wolfSSL SSL/TLS library, support up to TLS1.3


Committer:
wolfSSL
Date:
Tue Aug 22 10:48:22 2017 +0000
Revision:
13:f67a6c6013ca
wolfSSL3.12.0 with TLS1.3


wolfSSL 13:f67a6c6013ca 1 /* ocsp.c
wolfSSL 13:f67a6c6013ca 2 *
wolfSSL 13:f67a6c6013ca 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 13:f67a6c6013ca 4 *
wolfSSL 13:f67a6c6013ca 5 * This file is part of wolfSSL.
wolfSSL 13:f67a6c6013ca 6 *
wolfSSL 13:f67a6c6013ca 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 13:f67a6c6013ca 8 * it under the terms of the GNU General Public License as published by
wolfSSL 13:f67a6c6013ca 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 13:f67a6c6013ca 10 * (at your option) any later version.
wolfSSL 13:f67a6c6013ca 11 *
wolfSSL 13:f67a6c6013ca 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 13:f67a6c6013ca 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 13:f67a6c6013ca 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 13:f67a6c6013ca 15 * GNU General Public License for more details.
wolfSSL 13:f67a6c6013ca 16 *
wolfSSL 13:f67a6c6013ca 17 * You should have received a copy of the GNU General Public License
wolfSSL 13:f67a6c6013ca 18 * along with this program; if not, write to the Free Software
wolfSSL 13:f67a6c6013ca 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 13:f67a6c6013ca 20 */
wolfSSL 13:f67a6c6013ca 21
wolfSSL 13:f67a6c6013ca 22
wolfSSL 13:f67a6c6013ca 23 /* Name change compatibility layer no longer needs to be included here */
wolfSSL 13:f67a6c6013ca 24
wolfSSL 13:f67a6c6013ca 25 #ifdef HAVE_CONFIG_H
wolfSSL 13:f67a6c6013ca 26 #include <config.h>
wolfSSL 13:f67a6c6013ca 27 #endif
wolfSSL 13:f67a6c6013ca 28
wolfSSL 13:f67a6c6013ca 29 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 13:f67a6c6013ca 30
wolfSSL 13:f67a6c6013ca 31 #ifndef WOLFCRYPT_ONLY
wolfSSL 13:f67a6c6013ca 32 #ifdef HAVE_OCSP
wolfSSL 13:f67a6c6013ca 33
wolfSSL 13:f67a6c6013ca 34 #include <wolfssl/error-ssl.h>
wolfSSL 13:f67a6c6013ca 35 #include <wolfssl/ocsp.h>
wolfSSL 13:f67a6c6013ca 36 #include <wolfssl/internal.h>
wolfSSL 13:f67a6c6013ca 37
wolfSSL 13:f67a6c6013ca 38 #ifdef NO_INLINE
wolfSSL 13:f67a6c6013ca 39 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 13:f67a6c6013ca 40 #else
wolfSSL 13:f67a6c6013ca 41 #define WOLFSSL_MISC_INCLUDED
wolfSSL 13:f67a6c6013ca 42 #include <wolfcrypt/src/misc.c>
wolfSSL 13:f67a6c6013ca 43 #endif
wolfSSL 13:f67a6c6013ca 44
wolfSSL 13:f67a6c6013ca 45
/* Initialise an OCSP context and attach it to its certificate manager.
 *
 * ocsp  Context to initialise. It is zeroed first, so any prior contents
 *       (including a cache list) are discarded without being freed.
 * cm    Certificate manager the context uses for its heap hint, callbacks
 *       and CA store.
 * returns 0 on success, BAD_MUTEX_E when the context lock cannot be created
 * (cm is not stored in that case).
 */
int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm)
{
    int ret = 0;

    WOLFSSL_ENTER("InitOCSP");

    /* Clean slate: ocspList becomes NULL, cm becomes NULL. */
    ForceZero(ocsp, sizeof(WOLFSSL_OCSP));

    if (wc_InitMutex(&ocsp->ocspLock) != 0) {
        ret = BAD_MUTEX_E;
    }
    else {
        ocsp->cm = cm;
    }

    return ret;
}
wolfSSL 13:f67a6c6013ca 59
wolfSSL 13:f67a6c6013ca 60
/* Prepare a cache entry for the issuer named by a request.
 *
 * entry    Entry to initialise; zeroed, so its status list starts empty.
 * request  Request whose issuer name hash and issuer key hash identify the
 *          entry (both OCSP_DIGEST_SIZE bytes).
 * returns 0 always.
 */
static int InitOcspEntry(OcspEntry* entry, OcspRequest* request)
{
    WOLFSSL_ENTER("InitOcspEntry");

    ForceZero(entry, sizeof(OcspEntry));

    /* The (issuerHash, issuerKeyHash) pair is the lookup key used by
     * GetOcspEntry; nothing else from the request is kept on the entry. */
    XMEMCPY(entry->issuerHash,    request->issuerHash,    OCSP_DIGEST_SIZE);
    XMEMCPY(entry->issuerKeyHash, request->issuerKeyHash, OCSP_DIGEST_SIZE);

    return 0;
}
wolfSSL 13:f67a6c6013ca 72
wolfSSL 13:f67a6c6013ca 73
/* Release every cached certificate status hanging off an entry.
 *
 * The entry itself is not freed; the caller owns it (see FreeOCSP).
 *
 * entry  Entry whose status list is torn down.
 * heap   Heap hint passed to XFREE; may be ignored by the allocator in use,
 *        hence the (void) cast at the end.
 */
static void FreeOcspEntry(OcspEntry* entry, void* heap)
{
    CertStatus* cur = entry->status;

    WOLFSSL_ENTER("FreeOcspEntry");

    while (cur != NULL) {
        CertStatus* following = cur->next;

        /* The raw response copy is a separate allocation owned by the node. */
        if (cur->rawOcspResponse)
            XFREE(cur->rawOcspResponse, heap, DYNAMIC_TYPE_OCSP_STATUS);
        XFREE(cur, heap, DYNAMIC_TYPE_OCSP_STATUS);

        cur = following;
    }

    (void)heap;
}
wolfSSL 13:f67a6c6013ca 91
wolfSSL 13:f67a6c6013ca 92
/* Tear down an OCSP context: drop the whole response cache and its lock.
 *
 * ocsp     Context to free. ocsp->cm must still be valid because the heap
 *          hint is read from ocsp->cm->heap.
 * dynamic  Non-zero when the context itself was heap allocated and must be
 *          released as well.
 */
void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic)
{
    void* heap = ocsp->cm->heap;
    OcspEntry* cur = ocsp->ocspList;

    WOLFSSL_ENTER("FreeOCSP");

    while (cur != NULL) {
        OcspEntry* following = cur->next;

        FreeOcspEntry(cur, heap);
        XFREE(cur, heap, DYNAMIC_TYPE_OCSP_ENTRY);

        cur = following;
    }

    wc_FreeMutex(&ocsp->ocspLock);

    if (dynamic)
        XFREE(ocsp, heap, DYNAMIC_TYPE_OCSP);
}
wolfSSL 13:f67a6c6013ca 111
wolfSSL 13:f67a6c6013ca 112
/* Map a decoded certificate status to the error code callers see.
 *
 * st  CertStatus.status value from a decoded response.
 * returns 0 for CERT_GOOD, OCSP_CERT_REVOKED for CERT_REVOKED and
 * OCSP_CERT_UNKNOWN for any other value.
 */
static int xstat2err(int st)
{
    if (st == CERT_GOOD)
        return 0;
    if (st == CERT_REVOKED)
        return OCSP_CERT_REVOKED;
    return OCSP_CERT_UNKNOWN;
}
wolfSSL 13:f67a6c6013ca 124
wolfSSL 13:f67a6c6013ca 125
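/* Look up (or fetch) the OCSP status of a decoded certificate.
 *
 * Builds an OcspRequest from the certificate and hands it to
 * CheckOcspRequest, which consults the cache and, if needed, the responder.
 *
 * ocsp            Context holding the cache and the certificate manager.
 * cert            Certificate whose status is wanted.
 * responseBuffer  Optional; when non-NULL receives a copy of the raw
 *                 response (ownership rules in CheckOcspRequest).
 * returns 0 when the certificate is good, OCSP_CERT_REVOKED when revoked,
 * MEMORY_E when the request cannot be allocated (small-stack builds),
 * OCSP_LOOKUP_FAIL when the request cannot be initialised, otherwise the
 * code returned by CheckOcspRequest.
 */
int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
{
    int ret = OCSP_LOOKUP_FAIL;
#ifdef WOLFSSL_SMALL_STACK
    OcspRequest* ocspRequest;
#else
    OcspRequest ocspRequest[1];
#endif

    WOLFSSL_ENTER("CheckCertOCSP");

#ifdef WOLFSSL_SMALL_STACK
    ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
                                        DYNAMIC_TYPE_TMP_BUFFER);
    if (ocspRequest == NULL) {
        /* Log the same code that is returned. */
        WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_E);
        return MEMORY_E;
    }
#endif

    /* The manager's ocspSendNonce setting is forwarded to the request
     * builder. The request is only freed when it was initialised. */
    if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce,
                        ocsp->cm->heap) == 0) {
        ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer);
        FreeOcspRequest(ocspRequest);
    }

#ifdef WOLFSSL_SMALL_STACK
    XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    WOLFSSL_LEAVE("CheckCertOCSP", ret);
    return ret;
}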
wolfSSL 13:f67a6c6013ca 162
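/* Find the cache entry for a request's issuer, creating one if absent.
 *
 * Entries are keyed on (issuerHash, issuerKeyHash). A newly created entry
 * is pushed at the head of ocsp->ocspList. The list is walked and modified
 * while holding ocsp->ocspLock.
 *
 * ocsp     Context whose cache is searched.
 * request  Request supplying the issuer hashes.
 * entry    Out: the matching or newly created entry, NULL on failure.
 * returns 0 on success, BAD_MUTEX_E when the lock cannot be taken,
 * MEMORY_ERROR when a new entry cannot be allocated.
 */
static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request,
                        OcspEntry** entry)
{
    OcspEntry* cur;

    WOLFSSL_ENTER("GetOcspEntry");

    *entry = NULL;

    if (wc_LockMutex(&ocsp->ocspLock) != 0) {
        WOLFSSL_LEAVE("GetOcspEntry", BAD_MUTEX_E);
        return BAD_MUTEX_E;
    }

    for (cur = ocsp->ocspList; cur != NULL; cur = cur->next) {
        if (XMEMCMP(cur->issuerHash, request->issuerHash,
                    OCSP_DIGEST_SIZE) == 0
         && XMEMCMP(cur->issuerKeyHash, request->issuerKeyHash,
                    OCSP_DIGEST_SIZE) == 0) {
            break;
        }
    }

    if (cur == NULL) {
        cur = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ocsp->cm->heap,
                                  DYNAMIC_TYPE_OCSP_ENTRY);
        if (cur != NULL) {
            InitOcspEntry(cur, request);
            /* Newest entry goes to the front of the list. */
            cur->next = ocsp->ocspList;
            ocsp->ocspList = cur;
        }
    }
    *entry = cur;

    wc_UnLockMutex(&ocsp->ocspLock);

    return *entry ? 0 : MEMORY_ERROR;
}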
wolfSSL 13:f67a6c6013ca 196
wolfSSL 13:f67a6c6013ca 197
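/* Look for a usable cached status for the request's serial number.
 *
 * ocsp            Context; its lock is held while the cache is read.
 * request         Request supplying the serial number to match.
 * entry           Issuer entry whose status list is searched.
 * status          Out: the matching CertStatus node (still owned by the
 *                 cache), or NULL when the serial is not cached.
 * responseBuffer  Optional; when non-NULL and a usable cached status with a
 *                 stored raw response is found, receives a fresh copy of
 *                 that response. The copy is allocated with a NULL heap
 *                 hint (CheckResponse uses ocsp->cm->heap for the same
 *                 buffer; presumably harmless, but worth confirming for
 *                 custom allocators). The caller frees it.
 * returns 0 (good) or OCSP_CERT_REVOKED / OCSP_CERT_UNKNOWN from the cached
 * status when it is accepted; OCSP_INVALID_STATUS when no cached status can
 * be used and a fresh response must be fetched; BAD_MUTEX_E when the lock
 * cannot be taken.
 */
static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
                         OcspEntry* entry, CertStatus** status,
                         buffer* responseBuffer)
{
    int ret = OCSP_INVALID_STATUS;
    CertStatus* cur;

    WOLFSSL_ENTER("GetOcspStatus");

    *status = NULL;

    if (wc_LockMutex(&ocsp->ocspLock) != 0) {
        WOLFSSL_LEAVE("GetOcspStatus", BAD_MUTEX_E);
        return BAD_MUTEX_E;
    }

    /* Serial numbers are matched on both length and content. */
    for (cur = entry->status; cur != NULL; cur = cur->next) {
        if (cur->serialSz == request->serialSz
         && XMEMCMP(cur->serial, request->serial, cur->serialSz) == 0) {
            break;
        }
    }
    *status = cur;

    if (responseBuffer && cur && !cur->rawOcspResponse) {
        /* Caller wants the raw response but none was kept with this status:
         * report it unusable so the caller fetches again. */
        ret = OCSP_INVALID_STATUS;
    }
    else if (cur) {
#ifndef NO_ASN_TIME
        /* Serve from cache only while ValidateDate accepts thisDate (BEFORE)
         * and nextDate (AFTER), presumably the response's validity window. A
         * status with no nextDate is never served from cache. Builds with
         * NO_ASN_TIME cannot check dates and use the cached status as-is. */
        if (ValidateDate(cur->thisDate, cur->thisDateFormat, BEFORE)
         && (cur->nextDate[0] != 0)
         && ValidateDate(cur->nextDate, cur->nextDateFormat, AFTER))
#endif
        {
            ret = xstat2err(cur->status);

            if (responseBuffer) {
                responseBuffer->buffer = (byte*)XMALLOC(cur->rawOcspResponseSz,
                                                        NULL,
                                                        DYNAMIC_TYPE_TMP_BUFFER);
                if (responseBuffer->buffer) {
                    responseBuffer->length = cur->rawOcspResponseSz;
                    XMEMCPY(responseBuffer->buffer, cur->rawOcspResponse,
                            cur->rawOcspResponseSz);
                }
            }
        }
    }

    wc_UnLockMutex(&ocsp->ocspLock);

    return ret;
}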
wolfSSL 13:f67a6c6013ca 248
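/* Decode and validate a fresh OCSP response, then record it in the cache.
 *
 * The response is decoded by OcspResponseDecode (which is handed the
 * certificate manager), must carry responseStatus OCSP_SUCCESSFUL and, when
 * ocspRequest is given, must match it per CompareOcspReqResp. Callers that
 * pass ocspRequest == NULL get no request/response binding here. The decoded
 * CertStatus either replaces the existing cached node in place (status !=
 * NULL) or is pushed onto entry->status; a private copy of the raw response
 * is kept with it when responseBuffer is in use.
 *
 * ocsp            Context; provides the certificate manager and the lock.
 * response        OCSP response message data.
 * responseSz      Length of OCSP response message data.
 * responseBuffer  Optional; when non-NULL receives a copy of the raw response
 *                 (allocated with ocsp->cm->heap; the caller frees it). It is
 *                 filled before the certificate status is examined, so it can
 *                 be set even when the function reports a failure.
 * status          Existing cached status node for this serial, or NULL.
 * entry           The OCSP cache entry for this certificate's issuer.
 * ocspRequest     Request the response must answer, or NULL to skip matching.
 * returns 0 when the certificate is good, OCSP_CERT_REVOKED when revoked,
 * MEMORY_E when work buffers cannot be allocated (small-stack builds), and
 * OCSP_LOOKUP_FAIL for every other outcome (decode error, bad responseStatus,
 * request mismatch, unknown status, lock failure).
 */
static int CheckResponse(WOLFSSL_OCSP* ocsp, byte* response, int responseSz,
                         buffer* responseBuffer, CertStatus* status,
                         OcspEntry* entry, OcspRequest* ocspRequest)
{
#ifdef WOLFSSL_SMALL_STACK
    CertStatus* newStatus;
    OcspResponse* ocspResponse;
#else
    CertStatus newStatus[1];
    OcspResponse ocspResponse[1];
#endif
    int ret;
    int validated = 0; /* set once the decoded status maps to CERT_GOOD */

#ifdef WOLFSSL_SMALL_STACK
    newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
                                     DYNAMIC_TYPE_TMP_BUFFER);
    ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
                                          DYNAMIC_TYPE_TMP_BUFFER);

    if (newStatus == NULL || ocspResponse == NULL) {
        if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
        if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);

        WOLFSSL_LEAVE("CheckResponse", MEMORY_E);
        return MEMORY_E;
    }
#endif
    XMEMSET(newStatus, 0, sizeof(CertStatus));

    /* The decoder writes the single certificate status into newStatus. */
    InitOcspResponse(ocspResponse, newStatus, response, responseSz);
    ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0);
    if (ret != 0) {
        WOLFSSL_MSG("OcspResponseDecode failed");
        goto end;
    }

    if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) {
        /* ret is still 0 here; the cleanup below turns it into
         * OCSP_LOOKUP_FAIL because validated stays 0. */
        WOLFSSL_MSG("OcspResponse status bad");
        goto end;
    }
    if (ocspRequest != NULL) {
        ret = CompareOcspReqResp(ocspRequest, ocspResponse);
        if (ret != 0) {
            goto end;
        }
    }

    if (responseBuffer) {
        responseBuffer->buffer = (byte*)XMALLOC(responseSz, ocsp->cm->heap,
                                                DYNAMIC_TYPE_TMP_BUFFER);

        if (responseBuffer->buffer) {
            responseBuffer->length = responseSz;
            XMEMCPY(responseBuffer->buffer, response, responseSz);
        }
    }

    ret = xstat2err(ocspResponse->status->status);
    if (ret == 0) {
        validated = 1;
    }

    if (wc_LockMutex(&ocsp->ocspLock) != 0) {
        ret = BAD_MUTEX_E;
        goto end;
    }

    if (status != NULL) {
        if (status->rawOcspResponse) {
            XFREE(status->rawOcspResponse, ocsp->cm->heap,
                  DYNAMIC_TYPE_OCSP_STATUS);
        }

        /* Replace the existing node in place. newStatus->next is NULL from
         * the memset above, so carry the list link over first; otherwise the
         * remainder of entry->status would be cut off and leaked. */
        newStatus->next = status->next;
        XMEMCPY(status, newStatus, sizeof(CertStatus));
    }
    else {
        /* Save new certificate entry at the head of the list */
        status = (CertStatus*)XMALLOC(sizeof(CertStatus),
                                      ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS);
        if (status != NULL) {
            XMEMCPY(status, newStatus, sizeof(CertStatus));
            status->next = entry->status;
            entry->status = status;
            entry->totalStatus++;
        }
    }

    /* Keep a private copy of the raw response so later cache hits can hand
     * it back (see GetOcspStatus). */
    if (status && responseBuffer && responseBuffer->buffer) {
        status->rawOcspResponse = (byte*)XMALLOC(responseBuffer->length,
                                                 ocsp->cm->heap,
                                                 DYNAMIC_TYPE_OCSP_STATUS);

        if (status->rawOcspResponse) {
            status->rawOcspResponseSz = responseBuffer->length;
            XMEMCPY(status->rawOcspResponse, responseBuffer->buffer,
                    responseBuffer->length);
        }
    }

    wc_UnLockMutex(&ocsp->ocspLock);

end:
    /* Only CERT_GOOD and CERT_REVOKED are reported as such; everything else
     * collapses to OCSP_LOOKUP_FAIL. */
    if (ret == 0 && validated == 1) {
        WOLFSSL_MSG("New OcspResponse validated");
    } else if (ret != OCSP_CERT_REVOKED) {
        ret = OCSP_LOOKUP_FAIL;
    }

#ifdef WOLFSSL_SMALL_STACK
    XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
    return ret;
}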
wolfSSL 13:f67a6c6013ca 375
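/* Resolve an OCSP request: cache first, then the responder.
 *
 * Order of operations: find/create the issuer cache entry; return a cached
 * status if GetOcspStatus accepts one; otherwise obtain a response (via the
 * status callback on NGINX/HAProxy builds, else by encoding the request and
 * calling the I/O callback against the override URL or the certificate's own
 * URL) and validate it with CheckResponse.
 *
 * ocsp            Context holding cache, lock and certificate manager.
 * ocspRequest     Request to answer; also supplies the responder URL.
 * responseBuffer  Optional; reset to empty on entry and, on a usable
 *                 response, filled with a copy the caller must free.
 * returns 0 when the certificate is good. 0 is also returned when no
 * override URL is configured and the certificate carries no responder URL:
 * that case is treated as CERT_GOOD without any lookup. OCSP_CERT_REVOKED
 * when revoked; OCSP_NEED_URL when the override URL is enabled but empty;
 * WANT_READ when the I/O callback reports WOLFSSL_CBIO_ERR_WANT_READ;
 * MEMORY_ERROR when the request buffer cannot be allocated; OCSP_LOOKUP_FAIL
 * when a response was obtained but did not validate; otherwise the code
 * from GetOcspEntry / GetOcspStatus. In particular OCSP_INVALID_STATUS is
 * what comes back when the request could not be encoded, no I/O callback is
 * set, or the callback failed without WANT_READ.
 */
int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
                     buffer* responseBuffer)
{
    OcspEntry*  entry = NULL;
    CertStatus* status = NULL;
    byte*       request = NULL;
    int         requestSz = 2048;  /* capacity of the encoded request buffer */
    int         responseSz = 0;
    byte*       response = NULL;
    const char* url = NULL;
    int         urlSz = 0;
    int         ret = -1;

    WOLFSSL_ENTER("CheckOcspRequest");

    if (responseBuffer) {
        responseBuffer->buffer = NULL;
        responseBuffer->length = 0;
    }

    ret = GetOcspEntry(ocsp, ocspRequest, &entry);
    if (ret != 0)
        return ret;

    /* Anything other than OCSP_INVALID_STATUS is a final answer from cache. */
    ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer);
    if (ret != OCSP_INVALID_STATUS)
        return ret;

#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
    if (ocsp->statusCb != NULL && ocspRequest->ssl != NULL) {
        ret = ocsp->statusCb((WOLFSSL*)ocspRequest->ssl, ocsp->cm->ocspIOCtx);
        if (ret == 0) {
            /* The response obtained here is validated without being matched
             * to this request (ocspRequest passed as NULL to CheckResponse);
             * ret carries the length returned by wolfSSL_get_ocsp_response. */
            ret = wolfSSL_get_ocsp_response((WOLFSSL*)ocspRequest->ssl,
                                            &response);
            ret = CheckResponse(ocsp, response, ret, responseBuffer, status,
                                entry, NULL);
            if (response != NULL)
                XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
            return ret;
        }
        return OCSP_LOOKUP_FAIL;
    }
#endif

    if (ocsp->cm->ocspUseOverrideURL) {
        url = ocsp->cm->ocspOverrideURL;
        if (url != NULL && url[0] != '\0')
            urlSz = (int)XSTRLEN(url);
        else
            return OCSP_NEED_URL;
    }
    else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) {
        url = (const char *)ocspRequest->url;
        urlSz = ocspRequest->urlSz;
    }
    else {
        /* cert doesn't have extAuthInfo, assuming CERT_GOOD */
        return 0;
    }

    request = (byte*)XMALLOC(requestSz, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
    if (request == NULL) {
        WOLFSSL_LEAVE("CheckOcspRequest", MEMORY_ERROR);
        return MEMORY_ERROR;
    }

    requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
    if (requestSz > 0 && ocsp->cm->ocspIOCb) {
        responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
                                        request, requestSz, &response);
    }
    if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
        ret = WANT_READ;
    }

    XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);

    if (responseSz >= 0 && response) {
        ret = CheckResponse(ocsp, response, responseSz, responseBuffer, status,
                            entry, ocspRequest);
    }

    /* Hand the callback's response back to the manager's free callback,
     * when one is registered. */
    if (response != NULL && ocsp->cm->ocspRespFreeCb)
        ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response);

    WOLFSSL_LEAVE("CheckOcspRequest", ret);
    return ret;
}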
wolfSSL 13:f67a6c6013ca 465
wolfSSL 13:f67a6c6013ca 466 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
wolfSSL 13:f67a6c6013ca 467
/* OpenSSL-compatible accessor for the single status in a basic response.
 *
 * bs       Decoded response. Only one certificate status is decoded in
 *          asn.c, so the response must correspond to id.
 * id       Certificate ID (an OcspRequest underneath) to look up.
 * status   Out, optional: raw certificate status value.
 * reason   Out, optional: always set to 0 here.
 * revtime  Out, optional: always set to NULL here.
 * thisupd  Out, optional: thisUpdate as stored on the status.
 * nextupd  Out, optional: nextUpdate as stored on the status.
 * returns SSL_SUCCESS, or SSL_FAILURE when bs or id is NULL or when the
 * response does not correspond to id.
 */
int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
    WOLFSSL_OCSP_CERTID* id, int* status, int* reason,
    WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
    WOLFSSL_ASN1_TIME** nextupd)
{
    CertStatus* single;

    if (bs == NULL || id == NULL)
        return SSL_FAILURE;

    /* Only supporting one certificate status in asn.c. */
    if (CompareOcspReqResp(id, bs) != 0)
        return SSL_FAILURE;

    single = bs->status;

    if (status != NULL)
        *status = single->status;
    if (thisupd != NULL)
        *thisupd = (WOLFSSL_ASN1_TIME*)single->thisDateAsn;
    if (nextupd != NULL)
        *nextupd = (WOLFSSL_ASN1_TIME*)single->nextDateAsn;

    /* TODO: Not needed for Nginx. */
    if (reason != NULL)
        *reason = 0;
    if (revtime != NULL)
        *revtime = NULL;

    return SSL_SUCCESS;
}
wolfSSL 13:f67a6c6013ca 495
/* Return a printable name for an OCSP certificate status.
 *
 * s  Status value (CERT_GOOD, CERT_REVOKED or CERT_UNKNOWN).
 * returns a static string: "good", "revoked", "unknown", or "(UNKNOWN)" for
 * any other value. The result must not be freed.
 */
const char *wolfSSL_OCSP_cert_status_str(long s)
{
    const char* name = "(UNKNOWN)";

    if (s == CERT_GOOD)
        name = "good";
    else if (s == CERT_REVOKED)
        name = "revoked";
    else if (s == CERT_UNKNOWN)
        name = "unknown";

    return name;
}
wolfSSL 13:f67a6c6013ca 509
/* OpenSSL-compatible stub: always reports the validity window as acceptable.
 *
 * No check is performed here; the dates were validated when the response
 * was decoded (DecodeSingleResponse). sec and maxsec, the skew and
 * maximum-age tolerances of the OpenSSL API this mirrors, are ignored.
 *
 * returns SSL_SUCCESS unconditionally.
 */
int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd,
    WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec)
{
    /* Parameters exist only for API compatibility. */
    (void)thisupd; (void)nextupd;
    (void)sec;     (void)maxsec;

    return SSL_SUCCESS;
}
wolfSSL 13:f67a6c6013ca 520
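/* Free a certificate ID created by wolfSSL_OCSP_cert_to_id.
 *
 * certId  ID to release; NULL is accepted and ignored, like free(), so
 *         callers need no guard.
 */
void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId)
{
    if (certId == NULL)
        return;

    /* A CERTID is an OcspRequest underneath: release its contents first,
     * then the object allocated in wolfSSL_OCSP_cert_to_id. */
    FreeOcspRequest(certId);
    XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
}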
wolfSSL 13:f67a6c6013ca 526
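/* Build an OCSP certificate ID (an OcspRequest) for subject issued by issuer.
 *
 * A throwaway certificate manager is created, the issuer's DER is copied
 * into it as a CA, and the subject is parsed against it (VERIFY_OCSP) before
 * the request is initialised from the parsed certificate.
 *
 * dgst     Ignored; the digest used for the ID is whatever InitOcspRequest
 *          produces.
 * subject  Certificate the ID refers to; must carry DER data.
 * issuer   Issuer of subject; must carry DER data.
 * returns a heap-allocated ID to be released with wolfSSL_OCSP_CERTID_free,
 * or NULL when an argument lacks DER data, the manager or ID cannot be
 * allocated, the subject does not parse, or the request cannot be
 * initialised.
 */
WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
    const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject,
    const WOLFSSL_X509 *issuer)
{
    WOLFSSL_OCSP_CERTID* certId;
    DecodedCert cert;
    WOLFSSL_CERT_MANAGER* cm;
    int ret;
    DerBuffer* derCert = NULL;

    (void)dgst;

    /* Both certificates are dereferenced below; fail cleanly on NULL. */
    if (subject == NULL || subject->derCert == NULL
     || issuer == NULL || issuer->derCert == NULL)
        return NULL;

    cm = wolfSSL_CertManagerNew();
    if (cm == NULL)
        return NULL;

    ret = AllocDer(&derCert, issuer->derCert->length,
                   issuer->derCert->type, NULL);
    if (ret == 0) {
        /* AddCA() frees the buffer. Its result is not checked; if the issuer
         * is not added, ParseCertRelative below is presumably what fails. */
        XMEMCPY(derCert->buffer, issuer->derCert->buffer,
                issuer->derCert->length);
        AddCA(cm, &derCert, WOLFSSL_USER_CA, 1);
    }

    certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL,
                                           DYNAMIC_TYPE_OPENSSL);
    if (certId != NULL) {
        InitDecodedCert(&cert, subject->derCert->buffer,
                        subject->derCert->length, NULL);
        if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) {
            XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
            certId = NULL;
        }
        else {
            /* No nonce, default heap hint for an ID object. */
            ret = InitOcspRequest(certId, &cert, 0, NULL);
            if (ret != 0) {
                XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
                certId = NULL;
            }
        }
        FreeDecodedCert(&cert);
    }

    wolfSSL_CertManagerFree(cm);

    return certId;
}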
wolfSSL 13:f67a6c6013ca 575
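/* Free a basic response. The basic response is the same object as the full
 * response here, so this forwards to wolfSSL_OCSP_RESPONSE_free.
 *
 * basicResponse  Response to release; NULL is accepted and ignored, which
 *                the callee does not guarantee on its own.
 */
void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse)
{
    if (basicResponse == NULL)
        return;

    wolfSSL_OCSP_RESPONSE_free(basicResponse);
}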
wolfSSL 13:f67a6c6013ca 580
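/* Verify the responder certificate carried in a basic response.
 *
 * The response signature itself is verified in DecodeBasicOcspResponse, but
 * no store is available there to verify the certificate. What remains here
 * is parsing the embedded responder certificate (bs->cert) with VERIFY
 * against the CA store of st->cm.
 *
 * bs     Decoded basic response holding the responder certificate.
 * certs  Ignored; extra untrusted certificates are not consulted.
 * st     Store whose certificate manager supplies the trust anchors.
 * flags  With OCSP_NOVERIFY set the certificate check is skipped and
 *        success is reported.
 * returns SSL_SUCCESS when the responder certificate parses and verifies (or
 * OCSP_NOVERIFY is set), SSL_FAILURE otherwise, including when bs or st is
 * NULL. Note that only a negative ParseCertRelative result is treated as
 * failure here, whereas wolfSSL_OCSP_cert_to_id rejects any non-zero result.
 */
int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs,
    STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags)
{
    DecodedCert cert;
    int ret = SSL_SUCCESS;

    (void)certs;

    if (flags & OCSP_NOVERIFY)
        return SSL_SUCCESS;

    /* Both are dereferenced below. */
    if (bs == NULL || st == NULL)
        return SSL_FAILURE;

    InitDecodedCert(&cert, bs->cert, bs->certSz, NULL);
    if (ParseCertRelative(&cert, CERT_TYPE, VERIFY, st->cm) < 0)
        ret = SSL_FAILURE;
    FreeDecodedCert(&cert);

    return ret;
}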
wolfSSL 13:f67a6c6013ca 601
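/* Free a decoded OCSP response and the buffers it owns.
 *
 * Releases the status object and the source buffer (presumably a copy made
 * at decode time) referenced by the response, then the response itself.
 *
 * response  Response to release; NULL is accepted and ignored.
 */
void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response)
{
    if (response == NULL)
        return;

    if (response->status != NULL)
        XFREE(response->status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (response->source != NULL)
        XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
}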
wolfSSL 13:f67a6c6013ca 610
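/* Read a DER OCSP response from a BIO and decode it.
 *
 * Memory BIOs are decoded straight from their backing buffer. File BIOs are
 * read from the current position to the end of the file into a temporary
 * buffer of exactly that size; the file position is restored before the
 * read. XFSEEK results are not checked.
 *
 * bio       Source BIO; must be BIO_MEMORY or BIO_FILE.
 * response  Forwarded untouched to wolfSSL_d2i_OCSP_RESPONSE.
 * returns the decoded response, or NULL when the BIO is NULL or of another
 * type, no data is available, allocation or the read fails, or decoding
 * fails.
 */
OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio,
    OcspResponse** response)
{
    byte* data;
    byte* p;
    int len;
    int dataAlloced = 0;
    OcspResponse* ret = NULL;

    if (bio == NULL)
        return NULL;

    if (bio->type == BIO_MEMORY) {
        len = wolfSSL_BIO_get_mem_data(bio, &data);
        if (len <= 0 || data == NULL) {
            return NULL;
        }
    }
    else if (bio->type == BIO_FILE) {
        long i;
        long l;
        long remaining;

        i = XFTELL(bio->file);
        if (i < 0)
            return NULL;
        XFSEEK(bio->file, 0, SEEK_END);
        l = XFTELL(bio->file);
        if (l < 0)
            return NULL;
        XFSEEK(bio->file, i, SEEK_SET);

        /* Bytes between the current position and end of file. */
        remaining = l - i;
        if (remaining <= 0)
            return NULL;

        data = (byte*)XMALLOC(remaining, 0, DYNAMIC_TYPE_TMP_BUFFER);
        if (data == NULL)
            return NULL;
        dataAlloced = 1;

        /* Read no more than was allocated: passing the absolute end offset
         * l would exceed the buffer whenever the start position is non-zero.
         * remaining is narrowed to int here; oversized files are not guarded. */
        len = wolfSSL_BIO_read(bio, (char *)data, (int)remaining);
    }
    else
        return NULL;

    if (len > 0) {
        p = data;
        ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p, len);
    }

    if (dataAlloced)
        XFREE(data, 0, DYNAMIC_TYPE_TMP_BUFFER);

    return ret;
}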
wolfSSL 13:f67a6c6013ca 666
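/* Decode a DER OCSPResponse into an OcspResponse (OpenSSL d2i semantics).
 *
 * response - if non-NULL and *response is non-NULL, that object is reused
 *            (buffers from a previous decode are released first, the same
 *            way wolfSSL_OCSP_RESPONSE_free() would release them);
 *            otherwise a new object is allocated. The result is not stored
 *            back into *response; use the return value.
 * data     - pointer to the DER bytes; on success *data is advanced past
 *            the outer SEQUENCE so consecutive objects can be decoded.
 * len      - number of bytes available at *data; must be > 0.
 *
 * Returns the decoded response, or NULL on bad arguments, allocation
 * failure or decode failure. On failure an object allocated here is freed;
 * a caller-supplied object is left holding no buffers and remains the
 * caller's to free (it is never freed on the caller's behalf).
 *
 * NOTE(review): OcspResponseDecode() is called with its last argument set
 * to 1; what that skips (and what is still signature-checked) is decided in
 * asn.c -- callers needing a verified response should still call
 * wolfSSL_OCSP_basic_verify(). */
OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
    const unsigned char** data, int len)
{
    OcspResponse *resp = NULL;
    int allocated = 0;
    word32 idx = 0;
    int length = 0;

    if (data == NULL || *data == NULL || len <= 0)
        return NULL;

    if (response != NULL)
        resp = *response;
    if (resp == NULL) {
        resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
                                      DYNAMIC_TYPE_OPENSSL);
        if (resp == NULL)
            return NULL;
        XMEMSET(resp, 0, sizeof(OcspResponse));
        allocated = 1;
    }
    else {
        /* Reusing the caller's object: drop buffers left by a previous
         * decode so they are not leaked when overwritten below. Assumes the
         * object came from this layer (buffers are DYNAMIC_TYPE_TMP_BUFFER,
         * as wolfSSL_OCSP_RESPONSE_free() already assumes). */
        if (resp->source != NULL)
            XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
        if (resp->status != NULL)
            XFREE(resp->status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
        resp->source = NULL;
        resp->status = NULL;
    }

    /* Keep a private copy of the DER so the decoded structure never
     * references the caller's buffer. */
    resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    resp->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
                                        DYNAMIC_TYPE_TMP_BUFFER);
    if (resp->source == NULL || resp->status == NULL)
        goto fail;

    XMEMCPY(resp->source, *data, len);
    resp->maxIdx = len;

    if (OcspResponseDecode(resp, NULL, NULL, 1) != 0)
        goto fail;

    /* Advance the caller's cursor past the object that was consumed. */
    if (GetSequence(*data, &idx, &length, len) >= 0)
        (*data) += idx + length;

    return resp;

fail:
    if (allocated) {
        wolfSSL_OCSP_RESPONSE_free(resp);
    }
    else {
        /* Caller still owns resp: release only what this call allocated. */
        if (resp->source != NULL)
            XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
        if (resp->status != NULL)
            XFREE(resp->status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
        resp->source = NULL;
        resp->status = NULL;
        resp->maxIdx = 0;
    }
    return NULL;
}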
wolfSSL 13:f67a6c6013ca 713
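/* Serialize an OcspResponse back to DER (OpenSSL i2d semantics with the
 * length-query form).
 *
 * response - decoded response; the DER copy it retained (source/maxIdx) is
 *            emitted verbatim, so the output equals the bytes decoded.
 * data     - NULL, or pointing to a NULL pointer: only the encoded length is
 *            returned and nothing is written (OpenSSL's "allocate for me"
 *            form is not provided). Otherwise *data must have room for at
 *            least response->maxIdx bytes -- query the length first; *data
 *            is not advanced.
 *
 * Returns the number of bytes written (or that would be written), or 0 for
 * a NULL or never-decoded response. */
int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response,
    unsigned char** data)
{
    if (response == NULL || response->source == NULL)
        return 0;

    if (data == NULL || *data == NULL)
        return (int)response->maxIdx;

    XMEMCPY(*data, response->source, response->maxIdx);
    return (int)response->maxIdx;
}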
wolfSSL 13:f67a6c6013ca 723
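/* Return the OCSPResponseStatus of a decoded response (one of the values
 * accepted by wolfSSL_OCSP_response_status_str(), e.g. OCSP_SUCCESSFUL).
 * Returns -1, which is not a valid status code, when response is NULL. */
int wolfSSL_OCSP_response_status(OcspResponse *response)
{
    if (response == NULL)
        return -1;

    return response->responseStatus;
}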
wolfSSL 13:f67a6c6013ca 728
/* Map an OCSPResponseStatus value to the name OpenSSL prints for it.
 * Any value that is not one of the known status codes yields "(UNKNOWN)". */
const char *wolfSSL_OCSP_response_status_str(long s)
{
    static const struct {
        long        code;
        const char* name;
    } statusNames[] = {
        { OCSP_SUCCESSFUL,        "successful"       },
        { OCSP_MALFORMED_REQUEST, "malformedrequest" },
        { OCSP_INTERNAL_ERROR,    "internalerror"    },
        { OCSP_TRY_LATER,         "trylater"         },
        { OCSP_SIG_REQUIRED,      "sigrequired"      },
        { OCSP_UNAUTHROIZED,      "unauthorized"     },
        { 0,                      NULL               }  /* terminator */
    };
    int i;

    for (i = 0; statusNames[i].name != NULL; i++) {
        if (statusNames[i].code == s)
            return statusNames[i].name;
    }

    return "(UNKNOWN)";
}
wolfSSL 13:f67a6c6013ca 748
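/* Return a copy of the response for use as a WOLFSSL_OCSP_BASICRESP
 * ("get1": the caller owns the copy and releases it with
 * wolfSSL_OCSP_RESPONSE_free()). In this layer the basic response is the
 * same structure as the full response, so the object is duplicated and its
 * status and source buffers are copied.
 *
 * Returns NULL when response is NULL, when it has not been decoded (no
 * status or source buffer), or on allocation failure.
 *
 * NOTE(review): fields copied by XMEMCPY that point into response->source
 * (for example bs->cert, if the decoder sets it that way) are NOT rebased
 * onto bs->source, so the copy may still reference the original's buffer --
 * keep the original alive while using bs, or confirm in asn.c. */
WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response)
{
    WOLFSSL_OCSP_BASICRESP* bs;

    if (response == NULL || response->status == NULL ||
            response->source == NULL)
        return NULL;

    bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL,
                                          DYNAMIC_TYPE_OPENSSL);
    if (bs == NULL)
        return NULL;

    /* Shallow copy first, then replace the owned buffers with fresh ones so
     * the copy never shares (or double-frees) the original's allocations. */
    XMEMCPY(bs, response, sizeof(OcspResponse));
    bs->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
                                      DYNAMIC_TYPE_TMP_BUFFER);
    bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (bs->status == NULL || bs->source == NULL) {
        /* wolfSSL_OCSP_RESPONSE_free() releases whichever of status/source
         * was allocated and then bs itself; freeing them here beforehand
         * would make it free them a second time. */
        wolfSSL_OCSP_RESPONSE_free(bs);
        return NULL;
    }

    XMEMCPY(bs->status, response->status, sizeof(CertStatus));
    XMEMCPY(bs->source, response->source, response->maxIdx);

    return bs;
}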
wolfSSL 13:f67a6c6013ca 774
/* Allocate an empty, zero-initialized OCSP request (OpenSSL
 * OCSP_REQUEST_new()). Populate it with wolfSSL_OCSP_request_add0_id() and
 * release it with wolfSSL_OCSP_REQUEST_free(). Returns NULL when the
 * allocation fails. */
OcspRequest* wolfSSL_OCSP_REQUEST_new(void)
{
    OcspRequest* req = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
                                             DYNAMIC_TYPE_OPENSSL);

    if (req == NULL)
        return NULL;

    XMEMSET(req, 0, sizeof(OcspRequest));
    return req;
}
wolfSSL 13:f67a6c6013ca 786
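/* Release an OcspRequest from wolfSSL_OCSP_REQUEST_new(): the request's
 * own buffers via FreeOcspRequest(), then the object itself. NULL is a
 * no-op, matching OpenSSL's OCSP_REQUEST_free(). */
void wolfSSL_OCSP_REQUEST_free(OcspRequest* request)
{
    if (request == NULL)
        return;

    FreeOcspRequest(request);
    XFREE(request, NULL, DYNAMIC_TYPE_OPENSSL);
}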
wolfSSL 13:f67a6c6013ca 792
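/* DER-encode an OCSP request (OpenSSL i2d semantics with the length-query
 * form).
 *
 * request - request to encode; NULL yields 0.
 * data    - NULL, or pointing to a NULL pointer: the encoded length is
 *           returned and nothing is written. Otherwise *data must have room
 *           for that many bytes (query the length first); *data is not
 *           advanced.
 *
 * Returns the encoded length, or whatever EncodeOcspRequest() returned when
 * it could not size the request. The size is kept in an int rather than a
 * word32 so that a non-positive result from EncodeOcspRequest() is passed
 * through instead of being treated as a huge unsigned length. */
int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data)
{
    int size;

    if (request == NULL)
        return 0;

    /* First pass with no output buffer only computes the size. */
    size = EncodeOcspRequest(request, NULL, 0);
    if (size <= 0 || data == NULL || *data == NULL)
        return size;

    return EncodeOcspRequest(request, *data, (word32)size);
}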
wolfSSL 13:f67a6c6013ca 803
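/* Attach a certificate id to a request (OpenSSL OCSP_request_add0_id()).
 *
 * In this layer a "cert id" is itself an OcspRequest, so the operation
 * copies cid over req and then gives req its own copies of the heap
 * buffers (serial, url).
 *
 * req - destination; its previous contents are released first.
 * cid - source id. On success ownership passes to this function and cid is
 *       freed ("add0"); on failure cid is NOT freed and remains the
 *       caller's to release.
 *
 * Returns req on success, NULL on bad arguments or allocation failure. On
 * failure req is left zeroed (the state wolfSSL_OCSP_REQUEST_new() gives),
 * so it can still be passed to wolfSSL_OCSP_REQUEST_free().
 *
 * serial and url are duplicated independently of each other, so a cid with
 * a url but no serial does not leave req aliasing cid's url buffer after
 * cid has been freed. */
WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req,
    WOLFSSL_OCSP_CERTID *cid)
{
    if (req == NULL || cid == NULL)
        return NULL;

    FreeOcspRequest(req);
    XMEMCPY(req, cid, sizeof(OcspRequest));

    /* After the shallow copy req->serial/url alias cid's buffers; replace
     * each with a private copy (or NULL) before cid goes away. */
    req->serial = NULL;
    req->url = NULL;

    if (cid->serial != NULL && cid->serialSz > 0) {
        req->serial = (byte*)XMALLOC(cid->serialSz, NULL,
                                     DYNAMIC_TYPE_OCSP_REQUEST);
        if (req->serial == NULL)
            goto fail;
        XMEMCPY(req->serial, cid->serial, cid->serialSz);
    }
    else {
        req->serialSz = 0;
    }

    if (cid->url != NULL && cid->urlSz > 0) {
        req->url = (byte*)XMALLOC(cid->urlSz, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
        if (req->url == NULL)
            goto fail;
        XMEMCPY(req->url, cid->url, cid->urlSz);
    }
    else {
        req->urlSz = 0;
    }

    wolfSSL_OCSP_REQUEST_free(cid);

    return req;

fail:
    /* Only serial/url were allocated for req; every other pointer in it
     * still belongs to cid, so drop the copies and leave req empty rather
     * than letting a later free of req touch cid's buffers. */
    if (req->serial != NULL)
        XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
    if (req->url != NULL)
        XFREE(req->url, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
    XMEMSET(req, 0, sizeof(OcspRequest));
    return NULL;
}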
wolfSSL 13:f67a6c6013ca 830
wolfSSL 13:f67a6c6013ca 831 #endif
wolfSSL 13:f67a6c6013ca 832
wolfSSL 13:f67a6c6013ca 833 #else /* HAVE_OCSP */
wolfSSL 13:f67a6c6013ca 834
wolfSSL 13:f67a6c6013ca 835
wolfSSL 13:f67a6c6013ca 836 #ifdef _MSC_VER
/* silence MSVC warning C4206 (empty translation unit) when OCSP is compiled out */
wolfSSL 13:f67a6c6013ca 838 #pragma warning(disable: 4206)
wolfSSL 13:f67a6c6013ca 839 #endif
wolfSSL 13:f67a6c6013ca 840
wolfSSL 13:f67a6c6013ca 841
wolfSSL 13:f67a6c6013ca 842 #endif /* HAVE_OCSP */
wolfSSL 13:f67a6c6013ca 843 #endif /* WOLFCRYPT_ONLY */
wolfSSL 13:f67a6c6013ca 844
wolfSSL 13:f67a6c6013ca 845