updates to OCSP

ctaocrypt/src/asn.c

@@ -4105,6 +4105,18 @@ int OcspResponseDecode(OcspResponse* resp)
     return 0;
 }
 
+
+void InitOcspRequest(OcspRequest* req)
+{
+}
+
+
+int MakeOcspRequest(OcspRequest* req)
+{
+    return 0;
+}
+
+
 int EncodeOcspRequest(void)
 {
     return 0;

cyassl/ctaocrypt/asn.h

@@ -333,6 +333,14 @@ enum Ocsp_Sums {
 
 
 typedef struct OcspResponse OcspResponse;
+typedef struct OcspRequest OcspRequest;
+
+
+struct OcspRequest {
+    byte* serialNumber; /* not owned by us */
+    int serialSz;
+};
+
 
 struct OcspResponse {
     int     responseStatus;  /* return code from Responder */

cyassl/internal.h

@@ -40,6 +40,9 @@
 #ifndef NO_SHA256
     #include <cyassl/ctaocrypt/sha256.h>
 #endif
+#ifdef HAVE_OCSP
+    #include <cyassl/ocsp.h>
+#endif
 
 #ifdef CYASSL_CALLBACKS
     #include <cyassl/openssl/cyassl_callbacks.h>
@@ -642,6 +645,9 @@ struct CYASSL_CTX {
     pem_password_cb passwd_cb;
     void*            userdata;
 #endif /* OPENSSL_EXTRA */
+#ifdef HAVE_OCSP
+    CYASSL_OCSP      ocsp;
+#endif
 };
 
 

cyassl/ocsp.h

@@ -0,0 +1,71 @@
+/* ssl.h
+ *
+ * Copyright (C) 2006-2012 Sawtooth Consulting Ltd.
+ *
+ * This file is part of CyaSSL.
+ *
+ * CyaSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * CyaSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+
+/* CyaSSL OCSP API */
+
+#ifndef CYASSL_OCSP_H
+#define CYASSL_OCSP_H
+
+
+#include <cyassl/ctaocrypt/asn.h>
+
+
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
+typedef struct CYASSL_OCSP CYASSL_OCSP;
+typedef struct CertStatus CertStatus;
+
+struct CertStatus {
+    byte subjectHash[SHA_SIZE];
+    byte issuerHash[SHA_SIZE];
+    byte serial[EXTERNAL_SERIAL_SIZE];
+    int serialSz;
+    int status;
+};
+
+struct CYASSL_OCSP {
+    byte enabled;
+    byte useOverrideUrl;
+    char overrideName[80];
+    int  overridePort;
+    int statusLen;
+    CertStatus status[1];
+};
+
+
+
+CYASSL_LOCAL int  CyaSSL_OCSP_Init(CYASSL_OCSP*);
+CYASSL_LOCAL void CyaSSL_OCSP_Cleanup(CYASSL_OCSP*);
+CYASSL_LOCAL int  CyaSSL_OCSP_set_override_url(CYASSL_OCSP*, const char*);
+CYASSL_LOCAL int  CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP*, DecodedCert*);
+
+
+#ifdef __cplusplus
+    }  /* extern "C" */
+#endif
+
+
+#endif /* CYASSL_OCSP_H */
+
+

cyassl/ssl.h

@@ -794,6 +794,13 @@ CYASSL_API int CyaSSL_accept_ex(CYASSL*, HandShakeCallBack, TimeoutCallBack,
 #endif /* CYASSL_CALLBACKS */
 
 
+CYASSL_API long CyaSSL_CTX_OCSP_set_options(CYASSL_CTX*, long);
+CYASSL_API int  CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX*, const char*);
+
+/* OCSP Options */
+#define CYASSL_OCSP_ENABLE       0x0001 /* Enable OCSP lookups */
+#define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL
+                                         * in certificate */
 
 
 #ifdef __cplusplus

src/internal.c

@@ -388,6 +388,9 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method)
     ctx->sendVerify = 0;
     ctx->quietShutdown = 0;
     ctx->groupMessages = 0;
+#ifdef HAVE_OCSP
+    CyaSSL_OCSP_Init(&ctx->ocsp);
+#endif
 
     if (InitMutex(&ctx->countMutex) < 0) {
         CYASSL_MSG("Mutex error on CTX init");
@@ -408,6 +411,10 @@ void SSL_CtxResourceFree(CYASSL_CTX* ctx)
     XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD);
 
     FreeSigners(ctx->caList, ctx->heap);
+
+#ifdef HAVE_OCSP
+    CyaSSL_OCSP_Cleanup(&ctx->ocsp);
+#endif
 }
 
 
@@ -1624,6 +1631,10 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
             }
         }
 
+#ifdef HAVE_OCSP
+        CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert);
+#endif
+
 #ifdef OPENSSL_EXTRA
         /* set X509 format for peer cert even if fatal */
         XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX);

src/ocsp.c

@@ -24,12 +24,117 @@
 #endif
 
 #include <cyassl/error.h>
-#include <cyassl/ctaocrypt/asn.h>
+#include <cyassl/ocsp.h>
 
 
 #ifdef HAVE_OCSP
+CYASSL_API int ocsp_test(unsigned char* buf, int sz);
+#define CYASSL_OCSP_ENABLE       0x0001 /* Enable OCSP lookups */
+#define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL
+                                         * in certificate */
+
+
+int ocsp_test(unsigned char* buf, int sz)
+{
+    CYASSL_OCSP ocsp;
+    OcspResponse resp;
+    int result;
+    
+    CyaSSL_OCSP_Init(&ocsp);
+    InitOcspResponse(&resp, buf, sz, NULL);
+
+    ocsp.enabled = 1;
+    ocsp.useOverrideUrl = 1;
+    CyaSSL_OCSP_set_override_url(&ocsp, "http://ocsp.example.com:8080/");
+    CyaSSL_OCSP_Lookup_Cert(&ocsp, NULL);
+
+    result = OcspResponseDecode(&resp);
+    
+    FreeOcspResponse(&resp);
+    CyaSSL_OCSP_Cleanup(&ocsp);
+
+    return result;
+}
+
+
+int CyaSSL_OCSP_Init(CYASSL_OCSP* ocsp)
+{
+    if (ocsp != NULL) {
+        XMEMSET(ocsp, 0, sizeof(*ocsp));
+        return 0;
+    }
+
+    return -1;
+}
+
+
+void CyaSSL_OCSP_Cleanup(CYASSL_OCSP* ocsp)
+{
+    ocsp->enabled = 0;
+    /* Deallocate memory */
+}
+
+
+int CyaSSL_OCSP_set_override_url(CYASSL_OCSP* ocsp, const char* url)
+{
+    if (ocsp != NULL && url != NULL) {
+        int i, cur, hostname;
+
+        /* need to break the url down into scheme, address, and port */
+        /* "http://example.com:8080/" */
+        if (XSTRNCMP(url, "http://", 7) == 0) {
+            cur = 7;
+        } else cur = 0;
+
+        i = 0;
+        while (url[cur] != 0 && url[cur] != ':' && url[cur] != '/') {
+            ocsp->overrideName[i++] = url[cur++];
+        }
+        ocsp->overrideName[i] = 0;
+
+        if (url[cur] == ':') {
+            char port[6];
+            int j;
+            i = 0;
+            cur++;
+            while (url[cur] != 0 && url[cur] != '/' && i < 6) {
+                port[i++] = url[cur++];
+            }
+
+            ocsp->overridePort = 0;
+            for (j = 0; j < i; j++) {
+                if (port[j] < '0' || port[j] > '9') return -1;
+                ocsp->overridePort = 
+                            (ocsp->overridePort * 10) + (port[j] - '0');
+            }
+        }
+        else
+            ocsp->overridePort = 80;
+
+        return 1;
+    }
+
+    return 0;
+}
+
+
+int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
+{
+    /* If OCSP lookups are disabled, return success. */
+    if (!ocsp->enabled) return 1;
+
+    /* If OCSP lookups are enabled, but URL Override is disabled, return 
+    ** a failure. Need to have an override URL for right now. */
+    if (!ocsp->useOverrideUrl || cert == NULL) return 0;
+
+    XMEMCPY(ocsp->status[0].subjectHash, cert->subjectHash, SHA_SIZE);
+    XMEMCPY(ocsp->status[0].issuerHash, cert->issuerHash, SHA_SIZE);
+    XMEMCPY(ocsp->status[0].serial, cert->serial, cert->serialSz);
+    ocsp->status[0].serialSz = cert->serialSz;
+
+    return 1;
+}
 
-void ocsp_stub(void) {}
 
 #endif /* HAVE_OCSP */
 

src/ssl.c

@@ -5379,3 +5379,26 @@ const byte* CyaSSL_get_sessionID(const CYASSL_SESSION* session)
 
 #endif /* SESSION_CERTS */
 
+
+#ifdef HAVE_OCSP
+
+long CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, long options)
+{
+    CYASSL_ENTER("CyaSSL_CTX_OCSP_set_options");
+    if (ctx != NULL) {
+        ctx->ocsp.enabled = (options && CYASSL_OCSP_ENABLE) != 0;
+        ctx->ocsp.useOverrideUrl = (options && CYASSL_OCSP_URL_OVERRIDE) != 0;
+        return 1;
+    }
+    return 0;
+}
+
+
+int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX* ctx, const char* url)
+{
+    CYASSL_ENTER("CyaSSL_CTX_OCSP_set_override_url");
+    return CyaSSL_OCSP_set_override_url(&ctx->ocsp, url);
+}
+
+#endif
+