Add OCSP client side support to libtls.

   - Provide access to certificate OCSP URL
   - Provide ability to check a raw OCSP reply against an
     established TLS ctx
   - Check and validate OCSP stapling info in the TLS handshake
     if a stapled OCSP response is provided.`

Add example code to show OCSP URL and stapled info
into netcat.

ok jsing@

1 files changed, 6 insertions, 1 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 00564edb3c..cccdb00531 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.49 2016/09/04 12:26:43 bcook Exp $ */
+/* $OpenBSD: tls.c,v 1.50 2016/11/02 15:18:42 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -419,6 +419,9 @@ tls_reset(struct tls *ctx)
         tls_conninfo_free(ctx->conninfo);
         ctx->conninfo = NULL;
 
+        tls_ocsp_ctx_free(ctx->ocsp_ctx);
+        ctx->ocsp_ctx = NULL;
+        
         for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {
                 nsni = sni->next;
                 tls_sni_ctx_free(sni);
@@ -499,6 +502,8 @@ tls_handshake(struct tls *ctx)
                 ctx->ssl_peer_cert =  SSL_get_peer_certificate(ctx->ssl_conn);
                 if (tls_conninfo_populate(ctx) == -1)
                     rv = -1;
+                if (ctx->ocsp_ctx == NULL)
+                        ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);
         }
  out:
         /* Prevent callers from performing incorrect error handling */