1*d75fd186Sbcook /* $OpenBSD: ocsp_test.c,v 1.7 2023/07/07 19:54:36 bcook Exp $ */
2ba1a24e2Stb /*
3ba1a24e2Stb * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
4ba1a24e2Stb *
5ba1a24e2Stb * Permission to use, copy, modify, and distribute this software for any
6ba1a24e2Stb * purpose with or without fee is hereby granted, provided that the above
7ba1a24e2Stb * copyright notice and this permission notice appear in all copies.
8ba1a24e2Stb *
9ba1a24e2Stb * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10ba1a24e2Stb * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11ba1a24e2Stb * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12ba1a24e2Stb * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13ba1a24e2Stb * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14ba1a24e2Stb * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15ba1a24e2Stb * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16ba1a24e2Stb */
17657b055cStb
18cee14f7bSbeck #include <stdio.h>
19cee14f7bSbeck #include <netdb.h>
20cee14f7bSbeck #include <stdlib.h>
21cee14f7bSbeck #include <unistd.h>
22c12b6da0Sbeck #include <err.h>
23cee14f7bSbeck #include <sys/socket.h>
24cee14f7bSbeck
25cee14f7bSbeck #include <openssl/ssl.h>
26cee14f7bSbeck #include <openssl/ocsp.h>
27cee14f7bSbeck
2803b6db95Sjsing static int
tcp_connect(char * host,char * port)2903b6db95Sjsing tcp_connect(char *host, char *port)
3003b6db95Sjsing {
31c12b6da0Sbeck int error, sd = -1;
32cee14f7bSbeck struct addrinfo hints, *res, *r;
33cee14f7bSbeck
34cee14f7bSbeck memset(&hints, 0, sizeof(struct addrinfo));
35cee14f7bSbeck hints.ai_family = AF_INET;
36cee14f7bSbeck hints.ai_socktype = SOCK_STREAM;
37cee14f7bSbeck
38*d75fd186Sbcook if (BIO_sock_init() != 1) {
39*d75fd186Sbcook perror("BIO_sock_init()");
40*d75fd186Sbcook exit(-1);
41*d75fd186Sbcook }
42*d75fd186Sbcook
43c12b6da0Sbeck error = getaddrinfo(host, port, &hints, &res);
44c12b6da0Sbeck if (error != 0) {
45cee14f7bSbeck perror("getaddrinfo()");
46cee14f7bSbeck exit(-1);
47cee14f7bSbeck }
48cee14f7bSbeck
49cee14f7bSbeck for (r = res; r != NULL; r = r->ai_next) {
50cee14f7bSbeck sd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
51cee14f7bSbeck if (sd == -1)
52cee14f7bSbeck continue;
53cee14f7bSbeck
54cee14f7bSbeck if (connect(sd, r->ai_addr, r->ai_addrlen) == 0)
55cee14f7bSbeck break;
56cee14f7bSbeck
57cee14f7bSbeck close(sd);
58cee14f7bSbeck }
59cee14f7bSbeck
60cee14f7bSbeck freeaddrinfo(res);
61cee14f7bSbeck
62cee14f7bSbeck return sd;
63cee14f7bSbeck }
64cee14f7bSbeck
6503b6db95Sjsing int
main(int argc,char * argv[])6603b6db95Sjsing main(int argc, char *argv[])
6703b6db95Sjsing {
68cee14f7bSbeck int sd, ocsp_status;
69cee14f7bSbeck const unsigned char *p;
70cee14f7bSbeck long len;
71cee14f7bSbeck OCSP_RESPONSE *rsp = NULL;
72cee14f7bSbeck OCSP_BASICRESP *br = NULL;
73cee14f7bSbeck X509_STORE *st = NULL;
74cee14f7bSbeck STACK_OF(X509) *ch = NULL;
75c12b6da0Sbeck char *host, *port;
76ae58e10bSbcook #ifdef _PATH_SSL_CA_FILE
77ae58e10bSbcook char *cafile = _PATH_SSL_CA_FILE;
78ae58e10bSbcook #else
79ae58e10bSbcook char *cafile = "/etc/ssl/cert.pem";
80ae58e10bSbcook #endif
81cee14f7bSbeck
82cee14f7bSbeck SSL *ssl;
83cee14f7bSbeck SSL_CTX *ctx;
84cee14f7bSbeck
85cee14f7bSbeck SSL_library_init();
86cee14f7bSbeck SSL_load_error_strings();
87cee14f7bSbeck
88cee14f7bSbeck ctx = SSL_CTX_new(SSLv23_client_method());
89cee14f7bSbeck
90ae58e10bSbcook if (!SSL_CTX_load_verify_locations(ctx, cafile, NULL)) {
91ae58e10bSbcook printf("failed to load %s\n", cafile);
92ae58e10bSbcook exit(-1);
93ae58e10bSbcook }
94cee14f7bSbeck
95c12b6da0Sbeck if (argc != 3)
96c12b6da0Sbeck errx(-1, "need a host and port to connect to");
97c12b6da0Sbeck else {
98c12b6da0Sbeck host = argv[1];
99c12b6da0Sbeck port = argv[2];
100c12b6da0Sbeck }
101c12b6da0Sbeck
102c12b6da0Sbeck sd = tcp_connect(host, port);
103cee14f7bSbeck
104cee14f7bSbeck ssl = SSL_new(ctx);
105cee14f7bSbeck
106cee14f7bSbeck SSL_set_fd(ssl, (int) sd);
107cee14f7bSbeck SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
108cee14f7bSbeck
109cee14f7bSbeck if (SSL_connect(ssl) <= 0) {
110c12b6da0Sbeck printf("SSL connect error\n");
111cee14f7bSbeck exit(-1);
112cee14f7bSbeck }
113cee14f7bSbeck
114cee14f7bSbeck if (SSL_get_verify_result(ssl) != X509_V_OK) {
115c12b6da0Sbeck printf("Certificate doesn't verify from host %s port %s\n", host, port);
116cee14f7bSbeck exit(-1);
117cee14f7bSbeck }
118cee14f7bSbeck
119cee14f7bSbeck /* ==== VERIFY OCSP RESPONSE ==== */
120cee14f7bSbeck
121cee14f7bSbeck
122cee14f7bSbeck len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
123cee14f7bSbeck
124cee14f7bSbeck if (!p) {
125c12b6da0Sbeck printf("No OCSP response received for %s port %s\n", host, port);
126cee14f7bSbeck exit(-1);
127cee14f7bSbeck }
128cee14f7bSbeck
129cee14f7bSbeck rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
130cee14f7bSbeck if (!rsp) {
131cee14f7bSbeck puts("Invalid OCSP response");
132cee14f7bSbeck exit(-1);
133cee14f7bSbeck }
134cee14f7bSbeck
135cee14f7bSbeck ocsp_status = OCSP_response_status(rsp);
136cee14f7bSbeck if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
137cee14f7bSbeck printf("Invalid OCSP response status: %s (%d)",
138cee14f7bSbeck OCSP_response_status_str(ocsp_status), ocsp_status);
139cee14f7bSbeck exit(-1);
140cee14f7bSbeck }
141cee14f7bSbeck
142cee14f7bSbeck br = OCSP_response_get1_basic(rsp);
143cee14f7bSbeck if (!br) {
144cee14f7bSbeck puts("Invalid OCSP response");
145cee14f7bSbeck exit(-1);
146cee14f7bSbeck }
147cee14f7bSbeck
148cee14f7bSbeck ch = SSL_get_peer_cert_chain(ssl);
149cee14f7bSbeck st = SSL_CTX_get_cert_store(ctx);
150cee14f7bSbeck
151cee14f7bSbeck if (OCSP_basic_verify(br, ch, st, 0) <= 0) {
152cee14f7bSbeck puts("OCSP response verification failed");
153cee14f7bSbeck exit(-1);
154cee14f7bSbeck }
155cee14f7bSbeck
156c12b6da0Sbeck printf("OCSP validated from %s %s\n", host, port);
157cee14f7bSbeck
158cee14f7bSbeck return 0;
159cee14f7bSbeck }
160