xref: /freebsd/crypto/openssl/apps/ocsp.c (revision 5022f21bd974c740b9052f149fb31745dc602965)
1 /* ocsp.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 2000.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 #ifndef OPENSSL_NO_OCSP
59 #define USE_SOCKETS
60 #include <stdio.h>
61 #include <stdlib.h>
62 #include <string.h>
63 #include "apps.h" /* needs to be included before the openssl headers! */
64 #include <openssl/e_os2.h>
65 #include <openssl/ssl.h>
66 #include <openssl/err.h>
67 
68 /* Maximum leeway in validity period: default 5 minutes */
69 #define MAX_VALIDITY_PERIOD	(5 * 60)
70 
71 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
72 				STACK_OF(OCSP_CERTID) *ids);
73 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
74 				STACK_OF(OCSP_CERTID) *ids);
75 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
76 				STACK *names, STACK_OF(OCSP_CERTID) *ids,
77 				long nsec, long maxage);
78 
79 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
80 			X509 *ca, X509 *rcert, EVP_PKEY *rkey,
81 			STACK_OF(X509) *rother, unsigned long flags,
82 			int nmin, int ndays);
83 
84 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
85 static BIO *init_responder(char *port);
86 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
87 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
88 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
89 				OCSP_REQUEST *req, int req_timeout);
90 
91 #undef PROG
92 #define PROG ocsp_main
93 
94 int MAIN(int, char **);
95 
96 int MAIN(int argc, char **argv)
97 	{
98 	ENGINE *e = NULL;
99 	char **args;
100 	char *host = NULL, *port = NULL, *path = "/";
101 	char *reqin = NULL, *respin = NULL;
102 	char *reqout = NULL, *respout = NULL;
103 	char *signfile = NULL, *keyfile = NULL;
104 	char *rsignfile = NULL, *rkeyfile = NULL;
105 	char *outfile = NULL;
106 	int add_nonce = 1, noverify = 0, use_ssl = -1;
107 	OCSP_REQUEST *req = NULL;
108 	OCSP_RESPONSE *resp = NULL;
109 	OCSP_BASICRESP *bs = NULL;
110 	X509 *issuer = NULL, *cert = NULL;
111 	X509 *signer = NULL, *rsigner = NULL;
112 	EVP_PKEY *key = NULL, *rkey = NULL;
113 	BIO *acbio = NULL, *cbio = NULL;
114 	BIO *derbio = NULL;
115 	BIO *out = NULL;
116 	int req_timeout = -1;
117 	int req_text = 0, resp_text = 0;
118 	long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
119 	char *CAfile = NULL, *CApath = NULL;
120 	X509_STORE *store = NULL;
121 	STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
122 	char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
123 	unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
124 	int ret = 1;
125 	int accept_count = -1;
126 	int badarg = 0;
127 	int i;
128 	int ignore_err = 0;
129 	STACK *reqnames = NULL;
130 	STACK_OF(OCSP_CERTID) *ids = NULL;
131 
132 	X509 *rca_cert = NULL;
133 	char *ridx_filename = NULL;
134 	char *rca_filename = NULL;
135 	CA_DB *rdb = NULL;
136 	int nmin = 0, ndays = -1;
137 
138 	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
139 
140 	if (!load_config(bio_err, NULL))
141 		goto end;
142 	SSL_load_error_strings();
143 	OpenSSL_add_ssl_algorithms();
144 	args = argv + 1;
145 	reqnames = sk_new_null();
146 	ids = sk_OCSP_CERTID_new_null();
147 	while (!badarg && *args && *args[0] == '-')
148 		{
149 		if (!strcmp(*args, "-out"))
150 			{
151 			if (args[1])
152 				{
153 				args++;
154 				outfile = *args;
155 				}
156 			else badarg = 1;
157 			}
158 		else if (!strcmp(*args, "-timeout"))
159 			{
160 			if (args[1])
161 				{
162 				args++;
163 				req_timeout = atol(*args);
164 				if (req_timeout < 0)
165 					{
166 					BIO_printf(bio_err,
167 						"Illegal timeout value %s\n",
168 						*args);
169 					badarg = 1;
170 					}
171 				}
172 			else badarg = 1;
173 			}
174 		else if (!strcmp(*args, "-url"))
175 			{
176 			if (args[1])
177 				{
178 				args++;
179 				if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
180 					{
181 					BIO_printf(bio_err, "Error parsing URL\n");
182 					badarg = 1;
183 					}
184 				}
185 			else badarg = 1;
186 			}
187 		else if (!strcmp(*args, "-host"))
188 			{
189 			if (args[1])
190 				{
191 				args++;
192 				host = *args;
193 				}
194 			else badarg = 1;
195 			}
196 		else if (!strcmp(*args, "-port"))
197 			{
198 			if (args[1])
199 				{
200 				args++;
201 				port = *args;
202 				}
203 			else badarg = 1;
204 			}
205 		else if (!strcmp(*args, "-ignore_err"))
206 			ignore_err = 1;
207 		else if (!strcmp(*args, "-noverify"))
208 			noverify = 1;
209 		else if (!strcmp(*args, "-nonce"))
210 			add_nonce = 2;
211 		else if (!strcmp(*args, "-no_nonce"))
212 			add_nonce = 0;
213 		else if (!strcmp(*args, "-resp_no_certs"))
214 			rflags |= OCSP_NOCERTS;
215 		else if (!strcmp(*args, "-resp_key_id"))
216 			rflags |= OCSP_RESPID_KEY;
217 		else if (!strcmp(*args, "-no_certs"))
218 			sign_flags |= OCSP_NOCERTS;
219 		else if (!strcmp(*args, "-no_signature_verify"))
220 			verify_flags |= OCSP_NOSIGS;
221 		else if (!strcmp(*args, "-no_cert_verify"))
222 			verify_flags |= OCSP_NOVERIFY;
223 		else if (!strcmp(*args, "-no_chain"))
224 			verify_flags |= OCSP_NOCHAIN;
225 		else if (!strcmp(*args, "-no_cert_checks"))
226 			verify_flags |= OCSP_NOCHECKS;
227 		else if (!strcmp(*args, "-no_explicit"))
228 			verify_flags |= OCSP_NOEXPLICIT;
229 		else if (!strcmp(*args, "-trust_other"))
230 			verify_flags |= OCSP_TRUSTOTHER;
231 		else if (!strcmp(*args, "-no_intern"))
232 			verify_flags |= OCSP_NOINTERN;
233 		else if (!strcmp(*args, "-text"))
234 			{
235 			req_text = 1;
236 			resp_text = 1;
237 			}
238 		else if (!strcmp(*args, "-req_text"))
239 			req_text = 1;
240 		else if (!strcmp(*args, "-resp_text"))
241 			resp_text = 1;
242 		else if (!strcmp(*args, "-reqin"))
243 			{
244 			if (args[1])
245 				{
246 				args++;
247 				reqin = *args;
248 				}
249 			else badarg = 1;
250 			}
251 		else if (!strcmp(*args, "-respin"))
252 			{
253 			if (args[1])
254 				{
255 				args++;
256 				respin = *args;
257 				}
258 			else badarg = 1;
259 			}
260 		else if (!strcmp(*args, "-signer"))
261 			{
262 			if (args[1])
263 				{
264 				args++;
265 				signfile = *args;
266 				}
267 			else badarg = 1;
268 			}
269 		else if (!strcmp (*args, "-VAfile"))
270 			{
271 			if (args[1])
272 				{
273 				args++;
274 				verify_certfile = *args;
275 				verify_flags |= OCSP_TRUSTOTHER;
276 				}
277 			else badarg = 1;
278 			}
279 		else if (!strcmp(*args, "-sign_other"))
280 			{
281 			if (args[1])
282 				{
283 				args++;
284 				sign_certfile = *args;
285 				}
286 			else badarg = 1;
287 			}
288 		else if (!strcmp(*args, "-verify_other"))
289 			{
290 			if (args[1])
291 				{
292 				args++;
293 				verify_certfile = *args;
294 				}
295 			else badarg = 1;
296 			}
297 		else if (!strcmp (*args, "-CAfile"))
298 			{
299 			if (args[1])
300 				{
301 				args++;
302 				CAfile = *args;
303 				}
304 			else badarg = 1;
305 			}
306 		else if (!strcmp (*args, "-CApath"))
307 			{
308 			if (args[1])
309 				{
310 				args++;
311 				CApath = *args;
312 				}
313 			else badarg = 1;
314 			}
315 		else if (!strcmp (*args, "-validity_period"))
316 			{
317 			if (args[1])
318 				{
319 				args++;
320 				nsec = atol(*args);
321 				if (nsec < 0)
322 					{
323 					BIO_printf(bio_err,
324 						"Illegal validity period %s\n",
325 						*args);
326 					badarg = 1;
327 					}
328 				}
329 			else badarg = 1;
330 			}
331 		else if (!strcmp (*args, "-status_age"))
332 			{
333 			if (args[1])
334 				{
335 				args++;
336 				maxage = atol(*args);
337 				if (maxage < 0)
338 					{
339 					BIO_printf(bio_err,
340 						"Illegal validity age %s\n",
341 						*args);
342 					badarg = 1;
343 					}
344 				}
345 			else badarg = 1;
346 			}
347 		 else if (!strcmp(*args, "-signkey"))
348 			{
349 			if (args[1])
350 				{
351 				args++;
352 				keyfile = *args;
353 				}
354 			else badarg = 1;
355 			}
356 		else if (!strcmp(*args, "-reqout"))
357 			{
358 			if (args[1])
359 				{
360 				args++;
361 				reqout = *args;
362 				}
363 			else badarg = 1;
364 			}
365 		else if (!strcmp(*args, "-respout"))
366 			{
367 			if (args[1])
368 				{
369 				args++;
370 				respout = *args;
371 				}
372 			else badarg = 1;
373 			}
374 		 else if (!strcmp(*args, "-path"))
375 			{
376 			if (args[1])
377 				{
378 				args++;
379 				path = *args;
380 				}
381 			else badarg = 1;
382 			}
383 		else if (!strcmp(*args, "-issuer"))
384 			{
385 			if (args[1])
386 				{
387 				args++;
388 				X509_free(issuer);
389 				issuer = load_cert(bio_err, *args, FORMAT_PEM,
390 					NULL, e, "issuer certificate");
391 				if(!issuer) goto end;
392 				}
393 			else badarg = 1;
394 			}
395 		else if (!strcmp (*args, "-cert"))
396 			{
397 			if (args[1])
398 				{
399 				args++;
400 				X509_free(cert);
401 				cert = load_cert(bio_err, *args, FORMAT_PEM,
402 					NULL, e, "certificate");
403 				if(!cert) goto end;
404 				if(!add_ocsp_cert(&req, cert, issuer, ids))
405 					goto end;
406 				if(!sk_push(reqnames, *args))
407 					goto end;
408 				}
409 			else badarg = 1;
410 			}
411 		else if (!strcmp(*args, "-serial"))
412 			{
413 			if (args[1])
414 				{
415 				args++;
416 				if(!add_ocsp_serial(&req, *args, issuer, ids))
417 					goto end;
418 				if(!sk_push(reqnames, *args))
419 					goto end;
420 				}
421 			else badarg = 1;
422 			}
423 		else if (!strcmp(*args, "-index"))
424 			{
425 			if (args[1])
426 				{
427 				args++;
428 				ridx_filename = *args;
429 				}
430 			else badarg = 1;
431 			}
432 		else if (!strcmp(*args, "-CA"))
433 			{
434 			if (args[1])
435 				{
436 				args++;
437 				rca_filename = *args;
438 				}
439 			else badarg = 1;
440 			}
441 		else if (!strcmp (*args, "-nmin"))
442 			{
443 			if (args[1])
444 				{
445 				args++;
446 				nmin = atol(*args);
447 				if (nmin < 0)
448 					{
449 					BIO_printf(bio_err,
450 						"Illegal update period %s\n",
451 						*args);
452 					badarg = 1;
453 					}
454 				}
455 				if (ndays == -1)
456 					ndays = 0;
457 			else badarg = 1;
458 			}
459 		else if (!strcmp (*args, "-nrequest"))
460 			{
461 			if (args[1])
462 				{
463 				args++;
464 				accept_count = atol(*args);
465 				if (accept_count < 0)
466 					{
467 					BIO_printf(bio_err,
468 						"Illegal accept count %s\n",
469 						*args);
470 					badarg = 1;
471 					}
472 				}
473 			else badarg = 1;
474 			}
475 		else if (!strcmp (*args, "-ndays"))
476 			{
477 			if (args[1])
478 				{
479 				args++;
480 				ndays = atol(*args);
481 				if (ndays < 0)
482 					{
483 					BIO_printf(bio_err,
484 						"Illegal update period %s\n",
485 						*args);
486 					badarg = 1;
487 					}
488 				}
489 			else badarg = 1;
490 			}
491 		else if (!strcmp(*args, "-rsigner"))
492 			{
493 			if (args[1])
494 				{
495 				args++;
496 				rsignfile = *args;
497 				}
498 			else badarg = 1;
499 			}
500 		else if (!strcmp(*args, "-rkey"))
501 			{
502 			if (args[1])
503 				{
504 				args++;
505 				rkeyfile = *args;
506 				}
507 			else badarg = 1;
508 			}
509 		else if (!strcmp(*args, "-rother"))
510 			{
511 			if (args[1])
512 				{
513 				args++;
514 				rcertfile = *args;
515 				}
516 			else badarg = 1;
517 			}
518 		else badarg = 1;
519 		args++;
520 		}
521 
522 	/* Have we anything to do? */
523 	if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
524 
525 	if (badarg)
526 		{
527 		BIO_printf (bio_err, "OCSP utility\n");
528 		BIO_printf (bio_err, "Usage ocsp [options]\n");
529 		BIO_printf (bio_err, "where options are\n");
530 		BIO_printf (bio_err, "-out file          output filename\n");
531 		BIO_printf (bio_err, "-issuer file       issuer certificate\n");
532 		BIO_printf (bio_err, "-cert file         certificate to check\n");
533 		BIO_printf (bio_err, "-serial n          serial number to check\n");
534 		BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
535 		BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
536 		BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
537 		BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
538 		BIO_printf (bio_err, "-req_text          print text form of request\n");
539 		BIO_printf (bio_err, "-resp_text         print text form of response\n");
540 		BIO_printf (bio_err, "-text              print text form of request and response\n");
541 		BIO_printf (bio_err, "-reqout file       write DER encoded OCSP request to \"file\"\n");
542 		BIO_printf (bio_err, "-respout file      write DER encoded OCSP reponse to \"file\"\n");
543 		BIO_printf (bio_err, "-reqin file        read DER encoded OCSP request from \"file\"\n");
544 		BIO_printf (bio_err, "-respin file       read DER encoded OCSP reponse from \"file\"\n");
545 		BIO_printf (bio_err, "-nonce             add OCSP nonce to request\n");
546 		BIO_printf (bio_err, "-no_nonce          don't add OCSP nonce to request\n");
547 		BIO_printf (bio_err, "-url URL           OCSP responder URL\n");
548 		BIO_printf (bio_err, "-host host:n       send OCSP request to host on port n\n");
549 		BIO_printf (bio_err, "-path              path to use in OCSP request\n");
550 		BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
551 		BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
552 		BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
553 		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
554 		BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
555 		BIO_printf (bio_err, "-noverify          don't verify response at all\n");
556 		BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
557 		BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
558 		BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
559 		BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
560 		BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
561 		BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
562 		BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
563 		BIO_printf (bio_err, "-port num		 port to run responder on\n");
564 		BIO_printf (bio_err, "-index file	 certificate status index file\n");
565 		BIO_printf (bio_err, "-CA file		 CA certificate\n");
566 		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign responses with\n");
567 		BIO_printf (bio_err, "-rkey file	 responder key to sign responses with\n");
568 		BIO_printf (bio_err, "-rother file	 other certificates to include in response\n");
569 		BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
570 		BIO_printf (bio_err, "-nmin n	 	 number of minutes before next update\n");
571 		BIO_printf (bio_err, "-ndays n	 	 number of days before next update\n");
572 		BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
573 		BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
574 		goto end;
575 		}
576 
577 	if(outfile) out = BIO_new_file(outfile, "w");
578 	else out = BIO_new_fp(stdout, BIO_NOCLOSE);
579 
580 	if(!out)
581 		{
582 		BIO_printf(bio_err, "Error opening output file\n");
583 		goto end;
584 		}
585 
586 	if (!req && (add_nonce != 2)) add_nonce = 0;
587 
588 	if (!req && reqin)
589 		{
590 		derbio = BIO_new_file(reqin, "rb");
591 		if (!derbio)
592 			{
593 			BIO_printf(bio_err, "Error Opening OCSP request file\n");
594 			goto end;
595 			}
596 		req = d2i_OCSP_REQUEST_bio(derbio, NULL);
597 		BIO_free(derbio);
598 		if(!req)
599 			{
600 			BIO_printf(bio_err, "Error reading OCSP request\n");
601 			goto end;
602 			}
603 		}
604 
605 	if (!req && port)
606 		{
607 		acbio = init_responder(port);
608 		if (!acbio)
609 			goto end;
610 		}
611 
612 	if (rsignfile && !rdb)
613 		{
614 		if (!rkeyfile) rkeyfile = rsignfile;
615 		rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
616 			NULL, e, "responder certificate");
617 		if (!rsigner)
618 			{
619 			BIO_printf(bio_err, "Error loading responder certificate\n");
620 			goto end;
621 			}
622 		rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
623 			NULL, e, "CA certificate");
624 		if (rcertfile)
625 			{
626 			rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
627 				NULL, e, "responder other certificates");
628 			if (!rother) goto end;
629 			}
630 		rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
631 			"responder private key");
632 		if (!rkey)
633 			goto end;
634 		}
635 	if(acbio)
636 		BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
637 
638 	redo_accept:
639 
640 	if (acbio)
641 		{
642 		if (!do_responder(&req, &cbio, acbio, port))
643 			goto end;
644 		if (!req)
645 			{
646 			resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
647 			send_ocsp_response(cbio, resp);
648 			goto done_resp;
649 			}
650 		}
651 
652 	if (!req && (signfile || reqout || host || add_nonce || ridx_filename))
653 		{
654 		BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
655 		goto end;
656 		}
657 
658 	if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
659 
660 	if (signfile)
661 		{
662 		if (!keyfile) keyfile = signfile;
663 		signer = load_cert(bio_err, signfile, FORMAT_PEM,
664 			NULL, e, "signer certificate");
665 		if (!signer)
666 			{
667 			BIO_printf(bio_err, "Error loading signer certificate\n");
668 			goto end;
669 			}
670 		if (sign_certfile)
671 			{
672 			sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
673 				NULL, e, "signer certificates");
674 			if (!sign_other) goto end;
675 			}
676 		key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
677 			"signer private key");
678 		if (!key)
679 			goto end;
680 		if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
681 			{
682 			BIO_printf(bio_err, "Error signing OCSP request\n");
683 			goto end;
684 			}
685 		}
686 
687 	if (req_text && req) OCSP_REQUEST_print(out, req, 0);
688 
689 	if (reqout)
690 		{
691 		derbio = BIO_new_file(reqout, "wb");
692 		if(!derbio)
693 			{
694 			BIO_printf(bio_err, "Error opening file %s\n", reqout);
695 			goto end;
696 			}
697 		i2d_OCSP_REQUEST_bio(derbio, req);
698 		BIO_free(derbio);
699 		}
700 
701 	if (ridx_filename && (!rkey || !rsigner || !rca_cert))
702 		{
703 		BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
704 		goto end;
705 		}
706 
707 	if (ridx_filename && !rdb)
708 		{
709 		rdb = load_index(ridx_filename, NULL);
710 		if (!rdb) goto end;
711 		if (!index_index(rdb)) goto end;
712 		}
713 
714 	if (rdb)
715 		{
716 		i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
717 		if (cbio)
718 			send_ocsp_response(cbio, resp);
719 		}
720 	else if (host)
721 		{
722 #ifndef OPENSSL_NO_SOCK
723 		resp = process_responder(bio_err, req, host, path,
724 						port, use_ssl, req_timeout);
725 		if (!resp)
726 			goto end;
727 #else
728 		BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
729 		goto end;
730 #endif
731 		}
732 	else if (respin)
733 		{
734 		derbio = BIO_new_file(respin, "rb");
735 		if (!derbio)
736 			{
737 			BIO_printf(bio_err, "Error Opening OCSP response file\n");
738 			goto end;
739 			}
740 		resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
741 		BIO_free(derbio);
742 		if(!resp)
743 			{
744 			BIO_printf(bio_err, "Error reading OCSP response\n");
745 			goto end;
746 			}
747 
748 		}
749 	else
750 		{
751 		ret = 0;
752 		goto end;
753 		}
754 
755 	done_resp:
756 
757 	if (respout)
758 		{
759 		derbio = BIO_new_file(respout, "wb");
760 		if(!derbio)
761 			{
762 			BIO_printf(bio_err, "Error opening file %s\n", respout);
763 			goto end;
764 			}
765 		i2d_OCSP_RESPONSE_bio(derbio, resp);
766 		BIO_free(derbio);
767 		}
768 
769 	i = OCSP_response_status(resp);
770 
771 	if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
772 		{
773 		BIO_printf(out, "Responder Error: %s (%d)\n",
774 				OCSP_response_status_str(i), i);
775 		if (ignore_err)
776 			goto redo_accept;
777 		ret = 0;
778 		goto end;
779 		}
780 
781 	if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
782 
783 	/* If running as responder don't verify our own response */
784 	if (cbio)
785 		{
786 		if (accept_count > 0)
787 			accept_count--;
788 		/* Redo if more connections needed */
789 		if (accept_count)
790 			{
791 			BIO_free_all(cbio);
792 			cbio = NULL;
793 			OCSP_REQUEST_free(req);
794 			req = NULL;
795 			OCSP_RESPONSE_free(resp);
796 			resp = NULL;
797 			goto redo_accept;
798 			}
799 		goto end;
800 		}
801 
802 	if (!store)
803 		store = setup_verify(bio_err, CAfile, CApath);
804 	if (!store)
805 		goto end;
806 	if (verify_certfile)
807 		{
808 		verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
809 			NULL, e, "validator certificate");
810 		if (!verify_other) goto end;
811 		}
812 
813 	bs = OCSP_response_get1_basic(resp);
814 
815 	if (!bs)
816 		{
817 		BIO_printf(bio_err, "Error parsing response\n");
818 		goto end;
819 		}
820 
821 	if (!noverify)
822 		{
823 		if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
824 			{
825 			if (i == -1)
826 				BIO_printf(bio_err, "WARNING: no nonce in response\n");
827 			else
828 				{
829 				BIO_printf(bio_err, "Nonce Verify error\n");
830 				goto end;
831 				}
832 			}
833 
834 		i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
835                 if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
836 
837 		if(i <= 0)
838 			{
839 			BIO_printf(bio_err, "Response Verify Failure\n");
840 			ERR_print_errors(bio_err);
841 			}
842 		else
843 			BIO_printf(bio_err, "Response verify OK\n");
844 
845 		}
846 
847 	if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
848 		goto end;
849 
850 	ret = 0;
851 
852 end:
853 	ERR_print_errors(bio_err);
854 	X509_free(signer);
855 	X509_STORE_free(store);
856 	EVP_PKEY_free(key);
857 	EVP_PKEY_free(rkey);
858 	X509_free(issuer);
859 	X509_free(cert);
860 	X509_free(rsigner);
861 	X509_free(rca_cert);
862 	free_index(rdb);
863 	BIO_free_all(cbio);
864 	BIO_free_all(acbio);
865 	BIO_free(out);
866 	OCSP_REQUEST_free(req);
867 	OCSP_RESPONSE_free(resp);
868 	OCSP_BASICRESP_free(bs);
869 	sk_free(reqnames);
870 	sk_OCSP_CERTID_free(ids);
871 	sk_X509_pop_free(sign_other, X509_free);
872 	sk_X509_pop_free(verify_other, X509_free);
873 
874 	if (use_ssl != -1)
875 		{
876 		OPENSSL_free(host);
877 		OPENSSL_free(port);
878 		OPENSSL_free(path);
879 		}
880 
881 	OPENSSL_EXIT(ret);
882 }
883 
884 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
885 				STACK_OF(OCSP_CERTID) *ids)
886 	{
887 	OCSP_CERTID *id;
888 	if(!issuer)
889 		{
890 		BIO_printf(bio_err, "No issuer certificate specified\n");
891 		return 0;
892 		}
893 	if(!*req) *req = OCSP_REQUEST_new();
894 	if(!*req) goto err;
895 	id = OCSP_cert_to_id(NULL, cert, issuer);
896 	if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
897 	if(!OCSP_request_add0_id(*req, id)) goto err;
898 	return 1;
899 
900 	err:
901 	BIO_printf(bio_err, "Error Creating OCSP request\n");
902 	return 0;
903 	}
904 
905 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
906 				STACK_OF(OCSP_CERTID) *ids)
907 	{
908 	OCSP_CERTID *id;
909 	X509_NAME *iname;
910 	ASN1_BIT_STRING *ikey;
911 	ASN1_INTEGER *sno;
912 	if(!issuer)
913 		{
914 		BIO_printf(bio_err, "No issuer certificate specified\n");
915 		return 0;
916 		}
917 	if(!*req) *req = OCSP_REQUEST_new();
918 	if(!*req) goto err;
919 	iname = X509_get_subject_name(issuer);
920 	ikey = X509_get0_pubkey_bitstr(issuer);
921 	sno = s2i_ASN1_INTEGER(NULL, serial);
922 	if(!sno)
923 		{
924 		BIO_printf(bio_err, "Error converting serial number %s\n", serial);
925 		return 0;
926 		}
927 	id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
928 	ASN1_INTEGER_free(sno);
929 	if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
930 	if(!OCSP_request_add0_id(*req, id)) goto err;
931 	return 1;
932 
933 	err:
934 	BIO_printf(bio_err, "Error Creating OCSP request\n");
935 	return 0;
936 	}
937 
938 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
939 					STACK *names, STACK_OF(OCSP_CERTID) *ids,
940 					long nsec, long maxage)
941 	{
942 	OCSP_CERTID *id;
943 	char *name;
944 	int i;
945 
946 	int status, reason;
947 
948 	ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
949 
950 	if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
951 		return 1;
952 
953 	for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
954 		{
955 		id = sk_OCSP_CERTID_value(ids, i);
956 		name = sk_value(names, i);
957 		BIO_printf(out, "%s: ", name);
958 
959 		if(!OCSP_resp_find_status(bs, id, &status, &reason,
960 					&rev, &thisupd, &nextupd))
961 			{
962 			BIO_puts(out, "ERROR: No Status found.\n");
963 			continue;
964 			}
965 
966 		/* Check validity: if invalid write to output BIO so we
967 		 * know which response this refers to.
968 		 */
969 		if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
970 			{
971 			BIO_puts(out, "WARNING: Status times invalid.\n");
972 			ERR_print_errors(out);
973 			}
974 		BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
975 
976 		BIO_puts(out, "\tThis Update: ");
977 		ASN1_GENERALIZEDTIME_print(out, thisupd);
978 		BIO_puts(out, "\n");
979 
980 		if(nextupd)
981 			{
982 			BIO_puts(out, "\tNext Update: ");
983 			ASN1_GENERALIZEDTIME_print(out, nextupd);
984 			BIO_puts(out, "\n");
985 			}
986 
987 		if (status != V_OCSP_CERTSTATUS_REVOKED)
988 			continue;
989 
990 		if (reason != -1)
991 			BIO_printf(out, "\tReason: %s\n",
992 				OCSP_crl_reason_str(reason));
993 
994 		BIO_puts(out, "\tRevocation Time: ");
995 		ASN1_GENERALIZEDTIME_print(out, rev);
996 		BIO_puts(out, "\n");
997 		}
998 
999 	return 1;
1000 	}
1001 
1002 
1003 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1004 			X509 *ca, X509 *rcert, EVP_PKEY *rkey,
1005 			STACK_OF(X509) *rother, unsigned long flags,
1006 			int nmin, int ndays)
1007 	{
1008 	ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1009 	OCSP_CERTID *cid, *ca_id = NULL;
1010 	OCSP_BASICRESP *bs = NULL;
1011 	int i, id_count, ret = 1;
1012 
1013 
1014 	id_count = OCSP_request_onereq_count(req);
1015 
1016 	if (id_count <= 0)
1017 		{
1018 		*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1019 		goto end;
1020 		}
1021 
1022 	ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
1023 
1024 	bs = OCSP_BASICRESP_new();
1025 	thisupd = X509_gmtime_adj(NULL, 0);
1026 	if (ndays != -1)
1027 		nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
1028 
1029 	/* Examine each certificate id in the request */
1030 	for (i = 0; i < id_count; i++)
1031 		{
1032 		OCSP_ONEREQ *one;
1033 		ASN1_INTEGER *serial;
1034 		char **inf;
1035 		one = OCSP_request_onereq_get0(req, i);
1036 		cid = OCSP_onereq_get0_id(one);
1037 		/* Is this request about our CA? */
1038 		if (OCSP_id_issuer_cmp(ca_id, cid))
1039 			{
1040 			OCSP_basic_add1_status(bs, cid,
1041 						V_OCSP_CERTSTATUS_UNKNOWN,
1042 						0, NULL,
1043 						thisupd, nextupd);
1044 			continue;
1045 			}
1046 		OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1047 		inf = lookup_serial(db, serial);
1048 		if (!inf)
1049 			OCSP_basic_add1_status(bs, cid,
1050 						V_OCSP_CERTSTATUS_UNKNOWN,
1051 						0, NULL,
1052 						thisupd, nextupd);
1053 		else if (inf[DB_type][0] == DB_TYPE_VAL)
1054 			OCSP_basic_add1_status(bs, cid,
1055 						V_OCSP_CERTSTATUS_GOOD,
1056 						0, NULL,
1057 						thisupd, nextupd);
1058 		else if (inf[DB_type][0] == DB_TYPE_REV)
1059 			{
1060 			ASN1_OBJECT *inst = NULL;
1061 			ASN1_TIME *revtm = NULL;
1062 			ASN1_GENERALIZEDTIME *invtm = NULL;
1063 			OCSP_SINGLERESP *single;
1064 			int reason = -1;
1065 			unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1066 			single = OCSP_basic_add1_status(bs, cid,
1067 						V_OCSP_CERTSTATUS_REVOKED,
1068 						reason, revtm,
1069 						thisupd, nextupd);
1070 			if (invtm)
1071 				OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
1072 			else if (inst)
1073 				OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
1074 			ASN1_OBJECT_free(inst);
1075 			ASN1_TIME_free(revtm);
1076 			ASN1_GENERALIZEDTIME_free(invtm);
1077 			}
1078 		}
1079 
1080 	OCSP_copy_nonce(bs, req);
1081 
1082 	OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
1083 
1084 	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1085 
1086 	end:
1087 	ASN1_TIME_free(thisupd);
1088 	ASN1_TIME_free(nextupd);
1089 	OCSP_CERTID_free(ca_id);
1090 	OCSP_BASICRESP_free(bs);
1091 	return ret;
1092 
1093 	}
1094 
1095 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
1096 	{
1097 	int i;
1098 	BIGNUM *bn = NULL;
1099 	char *itmp, *row[DB_NUMBER],**rrow;
1100 	for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
1101 	bn = ASN1_INTEGER_to_BN(ser,NULL);
1102 	OPENSSL_assert(bn); /* FIXME: should report an error at this point and abort */
1103 	if (BN_is_zero(bn))
1104 		itmp = BUF_strdup("00");
1105 	else
1106 		itmp = BN_bn2hex(bn);
1107 	row[DB_serial] = itmp;
1108 	BN_free(bn);
1109 	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
1110 	OPENSSL_free(itmp);
1111 	return rrow;
1112 	}
1113 
1114 /* Quick and dirty OCSP server: read in and parse input request */
1115 
1116 static BIO *init_responder(char *port)
1117 	{
1118 	BIO *acbio = NULL, *bufbio = NULL;
1119 	bufbio = BIO_new(BIO_f_buffer());
1120 	if (!bufbio)
1121 		goto err;
1122 #ifndef OPENSSL_NO_SOCK
1123 	acbio = BIO_new_accept(port);
1124 #else
1125 	BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
1126 #endif
1127 	if (!acbio)
1128 		goto err;
1129 	BIO_set_accept_bios(acbio, bufbio);
1130 	bufbio = NULL;
1131 
1132 	if (BIO_do_accept(acbio) <= 0)
1133 		{
1134 			BIO_printf(bio_err, "Error setting up accept BIO\n");
1135 			ERR_print_errors(bio_err);
1136 			goto err;
1137 		}
1138 
1139 	return acbio;
1140 
1141 	err:
1142 	BIO_free_all(acbio);
1143 	BIO_free(bufbio);
1144 	return NULL;
1145 	}
1146 
1147 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
1148 	{
1149 	int have_post = 0, len;
1150 	OCSP_REQUEST *req = NULL;
1151 	char inbuf[1024];
1152 	BIO *cbio = NULL;
1153 
1154 	if (BIO_do_accept(acbio) <= 0)
1155 		{
1156 			BIO_printf(bio_err, "Error accepting connection\n");
1157 			ERR_print_errors(bio_err);
1158 			return 0;
1159 		}
1160 
1161 	cbio = BIO_pop(acbio);
1162 	*pcbio = cbio;
1163 
1164 	for(;;)
1165 		{
1166 		len = BIO_gets(cbio, inbuf, sizeof inbuf);
1167 		if (len <= 0)
1168 			return 1;
1169 		/* Look for "POST" signalling start of query */
1170 		if (!have_post)
1171 			{
1172 			if(strncmp(inbuf, "POST", 4))
1173 				{
1174 				BIO_printf(bio_err, "Invalid request\n");
1175 				return 1;
1176 				}
1177 			have_post = 1;
1178 			}
1179 		/* Look for end of headers */
1180 		if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1181 			break;
1182 		}
1183 
1184 	/* Try to read OCSP request */
1185 
1186 	req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1187 
1188 	if (!req)
1189 		{
1190 		BIO_printf(bio_err, "Error parsing OCSP request\n");
1191 		ERR_print_errors(bio_err);
1192 		}
1193 
1194 	*preq = req;
1195 
1196 	return 1;
1197 
1198 	}
1199 
1200 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1201 	{
1202 	char http_resp[] =
1203 		"HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1204 		"Content-Length: %d\r\n\r\n";
1205 	if (!cbio)
1206 		return 0;
1207 	BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1208 	i2d_OCSP_RESPONSE_bio(cbio, resp);
1209 	(void)BIO_flush(cbio);
1210 	return 1;
1211 	}
1212 
1213 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
1214 				OCSP_REQUEST *req, int req_timeout)
1215 	{
1216 	int fd;
1217 	int rv;
1218 	OCSP_REQ_CTX *ctx = NULL;
1219 	OCSP_RESPONSE *rsp = NULL;
1220 	fd_set confds;
1221 	struct timeval tv;
1222 
1223 	if (req_timeout != -1)
1224 		BIO_set_nbio(cbio, 1);
1225 
1226 	rv = BIO_do_connect(cbio);
1227 
1228 	if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio)))
1229 		{
1230 		BIO_puts(err, "Error connecting BIO\n");
1231 		return NULL;
1232 		}
1233 
1234 	if (req_timeout == -1)
1235 		return OCSP_sendreq_bio(cbio, path, req);
1236 
1237 	if (BIO_get_fd(cbio, &fd) <= 0)
1238 		{
1239 		BIO_puts(err, "Can't get connection fd\n");
1240 		goto err;
1241 		}
1242 
1243 	if (rv <= 0)
1244 		{
1245 		FD_ZERO(&confds);
1246 		openssl_fdset(fd, &confds);
1247 		tv.tv_usec = 0;
1248 		tv.tv_sec = req_timeout;
1249 		rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1250 		if (rv == 0)
1251 			{
1252 			BIO_puts(err, "Timeout on connect\n");
1253 			return NULL;
1254 			}
1255 		}
1256 
1257 
1258 	ctx = OCSP_sendreq_new(cbio, path, req, -1);
1259 	if (!ctx)
1260 		return NULL;
1261 
1262 	for (;;)
1263 		{
1264 		rv = OCSP_sendreq_nbio(&rsp, ctx);
1265 		if (rv != -1)
1266 			break;
1267 		FD_ZERO(&confds);
1268 		openssl_fdset(fd, &confds);
1269 		tv.tv_usec = 0;
1270 		tv.tv_sec = req_timeout;
1271 		if (BIO_should_read(cbio))
1272 			rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
1273 		else if (BIO_should_write(cbio))
1274 			rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1275 		else
1276 			{
1277 			BIO_puts(err, "Unexpected retry condition\n");
1278 			goto err;
1279 			}
1280 		if (rv == 0)
1281 			{
1282 			BIO_puts(err, "Timeout on request\n");
1283 			break;
1284 			}
1285 		if (rv == -1)
1286 			{
1287 			BIO_puts(err, "Select error\n");
1288 			break;
1289 			}
1290 
1291 		}
1292 	err:
1293 	if (ctx)
1294 		OCSP_REQ_CTX_free(ctx);
1295 
1296 	return rsp;
1297 	}
1298 
1299 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
1300 			char *host, char *path, char *port, int use_ssl,
1301 			int req_timeout)
1302 	{
1303 	BIO *cbio = NULL;
1304 	SSL_CTX *ctx = NULL;
1305 	OCSP_RESPONSE *resp = NULL;
1306 	cbio = BIO_new_connect(host);
1307 	if (!cbio)
1308 		{
1309 		BIO_printf(err, "Error creating connect BIO\n");
1310 		goto end;
1311 		}
1312 	if (port) BIO_set_conn_port(cbio, port);
1313 	if (use_ssl == 1)
1314 		{
1315 		BIO *sbio;
1316 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
1317 		ctx = SSL_CTX_new(SSLv23_client_method());
1318 #elif !defined(OPENSSL_NO_SSL3)
1319 		ctx = SSL_CTX_new(SSLv3_client_method());
1320 #elif !defined(OPENSSL_NO_SSL2)
1321 		ctx = SSL_CTX_new(SSLv2_client_method());
1322 #else
1323 		BIO_printf(err, "SSL is disabled\n");
1324 			goto end;
1325 #endif
1326 		if (ctx == NULL)
1327 			{
1328 			BIO_printf(err, "Error creating SSL context.\n");
1329 			goto end;
1330 			}
1331 		SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1332 		sbio = BIO_new_ssl(ctx, 1);
1333 		cbio = BIO_push(sbio, cbio);
1334 		}
1335 	resp = query_responder(err, cbio, path, req, req_timeout);
1336 	if (!resp)
1337 		BIO_printf(bio_err, "Error querying OCSP responsder\n");
1338 	end:
1339 	if (ctx)
1340 		SSL_CTX_free(ctx);
1341 	if (cbio)
1342 		BIO_free_all(cbio);
1343 	return resp;
1344 	}
1345 
1346 #endif
1347