summaryrefslogtreecommitdiff
path: root/src/usr.sbin/ocspcheck/ocspcheck.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/usr.sbin/ocspcheck/ocspcheck.c')
-rw-r--r--src/usr.sbin/ocspcheck/ocspcheck.c32
1 files changed, 13 insertions, 19 deletions
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.c b/src/usr.sbin/ocspcheck/ocspcheck.c
index c19ecf4f05..5f79a999cb 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -86,7 +86,7 @@ host_dns(const char *s, struct addr vec[MAX_SERVERS_DNS])
86 } 86 }
87 87
88 for (vecsz = 0, res = res0; 88 for (vecsz = 0, res = res0;
89 NULL != res && vecsz < MAX_SERVERS_DNS; 89 res != NULL && vecsz < MAX_SERVERS_DNS;
90 res = res->ai_next) { 90 res = res->ai_next) {
91 if (res->ai_family != AF_INET && 91 if (res->ai_family != AF_INET &&
92 res->ai_family != AF_INET6) 92 res->ai_family != AF_INET6)
@@ -94,7 +94,7 @@ host_dns(const char *s, struct addr vec[MAX_SERVERS_DNS])
94 94
95 sa = res->ai_addr; 95 sa = res->ai_addr;
96 96
97 if (AF_INET == res->ai_family) { 97 if (res->ai_family == AF_INET) {
98 vec[vecsz].family = 4; 98 vec[vecsz].family = 4;
99 inet_ntop(AF_INET, 99 inet_ntop(AF_INET,
100 &(((struct sockaddr_in *)sa)->sin_addr), 100 &(((struct sockaddr_in *)sa)->sin_addr),
@@ -127,15 +127,15 @@ url2host(const char *host, short *port, char **path)
127 127
128 /* We only understand HTTP and HTTPS. */ 128 /* We only understand HTTP and HTTPS. */
129 129
130 if (0 == strncmp(host, "https://", 8)) { 130 if (strncmp(host, "https://", 8) == 0) {
131 *port = 443; 131 *port = 443;
132 if (NULL == (url = strdup(host + 8))) { 132 if ((url = strdup(host + 8)) == NULL) {
133 warn("strdup"); 133 warn("strdup");
134 return (NULL); 134 return (NULL);
135 } 135 }
136 } else if (0 == strncmp(host, "http://", 7)) { 136 } else if (strncmp(host, "http://", 7) == 0) {
137 *port = 80; 137 *port = 80;
138 if (NULL == (url = strdup(host + 7))) { 138 if ((url = strdup(host + 7)) == NULL) {
139 warn("strdup"); 139 warn("strdup");
140 return (NULL); 140 return (NULL);
141 } 141 }
@@ -146,13 +146,13 @@ url2host(const char *host, short *port, char **path)
146 146
147 /* Terminate path part. */ 147 /* Terminate path part. */
148 148
149 if (NULL != (ep = strchr(url, '/'))) { 149 if ((ep = strchr(url, '/')) != NULL) {
150 *path = strdup(ep); 150 *path = strdup(ep);
151 *ep = '\0'; 151 *ep = '\0';
152 } else 152 } else
153 *path = strdup(""); 153 *path = strdup("");
154 154
155 if (NULL == *path) { 155 if (*path == NULL) {
156 warn("strdup"); 156 warn("strdup");
157 free(url); 157 free(url);
158 return (NULL); 158 return (NULL);
@@ -227,23 +227,21 @@ read_fullchain(const char *file, int *count)
227 *count = 0; 227 *count = 0;
228 228
229 if ((bio = BIO_new_file(file, "r")) == NULL) { 229 if ((bio = BIO_new_file(file, "r")) == NULL) {
230 warnx("Error opening %s\n", file); 230 warnx("Unable to read a certificate from %s", file);
231 ERR_print_errors_fp(stderr);
232 return NULL; 231 return NULL;
233 } 232 }
234 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) { 233 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) {
235 warnx("Unable to read PEM format from %s\n", file); 234 warnx("Unable to read PEM format from %s", file);
236 ERR_print_errors_fp(stderr);
237 return NULL; 235 return NULL;
238 } 236 }
239 BIO_free(bio); 237 BIO_free(bio);
240 238
241 if (sk_X509_INFO_num(xis) <= 0) { 239 if (sk_X509_INFO_num(xis) <= 0) {
242 warnx("No certificates in file %s\n", file); 240 warnx("No certificates in file %s", file);
243 goto end; 241 goto end;
244 } 242 }
245 if ((rv = sk_X509_new_null()) == NULL) { 243 if ((rv = sk_X509_new_null()) == NULL) {
246 ERR_print_errors_fp(stderr); 244 warnx("malloc failed");
247 goto end; 245 goto end;
248 } 246 }
249 247
@@ -252,7 +250,7 @@ read_fullchain(const char *file, int *count)
252 if (xi->x509 == NULL) 250 if (xi->x509 == NULL)
253 continue; 251 continue;
254 if (!sk_X509_push(rv, xi->x509)) { 252 if (!sk_X509_push(rv, xi->x509)) {
255 ERR_print_errors_fp(stderr); 253 warnx("unable to build x509 chain");
256 sk_X509_pop_free(rv, X509_free); 254 sk_X509_pop_free(rv, X509_free);
257 rv = NULL; 255 rv = NULL;
258 goto end; 256 goto end;
@@ -337,12 +335,10 @@ ocsp_request_new_from_cert(char *file, int nonce)
337 cert_id_md = EVP_sha1(); /* XXX. This sucks but OCSP is poopy */ 335 cert_id_md = EVP_sha1(); /* XXX. This sucks but OCSP is poopy */
338 if ((id = OCSP_cert_to_id(cert_id_md, cert, issuer)) == NULL) { 336 if ((id = OCSP_cert_to_id(cert_id_md, cert, issuer)) == NULL) {
339 warnx("Unable to get certificate id from cert in %s", file); 337 warnx("Unable to get certificate id from cert in %s", file);
340 ERR_print_errors_fp(stderr);
341 return NULL; 338 return NULL;
342 } 339 }
343 if (OCSP_request_add0_id(request->req, id) == NULL) { 340 if (OCSP_request_add0_id(request->req, id) == NULL) {
344 warnx("Unable to add certificate id to request"); 341 warnx("Unable to add certificate id to request");
345 ERR_print_errors_fp(stderr);
346 return NULL; 342 return NULL;
347 } 343 }
348 344
@@ -402,7 +398,6 @@ validate_response(char *buf, size_t size, ocsp_request *request,
402 398
403 if (OCSP_basic_verify(bresp, request->fullchain, store, 399 if (OCSP_basic_verify(bresp, request->fullchain, store,
404 OCSP_TRUSTOTHER) != 1) { 400 OCSP_TRUSTOTHER) != 1) {
405 ERR_print_errors_fp(stderr);
406 warnx("OCSP verify failed from %s", host); 401 warnx("OCSP verify failed from %s", host);
407 return 0; 402 return 0;
408 } 403 }
@@ -606,7 +601,6 @@ main (int argc, char **argv)
606 /* 601 /*
607 * Validate the OCSP response we got back 602 * Validate the OCSP response we got back
608 */ 603 */
609 ERR_load_crypto_strings();
610 OPENSSL_add_all_algorithms_noconf(); 604 OPENSSL_add_all_algorithms_noconf();
611 if (!validate_response(hget->bodypart, hget->bodypartsz, 605 if (!validate_response(hget->bodypart, hget->bodypartsz,
612 request, castore, host, certfile)) 606 request, castore, host, certfile))
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-15 15:37:32 +0000