author | Bob Beck <beck@cvs.openbsd.org> | 2016-11-04 05:13:14 +0000 |
committer | Bob Beck <beck@cvs.openbsd.org> | 2016-11-04 05:13:14 +0000 |
commit | 6c67ac6aa28822a20e4c64703966a9b71f22726c (patch) | |
tree | 8bfa45e084bb81cb64224acd40acec4c937b762a /lib/libtls | |
parent | 8f590197552ad5692ae7758a5e1b1be677c65582 (diff) |
Add ocsp_require_stapling config option for tls - allows a connection
to indicate that it requires the peer to provide a stapled OCSP response
with the handshake. Provide a "-T muststaple" for nc that uses it.
ok jsing@, guenther@
Diffstat (limited to 'lib/libtls')
-rw-r--r-- | lib/libtls/tls.h | 3 | ||||
-rw-r--r-- | lib/libtls/tls_config.c | 8 | ||||
-rw-r--r-- | lib/libtls/tls_init.3 | 10 | ||||
-rw-r--r-- | lib/libtls/tls_internal.h | 3 | ||||
-rw-r--r-- | lib/libtls/tls_ocsp.c | 7 |
5 files changed, 25 insertions, 6 deletions
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 3929cb848e4..2f998d45615 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.39 2016/11/02 15:18:42 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.40 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -117,6 +117,7 @@ void tls_config_insecure_noverifyname(struct tls_config *_config);
 void tls_config_insecure_noverifytime(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
+void tls_config_ocsp_require_stapling(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
 void tls_config_verify_client_optional(struct tls_config *_config);
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index c07621acaf2..5c73c29d659 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.28 2016/08/22 14:55:59 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.29 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -621,6 +621,12 @@ tls_config_verify(struct tls_config *config)
 }
 void
+tls_config_ocsp_require_stapling(struct tls_config *config)
+{
+ config->ocsp_require_stapling = 1;
+}
+
+void
 tls_config_verify_client(struct tls_config *config)
 {
 config->verify_client = 1;
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index d0b6292b4ab..88195deb2e1 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.76 2016/11/03 12:54:16 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 3 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
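Review bot: In the tls_config.c hunk, `tls_config_ocsp_require_stapling` only sets the flag, and nothing in this change can clear `ocsp_require_stapling` again, whereas the neighbouring `tls_config_verify` exists to undo the insecure_* setters; a `struct tls_config` reused across connections therefore cannot opt back out once the requirement is set. If that one-way behaviour is intended, a comment above the setter would save the next reader the search, e.g. `/* One-way switch: no API clears this once set; tls_config_verify() does not reset it. */`; otherwise a clearing counterpart or a reset inside tls_config_verify would be worth considering. The tls.h prototype and the tls_init.3 entry match the setter's signature, so the remaining question is only about lifecycle, not interface.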
@@ -47,6 +47,7 @@
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
 .Nm tls_config_insecure_noverifytime ,
+.Nm tls_config_ocsp_require_stapling ,
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
@@ -150,6 +151,8 @@
 .Ft "void"
 .Fn tls_config_insecure_noverifytime "struct tls_config *config"
 .Ft "void"
+.Fn tls_config_ocsp_require_stapling "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_verify "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client "struct tls_config *config"
@@ -456,6 +459,9 @@ Be careful when using this option.
 disables validity checking of certificates and OCSP validation.
 Be careful when using this option.
 .It
+.Fn tls_config_ocsp_require_stapling
+requires that a valid stapled OCSP response be provided during the TLS handshake.
+.It
 .Fn tls_config_verify
 reenables server name and certificate verification.
 .It
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index fde4066f7cc..0112ceedb9c 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.45 2016/11/03 10:05:32 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -64,6 +64,7 @@ struct tls_config {
 int dheparams;
 int ecdhecurve;
 struct tls_keypair *keypair;
+ int ocsp_require_stapling;
 uint32_t protocols;
 int verify_cert;
 int verify_client;
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index aa085bd245f..af65771f7cc 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
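Review bot: The new `int ocsp_require_stapling` member added to `struct tls_config` in the tls_internal.h hunk has a security-relevant default (off), and this change does not show where it is initialized; if `tls_config_new` zero-fills the struct (calloc or equivalent) the default is implicit, but that is worth confirming, since an unset flag here would make the staple requirement depend on stale heap contents. A short field comment would also tell readers of the struct what the flag controls, e.g. `int ocsp_require_stapling; /* fail handshake if peer staples no OCSP response */`. The struct definition begins and ends outside the hunk.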
@@ -304,8 +304,13 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
 return -1;
 size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
- if (size <= 0)
+ if (size <= 0) {
+ if (ctx->config->ocsp_require_stapling) {
+ tls_set_errorx(ctx, "no stapled OCSP response provided");
+ return 0;
+ }
 return 1;
+ }
 tls_ocsp_ctx_free(ctx->ocsp_ctx);
 ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx); |
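Review bot: The required-stapling check added to tls_ocsp_verify_cb runs before the remainder of the callback body (which continues outside the hunk), so it records an error and returns 0 on a missing staple regardless of any verification bypass the later code may apply for insecure_noverifycert/noverifytime configurations; if that ordering is intentional it deserves a comment above the inner `if`, e.g. `/* A missing staple is fatal when required, even if certificate verification is otherwise disabled. */`. The check establishes only presence: whether a response that is present but fails OCSP processing also aborts the handshake is decided by the existing code below, and the man page's promise of a "valid" stapled response rests on that path, so it should be confirmed together with this change. Since `size <= 0` covers both "extension absent" and a zero-length body, the error text is accurate for both cases.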