1 /* $OpenBSD: ocsp_test.c,v 1.7 2023/07/07 19:54:36 bcook Exp $ */ 2 /* 3 * Copyright (c) 2016 Bob Beck <beck@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <stdio.h> 19 #include <netdb.h> 20 #include <stdlib.h> 21 #include <unistd.h> 22 #include <err.h> 23 #include <sys/socket.h> 24 25 #include <openssl/ssl.h> 26 #include <openssl/ocsp.h> 27 28 static int 29 tcp_connect(char *host, char *port) 30 { 31 int error, sd = -1; 32 struct addrinfo hints, *res, *r; 33 34 memset(&hints, 0, sizeof(struct addrinfo)); 35 hints.ai_family = AF_INET; 36 hints.ai_socktype = SOCK_STREAM; 37 38 if (BIO_sock_init() != 1) { 39 perror("BIO_sock_init()"); 40 exit(-1); 41 } 42 43 error = getaddrinfo(host, port, &hints, &res); 44 if (error != 0) { 45 perror("getaddrinfo()"); 46 exit(-1); 47 } 48 49 for (r = res; r != NULL; r = r->ai_next) { 50 sd = socket(r->ai_family, r->ai_socktype, r->ai_protocol); 51 if (sd == -1) 52 continue; 53 54 if (connect(sd, r->ai_addr, r->ai_addrlen) == 0) 55 break; 56 57 close(sd); 58 } 59 60 freeaddrinfo(res); 61 62 return sd; 63 } 64 65 int 66 main(int argc, char *argv[]) 67 { 68 int sd, ocsp_status; 69 const unsigned char *p; 70 long len; 71 OCSP_RESPONSE *rsp = NULL; 72 OCSP_BASICRESP *br = NULL; 73 X509_STORE *st = NULL; 74 STACK_OF(X509) *ch = NULL; 75 char *host, *port; 76 #ifdef _PATH_SSL_CA_FILE 77 char *cafile = _PATH_SSL_CA_FILE; 78 #else 79 char *cafile = "/etc/ssl/cert.pem"; 80 #endif 81 82 SSL *ssl; 83 SSL_CTX *ctx; 84 85 SSL_library_init(); 86 SSL_load_error_strings(); 87 88 ctx = SSL_CTX_new(SSLv23_client_method()); 89 90 if (!SSL_CTX_load_verify_locations(ctx, cafile, NULL)) { 91 printf("failed to load %s\n", cafile); 92 exit(-1); 93 } 94 95 if (argc != 3) 96 errx(-1, "need a host and port to connect to"); 97 else { 98 host = argv[1]; 99 port = argv[2]; 100 } 101 102 sd = tcp_connect(host, port); 103 104 ssl = SSL_new(ctx); 105 106 SSL_set_fd(ssl, (int) sd); 107 SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); 108 109 if (SSL_connect(ssl) <= 0) { 110 printf("SSL connect error\n"); 111 exit(-1); 112 } 113 114 if (SSL_get_verify_result(ssl) != X509_V_OK) { 115 printf("Certificate doesn't verify from host %s port %s\n", host, port); 116 exit(-1); 117 } 118 119 /* ==== VERIFY OCSP RESPONSE ==== */ 120 121 122 len = SSL_get_tlsext_status_ocsp_resp(ssl, &p); 123 124 if (!p) { 125 printf("No OCSP response received for %s port %s\n", host, port); 126 exit(-1); 127 } 128 129 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 130 if (!rsp) { 131 puts("Invalid OCSP response"); 132 exit(-1); 133 } 134 135 ocsp_status = OCSP_response_status(rsp); 136 if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 137 printf("Invalid OCSP response status: %s (%d)", 138 OCSP_response_status_str(ocsp_status), ocsp_status); 139 exit(-1); 140 } 141 142 br = OCSP_response_get1_basic(rsp); 143 if (!br) { 144 puts("Invalid OCSP response"); 145 exit(-1); 146 } 147 148 ch = SSL_get_peer_cert_chain(ssl); 149 st = SSL_CTX_get_cert_store(ctx); 150 151 if (OCSP_basic_verify(br, ch, st, 0) <= 0) { 152 puts("OCSP response verification failed"); 153 exit(-1); 154 } 155 156 printf("OCSP validated from %s %s\n", host, port); 157 158 return 0; 159 } 160