With "-multi" the OCSP responder forks multiple child processes,
and respawns them as needed. This can be used as a long-running
service, not just a demo program. Therefore the index file is
automatically re-read when changed. The responder also now optionally
times out client requests.
Reviewed-by: Matt Caswell <matt@openssl.org>
Retain open file handle and previous stat data for the CA index
file, enabling detection and index reload (upcoming commit).
Check requirements before entering accept loop.
Reviewed-by: Matt Caswell <matt@openssl.org>
Everything in apps includes apps.h, because that one declares apps
internal library routines. However, progs.h doesn't declare library
routines, but rather the main commands and their options, and there's
no reason why the library modules should include it.
So, remove the inclusion of progs.h from apps.h and add that inclusion
in all command source files.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5222)
Add a -rsigopt option to the ocsp command that allows signature parameters to be provided for the signing of OCSP responses. The parameters that may be provided to -rsigopt are the same as may be provided to -sigopt in the ca, req, and x509 commands.
This PR also defines a OCSP_basic_sign_ctx() function, which functions in the same way as OCSP_basic_sign(), except that it accepts a EVP_MD_CTX rather than a key and digest. The OCSP_basic_sign_ctx() function is used to implement the -rsigopt option in the ocsp command.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)
Around 138 distinct errors found and fixed; thanks!
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3459)
Since return is inconsistent, I removed unnecessary parentheses and
unified them.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)
Remove GETPID_IS_MEANINGLESS and osslargused.
Move socket-related things to new file internal/sockets.h; this is now
only needed by four(!!!) files. Compiles should be a bit faster.
Remove USE_SOCKETS ifdef's
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4209)
This fixes issue #3043, which ultimately was reported because
documentation was not clear on the meaning of the "-ignore_err" option.
Update both command line documentation and add this option to manpage.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4143)
Mostly braces and NULL pointer check and also copyright year bump
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3657)
RT3877: Add X509 OCSP error codes and messages
Add additional OCSP error codes for X509 verify usage
RT3867: Support Multiple CA certs in ocsp app
Add the ability to read multiple CA certs from a single file in the
ocsp app.
Update some missing X509 errors in documentation.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/941)
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1694)
Deprecate the function ASN1_STRING_data() and replace with a new function
ASN1_STRING_get0_data() which returns a constant pointer. Update library
to use new function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Multiple digest options to the ocsp utility are allowed: e.g. to use
different digests for different certificate IDs. A digest option without
a following certificate is however illegal.
RT#4215
Reviewed-by: Rich Salz <rsalz@openssl.org>
Link errors were occurring on Windows because the header files were not
correctly guarding some functions with OPENSSL_NO_SOCK
Reviewed-by: Rich Salz <rsalz@openssl.org>
enc:
- typo in -base64 option
- missing help opt text
ocsp, req, rsautl, s_client:
- missing help opt text
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
On some platforms, the implementation is such that a signed char
triggers a warning when used with is*() functions. On others, the
behavior is outright buggy when presented with a char that happens
to get promoted to a negative integer.
The safest thing is to cast the char that's used to an unsigned char.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The ocsp utility is something of a jack-of-all-trades; most anything
related to the OCSP can be done with it. In particular, the manual
page calls out that it can be used as either a client or a server
of the protocol, but there are also a few things that it can do
which do not quite fit into either role, such as encoding an OCSP
request but not sending it, printing out a text form of an OCSP
response (or request) from a file akin to the asn1parse utility,
or performing a lookup into the server-side revocation database
without actually sending a request or response. All three of these
are documented as examples in the manual page, but the documentation
prior to this commit is somewhat misleading, in that when printing
the text form of an OCSP response, the code also attempts to
verify the response, displaying an error message and returning
failure if the response does not verify. (It is possible that
the response would be able to verify with the given example, since
the default trust roots are used for that verification, but OCSP
responses frequently have alternate certification authorities
that would require passing -CAfile or -CApath for verification.)
Tidy up the documentation by passing -noverify for the case of
converting from binary to textual representation, and also
change a few instances of -respin to -reqin as appropriate, note
that the -url option provides the same functionality as the -host
and -path options, clarify that the example that saves an OCSP
response to a file will also perform verification on that response,
and fix a couple grammar nits in the manual page.
Also remove an always-true conditional for rdb != NULL -- there
are no codepaths in which it could be initialized at the time of
this check.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Check for Host header in query_responder instead of process_responder. This
also fixes a memory leak in the old code if the headers was NULL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Loading the config file after processing command line options can
cause problems, e.g. where an engine provides new ciphers/digests
these are not then recoginised on the command line. Move the
default config file loading to before the command line option
processing. Whilst we're doing this we might as well centralise
this instead of doing it individually for each application. Finally
if we do it before the OpenSSL_add_ssl_algorithms() call then
ciphersuites provided by an engine (e.g. GOST) can be available to
the apps.
RT#4085
RT#4086
Reviewed-by: Richard Levitte <levitte@openssl.org>
For those command line options that take the verification options
-CApath and -CAfile, if those options are absent then the default path or
file is used instead. It is not currently possible to specify *no* path or
file at all. This change adds the options -no-CApath and -no-CAfile to
specify that the default locations should not be used to all relevant
applications.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The different apps had the liberty to decide whether they would open their
input and output files in binary mode or not, which could be confusing if
two different apps were handling the same type of file in different ways.
The solution is to centralise the decision of low level file organisation,
and that the apps would use a selection of formats to state the intent of
the file.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Add Host Header in OCSP query if no host header is set via -header
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Ben Laurie <ben@openssl.org>