diff --git a/.gitignore b/.gitignore index de8952da1..12f1afe3d 100644 --- a/.gitignore +++ b/.gitignore @@ -247,6 +247,9 @@ embedded/tls-sock-threaded embedded/tls-threaded hash/sha256-hash + +ocsp/ocsp_nonblock/ocsp_nonblock + sslkeylog.log tpm/evp_tpm diff --git a/ocsp/ocsp_nonblock/Makefile b/ocsp/ocsp_nonblock/Makefile new file mode 100644 index 000000000..46e29316a --- /dev/null +++ b/ocsp/ocsp_nonblock/Makefile @@ -0,0 +1,36 @@ +# Examples Makefile +CC = gcc +LIB_PATH = /usr/local +CFLAGS = -Wall -I$(LIB_PATH)/include +LIBS = -L$(LIB_PATH)/lib + +# option variables +DYN_LIB = -lwolfssl +STATIC_LIB = $(LIB_PATH)/lib/libwolfssl.a +DEBUG_FLAGS = -g -DDEBUG +DEBUG_INC_PATHS = -MD +OPTIMIZE = -Os + +# Options +#CFLAGS+=$(DEBUG_FLAGS) +CFLAGS+=$(OPTIMIZE) +#LIBS+=$(STATIC_LIB) +LIBS+=$(DYN_LIB) + +# build targets +SRC=$(wildcard *.c) +TARGETS=$(patsubst %.c, %, $(SRC)) + +.PHONY: clean all + +all: $(TARGETS) + +debug: CFLAGS+=$(DEBUG_FLAGS) +debug: all + +# build template +%: %.c + $(CC) -o $@ $< $(CFLAGS) $(LIBS) + +clean: + rm -f $(TARGETS) diff --git a/ocsp/ocsp_nonblock/README.md b/ocsp/ocsp_nonblock/README.md new file mode 100644 index 000000000..d48b591e8 --- /dev/null +++ b/ocsp/ocsp_nonblock/README.md @@ -0,0 +1,34 @@ +# OCSP Examples + +Online Certificate Status Protocol (OCSP) is used for obtaining the revocation status of an X.509 digital certificate. + + +## OCSP non-blocking example + +This uses a google.com certificate chain to demonstrate validating revocation status using an OCSP server. + +The Google.com certificate defines OCSP in the X509v3 extension "Authority Information Access" section. + +Example usage: + +```sh +$ ./configure --enable-ocsp CFLAGS="-DHAVE_IO_TIMEOUT -DWOLFSSL_NONBLOCK_OCSP" +$ make +$ sudo make install + +% make +gcc -o ocsp_nonblock ocsp_nonblock.c -Wall -I/usr/local/include -Os -L/usr/local/lib -lwolfssl + +% ./ocsp_nonblock +Loaded Trusted CA dir ca_certs (ret 1) +Convert Google.com PEM cert to DER (ret 1) +Verify Google.com cert: 1 +OCSP Lookup: + URL: http://ocsp.pki.goog/gts1c3 + Domain: ocsp.pki.goog + Path: /gts1c3 + Port: 80 +OCSP Response: ret 471, nonblock count 409421 +Check OCSP for Google.com (ret 1) +Ret = 1: success +``` diff --git a/ocsp/ocsp_nonblock/ca_certs/GTS_CA_1C3.pem b/ocsp/ocsp_nonblock/ca_certs/GTS_CA_1C3.pem new file mode 100644 index 000000000..2acab7259 --- /dev/null +++ b/ocsp/ocsp_nonblock/ca_certs/GTS_CA_1C3.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw +CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU +MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw +MDQyWjBGMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp +Y2VzIExMQzETMBEGA1UEAxMKR1RTIENBIDFDMzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAPWI3+dijB43+DdCkH9sh9D7ZYIl/ejLa6T/belaI+KZ9hzp +kgOZE3wJCor6QtZeViSqejOEH9Hpabu5dOxXTGZok3c3VVP+ORBNtzS7XyV3NzsX +lOo85Z3VvMO0Q+sup0fvsEQRY9i0QYXdQTBIkxu/t/bgRQIh4JZCF8/ZK2VWNAcm +BA2o/X3KLu/qSHw3TT8An4Pf73WELnlXXPxXbhqW//yMmqaZviXZf5YsBvcRKgKA +gOtjGDxQSYflispfGStZloEAoPtR28p3CwvJlk/vcEnHXG0g/Zm0tOLKLnf9LdwL +tmsTDIwZKxeWmLnwi/agJ7u2441Rj72ux5uxiZ0CAwEAAaOCAYAwggF8MA4GA1Ud +DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0T +AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUinR/r4XN7pXNPZzQ4kYU83E1HScwHwYD +VR0jBBgwFoAU5K8rJnEaK0gnhS9SZizv8IkTcT4waAYIKwYBBQUHAQEEXDBaMCYG +CCsGAQUFBzABhhpodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHNyMTAwBggrBgEFBQcw +AoYkaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzcjEuZGVyMDQGA1UdHwQt +MCswKaAnoCWGI2h0dHA6Ly9jcmwucGtpLmdvb2cvZ3RzcjEvZ3RzcjEuY3JsMFcG +A1UdIARQME4wOAYKKwYBBAHWeQIFAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3Br +aS5nb29nL3JlcG9zaXRvcnkvMAgGBmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcN +AQELBQADggIBAIl9rCBcDDy+mqhXlRu0rvqrpXJxtDaV/d9AEQNMwkYUuxQkq/BQ +cSLbrcRuf8/xam/IgxvYzolfh2yHuKkMo5uhYpSTld9brmYZCwKWnvy15xBpPnrL +RklfRuFBsdeYTWU0AIAaP0+fbH9JAIFTQaSSIYKCGvGjRFsqUBITTcFTNvNCCK9U ++o53UxtkOCcXCb1YyRt8OS1b887U7ZfbFAO/CVMkH8IMBHmYJvJh8VNS/UKMG2Yr +PxWhu//2m+OBmgEGcYk1KCTd4b3rGS3hSMs9WYNRtHTGnXzGsYZbr8w0xNPM1IER +lQCh9BIiAfq0g3GvjLeMcySsN1PCAJA/Ef5c7TaUEDu9Ka7ixzpiO2xj2YC/WXGs +Yye5TBeg2vZzFb8q3o/zpWwygTMD0IZRcZk0upONXbVRWPeyk+gB9lm+cZv9TSjO +z23HFtz30dZGm6fKa+l3D/2gthsjgx0QGtkJAITgRNOidSOzNIb2ILCkXhAd4FJG +AJ2xDx8hcFH1mt0G/FX0Kw4zd8NLQsLxdxP8c4CU6x+7Nz/OAipmsHMdMqUybDKw +juDEI/9bfU1lcKwrmz3O2+BtjjKAvpafkmO8l7tdufThcV4q5O8DIrGKZTqPwJNl +1IXNDw9bg1kWRxYtnCQ6yICmJhSFm/Y3m6xv+cXDBlHz4n/FsRC6UfTd +-----END CERTIFICATE----- \ No newline at end of file diff --git a/ocsp/ocsp_nonblock/ca_certs/GTS_Root_R1.pem b/ocsp/ocsp_nonblock/ca_certs/GTS_Root_R1.pem new file mode 100644 index 000000000..e5aa68147 --- /dev/null +++ b/ocsp/ocsp_nonblock/ca_certs/GTS_Root_R1.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX +MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE +CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx +OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT +GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63 +ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS +iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k +KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ +DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk +j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5 +cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW +CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499 +iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei +Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap +sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b +9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf +BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw +JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH +MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al +oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy +MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF +AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9 +NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9 +WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw +9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy ++qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi +d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/ocsp/ocsp_nonblock/google.pem b/ocsp/ocsp_nonblock/google.pem new file mode 100644 index 000000000..6f8b67a44 --- /dev/null +++ b/ocsp/ocsp_nonblock/google.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEhjCCA26gAwIBAgIQWwvxxxXoxEkSWJsftFiO7jANBgkqhkiG9w0BAQsFADBG +MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM +QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yMjA1MDQxNzQwMDVaFw0yMjA3Mjcx +NzQwMDRaMBkxFzAVBgNVBAMTDnd3dy5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEy3kqjk9F7+Ap8XWjvvDnAUfiJXV6bHblqegicb6Krq3zUw8T +KUQ8wxMtRoZXHv9DtZgC1ErW6qAPt0BWdzP7waOCAmYwggJiMA4GA1UdDwEB/wQE +AwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW +BBSoMrJUWSIVHdDkqXgfi2VI5nQ2TjAfBgNVHSMEGDAWgBSKdH+vhc3ulc09nNDi +RhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3Nw +LnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDovL3BraS5nb29nL3Jl +cG8vY2VydHMvZ3RzMWMzLmRlcjAZBgNVHREEEjAQgg53d3cuZ29vZ2xlLmNvbTAh +BgNVHSAEGjAYMAgGBmeBDAECATAMBgorBgEEAdZ5AgUDMDwGA1UdHwQ1MDMwMaAv +oC2GK2h0dHA6Ly9jcmxzLnBraS5nb29nL2d0czFjMy9RT3ZKME4xc1QyQS5jcmww +ggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQBByMqx3yJGShDGoToJQodeTjGLGwPr +60vHaPCQYpYG9gAAAYCQX05XAAAEAwBGMEQCIA/HX1T2lssgnL8weEBFzPsILM4q +/3iJ5FyXJgZZ9ZMQAiBi0HochB+UgZMpslJ72ei48hvzGErcXvUJUwXVx4x6ZwB2 +ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABgJBfTiYAAAQDAEcw +RQIhAIcwKuzq6j1VwM1F3P/3L0Un5LKUt4o52+KREIULHJ6yAiAIVxHlI0vTToyP +N96UQkuM0FvPus2vGZLfIimVHrqrQzANBgkqhkiG9w0BAQsFAAOCAQEAw/wVl+C1 +0mjwVu3NCu9sbnX47TuPz2lwT/6aUOMmRQg5Z3I9qWwRs5TdwYS/RXjGbATG8STu +Qmq5h4GRil5523D2OKmJ2ZBc033tk/aDJzf3bRQrFnzYNDIo2zW7rrdg0yUE2ytq +30pP0so32wVtqAKZOdtgYyQs1WXEgOVouGkecgdKv2pMyWa6TVjMNnMxCwqq4MRG +R5thr5l5tg20zvpGM7bE/VuYegTSqQyaF6arUpjpOX7xclfERZ1RUOh1EHHnH4gf +l7eOUXh950nbb3bjp2bUF1CjsnveJI1UfqcUrp3Tuoh7ScT1gEiJ82qGsVtyq3AU +FvKz0TJH0ipymA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/ocsp/ocsp_nonblock/ocsp_nonblock.c b/ocsp/ocsp_nonblock/ocsp_nonblock.c new file mode 100644 index 000000000..ba5c5ba22 --- /dev/null +++ b/ocsp/ocsp_nonblock/ocsp_nonblock.c @@ -0,0 +1,236 @@ + +/* ocsp_nonblock.c + * + * Copyright (C) 2006-2022 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + **/ + +#include +#include +#include +#include +#include +#include + +static const char* kCACertsDir = "ca_certs"; /* put CA certs into this directory */ +static const char* kGoogleCom = "google.pem"; /* www.google.com */ + +#ifndef HTTP_SCRATCH_BUFFER_SIZE + #define HTTP_SCRATCH_BUFFER_SIZE 512 +#endif +#ifndef MAX_URL_ITEM_SIZE + #define MAX_URL_ITEM_SIZE 80 +#endif +#ifndef DEFAULT_TIMEOUT_SEC + #define DEFAULT_TIMEOUT_SEC 0 /* no timeout */ +#endif + +static int io_timeout_sec = DEFAULT_TIMEOUT_SEC; + + +static SOCKET_T sfd = SOCKET_INVALID; +static word16 port; +static char path[MAX_URL_ITEM_SIZE]; +static char domainName[MAX_URL_ITEM_SIZE]; +static int nonBlockCnt = 0; +static byte* httpBuf; + +/* Return size of the OCSP response or negative for error */ +static int OcspLookupNonBlockCb(void* ctx, const char* url, int urlSz, + byte* ocspReqBuf, int ocspReqSz, byte** ocspRespBuf) +{ + int ret = WOLFSSL_CBIO_ERR_GENERAL; + + if (sfd != SOCKET_INVALID) { + ret = wolfIO_HttpProcessResponseOcsp(sfd, ocspRespBuf, + httpBuf, HTTP_SCRATCH_BUFFER_SIZE, NULL); + nonBlockCnt++; + if (ret == OCSP_WANT_READ) + return WOLFSSL_CBIO_ERR_WANT_READ; + printf("OCSP Response: ret %d, nonblock count %d\n", + ret, nonBlockCnt); + XFREE(httpBuf, NULL, DYNAMIC_TYPE_OCSP); + httpBuf = NULL; + return ret; + } + + if (ocspReqBuf == NULL || ocspReqSz == 0) { + printf("OCSP request is required for lookup\n"); + } + else if (ocspRespBuf == NULL) { + printf("Cannot save OCSP response\n"); + } + else if (wolfIO_DecodeUrl(url, urlSz, domainName, path, &port) < 0) { + printf("Unable to decode OCSP URL\n"); + } + else { + /* Note: This is free'd in OcspRespFreeCb callback */ + int httpBufSz = HTTP_SCRATCH_BUFFER_SIZE; + httpBuf = (byte*)XMALLOC(httpBufSz, NULL, DYNAMIC_TYPE_OCSP); + + printf("OCSP Lookup:\n"); + printf("\tURL: %s\n", url); + printf("\tDomain: %s\n", domainName); + printf("\tPath: %s\n", path); + printf("\tPort: %d\n", port); + + if (httpBuf == NULL) { + printf("Unable to create OCSP response buffer\n"); + } + else { + httpBufSz = wolfIO_HttpBuildRequestOcsp(domainName, path, ocspReqSz, + httpBuf, httpBufSz); + + ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec); + if (ret == 0) { + #if defined(WOLFSSL_NONBLOCK_OCSP) && defined(HAVE_IO_TIMEOUT) + wolfIO_SetBlockingMode(sfd, 1); /* non-blocking */ + #endif + + if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0) != + httpBufSz) { + printf("OCSP http request failed\n"); + } + else if (wolfIO_Send(sfd, (char*)ocspReqBuf, ocspReqSz, 0) != + ocspReqSz) { + printf("OCSP ocsp request failed\n"); + } + else { + do { + ret = wolfIO_HttpProcessResponseOcsp(sfd, ocspRespBuf, + httpBuf, HTTP_SCRATCH_BUFFER_SIZE, NULL); + nonBlockCnt++; + if (ret == OCSP_WANT_READ) + return WOLFSSL_CBIO_ERR_WANT_READ; + } while (ret == OCSP_WANT_READ); + printf("OCSP Response: ret %d, nonblock count %d\n", + ret, nonBlockCnt); + } + } + else { + printf("OCSP Responder connection failed\n"); + } + if (sfd != SOCKET_INVALID) + CloseSocket(sfd); + XFREE(httpBuf, NULL, DYNAMIC_TYPE_OCSP); + httpBuf = NULL; + } + } + (void)ctx; + printf("Resp ret: %d\n", ret); + return ret; +} + +static void OcspRespFreeCb(void* ctx, byte *resp) +{ + if (resp) + XFREE(resp, NULL, DYNAMIC_TYPE_OCSP); + httpBuf = NULL; + + (void)ctx; +} + +int main(int argc, char** argv) +{ + int ret; + WOLFSSL_CERT_MANAGER* pCm; + char pem[2048]; + int pemSz = 0; + byte der[2000]; + int derSz = 0; + FILE* file; + const char* certFile = kGoogleCom; + +#if 0 + wolfSSL_Debugging_ON(); +#endif + + if (argc > 1) { + certFile = argv[1]; + } + + /* Create certificate manager context */ + pCm = wolfSSL_CertManagerNew(); + if (pCm) { + #ifdef HAVE_OCSP + /* Enable OCSP */ + ret = wolfSSL_CertManagerEnableOCSP(pCm, 0); + if (ret == WOLFSSL_SUCCESS) { + /* Setup callbacks for OCSP */ + ret = wolfSSL_CertManagerSetOCSP_Cb(pCm, + OcspLookupNonBlockCb, + OcspRespFreeCb, + NULL /* optional context */ + ); + } + #else + ret = WOLFSSL_SUCCESS; + #endif + if (ret == WOLFSSL_SUCCESS) { + /* Load root CAs into Certificate Manager */ + ret = wolfSSL_CertManagerLoadCA(pCm, NULL, kCACertsDir); + printf("Loaded Trusted CA dir %s (ret %d)\n", kCACertsDir, ret); + } + if (ret == WOLFSSL_SUCCESS) { + /* Load PEM to buffer */ + file = fopen(certFile, "rb"); + if (file != NULL) { + pemSz = fread(pem, 1, sizeof(pem), file); + fclose(file); + } + + /* Convert certificate to DER/ASN.1 */ + ret = wc_CertPemToDer( + (byte*)pem, pemSz, + der, sizeof(der), CERT_TYPE); + if (ret >= 0) { + derSz = ret; + ret = WOLFSSL_SUCCESS; + } + printf("Convert Google.com PEM cert to DER (ret %d)\n", ret); + } + if (ret == WOLFSSL_SUCCESS) { + /* Load and verify certificate */ + ret = wolfSSL_CertManagerVerifyBuffer(pCm, + der, derSz, WOLFSSL_FILETYPE_ASN1); + printf("Verify Google.com cert: %d\n", ret); + } + #ifdef HAVE_OCSP + if (ret == WOLFSSL_SUCCESS) { + /* Check OCSP for certificate */ + do { + ret = wolfSSL_CertManagerCheckOCSP(pCm, + der, derSz); + } while (ret == OCSP_WANT_READ); + printf("Check OCSP for Google.com (ret %d)\n", ret); + } + #endif + + wolfSSL_CertManagerFree(pCm); + } + else { + ret = MEMORY_E; + } + + printf("Ret = %d: %s\n", + ret, (ret == WOLFSSL_SUCCESS) ? + "success" : + wc_GetErrorString(ret)); + + return ret; +}