Guillaume Tamboise wrote:
I am getting one step further, but still facing an issue when compiling OCSPD:
[...] I do not have a fast solution for the first problem, I need more time to investigate it.
If I try to use gcc-2 instead, I am getting $ export PATH=/opt/sfw/gcc-2/bin:$PATH
[...]
configuration.c:142: for each function it appears in.) make[2]: *** [configuration.o] Error 1
I have attached a patched version of configuration.c; please try it
and let me know whether it fixes the problem :-D
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
Tel.: +39 (0)11 564 7081
http://security.polito.it Fax: +39 178 270 2077
Mobile: +39 (0)347 7222 365
Politecnico di Torino (EuroPKI)
Certification Authority Information:
Authority Access Point http://ca.polito.it
Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List: http://ca.polito.it/crl02/crl.crl
--o------------------------------------------------------------------------
/*
* OCSP responder
* by Massimiliano Pala ([EMAIL PROTECTED])
* OpenCA project 2001
*
* Copyright (c) 2001 The OpenCA Project. All rights reserved.
*
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* ([EMAIL PROTECTED]). This product includes software written by Tim
* Hudson ([EMAIL PROTECTED]).
*
*/
#include "configuration.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
/* External imported variables */
extern int verbose;
/* Functions */
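/*
 * Open and parse the daemon configuration file.
 *
 * configfile: path to the configuration file; when NULL the OCSP_CONF
 *             environment variable is consulted, then the compiled-in
 *             CONFIG_FILE default.
 * section:    in/out.  When *section is NULL it is set to the default
 *             section named by ENV_DEFAULT_OCSPD in BASE_SECTION; the
 *             returned pointer belongs to the CONF object and must not be
 *             freed by the caller.  The chosen section name is also exported
 *             in the environment under ENV_SECTION, where the rest of the
 *             configuration handling expects to find it.
 *
 * Returns the loaded CONF object, or NULL on error (nothing is leaked in
 * that case; the original code did not release the CONF on failure).
 */
CONF *load_config( char *configfile, char **section ) {
	CONF *conf = NULL;
	long errorline = -1;

	if (configfile == NULL)
		configfile = getenv("OCSP_CONF");
	if (configfile == NULL)
		configfile = CONFIG_FILE;
	if (configfile == NULL)
		return NULL;

	if (verbose)
		syslog(LOG_INFO, "Using configuration from %s\n", configfile);

	/* NCONF_new() can fail; the original dereferenced the result blindly. */
	if ((conf = NCONF_new(NULL)) == NULL) {
		syslog(LOG_ERR, "%s:%d Memory allocation error.",
		       __FILE__, __LINE__);
		return NULL;
	}

	if (NCONF_load(conf, configfile, &errorline) <= 0) {
		if (errorline <= 0)
			syslog(LOG_ERR,
			       "error loading the config file '%s'\n",
			       configfile);
		else
			syslog(LOG_ERR,
			       "error on line %ld of config file '%s'\n",
			       errorline, configfile);
		NCONF_free(conf);
		return NULL;
	}

	if (*section == NULL) {
		*section = NCONF_get_string(conf, BASE_SECTION,
					    ENV_DEFAULT_OCSPD);
		if (*section == NULL) {
			lookup_fail(BASE_SECTION, ENV_DEFAULT_OCSPD);
			NCONF_free(conf);
			return NULL;
		}

#ifdef OCSPD_ARCH_SOLARIS
		{
			/*
			 * putenv() stores the pointer it is given, so the
			 * "NAME=value" string must outlive this function.  It
			 * is heap-allocated and deliberately never freed; the
			 * previous code handed putenv() a stack buffer (which
			 * dangled on return), formatted the literal text
			 * "ENV_SECTION" instead of the macro's value, and
			 * printed the char ** instead of the section name.
			 */
			size_t len = strlen(ENV_SECTION) + 1
				   + strlen(*section) + 1;
			char *env = (char *) OPENSSL_malloc(len);

			if (env == NULL) {
				syslog(LOG_ERR,
				       "%s:%d Memory allocation error.",
				       __FILE__, __LINE__);
			} else {
				snprintf(env, len, "%s=%s", ENV_SECTION,
					 *section);
				if (putenv(env) != 0)
					syslog(LOG_ERR,
					       "%s:%d can not export %s to the environment",
					       __FILE__, __LINE__, ENV_SECTION);
			}
		}
#else
		if (setenv(ENV_SECTION, *section, 1) != 0)
			syslog(LOG_ERR,
			       "%s:%d can not export %s to the environment",
			       __FILE__, __LINE__, ENV_SECTION);
#endif

		if (verbose)
			syslog(LOG_INFO, "section set to %s", *section);
	}

	return conf;
}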
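/*
 * Export the name of the configuration section currently being processed in
 * the environment variable named by ENV_SECTION, where the configuration
 * handling expects to find it.
 *
 * With setenv() the C library copies the strings.  The Solaris path uses
 * putenv(), which keeps the pointer it is given: the "NAME=value" string is
 * therefore heap-allocated and deliberately never freed (the previous code
 * handed putenv() a per-iteration stack buffer, which dangled as soon as the
 * loop moved on, and formatted the literal text "ENV_SECTION" instead of the
 * macro's value).
 *
 * Returns 1 on success, 0 on failure.
 */
static int ocspd_conf_export_section(const char *section)
{
#ifdef OCSPD_ARCH_SOLARIS
	size_t len = strlen(ENV_SECTION) + 1 + strlen(section) + 1;
	char *env = (char *) OPENSSL_malloc(len);

	if (env == NULL) {
		syslog(LOG_ERR, "%s:%d Memory allocation error.",
		       __FILE__, __LINE__);
		return 0;
	}
	snprintf(env, len, "%s=%s", ENV_SECTION, section);
	return putenv(env) == 0;
#else
	return setenv(ENV_SECTION, section, 1) == 0;
#endif
}

/*
 * Configure, fetch, verify and index the CRL of one CA entry.
 *
 * conf:       daemon configuration (conf->conf is the parsed CONF object).
 * ca:         the CA_LIST_ENTRY whose certificate(s) are already loaded.
 * ca_section: the CA's configuration section.
 *
 * Returns 0 on a hard configuration error (unparsable CRL URL, LDAP without
 * DN/attribute) which aborts the whole load, and 1 otherwise.  "Otherwise"
 * includes a CA with no CRL URL, a CRL that could not be fetched and a CRL
 * that does not verify against the CA certificate: in all of these the entry
 * is left with ca->crl == NULL, a state the original code already produced
 * when the fetch failed.
 *
 * Security: a CRL that fails check_crl() is discarded instead of being used.
 * The previous code only logged the failure and went on to index and serve
 * revocation data whose signature it could not verify, so whoever controls
 * the CRL URL (HTTP/LDAP) could have fed the responder a forged CRL.
 */
static int ocspd_conf_load_crl_entry(OCSPD_CONFIG *conf, CA_LIST_ENTRY *ca,
				     char *ca_section)
{
	char *crlUrl_s = NULL;
	int ret;

	crlUrl_s = NCONF_get_string(conf->conf, ca_section, ENV_OCSPD_CRL_URL);
	if (crlUrl_s == NULL) {
		if (verbose)
			lookup_fail(ca_section, ENV_OCSPD_CRL_URL);
		return 1;
	}

	ca->crl_url = getParsedUrl(crlUrl_s);
	if (ca->crl_url == NULL) {
		syslog(LOG_ERR, "Can not parse CRL url @%s (%s)",
		       ca_section, crlUrl_s);
		return 0;
	}

	/* Only meaningful for LDAP retrieval; harmless (NULL) otherwise. */
	ca->crl_url->dn = NCONF_get_string(conf->conf, ca_section,
					   ENV_OCSPD_CRL_ENTRY_DN);
	ca->crl_url->attr = NCONF_get_string(conf->conf, ca_section,
					     ENV_OCSPD_CRL_ENTRY_ATTR);
	if (ca->crl_url->proto == OCSP_CRL_PROTO_LDAP) {
		if (verbose)
			syslog(LOG_INFO, "Using LDAP protocol for CRL retrivial");
		if (ca->crl_url->attr == NULL || ca->crl_url->dn == NULL) {
			syslog(LOG_ERR, "%s and %s are required while using LDAP!",
			       ENV_OCSPD_CRL_ENTRY_DN, ENV_OCSPD_CRL_ENTRY_ATTR);
			return 0;
		}
	}

	ca->crl = ocspd_get_crl(ca->crl_url);
	if (ca->crl == NULL)
		syslog(LOG_ERR, "Error Loading CRL for [ %s ]", ca->ca_id);
	else if (verbose)
		syslog(LOG_INFO, "CRL loaded [ %s ]", ca_section);

	/* check_crl() returns > 0 only if the CRL verifies against one of the
	 * CA certificates (and -1 when there is no CRL at all). */
	ret = check_crl(ca->crl, ca->cert);
	if (ret < 1) {
		syslog(LOG_ERR, "CRL/CA check error [ %s:%d ]", ca_section, ret);
		if (ca->crl) {
			X509_CRL_free(ca->crl);
			ca->crl = NULL;
		}
	}

	/* lastUpdate/nextUpdate are only available with a (verified) CRL. */
	if (ca->crl) {
		ca->lastUpdate = M_ASN1_TIME_dup(X509_CRL_get_lastUpdate(ca->crl));
		ca->nextUpdate = M_ASN1_TIME_dup(X509_CRL_get_nextUpdate(ca->crl));
	}

	/* Both helpers were already called with ca->crl == NULL by the
	 * original code when the fetch failed, so they must cope with it. */
	ca->crl_status = check_crl_validity(ca);
	if (ocspd_build_crl_entries_list(ca, ca->crl) == NULL)
		syslog(LOG_ERR, "No Entries for CRL (@%s)", ca_section);

	if (ca->crl)
		syslog(LOG_INFO, "CRL loaded successfully [%s]", ca_section);

	return 1;
}

/*
 * Build conf->ca_list from the CAs declared in dbms_section.
 *
 * Every value of dbms_section whose name contains ENV_OCSPD_CA_SECTION names
 * (after a leading '@') a per-CA section from which the CA certificate URL
 * (ENV_OCSPD_CACERT_URL), the optional LDAP parameters and the CRL settings
 * are read.  An entry is added to conf->ca_list (and conf->ca_list_len
 * incremented) once its CA certificate(s) and issuer identifier are loaded;
 * CRL problems do not remove the entry (see ocspd_conf_load_crl_entry).
 *
 * conf:         daemon configuration to fill (conf->conf must be loaded).
 * dbms_section: name of the section listing the CAs.
 *
 * Returns 1 on success, 0 if the section is missing or empty, on memory
 * allocation failure, or on an unrecoverable per-CA error (unparsable URL,
 * LDAP without DN/attribute).
 *
 * Fixes over the previous version: entries are zero-initialised (partially
 * filled entries were later inspected field by field by the reload code and
 * read garbage), ca_id is set before any path that can skip the CRL setup,
 * the "%s:%s" / __LINE__ format mismatch is corrected, and the message
 * strings that were wrapped across lines are whole again.
 */
int ocspd_load_ca_section ( OCSPD_CONFIG *conf, char *dbms_section ) {
	STACK_OF(CONF_VALUE) *nval = NULL;
	CONF_VALUE *val = NULL;
	CA_LIST_ENTRY *ca = NULL;
	char *ca_section = NULL;
	char *caUrl_s = NULL;
	int i, num;

	/* The dbms_section must exist in the configuration file. */
	if ((nval = NCONF_get_section(conf->conf, dbms_section)) == NULL)
		return 0;

	num = sk_CONF_VALUE_num(nval);
	if (verbose)
		syslog(LOG_INFO, "Number of CAs in configuration is %d", num);

	/* OPENSSL_malloc(0) returns NULL, so an empty section already failed
	 * before; fail explicitly with a message that says why. */
	if (num <= 0) {
		syslog(LOG_ERR, "%s:%d no CA entries found in section %s",
		       __FILE__, __LINE__, dbms_section);
		return 0;
	}

	/* Each entry of dbms_section corresponds to at most one CA, so the
	 * number of entries is an upper bound for the list size. */
	conf->ca_list = (CA_LIST_ENTRY **) OPENSSL_malloc(
				sizeof(CA_LIST_ENTRY *) * num);
	if (conf->ca_list == NULL) {
		syslog(LOG_ERR, "%s:%d Memory allocation error.",
		       __FILE__, __LINE__);
		return 0;
	}

	for (i = 0; i < num; i++) {
		conf->ca_list[i] = (CA_LIST_ENTRY *)
				   OPENSSL_malloc(sizeof(CA_LIST_ENTRY));
		if (conf->ca_list[i] == NULL) {
			syslog(LOG_ERR, "%s:%d Memory allocation error.",
			       __FILE__, __LINE__);
			while (i-- > 0)
				OPENSSL_free(conf->ca_list[i]);
			OPENSSL_free(conf->ca_list);
			conf->ca_list = NULL;
			return 0;
		}
		/* Zero every field so that an entry which is only partially
		 * filled below has NULL pointers rather than garbage. */
		memset(conf->ca_list[i], 0, sizeof(CA_LIST_ENTRY));
	}

	conf->ca_list_len = 0;

	for (i = 0; i < num; i++) {
		val = sk_CONF_VALUE_value(nval, i);
		if (strstr(val->name, ENV_OCSPD_CA_SECTION) == NULL)
			continue;

		/* The value is "@<section name>". */
		if ((ca_section = strchr(val->value, '@')) == NULL) {
			syslog(LOG_ERR,
			       "Error, ca section value should begin with @ (%s=%s)",
			       val->name, val->value);
			continue;
		}
		ca_section++;

		/* Failure here is reported but, as before, not fatal. */
		if (!ocspd_conf_export_section(ca_section))
			syslog(LOG_ERR,
			       "%s:%d can not export section %s to the environment",
			       __FILE__, __LINE__, ca_section);

		caUrl_s = NCONF_get_string(conf->conf, ca_section,
					   ENV_OCSPD_CACERT_URL);
		if (caUrl_s == NULL) {
			if (verbose)
				lookup_fail(ca_section, ENV_OCSPD_CACERT_URL);
			continue;
		}

		/* Next free slot; it is only counted once the CA certificate
		 * and its identifier are loaded. */
		ca = conf->ca_list[conf->ca_list_len];

		/* ca_id points into the CONF storage, which outlives the
		 * entry.  Set it first so every later log line and the reload
		 * code have a name even when the CRL setup is skipped. */
		ca->ca_id = ca_section;

		ca->url = getParsedUrl(caUrl_s);
		if (ca->url == NULL) {
			syslog(LOG_ERR, "Can not parse CA url in section %s (%s)",
			       ca_section, caUrl_s);
			return 0;
		}

		/* Only meaningful for LDAP retrieval of the CA certificate. */
		ca->url->dn = NCONF_get_string(conf->conf, ca_section,
					       ENV_OCSPD_CACERT_ENTRY_DN);
		ca->url->attr = NCONF_get_string(conf->conf, ca_section,
						 ENV_OCSPD_CACERT_ENTRY_ATTR);
		if (ca->url->proto == OCSP_CRL_PROTO_LDAP) {
			if (verbose)
				syslog(LOG_INFO, "Using LDAP protocol for CA retrivial");
			if (ca->url->attr == NULL || ca->url->dn == NULL) {
				syslog(LOG_ERR, "%s and %s are required while using LDAP!",
				       ENV_OCSPD_CACERT_ENTRY_DN,
				       ENV_OCSPD_CACERT_ENTRY_ATTR);
				return 0;
			}
		}

		/* NOTE(review): when one of the `continue`s below gives up on
		 * this CA, ca->url stays allocated in a slot that the next CA
		 * reuses; no release routine for the parsed URL is visible in
		 * this file, so the (small, load-time) leak is left as is. */
		ca->cert = ocspd_get_ca(ca->url);
		if (ca->cert == NULL || sk_X509_num(ca->cert) < 1) {
			if (ca->cert)
				sk_X509_free(ca->cert);
			ca->cert = NULL;
			syslog(LOG_ERR, "Error loading CA URL data.");
			continue;
		}
		if (verbose)
			syslog(LOG_INFO, "CA CERT for %s loaded successfully.",
			       ca_section);

		ca->cid = ocspd_CA_ENTRY_CERTID_new(ca->cert, conf->digest);
		if (ca->cid == NULL) {
			syslog(LOG_ERR, "%s:%d CA List structure init error.",
			       __FILE__, __LINE__);
			sk_X509_pop_free(ca->cert, X509_free);
			ca->cert = NULL;
			continue;
		}

		if (verbose)
			syslog(LOG_INFO, "CA List Entry added (CA list num %d)",
			       conf->ca_list_len);
		conf->ca_list_len++;

		if (!ocspd_conf_load_crl_entry(conf, ca, ca_section))
			return 0;
	}

	return 1;
}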
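/*
 * Re-fetch the certificate(s) of every configured CA and rebuild the issuer
 * identifier used to match OCSP requests.
 *
 * conf: daemon configuration whose ca_list was built by
 *       ocspd_load_ca_section().
 *
 * Always returns 1; per-CA failures are logged and that entry is left with
 * ca->cert == NULL (the previous code could leave an empty, non-NULL stack
 * behind on failure).
 *
 * NOTE(review): the previous ca->cid is overwritten without being released;
 * no matching free routine is visible in this file, so confirm whether the
 * project has one before fixing the leak.  Note also that on a fetch failure
 * the old ca->cid is kept while ca->cert is NULL.
 */
int ocspd_reload_all_ca ( OCSPD_CONFIG *conf ) {
	int i;
	CA_LIST_ENTRY *ca = NULL;

	for (i = 0; i < conf->ca_list_len; i++) {
		ca = conf->ca_list[i];
		if (ca == NULL)
			continue;

		/* Release the current certificate list before re-fetching. */
		if (ca->cert) {
			sk_X509_pop_free(ca->cert, X509_free);
			ca->cert = NULL;
		}

		ca->cert = ocspd_get_ca(ca->url);
		if (ca->cert == NULL || sk_X509_num(ca->cert) < 1) {
			if (ca->cert)
				sk_X509_free(ca->cert);
			ca->cert = NULL;
			syslog(LOG_ERR, "Error loading CA URL data.");
			continue;
		}
		if (verbose)
			syslog(LOG_INFO, "CA CERT for %s loaded successfully.",
			       ca->ca_id);

		ca->cid = ocspd_CA_ENTRY_CERTID_new(ca->cert, conf->digest);
		if (ca->cid == NULL) {
			syslog(LOG_ERR, "CA List structure init error.");
			continue;
		}
	}

	return 1;
}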
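/*
 * Re-fetch the CRL of every configured CA and rebuild the revoked-entries
 * index and validity information.
 *
 * conf: daemon configuration whose ca_list was built by
 *       ocspd_load_ca_section().
 *
 * Always returns 1; per-CA failures are logged and the entry is left with
 * a->crl == NULL.
 *
 * Fixes over the previous version: the reloaded CRL is now verified against
 * the CA certificate(s) with check_crl(), as the initial load does — before,
 * a CRL fetched at reload time was indexed and served without any signature
 * check, so whoever controls the CRL URL could replace it.  `ret` was also
 * logged without ever being assigned (an uninitialised read); it now holds
 * the check_crl() result, which is what the "[ %s:%d ]" log lines suggest
 * was intended.
 *
 * NOTE(review): a->crl_list is only unlinked here; whether
 * ocspd_build_crl_entries_list() releases the previous list is not visible
 * in this file.  Likewise, when the fetch or the verification fails the old
 * crl_status/lastUpdate/nextUpdate are kept while a->crl is NULL — that is
 * the pre-existing behaviour of the fetch-failure path, preserved here.
 */
int ocspd_reload_crls ( OCSPD_CONFIG *conf ) {
	int i, ret;
	CA_LIST_ENTRY *a = NULL;

	for (i = 0; i < conf->ca_list_len; i++) {
		a = conf->ca_list[i];
		if (verbose)
			syslog(LOG_INFO, "%s:%d freeing entries for CA %d",
			       __FILE__, __LINE__, i);
		if (a == NULL)
			continue;

		/* Drop the current CRL; the entries list is rebuilt below. */
		if (a->crl)
			X509_CRL_free(a->crl);
		a->crl = NULL;
		a->crl_list = NULL;

		if (a->crl_url == NULL) {
			syslog(LOG_ERR, "Error reloading CRL for CA %s [URI]",
			       a->ca_id);
			continue;
		}

		if ((a->crl = ocspd_get_crl(a->crl_url)) == NULL) {
			syslog(LOG_ERR, "Error reloading CRL [ %s ]", a->ca_id);
			continue;
		}

		/* Never index a CRL that does not verify against the CA. */
		ret = check_crl(a->crl, a->cert);
		if (ret < 1) {
			syslog(LOG_ERR, "CRL/CA check error [ %s:%d ]",
			       a->ca_id, ret);
			X509_CRL_free(a->crl);
			a->crl = NULL;
			continue;
		}
		if (verbose)
			syslog(LOG_ERR, "CRL OK [ %s:%d ]", a->ca_id, ret);

		if (ocspd_build_crl_entries_list(a, a->crl) == NULL)
			syslog(LOG_ERR, "No Entries for CRL [ %s ]", a->ca_id);

		if (verbose)
			syslog(LOG_INFO, "CRL loaded successfully [ %s:%d ]",
			       a->ca_id, ret);

		/* Replace the previous validity window with the new one. */
		if (a->lastUpdate)
			ASN1_TIME_free(a->lastUpdate);
		if (a->nextUpdate)
			ASN1_TIME_free(a->nextUpdate);
		a->lastUpdate = M_ASN1_TIME_dup(X509_CRL_get_lastUpdate(a->crl));
		a->nextUpdate = M_ASN1_TIME_dup(X509_CRL_get_nextUpdate(a->crl));

		a->crl_status = check_crl_validity(a);
	}

	return 1;
}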
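/*
 * Verify a CRL's signature against a stack of CA certificates.
 *
 * crl:    the CRL to check.
 * cacert: the CA certificate(s); the CRL is accepted if it verifies with the
 *         public key of any one of them (presumably to allow for a CA with
 *         more than one certificate — TODO confirm with the loader).
 *
 * Returns the best X509_CRL_verify() result seen (> 0 on success, 0 on a
 * signature mismatch, < 0 on a verification error), -1 if crl or cacert is
 * NULL, -2 if the stack is empty and -3 if a certificate's public key cannot
 * be extracted.  Callers treat anything < 1 as failure.
 *
 * The final log line now reports the overall result (`final`) rather than
 * the result of the last certificate tried.
 */
int check_crl ( X509_CRL *crl, STACK_OF(X509) *cacert ) {
	EVP_PKEY *pkey = NULL;
	int i, ret, final;

	if (crl == NULL || cacert == NULL) {
		if (verbose) {
			if (crl == NULL)
				syslog(LOG_ERR, "CRL missing");
			if (cacert == NULL)
				syslog(LOG_ERR, "CA cert missing");
		}
		return -1;
	}

	if (sk_X509_num(cacert) < 1) {
		if (verbose)
			syslog(LOG_ERR, "No CA cert loaded");
		return -2;
	}

	final = -1;
	for (i = 0; i < sk_X509_num(cacert); i++) {
		pkey = X509_get_pubkey(sk_X509_value(cacert, i));
		if (pkey == NULL)
			return -3;

		/* X509_CRL_verify(): > 0 success, 0 mismatch, < 0 error. */
		ret = X509_CRL_verify(crl, pkey);
		EVP_PKEY_free(pkey);

		if (ret > final)
			final = ret;

		if (verbose) {
			if (ret > 0)
				syslog(LOG_INFO, "CRL and CA cert [%d:%d] check ok",
				       i, ret);
			else
				syslog(LOG_INFO, "CRL and CA cert [%d:%d] not ok",
				       i, ret);
		}
	}

	if (final > 0 && verbose)
		syslog(LOG_INFO, "CRL matching CA cert ok [ %d ]", final);

	return final;
}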
