@@ -127,6 +127,7 @@ struct Options {
127127 on_initial_expect_curve_id : Option < NamedGroup > ,
128128 on_resume_expect_curve_id : Option < NamedGroup > ,
129129 wait_for_debugger : bool ,
130+ ocsp : OcspValidation ,
130131}
131132
132133impl Options {
@@ -197,6 +198,7 @@ impl Options {
197198 on_initial_expect_curve_id : None ,
198199 on_resume_expect_curve_id : None ,
199200 wait_for_debugger : false ,
201+ ocsp : OcspValidation :: default ( ) ,
200202 }
201203 }
202204
@@ -411,10 +413,11 @@ impl ClientCertVerifier for DummyClientAuth {
411413#[ derive( Debug ) ]
412414struct DummyServerAuth {
413415 parent : Arc < dyn ServerCertVerifier > ,
416+ ocsp : OcspValidation ,
414417}
415418
416419impl DummyServerAuth {
417- fn new ( trusted_cert_file : & str ) -> Self {
420+ fn new ( trusted_cert_file : & str , ocsp : OcspValidation ) -> Self {
418421 Self {
419422 parent : WebPkiServerVerifier :: builder_with_provider (
420423 load_root_certs ( trusted_cert_file) ,
@@ -424,6 +427,7 @@ impl DummyServerAuth {
424427 )
425428 . build ( )
426429 . unwrap ( ) ,
430+ ocsp,
427431 }
428432 }
429433}
@@ -437,6 +441,9 @@ impl ServerCertVerifier for DummyServerAuth {
437441 _ocsp : & [ u8 ] ,
438442 _now : UnixTime ,
439443 ) -> Result < ServerCertVerified , Error > {
444+ if let OcspValidation :: Reject = self . ocsp {
445+ return Err ( CertificateError :: InvalidOcspResponse . into ( ) ) ;
446+ }
440447 Ok ( ServerCertVerified :: assertion ( ) )
441448 }
442449
@@ -465,6 +472,16 @@ impl ServerCertVerifier for DummyServerAuth {
465472 }
466473}
467474
475+ #[ derive( Clone , Copy , Debug , Default ) ]
476+ enum OcspValidation {
477+ /// Totally ignore `ocsp_response` value
478+ #[ default]
479+ None ,
480+
481+ /// Return an error (irrespective of `ocsp_response` value)
482+ Reject ,
483+ }
484+
468485#[ derive( Debug ) ]
469486struct FixedSignatureSchemeSigningKey {
470487 key : Arc < dyn sign:: SigningKey > ,
@@ -807,7 +824,10 @@ fn make_client_cfg(opts: &Options) -> Arc<ClientConfig> {
807824
808825 let cfg = cfg
809826 . dangerous ( )
810- . with_custom_certificate_verifier ( Arc :: new ( DummyServerAuth :: new ( & opts. trusted_cert_file ) ) ) ;
827+ . with_custom_certificate_verifier ( Arc :: new ( DummyServerAuth :: new (
828+ & opts. trusted_cert_file ,
829+ opts. ocsp ,
830+ ) ) ) ;
811831
812832 let mut cfg = if !opts. cert_file . is_empty ( ) && !opts. key_file . is_empty ( ) {
813833 let cert = CertificateDer :: pem_file_iter ( & opts. cert_file )
@@ -1016,6 +1036,10 @@ fn handle_err(opts: &Options, err: Error) -> ! {
10161036 Error :: InvalidCertificate ( CertificateError :: UnsupportedSignatureAlgorithm ) => {
10171037 quit ( ":WRONG_SIGNATURE_TYPE:" )
10181038 }
1039+ Error :: InvalidCertificate ( CertificateError :: InvalidOcspResponse ) => {
1040+ // note: only use is in this file.
1041+ quit ( ":OCSP_CB_ERROR:" )
1042+ }
10191043 Error :: InvalidCertificate ( e) => quit ( & format ! ( ":BAD_CERT: ({e:?})" ) ) ,
10201044 Error :: PeerSentOversizedRecord => quit ( ":DATA_LENGTH_TOO_LONG:" ) ,
10211045 _ => {
@@ -1645,6 +1669,9 @@ pub fn main() {
16451669 "-server-preference" => {
16461670 opts. server_preference = true ;
16471671 }
1672+ "-fail-ocsp-callback" => {
1673+ opts. ocsp = OcspValidation :: Reject ;
1674+ }
16481675 "-wait-for-debugger" => {
16491676 #[ cfg( windows) ]
16501677 {
@@ -1669,6 +1696,7 @@ pub fn main() {
16691696 "-expect-no-session" |
16701697 "-expect-ticket-renewal" |
16711698 "-enable-ocsp-stapling" |
1699+ "-use-ocsp-callback" |
16721700 "-forbid-renegotiation-after-handshake" |
16731701 // internal openssl details:
16741702 "-async" |
0 commit comments