diff options
| author | Bob Beck <beck@cvs.openbsd.org> | 2016-11-05 15:13:27 +0000 |
|---|---|---|
| committer | Bob Beck <beck@cvs.openbsd.org> | 2016-11-05 15:13:27 +0000 |
| commit | 01d7edda90abcb83a913ac585465988def75fca9 (patch) | |
| tree | 6f4f9571e17753260113c7bf57efdc16582a89d8 | |
| parent | 4b6028e7b7e5c395e40b1e1fd2a48d0321c54ab7 (diff) | |
Add support for server side OCSP stapling to libtls.
Add support for server side OCSP stapling to netcat.
| -rw-r--r-- | lib/libtls/Symbols.list | 2 | ||||
| -rw-r--r-- | lib/libtls/tls.h | 4 | ||||
| -rw-r--r-- | lib/libtls/tls_config.c | 16 | ||||
| -rw-r--r-- | lib/libtls/tls_init.3 | 18 | ||||
| -rw-r--r-- | lib/libtls/tls_internal.h | 9 | ||||
| -rw-r--r-- | lib/libtls/tls_ocsp.c | 34 | ||||
| -rw-r--r-- | lib/libtls/tls_server.c | 8 | ||||
| -rw-r--r-- | usr.bin/nc/nc.1 | 11 | ||||
| -rw-r--r-- | usr.bin/nc/netcat.c | 12 |
9 files changed, 98 insertions, 16 deletions
diff --git a/lib/libtls/Symbols.list b/lib/libtls/Symbols.list index 9074d5e0110..7ed1d58bdca 100644 --- a/lib/libtls/Symbols.list +++ b/lib/libtls/Symbols.list @@ -29,6 +29,8 @@ tls_config_set_key_file tls_config_set_key_mem tls_config_set_keypair_file tls_config_set_keypair_mem +tls_config_set_ocsp_staple_mem +tls_config_set_ocsp_staple_file tls_config_set_protocols tls_config_set_verify_depth tls_config_verify diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h index 2f998d45615..2f8c721a157 100644 --- a/lib/libtls/tls.h +++ b/lib/libtls/tls.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.40 2016/11/04 05:13:13 beck Exp $ */ +/* $OpenBSD: tls.h,v 1.41 2016/11/05 15:13:26 beck Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -106,6 +106,8 @@ int tls_config_set_keypair_file(struct tls_config *_config, const char *_cert_file, const char *_key_file); int tls_config_set_keypair_mem(struct tls_config *_config, const uint8_t *_cert, size_t _cert_len, const uint8_t *_key, size_t _key_len); +int tls_config_set_ocsp_staple_mem(struct tls_config *_config, char *_staple, size_t _len); +int tls_config_set_ocsp_staple_file(struct tls_config *_config, const char *_staple_file); void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols); void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth); diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c index 218a4c4e72d..3ac674e597c 100644 --- a/lib/libtls/tls_config.c +++ b/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.31 2016/11/04 19:01:04 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.32 2016/11/05 15:13:26 beck Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -227,6 +227,7 @@ tls_config_free(struct tls_config *config) free((char *)config->ca_mem); free((char *)config->ca_path); free((char *)config->ciphers); + free(config->ocsp_staple); free(config); } @@ -641,3 +642,16 @@ tls_config_verify_client_optional(struct tls_config *config) { config->verify_client = 2; } + +int +tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file) +{ + return tls_config_load_file(&config->error, "OCSP", staple_file, + &config->ocsp_staple, &config->ocsp_staple_len); +} + +int +tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len) +{ + return set_mem(&config->ocsp_staple, &config->ocsp_staple_len, staple, len); +} diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3 index 88195deb2e1..a6ab619c199 100644 --- a/lib/libtls/tls_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $ +.\" $OpenBSD: tls_init.3,v 1.78 2016/11/05 15:13:26 beck Exp $ .\" .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 4 2016 $ +.Dd $Mdocdate: November 5 2016 $ .Dt TLS_INIT 3 .Os .Sh NAME @@ -39,6 +39,8 @@ .Nm tls_config_set_key_mem , .Nm tls_config_set_keypair_file , .Nm tls_config_set_keypair_mem , +.Nm tls_config_set_ocsp_staple_mem , +.Nm tls_config_set_ocsp_staple_file , .Nm tls_config_set_protocols , .Nm tls_config_set_verify_depth , .Nm tls_config_prefer_ciphers_client , @@ -134,6 +136,10 @@ .Fn tls_config_set_keypair_file "struct tls_config *config" "const char *cert_file" "const char *key_file" .Ft "int" .Fn tls_config_set_keypair_mem "struct tls_config *config" "const uint8_t *cert" "size_t cert_len" "const uint8_t *key" "size_t key_len" +.Ft "int" +.Fn tls_config_set_ocsp_staple_mem "struct tls_config *config" "const char *staple" "size_t len" +.Ft "int" +.Fn tls_config_set_ocsp_staple_file "struct tls_config *config" "const char *staple_file .Ft "void" .Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols" .Ft "void" @@ -365,6 +371,14 @@ used as an alternative certificate for Server Name Indication (server only). adds an additional public certificate and private key from memory, used as an alternative certificate for Server Name Indication (server only). .It +.Fn tls_config_set_ocsp_staple_mem +adds a DER encoded OCSP response to be stapled during the TLS handshake from +memory. +.It +.Fn tls_config_set_ocsp_staple_file +adds a DER encoded OCSP response to be stapled during the TLS handshake from +the specified file. +.It .Fn tls_config_set_alpn sets the ALPN protocols that are supported. The alpn string is a comma separated list of protocols, in order of preference. diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h index 65b65371b23..1db186a05f9 100644 --- a/lib/libtls/tls_internal.h +++ b/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.49 2016/11/05 14:50:05 beck Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.50 2016/11/05 15:13:26 beck Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> @@ -67,6 +67,8 @@ struct tls_config { int ecdhecurve; struct tls_keypair *keypair; int ocsp_require_stapling; + char *ocsp_staple; + size_t ocsp_staple_len; uint32_t protocols; int verify_cert; int verify_client; @@ -110,10 +112,6 @@ struct tls_ocsp { /* responder location */ char *ocsp_url; - /* request blob */ - uint8_t *request_data; - size_t request_size; - /* cert data, this struct does not own these */ X509 *main_cert; STACK_OF(X509) *extra_certs; @@ -208,6 +206,7 @@ int tls_conninfo_populate(struct tls *ctx); void tls_conninfo_free(struct tls_conninfo *conninfo); int tls_ocsp_verify_cb(SSL *ssl, void *arg); +int tls_ocsp_stapling_cb(SSL *ssl, void *arg); void tls_ocsp_free(struct tls_ocsp *ctx); struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx); diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c index 2da88f42812..9ed60a2aa91 100644 --- a/lib/libtls/tls_ocsp.c +++ b/lib/libtls/tls_ocsp.c @@ -50,8 +50,6 @@ tls_ocsp_free(struct tls_ocsp *ocsp) ocsp->ocsp_result = NULL; free(ocsp->ocsp_url); ocsp->ocsp_url = NULL; - free(ocsp->request_data); - ocsp->request_data = NULL; free(ocsp); } @@ -322,6 +320,38 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg) return (res == 0) ? 1 : 0; } + +/* Staple the OCSP information in ctx->ocsp to the server handshake. */ +int +tls_ocsp_stapling_cb(SSL *ssl, void *arg) +{ + struct tls *ctx; + unsigned char *ocsp_staple = NULL; + int ret = SSL_TLSEXT_ERR_ALERT_FATAL; + + if ((ctx = SSL_get_app_data(ssl)) == NULL) + goto err; + + if (ctx->config->ocsp_staple == NULL || + ctx->config->ocsp_staple_len == 0) + return SSL_TLSEXT_ERR_NOACK; + + if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL) + goto err; + + memcpy(ocsp_staple, ctx->config->ocsp_staple, + ctx->config->ocsp_staple_len); + if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple, + ctx->config->ocsp_staple_len) != 1) + goto err; + + ret = SSL_TLSEXT_ERR_OK; + err: + if (ret != SSL_TLSEXT_ERR_OK) + free(ocsp_staple); + return ret; +} + /* * Public API */ diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c index e3b03e13019..a9a5902addc 100644 --- a/lib/libtls/tls_server.c +++ b/lib/libtls/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.29 2016/11/04 19:01:29 jsing Exp $ */ +/* $OpenBSD: tls_server.c,v 1.30 2016/11/05 15:13:26 beck Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -48,6 +48,7 @@ tls_server_conn(struct tls *ctx) return (NULL); conn_ctx->flags |= TLS_SERVER_CONN; + conn_ctx->config = ctx->config; return (conn_ctx); } @@ -213,6 +214,11 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, if (ctx->config->ciphers_server == 1) SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_stapling_cb) != 1) { + tls_set_errorx(ctx, "failed to add OCSP stapling callback"); + goto err; + } + /* * Set session ID context to a random value. We don't support * persistent caching of sessions so it is OK to set a temporary diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1 index 8c7790f72aa..2dda57af924 100644 --- a/usr.bin/nc/nc.1 +++ b/usr.bin/nc/nc.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: nc.1,v 1.76 2016/11/04 07:34:17 jmc Exp $ +.\" $OpenBSD: nc.1,v 1.77 2016/11/05 15:13:26 beck Exp $ .\" .\" Copyright (c) 1996 David Sacerdote .\" All rights reserved. @@ -25,7 +25,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 4 2016 $ +.Dd $Mdocdate: November 5 2016 $ .Dt NC 1 .Os .Sh NAME @@ -43,6 +43,7 @@ .Op Fl M Ar ttl .Op Fl m Ar minttl .Op Fl O Ar length +.Op Fl o Ar staplefile .Op Fl P Ar proxy_username .Op Fl p Ar source_port .Op Fl R Ar CAfile @@ -187,6 +188,12 @@ Do not do any DNS or service lookups on any specified addresses, hostnames or ports. .It Fl O Ar length Specifies the size of the TCP send buffer. +.It Fl o Ar staplefile +Specifies the filename from which to load data to be stapled +during the TLS handshake. +The file is expected to contain an OSCP response from an OCSP server in +DER format. +May only be used with TLS and when a certificate is being used. .It Fl P Ar proxy_username Specifies a username to present to a proxy server that requires authentication. If no username is specified then authentication will not be attempted. diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c index b71c0426dcf..4a841fb96d3 100644 --- a/usr.bin/nc/netcat.c +++ b/usr.bin/nc/netcat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: netcat.c,v 1.167 2016/11/04 05:13:13 beck Exp $ */ +/* $OpenBSD: netcat.c,v 1.168 2016/11/05 15:13:26 beck Exp $ */ /* * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> * Copyright (c) 2015 Bob Beck. All rights reserved. @@ -100,6 +100,7 @@ int rtableid = -1; int usetls; /* use TLS */ char *Cflag; /* Public cert file */ char *Kflag; /* Private key file */ +char *oflag; /* OCSP stapling file */ char *Rflag = DEFAULT_CA_FILE; /* Root CA file */ int tls_cachanged; /* Using non-default CA file */ int TLSopt; /* TLS options */ @@ -163,7 +164,7 @@ main(int argc, char *argv[]) signal(SIGPIPE, SIG_IGN); while ((ch = getopt(argc, argv, - "46C:cDde:FH:hI:i:K:klM:m:NnO:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) { + "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) { switch (ch) { case '4': family = AF_INET; @@ -295,6 +296,9 @@ main(int argc, char *argv[]) errx(1, "TCP send window %s: %s", errstr, optarg); break; + case 'o': + oflag = optarg; + break; case 'S': Sflag = 1; break; @@ -380,6 +384,8 @@ main(int argc, char *argv[]) errx(1, "you must specify -c to use -C"); if (Kflag && !usetls) errx(1, "you must specify -c to use -K"); + if (oflag && !Cflag) + errx(1, "you must specify -C to use -o"); if (tls_cachanged && !usetls) errx(1, "you must specify -c to use -R"); if (tls_expecthash && !usetls) @@ -455,6 +461,8 @@ main(int argc, char *argv[]) errx(1, "%s", tls_config_error(tls_cfg)); if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1) errx(1, "%s", tls_config_error(tls_cfg)); + if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1) + errx(1, "%s", tls_config_error(tls_cfg)); if (TLSopt & TLS_LEGACY) { tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); tls_config_set_ciphers(tls_cfg, "all"); |