xref: /freebsd/crypto/openssl/apps/ocsp.c (revision 1f4bcc459a76b7aa664f3fd557684cd0ba6da352)
1 /* ocsp.c */
2 /*
3  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4  * 2000.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    licensing@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 #ifndef OPENSSL_NO_OCSP
60 
61 # ifdef OPENSSL_SYS_VMS
62 #  define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
63                                  * on OpenVMS */
64 # endif
65 
66 # define USE_SOCKETS
67 
68 # include <stdio.h>
69 # include <stdlib.h>
70 # include <string.h>
71 # include <time.h>
72 # include "apps.h"              /* needs to be included before the openssl
73                                  * headers! */
74 # include <openssl/e_os2.h>
75 # include <openssl/crypto.h>
76 # include <openssl/err.h>
77 # include <openssl/ssl.h>
78 # include <openssl/evp.h>
79 # include <openssl/bn.h>
80 # include <openssl/x509v3.h>
81 
82 # if defined(NETWARE_CLIB)
83 #  ifdef NETWARE_BSDSOCK
84 #   include <sys/socket.h>
85 #   include <sys/bsdskt.h>
86 #  else
87 #   include <novsock2.h>
88 #  endif
89 # elif defined(NETWARE_LIBC)
90 #  ifdef NETWARE_BSDSOCK
91 #   include <sys/select.h>
92 #  else
93 #   include <novsock2.h>
94 #  endif
95 # endif
96 
97 /* Maximum leeway in validity period: default 5 minutes */
98 # define MAX_VALIDITY_PERIOD     (5 * 60)
99 
100 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
101                          const EVP_MD *cert_id_md, X509 *issuer,
102                          STACK_OF(OCSP_CERTID) *ids);
103 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
104                            const EVP_MD *cert_id_md, X509 *issuer,
105                            STACK_OF(OCSP_CERTID) *ids);
106 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
107                               STACK_OF(OPENSSL_STRING) *names,
108                               STACK_OF(OCSP_CERTID) *ids, long nsec,
109                               long maxage);
110 
111 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
112                               CA_DB *db, X509 *ca, X509 *rcert,
113                               EVP_PKEY *rkey, const EVP_MD *md,
114                               STACK_OF(X509) *rother, unsigned long flags,
115                               int nmin, int ndays, int badsig);
116 
117 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
118 static BIO *init_responder(const char *port);
119 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
120                         const char *port);
121 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
122 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
123                                       const STACK_OF(CONF_VALUE) *headers,
124                                       OCSP_REQUEST *req, int req_timeout);
125 
126 # undef PROG
127 # define PROG ocsp_main
128 
129 int MAIN(int, char **);
130 
131 int MAIN(int argc, char **argv)
132 {
133     ENGINE *e = NULL;
134     char **args;
135     char *host = NULL, *port = NULL, *path = "/";
136     char *thost = NULL, *tport = NULL, *tpath = NULL;
137     char *reqin = NULL, *respin = NULL;
138     char *reqout = NULL, *respout = NULL;
139     char *signfile = NULL, *keyfile = NULL;
140     char *rsignfile = NULL, *rkeyfile = NULL;
141     char *outfile = NULL;
142     int add_nonce = 1, noverify = 0, use_ssl = -1;
143     STACK_OF(CONF_VALUE) *headers = NULL;
144     OCSP_REQUEST *req = NULL;
145     OCSP_RESPONSE *resp = NULL;
146     OCSP_BASICRESP *bs = NULL;
147     X509 *issuer = NULL, *cert = NULL;
148     X509 *signer = NULL, *rsigner = NULL;
149     EVP_PKEY *key = NULL, *rkey = NULL;
150     BIO *acbio = NULL, *cbio = NULL;
151     BIO *derbio = NULL;
152     BIO *out = NULL;
153     int req_timeout = -1;
154     int req_text = 0, resp_text = 0;
155     long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
156     char *CAfile = NULL, *CApath = NULL;
157     X509_STORE *store = NULL;
158     X509_VERIFY_PARAM *vpm = NULL;
159     STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
160     char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
161     unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
162     int ret = 1;
163     int accept_count = -1;
164     int badarg = 0;
165     int badsig = 0;
166     int i;
167     int ignore_err = 0;
168     STACK_OF(OPENSSL_STRING) *reqnames = NULL;
169     STACK_OF(OCSP_CERTID) *ids = NULL;
170 
171     X509 *rca_cert = NULL;
172     char *ridx_filename = NULL;
173     char *rca_filename = NULL;
174     CA_DB *rdb = NULL;
175     int nmin = 0, ndays = -1;
176     const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
177 
178     if (bio_err == NULL)
179         bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
180 
181     if (!load_config(bio_err, NULL))
182         goto end;
183     SSL_load_error_strings();
184     OpenSSL_add_ssl_algorithms();
185     args = argv + 1;
186     reqnames = sk_OPENSSL_STRING_new_null();
187     ids = sk_OCSP_CERTID_new_null();
188     while (!badarg && *args && *args[0] == '-') {
189         if (!strcmp(*args, "-out")) {
190             if (args[1]) {
191                 args++;
192                 outfile = *args;
193             } else
194                 badarg = 1;
195         } else if (!strcmp(*args, "-timeout")) {
196             if (args[1]) {
197                 args++;
198                 req_timeout = atol(*args);
199                 if (req_timeout < 0) {
200                     BIO_printf(bio_err, "Illegal timeout value %s\n", *args);
201                     badarg = 1;
202                 }
203             } else
204                 badarg = 1;
205         } else if (!strcmp(*args, "-url")) {
206             if (thost)
207                 OPENSSL_free(thost);
208             if (tport)
209                 OPENSSL_free(tport);
210             if (tpath)
211                 OPENSSL_free(tpath);
212             thost = tport = tpath = NULL;
213             if (args[1]) {
214                 args++;
215                 if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
216                     BIO_printf(bio_err, "Error parsing URL\n");
217                     badarg = 1;
218                 }
219                 thost = host;
220                 tport = port;
221                 tpath = path;
222             } else
223                 badarg = 1;
224         } else if (!strcmp(*args, "-host")) {
225             if (args[1]) {
226                 args++;
227                 host = *args;
228             } else
229                 badarg = 1;
230         } else if (!strcmp(*args, "-port")) {
231             if (args[1]) {
232                 args++;
233                 port = *args;
234             } else
235                 badarg = 1;
236         } else if (!strcmp(*args, "-header")) {
237             if (args[1] && args[2]) {
238                 if (!X509V3_add_value(args[1], args[2], &headers))
239                     goto end;
240                 args += 2;
241             } else
242                 badarg = 1;
243         } else if (!strcmp(*args, "-ignore_err"))
244             ignore_err = 1;
245         else if (!strcmp(*args, "-noverify"))
246             noverify = 1;
247         else if (!strcmp(*args, "-nonce"))
248             add_nonce = 2;
249         else if (!strcmp(*args, "-no_nonce"))
250             add_nonce = 0;
251         else if (!strcmp(*args, "-resp_no_certs"))
252             rflags |= OCSP_NOCERTS;
253         else if (!strcmp(*args, "-resp_key_id"))
254             rflags |= OCSP_RESPID_KEY;
255         else if (!strcmp(*args, "-no_certs"))
256             sign_flags |= OCSP_NOCERTS;
257         else if (!strcmp(*args, "-no_signature_verify"))
258             verify_flags |= OCSP_NOSIGS;
259         else if (!strcmp(*args, "-no_cert_verify"))
260             verify_flags |= OCSP_NOVERIFY;
261         else if (!strcmp(*args, "-no_chain"))
262             verify_flags |= OCSP_NOCHAIN;
263         else if (!strcmp(*args, "-no_cert_checks"))
264             verify_flags |= OCSP_NOCHECKS;
265         else if (!strcmp(*args, "-no_explicit"))
266             verify_flags |= OCSP_NOEXPLICIT;
267         else if (!strcmp(*args, "-trust_other"))
268             verify_flags |= OCSP_TRUSTOTHER;
269         else if (!strcmp(*args, "-no_intern"))
270             verify_flags |= OCSP_NOINTERN;
271         else if (!strcmp(*args, "-badsig"))
272             badsig = 1;
273         else if (!strcmp(*args, "-text")) {
274             req_text = 1;
275             resp_text = 1;
276         } else if (!strcmp(*args, "-req_text"))
277             req_text = 1;
278         else if (!strcmp(*args, "-resp_text"))
279             resp_text = 1;
280         else if (!strcmp(*args, "-reqin")) {
281             if (args[1]) {
282                 args++;
283                 reqin = *args;
284             } else
285                 badarg = 1;
286         } else if (!strcmp(*args, "-respin")) {
287             if (args[1]) {
288                 args++;
289                 respin = *args;
290             } else
291                 badarg = 1;
292         } else if (!strcmp(*args, "-signer")) {
293             if (args[1]) {
294                 args++;
295                 signfile = *args;
296             } else
297                 badarg = 1;
298         } else if (!strcmp(*args, "-VAfile")) {
299             if (args[1]) {
300                 args++;
301                 verify_certfile = *args;
302                 verify_flags |= OCSP_TRUSTOTHER;
303             } else
304                 badarg = 1;
305         } else if (!strcmp(*args, "-sign_other")) {
306             if (args[1]) {
307                 args++;
308                 sign_certfile = *args;
309             } else
310                 badarg = 1;
311         } else if (!strcmp(*args, "-verify_other")) {
312             if (args[1]) {
313                 args++;
314                 verify_certfile = *args;
315             } else
316                 badarg = 1;
317         } else if (!strcmp(*args, "-CAfile")) {
318             if (args[1]) {
319                 args++;
320                 CAfile = *args;
321             } else
322                 badarg = 1;
323         } else if (!strcmp(*args, "-CApath")) {
324             if (args[1]) {
325                 args++;
326                 CApath = *args;
327             } else
328                 badarg = 1;
329         } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) {
330             if (badarg)
331                 goto end;
332             continue;
333         } else if (!strcmp(*args, "-validity_period")) {
334             if (args[1]) {
335                 args++;
336                 nsec = atol(*args);
337                 if (nsec < 0) {
338                     BIO_printf(bio_err,
339                                "Illegal validity period %s\n", *args);
340                     badarg = 1;
341                 }
342             } else
343                 badarg = 1;
344         } else if (!strcmp(*args, "-status_age")) {
345             if (args[1]) {
346                 args++;
347                 maxage = atol(*args);
348                 if (maxage < 0) {
349                     BIO_printf(bio_err, "Illegal validity age %s\n", *args);
350                     badarg = 1;
351                 }
352             } else
353                 badarg = 1;
354         } else if (!strcmp(*args, "-signkey")) {
355             if (args[1]) {
356                 args++;
357                 keyfile = *args;
358             } else
359                 badarg = 1;
360         } else if (!strcmp(*args, "-reqout")) {
361             if (args[1]) {
362                 args++;
363                 reqout = *args;
364             } else
365                 badarg = 1;
366         } else if (!strcmp(*args, "-respout")) {
367             if (args[1]) {
368                 args++;
369                 respout = *args;
370             } else
371                 badarg = 1;
372         } else if (!strcmp(*args, "-path")) {
373             if (args[1]) {
374                 args++;
375                 path = *args;
376             } else
377                 badarg = 1;
378         } else if (!strcmp(*args, "-issuer")) {
379             if (args[1]) {
380                 args++;
381                 X509_free(issuer);
382                 issuer = load_cert(bio_err, *args, FORMAT_PEM,
383                                    NULL, e, "issuer certificate");
384                 if (!issuer)
385                     goto end;
386             } else
387                 badarg = 1;
388         } else if (!strcmp(*args, "-cert")) {
389             if (args[1]) {
390                 args++;
391                 X509_free(cert);
392                 cert = load_cert(bio_err, *args, FORMAT_PEM,
393                                  NULL, e, "certificate");
394                 if (!cert)
395                     goto end;
396                 if (!cert_id_md)
397                     cert_id_md = EVP_sha1();
398                 if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
399                     goto end;
400                 if (!sk_OPENSSL_STRING_push(reqnames, *args))
401                     goto end;
402             } else
403                 badarg = 1;
404         } else if (!strcmp(*args, "-serial")) {
405             if (args[1]) {
406                 args++;
407                 if (!cert_id_md)
408                     cert_id_md = EVP_sha1();
409                 if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
410                     goto end;
411                 if (!sk_OPENSSL_STRING_push(reqnames, *args))
412                     goto end;
413             } else
414                 badarg = 1;
415         } else if (!strcmp(*args, "-index")) {
416             if (args[1]) {
417                 args++;
418                 ridx_filename = *args;
419             } else
420                 badarg = 1;
421         } else if (!strcmp(*args, "-CA")) {
422             if (args[1]) {
423                 args++;
424                 rca_filename = *args;
425             } else
426                 badarg = 1;
427         } else if (!strcmp(*args, "-nmin")) {
428             if (args[1]) {
429                 args++;
430                 nmin = atol(*args);
431                 if (nmin < 0) {
432                     BIO_printf(bio_err, "Illegal update period %s\n", *args);
433                     badarg = 1;
434                 }
435             }
436             if (ndays == -1)
437                 ndays = 0;
438             else
439                 badarg = 1;
440         } else if (!strcmp(*args, "-nrequest")) {
441             if (args[1]) {
442                 args++;
443                 accept_count = atol(*args);
444                 if (accept_count < 0) {
445                     BIO_printf(bio_err, "Illegal accept count %s\n", *args);
446                     badarg = 1;
447                 }
448             } else
449                 badarg = 1;
450         } else if (!strcmp(*args, "-ndays")) {
451             if (args[1]) {
452                 args++;
453                 ndays = atol(*args);
454                 if (ndays < 0) {
455                     BIO_printf(bio_err, "Illegal update period %s\n", *args);
456                     badarg = 1;
457                 }
458             } else
459                 badarg = 1;
460         } else if (!strcmp(*args, "-rsigner")) {
461             if (args[1]) {
462                 args++;
463                 rsignfile = *args;
464             } else
465                 badarg = 1;
466         } else if (!strcmp(*args, "-rkey")) {
467             if (args[1]) {
468                 args++;
469                 rkeyfile = *args;
470             } else
471                 badarg = 1;
472         } else if (!strcmp(*args, "-rother")) {
473             if (args[1]) {
474                 args++;
475                 rcertfile = *args;
476             } else
477                 badarg = 1;
478         } else if (!strcmp(*args, "-rmd")) {
479             if (args[1]) {
480                 args++;
481                 rsign_md = EVP_get_digestbyname(*args);
482                 if (!rsign_md)
483                     badarg = 1;
484             } else
485                 badarg = 1;
486         } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
487             badarg = 1;
488         }
489         args++;
490     }
491 
492     /* Have we anything to do? */
493     if (!req && !reqin && !respin && !(port && ridx_filename))
494         badarg = 1;
495 
496     if (badarg) {
497         BIO_printf(bio_err, "OCSP utility\n");
498         BIO_printf(bio_err, "Usage ocsp [options]\n");
499         BIO_printf(bio_err, "where options are\n");
500         BIO_printf(bio_err, "-out file            output filename\n");
501         BIO_printf(bio_err, "-issuer file         issuer certificate\n");
502         BIO_printf(bio_err, "-cert file           certificate to check\n");
503         BIO_printf(bio_err, "-serial n            serial number to check\n");
504         BIO_printf(bio_err,
505                    "-signer file         certificate to sign OCSP request with\n");
506         BIO_printf(bio_err,
507                    "-signkey file        private key to sign OCSP request with\n");
508         BIO_printf(bio_err,
509                    "-sign_other file     additional certificates to include in signed request\n");
510         BIO_printf(bio_err,
511                    "-no_certs            don't include any certificates in signed request\n");
512         BIO_printf(bio_err,
513                    "-req_text            print text form of request\n");
514         BIO_printf(bio_err,
515                    "-resp_text           print text form of response\n");
516         BIO_printf(bio_err,
517                    "-text                print text form of request and response\n");
518         BIO_printf(bio_err,
519                    "-reqout file         write DER encoded OCSP request to \"file\"\n");
520         BIO_printf(bio_err,
521                    "-respout file        write DER encoded OCSP reponse to \"file\"\n");
522         BIO_printf(bio_err,
523                    "-reqin file          read DER encoded OCSP request from \"file\"\n");
524         BIO_printf(bio_err,
525                    "-respin file         read DER encoded OCSP reponse from \"file\"\n");
526         BIO_printf(bio_err,
527                    "-nonce               add OCSP nonce to request\n");
528         BIO_printf(bio_err,
529                    "-no_nonce            don't add OCSP nonce to request\n");
530         BIO_printf(bio_err, "-url URL             OCSP responder URL\n");
531         BIO_printf(bio_err,
532                    "-host host:n         send OCSP request to host on port n\n");
533         BIO_printf(bio_err,
534                    "-path                path to use in OCSP request\n");
535         BIO_printf(bio_err,
536                    "-CApath dir          trusted certificates directory\n");
537         BIO_printf(bio_err,
538                    "-CAfile file         trusted certificates file\n");
539         BIO_printf(bio_err,
540                    "-no_alt_chains       only ever use the first certificate chain found\n");
541         BIO_printf(bio_err,
542                    "-VAfile file         validator certificates file\n");
543         BIO_printf(bio_err,
544                    "-validity_period n   maximum validity discrepancy in seconds\n");
545         BIO_printf(bio_err,
546                    "-status_age n        maximum status age in seconds\n");
547         BIO_printf(bio_err,
548                    "-noverify            don't verify response at all\n");
549         BIO_printf(bio_err,
550                    "-verify_other file   additional certificates to search for signer\n");
551         BIO_printf(bio_err,
552                    "-trust_other         don't verify additional certificates\n");
553         BIO_printf(bio_err,
554                    "-no_intern           don't search certificates contained in response for signer\n");
555         BIO_printf(bio_err,
556                    "-no_signature_verify don't check signature on response\n");
557         BIO_printf(bio_err,
558                    "-no_cert_verify      don't check signing certificate\n");
559         BIO_printf(bio_err,
560                    "-no_chain            don't chain verify response\n");
561         BIO_printf(bio_err,
562                    "-no_cert_checks      don't do additional checks on signing certificate\n");
563         BIO_printf(bio_err,
564                    "-port num            port to run responder on\n");
565         BIO_printf(bio_err,
566                    "-index file          certificate status index file\n");
567         BIO_printf(bio_err, "-CA file             CA certificate\n");
568         BIO_printf(bio_err,
569                    "-rsigner file        responder certificate to sign responses with\n");
570         BIO_printf(bio_err,
571                    "-rkey file           responder key to sign responses with\n");
572         BIO_printf(bio_err,
573                    "-rother file         other certificates to include in response\n");
574         BIO_printf(bio_err,
575                    "-resp_no_certs       don't include any certificates in response\n");
576         BIO_printf(bio_err,
577                    "-nmin n              number of minutes before next update\n");
578         BIO_printf(bio_err,
579                    "-ndays n             number of days before next update\n");
580         BIO_printf(bio_err,
581                    "-resp_key_id         identify reponse by signing certificate key ID\n");
582         BIO_printf(bio_err,
583                    "-nrequest n          number of requests to accept (default unlimited)\n");
584         BIO_printf(bio_err,
585                    "-<dgst alg>          use specified digest in the request\n");
586         BIO_printf(bio_err,
587                    "-timeout n           timeout connection to OCSP responder after n seconds\n");
588         goto end;
589     }
590 
591     if (outfile)
592         out = BIO_new_file(outfile, "w");
593     else
594         out = BIO_new_fp(stdout, BIO_NOCLOSE);
595 
596     if (!out) {
597         BIO_printf(bio_err, "Error opening output file\n");
598         goto end;
599     }
600 
601     if (!req && (add_nonce != 2))
602         add_nonce = 0;
603 
604     if (!req && reqin) {
605         if (!strcmp(reqin, "-"))
606             derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
607         else
608             derbio = BIO_new_file(reqin, "rb");
609         if (!derbio) {
610             BIO_printf(bio_err, "Error Opening OCSP request file\n");
611             goto end;
612         }
613         req = d2i_OCSP_REQUEST_bio(derbio, NULL);
614         BIO_free(derbio);
615         if (!req) {
616             BIO_printf(bio_err, "Error reading OCSP request\n");
617             goto end;
618         }
619     }
620 
621     if (!req && port) {
622         acbio = init_responder(port);
623         if (!acbio)
624             goto end;
625     }
626 
627     if (rsignfile && !rdb) {
628         if (!rkeyfile)
629             rkeyfile = rsignfile;
630         rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
631                             NULL, e, "responder certificate");
632         if (!rsigner) {
633             BIO_printf(bio_err, "Error loading responder certificate\n");
634             goto end;
635         }
636         rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
637                              NULL, e, "CA certificate");
638         if (rcertfile) {
639             rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
640                                 NULL, e, "responder other certificates");
641             if (!rother)
642                 goto end;
643         }
644         rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
645                         "responder private key");
646         if (!rkey)
647             goto end;
648     }
649     if (acbio)
650         BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
651 
652  redo_accept:
653 
654     if (acbio) {
655         if (!do_responder(&req, &cbio, acbio, port))
656             goto end;
657         if (!req) {
658             resp =
659                 OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
660                                      NULL);
661             send_ocsp_response(cbio, resp);
662             goto done_resp;
663         }
664     }
665 
666     if (!req && (signfile || reqout || host || add_nonce || ridx_filename)) {
667         BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
668         goto end;
669     }
670 
671     if (req && add_nonce)
672         OCSP_request_add1_nonce(req, NULL, -1);
673 
674     if (signfile) {
675         if (!keyfile)
676             keyfile = signfile;
677         signer = load_cert(bio_err, signfile, FORMAT_PEM,
678                            NULL, e, "signer certificate");
679         if (!signer) {
680             BIO_printf(bio_err, "Error loading signer certificate\n");
681             goto end;
682         }
683         if (sign_certfile) {
684             sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
685                                     NULL, e, "signer certificates");
686             if (!sign_other)
687                 goto end;
688         }
689         key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
690                        "signer private key");
691         if (!key)
692             goto end;
693 
694         if (!OCSP_request_sign
695             (req, signer, key, NULL, sign_other, sign_flags)) {
696             BIO_printf(bio_err, "Error signing OCSP request\n");
697             goto end;
698         }
699     }
700 
701     if (req_text && req)
702         OCSP_REQUEST_print(out, req, 0);
703 
704     if (reqout) {
705         if (!strcmp(reqout, "-"))
706             derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
707         else
708             derbio = BIO_new_file(reqout, "wb");
709         if (!derbio) {
710             BIO_printf(bio_err, "Error opening file %s\n", reqout);
711             goto end;
712         }
713         i2d_OCSP_REQUEST_bio(derbio, req);
714         BIO_free(derbio);
715     }
716 
717     if (ridx_filename && (!rkey || !rsigner || !rca_cert)) {
718         BIO_printf(bio_err,
719                    "Need a responder certificate, key and CA for this operation!\n");
720         goto end;
721     }
722 
723     if (ridx_filename && !rdb) {
724         rdb = load_index(ridx_filename, NULL);
725         if (!rdb)
726             goto end;
727         if (!index_index(rdb))
728             goto end;
729     }
730 
731     if (rdb) {
732         i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
733                                rsign_md, rother, rflags, nmin, ndays, badsig);
734         if (cbio)
735             send_ocsp_response(cbio, resp);
736     } else if (host) {
737 # ifndef OPENSSL_NO_SOCK
738         resp = process_responder(bio_err, req, host, path,
739                                  port, use_ssl, headers, req_timeout);
740         if (!resp)
741             goto end;
742 # else
743         BIO_printf(bio_err,
744                    "Error creating connect BIO - sockets not supported.\n");
745         goto end;
746 # endif
747     } else if (respin) {
748         if (!strcmp(respin, "-"))
749             derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
750         else
751             derbio = BIO_new_file(respin, "rb");
752         if (!derbio) {
753             BIO_printf(bio_err, "Error Opening OCSP response file\n");
754             goto end;
755         }
756         resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
757         BIO_free(derbio);
758         if (!resp) {
759             BIO_printf(bio_err, "Error reading OCSP response\n");
760             goto end;
761         }
762 
763     } else {
764         ret = 0;
765         goto end;
766     }
767 
768  done_resp:
769 
770     if (respout) {
771         if (!strcmp(respout, "-"))
772             derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
773         else
774             derbio = BIO_new_file(respout, "wb");
775         if (!derbio) {
776             BIO_printf(bio_err, "Error opening file %s\n", respout);
777             goto end;
778         }
779         i2d_OCSP_RESPONSE_bio(derbio, resp);
780         BIO_free(derbio);
781     }
782 
783     i = OCSP_response_status(resp);
784 
785     if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
786         BIO_printf(out, "Responder Error: %s (%d)\n",
787                    OCSP_response_status_str(i), i);
788         if (ignore_err)
789             goto redo_accept;
790         ret = 0;
791         goto end;
792     }
793 
794     if (resp_text)
795         OCSP_RESPONSE_print(out, resp, 0);
796 
797     /* If running as responder don't verify our own response */
798     if (cbio) {
799         if (accept_count > 0)
800             accept_count--;
801         /* Redo if more connections needed */
802         if (accept_count) {
803             BIO_free_all(cbio);
804             cbio = NULL;
805             OCSP_REQUEST_free(req);
806             req = NULL;
807             OCSP_RESPONSE_free(resp);
808             resp = NULL;
809             goto redo_accept;
810         }
811         ret = 0;
812         goto end;
813     } else if (ridx_filename) {
814         ret = 0;
815         goto end;
816     }
817 
818     if (!store)
819         store = setup_verify(bio_err, CAfile, CApath);
820     if (!store)
821         goto end;
822     if (vpm)
823         X509_STORE_set1_param(store, vpm);
824     if (verify_certfile) {
825         verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
826                                   NULL, e, "validator certificate");
827         if (!verify_other)
828             goto end;
829     }
830 
831     bs = OCSP_response_get1_basic(resp);
832 
833     if (!bs) {
834         BIO_printf(bio_err, "Error parsing response\n");
835         goto end;
836     }
837 
838     ret = 0;
839 
840     if (!noverify) {
841         if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
842             if (i == -1)
843                 BIO_printf(bio_err, "WARNING: no nonce in response\n");
844             else {
845                 BIO_printf(bio_err, "Nonce Verify error\n");
846                 ret = 1;
847                 goto end;
848             }
849         }
850 
851         i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
852         if (i <= 0) {
853             BIO_printf(bio_err, "Response Verify Failure\n");
854             ERR_print_errors(bio_err);
855             ret = 1;
856         } else
857             BIO_printf(bio_err, "Response verify OK\n");
858 
859     }
860 
861     if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
862         ret = 1;
863 
864  end:
865     ERR_print_errors(bio_err);
866     X509_free(signer);
867     X509_STORE_free(store);
868     if (vpm)
869         X509_VERIFY_PARAM_free(vpm);
870     EVP_PKEY_free(key);
871     EVP_PKEY_free(rkey);
872     X509_free(issuer);
873     X509_free(cert);
874     X509_free(rsigner);
875     X509_free(rca_cert);
876     free_index(rdb);
877     BIO_free_all(cbio);
878     BIO_free_all(acbio);
879     BIO_free(out);
880     OCSP_REQUEST_free(req);
881     OCSP_RESPONSE_free(resp);
882     OCSP_BASICRESP_free(bs);
883     sk_OPENSSL_STRING_free(reqnames);
884     sk_OCSP_CERTID_free(ids);
885     sk_X509_pop_free(sign_other, X509_free);
886     sk_X509_pop_free(verify_other, X509_free);
887     sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
888 
889     if (thost)
890         OPENSSL_free(thost);
891     if (tport)
892         OPENSSL_free(tport);
893     if (tpath)
894         OPENSSL_free(tpath);
895 
896     OPENSSL_EXIT(ret);
897 }
898 
899 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
900                          const EVP_MD *cert_id_md, X509 *issuer,
901                          STACK_OF(OCSP_CERTID) *ids)
902 {
903     OCSP_CERTID *id;
904     if (!issuer) {
905         BIO_printf(bio_err, "No issuer certificate specified\n");
906         return 0;
907     }
908     if (!*req)
909         *req = OCSP_REQUEST_new();
910     if (!*req)
911         goto err;
912     id = OCSP_cert_to_id(cert_id_md, cert, issuer);
913     if (!id || !sk_OCSP_CERTID_push(ids, id))
914         goto err;
915     if (!OCSP_request_add0_id(*req, id))
916         goto err;
917     return 1;
918 
919  err:
920     BIO_printf(bio_err, "Error Creating OCSP request\n");
921     return 0;
922 }
923 
924 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
925                            const EVP_MD *cert_id_md, X509 *issuer,
926                            STACK_OF(OCSP_CERTID) *ids)
927 {
928     OCSP_CERTID *id;
929     X509_NAME *iname;
930     ASN1_BIT_STRING *ikey;
931     ASN1_INTEGER *sno;
932     if (!issuer) {
933         BIO_printf(bio_err, "No issuer certificate specified\n");
934         return 0;
935     }
936     if (!*req)
937         *req = OCSP_REQUEST_new();
938     if (!*req)
939         goto err;
940     iname = X509_get_subject_name(issuer);
941     ikey = X509_get0_pubkey_bitstr(issuer);
942     sno = s2i_ASN1_INTEGER(NULL, serial);
943     if (!sno) {
944         BIO_printf(bio_err, "Error converting serial number %s\n", serial);
945         return 0;
946     }
947     id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
948     ASN1_INTEGER_free(sno);
949     if (!id || !sk_OCSP_CERTID_push(ids, id))
950         goto err;
951     if (!OCSP_request_add0_id(*req, id))
952         goto err;
953     return 1;
954 
955  err:
956     BIO_printf(bio_err, "Error Creating OCSP request\n");
957     return 0;
958 }
959 
960 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
961                               STACK_OF(OPENSSL_STRING) *names,
962                               STACK_OF(OCSP_CERTID) *ids, long nsec,
963                               long maxage)
964 {
965     OCSP_CERTID *id;
966     char *name;
967     int i;
968 
969     int status, reason;
970 
971     ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
972 
973     if (!bs || !req || !sk_OPENSSL_STRING_num(names)
974         || !sk_OCSP_CERTID_num(ids))
975         return 1;
976 
977     for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
978         id = sk_OCSP_CERTID_value(ids, i);
979         name = sk_OPENSSL_STRING_value(names, i);
980         BIO_printf(out, "%s: ", name);
981 
982         if (!OCSP_resp_find_status(bs, id, &status, &reason,
983                                    &rev, &thisupd, &nextupd)) {
984             BIO_puts(out, "ERROR: No Status found.\n");
985             continue;
986         }
987 
988         /*
989          * Check validity: if invalid write to output BIO so we know which
990          * response this refers to.
991          */
992         if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
993             BIO_puts(out, "WARNING: Status times invalid.\n");
994             ERR_print_errors(out);
995         }
996         BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
997 
998         BIO_puts(out, "\tThis Update: ");
999         ASN1_GENERALIZEDTIME_print(out, thisupd);
1000         BIO_puts(out, "\n");
1001 
1002         if (nextupd) {
1003             BIO_puts(out, "\tNext Update: ");
1004             ASN1_GENERALIZEDTIME_print(out, nextupd);
1005             BIO_puts(out, "\n");
1006         }
1007 
1008         if (status != V_OCSP_CERTSTATUS_REVOKED)
1009             continue;
1010 
1011         if (reason != -1)
1012             BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason));
1013 
1014         BIO_puts(out, "\tRevocation Time: ");
1015         ASN1_GENERALIZEDTIME_print(out, rev);
1016         BIO_puts(out, "\n");
1017     }
1018 
1019     return 1;
1020 }
1021 
1022 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
1023                               CA_DB *db, X509 *ca, X509 *rcert,
1024                               EVP_PKEY *rkey, const EVP_MD *rmd,
1025                               STACK_OF(X509) *rother, unsigned long flags,
1026                               int nmin, int ndays, int badsig)
1027 {
1028     ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1029     OCSP_CERTID *cid, *ca_id = NULL;
1030     OCSP_BASICRESP *bs = NULL;
1031     int i, id_count, ret = 1;
1032 
1033     id_count = OCSP_request_onereq_count(req);
1034 
1035     if (id_count <= 0) {
1036         *resp =
1037             OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1038         goto end;
1039     }
1040 
1041     bs = OCSP_BASICRESP_new();
1042     thisupd = X509_gmtime_adj(NULL, 0);
1043     if (ndays != -1)
1044         nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
1045 
1046     /* Examine each certificate id in the request */
1047     for (i = 0; i < id_count; i++) {
1048         OCSP_ONEREQ *one;
1049         ASN1_INTEGER *serial;
1050         char **inf;
1051         ASN1_OBJECT *cert_id_md_oid;
1052         const EVP_MD *cert_id_md;
1053         one = OCSP_request_onereq_get0(req, i);
1054         cid = OCSP_onereq_get0_id(one);
1055 
1056         OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid);
1057 
1058         cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
1059         if (!cert_id_md) {
1060             *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
1061                                          NULL);
1062             goto end;
1063         }
1064         if (ca_id)
1065             OCSP_CERTID_free(ca_id);
1066         ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
1067 
1068         /* Is this request about our CA? */
1069         if (OCSP_id_issuer_cmp(ca_id, cid)) {
1070             OCSP_basic_add1_status(bs, cid,
1071                                    V_OCSP_CERTSTATUS_UNKNOWN,
1072                                    0, NULL, thisupd, nextupd);
1073             continue;
1074         }
1075         OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1076         inf = lookup_serial(db, serial);
1077         if (!inf)
1078             OCSP_basic_add1_status(bs, cid,
1079                                    V_OCSP_CERTSTATUS_UNKNOWN,
1080                                    0, NULL, thisupd, nextupd);
1081         else if (inf[DB_type][0] == DB_TYPE_VAL)
1082             OCSP_basic_add1_status(bs, cid,
1083                                    V_OCSP_CERTSTATUS_GOOD,
1084                                    0, NULL, thisupd, nextupd);
1085         else if (inf[DB_type][0] == DB_TYPE_REV) {
1086             ASN1_OBJECT *inst = NULL;
1087             ASN1_TIME *revtm = NULL;
1088             ASN1_GENERALIZEDTIME *invtm = NULL;
1089             OCSP_SINGLERESP *single;
1090             int reason = -1;
1091             unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1092             single = OCSP_basic_add1_status(bs, cid,
1093                                             V_OCSP_CERTSTATUS_REVOKED,
1094                                             reason, revtm, thisupd, nextupd);
1095             if (invtm)
1096                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
1097                                              invtm, 0, 0);
1098             else if (inst)
1099                 OCSP_SINGLERESP_add1_ext_i2d(single,
1100                                              NID_hold_instruction_code, inst,
1101                                              0, 0);
1102             ASN1_OBJECT_free(inst);
1103             ASN1_TIME_free(revtm);
1104             ASN1_GENERALIZEDTIME_free(invtm);
1105         }
1106     }
1107 
1108     OCSP_copy_nonce(bs, req);
1109 
1110     OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
1111 
1112     if (badsig)
1113         bs->signature->data[bs->signature->length - 1] ^= 0x1;
1114 
1115     *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1116 
1117  end:
1118     ASN1_TIME_free(thisupd);
1119     ASN1_TIME_free(nextupd);
1120     OCSP_CERTID_free(ca_id);
1121     OCSP_BASICRESP_free(bs);
1122     return ret;
1123 
1124 }
1125 
1126 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
1127 {
1128     int i;
1129     BIGNUM *bn = NULL;
1130     char *itmp, *row[DB_NUMBER], **rrow;
1131     for (i = 0; i < DB_NUMBER; i++)
1132         row[i] = NULL;
1133     bn = ASN1_INTEGER_to_BN(ser, NULL);
1134     OPENSSL_assert(bn);         /* FIXME: should report an error at this
1135                                  * point and abort */
1136     if (BN_is_zero(bn))
1137         itmp = BUF_strdup("00");
1138     else
1139         itmp = BN_bn2hex(bn);
1140     row[DB_serial] = itmp;
1141     BN_free(bn);
1142     rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1143     OPENSSL_free(itmp);
1144     return rrow;
1145 }
1146 
1147 /* Quick and dirty OCSP server: read in and parse input request */
1148 
1149 static BIO *init_responder(const char *port)
1150 {
1151     BIO *acbio = NULL, *bufbio = NULL;
1152     bufbio = BIO_new(BIO_f_buffer());
1153     if (!bufbio)
1154         goto err;
1155 # ifndef OPENSSL_NO_SOCK
1156     acbio = BIO_new_accept(port);
1157 # else
1158     BIO_printf(bio_err,
1159                "Error setting up accept BIO - sockets not supported.\n");
1160 # endif
1161     if (!acbio)
1162         goto err;
1163     BIO_set_accept_bios(acbio, bufbio);
1164     bufbio = NULL;
1165 
1166     if (BIO_do_accept(acbio) <= 0) {
1167         BIO_printf(bio_err, "Error setting up accept BIO\n");
1168         ERR_print_errors(bio_err);
1169         goto err;
1170     }
1171 
1172     return acbio;
1173 
1174  err:
1175     BIO_free_all(acbio);
1176     BIO_free(bufbio);
1177     return NULL;
1178 }
1179 
1180 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
1181                         const char *port)
1182 {
1183     int have_post = 0, len;
1184     OCSP_REQUEST *req = NULL;
1185     char inbuf[1024];
1186     BIO *cbio = NULL;
1187 
1188     if (BIO_do_accept(acbio) <= 0) {
1189         BIO_printf(bio_err, "Error accepting connection\n");
1190         ERR_print_errors(bio_err);
1191         return 0;
1192     }
1193 
1194     cbio = BIO_pop(acbio);
1195     *pcbio = cbio;
1196 
1197     for (;;) {
1198         len = BIO_gets(cbio, inbuf, sizeof inbuf);
1199         if (len <= 0)
1200             return 1;
1201         /* Look for "POST" signalling start of query */
1202         if (!have_post) {
1203             if (strncmp(inbuf, "POST", 4)) {
1204                 BIO_printf(bio_err, "Invalid request\n");
1205                 return 1;
1206             }
1207             have_post = 1;
1208         }
1209         /* Look for end of headers */
1210         if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1211             break;
1212     }
1213 
1214     /* Try to read OCSP request */
1215 
1216     req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1217 
1218     if (!req) {
1219         BIO_printf(bio_err, "Error parsing OCSP request\n");
1220         ERR_print_errors(bio_err);
1221     }
1222 
1223     *preq = req;
1224 
1225     return 1;
1226 
1227 }
1228 
1229 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1230 {
1231     char http_resp[] =
1232         "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1233         "Content-Length: %d\r\n\r\n";
1234     if (!cbio)
1235         return 0;
1236     BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1237     i2d_OCSP_RESPONSE_bio(cbio, resp);
1238     (void)BIO_flush(cbio);
1239     return 1;
1240 }
1241 
1242 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
1243                                       const STACK_OF(CONF_VALUE) *headers,
1244                                       OCSP_REQUEST *req, int req_timeout)
1245 {
1246     int fd;
1247     int rv;
1248     int i;
1249     OCSP_REQ_CTX *ctx = NULL;
1250     OCSP_RESPONSE *rsp = NULL;
1251     fd_set confds;
1252     struct timeval tv;
1253 
1254     if (req_timeout != -1)
1255         BIO_set_nbio(cbio, 1);
1256 
1257     rv = BIO_do_connect(cbio);
1258 
1259     if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
1260         BIO_puts(err, "Error connecting BIO\n");
1261         return NULL;
1262     }
1263 
1264     if (BIO_get_fd(cbio, &fd) < 0) {
1265         BIO_puts(bio_err, "Can't get connection fd\n");
1266         goto err;
1267     }
1268 
1269     if (req_timeout != -1 && rv <= 0) {
1270         FD_ZERO(&confds);
1271         openssl_fdset(fd, &confds);
1272         tv.tv_usec = 0;
1273         tv.tv_sec = req_timeout;
1274         rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1275         if (rv == 0) {
1276             BIO_puts(err, "Timeout on connect\n");
1277             return NULL;
1278         }
1279     }
1280 
1281     ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
1282     if (!ctx)
1283         return NULL;
1284 
1285     for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
1286         CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
1287         if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
1288             goto err;
1289     }
1290 
1291     if (!OCSP_REQ_CTX_set1_req(ctx, req))
1292         goto err;
1293 
1294     for (;;) {
1295         rv = OCSP_sendreq_nbio(&rsp, ctx);
1296         if (rv != -1)
1297             break;
1298         if (req_timeout == -1)
1299             continue;
1300         FD_ZERO(&confds);
1301         openssl_fdset(fd, &confds);
1302         tv.tv_usec = 0;
1303         tv.tv_sec = req_timeout;
1304         if (BIO_should_read(cbio))
1305             rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
1306         else if (BIO_should_write(cbio))
1307             rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1308         else {
1309             BIO_puts(err, "Unexpected retry condition\n");
1310             goto err;
1311         }
1312         if (rv == 0) {
1313             BIO_puts(err, "Timeout on request\n");
1314             break;
1315         }
1316         if (rv == -1) {
1317             BIO_puts(err, "Select error\n");
1318             break;
1319         }
1320 
1321     }
1322  err:
1323     if (ctx)
1324         OCSP_REQ_CTX_free(ctx);
1325 
1326     return rsp;
1327 }
1328 
1329 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
1330                                  const char *host, const char *path,
1331                                  const char *port, int use_ssl,
1332                                  const STACK_OF(CONF_VALUE) *headers,
1333                                  int req_timeout)
1334 {
1335     BIO *cbio = NULL;
1336     SSL_CTX *ctx = NULL;
1337     OCSP_RESPONSE *resp = NULL;
1338     cbio = BIO_new_connect(host);
1339     if (!cbio) {
1340         BIO_printf(err, "Error creating connect BIO\n");
1341         goto end;
1342     }
1343     if (port)
1344         BIO_set_conn_port(cbio, port);
1345     if (use_ssl == 1) {
1346         BIO *sbio;
1347         ctx = SSL_CTX_new(SSLv23_client_method());
1348         if (ctx == NULL) {
1349             BIO_printf(err, "Error creating SSL context.\n");
1350             goto end;
1351         }
1352         SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1353         sbio = BIO_new_ssl(ctx, 1);
1354         cbio = BIO_push(sbio, cbio);
1355     }
1356     resp = query_responder(err, cbio, path, headers, req, req_timeout);
1357     if (!resp)
1358         BIO_printf(bio_err, "Error querying OCSP responder\n");
1359  end:
1360     if (cbio)
1361         BIO_free_all(cbio);
1362     if (ctx)
1363         SSL_CTX_free(ctx);
1364     return resp;
1365 }
1366 
1367 #endif
1368