wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
src/ocsp.c@13:f67a6c6013ca, 2017-08-22 (annotated)
- Committer:
- wolfSSL
- Date:
- Tue Aug 22 10:48:22 2017 +0000
- Revision:
- 13:f67a6c6013ca
wolfSSL3.12.0 with TLS1.3
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 13:f67a6c6013ca | 1 | /* ocsp.c |
wolfSSL | 13:f67a6c6013ca | 2 | * |
wolfSSL | 13:f67a6c6013ca | 3 | * Copyright (C) 2006-2016 wolfSSL Inc. |
wolfSSL | 13:f67a6c6013ca | 4 | * |
wolfSSL | 13:f67a6c6013ca | 5 | * This file is part of wolfSSL. |
wolfSSL | 13:f67a6c6013ca | 6 | * |
wolfSSL | 13:f67a6c6013ca | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 13:f67a6c6013ca | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 13:f67a6c6013ca | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 13:f67a6c6013ca | 10 | * (at your option) any later version. |
wolfSSL | 13:f67a6c6013ca | 11 | * |
wolfSSL | 13:f67a6c6013ca | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 13:f67a6c6013ca | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 13:f67a6c6013ca | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 13:f67a6c6013ca | 15 | * GNU General Public License for more details. |
wolfSSL | 13:f67a6c6013ca | 16 | * |
wolfSSL | 13:f67a6c6013ca | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 13:f67a6c6013ca | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 13:f67a6c6013ca | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
wolfSSL | 13:f67a6c6013ca | 20 | */ |
wolfSSL | 13:f67a6c6013ca | 21 | |
wolfSSL | 13:f67a6c6013ca | 22 | |
wolfSSL | 13:f67a6c6013ca | 23 | /* Name change compatibility layer no longer needs to be included here */ |
wolfSSL | 13:f67a6c6013ca | 24 | |
wolfSSL | 13:f67a6c6013ca | 25 | #ifdef HAVE_CONFIG_H |
wolfSSL | 13:f67a6c6013ca | 26 | #include <config.h> |
wolfSSL | 13:f67a6c6013ca | 27 | #endif |
wolfSSL | 13:f67a6c6013ca | 28 | |
wolfSSL | 13:f67a6c6013ca | 29 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 13:f67a6c6013ca | 30 | |
wolfSSL | 13:f67a6c6013ca | 31 | #ifndef WOLFCRYPT_ONLY |
wolfSSL | 13:f67a6c6013ca | 32 | #ifdef HAVE_OCSP |
wolfSSL | 13:f67a6c6013ca | 33 | |
wolfSSL | 13:f67a6c6013ca | 34 | #include <wolfssl/error-ssl.h> |
wolfSSL | 13:f67a6c6013ca | 35 | #include <wolfssl/ocsp.h> |
wolfSSL | 13:f67a6c6013ca | 36 | #include <wolfssl/internal.h> |
wolfSSL | 13:f67a6c6013ca | 37 | |
wolfSSL | 13:f67a6c6013ca | 38 | #ifdef NO_INLINE |
wolfSSL | 13:f67a6c6013ca | 39 | #include <wolfssl/wolfcrypt/misc.h> |
wolfSSL | 13:f67a6c6013ca | 40 | #else |
wolfSSL | 13:f67a6c6013ca | 41 | #define WOLFSSL_MISC_INCLUDED |
wolfSSL | 13:f67a6c6013ca | 42 | #include <wolfcrypt/src/misc.c> |
wolfSSL | 13:f67a6c6013ca | 43 | #endif |
wolfSSL | 13:f67a6c6013ca | 44 | |
wolfSSL | 13:f67a6c6013ca | 45 | |
wolfSSL | 13:f67a6c6013ca | 46 | int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm) |
wolfSSL | 13:f67a6c6013ca | 47 | { |
wolfSSL | 13:f67a6c6013ca | 48 | WOLFSSL_ENTER("InitOCSP"); |
wolfSSL | 13:f67a6c6013ca | 49 | |
wolfSSL | 13:f67a6c6013ca | 50 | ForceZero(ocsp, sizeof(WOLFSSL_OCSP)); |
wolfSSL | 13:f67a6c6013ca | 51 | |
wolfSSL | 13:f67a6c6013ca | 52 | if (wc_InitMutex(&ocsp->ocspLock) != 0) |
wolfSSL | 13:f67a6c6013ca | 53 | return BAD_MUTEX_E; |
wolfSSL | 13:f67a6c6013ca | 54 | |
wolfSSL | 13:f67a6c6013ca | 55 | ocsp->cm = cm; |
wolfSSL | 13:f67a6c6013ca | 56 | |
wolfSSL | 13:f67a6c6013ca | 57 | return 0; |
wolfSSL | 13:f67a6c6013ca | 58 | } |
wolfSSL | 13:f67a6c6013ca | 59 | |
wolfSSL | 13:f67a6c6013ca | 60 | |
wolfSSL | 13:f67a6c6013ca | 61 | static int InitOcspEntry(OcspEntry* entry, OcspRequest* request) |
wolfSSL | 13:f67a6c6013ca | 62 | { |
wolfSSL | 13:f67a6c6013ca | 63 | WOLFSSL_ENTER("InitOcspEntry"); |
wolfSSL | 13:f67a6c6013ca | 64 | |
wolfSSL | 13:f67a6c6013ca | 65 | ForceZero(entry, sizeof(OcspEntry)); |
wolfSSL | 13:f67a6c6013ca | 66 | |
wolfSSL | 13:f67a6c6013ca | 67 | XMEMCPY(entry->issuerHash, request->issuerHash, OCSP_DIGEST_SIZE); |
wolfSSL | 13:f67a6c6013ca | 68 | XMEMCPY(entry->issuerKeyHash, request->issuerKeyHash, OCSP_DIGEST_SIZE); |
wolfSSL | 13:f67a6c6013ca | 69 | |
wolfSSL | 13:f67a6c6013ca | 70 | return 0; |
wolfSSL | 13:f67a6c6013ca | 71 | } |
wolfSSL | 13:f67a6c6013ca | 72 | |
wolfSSL | 13:f67a6c6013ca | 73 | |
wolfSSL | 13:f67a6c6013ca | 74 | static void FreeOcspEntry(OcspEntry* entry, void* heap) |
wolfSSL | 13:f67a6c6013ca | 75 | { |
wolfSSL | 13:f67a6c6013ca | 76 | CertStatus *status, *next; |
wolfSSL | 13:f67a6c6013ca | 77 | |
wolfSSL | 13:f67a6c6013ca | 78 | WOLFSSL_ENTER("FreeOcspEntry"); |
wolfSSL | 13:f67a6c6013ca | 79 | |
wolfSSL | 13:f67a6c6013ca | 80 | for (status = entry->status; status; status = next) { |
wolfSSL | 13:f67a6c6013ca | 81 | next = status->next; |
wolfSSL | 13:f67a6c6013ca | 82 | |
wolfSSL | 13:f67a6c6013ca | 83 | if (status->rawOcspResponse) |
wolfSSL | 13:f67a6c6013ca | 84 | XFREE(status->rawOcspResponse, heap, DYNAMIC_TYPE_OCSP_STATUS); |
wolfSSL | 13:f67a6c6013ca | 85 | |
wolfSSL | 13:f67a6c6013ca | 86 | XFREE(status, heap, DYNAMIC_TYPE_OCSP_STATUS); |
wolfSSL | 13:f67a6c6013ca | 87 | } |
wolfSSL | 13:f67a6c6013ca | 88 | |
wolfSSL | 13:f67a6c6013ca | 89 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 90 | } |
wolfSSL | 13:f67a6c6013ca | 91 | |
wolfSSL | 13:f67a6c6013ca | 92 | |
wolfSSL | 13:f67a6c6013ca | 93 | void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic) |
wolfSSL | 13:f67a6c6013ca | 94 | { |
wolfSSL | 13:f67a6c6013ca | 95 | OcspEntry *entry, *next; |
wolfSSL | 13:f67a6c6013ca | 96 | |
wolfSSL | 13:f67a6c6013ca | 97 | WOLFSSL_ENTER("FreeOCSP"); |
wolfSSL | 13:f67a6c6013ca | 98 | |
wolfSSL | 13:f67a6c6013ca | 99 | for (entry = ocsp->ocspList; entry; entry = next) { |
wolfSSL | 13:f67a6c6013ca | 100 | next = entry->next; |
wolfSSL | 13:f67a6c6013ca | 101 | FreeOcspEntry(entry, ocsp->cm->heap); |
wolfSSL | 13:f67a6c6013ca | 102 | XFREE(entry, ocsp->cm->heap, DYNAMIC_TYPE_OCSP_ENTRY); |
wolfSSL | 13:f67a6c6013ca | 103 | } |
wolfSSL | 13:f67a6c6013ca | 104 | |
wolfSSL | 13:f67a6c6013ca | 105 | wc_FreeMutex(&ocsp->ocspLock); |
wolfSSL | 13:f67a6c6013ca | 106 | |
wolfSSL | 13:f67a6c6013ca | 107 | if (dynamic) |
wolfSSL | 13:f67a6c6013ca | 108 | XFREE(ocsp, ocsp->cm->heap, DYNAMIC_TYPE_OCSP); |
wolfSSL | 13:f67a6c6013ca | 109 | |
wolfSSL | 13:f67a6c6013ca | 110 | } |
wolfSSL | 13:f67a6c6013ca | 111 | |
wolfSSL | 13:f67a6c6013ca | 112 | |
wolfSSL | 13:f67a6c6013ca | 113 | static int xstat2err(int st) |
wolfSSL | 13:f67a6c6013ca | 114 | { |
wolfSSL | 13:f67a6c6013ca | 115 | switch (st) { |
wolfSSL | 13:f67a6c6013ca | 116 | case CERT_GOOD: |
wolfSSL | 13:f67a6c6013ca | 117 | return 0; |
wolfSSL | 13:f67a6c6013ca | 118 | case CERT_REVOKED: |
wolfSSL | 13:f67a6c6013ca | 119 | return OCSP_CERT_REVOKED; |
wolfSSL | 13:f67a6c6013ca | 120 | default: |
wolfSSL | 13:f67a6c6013ca | 121 | return OCSP_CERT_UNKNOWN; |
wolfSSL | 13:f67a6c6013ca | 122 | } |
wolfSSL | 13:f67a6c6013ca | 123 | } |
wolfSSL | 13:f67a6c6013ca | 124 | |
wolfSSL | 13:f67a6c6013ca | 125 | |
wolfSSL | 13:f67a6c6013ca | 126 | int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer) |
wolfSSL | 13:f67a6c6013ca | 127 | { |
wolfSSL | 13:f67a6c6013ca | 128 | int ret = OCSP_LOOKUP_FAIL; |
wolfSSL | 13:f67a6c6013ca | 129 | |
wolfSSL | 13:f67a6c6013ca | 130 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 131 | OcspRequest* ocspRequest; |
wolfSSL | 13:f67a6c6013ca | 132 | #else |
wolfSSL | 13:f67a6c6013ca | 133 | OcspRequest ocspRequest[1]; |
wolfSSL | 13:f67a6c6013ca | 134 | #endif |
wolfSSL | 13:f67a6c6013ca | 135 | |
wolfSSL | 13:f67a6c6013ca | 136 | WOLFSSL_ENTER("CheckCertOCSP"); |
wolfSSL | 13:f67a6c6013ca | 137 | |
wolfSSL | 13:f67a6c6013ca | 138 | |
wolfSSL | 13:f67a6c6013ca | 139 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 140 | ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, |
wolfSSL | 13:f67a6c6013ca | 141 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 142 | if (ocspRequest == NULL) { |
wolfSSL | 13:f67a6c6013ca | 143 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
wolfSSL | 13:f67a6c6013ca | 144 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 145 | } |
wolfSSL | 13:f67a6c6013ca | 146 | #endif |
wolfSSL | 13:f67a6c6013ca | 147 | |
wolfSSL | 13:f67a6c6013ca | 148 | if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, |
wolfSSL | 13:f67a6c6013ca | 149 | ocsp->cm->heap) == 0) { |
wolfSSL | 13:f67a6c6013ca | 150 | ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer); |
wolfSSL | 13:f67a6c6013ca | 151 | |
wolfSSL | 13:f67a6c6013ca | 152 | FreeOcspRequest(ocspRequest); |
wolfSSL | 13:f67a6c6013ca | 153 | } |
wolfSSL | 13:f67a6c6013ca | 154 | |
wolfSSL | 13:f67a6c6013ca | 155 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 156 | XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 157 | #endif |
wolfSSL | 13:f67a6c6013ca | 158 | |
wolfSSL | 13:f67a6c6013ca | 159 | WOLFSSL_LEAVE("CheckCertOCSP", ret); |
wolfSSL | 13:f67a6c6013ca | 160 | return ret; |
wolfSSL | 13:f67a6c6013ca | 161 | } |
wolfSSL | 13:f67a6c6013ca | 162 | |
wolfSSL | 13:f67a6c6013ca | 163 | static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request, |
wolfSSL | 13:f67a6c6013ca | 164 | OcspEntry** entry) |
wolfSSL | 13:f67a6c6013ca | 165 | { |
wolfSSL | 13:f67a6c6013ca | 166 | WOLFSSL_ENTER("GetOcspEntry"); |
wolfSSL | 13:f67a6c6013ca | 167 | |
wolfSSL | 13:f67a6c6013ca | 168 | *entry = NULL; |
wolfSSL | 13:f67a6c6013ca | 169 | |
wolfSSL | 13:f67a6c6013ca | 170 | if (wc_LockMutex(&ocsp->ocspLock) != 0) { |
wolfSSL | 13:f67a6c6013ca | 171 | WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); |
wolfSSL | 13:f67a6c6013ca | 172 | return BAD_MUTEX_E; |
wolfSSL | 13:f67a6c6013ca | 173 | } |
wolfSSL | 13:f67a6c6013ca | 174 | |
wolfSSL | 13:f67a6c6013ca | 175 | for (*entry = ocsp->ocspList; *entry; *entry = (*entry)->next) |
wolfSSL | 13:f67a6c6013ca | 176 | if (XMEMCMP((*entry)->issuerHash, request->issuerHash, |
wolfSSL | 13:f67a6c6013ca | 177 | OCSP_DIGEST_SIZE) == 0 |
wolfSSL | 13:f67a6c6013ca | 178 | && XMEMCMP((*entry)->issuerKeyHash, request->issuerKeyHash, |
wolfSSL | 13:f67a6c6013ca | 179 | OCSP_DIGEST_SIZE) == 0) |
wolfSSL | 13:f67a6c6013ca | 180 | break; |
wolfSSL | 13:f67a6c6013ca | 181 | |
wolfSSL | 13:f67a6c6013ca | 182 | if (*entry == NULL) { |
wolfSSL | 13:f67a6c6013ca | 183 | *entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry), |
wolfSSL | 13:f67a6c6013ca | 184 | ocsp->cm->heap, DYNAMIC_TYPE_OCSP_ENTRY); |
wolfSSL | 13:f67a6c6013ca | 185 | if (*entry) { |
wolfSSL | 13:f67a6c6013ca | 186 | InitOcspEntry(*entry, request); |
wolfSSL | 13:f67a6c6013ca | 187 | (*entry)->next = ocsp->ocspList; |
wolfSSL | 13:f67a6c6013ca | 188 | ocsp->ocspList = *entry; |
wolfSSL | 13:f67a6c6013ca | 189 | } |
wolfSSL | 13:f67a6c6013ca | 190 | } |
wolfSSL | 13:f67a6c6013ca | 191 | |
wolfSSL | 13:f67a6c6013ca | 192 | wc_UnLockMutex(&ocsp->ocspLock); |
wolfSSL | 13:f67a6c6013ca | 193 | |
wolfSSL | 13:f67a6c6013ca | 194 | return *entry ? 0 : MEMORY_ERROR; |
wolfSSL | 13:f67a6c6013ca | 195 | } |
wolfSSL | 13:f67a6c6013ca | 196 | |
wolfSSL | 13:f67a6c6013ca | 197 | |
wolfSSL | 13:f67a6c6013ca | 198 | static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, |
wolfSSL | 13:f67a6c6013ca | 199 | OcspEntry* entry, CertStatus** status, buffer* responseBuffer) |
wolfSSL | 13:f67a6c6013ca | 200 | { |
wolfSSL | 13:f67a6c6013ca | 201 | int ret = OCSP_INVALID_STATUS; |
wolfSSL | 13:f67a6c6013ca | 202 | |
wolfSSL | 13:f67a6c6013ca | 203 | WOLFSSL_ENTER("GetOcspStatus"); |
wolfSSL | 13:f67a6c6013ca | 204 | |
wolfSSL | 13:f67a6c6013ca | 205 | *status = NULL; |
wolfSSL | 13:f67a6c6013ca | 206 | |
wolfSSL | 13:f67a6c6013ca | 207 | if (wc_LockMutex(&ocsp->ocspLock) != 0) { |
wolfSSL | 13:f67a6c6013ca | 208 | WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); |
wolfSSL | 13:f67a6c6013ca | 209 | return BAD_MUTEX_E; |
wolfSSL | 13:f67a6c6013ca | 210 | } |
wolfSSL | 13:f67a6c6013ca | 211 | |
wolfSSL | 13:f67a6c6013ca | 212 | for (*status = entry->status; *status; *status = (*status)->next) |
wolfSSL | 13:f67a6c6013ca | 213 | if ((*status)->serialSz == request->serialSz |
wolfSSL | 13:f67a6c6013ca | 214 | && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz)) |
wolfSSL | 13:f67a6c6013ca | 215 | break; |
wolfSSL | 13:f67a6c6013ca | 216 | |
wolfSSL | 13:f67a6c6013ca | 217 | if (responseBuffer && *status && !(*status)->rawOcspResponse) { |
wolfSSL | 13:f67a6c6013ca | 218 | /* force fetching again */ |
wolfSSL | 13:f67a6c6013ca | 219 | ret = OCSP_INVALID_STATUS; |
wolfSSL | 13:f67a6c6013ca | 220 | } |
wolfSSL | 13:f67a6c6013ca | 221 | else if (*status) { |
wolfSSL | 13:f67a6c6013ca | 222 | #ifndef NO_ASN_TIME |
wolfSSL | 13:f67a6c6013ca | 223 | if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) |
wolfSSL | 13:f67a6c6013ca | 224 | && ((*status)->nextDate[0] != 0) |
wolfSSL | 13:f67a6c6013ca | 225 | && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER)) |
wolfSSL | 13:f67a6c6013ca | 226 | #endif |
wolfSSL | 13:f67a6c6013ca | 227 | { |
wolfSSL | 13:f67a6c6013ca | 228 | ret = xstat2err((*status)->status); |
wolfSSL | 13:f67a6c6013ca | 229 | |
wolfSSL | 13:f67a6c6013ca | 230 | if (responseBuffer) { |
wolfSSL | 13:f67a6c6013ca | 231 | responseBuffer->buffer = (byte*)XMALLOC( |
wolfSSL | 13:f67a6c6013ca | 232 | (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 233 | |
wolfSSL | 13:f67a6c6013ca | 234 | if (responseBuffer->buffer) { |
wolfSSL | 13:f67a6c6013ca | 235 | responseBuffer->length = (*status)->rawOcspResponseSz; |
wolfSSL | 13:f67a6c6013ca | 236 | XMEMCPY(responseBuffer->buffer, |
wolfSSL | 13:f67a6c6013ca | 237 | (*status)->rawOcspResponse, |
wolfSSL | 13:f67a6c6013ca | 238 | (*status)->rawOcspResponseSz); |
wolfSSL | 13:f67a6c6013ca | 239 | } |
wolfSSL | 13:f67a6c6013ca | 240 | } |
wolfSSL | 13:f67a6c6013ca | 241 | } |
wolfSSL | 13:f67a6c6013ca | 242 | } |
wolfSSL | 13:f67a6c6013ca | 243 | |
wolfSSL | 13:f67a6c6013ca | 244 | wc_UnLockMutex(&ocsp->ocspLock); |
wolfSSL | 13:f67a6c6013ca | 245 | |
wolfSSL | 13:f67a6c6013ca | 246 | return ret; |
wolfSSL | 13:f67a6c6013ca | 247 | } |
wolfSSL | 13:f67a6c6013ca | 248 | |
wolfSSL | 13:f67a6c6013ca | 249 | /* Check that the response for validity. Store result in status. |
wolfSSL | 13:f67a6c6013ca | 250 | * |
wolfSSL | 13:f67a6c6013ca | 251 | * ocsp Context object for OCSP status. |
wolfSSL | 13:f67a6c6013ca | 252 | * response OCSP response message data. |
wolfSSL | 13:f67a6c6013ca | 253 | * responseSz Length of OCSP response message data. |
wolfSSL | 13:f67a6c6013ca | 254 | * reponseBuffer Buffer object to return the response with. |
wolfSSL | 13:f67a6c6013ca | 255 | * status The certificate status object. |
wolfSSL | 13:f67a6c6013ca | 256 | * entry The OCSP entry for this certificate. |
wolfSSL | 13:f67a6c6013ca | 257 | * returns OCSP_LOOKUP_FAIL when the response is bad and 0 otherwise. |
wolfSSL | 13:f67a6c6013ca | 258 | */ |
wolfSSL | 13:f67a6c6013ca | 259 | static int CheckResponse(WOLFSSL_OCSP* ocsp, byte* response, int responseSz, |
wolfSSL | 13:f67a6c6013ca | 260 | buffer* responseBuffer, CertStatus* status, |
wolfSSL | 13:f67a6c6013ca | 261 | OcspEntry* entry, OcspRequest* ocspRequest) |
wolfSSL | 13:f67a6c6013ca | 262 | { |
wolfSSL | 13:f67a6c6013ca | 263 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 264 | CertStatus* newStatus; |
wolfSSL | 13:f67a6c6013ca | 265 | OcspResponse* ocspResponse; |
wolfSSL | 13:f67a6c6013ca | 266 | #else |
wolfSSL | 13:f67a6c6013ca | 267 | CertStatus newStatus[1]; |
wolfSSL | 13:f67a6c6013ca | 268 | OcspResponse ocspResponse[1]; |
wolfSSL | 13:f67a6c6013ca | 269 | #endif |
wolfSSL | 13:f67a6c6013ca | 270 | int ret; |
wolfSSL | 13:f67a6c6013ca | 271 | int validated = 0; /* ocsp validation flag */ |
wolfSSL | 13:f67a6c6013ca | 272 | |
wolfSSL | 13:f67a6c6013ca | 273 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 274 | newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, |
wolfSSL | 13:f67a6c6013ca | 275 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 276 | ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, |
wolfSSL | 13:f67a6c6013ca | 277 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 278 | |
wolfSSL | 13:f67a6c6013ca | 279 | if (newStatus == NULL || ocspResponse == NULL) { |
wolfSSL | 13:f67a6c6013ca | 280 | if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 281 | if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 282 | |
wolfSSL | 13:f67a6c6013ca | 283 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
wolfSSL | 13:f67a6c6013ca | 284 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 285 | } |
wolfSSL | 13:f67a6c6013ca | 286 | #endif |
wolfSSL | 13:f67a6c6013ca | 287 | XMEMSET(newStatus, 0, sizeof(CertStatus)); |
wolfSSL | 13:f67a6c6013ca | 288 | |
wolfSSL | 13:f67a6c6013ca | 289 | InitOcspResponse(ocspResponse, newStatus, response, responseSz); |
wolfSSL | 13:f67a6c6013ca | 290 | ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0); |
wolfSSL | 13:f67a6c6013ca | 291 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 292 | WOLFSSL_MSG("OcspResponseDecode failed"); |
wolfSSL | 13:f67a6c6013ca | 293 | goto end; |
wolfSSL | 13:f67a6c6013ca | 294 | } |
wolfSSL | 13:f67a6c6013ca | 295 | |
wolfSSL | 13:f67a6c6013ca | 296 | if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) { |
wolfSSL | 13:f67a6c6013ca | 297 | WOLFSSL_MSG("OcspResponse status bad"); |
wolfSSL | 13:f67a6c6013ca | 298 | goto end; |
wolfSSL | 13:f67a6c6013ca | 299 | } |
wolfSSL | 13:f67a6c6013ca | 300 | if (ocspRequest != NULL) { |
wolfSSL | 13:f67a6c6013ca | 301 | ret = CompareOcspReqResp(ocspRequest, ocspResponse); |
wolfSSL | 13:f67a6c6013ca | 302 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 303 | goto end; |
wolfSSL | 13:f67a6c6013ca | 304 | } |
wolfSSL | 13:f67a6c6013ca | 305 | } |
wolfSSL | 13:f67a6c6013ca | 306 | |
wolfSSL | 13:f67a6c6013ca | 307 | if (responseBuffer) { |
wolfSSL | 13:f67a6c6013ca | 308 | responseBuffer->buffer = (byte*)XMALLOC(responseSz, ocsp->cm->heap, |
wolfSSL | 13:f67a6c6013ca | 309 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 310 | |
wolfSSL | 13:f67a6c6013ca | 311 | if (responseBuffer->buffer) { |
wolfSSL | 13:f67a6c6013ca | 312 | responseBuffer->length = responseSz; |
wolfSSL | 13:f67a6c6013ca | 313 | XMEMCPY(responseBuffer->buffer, response, responseSz); |
wolfSSL | 13:f67a6c6013ca | 314 | } |
wolfSSL | 13:f67a6c6013ca | 315 | } |
wolfSSL | 13:f67a6c6013ca | 316 | |
wolfSSL | 13:f67a6c6013ca | 317 | ret = xstat2err(ocspResponse->status->status); |
wolfSSL | 13:f67a6c6013ca | 318 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 319 | validated = 1; |
wolfSSL | 13:f67a6c6013ca | 320 | } |
wolfSSL | 13:f67a6c6013ca | 321 | |
wolfSSL | 13:f67a6c6013ca | 322 | if (wc_LockMutex(&ocsp->ocspLock) != 0) { |
wolfSSL | 13:f67a6c6013ca | 323 | ret = BAD_MUTEX_E; |
wolfSSL | 13:f67a6c6013ca | 324 | goto end; |
wolfSSL | 13:f67a6c6013ca | 325 | } |
wolfSSL | 13:f67a6c6013ca | 326 | |
wolfSSL | 13:f67a6c6013ca | 327 | if (status != NULL) { |
wolfSSL | 13:f67a6c6013ca | 328 | if (status->rawOcspResponse) { |
wolfSSL | 13:f67a6c6013ca | 329 | XFREE(status->rawOcspResponse, ocsp->cm->heap, |
wolfSSL | 13:f67a6c6013ca | 330 | DYNAMIC_TYPE_OCSP_STATUS); |
wolfSSL | 13:f67a6c6013ca | 331 | } |
wolfSSL | 13:f67a6c6013ca | 332 | |
wolfSSL | 13:f67a6c6013ca | 333 | /* Replace existing certificate entry with updated */ |
wolfSSL | 13:f67a6c6013ca | 334 | XMEMCPY(status, newStatus, sizeof(CertStatus)); |
wolfSSL | 13:f67a6c6013ca | 335 | } |
wolfSSL | 13:f67a6c6013ca | 336 | else { |
wolfSSL | 13:f67a6c6013ca | 337 | /* Save new certificate entry */ |
wolfSSL | 13:f67a6c6013ca | 338 | status = (CertStatus*)XMALLOC(sizeof(CertStatus), |
wolfSSL | 13:f67a6c6013ca | 339 | ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS); |
wolfSSL | 13:f67a6c6013ca | 340 | if (status != NULL) { |
wolfSSL | 13:f67a6c6013ca | 341 | XMEMCPY(status, newStatus, sizeof(CertStatus)); |
wolfSSL | 13:f67a6c6013ca | 342 | status->next = entry->status; |
wolfSSL | 13:f67a6c6013ca | 343 | entry->status = status; |
wolfSSL | 13:f67a6c6013ca | 344 | entry->totalStatus++; |
wolfSSL | 13:f67a6c6013ca | 345 | } |
wolfSSL | 13:f67a6c6013ca | 346 | } |
wolfSSL | 13:f67a6c6013ca | 347 | |
wolfSSL | 13:f67a6c6013ca | 348 | if (status && responseBuffer && responseBuffer->buffer) { |
wolfSSL | 13:f67a6c6013ca | 349 | status->rawOcspResponse = (byte*)XMALLOC(responseBuffer->length, |
wolfSSL | 13:f67a6c6013ca | 350 | ocsp->cm->heap, |
wolfSSL | 13:f67a6c6013ca | 351 | DYNAMIC_TYPE_OCSP_STATUS); |
wolfSSL | 13:f67a6c6013ca | 352 | |
wolfSSL | 13:f67a6c6013ca | 353 | if (status->rawOcspResponse) { |
wolfSSL | 13:f67a6c6013ca | 354 | status->rawOcspResponseSz = responseBuffer->length; |
wolfSSL | 13:f67a6c6013ca | 355 | XMEMCPY(status->rawOcspResponse, responseBuffer->buffer, |
wolfSSL | 13:f67a6c6013ca | 356 | responseBuffer->length); |
wolfSSL | 13:f67a6c6013ca | 357 | } |
wolfSSL | 13:f67a6c6013ca | 358 | } |
wolfSSL | 13:f67a6c6013ca | 359 | |
wolfSSL | 13:f67a6c6013ca | 360 | wc_UnLockMutex(&ocsp->ocspLock); |
wolfSSL | 13:f67a6c6013ca | 361 | |
wolfSSL | 13:f67a6c6013ca | 362 | end: |
wolfSSL | 13:f67a6c6013ca | 363 | if (ret == 0 && validated == 1) { |
wolfSSL | 13:f67a6c6013ca | 364 | WOLFSSL_MSG("New OcspResponse validated"); |
wolfSSL | 13:f67a6c6013ca | 365 | } else if (ret != OCSP_CERT_REVOKED) { |
wolfSSL | 13:f67a6c6013ca | 366 | ret = OCSP_LOOKUP_FAIL; |
wolfSSL | 13:f67a6c6013ca | 367 | } |
wolfSSL | 13:f67a6c6013ca | 368 | |
wolfSSL | 13:f67a6c6013ca | 369 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 370 | XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 371 | XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 372 | #endif |
wolfSSL | 13:f67a6c6013ca | 373 | return ret; |
wolfSSL | 13:f67a6c6013ca | 374 | } |
wolfSSL | 13:f67a6c6013ca | 375 | |
wolfSSL | 13:f67a6c6013ca | 376 | /* 0 on success */ |
wolfSSL | 13:f67a6c6013ca | 377 | int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, |
wolfSSL | 13:f67a6c6013ca | 378 | buffer* responseBuffer) |
wolfSSL | 13:f67a6c6013ca | 379 | { |
wolfSSL | 13:f67a6c6013ca | 380 | OcspEntry* entry = NULL; |
wolfSSL | 13:f67a6c6013ca | 381 | CertStatus* status = NULL; |
wolfSSL | 13:f67a6c6013ca | 382 | byte* request = NULL; |
wolfSSL | 13:f67a6c6013ca | 383 | int requestSz = 2048; |
wolfSSL | 13:f67a6c6013ca | 384 | int responseSz = 0; |
wolfSSL | 13:f67a6c6013ca | 385 | byte* response = NULL; |
wolfSSL | 13:f67a6c6013ca | 386 | const char* url = NULL; |
wolfSSL | 13:f67a6c6013ca | 387 | int urlSz = 0; |
wolfSSL | 13:f67a6c6013ca | 388 | int ret = -1; |
wolfSSL | 13:f67a6c6013ca | 389 | |
wolfSSL | 13:f67a6c6013ca | 390 | WOLFSSL_ENTER("CheckOcspRequest"); |
wolfSSL | 13:f67a6c6013ca | 391 | |
wolfSSL | 13:f67a6c6013ca | 392 | if (responseBuffer) { |
wolfSSL | 13:f67a6c6013ca | 393 | responseBuffer->buffer = NULL; |
wolfSSL | 13:f67a6c6013ca | 394 | responseBuffer->length = 0; |
wolfSSL | 13:f67a6c6013ca | 395 | } |
wolfSSL | 13:f67a6c6013ca | 396 | |
wolfSSL | 13:f67a6c6013ca | 397 | ret = GetOcspEntry(ocsp, ocspRequest, &entry); |
wolfSSL | 13:f67a6c6013ca | 398 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 399 | return ret; |
wolfSSL | 13:f67a6c6013ca | 400 | |
wolfSSL | 13:f67a6c6013ca | 401 | ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer); |
wolfSSL | 13:f67a6c6013ca | 402 | if (ret != OCSP_INVALID_STATUS) |
wolfSSL | 13:f67a6c6013ca | 403 | return ret; |
wolfSSL | 13:f67a6c6013ca | 404 | |
wolfSSL | 13:f67a6c6013ca | 405 | #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
wolfSSL | 13:f67a6c6013ca | 406 | if (ocsp->statusCb != NULL && ocspRequest->ssl != NULL) { |
wolfSSL | 13:f67a6c6013ca | 407 | ret = ocsp->statusCb((WOLFSSL*)ocspRequest->ssl, ocsp->cm->ocspIOCtx); |
wolfSSL | 13:f67a6c6013ca | 408 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 409 | ret = wolfSSL_get_ocsp_response((WOLFSSL*)ocspRequest->ssl, |
wolfSSL | 13:f67a6c6013ca | 410 | &response); |
wolfSSL | 13:f67a6c6013ca | 411 | ret = CheckResponse(ocsp, response, ret, responseBuffer, status, |
wolfSSL | 13:f67a6c6013ca | 412 | entry, NULL); |
wolfSSL | 13:f67a6c6013ca | 413 | if (response != NULL) |
wolfSSL | 13:f67a6c6013ca | 414 | XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 415 | return ret; |
wolfSSL | 13:f67a6c6013ca | 416 | } |
wolfSSL | 13:f67a6c6013ca | 417 | return OCSP_LOOKUP_FAIL; |
wolfSSL | 13:f67a6c6013ca | 418 | } |
wolfSSL | 13:f67a6c6013ca | 419 | #endif |
wolfSSL | 13:f67a6c6013ca | 420 | |
wolfSSL | 13:f67a6c6013ca | 421 | if (ocsp->cm->ocspUseOverrideURL) { |
wolfSSL | 13:f67a6c6013ca | 422 | url = ocsp->cm->ocspOverrideURL; |
wolfSSL | 13:f67a6c6013ca | 423 | if (url != NULL && url[0] != '\0') |
wolfSSL | 13:f67a6c6013ca | 424 | urlSz = (int)XSTRLEN(url); |
wolfSSL | 13:f67a6c6013ca | 425 | else |
wolfSSL | 13:f67a6c6013ca | 426 | return OCSP_NEED_URL; |
wolfSSL | 13:f67a6c6013ca | 427 | } |
wolfSSL | 13:f67a6c6013ca | 428 | else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) { |
wolfSSL | 13:f67a6c6013ca | 429 | url = (const char *)ocspRequest->url; |
wolfSSL | 13:f67a6c6013ca | 430 | urlSz = ocspRequest->urlSz; |
wolfSSL | 13:f67a6c6013ca | 431 | } |
wolfSSL | 13:f67a6c6013ca | 432 | else { |
wolfSSL | 13:f67a6c6013ca | 433 | /* cert doesn't have extAuthInfo, assuming CERT_GOOD */ |
wolfSSL | 13:f67a6c6013ca | 434 | return 0; |
wolfSSL | 13:f67a6c6013ca | 435 | } |
wolfSSL | 13:f67a6c6013ca | 436 | |
wolfSSL | 13:f67a6c6013ca | 437 | request = (byte*)XMALLOC(requestSz, ocsp->cm->heap, DYNAMIC_TYPE_OCSP); |
wolfSSL | 13:f67a6c6013ca | 438 | if (request == NULL) { |
wolfSSL | 13:f67a6c6013ca | 439 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
wolfSSL | 13:f67a6c6013ca | 440 | return MEMORY_ERROR; |
wolfSSL | 13:f67a6c6013ca | 441 | } |
wolfSSL | 13:f67a6c6013ca | 442 | |
wolfSSL | 13:f67a6c6013ca | 443 | requestSz = EncodeOcspRequest(ocspRequest, request, requestSz); |
wolfSSL | 13:f67a6c6013ca | 444 | if (requestSz > 0 && ocsp->cm->ocspIOCb) { |
wolfSSL | 13:f67a6c6013ca | 445 | responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, |
wolfSSL | 13:f67a6c6013ca | 446 | request, requestSz, &response); |
wolfSSL | 13:f67a6c6013ca | 447 | } |
wolfSSL | 13:f67a6c6013ca | 448 | if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) { |
wolfSSL | 13:f67a6c6013ca | 449 | ret = WANT_READ; |
wolfSSL | 13:f67a6c6013ca | 450 | } |
wolfSSL | 13:f67a6c6013ca | 451 | |
wolfSSL | 13:f67a6c6013ca | 452 | XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP); |
wolfSSL | 13:f67a6c6013ca | 453 | |
wolfSSL | 13:f67a6c6013ca | 454 | if (responseSz >= 0 && response) { |
wolfSSL | 13:f67a6c6013ca | 455 | ret = CheckResponse(ocsp, response, responseSz, responseBuffer, status, |
wolfSSL | 13:f67a6c6013ca | 456 | entry, ocspRequest); |
wolfSSL | 13:f67a6c6013ca | 457 | } |
wolfSSL | 13:f67a6c6013ca | 458 | |
wolfSSL | 13:f67a6c6013ca | 459 | if (response != NULL && ocsp->cm->ocspRespFreeCb) |
wolfSSL | 13:f67a6c6013ca | 460 | ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response); |
wolfSSL | 13:f67a6c6013ca | 461 | |
wolfSSL | 13:f67a6c6013ca | 462 | WOLFSSL_LEAVE("CheckOcspRequest", ret); |
wolfSSL | 13:f67a6c6013ca | 463 | return ret; |
wolfSSL | 13:f67a6c6013ca | 464 | } |
wolfSSL | 13:f67a6c6013ca | 465 | |
wolfSSL | 13:f67a6c6013ca | 466 | #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
wolfSSL | 13:f67a6c6013ca | 467 | |
wolfSSL | 13:f67a6c6013ca | 468 | int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs, |
wolfSSL | 13:f67a6c6013ca | 469 | WOLFSSL_OCSP_CERTID* id, int* status, int* reason, |
wolfSSL | 13:f67a6c6013ca | 470 | WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd, |
wolfSSL | 13:f67a6c6013ca | 471 | WOLFSSL_ASN1_TIME** nextupd) |
wolfSSL | 13:f67a6c6013ca | 472 | { |
wolfSSL | 13:f67a6c6013ca | 473 | if (bs == NULL || id == NULL) |
wolfSSL | 13:f67a6c6013ca | 474 | return SSL_FAILURE; |
wolfSSL | 13:f67a6c6013ca | 475 | |
wolfSSL | 13:f67a6c6013ca | 476 | /* Only supporting one certificate status in asn.c. */ |
wolfSSL | 13:f67a6c6013ca | 477 | if (CompareOcspReqResp(id, bs) != 0) |
wolfSSL | 13:f67a6c6013ca | 478 | return SSL_FAILURE; |
wolfSSL | 13:f67a6c6013ca | 479 | |
wolfSSL | 13:f67a6c6013ca | 480 | if (status != NULL) |
wolfSSL | 13:f67a6c6013ca | 481 | *status = bs->status->status; |
wolfSSL | 13:f67a6c6013ca | 482 | if (thisupd != NULL) |
wolfSSL | 13:f67a6c6013ca | 483 | *thisupd = (WOLFSSL_ASN1_TIME*)bs->status->thisDateAsn; |
wolfSSL | 13:f67a6c6013ca | 484 | if (nextupd != NULL) |
wolfSSL | 13:f67a6c6013ca | 485 | *nextupd = (WOLFSSL_ASN1_TIME*)bs->status->nextDateAsn; |
wolfSSL | 13:f67a6c6013ca | 486 | |
wolfSSL | 13:f67a6c6013ca | 487 | /* TODO: Not needed for Nginx. */ |
wolfSSL | 13:f67a6c6013ca | 488 | if (reason != NULL) |
wolfSSL | 13:f67a6c6013ca | 489 | *reason = 0; |
wolfSSL | 13:f67a6c6013ca | 490 | if (revtime != NULL) |
wolfSSL | 13:f67a6c6013ca | 491 | *revtime = NULL; |
wolfSSL | 13:f67a6c6013ca | 492 | |
wolfSSL | 13:f67a6c6013ca | 493 | return SSL_SUCCESS; |
wolfSSL | 13:f67a6c6013ca | 494 | } |
wolfSSL | 13:f67a6c6013ca | 495 | |
wolfSSL | 13:f67a6c6013ca | 496 | const char *wolfSSL_OCSP_cert_status_str(long s) |
wolfSSL | 13:f67a6c6013ca | 497 | { |
wolfSSL | 13:f67a6c6013ca | 498 | switch (s) { |
wolfSSL | 13:f67a6c6013ca | 499 | case CERT_GOOD: |
wolfSSL | 13:f67a6c6013ca | 500 | return "good"; |
wolfSSL | 13:f67a6c6013ca | 501 | case CERT_REVOKED: |
wolfSSL | 13:f67a6c6013ca | 502 | return "revoked"; |
wolfSSL | 13:f67a6c6013ca | 503 | case CERT_UNKNOWN: |
wolfSSL | 13:f67a6c6013ca | 504 | return "unknown"; |
wolfSSL | 13:f67a6c6013ca | 505 | default: |
wolfSSL | 13:f67a6c6013ca | 506 | return "(UNKNOWN)"; |
wolfSSL | 13:f67a6c6013ca | 507 | } |
wolfSSL | 13:f67a6c6013ca | 508 | } |
wolfSSL | 13:f67a6c6013ca | 509 | |
wolfSSL | 13:f67a6c6013ca | 510 | int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd, |
wolfSSL | 13:f67a6c6013ca | 511 | WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec) |
wolfSSL | 13:f67a6c6013ca | 512 | { |
wolfSSL | 13:f67a6c6013ca | 513 | (void)thisupd; |
wolfSSL | 13:f67a6c6013ca | 514 | (void)nextupd; |
wolfSSL | 13:f67a6c6013ca | 515 | (void)sec; |
wolfSSL | 13:f67a6c6013ca | 516 | (void)maxsec; |
wolfSSL | 13:f67a6c6013ca | 517 | /* Dates validated in DecodeSingleResponse. */ |
wolfSSL | 13:f67a6c6013ca | 518 | return SSL_SUCCESS; |
wolfSSL | 13:f67a6c6013ca | 519 | } |
wolfSSL | 13:f67a6c6013ca | 520 | |
wolfSSL | 13:f67a6c6013ca | 521 | void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId) |
wolfSSL | 13:f67a6c6013ca | 522 | { |
wolfSSL | 13:f67a6c6013ca | 523 | FreeOcspRequest(certId); |
wolfSSL | 13:f67a6c6013ca | 524 | XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 525 | } |
wolfSSL | 13:f67a6c6013ca | 526 | |
wolfSSL | 13:f67a6c6013ca | 527 | WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( |
wolfSSL | 13:f67a6c6013ca | 528 | const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject, |
wolfSSL | 13:f67a6c6013ca | 529 | const WOLFSSL_X509 *issuer) |
wolfSSL | 13:f67a6c6013ca | 530 | { |
wolfSSL | 13:f67a6c6013ca | 531 | WOLFSSL_OCSP_CERTID* certId; |
wolfSSL | 13:f67a6c6013ca | 532 | DecodedCert cert; |
wolfSSL | 13:f67a6c6013ca | 533 | WOLFSSL_CERT_MANAGER* cm; |
wolfSSL | 13:f67a6c6013ca | 534 | int ret; |
wolfSSL | 13:f67a6c6013ca | 535 | DerBuffer* derCert = NULL; |
wolfSSL | 13:f67a6c6013ca | 536 | |
wolfSSL | 13:f67a6c6013ca | 537 | (void)dgst; |
wolfSSL | 13:f67a6c6013ca | 538 | |
wolfSSL | 13:f67a6c6013ca | 539 | cm = wolfSSL_CertManagerNew(); |
wolfSSL | 13:f67a6c6013ca | 540 | if (cm == NULL) |
wolfSSL | 13:f67a6c6013ca | 541 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 542 | |
wolfSSL | 13:f67a6c6013ca | 543 | ret = AllocDer(&derCert, issuer->derCert->length, |
wolfSSL | 13:f67a6c6013ca | 544 | issuer->derCert->type, NULL); |
wolfSSL | 13:f67a6c6013ca | 545 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 546 | /* AddCA() frees the buffer. */ |
wolfSSL | 13:f67a6c6013ca | 547 | XMEMCPY(derCert->buffer, issuer->derCert->buffer, |
wolfSSL | 13:f67a6c6013ca | 548 | issuer->derCert->length); |
wolfSSL | 13:f67a6c6013ca | 549 | AddCA(cm, &derCert, WOLFSSL_USER_CA, 1); |
wolfSSL | 13:f67a6c6013ca | 550 | } |
wolfSSL | 13:f67a6c6013ca | 551 | |
wolfSSL | 13:f67a6c6013ca | 552 | certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL, |
wolfSSL | 13:f67a6c6013ca | 553 | DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 554 | if (certId != NULL) { |
wolfSSL | 13:f67a6c6013ca | 555 | InitDecodedCert(&cert, subject->derCert->buffer, |
wolfSSL | 13:f67a6c6013ca | 556 | subject->derCert->length, NULL); |
wolfSSL | 13:f67a6c6013ca | 557 | if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) { |
wolfSSL | 13:f67a6c6013ca | 558 | XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 559 | certId = NULL; |
wolfSSL | 13:f67a6c6013ca | 560 | } |
wolfSSL | 13:f67a6c6013ca | 561 | else { |
wolfSSL | 13:f67a6c6013ca | 562 | ret = InitOcspRequest(certId, &cert, 0, NULL); |
wolfSSL | 13:f67a6c6013ca | 563 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 564 | XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 565 | certId = NULL; |
wolfSSL | 13:f67a6c6013ca | 566 | } |
wolfSSL | 13:f67a6c6013ca | 567 | } |
wolfSSL | 13:f67a6c6013ca | 568 | FreeDecodedCert(&cert); |
wolfSSL | 13:f67a6c6013ca | 569 | } |
wolfSSL | 13:f67a6c6013ca | 570 | |
wolfSSL | 13:f67a6c6013ca | 571 | wolfSSL_CertManagerFree(cm); |
wolfSSL | 13:f67a6c6013ca | 572 | |
wolfSSL | 13:f67a6c6013ca | 573 | return certId; |
wolfSSL | 13:f67a6c6013ca | 574 | } |
wolfSSL | 13:f67a6c6013ca | 575 | |
wolfSSL | 13:f67a6c6013ca | 576 | void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse) |
wolfSSL | 13:f67a6c6013ca | 577 | { |
wolfSSL | 13:f67a6c6013ca | 578 | wolfSSL_OCSP_RESPONSE_free(basicResponse); |
wolfSSL | 13:f67a6c6013ca | 579 | } |
wolfSSL | 13:f67a6c6013ca | 580 | |
wolfSSL | 13:f67a6c6013ca | 581 | /* Signature verified in DecodeBasicOcspResponse. |
wolfSSL | 13:f67a6c6013ca | 582 | * But no store available to verify certificate. */ |
wolfSSL | 13:f67a6c6013ca | 583 | int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, |
wolfSSL | 13:f67a6c6013ca | 584 | STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags) |
wolfSSL | 13:f67a6c6013ca | 585 | { |
wolfSSL | 13:f67a6c6013ca | 586 | DecodedCert cert; |
wolfSSL | 13:f67a6c6013ca | 587 | int ret = SSL_SUCCESS; |
wolfSSL | 13:f67a6c6013ca | 588 | |
wolfSSL | 13:f67a6c6013ca | 589 | (void)certs; |
wolfSSL | 13:f67a6c6013ca | 590 | |
wolfSSL | 13:f67a6c6013ca | 591 | if (flags & OCSP_NOVERIFY) |
wolfSSL | 13:f67a6c6013ca | 592 | return SSL_SUCCESS; |
wolfSSL | 13:f67a6c6013ca | 593 | |
wolfSSL | 13:f67a6c6013ca | 594 | InitDecodedCert(&cert, bs->cert, bs->certSz, NULL); |
wolfSSL | 13:f67a6c6013ca | 595 | if (ParseCertRelative(&cert, CERT_TYPE, VERIFY, st->cm) < 0) |
wolfSSL | 13:f67a6c6013ca | 596 | ret = SSL_FAILURE; |
wolfSSL | 13:f67a6c6013ca | 597 | FreeDecodedCert(&cert); |
wolfSSL | 13:f67a6c6013ca | 598 | |
wolfSSL | 13:f67a6c6013ca | 599 | return ret; |
wolfSSL | 13:f67a6c6013ca | 600 | } |
wolfSSL | 13:f67a6c6013ca | 601 | |
wolfSSL | 13:f67a6c6013ca | 602 | void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response) |
wolfSSL | 13:f67a6c6013ca | 603 | { |
wolfSSL | 13:f67a6c6013ca | 604 | if (response->status != NULL) |
wolfSSL | 13:f67a6c6013ca | 605 | XFREE(response->status, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 606 | if (response->source != NULL) |
wolfSSL | 13:f67a6c6013ca | 607 | XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 608 | XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 609 | } |
wolfSSL | 13:f67a6c6013ca | 610 | |
wolfSSL | 13:f67a6c6013ca | 611 | OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, |
wolfSSL | 13:f67a6c6013ca | 612 | OcspResponse** response) |
wolfSSL | 13:f67a6c6013ca | 613 | { |
wolfSSL | 13:f67a6c6013ca | 614 | byte* data; |
wolfSSL | 13:f67a6c6013ca | 615 | byte* p; |
wolfSSL | 13:f67a6c6013ca | 616 | int len; |
wolfSSL | 13:f67a6c6013ca | 617 | int dataAlloced = 0; |
wolfSSL | 13:f67a6c6013ca | 618 | OcspResponse* ret = NULL; |
wolfSSL | 13:f67a6c6013ca | 619 | |
wolfSSL | 13:f67a6c6013ca | 620 | if (bio == NULL) |
wolfSSL | 13:f67a6c6013ca | 621 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 622 | |
wolfSSL | 13:f67a6c6013ca | 623 | if (bio->type == BIO_MEMORY) { |
wolfSSL | 13:f67a6c6013ca | 624 | len = wolfSSL_BIO_get_mem_data(bio, &data); |
wolfSSL | 13:f67a6c6013ca | 625 | if (len <= 0 || data == NULL) { |
wolfSSL | 13:f67a6c6013ca | 626 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 627 | } |
wolfSSL | 13:f67a6c6013ca | 628 | } |
wolfSSL | 13:f67a6c6013ca | 629 | else if (bio->type == BIO_FILE) { |
wolfSSL | 13:f67a6c6013ca | 630 | long i; |
wolfSSL | 13:f67a6c6013ca | 631 | long l; |
wolfSSL | 13:f67a6c6013ca | 632 | |
wolfSSL | 13:f67a6c6013ca | 633 | i = XFTELL(bio->file); |
wolfSSL | 13:f67a6c6013ca | 634 | if (i < 0) |
wolfSSL | 13:f67a6c6013ca | 635 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 636 | XFSEEK(bio->file, 0, SEEK_END); |
wolfSSL | 13:f67a6c6013ca | 637 | l = XFTELL(bio->file); |
wolfSSL | 13:f67a6c6013ca | 638 | if (l < 0) |
wolfSSL | 13:f67a6c6013ca | 639 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 640 | XFSEEK(bio->file, i, SEEK_SET); |
wolfSSL | 13:f67a6c6013ca | 641 | |
wolfSSL | 13:f67a6c6013ca | 642 | /* check calulated length */ |
wolfSSL | 13:f67a6c6013ca | 643 | if (l - i <= 0) |
wolfSSL | 13:f67a6c6013ca | 644 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 645 | |
wolfSSL | 13:f67a6c6013ca | 646 | data = (byte*)XMALLOC(l - i, 0, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 647 | if (data == NULL) |
wolfSSL | 13:f67a6c6013ca | 648 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 649 | dataAlloced = 1; |
wolfSSL | 13:f67a6c6013ca | 650 | |
wolfSSL | 13:f67a6c6013ca | 651 | len = wolfSSL_BIO_read(bio, (char *)data, (int)l); |
wolfSSL | 13:f67a6c6013ca | 652 | } |
wolfSSL | 13:f67a6c6013ca | 653 | else |
wolfSSL | 13:f67a6c6013ca | 654 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 655 | |
wolfSSL | 13:f67a6c6013ca | 656 | if (len > 0) { |
wolfSSL | 13:f67a6c6013ca | 657 | p = data; |
wolfSSL | 13:f67a6c6013ca | 658 | ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p, len); |
wolfSSL | 13:f67a6c6013ca | 659 | } |
wolfSSL | 13:f67a6c6013ca | 660 | |
wolfSSL | 13:f67a6c6013ca | 661 | if (dataAlloced) |
wolfSSL | 13:f67a6c6013ca | 662 | XFREE(data, 0, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 663 | |
wolfSSL | 13:f67a6c6013ca | 664 | return ret; |
wolfSSL | 13:f67a6c6013ca | 665 | } |
wolfSSL | 13:f67a6c6013ca | 666 | |
wolfSSL | 13:f67a6c6013ca | 667 | OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, |
wolfSSL | 13:f67a6c6013ca | 668 | const unsigned char** data, int len) |
wolfSSL | 13:f67a6c6013ca | 669 | { |
wolfSSL | 13:f67a6c6013ca | 670 | OcspResponse *resp = NULL; |
wolfSSL | 13:f67a6c6013ca | 671 | word32 idx = 0; |
wolfSSL | 13:f67a6c6013ca | 672 | int length = 0; |
wolfSSL | 13:f67a6c6013ca | 673 | |
wolfSSL | 13:f67a6c6013ca | 674 | if (data == NULL) |
wolfSSL | 13:f67a6c6013ca | 675 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 676 | |
wolfSSL | 13:f67a6c6013ca | 677 | if (response != NULL) |
wolfSSL | 13:f67a6c6013ca | 678 | resp = *response; |
wolfSSL | 13:f67a6c6013ca | 679 | if (resp == NULL) { |
wolfSSL | 13:f67a6c6013ca | 680 | resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, |
wolfSSL | 13:f67a6c6013ca | 681 | DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 682 | if (resp == NULL) |
wolfSSL | 13:f67a6c6013ca | 683 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 684 | XMEMSET(resp, 0, sizeof(OcspResponse)); |
wolfSSL | 13:f67a6c6013ca | 685 | } |
wolfSSL | 13:f67a6c6013ca | 686 | |
wolfSSL | 13:f67a6c6013ca | 687 | resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 688 | if (resp->source == NULL) { |
wolfSSL | 13:f67a6c6013ca | 689 | XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 690 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 691 | } |
wolfSSL | 13:f67a6c6013ca | 692 | resp->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, |
wolfSSL | 13:f67a6c6013ca | 693 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 694 | if (resp->status == NULL) { |
wolfSSL | 13:f67a6c6013ca | 695 | XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 696 | XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 697 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 698 | } |
wolfSSL | 13:f67a6c6013ca | 699 | |
wolfSSL | 13:f67a6c6013ca | 700 | XMEMCPY(resp->source, *data, len); |
wolfSSL | 13:f67a6c6013ca | 701 | resp->maxIdx = len; |
wolfSSL | 13:f67a6c6013ca | 702 | |
wolfSSL | 13:f67a6c6013ca | 703 | if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) { |
wolfSSL | 13:f67a6c6013ca | 704 | wolfSSL_OCSP_RESPONSE_free(resp); |
wolfSSL | 13:f67a6c6013ca | 705 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 706 | } |
wolfSSL | 13:f67a6c6013ca | 707 | |
wolfSSL | 13:f67a6c6013ca | 708 | if (GetSequence(*data, &idx, &length, len) >= 0) |
wolfSSL | 13:f67a6c6013ca | 709 | (*data) += idx + length; |
wolfSSL | 13:f67a6c6013ca | 710 | |
wolfSSL | 13:f67a6c6013ca | 711 | return resp; |
wolfSSL | 13:f67a6c6013ca | 712 | } |
wolfSSL | 13:f67a6c6013ca | 713 | |
wolfSSL | 13:f67a6c6013ca | 714 | int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response, |
wolfSSL | 13:f67a6c6013ca | 715 | unsigned char** data) |
wolfSSL | 13:f67a6c6013ca | 716 | { |
wolfSSL | 13:f67a6c6013ca | 717 | if (data == NULL) |
wolfSSL | 13:f67a6c6013ca | 718 | return response->maxIdx; |
wolfSSL | 13:f67a6c6013ca | 719 | |
wolfSSL | 13:f67a6c6013ca | 720 | XMEMCPY(*data, response->source, response->maxIdx); |
wolfSSL | 13:f67a6c6013ca | 721 | return response->maxIdx; |
wolfSSL | 13:f67a6c6013ca | 722 | } |
wolfSSL | 13:f67a6c6013ca | 723 | |
wolfSSL | 13:f67a6c6013ca | 724 | int wolfSSL_OCSP_response_status(OcspResponse *response) |
wolfSSL | 13:f67a6c6013ca | 725 | { |
wolfSSL | 13:f67a6c6013ca | 726 | return response->responseStatus; |
wolfSSL | 13:f67a6c6013ca | 727 | } |
wolfSSL | 13:f67a6c6013ca | 728 | |
wolfSSL | 13:f67a6c6013ca | 729 | const char *wolfSSL_OCSP_response_status_str(long s) |
wolfSSL | 13:f67a6c6013ca | 730 | { |
wolfSSL | 13:f67a6c6013ca | 731 | switch (s) { |
wolfSSL | 13:f67a6c6013ca | 732 | case OCSP_SUCCESSFUL: |
wolfSSL | 13:f67a6c6013ca | 733 | return "successful"; |
wolfSSL | 13:f67a6c6013ca | 734 | case OCSP_MALFORMED_REQUEST: |
wolfSSL | 13:f67a6c6013ca | 735 | return "malformedrequest"; |
wolfSSL | 13:f67a6c6013ca | 736 | case OCSP_INTERNAL_ERROR: |
wolfSSL | 13:f67a6c6013ca | 737 | return "internalerror"; |
wolfSSL | 13:f67a6c6013ca | 738 | case OCSP_TRY_LATER: |
wolfSSL | 13:f67a6c6013ca | 739 | return "trylater"; |
wolfSSL | 13:f67a6c6013ca | 740 | case OCSP_SIG_REQUIRED: |
wolfSSL | 13:f67a6c6013ca | 741 | return "sigrequired"; |
wolfSSL | 13:f67a6c6013ca | 742 | case OCSP_UNAUTHROIZED: |
wolfSSL | 13:f67a6c6013ca | 743 | return "unauthorized"; |
wolfSSL | 13:f67a6c6013ca | 744 | default: |
wolfSSL | 13:f67a6c6013ca | 745 | return "(UNKNOWN)"; |
wolfSSL | 13:f67a6c6013ca | 746 | } |
wolfSSL | 13:f67a6c6013ca | 747 | } |
wolfSSL | 13:f67a6c6013ca | 748 | |
wolfSSL | 13:f67a6c6013ca | 749 | WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response) |
wolfSSL | 13:f67a6c6013ca | 750 | { |
wolfSSL | 13:f67a6c6013ca | 751 | WOLFSSL_OCSP_BASICRESP* bs; |
wolfSSL | 13:f67a6c6013ca | 752 | |
wolfSSL | 13:f67a6c6013ca | 753 | bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL, |
wolfSSL | 13:f67a6c6013ca | 754 | DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 755 | if (bs == NULL) |
wolfSSL | 13:f67a6c6013ca | 756 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 757 | |
wolfSSL | 13:f67a6c6013ca | 758 | XMEMCPY(bs, response, sizeof(OcspResponse)); |
wolfSSL | 13:f67a6c6013ca | 759 | bs->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, |
wolfSSL | 13:f67a6c6013ca | 760 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 761 | bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 762 | if (bs->status == NULL || bs->source == NULL) { |
wolfSSL | 13:f67a6c6013ca | 763 | if (bs->status) XFREE(bs->status, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 764 | if (bs->source) XFREE(bs->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 765 | wolfSSL_OCSP_RESPONSE_free(bs); |
wolfSSL | 13:f67a6c6013ca | 766 | bs = NULL; |
wolfSSL | 13:f67a6c6013ca | 767 | } |
wolfSSL | 13:f67a6c6013ca | 768 | else { |
wolfSSL | 13:f67a6c6013ca | 769 | XMEMCPY(bs->status, response->status, sizeof(CertStatus)); |
wolfSSL | 13:f67a6c6013ca | 770 | XMEMCPY(bs->source, response->source, response->maxIdx); |
wolfSSL | 13:f67a6c6013ca | 771 | } |
wolfSSL | 13:f67a6c6013ca | 772 | return bs; |
wolfSSL | 13:f67a6c6013ca | 773 | } |
wolfSSL | 13:f67a6c6013ca | 774 | |
wolfSSL | 13:f67a6c6013ca | 775 | OcspRequest* wolfSSL_OCSP_REQUEST_new(void) |
wolfSSL | 13:f67a6c6013ca | 776 | { |
wolfSSL | 13:f67a6c6013ca | 777 | OcspRequest* request; |
wolfSSL | 13:f67a6c6013ca | 778 | |
wolfSSL | 13:f67a6c6013ca | 779 | request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, |
wolfSSL | 13:f67a6c6013ca | 780 | DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 781 | if (request != NULL) |
wolfSSL | 13:f67a6c6013ca | 782 | XMEMSET(request, 0, sizeof(OcspRequest)); |
wolfSSL | 13:f67a6c6013ca | 783 | |
wolfSSL | 13:f67a6c6013ca | 784 | return request; |
wolfSSL | 13:f67a6c6013ca | 785 | } |
wolfSSL | 13:f67a6c6013ca | 786 | |
wolfSSL | 13:f67a6c6013ca | 787 | void wolfSSL_OCSP_REQUEST_free(OcspRequest* request) |
wolfSSL | 13:f67a6c6013ca | 788 | { |
wolfSSL | 13:f67a6c6013ca | 789 | FreeOcspRequest(request); |
wolfSSL | 13:f67a6c6013ca | 790 | XFREE(request, NULL, DYNAMIC_TYPE_OPENSSL); |
wolfSSL | 13:f67a6c6013ca | 791 | } |
wolfSSL | 13:f67a6c6013ca | 792 | |
wolfSSL | 13:f67a6c6013ca | 793 | int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data) |
wolfSSL | 13:f67a6c6013ca | 794 | { |
wolfSSL | 13:f67a6c6013ca | 795 | word32 size; |
wolfSSL | 13:f67a6c6013ca | 796 | |
wolfSSL | 13:f67a6c6013ca | 797 | size = EncodeOcspRequest(request, NULL, 0); |
wolfSSL | 13:f67a6c6013ca | 798 | if (size <= 0 || data == NULL) |
wolfSSL | 13:f67a6c6013ca | 799 | return size; |
wolfSSL | 13:f67a6c6013ca | 800 | |
wolfSSL | 13:f67a6c6013ca | 801 | return EncodeOcspRequest(request, *data, size); |
wolfSSL | 13:f67a6c6013ca | 802 | } |
wolfSSL | 13:f67a6c6013ca | 803 | |
wolfSSL | 13:f67a6c6013ca | 804 | WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req, |
wolfSSL | 13:f67a6c6013ca | 805 | WOLFSSL_OCSP_CERTID *cid) |
wolfSSL | 13:f67a6c6013ca | 806 | { |
wolfSSL | 13:f67a6c6013ca | 807 | if (req == NULL || cid == NULL) |
wolfSSL | 13:f67a6c6013ca | 808 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 809 | |
wolfSSL | 13:f67a6c6013ca | 810 | FreeOcspRequest(req); |
wolfSSL | 13:f67a6c6013ca | 811 | XMEMCPY(req, cid, sizeof(OcspRequest)); |
wolfSSL | 13:f67a6c6013ca | 812 | |
wolfSSL | 13:f67a6c6013ca | 813 | if (cid->serial != NULL) { |
wolfSSL | 13:f67a6c6013ca | 814 | req->serial = (byte*)XMALLOC(cid->serialSz, NULL, |
wolfSSL | 13:f67a6c6013ca | 815 | DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 13:f67a6c6013ca | 816 | req->url = (byte*)XMALLOC(cid->urlSz, NULL, DYNAMIC_TYPE_OCSP_REQUEST); |
wolfSSL | 13:f67a6c6013ca | 817 | if (req->serial == NULL || req->url == NULL) { |
wolfSSL | 13:f67a6c6013ca | 818 | FreeOcspRequest(req); |
wolfSSL | 13:f67a6c6013ca | 819 | return NULL; |
wolfSSL | 13:f67a6c6013ca | 820 | } |
wolfSSL | 13:f67a6c6013ca | 821 | |
wolfSSL | 13:f67a6c6013ca | 822 | XMEMCPY(req->serial, cid->serial, cid->serialSz); |
wolfSSL | 13:f67a6c6013ca | 823 | XMEMCPY(req->url, cid->url, cid->urlSz); |
wolfSSL | 13:f67a6c6013ca | 824 | } |
wolfSSL | 13:f67a6c6013ca | 825 | |
wolfSSL | 13:f67a6c6013ca | 826 | wolfSSL_OCSP_REQUEST_free(cid); |
wolfSSL | 13:f67a6c6013ca | 827 | |
wolfSSL | 13:f67a6c6013ca | 828 | return req; |
wolfSSL | 13:f67a6c6013ca | 829 | } |
wolfSSL | 13:f67a6c6013ca | 830 | |
wolfSSL | 13:f67a6c6013ca | 831 | #endif |
wolfSSL | 13:f67a6c6013ca | 832 | |
wolfSSL | 13:f67a6c6013ca | 833 | #else /* HAVE_OCSP */ |
wolfSSL | 13:f67a6c6013ca | 834 | |
wolfSSL | 13:f67a6c6013ca | 835 | |
wolfSSL | 13:f67a6c6013ca | 836 | #ifdef _MSC_VER |
wolfSSL | 13:f67a6c6013ca | 837 | /* 4206 warning for blank file */ |
wolfSSL | 13:f67a6c6013ca | 838 | #pragma warning(disable: 4206) |
wolfSSL | 13:f67a6c6013ca | 839 | #endif |
wolfSSL | 13:f67a6c6013ca | 840 | |
wolfSSL | 13:f67a6c6013ca | 841 | |
wolfSSL | 13:f67a6c6013ca | 842 | #endif /* HAVE_OCSP */ |
wolfSSL | 13:f67a6c6013ca | 843 | #endif /* WOLFCRYPT_ONLY */ |
wolfSSL | 13:f67a6c6013ca | 844 | |
wolfSSL | 13:f67a6c6013ca | 845 |