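/*
 * Status callback (installed with SSL_CTX_set_tlsext_status_cb) that reports
 * the stapled OCSP response on the connection: a pretty-print if it parses,
 * a hex dump of the raw bytes if it does not.
 *
 * s:   the connection whose stapled response is inspected.
 * arg: the callback user argument; passed straight to BIO_puts() and friends,
 *      so it must be a BIO * the caller wants the report written to.
 * Returns 1 to let the handshake continue (no staple, or a parseable one),
 * 0 to abort it when the stapled bytes do not parse as an OCSP response.
 */
static int ocsp_resp_cb(SSL *s, void *arg)
{
    const unsigned char *p;
    const unsigned char *start;
    long len;
    OCSP_RESPONSE *rsp;

    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
    BIO_puts(arg, "OCSP response: ");
    if (p == NULL) {
        BIO_puts(arg, "no response sent\n");
        return 1;
    }

    /*
     * d2i_*() advances the input cursor as it consumes bytes, and on a
     * failed parse the cursor's final position is not something to rely
     * on. Keep the original start so the dump below shows the whole
     * buffer instead of a pointer/length pair that no longer belong
     * together.
     */
    start = p;
    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (rsp == NULL) {
        BIO_puts(arg, "response parse error\n");
        BIO_dump_indent(arg, (const char *)start, (int)len, 4);
        return 0;
    }

    BIO_puts(arg, "\n======================================\n");
    OCSP_RESPONSE_print(arg, rsp, 0);
    BIO_puts(arg, "======================================\n");
    OCSP_RESPONSE_free(rsp);
    return 1;
}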
/*
 * Client-side status callback for the dummy-staple test: the handshake is
 * accepted only when the server stapled exactly one byte and that byte is
 * dummy_ocsp_resp_good_val.
 *
 * s:   the connection.
 * arg: unused callback argument.
 * Returns 1 on a matching staple, 0 for anything else (including no staple,
 * where the length check fails before the pointer is dereferenced).
 */
static int client_ocsp_cb(SSL *s, void *arg)
{
    const unsigned char *staple;
    int staple_len;

    (void)arg;

    staple_len = SSL_get_tlsext_status_ocsp_resp(s, &staple);
    if (staple_len == 1 && *staple == dummy_ocsp_resp_good_val)
        return 1;

    return 0;
}
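/*
 * Client-side status callback used by the tests: accept the handshake only
 * when the server stapled the expected dummy response held in orespder.
 *
 * s:   the connection.
 * arg: pointer to the test-case selector; only cases 1 and 2 expect a staple,
 *      every other case rejects unconditionally.
 * Returns 1 when the staple matches (and records that in ocsp_client_called),
 * 0 otherwise.
 */
static int ocsp_client_cb(SSL *s, void *arg)
{
    int *argi = (int *)arg;
    const unsigned char *respderin = NULL;
    long len;

    if (*argi != 1 && *argi != 2)
        return 0;

    /*
     * Per the OpenSSL docs SSL_get_tlsext_status_ocsp_resp() returns -1
     * and leaves the pointer NULL when nothing was stapled. The original
     * stored that in a size_t, turning it into SIZE_MAX, and then handed
     * it to memcmp() with a NULL buffer. Reject before touching memory.
     */
    len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
    if (len <= 0 || respderin == NULL)
        return 0;

    /*
     * NOTE(review): this compares only the first len bytes of orespder, so a
     * staple that is a proper prefix of orespder is still accepted and one
     * longer than orespder overreads it. Tightening this to an exact-length
     * match needs orespder's declared size, which is not visible here.
     */
    if (memcmp(orespder, respderin, (size_t)len) != 0)
        return 0;

    ocsp_client_called = 1;
    return 1;
}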
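/*
 * Connect to host:port over TLS, ask for a stapled OCSP response and verify
 * it end to end: the response must parse, be "successful", be signed by a
 * responder that chains to the trust store, cover the peer's leaf
 * certificate, be inside its validity window, and say GOOD.
 *
 * argv[1] is the host, argv[2] the port (passed to tcp_connect()). Exits
 * non-zero on any failure; the exit(-1)/errx(-1) codes of the original are
 * kept as-is.
 */
int main(int argc, char *argv[])
{
    int sd, ocsp_status, cert_status, reason, i;
    const unsigned char *p;
    long len;
    OCSP_RESPONSE *rsp = NULL;
    OCSP_BASICRESP *br = NULL;
    OCSP_CERTID *id = NULL;
    ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd = NULL;
    X509_STORE *st = NULL;
    STACK_OF(X509) *ch = NULL;
    X509 *peer = NULL, *issuer = NULL;
    char *host, *port;
#ifdef _PATH_SSL_CA_FILE
    char *cafile = _PATH_SSL_CA_FILE;
#else
    char *cafile = "/etc/ssl/cert.pem";
#endif
    SSL *ssl;
    SSL_CTX *ctx;

    if (argc != 3)
        errx(-1, "need a host and port to connect to");
    host = argv[1];
    port = argv[2];

    SSL_library_init();
    SSL_load_error_strings();

    ctx = SSL_CTX_new(SSLv23_client_method());
    if (ctx == NULL)
        errx(-1, "SSL_CTX_new failed");
    if (!SSL_CTX_load_verify_locations(ctx, cafile, NULL)) {
        printf("failed to load %s\n", cafile);
        exit(-1);
    }

    sd = tcp_connect(host, port);
    ssl = SSL_new(ctx);
    if (ssl == NULL)
        errx(-1, "SSL_new failed");
    SSL_set_fd(ssl, sd);

    /*
     * Send SNI and bind chain verification to the dialled host name.
     * SSL_get_verify_result() alone only proves the chain leads to a
     * trusted CA; without set1_host a certificate for any other name that
     * CA has issued would pass. (X509_VERIFY_PARAM_set1_host needs
     * OpenSSL 1.0.2+ or LibreSSL.)
     */
    SSL_set_tlsext_host_name(ssl, host);
    if (!X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl), host, 0))
        errx(-1, "failed to set verification host name");

    SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);

    if (SSL_connect(ssl) <= 0) {
        printf("SSL connect error\n");
        exit(-1);
    }
    if (SSL_get_verify_result(ssl) != X509_V_OK) {
        printf("Certificate doesn't verify from host %s port %s\n", host, port);
        exit(-1);
    }

    /* ==== VERIFY OCSP RESPONSE ==== */
    len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
    if (p == NULL) {
        printf("No OCSP response received for %s port %s\n", host, port);
        exit(-1);
    }
    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (rsp == NULL) {
        puts("Invalid OCSP response");
        exit(-1);
    }
    ocsp_status = OCSP_response_status(rsp);
    if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
        /* The original message lacked its trailing newline. */
        printf("Invalid OCSP response status: %s (%d)\n",
            OCSP_response_status_str(ocsp_status), ocsp_status);
        exit(-1);
    }
    br = OCSP_response_get1_basic(rsp);
    if (br == NULL) {
        puts("Invalid OCSP response");
        exit(-1);
    }

    ch = SSL_get_peer_cert_chain(ssl);
    st = SSL_CTX_get_cert_store(ctx);
    if (ch == NULL || st == NULL || OCSP_basic_verify(br, ch, st, 0) <= 0) {
        puts("OCSP response verification failed");
        exit(-1);
    }

    /*
     * OCSP_basic_verify() only establishes that the response was signed by
     * a responder the store trusts. It says nothing about which certificate
     * the response is about or what it says, so a trusted-but-"revoked"
     * answer, or a GOOD answer for some unrelated certificate, would have
     * passed the original code. Bind the response to the peer's leaf via
     * its CertID and insist on GOOD within the response's validity window.
     */
    peer = SSL_get_peer_certificate(ssl);
    if (peer == NULL) {
        puts("No peer certificate");
        exit(-1);
    }
    for (i = 0; i < sk_X509_num(ch); i++) {
        X509 *cand = sk_X509_value(ch, i);
        if (X509_check_issued(cand, peer) == X509_V_OK) {
            issuer = cand;
            break;
        }
    }
    if (issuer == NULL) {
        puts("Issuer of peer certificate not found in chain");
        exit(-1);
    }
    id = OCSP_cert_to_id(NULL, peer, issuer);
    if (id == NULL ||
        !OCSP_resp_find_status(br, id, &cert_status, &reason, &revtime,
            &thisupd, &nextupd)) {
        puts("OCSP response does not cover the peer certificate");
        exit(-1);
    }
    /* Allow 300 s of clock skew; -1 puts no cap on the age of thisUpdate. */
    if (!OCSP_check_validity(thisupd, nextupd, 300, -1)) {
        puts("OCSP response is outside its validity window");
        exit(-1);
    }
    if (cert_status != V_OCSP_CERTSTATUS_GOOD) {
        printf("OCSP status for peer certificate is %s, not good\n",
            OCSP_cert_status_str(cert_status));
        exit(-1);
    }

    printf("OCSP validated from %s %s\n", host, port);

    OCSP_CERTID_free(id);
    X509_free(peer);
    OCSP_BASICRESP_free(br);
    OCSP_RESPONSE_free(rsp);
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return 0;
}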