1 /* $OpenBSD: ocspcheck.c,v 1.32 2023/11/13 11:46:24 tb Exp $ */ 2 3 /* 4 * Copyright (c) 2017,2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <arpa/inet.h> 20 #include <netinet/in.h> 21 #include <sys/socket.h> 22 #include <sys/stat.h> 23 24 #include <err.h> 25 #include <fcntl.h> 26 #include <limits.h> 27 #include <netdb.h> 28 #include <poll.h> 29 #include <stdio.h> 30 #include <stdlib.h> 31 #include <string.h> 32 #include <time.h> 33 #include <unistd.h> 34 35 #include <openssl/err.h> 36 #include <openssl/ocsp.h> 37 #include <openssl/ssl.h> 38 39 #include "http.h" 40 41 #define MAXAGE_SEC (14*24*60*60) 42 #define JITTER_SEC (60) 43 #define OCSP_MAX_RESPONSE_SIZE (20480) 44 45 typedef struct ocsp_request { 46 STACK_OF(X509) *fullchain; 47 OCSP_REQUEST *req; 48 char *url; 49 unsigned char *data; 50 size_t size; 51 int nonce; 52 } ocsp_request; 53 54 int verbose; 55 #define vspew(fmt, ...) \ 56 do { if (verbose >= 1) fprintf(stderr, fmt, __VA_ARGS__); } while (0) 57 #define dspew(fmt, ...) \ 58 do { if (verbose >= 2) fprintf(stderr, fmt, __VA_ARGS__); } while (0) 59 60 #define MAX_SERVERS_DNS 8 61 62 struct addr { 63 int family; /* 4 for PF_INET, 6 for PF_INET6 */ 64 char ip[INET6_ADDRSTRLEN]; 65 }; 66 67 static ssize_t 68 host_dns(const char *s, struct addr vec[MAX_SERVERS_DNS]) 69 { 70 struct addrinfo hints, *res0, *res; 71 int error; 72 ssize_t vecsz; 73 struct sockaddr *sa; 74 75 memset(&hints, 0, sizeof(hints)); 76 hints.ai_family = PF_UNSPEC; 77 hints.ai_socktype = SOCK_DGRAM; /* DUMMY */ 78 79 error = getaddrinfo(s, NULL, &hints, &res0); 80 81 if (error == EAI_AGAIN || 82 #ifdef EAI_NODATA 83 error == EAI_NODATA || 84 #endif 85 error == EAI_NONAME) 86 return 0; 87 88 if (error) { 89 warnx("%s: parse error: %s", s, gai_strerror(error)); 90 return -1; 91 } 92 93 for (vecsz = 0, res = res0; 94 res != NULL && vecsz < MAX_SERVERS_DNS; 95 res = res->ai_next) { 96 if (res->ai_family != AF_INET && 97 res->ai_family != AF_INET6) 98 continue; 99 100 sa = res->ai_addr; 101 102 if (res->ai_family == AF_INET) { 103 vec[vecsz].family = 4; 104 inet_ntop(AF_INET, 105 &(((struct sockaddr_in *)sa)->sin_addr), 106 vec[vecsz].ip, INET6_ADDRSTRLEN); 107 } else { 108 vec[vecsz].family = 6; 109 inet_ntop(AF_INET6, 110 &(((struct sockaddr_in6 *)sa)->sin6_addr), 111 vec[vecsz].ip, INET6_ADDRSTRLEN); 112 } 113 114 dspew("DNS returns %s for %s\n", vec[vecsz].ip, s); 115 vecsz++; 116 } 117 118 freeaddrinfo(res0); 119 return vecsz; 120 } 121 122 /* 123 * Extract the domain and port from a URL. 124 * The url must be formatted as schema://address[/stuff]. 125 * This returns NULL on failure. 126 */ 127 static char * 128 url2host(const char *host, short *port, char **path) 129 { 130 char *url, *ep; 131 132 /* We only understand HTTP and HTTPS. */ 133 134 if (strncmp(host, "https://", 8) == 0) { 135 *port = 443; 136 if ((url = strdup(host + 8)) == NULL) { 137 warn("strdup"); 138 return (NULL); 139 } 140 } else if (strncmp(host, "http://", 7) == 0) { 141 *port = 80; 142 if ((url = strdup(host + 7)) == NULL) { 143 warn("strdup"); 144 return (NULL); 145 } 146 } else { 147 warnx("%s: unknown schema", host); 148 return (NULL); 149 } 150 151 /* Terminate path part. */ 152 153 if ((ep = strchr(url, '/')) != NULL) { 154 *path = strdup(ep); 155 *ep = '\0'; 156 } else 157 *path = strdup("/"); 158 159 if (*path == NULL) { 160 warn("strdup"); 161 free(url); 162 return (NULL); 163 } 164 165 /* Check to see if there is a port in the url */ 166 if ((ep = strchr(url, ':')) != NULL) { 167 const char *errstr; 168 short pp; 169 pp = strtonum(ep + 1, 1, SHRT_MAX, &errstr); 170 if (errstr != NULL) { 171 warnx("error parsing port from '%s': %s", url, errstr); 172 free(url); 173 free(*path); 174 return NULL; 175 } 176 *port = pp; 177 *ep = '\0'; 178 } 179 180 return (url); 181 } 182 183 static time_t 184 parse_ocsp_time(ASN1_GENERALIZEDTIME *gt) 185 { 186 struct tm tm; 187 time_t rv = -1; 188 189 if (gt == NULL) 190 return -1; 191 /* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */ 192 if (!ASN1_GENERALIZEDTIME_check(gt)) 193 return -1; 194 if (!ASN1_TIME_to_tm(gt, &tm)) 195 return -1; 196 if ((rv = timegm(&tm)) == -1) 197 return -1; 198 return rv; 199 } 200 201 static X509_STORE * 202 read_cacerts(const char *file, const char *dir) 203 { 204 X509_STORE *store = NULL; 205 X509_LOOKUP *lookup; 206 207 if (file == NULL && dir == NULL) { 208 warnx("No CA certs to load"); 209 goto end; 210 } 211 if ((store = X509_STORE_new()) == NULL) { 212 warnx("Malloc failed"); 213 goto end; 214 } 215 if (file != NULL) { 216 if ((lookup = X509_STORE_add_lookup(store, 217 X509_LOOKUP_file())) == NULL) { 218 warnx("Unable to load CA cert file"); 219 goto end; 220 } 221 if (!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) { 222 warnx("Unable to load CA certs from file %s", file); 223 goto end; 224 } 225 } 226 if (dir != NULL) { 227 if ((lookup = X509_STORE_add_lookup(store, 228 X509_LOOKUP_hash_dir())) == NULL) { 229 warnx("Unable to load CA cert directory"); 230 goto end; 231 } 232 if (!X509_LOOKUP_add_dir(lookup, dir, X509_FILETYPE_PEM)) { 233 warnx("Unable to load CA certs from directory %s", dir); 234 goto end; 235 } 236 } 237 return store; 238 239 end: 240 X509_STORE_free(store); 241 return NULL; 242 } 243 244 static STACK_OF(X509) * 245 read_fullchain(const char *file, int *count) 246 { 247 int i; 248 BIO *bio; 249 STACK_OF(X509_INFO) *xis = NULL; 250 X509_INFO *xi; 251 STACK_OF(X509) *rv = NULL; 252 253 *count = 0; 254 255 if ((bio = BIO_new_file(file, "r")) == NULL) { 256 warn("Unable to read a certificate from %s", file); 257 goto end; 258 } 259 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) { 260 warnx("Unable to read PEM format from %s", file); 261 goto end; 262 } 263 if (sk_X509_INFO_num(xis) <= 0) { 264 warnx("No certificates in file %s", file); 265 goto end; 266 } 267 if ((rv = sk_X509_new_null()) == NULL) { 268 warnx("malloc failed"); 269 goto end; 270 } 271 272 for (i = 0; i < sk_X509_INFO_num(xis); i++) { 273 xi = sk_X509_INFO_value(xis, i); 274 if (xi->x509 == NULL) 275 continue; 276 if (!sk_X509_push(rv, xi->x509)) { 277 warnx("unable to build x509 chain"); 278 sk_X509_pop_free(rv, X509_free); 279 rv = NULL; 280 goto end; 281 } 282 xi->x509 = NULL; 283 (*count)++; 284 } 285 end: 286 BIO_free(bio); 287 sk_X509_INFO_pop_free(xis, X509_INFO_free); 288 return rv; 289 } 290 291 static inline X509 * 292 cert_from_chain(STACK_OF(X509) *fullchain) 293 { 294 return sk_X509_value(fullchain, 0); 295 } 296 297 static const X509 * 298 issuer_from_chain(STACK_OF(X509) *fullchain) 299 { 300 const X509 *cert; 301 X509_NAME *issuer_name; 302 303 cert = cert_from_chain(fullchain); 304 if ((issuer_name = X509_get_issuer_name(cert)) == NULL) 305 return NULL; 306 307 return X509_find_by_subject(fullchain, issuer_name); 308 } 309 310 static ocsp_request * 311 ocsp_request_new_from_cert(const char *cadir, char *file, int nonce) 312 { 313 X509 *cert; 314 int count = 0; 315 OCSP_CERTID *id = NULL; 316 ocsp_request *request = NULL; 317 const EVP_MD *cert_id_md = NULL; 318 const X509 *issuer; 319 STACK_OF(OPENSSL_STRING) *urls = NULL; 320 321 if ((request = calloc(1, sizeof(ocsp_request))) == NULL) { 322 warn("malloc"); 323 goto err; 324 } 325 326 if ((request->req = OCSP_REQUEST_new()) == NULL) 327 goto err; 328 329 request->fullchain = read_fullchain(file, &count); 330 if (cadir == NULL) { 331 /* Drop rpath from pledge, we don't need to read anymore */ 332 if (pledge("stdio inet dns", NULL) == -1) 333 err(1, "pledge"); 334 } 335 if (request->fullchain == NULL) { 336 warnx("Unable to read cert chain from file %s", file); 337 goto err; 338 } 339 if (count <= 1) { 340 warnx("File %s does not contain a cert chain", file); 341 goto err; 342 } 343 if ((cert = cert_from_chain(request->fullchain)) == NULL) { 344 warnx("No certificate found in %s", file); 345 goto err; 346 } 347 if ((issuer = issuer_from_chain(request->fullchain)) == NULL) { 348 warnx("Unable to find issuer for cert in %s", file); 349 goto err; 350 } 351 352 urls = X509_get1_ocsp(cert); 353 if (urls == NULL || sk_OPENSSL_STRING_num(urls) <= 0) { 354 warnx("Certificate in %s contains no OCSP url", file); 355 goto err; 356 } 357 if ((request->url = strdup(sk_OPENSSL_STRING_value(urls, 0))) == NULL) 358 goto err; 359 X509_email_free(urls); 360 urls = NULL; 361 362 cert_id_md = EVP_sha1(); /* XXX. This sucks but OCSP is poopy */ 363 if ((id = OCSP_cert_to_id(cert_id_md, cert, issuer)) == NULL) { 364 warnx("Unable to get certificate id from cert in %s", file); 365 goto err; 366 } 367 if (OCSP_request_add0_id(request->req, id) == NULL) { 368 warnx("Unable to add certificate id to request"); 369 goto err; 370 } 371 id = NULL; 372 373 request->nonce = nonce; 374 if (request->nonce) 375 OCSP_request_add1_nonce(request->req, NULL, -1); 376 377 if ((request->size = i2d_OCSP_REQUEST(request->req, 378 &request->data)) <= 0) { 379 warnx("Unable to encode ocsp request"); 380 goto err; 381 } 382 if (request->data == NULL) { 383 warnx("Unable to allocate memory"); 384 goto err; 385 } 386 return request; 387 388 err: 389 if (request != NULL) { 390 sk_X509_pop_free(request->fullchain, X509_free); 391 free(request->url); 392 OCSP_REQUEST_free(request->req); 393 free(request->data); 394 } 395 X509_email_free(urls); 396 OCSP_CERTID_free(id); 397 free(request); 398 return NULL; 399 } 400 401 402 int 403 validate_response(char *buf, size_t size, ocsp_request *request, 404 X509_STORE *store, char *host, char *file) 405 { 406 ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd = NULL; 407 const unsigned char **p = (const unsigned char **)&buf; 408 int status, cert_status = 0, crl_reason = 0; 409 time_t now, rev_t = -1, this_t, next_t; 410 OCSP_RESPONSE *resp = NULL; 411 OCSP_BASICRESP *bresp = NULL; 412 OCSP_CERTID *cid = NULL; 413 const X509 *cert, *issuer; 414 int ret = 0; 415 416 if ((cert = cert_from_chain(request->fullchain)) == NULL) { 417 warnx("No certificate found in %s", file); 418 goto err; 419 } 420 if ((issuer = issuer_from_chain(request->fullchain)) == NULL) { 421 warnx("Unable to find certificate issuer for cert in %s", file); 422 goto err; 423 } 424 if ((cid = OCSP_cert_to_id(NULL, cert, issuer)) == NULL) { 425 warnx("Unable to get issuer cert/CID in %s", file); 426 goto err; 427 } 428 429 if ((resp = d2i_OCSP_RESPONSE(NULL, p, size)) == NULL) { 430 warnx("OCSP response unserializable from host %s", host); 431 goto err; 432 } 433 434 if ((bresp = OCSP_response_get1_basic(resp)) == NULL) { 435 warnx("Failed to load OCSP response from %s", host); 436 goto err; 437 } 438 439 if (OCSP_basic_verify(bresp, request->fullchain, store, 440 OCSP_TRUSTOTHER) != 1) { 441 warnx("OCSP verify failed from %s", host); 442 goto err; 443 } 444 dspew("OCSP response signature validated from %s\n", host); 445 446 status = OCSP_response_status(resp); 447 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 448 warnx("OCSP Failure: code %d (%s) from host %s", 449 status, OCSP_response_status_str(status), host); 450 goto err; 451 } 452 dspew("OCSP response status %d from host %s\n", status, host); 453 454 /* Check the nonce if we sent one */ 455 456 if (request->nonce) { 457 if (OCSP_check_nonce(request->req, bresp) <= 0) { 458 warnx("No OCSP nonce, or mismatch, from host %s", host); 459 goto err; 460 } 461 } 462 463 if (OCSP_resp_find_status(bresp, cid, &cert_status, &crl_reason, 464 &revtime, &thisupd, &nextupd) != 1) { 465 warnx("OCSP verify failed: no result for cert"); 466 goto err; 467 } 468 469 if (revtime && (rev_t = parse_ocsp_time(revtime)) == -1) { 470 warnx("Unable to parse revocation time in OCSP reply"); 471 goto err; 472 } 473 /* 474 * Belt and suspenders, Treat it as revoked if there is either 475 * a revocation time, or status revoked. 476 */ 477 if (rev_t != -1 || cert_status == V_OCSP_CERTSTATUS_REVOKED) { 478 warnx("Invalid OCSP reply: certificate is revoked"); 479 if (rev_t != -1) 480 warnx("Certificate revoked at: %s", ctime(&rev_t)); 481 goto err; 482 } 483 if ((this_t = parse_ocsp_time(thisupd)) == -1) { 484 warnx("unable to parse this update time in OCSP reply"); 485 goto err; 486 } 487 if ((next_t = parse_ocsp_time(nextupd)) == -1) { 488 warnx("unable to parse next update time in OCSP reply"); 489 goto err; 490 } 491 492 /* Don't allow this update to precede next update */ 493 if (this_t >= next_t) { 494 warnx("Invalid OCSP reply: this update >= next update"); 495 goto err; 496 } 497 498 now = time(NULL); 499 /* 500 * Check that this update is not more than JITTER seconds 501 * in the future. 502 */ 503 if (this_t > now + JITTER_SEC) { 504 warnx("Invalid OCSP reply: this update is in the future at %s", 505 ctime(&this_t)); 506 goto err; 507 } 508 509 /* 510 * Check that this update is not more than MAXSEC 511 * in the past. 512 */ 513 if (this_t < now - MAXAGE_SEC) { 514 warnx("Invalid OCSP reply: this update is too old %s", 515 ctime(&this_t)); 516 goto err; 517 } 518 519 /* 520 * Check that next update is still valid 521 */ 522 if (next_t < now - JITTER_SEC) { 523 warnx("Invalid OCSP reply: reply has expired at %s", 524 ctime(&next_t)); 525 goto err; 526 } 527 528 vspew("OCSP response validated from %s\n", host); 529 vspew(" This Update: %s", ctime(&this_t)); 530 vspew(" Next Update: %s", ctime(&next_t)); 531 ret = 1; 532 err: 533 OCSP_RESPONSE_free(resp); 534 OCSP_BASICRESP_free(bresp); 535 OCSP_CERTID_free(cid); 536 return ret; 537 } 538 539 static void 540 usage(void) 541 { 542 fprintf(stderr, 543 "usage: ocspcheck [-Nv] [-C CAfile] [-i staplefile] " 544 "[-o staplefile] file\n"); 545 exit(1); 546 } 547 548 int 549 main(int argc, char **argv) 550 { 551 const char *cafile = NULL, *cadir = NULL; 552 char *host = NULL, *path = NULL, *certfile = NULL, *outfile = NULL, 553 *instaple = NULL, *infile = NULL; 554 struct addr addrs[MAX_SERVERS_DNS] = {{0}}; 555 struct source sources[MAX_SERVERS_DNS]; 556 int i, ch, staplefd = -1, infd = -1, nonce = 1; 557 ocsp_request *request = NULL; 558 size_t rescount, httphsz = 0, instaplesz = 0; 559 struct httphead *httph = NULL; 560 struct httpget *hget; 561 X509_STORE *castore; 562 ssize_t written, w; 563 short port; 564 565 while ((ch = getopt(argc, argv, "C:i:No:v")) != -1) { 566 switch (ch) { 567 case 'C': 568 cafile = optarg; 569 break; 570 case 'N': 571 nonce = 0; 572 break; 573 case 'o': 574 outfile = optarg; 575 break; 576 case 'i': 577 infile = optarg; 578 break; 579 case 'v': 580 verbose++; 581 break; 582 default: 583 usage(); 584 } 585 } 586 argc -= optind; 587 argv += optind; 588 589 if (argc != 1 || (certfile = argv[0]) == NULL) 590 usage(); 591 592 if (outfile != NULL) { 593 if (strcmp(outfile, "-") == 0) 594 staplefd = STDOUT_FILENO; 595 else 596 staplefd = open(outfile, O_WRONLY|O_CREAT, 597 S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH); 598 if (staplefd < 0) 599 err(1, "Unable to open output file %s", outfile); 600 } 601 602 if (infile != NULL) { 603 if (strcmp(infile, "-") == 0) 604 infd = STDIN_FILENO; 605 else 606 infd = open(infile, O_RDONLY); 607 if (infd < 0) 608 err(1, "Unable to open input file %s", infile); 609 nonce = 0; /* Can't validate a nonce on a saved reply */ 610 } 611 612 if (cafile == NULL) { 613 if (access(X509_get_default_cert_file(), R_OK) == 0) 614 cafile = X509_get_default_cert_file(); 615 if (access(X509_get_default_cert_dir(), F_OK) == 0) 616 cadir = X509_get_default_cert_dir(); 617 } 618 619 if (cafile != NULL) { 620 if (unveil(cafile, "r") == -1) 621 err(1, "unveil %s", cafile); 622 } 623 if (cadir != NULL) { 624 if (unveil(cadir, "r") == -1) 625 err(1, "unveil %s", cadir); 626 } 627 if (unveil(certfile, "r") == -1) 628 err(1, "unveil %s", certfile); 629 630 if (pledge("stdio inet rpath dns", NULL) == -1) 631 err(1, "pledge"); 632 633 /* 634 * Load our certificate and keystore, and build up an 635 * OCSP request based on the full certificate chain 636 * we have been given to check. 637 */ 638 if ((castore = read_cacerts(cafile, cadir)) == NULL) 639 exit(1); 640 if ((request = ocsp_request_new_from_cert(cadir, certfile, nonce)) 641 == NULL) 642 exit(1); 643 644 dspew("Built an %zu byte ocsp request\n", request->size); 645 646 if ((host = url2host(request->url, &port, &path)) == NULL) 647 errx(1, "Invalid OCSP url %s from %s", request->url, 648 certfile); 649 650 if (infd == -1) { 651 /* Get a new OCSP response from the indicated server */ 652 653 vspew("Using %s to host %s, port %d, path %s\n", 654 port == 443 ? "https" : "http", host, port, path); 655 656 rescount = host_dns(host, addrs); 657 for (i = 0; i < rescount; i++) { 658 sources[i].ip = addrs[i].ip; 659 sources[i].family = addrs[i].family; 660 } 661 662 /* 663 * Do an HTTP post to send our request to the OCSP 664 * server, and hopefully get an answer back 665 */ 666 hget = http_get(sources, rescount, host, port, path, 667 request->data, request->size); 668 if (hget == NULL) 669 errx(1, "http_get"); 670 /* 671 * Pledge minimally before fiddling with libcrypto init 672 * routines and parsing untrusted input from someone's OCSP 673 * server. 674 */ 675 if (cadir == NULL) { 676 if (pledge("stdio", NULL) == -1) 677 err(1, "pledge"); 678 } else { 679 if (pledge("stdio rpath", NULL) == -1) 680 err(1, "pledge"); 681 } 682 683 dspew("Server at %s returns:\n", host); 684 for (i = 0; i < httphsz; i++) 685 dspew(" [%s]=[%s]\n", httph[i].key, httph[i].val); 686 dspew(" [Body]=[%zu bytes]\n", hget->bodypartsz); 687 if (hget->bodypartsz <= 0) 688 errx(1, "No body in reply from %s", host); 689 690 if (hget->code != 200) 691 errx(1, "http reply code %d from %s", hget->code, host); 692 693 /* 694 * Validate the OCSP response we got back 695 */ 696 OPENSSL_add_all_algorithms_noconf(); 697 if (!validate_response(hget->bodypart, hget->bodypartsz, 698 request, castore, host, certfile)) 699 exit(1); 700 instaple = hget->bodypart; 701 instaplesz = hget->bodypartsz; 702 } else { 703 size_t nr = 0; 704 instaplesz = 0; 705 706 /* 707 * Pledge minimally before fiddling with libcrypto init 708 */ 709 if (cadir == NULL) { 710 if (pledge("stdio", NULL) == -1) 711 err(1, "pledge"); 712 } else { 713 if (pledge("stdio rpath", NULL) == -1) 714 err(1, "pledge"); 715 } 716 717 dspew("Using ocsp response saved in %s:\n", infile); 718 719 /* Use the existing OCSP response saved in infd */ 720 instaple = calloc(OCSP_MAX_RESPONSE_SIZE, 1); 721 if (instaple) { 722 while ((nr = read(infd, instaple + instaplesz, 723 OCSP_MAX_RESPONSE_SIZE - instaplesz)) != -1 && 724 nr != 0) 725 instaplesz += nr; 726 } 727 if (instaplesz == 0) 728 exit(1); 729 /* 730 * Validate the OCSP staple we read in. 731 */ 732 OPENSSL_add_all_algorithms_noconf(); 733 if (!validate_response(instaple, instaplesz, 734 request, castore, host, certfile)) 735 exit(1); 736 } 737 738 /* 739 * If we have been given a place to save a staple, 740 * write out the DER format response to the staplefd 741 */ 742 if (staplefd >= 0) { 743 while (ftruncate(staplefd, 0) < 0) { 744 if (errno == EINVAL) 745 break; 746 if (errno != EINTR && errno != EAGAIN) 747 err(1, "Write of OCSP response failed"); 748 } 749 written = 0; 750 while (written < instaplesz) { 751 w = write(staplefd, instaple + written, 752 instaplesz - written); 753 if (w == -1) { 754 if (errno != EINTR && errno != EAGAIN) 755 err(1, "Write of OCSP response failed"); 756 } else 757 written += w; 758 } 759 close(staplefd); 760 } 761 exit(0); 762 } 763