summaryrefslogtreecommitdiff
path: root/usr.bin/openssl
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2020-10-13 18:25:36 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2020-10-13 18:25:36 +0000
commitbbdafeb2f22aad0afc8218c8e08bbcf32eefd88a (patch)
tree57c272ef19d9b19bec3f58ba4917a3a7dcd1f049 /usr.bin/openssl
parent5a41812b1748ad14f05d4d8a4296e6c34a86066a (diff)
Make sure an OCSP query sends a host header
While OCSP uses HTTP/1.0 where a host header is optional, some widely used OCSP responders will return 400 bad request if it is missing. Add such a header unless it's already provided in the user's custom headers. OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68 (both commits are under the old license) ok inoguchi
Diffstat (limited to 'usr.bin/openssl')
-rw-r--r--usr.bin/openssl/ocsp.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/usr.bin/openssl/ocsp.c b/usr.bin/openssl/ocsp.c
index 3f01416053d..f954d9697b6 100644
--- a/usr.bin/openssl/ocsp.c
+++ b/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.20 2020/10/08 23:46:57 beck Exp $ */
+/* $OpenBSD: ocsp.c,v 1.21 2020/10/13 18:25:35 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@@ -97,7 +97,8 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
- STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout);
+ STACK_OF(CONF_VALUE) *headers, const char *host, OCSP_REQUEST *req,
+ int req_timeout);
static struct {
int accept_count;
@@ -1408,11 +1409,12 @@ send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
static OCSP_RESPONSE *
query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers,
- OCSP_REQUEST *req, int req_timeout)
+ const char *host, OCSP_REQUEST *req, int req_timeout)
{
int fd;
int rv;
int i;
+ int have_host = 0;
OCSP_REQ_CTX *ctx = NULL;
OCSP_RESPONSE *rsp = NULL;
struct pollfd pfd[1];
@@ -1449,10 +1451,17 @@ query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers,
for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+ if (strcasecmp("host", hdr->name) == 0)
+ have_host = 1;
if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
goto err;
}
+ if (!have_host) {
+ if (!OCSP_REQ_CTX_add1_header(ctx, "Host", host))
+ goto err;
+ }
+
if (!OCSP_REQ_CTX_set1_req(ctx, req))
goto err;
@@ -1513,7 +1522,7 @@ process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path,
sbio = BIO_new_ssl(ctx, 1);
cbio = BIO_push(sbio, cbio);
}
- resp = query_responder(err, cbio, path, headers, req, req_timeout);
+ resp = query_responder(err, cbio, path, headers, host, req, req_timeout);
if (!resp)
BIO_printf(bio_err, "Error querying OCSP responder\n");