Add set of OCSP client functions. All experimental
and subject to addition, modifcation or deletion.

Add two OCSP nonce utility functions.

Fix typo in status code name.

CHANGES

@@ -3,7 +3,29 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
-  *) Change function OCSP_request_add() to OCSP_request_add0().
+  *) Move OCSP client related routines to ocsp_cl.c. These
+     provide utility functions which an application needing
+     to issue a request to an OCSP responder and analyse the
+     response will typically need: as opposed to those which an
+     OCSP responder itself would need which will be added later.
+
+     OCSP_request_sign() signs an OCSP request with an API similar
+     to PKCS7_sign(). OCSP_response_status() returns status of OCSP
+     response. OCSP_response_get1_basic() extracts basic response
+     from response. OCSP_resp_find_status(): finds and extracts status
+     information from an OCSP_CERTID structure (which will be created
+     when the request structure is built). These are built from lower
+     level functions which work on OCSP_SINGLERESP structures but
+     wont normally be used unless the application wishes to examine
+     extensions in the OCSP response for example.
+
+     Replace nonce routines with a pair of functions.
+     OCSP_request_add1_nonce() adds a nonce value and optionally
+     generates a random value. OCSP_check_nonce() checks the
+     validity of the nonce in an OCSP response.
+     [Steve Henson]
+
+  *) Change function OCSP_request_add() to OCSP_request_add0_id().
      This doesn't copy the supplied OCSP_CERTID and avoids the
      need to free up the newly created id. Change return type
      to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.

crypto/ocsp/Makefile.ssl

@@ -23,10 +23,10 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC= ocsp_asn.c ocsp_ext.c ocsp_ht.c \
-	ocsp_lib.c ocsp_prn.c ocsp_err.c
+	ocsp_lib.c ocsp_cl.c ocsp_prn.c ocsp_err.c
 
 LIBOBJ= ocsp_asn.o ocsp_ext.o ocsp_ht.o \
-	ocsp_lib.o ocsp_prn.o ocsp_err.o
+	ocsp_lib.o ocsp_cl.o ocsp_prn.o ocsp_err.o
 
 SRC= $(LIBSRC)
 

crypto/ocsp/ocsp.h

@@ -72,6 +72,12 @@
 extern "C" {
 #endif
 
+/* Various flags and values */
+
+#define OCSP_DEFAULT_NONCE_LENGTH	16
+
+#define OCSP_NOCERTS			0x1
+
 /*   CertID ::= SEQUENCE {
  *       hashAlgorithm            AlgorithmIdentifier,
  *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
@@ -146,7 +152,7 @@ typedef struct ocsp_request_st
  *       unauthorized          (6)       --Request unauthorized
  *   }
  */
-#define OCSP_RESPONSE_STATUS_SUCCESSFULL          0
+#define OCSP_RESPONSE_STATUS_SUCCESSFUL          0
 #define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     1
 #define OCSP_RESPONSE_STATUS_INTERNALERROR        2
 #define OCSP_RESPONSE_STATUS_TRYLATER             3
@@ -361,21 +367,21 @@ typedef struct ocsp_service_locator_st
 #define OCSP_REQUEST_sign(o,pkey,md) \
 	ASN1_item_sign(&OCSP_REQINFO_it,\
 		o->optionalSignature->signatureAlgorithm,NULL,\
-	        o->optionalSignature->signature,(char *)o->tbsRequest,pkey,md)
+	        o->optionalSignature->signature,o->tbsRequest,pkey,md)
 
 #define OCSP_BASICRESP_sign(o,pkey,md,d) \
 	ASN1_item_sign(&OCSP_RESPDATA_it,o->signatureAlgorithm,NULL,\
-		o->signature,(char *)o->tbsResponseData,pkey,md)
+		o->signature,o->tbsResponseData,pkey,md)
 
 #define OCSP_REQUEST_verify(a,r) ASN1_item_verify(&OCSP_REQINFO_it,\
         a->optionalSignature->signatureAlgorithm,\
-	a->optionalSignature->signature,(char *)a->tbsRequest,r)
+	a->optionalSignature->signature,a->tbsRequest,r)
 
 #define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(&OCSP_RESPDATA_it,\
-	a->signatureAlgorithm,a->signature,(char *)a->tbsResponseData,r)
+	a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
 
 #define ASN1_BIT_STRING_digest(data,type,md,len) \
-	ASN1_item_digest(&ASN1_BIT_STRING_it,type,(char *)data,md,len)
+	ASN1_item_digest(&ASN1_BIT_STRING_it,type,data,md,len)
 
 #define OCSP_CERTID_dup(cid) (OCSP_CERTID*)ASN1_dup((int(*)())i2d_OCSP_CERTID,\
 		(char *(*)())d2i_OCSP_CERTID,(char *)(cid))
@@ -395,15 +401,26 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
 
 OCSP_CERTSTATUS *OCSP_cert_status_new(int status, int reason, char *tim);
 
-OCSP_ONEREQ *OCSP_request_add0(OCSP_REQUEST *req, OCSP_CERTID *cid);
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
 
 int OCSP_request_sign(OCSP_REQUEST   *req,
+		      X509           *signer,
 		      EVP_PKEY       *key,
 		      const EVP_MD   *dgst,
-		      STACK_OF(X509) *certs);
+		      STACK_OF(X509) *certs,
+		      unsigned long flags);
+
+int OCSP_response_status(OCSP_RESPONSE *resp);
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
 
 int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey);
 
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+
 OCSP_BASICRESP *OCSP_basic_response_new(int tag,
 					X509* cert);
 
@@ -431,8 +448,6 @@ OCSP_RESPONSE *OCSP_response_new(int status,
 ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
 				char *data, STACK_OF(ASN1_OBJECT) *sk);
 
-X509_EXTENSION *OCSP_nonce_new(void *p, unsigned int len);
-
 X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
 
 X509_EXTENSION *OCSP_accept_responses_new(char **oids);
@@ -520,6 +535,8 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_F_CERT_ID_NEW				 102
 #define OCSP_F_CERT_STATUS_NEW				 103
 #define OCSP_F_D2I_OCSP_NONCE				 109
+#define OCSP_F_OCSP_CHECK_NONCE				 112
+#define OCSP_F_OCSP_RESPONSE_GET1_BASIC			 111
 #define OCSP_F_OCSP_SENDREQ_BIO				 110
 #define OCSP_F_REQUEST_VERIFY				 104
 #define OCSP_F_RESPONSE_VERIFY				 105
@@ -534,6 +551,9 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_FAILED_TO_READ				 110
 #define OCSP_R_FAILED_TO_STAT				 111
 #define OCSP_R_MISSING_VALUE				 112
+#define OCSP_R_NONCE_MISSING_IN_RESPONSE		 121
+#define OCSP_R_NONCE_VALUE_MISMATCH			 122
+#define OCSP_R_NOT_BASIC_RESPONSE			 120
 #define OCSP_R_NO_CERTIFICATE				 102
 #define OCSP_R_NO_CONTENT				 115
 #define OCSP_R_NO_PUBLIC_KEY				 103
@@ -544,6 +564,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_SERVER_RESPONSE_ERROR			 117
 #define OCSP_R_SERVER_RESPONSE_PARSE_ERROR		 118
 #define OCSP_R_SERVER_WRITE_ERROR			 119
+#define OCSP_R_UNEXPECTED_NONCE_IN_RESPONSE		 123
 #define OCSP_R_UNKNOWN_NID				 107
 #define OCSP_R_UNSUPPORTED_OPTION			 113
 #define OCSP_R_VALUE_ALREADY				 114

crypto/ocsp/ocsp_cl.c

+/* ocsp_cl.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP requests and extracting
+ * relevant information from the response.
+ */
+
+/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ 
+ * pointer: useful if we want to add extensions.
+ */
+
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
+        {
+	OCSP_ONEREQ *one = NULL;
+
+	if (!(one = OCSP_ONEREQ_new())) goto err;
+	if (one->reqCert) OCSP_CERTID_free(one->reqCert);
+	one->reqCert = cid;
+	if (req &&
+		!sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
+				goto err;
+	return one;
+err:
+	OCSP_ONEREQ_free(one);
+	return NULL;
+        }
+
+/* Set requestorName from an X509_NAME structure */
+
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+	{
+	GENERAL_NAME *gen;
+	gen = GENERAL_NAME_new();
+	if (!X509_NAME_set(&gen->d.directoryName, nm))
+		{
+		GENERAL_NAME_free(gen);
+		return 0;
+		}
+	gen->type = GEN_DIRNAME;
+	if (req->tbsRequest->requestorName)
+		GENERAL_NAME_free(req->tbsRequest->requestorName);
+	req->tbsRequest->requestorName = gen;
+	return 1;
+	}
+	
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
+	{
+	OCSP_SIGNATURE *sig;
+	if (!req->optionalSignature)
+		req->optionalSignature = OCSP_SIGNATURE_new();
+	sig = req->optionalSignature;
+	if (!sig) return 0;
+	if (!cert) return 1;
+	if (!sig->certs && !(sig->certs = sk_X509_new_null()))
+		return 0;
+
+	if(!sk_X509_push(sig->certs, cert)) return 0;
+	CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+	return 1;
+	}
+
+/* Sign an OCSP request set the requestorName to the subjec
+ * name of an optional signers certificate and include one
+ * or more optional certificates in the request. Behaves
+ * like PKCS7_sign().
+ */
+
+int OCSP_request_sign(OCSP_REQUEST   *req,
+		      X509           *signer,
+		      EVP_PKEY       *key,
+		      const EVP_MD   *dgst,
+		      STACK_OF(X509) *certs,
+		      unsigned long flags)
+        {
+	int i;
+	OCSP_SIGNATURE *sig;
+	X509 *x;
+
+	if (signer &&
+		!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+			goto err;
+
+	if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
+	if (!dgst) dgst = EVP_sha1();
+	if (key && !OCSP_REQUEST_sign(req, key, dgst)) goto err;
+	if (!(flags & OCSP_NOCERTS))
+		{
+		if (!OCSP_request_add1_cert(req, signer)) goto err;
+	        for (i = 0; i < sk_X509_num(certs); i++)
+			{
+			x = sk_X509_value(certs, i);
+			if (!OCSP_request_add1_cert(req, x)) goto err;
+			}
+		}
+	return 1;
+err:
+	OCSP_SIGNATURE_free(req->optionalSignature);
+	req->optionalSignature = NULL;
+	return 0;
+	}
+
+/* Get response status */
+
+int OCSP_response_status(OCSP_RESPONSE *resp)
+	{
+	return ASN1_ENUMERATED_get(resp->responseStatus);
+	}
+
+/* Extract basic response from OCSP_RESPONSE or NULL if
+ * no basic response present.
+ */
+ 
+
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
+	{
+	OCSP_RESPBYTES *rb;
+	rb = resp->responseBytes;
+	if (!rb)
+		{
+		OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
+		return NULL;
+		}
+	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+		{
+		OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
+		return NULL;
+		}
+
+	return ASN1_item_unpack(rb->response, &OCSP_BASICRESP_it);
+	}
+
+/* Return number of OCSP_SINGLERESP reponses present in
+ * a basic response.
+ */
+
+int OCSP_resp_count(OCSP_BASICRESP *bs)
+	{
+	if (!bs) return -1;
+	return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
+	}
+
+/* Extract an OCSP_SINGLERESP response with a given index */
+
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
+	{
+	if (!bs) return NULL;
+	return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
+	}
+
+/* Look single response matching a given certificate ID */
+
+int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
+	{
+	int i;
+	STACK_OF(OCSP_SINGLERESP) *sresp;
+	OCSP_SINGLERESP *single;
+	if (!bs) return -1;
+	if (last < 0) last = 0;
+	else last++;
+	sresp = bs->tbsResponseData->responses;
+	for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+		{
+		single = sk_OCSP_SINGLERESP_value(sresp, i);
+		if (!OCSP_id_cmp(id, single->certId)) return i;
+		}
+	return -1;
+	}
+
+/* Extract status information from an OCSP_SINGLERESP structure.
+ * Note: the revtime and reason values are only set if the 
+ * certificate status is revoked. Returns numerical value of
+ * status.
+ */
+
+int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+				ASN1_GENERALIZEDTIME **revtime,
+				ASN1_GENERALIZEDTIME **thisupd,
+				ASN1_GENERALIZEDTIME **nextupd)
+	{
+	int ret;
+	OCSP_CERTSTATUS *cst = single->certStatus;
+	if(!single) return -1;
+	ret = cst->type;
+	if (ret == V_OCSP_CERTSTATUS_REVOKED)
+		{
+		OCSP_REVOKEDINFO *rev = cst->value.revoked;
+		if (revtime) *revtime = rev->revocationTime;
+		if (reason) 
+			{
+			if(rev->revocationReason)
+				*reason = ASN1_ENUMERATED_get(rev->revocationReason);
+			else *reason = -1;
+			}
+		}
+	if(thisupd) *thisupd = single->thisUpdate;
+	if(nextupd) *nextupd = single->nextUpdate;
+	return ret;
+	}
+
+/* This function combines the previous ones: look a certificate ID and
+ * if found extract status information. Return 0 is successful.
+ */
+
+int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+				int *reason,
+				ASN1_GENERALIZEDTIME **revtime,
+				ASN1_GENERALIZEDTIME **thisupd,
+				ASN1_GENERALIZEDTIME **nextupd)
+	{
+	int i;
+	OCSP_SINGLERESP *single;
+	i = OCSP_resp_find(bs, id, -1);
+	/* Maybe check for multiple responses and give an error? */
+	if(i < 0) return 0;
+	single = OCSP_resp_get0(bs, i);
+	i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
+	if(reason) *reason = i;
+	return 1;
+	}

crypto/ocsp/ocsp_err.c

@@ -72,6 +72,8 @@ static ERR_STRING_DATA OCSP_str_functs[]=
 {ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),	"CERT_ID_NEW"},
 {ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0),	"CERT_STATUS_NEW"},
 {ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),	"D2I_OCSP_NONCE"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0),	"OCSP_check_nonce"},
+{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0),	"OCSP_response_get1_basic"},
 {ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0),	"OCSP_sendreq_bio"},
 {ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),	"REQUEST_VERIFY"},
 {ERR_PACK(0,OCSP_F_RESPONSE_VERIFY,0),	"RESPONSE_VERIFY"},
@@ -89,6 +91,9 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
 {OCSP_R_FAILED_TO_READ                   ,"failed to read"},
 {OCSP_R_FAILED_TO_STAT                   ,"failed to stat"},
 {OCSP_R_MISSING_VALUE                    ,"missing value"},
+{OCSP_R_NONCE_MISSING_IN_RESPONSE        ,"nonce missing in response"},
+{OCSP_R_NONCE_VALUE_MISMATCH             ,"nonce value mismatch"},
+{OCSP_R_NOT_BASIC_RESPONSE               ,"not basic response"},
 {OCSP_R_NO_CERTIFICATE                   ,"no certificate"},
 {OCSP_R_NO_CONTENT                       ,"no content"},
 {OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
@@ -99,6 +104,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
 {OCSP_R_SERVER_RESPONSE_ERROR            ,"server response error"},
 {OCSP_R_SERVER_RESPONSE_PARSE_ERROR      ,"server response parse error"},
 {OCSP_R_SERVER_WRITE_ERROR               ,"server write error"},
+{OCSP_R_UNEXPECTED_NONCE_IN_RESPONSE     ,"unexpected nonce in response"},
 {OCSP_R_UNKNOWN_NID                      ,"unknown nid"},
 {OCSP_R_UNSUPPORTED_OPTION               ,"unsupported option"},
 {OCSP_R_VALUE_ALREADY                    ,"value already"},

crypto/ocsp/ocsp_ext.c

@@ -66,6 +66,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/ocsp.h>
+#include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
 /* Standard wrapper functions for extensions */
@@ -300,6 +301,76 @@ err:
 	return NULL;
 	}
 
+/* Nonce handling functions */
+
+/* Add a nonce to an OCSP request. A nonce can be specificed or if NULL
+ * a random nonce will be generated.
+ */
+
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+	{
+	unsigned char *tmpval;
+	ASN1_OCTET_STRING os;
+	int ret = 0;
+	if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
+	if (val) tmpval = val;
+	else
+		{
+		if (!(tmpval = OPENSSL_malloc(len))) goto err;
+		RAND_pseudo_bytes(tmpval, len);
+		}
+	os.data = tmpval;
+	os.length = len;
+	if(!OCSP_REQUEST_add1_ext_i2d(req, NID_id_pkix_OCSP_Nonce,
+			&os, 0, X509V3_ADD_REPLACE))
+				goto err;
+	ret = 1;
+	err:
+	if(!val) OPENSSL_free(tmpval);
+	return ret;
+	}
+
+/* Check nonce validity in a request and response: the nonce
+ * must be either absent in both or present and equal in both. 
+ */
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
+	{
+	/*
+	 * Since we are only interested in the presence or absence of
+	 * the nonce and comparing its value there is no need to use
+	 * the X509V3 routines: this way we can avoid them allocating an
+	 * ASN1_OCTET_STRING structure for the value which would be
+	 * freed immediately anyway.
+	 */
+
+	int ret = 0, req_idx, resp_idx;
+	X509_EXTENSION *req_ext, *resp_ext;
+	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
+	resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
+	/* If both absent its OK */
+	if((req_idx < 0) && (resp_idx < 0)) return 1;
+	if((req_idx < 0) && (resp_idx >= 0))
+		{
+		OCSPerr(OCSP_F_OCSP_CHECK_NONCE, OCSP_R_NONCE_MISSING_IN_RESPONSE);
+		goto err;
+		}
+	if((req_idx < 0) && (resp_idx >= 0))
+		{
+		OCSPerr(OCSP_F_OCSP_CHECK_NONCE, OCSP_R_UNEXPECTED_NONCE_IN_RESPONSE);
+		goto err;
+		}
+	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
+	resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
+	if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
+		{
+		OCSPerr(OCSP_F_OCSP_CHECK_NONCE, OCSP_R_NONCE_VALUE_MISMATCH);
+		goto err;
+		}
+	ret = 1;
+	err:
+	return ret;
+	}
+
 X509_EXTENSION *OCSP_nonce_new(void *p, unsigned int len)
         {
 	X509_EXTENSION *x=NULL;

crypto/ocsp/ocsp_lib.c

@@ -64,6 +64,7 @@
 #include <stdio.h>
 #include <cryptlib.h>
 #include <openssl/objects.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
@@ -162,51 +163,16 @@ err:
 	return NULL;
 	}
 
-OCSP_ONEREQ *OCSP_request_add0(OCSP_REQUEST *req, OCSP_CERTID *cid)
-        {
-	OCSP_ONEREQ *one = NULL;
-
-	if (!(one = OCSP_ONEREQ_new())) goto err;
-	if (one->reqCert) OCSP_CERTID_free(one->reqCert);
-	one->reqCert = cid;
-	if (req &&
-		!sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
-				goto err;
-	return one;
-err:
-	if (one) OCSP_ONEREQ_free(one);
-	return NULL;
-        }
-
-int OCSP_request_sign(OCSP_REQUEST   *req,
-		      EVP_PKEY       *key,
-		      const EVP_MD   *dgst,
-		      STACK_OF(X509) *certs)
-        {
-	int i;
-	OCSP_SIGNATURE *sig;
-
-	if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
-	if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
-	if (certs)
-	        {
-	        if (!(sig->certs = sk_X509_dup(certs))) goto err;
-	        for (i = 0; i < sk_X509_num(sig->certs); i++)
-	                {
-			sk_X509_set(sig->certs, i, 
-		               X509_dup(sk_X509_value(certs,i)));
-		        if (! sk_X509_value(sig->certs, i))
-			      goto err;
-		        }
-		}
-	return 1;
-err:
-	if (req->optionalSignature)
-	        {
-		OCSP_SIGNATURE_free(req->optionalSignature);
-		req->optionalSignature = NULL;
-		}
-	return 0;
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+	{
+	int ret;
+	ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
+	if (ret) return ret;
+	ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
+	if (ret) return ret;
+	ret = ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
+	if (ret) return ret;
+	return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
 	}
 
 OCSP_BASICRESP *OCSP_basic_response_new(int type, X509* cert)

crypto/ocsp/ocsp_prn.c

@@ -100,7 +100,7 @@ static char *table2string(long s, OCSP_TBLSTR *ts, int len)
 static char* ocspResponseStatus2string(long s)
         {
 	static OCSP_TBLSTR rstat_tbl[] = {
-	        { OCSP_RESPONSE_STATUS_SUCCESSFULL, "successful" },
+	        { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
 	        { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
 	        { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
 	        { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
@@ -153,7 +153,6 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
 	if (BIO_write(bp,"\n    Requestor List:\n",21) <= 0) goto err;
 	for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
 	        {
-		if (!sk_OCSP_ONEREQ_value(inf->requestList, i)) continue;
 		one = sk_OCSP_ONEREQ_value(inf->requestList, i);
 		cid = one->reqCert;
 		ocsp_certid_print(bp, cid, 8);
@@ -207,6 +206,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
 		BIO_puts(bp," (unknown response type)\n");
 		return 1;
 		}
+
 	p = ASN1_STRING_data(rb->response);
 	i = ASN1_STRING_length(rb->response);
 	if (!(d2i_OCSP_BASICRESP(&br, &p, i))) goto err;