openbsd/src/usr.sbin/ocspcheck, branch libressl-v3.2.0

The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find

2020-01-23T03:53:39+00:00

CA certs it couldn't find otherwise. This may lead to a pledge rpath violation reported by Kor, son of Rynar. Unfortunately, providing certs inside a directory is common in linuxes, so we need to keep this functionality for portable. Check if /etc/ssl/cert.pem and /etc/ssl/cert exist and pledge accordingly. Add unveils to restrict this program further on a default OpenBSD install. Fix -C to look only inside the provided root bundle. Input from jsing and sthen, tests by sthen and Kor ok beck, jsing, sthen (after much back and forth)

Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs,

2020-01-11T17:37:19+00:00

it is required by the RFC and some CAs require it (e.g. sectigo). From daharmasterkor at gmail com, ok jca@

When system calls indicate an error they return -1, not some arbitrary

2019-06-28T13:35:02+00:00

value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.

check result of ftruncate() as we do write() below

2019-05-15T13:44:18+00:00

ok beck@

update for libtls default cert changes.

2018-11-29T14:25:07+00:00

bonus: this exposed a few missing const qualifiers.

Use TLS_CA_CERT_FILE instead of a separate define.

2018-11-06T20:41:11+00:00

ok beck@ bluhm@ tb@

Avoid using an uninitialized variable.

2017-12-01T14:42:23+00:00

Found by gcc. OK jca@

add -i to SYNOPSIS/usage() and sundry tweaks;

2017-11-29T21:15:45+00:00

ok beck

Add option -i to allow oscpcheck to be used to validate an on-disk staple

2017-11-28T23:32:00+00:00

ok claudio@ benno@

add missing HISTORY; based on CVS logs and release announcements

2017-10-17T22:47:58+00:00