diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2020-10-13 18:25:36 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2020-10-13 18:25:36 +0000 |
commit | bbdafeb2f22aad0afc8218c8e08bbcf32eefd88a (patch) | |
tree | 57c272ef19d9b19bec3f58ba4917a3a7dcd1f049 /usr.bin/openssl | |
parent | 5a41812b1748ad14f05d4d8a4296e6c34a86066a (diff) |
Make sure an OCSP query sends a host header
While OCSP uses HTTP/1.0 where a host header is optional, some widely
used OCSP responders will return 400 bad request if it is missing. Add
such a header unless it's already provided in the user's custom headers.
OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68
(both commits are under the old license)
ok inoguchi
Diffstat (limited to 'usr.bin/openssl')
-rw-r--r-- | usr.bin/openssl/ocsp.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/usr.bin/openssl/ocsp.c b/usr.bin/openssl/ocsp.c index 3f01416053d..f954d9697b6 100644 --- a/usr.bin/openssl/ocsp.c +++ b/usr.bin/openssl/ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp.c,v 1.20 2020/10/08 23:46:57 beck Exp $ */ +/* $OpenBSD: ocsp.c,v 1.21 2020/10/13 18:25:35 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -97,7 +97,8 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path, - STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout); + STACK_OF(CONF_VALUE) *headers, const char *host, OCSP_REQUEST *req, + int req_timeout); static struct { int accept_count; @@ -1408,11 +1409,12 @@ send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) static OCSP_RESPONSE * query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers, - OCSP_REQUEST *req, int req_timeout) + const char *host, OCSP_REQUEST *req, int req_timeout) { int fd; int rv; int i; + int have_host = 0; OCSP_REQ_CTX *ctx = NULL; OCSP_RESPONSE *rsp = NULL; struct pollfd pfd[1]; @@ -1449,10 +1451,17 @@ query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers, for (i = 0; i < sk_CONF_VALUE_num(headers); i++) { CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i); + if (strcasecmp("host", hdr->name) == 0) + have_host = 1; if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value)) goto err; } + if (!have_host) { + if (!OCSP_REQ_CTX_add1_header(ctx, "Host", host)) + goto err; + } + if (!OCSP_REQ_CTX_set1_req(ctx, req)) goto err; @@ -1513,7 +1522,7 @@ process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path, sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); } - resp = query_responder(err, cbio, path, headers, req, req_timeout); + resp = query_responder(err, cbio, path, headers, host, req, req_timeout); if (!resp) BIO_printf(bio_err, "Error querying OCSP responder\n"); |