/*
 * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

// SPDX-License-Identifier: Apache-2.0 OR ISC
// Modifications Copyright Amazon.com, Inc. or its affiliates.

#include <openssl/mem.h>
#include <openssl/rand.h>
#include <string.h>

#include "../internal.h"
#include "internal.h"

#define OCSP_DEFAULT_NONCE_LENGTH 16

int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *req, int nid, int lastpos) {
  return X509v3_get_ext_by_NID(req->tbsRequest->requestExtensions, nid,
                               lastpos);
}

X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *req, int loc) {
  return X509v3_get_ext(req->tbsRequest->requestExtensions, loc);
}

int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *bs, X509_EXTENSION *ex, int loc) {
  return (X509v3_add_ext(&bs->tbsResponseData->responseExtensions, ex, loc) !=
          NULL);
}

int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *bs, int nid, int lastpos) {
  return X509v3_get_ext_by_NID(bs->tbsResponseData->responseExtensions, nid,
                               lastpos);
}

X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *bs, int loc) {
  return X509v3_get_ext(bs->tbsResponseData->responseExtensions, loc);
}

X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc) {
  return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc);
}

int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *sresp, X509_EXTENSION *ex,
                            int loc) {
  GUARD_PTR(sresp);
  return (X509v3_add_ext(&sresp->singleExtensions, ex, loc) != NULL);
}

int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *sresp) {
  GUARD_PTR(sresp);
  return X509v3_get_ext_count(sresp->singleExtensions);
}

X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *sresp, int loc) {
  GUARD_PTR(sresp);
  return X509v3_get_ext(sresp->singleExtensions, loc);
}

static int ocsp_add_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
                          int len) {
  unsigned char *tmpval;
  ASN1_OCTET_STRING os;
  int ret = 0;
  if (len <= 0) {
    len = OCSP_DEFAULT_NONCE_LENGTH;
  }
  // Create the OCTET STRING manually by writing out the header and
  // appending the content octets. This avoids an extra memory allocation
  // operation in some cases. Applications should *NOT* do this because it
  // relies on library internals.
  os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
  if (os.length < 0) {
    return 0;
  }

  os.data = OPENSSL_malloc(os.length);
  if (os.data == NULL) {
    goto err;
  }
  tmpval = os.data;
  ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
  if (val != NULL) {
    OPENSSL_memcpy(tmpval, val, len);
  } else if (RAND_bytes(tmpval, len) <= 0) {
    goto err;
  }
  if (X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
                      X509V3_ADD_REPLACE) <= 0) {
    goto err;
  }
  ret = 1;
err:
  OPENSSL_free(os.data);
  return ret;
}

int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len) {
  if (req == NULL) {
    OPENSSL_PUT_ERROR(OCSP, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
  if (val != NULL && len <= 0) {
    OPENSSL_PUT_ERROR(OCSP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }
  return ocsp_add_nonce(&req->tbsRequest->requestExtensions, val, len);
}

int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len) {
  if (resp == NULL) {
    OPENSSL_PUT_ERROR(OCSP, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
  if (val != NULL && len <= 0) {
    OPENSSL_PUT_ERROR(OCSP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }
  return ocsp_add_nonce(&resp->tbsResponseData->responseExtensions, val, len);
}

int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs) {
  if (req == NULL || bs == NULL) {
    OPENSSL_PUT_ERROR(OCSP, ERR_R_PASSED_NULL_PARAMETER);
    return OCSP_NONCE_NOT_EQUAL;
  }
  // Since we are only interested in the presence or absence of
  // the nonce and comparing its value there is no need to use
  // the X509V3 routines: this way we can avoid them allocating an
  // ASN1_OCTET_STRING structure for the value which would be
  // freed immediately anyway.

  int req_idx, resp_idx;
  X509_EXTENSION *req_ext, *resp_ext;
  req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
  resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
  // Check that both are absent.
  if ((req_idx < 0) && (resp_idx < 0)) {
    return OCSP_NONCE_BOTH_ABSENT;
  }
  // Check in request only.
  if ((req_idx >= 0) && (resp_idx < 0)) {
    return OCSP_NONCE_REQUEST_ONLY;
  }
  // Check in response, but not request.
  if ((req_idx < 0) && (resp_idx >= 0)) {
    return OCSP_NONCE_RESPONSE_ONLY;
  }
  // Otherwise, there is a nonce in both the request and response, so retrieve
  // the extensions.
  req_ext = OCSP_REQUEST_get_ext(req, req_idx);
  resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
  if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
                            X509_EXTENSION_get_data(resp_ext))) {
    return OCSP_NONCE_NOT_EQUAL;
  }
  return OCSP_NONCE_EQUAL;
}

int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req) {
  GUARD_PTR(resp);
  GUARD_PTR(req);

  // Check for nonce in request.
  int req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
  // If no nonce, that's OK. We return 2 in this case.
  if (req_idx < 0) {
    return 2;
  }
  X509_EXTENSION *req_ext = OCSP_REQUEST_get_ext(req, req_idx);
  // Nonce found, but no entry at the index.
  // This shouldn't happen under normal circumstances.
  GUARD_PTR(req_ext);

  // Append the nonce.
  return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
}