Add OCSP client side support to libtls.

- Provide access to certificate OCSP URL - Provide ability to check a raw OCSP reply against an established TLS ctx - Check and validate OCSP stapling info in the TLS handshake if a stapled OCSP response is provided.` Add example code to show OCSP URL and stapled info into netcat. ok jsing@
author: beck <> 2016-11-02 15:18:42 +0000
committer: beck <> 2016-11-02 15:18:42 +0000
commit: 5418ce1f48164f4ba5618463049fa69568460f4f (patch)
tree: d759e28afc9aedffba6861487c1680a3f8e3331d /src/usr.bin/nc
parent: cc11de9530a463cf1046e63cc0a8b635aa93cdae (diff)
download: openbsd-5418ce1f48164f4ba5618463049fa69568460f4f.tar.gz
openbsd-5418ce1f48164f4ba5618463049fa69568460f4f.tar.bz2
openbsd-5418ce1f48164f4ba5618463049fa69568460f4f.zip
1 files changed, 37 insertions, 1 deletions
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 3af7d50374..64e77a8b52 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.163 2016/09/03 17:35:34 bcook Exp $ */
+/* $OpenBSD: netcat.c,v 1.164 2016/11/02 15:18:42 beck Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -1518,6 +1518,8 @@ void
 report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
 {
        time_t t;
+        const char *ocsp_url;
        fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
            tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
        fprintf(stderr, "Peer name: %s\n",
@@ -1535,6 +1537,40 @@ report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
        if (tls_peer_cert_hash(tls_ctx))
                fprintf(stderr, "Cert Hash: %s\n",
                    tls_peer_cert_hash(tls_ctx));
+        ocsp_url = tls_peer_ocsp_url(tls_ctx);
+        fprintf(stderr, "OCSP URL: %s\n", ocsp_url == NULL ? "" : ocsp_url);
+        fprintf(stderr, "OCSP Stapling:");
+        switch (tls_peer_ocsp_response_status(tls_ctx)) {
+        case TLS_OCSP_RESPONSE_SUCCESSFUL:
+                fprintf(stderr, " %s\n",
+                    tls_peer_ocsp_result(tls_ctx) == NULL ?  "" :
+                    tls_peer_ocsp_result(tls_ctx));
+                fprintf(stderr,
+                    "  response_status=%d cert_status=%d crl_reason=%d\n",
+                    tls_peer_ocsp_response_status(tls_ctx),
+                    tls_peer_ocsp_cert_status(tls_ctx),
+                    tls_peer_ocsp_crl_reason(tls_ctx));
+                t = tls_peer_ocsp_this_update(tls_ctx);
+                fprintf(stderr, "  this update: %s",
+                    t != -1 ? ctime(&t) : "\n");
+                t =  tls_peer_ocsp_next_update(tls_ctx);
+                fprintf(stderr, "  next update: %s",
+                    t != -1 ? ctime(&t) : "\n");
+                t =  tls_peer_ocsp_revocation_time(tls_ctx);
+                fprintf(stderr, "  revocation: %s",
+                    t != -1 ? ctime(&t) : "\n");
+                break;
+        case -1:
+                fprintf(stderr, "\n");
+                break;
+        default:
+                fprintf(stderr, " failure - response_status %d (%s)\n",
+                    tls_peer_ocsp_response_status(tls_ctx),
+                    tls_peer_ocsp_result(tls_ctx) == NULL ?  "" :
+                    tls_peer_ocsp_result(tls_ctx));
+                break;
+        }
 }
 void
author	beck <>	2016-11-02 15:18:42 +0000
committer	beck <>	2016-11-02 15:18:42 +0000
commit	5418ce1f48164f4ba5618463049fa69568460f4f (patch)
tree	d759e28afc9aedffba6861487c1680a3f8e3331d /src/usr.bin/nc
parent	cc11de9530a463cf1046e63cc0a8b635aa93cdae (diff)
download	openbsd-5418ce1f48164f4ba5618463049fa69568460f4f.tar.gz openbsd-5418ce1f48164f4ba5618463049fa69568460f4f.tar.bz2 openbsd-5418ce1f48164f4ba5618463049fa69568460f4f.zip

diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c index 3af7d50374..64e77a8b52 100644 --- a/src/usr.bin/nc/netcat.c +++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: netcat.c,v 1.163 2016/09/03 17:35:34 bcook Exp $ */	1	/* $OpenBSD: netcat.c,v 1.164 2016/11/02 15:18:42 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>	3	* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
4	* Copyright (c) 2015 Bob Beck. All rights reserved.	4	* Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -1518,6 +1518,8 @@ void
1518	report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)	1518	report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
1519	{	1519	{
1520	time_t t;	1520	time_t t;
		1521	const char *ocsp_url;
		1522
1521	fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",	1523	fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
1522	tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);	1524	tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
1523	fprintf(stderr, "Peer name: %s\n",	1525	fprintf(stderr, "Peer name: %s\n",
@@ -1535,6 +1537,40 @@ report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
1535	if (tls_peer_cert_hash(tls_ctx))	1537	if (tls_peer_cert_hash(tls_ctx))
1536	fprintf(stderr, "Cert Hash: %s\n",	1538	fprintf(stderr, "Cert Hash: %s\n",
1537	tls_peer_cert_hash(tls_ctx));	1539	tls_peer_cert_hash(tls_ctx));
		1540	ocsp_url = tls_peer_ocsp_url(tls_ctx);
		1541	fprintf(stderr, "OCSP URL: %s\n", ocsp_url == NULL ? "" : ocsp_url);
		1542	fprintf(stderr, "OCSP Stapling:");
		1543	switch (tls_peer_ocsp_response_status(tls_ctx)) {
		1544	case TLS_OCSP_RESPONSE_SUCCESSFUL:
		1545	fprintf(stderr, " %s\n",
		1546	tls_peer_ocsp_result(tls_ctx) == NULL ? "" :
		1547	tls_peer_ocsp_result(tls_ctx));
		1548	fprintf(stderr,
		1549	" response_status=%d cert_status=%d crl_reason=%d\n",
		1550	tls_peer_ocsp_response_status(tls_ctx),
		1551	tls_peer_ocsp_cert_status(tls_ctx),
		1552	tls_peer_ocsp_crl_reason(tls_ctx));
		1553	t = tls_peer_ocsp_this_update(tls_ctx);
		1554	fprintf(stderr, " this update: %s",
		1555	t != -1 ? ctime(&t) : "\n");
		1556	t = tls_peer_ocsp_next_update(tls_ctx);
		1557	fprintf(stderr, " next update: %s",
		1558	t != -1 ? ctime(&t) : "\n");
		1559	t = tls_peer_ocsp_revocation_time(tls_ctx);
		1560	fprintf(stderr, " revocation: %s",
		1561	t != -1 ? ctime(&t) : "\n");
		1562	break;
		1563	case -1:
		1564	fprintf(stderr, "\n");
		1565	break;
		1566	default:
		1567	fprintf(stderr, " failure - response_status %d (%s)\n",
		1568	tls_peer_ocsp_response_status(tls_ctx),
		1569	tls_peer_ocsp_result(tls_ctx) == NULL ? "" :
		1570	tls_peer_ocsp_result(tls_ctx));
		1571	break;
		1572
		1573	}
1538	}	1574	}
1539		1575
1540	void	1576	void