| author | 2016-11-02 15:18:42 +0000 | |
|---|---|---|
| committer | 2016-11-02 15:18:42 +0000 | |
| commit | 2dc6b4e4bea94e3efa098d1c718af993a0a863d8 (patch) | |
| tree | a1b395678f389813828b6ac267879c15b745413c /lib/libtls/tls.c | |
| parent | Make an empty state on error rather than leaving something partially (diff) | |
| download | wireguard-openbsd-2dc6b4e4bea94e3efa098d1c718af993a0a863d8.tar.xz wireguard-openbsd-2dc6b4e4bea94e3efa098d1c718af993a0a863d8.zip | |
Add OCSP client side support to libtls.
- Provide access to certificate OCSP URL
- Provide ability to check a raw OCSP reply against an
established TLS ctx
- Check and validate OCSP stapling info in the TLS handshake
if a stapled OCSP response is provided.
Add example code to show OCSP URL and stapled info
into netcat.
ok jsing@
Diffstat (limited to 'lib/libtls/tls.c')
| -rw-r--r-- | lib/libtls/tls.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c index 00564edb3c8..cccdb00531a 100644 --- a/lib/libtls/tls.c +++ b/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.49 2016/09/04 12:26:43 bcook Exp $ */ +/* $OpenBSD: tls.c,v 1.50 2016/11/02 15:18:42 beck Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -419,6 +419,9 @@ tls_reset(struct tls *ctx) tls_conninfo_free(ctx->conninfo); ctx->conninfo = NULL; + tls_ocsp_ctx_free(ctx->ocsp_ctx); + ctx->ocsp_ctx = NULL; + for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) { nsni = sni->next; tls_sni_ctx_free(sni); @@ -499,6 +502,8 @@ tls_handshake(struct tls *ctx) ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn); if (tls_conninfo_populate(ctx) == -1) rv = -1; + if (ctx->ocsp_ctx == NULL) + ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx); } out: /* Prevent callers from performing incorrect error handling */ |
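Review bot: In the tls_reset hunk, the new `tls_ocsp_ctx_free(ctx->ocsp_ctx);` must tolerate a NULL argument, because tls_reset runs on contexts that never reached the assignment in tls_handshake (and on a freshly reset one where the line after it has already set `ctx->ocsp_ctx = NULL`). The pattern mirrors the `tls_conninfo_free` / `ctx->conninfo = NULL` pair just above it, which is good; please confirm tls_ocsp_ctx_free is written the same way, or guard the call, so a reset before any handshake cannot dereference NULL.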
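Review bot: In the tls_handshake hunk, the result of `ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);` is not checked, unlike `tls_conninfo_populate` two lines earlier, which sets `rv = -1` on failure. If setup fails (allocation failure, or `ctx->ssl_peer_cert` being NULL because SSL_get_peer_certificate returned nothing), the handshake completes with no OCSP context and the caller cannot tell whether stapling was simply absent or whether validation was skipped. Either treat a NULL return as a handshake error like conninfo, or document that a NULL ocsp_ctx means "no stapled response was validated" so callers of the new OCSP accessors know to check for it. The guard `if (ctx->ocsp_ctx == NULL)` is right for a handshake that is resumed after TLS_WANT_POLLIN/POLLOUT, since it avoids re-running setup; a short comment saying so would help the next reader.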
