ocsp_ht.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502
  1. /*
  2. * Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "e_os.h"
  10. #include <stdio.h>
  11. #include <stdlib.h>
  12. #include "crypto/ctype.h"
  13. #include <string.h>
  14. #include <openssl/asn1.h>
  15. #include <openssl/ocsp.h>
  16. #include <openssl/err.h>
  17. #include <openssl/buffer.h>
  18. /* Stateful OCSP request code, supporting non-blocking I/O */
  19. /* Opaque OCSP request status structure */
  20. struct ocsp_req_ctx_st {
  21. int state; /* Current I/O state */
  22. unsigned char *iobuf; /* Line buffer */
  23. int iobuflen; /* Line buffer length */
  24. BIO *io; /* BIO to perform I/O with */
  25. BIO *mem; /* Memory BIO response is built into */
  26. unsigned long asn1_len; /* ASN1 length of response */
  27. unsigned long max_resp_len; /* Maximum length of response */
  28. };
  29. #define OCSP_MAX_RESP_LENGTH (100 * 1024)
  30. #define OCSP_MAX_LINE_LEN 4096;
  31. /* OCSP states */
  32. /* If set no reading should be performed */
  33. #define OHS_NOREAD 0x1000
  34. /* Error condition */
  35. #define OHS_ERROR (0 | OHS_NOREAD)
  36. /* First line being read */
  37. #define OHS_FIRSTLINE 1
  38. /* MIME headers being read */
  39. #define OHS_HEADERS 2
  40. /* OCSP initial header (tag + length) being read */
  41. #define OHS_ASN1_HEADER 3
  42. /* OCSP content octets being read */
  43. #define OHS_ASN1_CONTENT 4
  44. /* First call: ready to start I/O */
  45. #define OHS_ASN1_WRITE_INIT (5 | OHS_NOREAD)
  46. /* Request being sent */
  47. #define OHS_ASN1_WRITE (6 | OHS_NOREAD)
  48. /* Request being flushed */
  49. #define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
  50. /* Completed */
  51. #define OHS_DONE (8 | OHS_NOREAD)
  52. /* Headers set, no final \r\n included */
  53. #define OHS_HTTP_HEADER (9 | OHS_NOREAD)
  54. static int parse_http_line1(char *line);
  55. OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline)
  56. {
  57. OCSP_REQ_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
  58. if (rctx == NULL)
  59. return NULL;
  60. rctx->state = OHS_ERROR;
  61. rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
  62. rctx->mem = BIO_new(BIO_s_mem());
  63. rctx->io = io;
  64. if (maxline > 0)
  65. rctx->iobuflen = maxline;
  66. else
  67. rctx->iobuflen = OCSP_MAX_LINE_LEN;
  68. rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
  69. if (rctx->iobuf == NULL || rctx->mem == NULL) {
  70. OCSP_REQ_CTX_free(rctx);
  71. return NULL;
  72. }
  73. return rctx;
  74. }
  75. void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
  76. {
  77. if (!rctx)
  78. return;
  79. BIO_free(rctx->mem);
  80. OPENSSL_free(rctx->iobuf);
  81. OPENSSL_free(rctx);
  82. }
  83. BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx)
  84. {
  85. return rctx->mem;
  86. }
  87. void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len)
  88. {
  89. if (len == 0)
  90. rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
  91. else
  92. rctx->max_resp_len = len;
  93. }
  94. int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, ASN1_VALUE *val)
  95. {
  96. static const char req_hdr[] =
  97. "Content-Type: application/ocsp-request\r\n"
  98. "Content-Length: %d\r\n\r\n";
  99. int reqlen = ASN1_item_i2d(val, NULL, it);
  100. if (BIO_printf(rctx->mem, req_hdr, reqlen) <= 0)
  101. return 0;
  102. if (ASN1_item_i2d_bio(it, rctx->mem, val) <= 0)
  103. return 0;
  104. rctx->state = OHS_ASN1_WRITE_INIT;
  105. return 1;
  106. }
  107. int OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx,
  108. ASN1_VALUE **pval, const ASN1_ITEM *it)
  109. {
  110. int rv, len;
  111. const unsigned char *p;
  112. rv = OCSP_REQ_CTX_nbio(rctx);
  113. if (rv != 1)
  114. return rv;
  115. len = BIO_get_mem_data(rctx->mem, &p);
  116. *pval = ASN1_item_d2i(NULL, &p, len, it);
  117. if (*pval == NULL) {
  118. rctx->state = OHS_ERROR;
  119. return 0;
  120. }
  121. return 1;
  122. }
  123. int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op, const char *path)
  124. {
  125. static const char http_hdr[] = "%s %s HTTP/1.0\r\n";
  126. if (!path)
  127. path = "/";
  128. if (BIO_printf(rctx->mem, http_hdr, op, path) <= 0)
  129. return 0;
  130. rctx->state = OHS_HTTP_HEADER;
  131. return 1;
  132. }
  133. int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
  134. {
  135. return OCSP_REQ_CTX_i2d(rctx, ASN1_ITEM_rptr(OCSP_REQUEST),
  136. (ASN1_VALUE *)req);
  137. }
  138. int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
  139. const char *name, const char *value)
  140. {
  141. if (!name)
  142. return 0;
  143. if (BIO_puts(rctx->mem, name) <= 0)
  144. return 0;
  145. if (value) {
  146. if (BIO_write(rctx->mem, ": ", 2) != 2)
  147. return 0;
  148. if (BIO_puts(rctx->mem, value) <= 0)
  149. return 0;
  150. }
  151. if (BIO_write(rctx->mem, "\r\n", 2) != 2)
  152. return 0;
  153. rctx->state = OHS_HTTP_HEADER;
  154. return 1;
  155. }
  156. OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
  157. int maxline)
  158. {
  159. OCSP_REQ_CTX *rctx = NULL;
  160. rctx = OCSP_REQ_CTX_new(io, maxline);
  161. if (rctx == NULL)
  162. return NULL;
  163. if (!OCSP_REQ_CTX_http(rctx, "POST", path))
  164. goto err;
  165. if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
  166. goto err;
  167. return rctx;
  168. err:
  169. OCSP_REQ_CTX_free(rctx);
  170. return NULL;
  171. }
  172. /*
  173. * Parse the HTTP response. This will look like this: "HTTP/1.0 200 OK". We
  174. * need to obtain the numeric code and (optional) informational message.
  175. */
  176. static int parse_http_line1(char *line)
  177. {
  178. int retcode;
  179. char *p, *q, *r;
  180. /* Skip to first white space (passed protocol info) */
  181. for (p = line; *p && !ossl_isspace(*p); p++)
  182. continue;
  183. if (!*p) {
  184. OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
  185. return 0;
  186. }
  187. /* Skip past white space to start of response code */
  188. while (*p && ossl_isspace(*p))
  189. p++;
  190. if (!*p) {
  191. OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
  192. return 0;
  193. }
  194. /* Find end of response code: first whitespace after start of code */
  195. for (q = p; *q && !ossl_isspace(*q); q++)
  196. continue;
  197. if (!*q) {
  198. OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
  199. return 0;
  200. }
  201. /* Set end of response code and start of message */
  202. *q++ = 0;
  203. /* Attempt to parse numeric code */
  204. retcode = strtoul(p, &r, 10);
  205. if (*r)
  206. return 0;
  207. /* Skip over any leading white space in message */
  208. while (*q && ossl_isspace(*q))
  209. q++;
  210. if (*q) {
  211. /*
  212. * Finally zap any trailing white space in message (include CRLF)
  213. */
  214. /* We know q has a non white space character so this is OK */
  215. for (r = q + strlen(q) - 1; ossl_isspace(*r); r--)
  216. *r = 0;
  217. }
  218. if (retcode != 200) {
  219. OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
  220. if (!*q)
  221. ERR_add_error_data(2, "Code=", p);
  222. else
  223. ERR_add_error_data(4, "Code=", p, ",Reason=", q);
  224. return 0;
  225. }
  226. return 1;
  227. }
  228. int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx)
  229. {
  230. int i, n;
  231. const unsigned char *p;
  232. next_io:
  233. if (!(rctx->state & OHS_NOREAD)) {
  234. n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
  235. if (n <= 0) {
  236. if (BIO_should_retry(rctx->io))
  237. return -1;
  238. return 0;
  239. }
  240. /* Write data to memory BIO */
  241. if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
  242. return 0;
  243. }
  244. switch (rctx->state) {
  245. case OHS_HTTP_HEADER:
  246. /* Last operation was adding headers: need a final \r\n */
  247. if (BIO_write(rctx->mem, "\r\n", 2) != 2) {
  248. rctx->state = OHS_ERROR;
  249. return 0;
  250. }
  251. rctx->state = OHS_ASN1_WRITE_INIT;
  252. /* fall thru */
  253. case OHS_ASN1_WRITE_INIT:
  254. rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
  255. rctx->state = OHS_ASN1_WRITE;
  256. /* fall thru */
  257. case OHS_ASN1_WRITE:
  258. n = BIO_get_mem_data(rctx->mem, &p);
  259. i = BIO_write(rctx->io, p + (n - rctx->asn1_len), rctx->asn1_len);
  260. if (i <= 0) {
  261. if (BIO_should_retry(rctx->io))
  262. return -1;
  263. rctx->state = OHS_ERROR;
  264. return 0;
  265. }
  266. rctx->asn1_len -= i;
  267. if (rctx->asn1_len > 0)
  268. goto next_io;
  269. rctx->state = OHS_ASN1_FLUSH;
  270. (void)BIO_reset(rctx->mem);
  271. /* fall thru */
  272. case OHS_ASN1_FLUSH:
  273. i = BIO_flush(rctx->io);
  274. if (i > 0) {
  275. rctx->state = OHS_FIRSTLINE;
  276. goto next_io;
  277. }
  278. if (BIO_should_retry(rctx->io))
  279. return -1;
  280. rctx->state = OHS_ERROR;
  281. return 0;
  282. case OHS_ERROR:
  283. return 0;
  284. case OHS_FIRSTLINE:
  285. case OHS_HEADERS:
  286. /* Attempt to read a line in */
  287. next_line:
  288. /*
  289. * Due to &%^*$" memory BIO behaviour with BIO_gets we have to check
  290. * there's a complete line in there before calling BIO_gets or we'll
  291. * just get a partial read.
  292. */
  293. n = BIO_get_mem_data(rctx->mem, &p);
  294. if ((n <= 0) || !memchr(p, '\n', n)) {
  295. if (n >= rctx->iobuflen) {
  296. rctx->state = OHS_ERROR;
  297. return 0;
  298. }
  299. goto next_io;
  300. }
  301. n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
  302. if (n <= 0) {
  303. if (BIO_should_retry(rctx->mem))
  304. goto next_io;
  305. rctx->state = OHS_ERROR;
  306. return 0;
  307. }
  308. /* Don't allow excessive lines */
  309. if (n == rctx->iobuflen) {
  310. rctx->state = OHS_ERROR;
  311. return 0;
  312. }
  313. /* First line */
  314. if (rctx->state == OHS_FIRSTLINE) {
  315. if (parse_http_line1((char *)rctx->iobuf)) {
  316. rctx->state = OHS_HEADERS;
  317. goto next_line;
  318. } else {
  319. rctx->state = OHS_ERROR;
  320. return 0;
  321. }
  322. } else {
  323. /* Look for blank line: end of headers */
  324. for (p = rctx->iobuf; *p; p++) {
  325. if ((*p != '\r') && (*p != '\n'))
  326. break;
  327. }
  328. if (*p)
  329. goto next_line;
  330. rctx->state = OHS_ASN1_HEADER;
  331. }
  332. /* Fall thru */
  333. case OHS_ASN1_HEADER:
  334. /*
  335. * Now reading ASN1 header: can read at least 2 bytes which is enough
  336. * for ASN1 SEQUENCE header and either length field or at least the
  337. * length of the length field.
  338. */
  339. n = BIO_get_mem_data(rctx->mem, &p);
  340. if (n < 2)
  341. goto next_io;
  342. /* Check it is an ASN1 SEQUENCE */
  343. if (*p++ != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)) {
  344. rctx->state = OHS_ERROR;
  345. return 0;
  346. }
  347. /* Check out length field */
  348. if (*p & 0x80) {
  349. /*
  350. * If MSB set on initial length octet we can now always read 6
  351. * octets: make sure we have them.
  352. */
  353. if (n < 6)
  354. goto next_io;
  355. n = *p & 0x7F;
  356. /* Not NDEF or excessive length */
  357. if (!n || (n > 4)) {
  358. rctx->state = OHS_ERROR;
  359. return 0;
  360. }
  361. p++;
  362. rctx->asn1_len = 0;
  363. for (i = 0; i < n; i++) {
  364. rctx->asn1_len <<= 8;
  365. rctx->asn1_len |= *p++;
  366. }
  367. if (rctx->asn1_len > rctx->max_resp_len) {
  368. rctx->state = OHS_ERROR;
  369. return 0;
  370. }
  371. rctx->asn1_len += n + 2;
  372. } else
  373. rctx->asn1_len = *p + 2;
  374. rctx->state = OHS_ASN1_CONTENT;
  375. /* Fall thru */
  376. case OHS_ASN1_CONTENT:
  377. n = BIO_get_mem_data(rctx->mem, NULL);
  378. if (n < (int)rctx->asn1_len)
  379. goto next_io;
  380. rctx->state = OHS_DONE;
  381. return 1;
  382. case OHS_DONE:
  383. return 1;
  384. }
  385. return 0;
  386. }
  387. int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
  388. {
  389. return OCSP_REQ_CTX_nbio_d2i(rctx,
  390. (ASN1_VALUE **)presp,
  391. ASN1_ITEM_rptr(OCSP_RESPONSE));
  392. }
  393. /* Blocking OCSP request handler: now a special case of non-blocking I/O */
  394. OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req)
  395. {
  396. OCSP_RESPONSE *resp = NULL;
  397. OCSP_REQ_CTX *ctx;
  398. int rv;
  399. ctx = OCSP_sendreq_new(b, path, req, -1);
  400. if (ctx == NULL)
  401. return NULL;
  402. do {
  403. rv = OCSP_sendreq_nbio(&resp, ctx);
  404. } while ((rv == -1) && BIO_should_retry(b));
  405. OCSP_REQ_CTX_free(ctx);
  406. if (rv)
  407. return resp;
  408. return NULL;
  409. }