Add option -i to allow oscpcheck to be used to validate an on-disk staple

ok claudio@ benno@
author: beck <> 2017-11-28 23:32:00 +0000
committer: beck <> 2017-11-28 23:32:00 +0000
commit: aa9c99e53a08fd5b5178e337b1082d178fb34c07 (patch)
tree: b61427f044550d21a63392cc8723dfb4fd807aa3
parent: 8e3da22d9e96b1f66fa86b077a8226eff4b85e17 (diff)
download: openbsd-aa9c99e53a08fd5b5178e337b1082d178fb34c07.tar.gz
openbsd-aa9c99e53a08fd5b5178e337b1082d178fb34c07.tar.bz2
openbsd-aa9c99e53a08fd5b5178e337b1082d178fb34c07.zip
2 files changed, 103 insertions, 49 deletions
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.8 b/src/usr.sbin/ocspcheck/ocspcheck.8
index dabac38a65..2a3f2d6187 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.8
+++ b/src/usr.sbin/ocspcheck/ocspcheck.8
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ocspcheck.8,v 1.7 2017/10/17 22:47:58 schwarze Exp $
+.\"     $OpenBSD: ocspcheck.8,v 1.8 2017/11/28 23:32:00 beck Exp $
 .\"
 .\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 17 2017 $
+.Dd $Mdocdate: November 28 2017 $
 .Dt OCSPCHECK 8
 .Os
 .Sh NAME
@@ -45,10 +45,18 @@ By default no certificates are used beyond those in the
 certificate chain provided by the
 .Ar file
 argument.
+.It Fl i Ar staplefile
+Specify an input filename from which a DER encoded OCSP response
+will be read instead of fetching it from the OCSP server.
+A filename
+of
+.Sq -
+will read the response from standard input.
 .It Fl N
 Do not use a nonce value in the OCSP request, or validate that the
 nonce was returned in the OCSP response.
-By default a nonce is always used and validated.
+By default a nonce is always used and validated when retrieving
+a response from an OCSP server. 
 The use of this flag is a security risk as it will allow OCSP
 responses to be replayed.
 It should not be used unless the OCSP server does not support the
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.c b/src/usr.sbin/ocspcheck/ocspcheck.c
index df14265370..6038f8817d 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocspcheck.c,v 1.21 2017/05/08 20:15:34 beck Exp $ */
+/* $OpenBSD: ocspcheck.c,v 1.22 2017/11/28 23:32:00 beck Exp $ */
 /*
 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
@@ -40,6 +40,7 @@
 #define MAXAGE_SEC (14*24*60*60)
 #define JITTER_SEC (60)
+#define OCSP_MAX_RESPONSE_SIZE (20480)
 typedef struct ocsp_request {
        STACK_OF(X509) *fullchain;
@@ -505,19 +506,19 @@ int
 main(int argc, char **argv)
 {
        char *host = NULL, *path = "/", *certfile = NULL, *outfile = NULL,
-            *cafile = NULL;
+            *cafile = NULL, *instaple = NULL, *infile = NULL;
        struct addr addrs[MAX_SERVERS_DNS] = {{0}};
        struct source sources[MAX_SERVERS_DNS];
-        int i, ch, staplefd = -1, nonce = 1;
+        int i, ch, staplefd = -1, infd = -1, nonce = 1;
        ocsp_request *request = NULL;
-        size_t rescount, httphsz;
+        size_t rescount, httphsz = 0, instaplesz = 0;
-        struct httphead *httph;
+        struct httphead *httph = NULL;
        struct httpget *hget;
        X509_STORE *castore;
        ssize_t written, w;
        short port;
-        while ((ch = getopt(argc, argv, "C:No:v")) != -1) {
+        while ((ch = getopt(argc, argv, "C:i:No:v")) != -1) {
                switch (ch) {
                case 'C':
                        cafile = optarg;
@@ -528,6 +529,9 @@ main(int argc, char **argv)
                case 'o':
                        outfile = optarg;
                        break;
+                case 'i':
+                        infile = optarg;
+                        break;
                case 'v':
                        verbose++;
                        break;
@@ -551,6 +555,16 @@ main(int argc, char **argv)
                        err(1, "Unable to open output file %s", outfile);
        }
+        if (infile != NULL) {
+                if (strcmp(infile, "-") == 0)
+                        infd = STDIN_FILENO;
+                else
+                        infd = open(infile, O_RDONLY);
+                if (infd < 0)
+                        err(1, "Unable to open input file %s", infile);
+                nonce = 0; /* Can't validate a nonce on a saved reply */
+        }
        if (pledge("stdio inet rpath dns", NULL) == -1)
                err(1, "pledge");
@@ -571,50 +585,82 @@ main(int argc, char **argv)
                    certfile);
        if (*path == '\0')
                path = "/";
-        vspew("Using %s to host %s, port %d, path %s\n",
-            port == 443 ? "https" : "http", host, port, path);
-        rescount = host_dns(host, addrs);
+        if (infd == -1) {
-        for (i = 0; i < rescount; i++) {
+                /* Get a new OCSP response from the indicated server */
-                sources[i].ip = addrs[i].ip;
-                sources[i].family = addrs[i].family;
-        }
-        /*
+                vspew("Using %s to host %s, port %d, path %s\n",
-         * Do an HTTP post to send our request to the OCSP
+                    port == 443 ? "https" : "http", host, port, path);
-         * server, and hopefully get an answer back
-         */
-        hget = http_get(sources, rescount, host, port, path,
-            request->data, request->size);
-        if (hget == NULL)
-                errx(1, "http_get");
-        /*
+                rescount = host_dns(host, addrs);
-         * Pledge minimally before fiddling with libcrypto init
+                for (i = 0; i < rescount; i++) {
-         * routines and parsing untrusted input from someone's OCSP
+                        sources[i].ip = addrs[i].ip;
-         * server.
+                        sources[i].family = addrs[i].family;
-         */
+                }
-        if (pledge("stdio", NULL) == -1)
-                err(1, "pledge");
-        httph = http_head_parse(hget->http, hget->xfer, &httphsz);
-        dspew("Server at %s returns:\n", host);
-        for (i = 0; i < httphsz; i++)
-                dspew("   [%s]=[%s]\n", httph[i].key, httph[i].val);
-        dspew("   [Body]=[%zu bytes]\n", hget->bodypartsz);
-        if (hget->bodypartsz <= 0)
-                errx(1, "No body in reply from %s", host);
-        if (hget->code != 200)
-                errx(1, "http reply code %d from %s", hget->code, host);
-        /*
+                /*
-         * Validate the OCSP response we got back
+                 * Do an HTTP post to send our request to the OCSP
-         */
+                 * server, and hopefully get an answer back
-        OPENSSL_add_all_algorithms_noconf();
+                 */
-        if (!validate_response(hget->bodypart, hget->bodypartsz,
+                hget = http_get(sources, rescount, host, port, path,
-            request, castore, host, certfile))
+                    request->data, request->size);
-                exit(1);
+                if (hget == NULL)
+                        errx(1, "http_get");
+                /*
+                 * Pledge minimally before fiddling with libcrypto init
+                 * routines and parsing untrusted input from someone's OCSP
+                 * server.
+                 */
+                if (pledge("stdio", NULL) == -1)
+                        err(1, "pledge");
+                dspew("Server at %s returns:\n", host);
+                for (i = 0; i < httphsz; i++)
+                        dspew("   [%s]=[%s]\n", httph[i].key, httph[i].val);
+                dspew("   [Body]=[%zu bytes]\n", hget->bodypartsz);
+                if (hget->bodypartsz <= 0)
+                        errx(1, "No body in reply from %s", host);
+                if (hget->code != 200)
+                        errx(1, "http reply code %d from %s", hget->code, host);
+                /*
+                 * Validate the OCSP response we got back
+                 */
+                OPENSSL_add_all_algorithms_noconf();
+                if (!validate_response(hget->bodypart, hget->bodypartsz,
+                        request, castore, host, certfile))
+                        exit(1);
+        } else {
+                size_t nr = 0;
+                instaplesz = 0;
+                /*
+                 * Pledge minimally before fiddling with libcrypto init
+                 */
+                if (pledge("stdio", NULL) == -1)
+                        err(1, "pledge");
+                dspew("Using ocsp response saved in %s:\n", infile);
+                /* Use the existing OCSP response saved in infd */
+                instaple = calloc(OCSP_MAX_RESPONSE_SIZE, 1);
+                if (instaple) {
+                        while ((nr = read(infd, instaple + instaplesz,
+                            OCSP_MAX_RESPONSE_SIZE - instaplesz)) != -1 &&
+                            nr != 0)
+                                instaplesz += nr;
+                }
+                if (instaplesz == 0)
+                        exit(1);
+                /*
+                 * Validate the OCSP staple we read in.
+                 */
+                OPENSSL_add_all_algorithms_noconf();
+                if (!validate_response(instaple, instaplesz,
+                        request, castore, host, certfile))
+                        exit(1);
+        }
        /*
         * If we have been given a place to save a staple,
author	beck <>	2017-11-28 23:32:00 +0000
committer	beck <>	2017-11-28 23:32:00 +0000
commit	aa9c99e53a08fd5b5178e337b1082d178fb34c07 (patch)
tree	b61427f044550d21a63392cc8723dfb4fd807aa3
parent	8e3da22d9e96b1f66fa86b077a8226eff4b85e17 (diff)
download	openbsd-aa9c99e53a08fd5b5178e337b1082d178fb34c07.tar.gz openbsd-aa9c99e53a08fd5b5178e337b1082d178fb34c07.tar.bz2 openbsd-aa9c99e53a08fd5b5178e337b1082d178fb34c07.zip