF(X509)struct stack_st_X509 *extra_certs;
420
421 if ((bio = BIO_new(BIO_s_file_internalBIO_s_file())) == NULL((void*)0))
422 return -1;
423 if (BIO_read_filename(bio, file)BIO_ctrl(bio,108, 0x01|0x02,(char *)file) <= 0) {
424 BIO_free(bio);
425 return -1;
426 }
427 /* optionally skip a leading server certificate */
428 if (skipfirst) {
429 if ((x509 = PEM_read_bio_X509(bio, NULL((void*)0), NULL((void*)0), NULL((void*)0))) == NULL((void*)0)) {
430 BIO_free(bio);
431 return -1;
432 }
433 X509_free(x509);
434 }
435 /* free a perhaps already configured extra chain */
436 extra_certs = SSL_CTX_get_extra_certs(ctx)((ctx)->extra_certs);
437 if (extra_certs != NULL((void*)0)) {
438 sk_X509_pop_free(extra_certs, X509_free)sk_pop_free(((_STACK*) (1 ? (extra_certs) : (struct stack_st_X509
*)0)), ((void (*)(void *)) ((1 ? (X509_free) : (void (*)(X509
*))0))))
;
439 SSL_CTX_set_extra_certs(ctx,NULL)if (1) { (ctx)->extra_certs = (((void*)0)); } else (void)(
0)
;
440 }
441 /* create new extra chain by loading the certs */
442 n = 0;
443 while ((x509 = PEM_read_bio_X509(bio, NULL((void*)0), NULL((void*)0), NULL((void*)0))) != NULL((void*)0)) {
444 if (!SSL_CTX_add_extra_chain_cert(ctx, x509)SSL_CTX_ctrl(ctx,14,0,(char *)x509)) {
445 X509_free(x509);
446 BIO_free(bio);
447 return -1;
448 }
449 n++;
450 }
451 /* Make sure that only the error is just an EOF */
452 if ((err = ERR_peek_error()) > 0) {
453 if (!( ERR_GET_LIB(err)(int)((((unsigned long)err)>>24L)&0xffL) == ERR_LIB_PEM9
454 && ERR_GET_REASON(err)(int)((err)&0xfffL) == PEM_R_NO_START_LINE108)) {
455 BIO_free(bio);
456 return -1;
457 }
458 while (ERR_get_error() > 0) ;
459 }
460 BIO_free(bio);
461 return n;
462}
463
464static int ssl_X509_STORE_lookup(X509_STORE *store, int yype,
465 X509_NAME *name, X509_OBJECT *obj)
466{
467 X509_STORE_CTX ctx;
468 int rc;
469
470 X509_STORE_CTX_init(&ctx, store, NULL((void*)0), NULL((void*)0));
471 rc = X509_STORE_get_by_subject(&ctx, yype, name, obj);
472 X509_STORE_CTX_cleanup(&ctx);
473 return rc;
474}
475
476static int ssl_verify_CRL(int ok, X509_STORE_CTX *ctx, tcn_ssl_conn_t *con)
477{
478 X509_OBJECT obj;
479 X509_NAME *subject, *issuer;
480 X509 *cert;
481 X509_CRL *crl;
482 EVP_PKEY *pubkey;
483 int i, n, rc;
484
485 /*
486 * Determine certificate ingredients in advance
487 */
488 cert = X509_STORE_CTX_get_current_cert(ctx);
489 subject = X509_get_subject_name(cert);
490 issuer = X509_get_issuer_name(cert);
491
492 /*
493 * OpenSSL provides the general mechanism to deal with CRLs but does not
494 * use them automatically when verifying certificates, so we do it
495 * explicitly here. We will check the CRL for the currently checked
496 * certificate, if there is such a CRL in the store.
497 *
498 * We come through this procedure for each certificate in the certificate
499 * chain, starting with the root-CA's certificate. At each step we've to
500 * both verify the signature on the CRL (to make sure it's a valid CRL)
501 * and it's revocation list (to make sure the current certificate isn't
502 * revoked). But because to check the signature on the CRL we need the
503 * public key of the issuing CA certificate (which was already processed
504 * one round before), we've a little problem. But we can both solve it and
505 * at the same time optimize the processing by using the following
506 * verification scheme (idea and code snippets borrowed from the GLOBUS
507 * project):
508 *
509 * 1. We'll check the signature of a CRL in each step when we find a CRL
510 * through the _subject_ name of the current certificate. This CRL
511 * itself will be needed the first time in the next round, of course.
512 * But we do the signature processing one round before this where the
513 * public key of the CA is available.
514 *
515 * 2. We'll check the revocation list of a CRL in each step when
516 * we find a CRL through the _issuer_ name of the current certificate.
517 * This CRLs signature was then already verified one round before.
518 *
519 * This verification scheme allows a CA to revoke its own certificate as
520 * well, of course.
521 */
522
523 /*
524 * Try to retrieve a CRL corresponding to the _subject_ of
525 * the current certificate in order to verify it's integrity.
526 */
527 memset((char *)&obj, 0, sizeof(obj));
528 rc = ssl_X509_STORE_lookup(con->ctx->crl,
529 X509_LU_CRL2, subject, &obj);
530 crl = obj.data.crl;
531
532 if ((rc > 0) && crl) {
533 /*
534 * Log information about CRL
535 * (A little bit complicated because of ASN.1 and BIOs...)
536 */
537 /*
538 * Verify the signature on this CRL
539 */
540 pubkey = X509_get_pubkey(cert);
541 rc = X509_CRL_verify(crl, pubkey);
542 /* Only refcounted in OpenSSL */
543 if (pubkey)
544 EVP_PKEY_free(pubkey);
545 if (rc <= 0) {
546 /* TODO: Log Invalid signature on CRL */
547 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE8);
548 X509_OBJECT_free_contents(&obj);
549 return 0;
550 }
551
552 /*
553 * Check date of CRL to make sure it's not expired
554 */
555 i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl)((crl)->crl->nextUpdate));
556
557 if (i == 0) {
558 /* TODO: Log Found CRL has invalid nextUpdate field */
559
560 X509_STORE_CTX_set_error(ctx,
561 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD16);
562 X509_OBJECT_free_contents(&obj);
563 return 0;
564 }
565
566 if (i < 0) {
567 /* TODO: Log Found CRL is expired */
568 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED12);
569 X509_OBJECT_free_contents(&obj);
570
571 return 0;
572 }
573
574 X509_OBJECT_free_contents(&obj);
575 }
576
577 /*
578 * Try to retrieve a CRL corresponding to the _issuer_ of
579 * the current certificate in order to check for revocation.
580 */
581 memset((char *)&obj, 0, sizeof(obj));
582 rc = ssl_X509_STORE_lookup(con->ctx->crl,
583 X509_LU_CRL2, issuer, &obj);
584
585 crl = obj.data.crl;
586 if ((rc > 0) && crl) {
587 /*
588 * Check if the current certificate is revoked by this CRL
589 */
590 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl))sk_num(((_STACK*) (1 ? (((crl)->crl->revoked)) : (struct
stack_st_X509_REVOKED*)0)))
;
591
592 for (i = 0; i < n; i++) {
593 X509_REVOKED *revoked =
594 sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i)((X509_REVOKED *)sk_value(((_STACK*) (1 ? (((crl)->crl->
revoked)) : (struct stack_st_X509_REVOKED*)0)), (i)))
;
595
596 ASN1_INTEGER *sn = revoked->serialNumber;
597
598 if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
599 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED23);
600 X509_OBJECT_free_contents(&obj);
601
602 return 0;
603 }
604 }
605
606 X509_OBJECT_free_contents(&obj);
607 }
608
609 return ok;
610}
611
612/*
613 * This OpenSSL callback function is called when OpenSSL
614 * does client authentication and verifies the certificate chain.
615 */
616
617
618int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
619{
620 /* Get Apache context back through OpenSSL context */
621 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
622 SSL_get_ex_data_X509_STORE_CTX_idx());
623 tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl)(SSL_get_ex_data(ssl,0));
624 /* Get verify ingredients */
625 int errnum = X509_STORE_CTX_get_error(ctx);
626 int errdepth = X509_STORE_CTX_get_error_depth(ctx);
627 int verify = con->ctx->verify_mode;
628 int depth = con->ctx->verify_depth;
629 int skip_crl = 0;
630
631 if (verify == SSL_CVERIFY_UNSET(-1) ||
632 verify == SSL_CVERIFY_NONE(0))
633 return 1;
634
635 if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)((errnum == 18) || (errnum == 19) || (errnum == 20) || (errnum
== 27) || (errnum == 21))
&&
636 (verify == SSL_CVERIFY_OPTIONAL_NO_CA(3))) {
637 ok = 1;
638 SSL_set_verify_result(ssl, X509_V_OK0);
639 }
640
641#ifdef HAVE_OPENSSL_OCSP
642 /* First perform OCSP validation if possible */
643 if (ok) {
644 /* If there was an optional verification error, it's not
645 * possible to perform OCSP validation since the issuer may be
646 * missing/untrusted. Fail in that case.
647 */
648 if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)((errnum == 18) || (errnum == 19) || (errnum == 20) || (errnum
== 27) || (errnum == 21))
) {
649 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION50);
650 errnum = X509_V_ERR_APPLICATION_VERIFICATION50;
651 ok = 0;
652 }
653 else {
654 int ocsp_response = ssl_verify_OCSP(ok, ctx);
655 if (ocsp_response == OCSP_STATUS_OK0) {
656 skip_crl = 1; /* we know it is valid we skip crl evaluation */
657 }
658 else if (ocsp_response == OCSP_STATUS_REVOKED1) {
659 ok = 0 ;
660 errnum = X509_STORE_CTX_get_error(ctx);
661 }
662 else if (ocsp_response == OCSP_STATUS_UNKNOWN2) {
663 /* TODO: do nothing for time being, continue with CRL */
664 ;
665 }
666 }
667 }
668#endif
669 /*
670 * Additionally perform CRL-based revocation checks
671 */
672 if (ok && con->ctx->crl && !skip_crl) {
673 if (!(ok = ssl_verify_CRL(ok, ctx, con))) {
674 errnum = X509_STORE_CTX_get_error(ctx);
Value stored to 'errnum' is never read
675 /* TODO: Log something */
676 }
677 }
678 /*
679 * If we already know it's not ok, log the real reason
680 */
681 if (!ok) {
682 /* TODO: Some logging
683 * Certificate Verification: Error
684 */
685 if (con->peer) {
686 X509_free(con->peer);
687 con->peer = NULL((void*)0);
688 }
689 }
690 if (errdepth > depth) {
691 /* TODO: Some logging
692 * Certificate Verification: Certificate Chain too long
693 */
694 ok = 0;
695 }
696 return ok;
697}
698
699/*
700 * This callback function is executed while OpenSSL processes the SSL
701 * handshake and does SSL record layer stuff. It's used to trap
702 * client-initiated renegotiations, and for dumping everything to the
703 * log.
704 */
705void SSL_callback_handshake(const SSL *ssl, int where, int rc)
706{
707 tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl)(SSL_get_ex_data(ssl,0));
708
709 /* Retrieve the conn_rec and the associated SSLConnRec. */
710 if (con == NULL((void*)0)) {
711 return;
712 }
713
714
715 /* If the reneg state is to reject renegotiations, check the SSL
716 * state machine and move to ABORT if a Client Hello is being
717 * read. */
718 if ((where & SSL_CB_ACCEPT_LOOP(0x2000|0x01)) && con->reneg_state == RENEG_REJECT) {
719 int state = SSL_get_state(ssl)SSL_state(ssl);
720
721 if (state == SSL3_ST_SR_CLNT_HELLO_A(0x110|0x2000)
722 || state == SSL23_ST_SR_CLNT_HELLO_A(0x210|0x2000)) {
723 con->reneg_state = RENEG_ABORT;
724 /* XXX: rejecting client initiated renegotiation
725 */
726 }
727 }
728 /* If the first handshake is complete, change state to reject any
729 * subsequent client-initated renegotiation. */
730 else if ((where & SSL_CB_HANDSHAKE_DONE0x20) && con->reneg_state == RENEG_INIT) {
731 con->reneg_state = RENEG_REJECT;
732 }
733
734}
735
736#ifdef HAVE_OPENSSL_OCSP
737
738/* Function that is used to do the OCSP verification */
739static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx)
740{
741 X509 *cert, *issuer;
742 int r = OCSP_STATUS_UNKNOWN2;
743
744 cert = X509_STORE_CTX_get_current_cert(ctx);
745 /* if we can't get the issuer, we cannot perform OCSP verification */
746 if (X509_STORE_CTX_get1_issuer(&issuer, ctx, cert) == 1 ) {
747 r = ssl_ocsp_request(cert, issuer);
748 if (r == OCSP_STATUS_REVOKED1) {
749 /* we set the error if we know that it is revoked */
750 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED23);
751 }
752 else {
753 /* else we return unknown, so that we can continue with the crl */
754 r = OCSP_STATUS_UNKNOWN2;
755 }
756 X509_free(issuer); /* It appears that we should free issuer since
757 * X509_STORE_CTX_get1_issuer() calls X509_OBJECT_up_ref_count()
758 * on the issuer object (unline X509_STORE_CTX_get_current_cert()
759 * that just returns the pointer
760 */
761 }
762 return r;
763}
764
765
766/* Helps with error handling or realloc */
767static void *apr_xrealloc(void *buf, size_t oldlen, size_t len, apr_pool_t *p)
768{
769 void *newp = apr_palloc(p, len);
770
771 if(newp)
772 memcpy(newp, buf, oldlen);
773 return newp;
774}
775
776/* parses the ocsp url and updates the ocsp_urls and nocsp_urls variables
777 returns 0 on success, 1 on failure */
778static int parse_ocsp_url(unsigned char *asn1, char ***ocsp_urls,
779 int *nocsp_urls, apr_pool_t *p)
780{
781 char **new_ocsp_urls, *ocsp_url;
782 int len, err = 0, new_nocsp_urls;
783
784 if (*asn1 == ASN1_STRING) {
785 len = *++asn1;
786 asn1++;
787 new_nocsp_urls = *nocsp_urls+1;
788 if ((new_ocsp_urls = apr_xrealloc(*ocsp_urls,*nocsp_urls, new_nocsp_urls, p)) == NULL((void*)0))
789 err = 1;
790 if (!err) {
791 *ocsp_urls = new_ocsp_urls;
792 *nocsp_urls = new_nocsp_urls;
793 *(*ocsp_urls + *nocsp_urls) = NULL((void*)0);
794 if ((ocsp_url = apr_palloc(p, len + 1)) == NULL((void*)0)) {
795 err = 1;
796 }
797 else {
798 memcpy(ocsp_url, asn1, len);
799 ocsp_url[len] = '\0';
800 *(*ocsp_urls + *nocsp_urls - 1) = ocsp_url;
801 }
802 }
803 }
804 return err;
805
806}
807
808/* parses the ANS1 OID and if it is an OCSP OID then calls the parse_ocsp_url function */
809static int parse_ASN1_OID(unsigned char *asn1, char ***ocsp_urls, int *nocsp_urls, apr_pool_t *p)
810{
811 int len, err = 0 ;
812 const unsigned char OCSP_OID[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};
813
814 len = *++asn1;
815 asn1++;
816 if (memcmp(asn1, OCSP_OID, len) == 0) {
817 asn1+=len;
818 err = parse_ocsp_url(asn1, ocsp_urls, nocsp_urls, p);
819 }
820 return err;
821}
822
823
824/* Parses an ASN1 Sequence. It is a recursive function, since if it finds a sequence
825 within the sequence it calls recursively itself. This function stops when it finds
826 the end of the ASN1 sequence (marked by '\0'), so if there are other sequences within
827 the same sequence the while loop parses the sequences */
828
829/* This algo was developed with AIA in mind so it was tested only with this extension */
830static int parse_ASN1_Sequence(unsigned char *asn1, char ***ocsp_urls,
831 int *nocsp_urls, apr_pool_t *p)
832{
833 int len = 0 , err = 0;
834
835 while (!err && *asn1 != '\0') {
836 switch(*asn1) {
837 case ASN1_SEQUENCE:
838 len = *++asn1;
839 asn1++;
840 err = parse_ASN1_Sequence(asn1, ocsp_urls, nocsp_urls, p);
841 break;
842 case ASN1_OID:
843 err = parse_ASN1_OID(asn1,ocsp_urls,nocsp_urls, p);
844 return 0;
845 break;
846 default:
847 err = 1; /* we shouldn't have any errors */
848 break;
849 }
850 asn1+=len;
851 }
852 return err;
853}
854
855/* the main function that gets the ASN1 encoding string and returns
856 a pointer to a NULL terminated "array" of char *, that contains
857 the ocsp_urls */
858static char **decode_OCSP_url(ASN1_OCTET_STRING *os, apr_pool_t *p)
859{
860 char **response = NULL((void*)0);
861 unsigned char *ocsp_urls;
862 int len, numofresponses = 0 ;
863
864 len = ASN1_STRING_length(os);
865
866 ocsp_urls = apr_palloc(p, len + 1);
867 memcpy(ocsp_urls,os->data, len);
868 ocsp_urls[len] = '\0';
869
870 if ((response = apr_pcalloc(p, sizeof(char *))memset(apr_palloc(p, sizeof(char *)), 0, sizeof(char *))) == NULL((void*)0))
871 return NULL((void*)0);
872 if (parse_ASN1_Sequence(ocsp_urls, &response, &numofresponses, p))
873 response = NULL((void*)0);
874 return response;
875}
876
877
878/* stolen from openssl ocsp command */
879static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
880 STACK_OF(OCSP_CERTID)struct stack_st_OCSP_CERTID *ids)
881{
882 OCSP_CERTID *id;
883
884 if (!issuer)
885 return 0;
886 if (!*req)
887 *req = OCSP_REQUEST_new();
888 if (!*req)
889 return 0;
890 id = OCSP_cert_to_id(NULL((void*)0), cert, issuer);
891 if (!id || !sk_OCSP_CERTID_push(ids, id)sk_push(((_STACK*) (1 ? (ids) : (struct stack_st_OCSP_CERTID*
)0)), ((void*) (1 ? (id) : (OCSP_CERTID*)0)))
)
892 return 0;
893 if (!OCSP_request_add0_id(*req, id))
894 return 0;
895 else
896 return 1;
897}
898
899
900/* Creates the APR socket and connect to the hostname. Returns the
901 socket or NULL if there is an error.
902*/
903static apr_socket_t *make_socket(char *hostname, int port, apr_pool_t *mp)
904{
905 apr_sockaddr_t *sa_in;
906 apr_status_t status;
907 apr_socket_t *sock = NULL((void*)0);
908
909
910 status = apr_sockaddr_info_get(&sa_in, hostname, APR_INET2, port, 0, mp);
911
912 if (status == APR_SUCCESS0)
913 status = apr_socket_create(&sock, sa_in->family, SOCK_STREAMSOCK_STREAM, APR_PROTO_TCP6, mp);
914 if (status == APR_SUCCESS0)
915 status = apr_socket_connect(sock, sa_in);
916
917 if (status == APR_SUCCESS0)
918 return sock;
919 return NULL((void*)0);
920}
921
922
923/* Creates the request in a memory BIO in order to send it to the OCSP server.
924 Most parts of this function are taken from mod_ssl support for OCSP (with some
925 minor modifications
926*/
927static BIO *serialize_request(OCSP_REQUEST *req, char *host, int port, char *path)
928{
929 BIO *bio;
930 int len;
931
932 len = i2d_OCSP_REQUEST(req, NULL((void*)0));
933
934 bio = BIO_new(BIO_s_mem());
935
936 BIO_printf(bio, "POST %s HTTP/1.0\r\n"
937 "Host: %s:%d\r\n"
938 "Content-Type: application/ocsp-request\r\n"
939 "Content-Length: %d\r\n"
940 "\r\n",
941 path, host, port, len);
942
943 if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
944 BIO_free(bio);
945 return NULL((void*)0);
946 }
947
948 return bio;
949}
950
951
952/* Send the OCSP request to the OCSP server. Taken from mod_ssl OCSP support */
953static int ocsp_send_req(apr_socket_t *sock, BIO *req)
954{
955 int len;
956 char buf[TCN_BUFFER_SZ8192];
957 apr_status_t rv;
958 int ok = 1;
959
960 while ((len = BIO_read(req, buf, sizeof buf)) > 0) {
961 char *wbuf = buf;
962 apr_size_t remain = len;
963
964 do {
965 apr_size_t wlen = remain;
966 rv = apr_socket_send(sock, wbuf, &wlen);
967 wbuf += remain;
968 remain -= wlen;
969 } while (rv == APR_SUCCESS0 && remain > 0);
970
971 if (rv != APR_SUCCESS0) {
972 apr_socket_close(sock);
973 ok = 0;
974 }
975 }
976
977 return ok;
978}
979
980
981
982/* Parses the buffer from the response and extracts the OCSP response.
983 Taken from openssl library */
984static OCSP_RESPONSE *parse_ocsp_resp(char *buf, int len)
985{
986 BIO *mem = NULL((void*)0);
987 char tmpbuf[1024];
988 OCSP_RESPONSE *resp = NULL((void*)0);
989 char *p, *q, *r;
990 int retcode;
991
992 mem = BIO_new(BIO_s_mem());
993 if(mem == NULL((void*)0))
994 return NULL((void*)0);
995
996 BIO_write(mem, buf, len); /* write the buffer to the bio */
997 if (BIO_gets(mem, tmpbuf, 512) <= 0) {
998 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR)ERR_put_error(39,(OCSP_F_OCSP_SENDREQ_BIO),(OCSP_R_SERVER_RESPONSE_PARSE_ERROR
),"src/sslutils.c",998)
;
999 goto err;
1000 }
1001 /* Parse the HTTP response. This will look like this:
1002 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
1003 * (optional) informational message.
1004 */
1005
1006 /* Skip to first white space (passed protocol info) */
1007 for (p = tmpbuf; *p && !apr_isspace(*p)(((*__ctype_b_loc ())[(int) ((((unsigned char)(*p))))] & (
unsigned short int) _ISspace))
; p++)
1008 continue;
1009 if (!*p) {
1010 goto err;
1011 }
1012 /* Skip past white space to start of response code */
1013 while (apr_isspace(*p)(((*__ctype_b_loc ())[(int) ((((unsigned char)(*p))))] & (
unsigned short int) _ISspace))
)
1014 p++;
1015 if (!*p) {
1016 goto err;
1017 }
1018 /* Find end of response code: first whitespace after start of code */
1019 for (q = p; *q && !apr_isspace(*q)(((*__ctype_b_loc ())[(int) ((((unsigned char)(*q))))] & (
unsigned short int) _ISspace))
; q++)
1020 continue;
1021 if (!*q) {
1022 goto err;
1023 }
1024 /* Set end of response code and start of message */
1025 *q++ = 0;
1026 /* Attempt to parse numeric code */
1027 retcode = strtoul(p, &r, 10);
1028 if (*r)
1029 goto err;
1030 /* Skip over any leading white space in message */
1031 while (apr_isspace(*q)(((*__ctype_b_loc ())[(int) ((((unsigned char)(*q))))] & (
unsigned short int) _ISspace))
)
1032 q++;
1033 if (*q) {
1034 /* Finally zap any trailing white space in message (include CRLF) */
1035 /* We know q has a non white space character so this is OK */
1036 for(r = q + strlen(q) - 1; apr_isspace(*r)(((*__ctype_b_loc ())[(int) ((((unsigned char)(*r))))] & (
unsigned short int) _ISspace))
; r--) *r = 0;
1037 }
1038 if (retcode != 200) {
1039 goto err;
1040 }
1041 /* Find blank line marking beginning of content */
1042 while (BIO_gets(mem, tmpbuf, 512) > 0) {
1043 for (p = tmpbuf; apr_isspace(*p)(((*__ctype_b_loc ())[(int) ((((unsigned char)(*p))))] & (
unsigned short int) _ISspace))
; p++)
1044 continue;
1045 if (!*p)
1046 break;
1047 }
1048 if (*p) {
1049 goto err;
1050 }
1051 if (!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL((void*)0)))) {
1052 goto err;
1053 }
1054err:
1055 BIO_free(mem);
1056 return resp;
1057}
1058
1059
1060/* Reads the respnse from the APR socket to a buffer, and parses the buffer to
1061 return the OCSP response */
1062#define ADDLEN 512
1063static OCSP_RESPONSE *ocsp_get_resp(apr_socket_t *sock)
1064{
1065 int buflen;
1066 apr_size_t totalread = 0;
1067 apr_size_t readlen;
1068 char *buf, tmpbuf[ADDLEN];
1069 apr_status_t rv = APR_SUCCESS0;
1070 apr_pool_t *p;
1071 OCSP_RESPONSE *resp;
1072
1073 apr_pool_create(&p, NULL)apr_pool_create_ex(&p, ((void*)0), ((void*)0), ((void*)0)
)
;
1074 buflen = ADDLEN;
1075 buf = apr_palloc(p, buflen);
1076 if (buf == NULL((void*)0)) {
1077 apr_pool_destroy(p);
1078 return NULL((void*)0);
1079 }
1080
1081 while (rv == APR_SUCCESS0 ) {
1082 readlen = sizeof(tmpbuf);
1083 rv = apr_socket_recv(sock, tmpbuf, &readlen);
1084 if (rv == APR_SUCCESS0) { /* if we have read something .. we can put it in the buffer*/
1085 if ((totalread + readlen) >= buflen) {
1086 buf = apr_xrealloc(buf, buflen, buflen + ADDLEN, p);
1087 if (buf == NULL((void*)0)) {
1088 apr_pool_destroy(p);
1089 return NULL((void*)0);
1090 }
1091 buflen += ADDLEN; /* if needed we enlarge the buffer */
1092 }
1093 memcpy(buf + totalread, tmpbuf, readlen); /* the copy to the buffer */
1094 totalread += readlen; /* update the total bytes read */
1095 }
1096 else {
1097 if (rv == APR_EOF((20000 + 50000) + 14) && readlen == 0)
1098 ; /* EOF, normal situation */
1099 else if (readlen == 0) {
1100 /* Not success, and readlen == 0 .. some error */
1101 apr_pool_destroy(p);
1102 return NULL((void*)0);
1103 }
1104 }
1105 }
1106
1107 resp = parse_ocsp_resp(buf, buflen);
1108 apr_pool_destroy(p);
1109 return resp;
1110}
1111
1112/* Creates and OCSP request and returns the OCSP_RESPONSE */
1113static OCSP_RESPONSE *get_ocsp_response(X509 *cert, X509 *issuer, char *url)
1114{
1115 OCSP_RESPONSE *ocsp_resp = NULL((void*)0);
1116 OCSP_REQUEST *ocsp_req = NULL((void*)0);
1117 BIO *bio_req;
1118 char *hostname, *path, *c_port;
1119 int port, use_ssl;
1120 STACK_OF(OCSP_CERTID)struct stack_st_OCSP_CERTID *ids = NULL((void*)0);
1121 int ok = 0;
1122 apr_socket_t *apr_sock = NULL((void*)0);
1123 apr_pool_t *mp;
1124
1125 apr_pool_create(&mp, NULL)apr_pool_create_ex(&mp, ((void*)0), ((void*)0), ((void*)0
))
;
1126 ids = sk_OCSP_CERTID_new_null()((struct stack_st_OCSP_CERTID *)sk_new_null());
1127
1128 /* problem parsing the URL */
1129 if (OCSP_parse_url(url,&hostname, &c_port, &path, &use_ssl) == 0 ) {
1130 sk_OCSP_CERTID_free(ids)sk_free(((_STACK*) (1 ? (ids) : (struct stack_st_OCSP_CERTID*
)0)))
;
1131 return NULL((void*)0);
1132 }
1133
1134 /* Create the OCSP request */
1135 if (sscanf(c_port, "%d", &port) != 1)
1136 goto end;
1137 ocsp_req = OCSP_REQUEST_new();
1138 if (ocsp_req == NULL((void*)0))
1139 return NULL((void*)0);
1140 if (add_ocsp_cert(&ocsp_req,cert,issuer,ids) == 0 )
1141 goto free_req;
1142
1143 /* create the BIO with the request to send */
1144 bio_req = serialize_request(ocsp_req, hostname, port, path);
1145 if (bio_req == NULL((void*)0)) {
1146 goto free_req;
1147 }
1148
1149 apr_sock = make_socket(hostname, port, mp);
1150 if (apr_sock == NULL((void*)0)) {
1151 ocsp_resp = NULL((void*)0);
1152 goto free_bio;
1153 }
1154
1155 ok = ocsp_send_req(apr_sock, bio_req);
1156 if (ok)
1157 ocsp_resp = ocsp_get_resp(apr_sock);
1158
1159free_bio:
1160 BIO_free(bio_req);
1161
1162free_req:
1163 if(apr_sock && ok) /* if ok == 0 we have already closed the socket */
1164 apr_socket_close(apr_sock);
1165
1166 apr_pool_destroy(mp);
1167
1168 sk_OCSP_CERTID_free(ids)sk_free(((_STACK*) (1 ? (ids) : (struct stack_st_OCSP_CERTID*
)0)))
;
1169 OCSP_REQUEST_free(ocsp_req);
1170
1171end:
1172 return ocsp_resp;
1173}
1174
1175/* Process the OCSP_RESPONSE and returns the corresponding
1176 answert according to the status.
1177*/
1178static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp)
1179{
1180 int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
1181 OCSP_BASICRESP *bs;
1182 OCSP_SINGLERESP *ss;
1183
1184 r = OCSP_response_status(ocsp_resp);
1185
1186 if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1187 OCSP_RESPONSE_free(ocsp_resp);
1188 return OCSP_STATUS_UNKNOWN2;
1189 }
1190 bs = OCSP_response_get1_basic(ocsp_resp);
1191
1192 ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */
1193
1194 i = OCSP_single_get0_status(ss, NULL((void*)0), NULL((void*)0), NULL((void*)0), NULL((void*)0));
1195 if (i == V_OCSP_CERTSTATUS_GOOD)
1196 o = OCSP_STATUS_OK0;
1197 else if (i == V_OCSP_CERTSTATUS_REVOKED)
1198 o = OCSP_STATUS_REVOKED1;
1199 else if (i == V_OCSP_CERTSTATUS_UNKNOWN)
1200 o = OCSP_STATUS_UNKNOWN2;
1201
1202 /* we clean up */
1203 OCSP_RESPONSE_free(ocsp_resp);
1204 return o;
1205}
1206
1207static int ssl_ocsp_request(X509 *cert, X509 *issuer)
1208{
1209 char **ocsp_urls = NULL((void*)0);
1210 int nid;
1211 X509_EXTENSION *ext;
1212 ASN1_OCTET_STRING *os;
1213 apr_pool_t *p;
1214
1215 apr_pool_create(&p, NULL)apr_pool_create_ex(&p, ((void*)0), ((void*)0), ((void*)0)
)
;
1216
1217 /* Get the proper extension */
1218 nid = X509_get_ext_by_NID(cert,NID_info_access177,-1);
1219 if (nid >= 0 ) {
1220 ext = X509_get_ext(cert,nid);
1221 os = X509_EXTENSION_get_data(ext);
1222
1223 ocsp_urls = decode_OCSP_url(os, p);
1224 }
1225
1226 /* if we find the extensions and we can parse it check
1227 the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
1228 if (ocsp_urls != NULL((void*)0)) {
1229 OCSP_RESPONSE *resp;
1230 /* for the time being just check for the fist response .. a better
1231 approach is to iterate for all the possible ocsp urls */
1232 resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
1233
1234 if (resp != NULL((void*)0)) {
1235 apr_pool_destroy(p);
1236 return process_ocsp_response(resp);
1237 }
1238 }
1239 apr_pool_destroy(p);
1240 return OCSP_STATUS_UNKNOWN2;
1241}
1242
1243#endif /* HAS_OCSP_ENABLED */
1244#endif /* HAVE_OPENSSL */