summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/usr.sbin/ocspcheck/ocspcheck.c41
1 files changed, 18 insertions, 23 deletions
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.c b/src/usr.sbin/ocspcheck/ocspcheck.c
index 3917515f64..a923024055 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -1,4 +1,5 @@
1/* $OpenBSD: ocspcheck.c,v 1.19 2017/03/27 18:26:53 beck Exp $ */ 1/* $OpenBSD: ocspcheck.c,v 1.20 2017/03/27 23:59:08 deraadt Exp $ */
2
2/* 3/*
3 * Copyright (c) 2017 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
4 * 5 *
@@ -42,7 +43,7 @@
42 43
43typedef struct ocsp_request { 44typedef struct ocsp_request {
44 STACK_OF(X509) *fullchain; 45 STACK_OF(X509) *fullchain;
45 OCSP_REQUEST * req; 46 OCSP_REQUEST *req;
46 char *url; 47 char *url;
47 unsigned char *data; 48 unsigned char *data;
48 size_t size; 49 size_t size;
@@ -73,7 +74,6 @@ host_dns(const char *s, struct addr vec[MAX_SERVERS_DNS])
73 memset(&hints, 0, sizeof(hints)); 74 memset(&hints, 0, sizeof(hints));
74 hints.ai_family = PF_UNSPEC; 75 hints.ai_family = PF_UNSPEC;
75 hints.ai_socktype = SOCK_DGRAM; /* DUMMY */ 76 hints.ai_socktype = SOCK_DGRAM; /* DUMMY */
76 /* ntpd MUST NOT use AI_ADDRCONFIG here */
77 77
78 error = getaddrinfo(s, NULL, &hints, &res0); 78 error = getaddrinfo(s, NULL, &hints, &res0);
79 79
@@ -82,12 +82,11 @@ host_dns(const char *s, struct addr vec[MAX_SERVERS_DNS])
82 error == EAI_NODATA || 82 error == EAI_NODATA ||
83#endif 83#endif
84 error == EAI_NONAME) 84 error == EAI_NONAME)
85 return(0); 85 return 0;
86 86
87 if (error) { 87 if (error) {
88 warnx("%s: parse error: %s", 88 warnx("%s: parse error: %s", s, gai_strerror(error));
89 s, gai_strerror(error)); 89 return -1;
90 return(-1);
91 } 90 }
92 91
93 for (vecsz = 0, res = res0; 92 for (vecsz = 0, res = res0;
@@ -117,7 +116,7 @@ host_dns(const char *s, struct addr vec[MAX_SERVERS_DNS])
117 } 116 }
118 117
119 freeaddrinfo(res0); 118 freeaddrinfo(res0);
120 return(vecsz); 119 return vecsz;
121} 120}
122 121
123/* 122/*
@@ -253,7 +252,7 @@ read_fullchain(const char *file, int *count)
253 for (i = 0; i < sk_X509_INFO_num(xis); i++) { 252 for (i = 0; i < sk_X509_INFO_num(xis); i++) {
254 xi = sk_X509_INFO_value(xis, i); 253 xi = sk_X509_INFO_value(xis, i);
255 if (xi->x509 == NULL) 254 if (xi->x509 == NULL)
256 continue; 255 continue;
257 if (!sk_X509_push(rv, xi->x509)) { 256 if (!sk_X509_push(rv, xi->x509)) {
258 warnx("unable to build x509 chain"); 257 warnx("unable to build x509 chain");
259 sk_X509_pop_free(rv, X509_free); 258 sk_X509_pop_free(rv, X509_free);
@@ -315,8 +314,7 @@ ocsp_request_new_from_cert(char *file, int nonce)
315 if (request->fullchain == NULL) 314 if (request->fullchain == NULL)
316 return NULL; 315 return NULL;
317 if (count <= 1) { 316 if (count <= 1) {
318 warnx("File %s does not contain a cert chain", 317 warnx("File %s does not contain a cert chain", file);
319 file);
320 return NULL; 318 return NULL;
321 } 319 }
322 if ((cert = cert_from_chain(request->fullchain)) == NULL) { 320 if ((cert = cert_from_chain(request->fullchain)) == NULL) {
@@ -340,7 +338,7 @@ ocsp_request_new_from_cert(char *file, int nonce)
340 cert_id_md = EVP_sha1(); /* XXX. This sucks but OCSP is poopy */ 338 cert_id_md = EVP_sha1(); /* XXX. This sucks but OCSP is poopy */
341 if ((id = OCSP_cert_to_id(cert_id_md, cert, issuer)) == NULL) { 339 if ((id = OCSP_cert_to_id(cert_id_md, cert, issuer)) == NULL) {
342 warnx("Unable to get certificate id from cert in %s", file); 340 warnx("Unable to get certificate id from cert in %s", file);
343 return NULL; 341 return NULL;
344 } 342 }
345 if (OCSP_request_add0_id(request->req, id) == NULL) { 343 if (OCSP_request_add0_id(request->req, id) == NULL) {
346 warnx("Unable to add certificate id to request"); 344 warnx("Unable to add certificate id to request");
@@ -360,7 +358,7 @@ ocsp_request_new_from_cert(char *file, int nonce)
360 warnx("Unable to allocte memory"); 358 warnx("Unable to allocte memory");
361 return NULL; 359 return NULL;
362 } 360 }
363 return(request); 361 return (request);
364} 362}
365 363
366 364
@@ -382,13 +380,12 @@ validate_response(char *buf, size_t size, ocsp_request *request,
382 return 0; 380 return 0;
383 } 381 }
384 if ((issuer = issuer_from_chain(request->fullchain)) == NULL) { 382 if ((issuer = issuer_from_chain(request->fullchain)) == NULL) {
385 warnx("Unable to find certificate issuer for cert in %s", 383 warnx("Unable to find certificate issuer for cert in %s", file);
386 file);
387 return 0; 384 return 0;
388 } 385 }
389 if ((cid = OCSP_cert_to_id(NULL, cert, issuer)) == NULL) { 386 if ((cid = OCSP_cert_to_id(NULL, cert, issuer)) == NULL) {
390 warnx("Unable to get issuer cert/CID in %s", file); 387 warnx("Unable to get issuer cert/CID in %s", file);
391 return(0); 388 return 0;
392 } 389 }
393 390
394 if ((resp = d2i_OCSP_RESPONSE(NULL, p, size)) == NULL) { 391 if ((resp = d2i_OCSP_RESPONSE(NULL, p, size)) == NULL) {
@@ -398,7 +395,7 @@ validate_response(char *buf, size_t size, ocsp_request *request,
398 395
399 if ((bresp = OCSP_response_get1_basic(resp)) == NULL) { 396 if ((bresp = OCSP_response_get1_basic(resp)) == NULL) {
400 warnx("Failed to load OCSP response from %s", host); 397 warnx("Failed to load OCSP response from %s", host);
401 return(0); 398 return 0;
402 } 399 }
403 400
404 if (OCSP_basic_verify(bresp, request->fullchain, store, 401 if (OCSP_basic_verify(bresp, request->fullchain, store,
@@ -412,7 +409,7 @@ validate_response(char *buf, size_t size, ocsp_request *request,
412 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 409 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
413 warnx("OCSP Failure: code %d (%s) from host %s", 410 warnx("OCSP Failure: code %d (%s) from host %s",
414 status, OCSP_response_status_str(status), host); 411 status, OCSP_response_status_str(status), host);
415 return(0); 412 return 0;
416 } 413 }
417 dspew("OCSP response status %d from host %s\n", status, host); 414 dspew("OCSP response status %d from host %s\n", status, host);
418 415
@@ -551,8 +548,7 @@ main(int argc, char **argv)
551 staplefd = open(outfile, O_WRONLY|O_CREAT, 548 staplefd = open(outfile, O_WRONLY|O_CREAT,
552 S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH); 549 S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH);
553 if (staplefd < 0) 550 if (staplefd < 0)
554 err(1, "Unable to open output file %s", 551 err(1, "Unable to open output file %s", outfile);
555 outfile);
556 } 552 }
557 553
558 if (pledge("stdio inet rpath dns", NULL) == -1) 554 if (pledge("stdio inet rpath dns", NULL) == -1)
@@ -598,7 +594,6 @@ main(int argc, char **argv)
598 * routines and parsing untrusted input from someone's OCSP 594 * routines and parsing untrusted input from someone's OCSP
599 * server. 595 * server.
600 */ 596 */
601
602 if (pledge("stdio", NULL) == -1) 597 if (pledge("stdio", NULL) == -1)
603 err(1, "pledge"); 598 err(1, "pledge");
604 599
@@ -618,7 +613,7 @@ main(int argc, char **argv)
618 */ 613 */
619 OPENSSL_add_all_algorithms_noconf(); 614 OPENSSL_add_all_algorithms_noconf();
620 if (!validate_response(hget->bodypart, hget->bodypartsz, 615 if (!validate_response(hget->bodypart, hget->bodypartsz,
621 request, castore, host, certfile)) 616 request, castore, host, certfile))
622 exit(1); 617 exit(1);
623 618
624 /* 619 /*
@@ -627,7 +622,7 @@ main(int argc, char **argv)
627 */ 622 */
628 if (staplefd >= 0) { 623 if (staplefd >= 0) {
629 (void) ftruncate(staplefd, 0); 624 (void) ftruncate(staplefd, 0);
630 w = 0 ; 625 w = 0;
631 written = 0; 626 written = 0;
632 while (written < hget->bodypartsz) { 627 while (written < hget->bodypartsz) {
633 w = write(staplefd, hget->bodypart + written, 628 w = write(staplefd, hget->bodypart + written,
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-31 20:31:19 +0000