authorBob Beck <beck@cvs.openbsd.org>2016-11-06 10:49:39 +0000
committerBob Beck <beck@cvs.openbsd.org>2016-11-06 10:49:39 +0000
commitd18d46453a2a6e346009c37f53eaa0b0bed3dd30 (patch)
treea18cb4d5a26c70ea0a4e4f52bffcb0ce85302728 /usr.sbin
parent11563cbbf4bc78610ab978404c4660edb1a6be62 (diff)
Add OCSP stapling support to httpd
ok jsing@ bcook@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/httpd/config.c34
-rw-r--r--usr.sbin/httpd/httpd.conf.514
-rw-r--r--usr.sbin/httpd/httpd.h6
-rw-r--r--usr.sbin/httpd/parse.y19
-rw-r--r--usr.sbin/httpd/server.c33
5 files changed, 96 insertions, 10 deletions
diff --git a/usr.sbin/httpd/config.c b/usr.sbin/httpd/config.c
index 66fde6fea6d..f337a72d8e4 100644
--- a/usr.sbin/httpd/config.c
+++ b/usr.sbin/httpd/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.49 2016/10/12 10:57:30 reyk Exp $ */
+/* $OpenBSD: config.c,v 1.50 2016/11/06 10:49:38 beck Exp $ */
/*
* Copyright (c) 2011 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -300,6 +300,28 @@ config_settls(struct httpd *env, struct server *srv)
}
}
+ if (srv_conf->tls_ocsp_staple_len != 0) {
+ DPRINTF("%s: sending ocsp staple \"%s[%u]\" to %s fd %d", __func__,
+ srv_conf->name, srv_conf->id, ps->ps_title[PROC_SERVER],
+ srv->srv_s);
+
+ memset(&tls, 0, sizeof(tls));
+ tls.id = srv_conf->id;
+ tls.tls_ocsp_staple_len = srv_conf->tls_ocsp_staple_len;
+
+ c = 0;
+ iov[c].iov_base = &tls;
+ iov[c++].iov_len = sizeof(tls);
+ iov[c].iov_base = srv_conf->tls_ocsp_staple;
+ iov[c++].iov_len = srv_conf->tls_ocsp_staple_len;
+
+ if (proc_composev(ps, PROC_SERVER, IMSG_CFG_TLS, iov, c) != 0) {
+ log_warn("%s: failed to compose IMSG_CFG_TLS imsg for "
+ "`%s'", __func__, srv_conf->name);
+ return (-1);
+ }
+ }
+
return (0);
}
@@ -583,7 +605,8 @@ config_gettls(struct httpd *env, struct imsg *imsg)
s = sizeof(tls_conf);
if ((IMSG_DATA_SIZE(imsg) - s) <
- (tls_conf.tls_cert_len + tls_conf.tls_key_len)) {
+ (tls_conf.tls_cert_len + tls_conf.tls_key_len +
+ tls_conf.tls_ocsp_staple_len)) {
log_debug("%s: invalid message length", __func__);
goto fail;
}
@@ -611,6 +634,13 @@ config_gettls(struct httpd *env, struct imsg *imsg)
goto fail;
s += tls_conf.tls_key_len;
}
+ if (tls_conf.tls_ocsp_staple_len != 0) {
+ srv_conf->tls_ocsp_staple_len = tls_conf.tls_ocsp_staple_len;
+ if ((srv_conf->tls_ocsp_staple = get_data(p + s,
+ tls_conf.tls_ocsp_staple_len)) == NULL)
+ goto fail;
+ s += tls_conf.tls_ocsp_staple_len;
+ }
return (0);
diff --git a/usr.sbin/httpd/httpd.conf.5 b/usr.sbin/httpd/httpd.conf.5
index 2bd3ec74b07..5c56f991f56 100644
--- a/usr.sbin/httpd/httpd.conf.5
+++ b/usr.sbin/httpd/httpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: httpd.conf.5,v 1.73 2016/05/09 19:36:54 tj Exp $
+.\" $OpenBSD: httpd.conf.5,v 1.74 2016/11/06 10:49:38 beck Exp $
.\"
.\" Copyright (c) 2014, 2015 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: May 9 2016 $
+.Dd $Mdocdate: November 6 2016 $
.Dt HTTPD.CONF 5
.Os
.Sh NAME
@@ -533,6 +533,16 @@ root directory of
.Nm httpd .
The default is
.Pa /etc/ssl/private/server.key .
+.It Ic ocsp Ar file
+Specify an OCSP response to be stapled during TLS handshakes
+with this server.
+The
+.Ar file
+should contain a DER format OCSP response retrieved from an
+OCSP server for the
+.Ar certificate
+in use.
+The default is to not to use OCSP stapling.
.It Ic protocols Ar string
Specify the TLS protocols to enable for this server.
If not specified, the value
diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index 6cf9b4c763a..d9a8895375c 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.122 2016/10/12 10:57:30 reyk Exp $ */
+/* $OpenBSD: httpd.h,v 1.123 2016/11/06 10:49:38 beck Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -449,6 +449,9 @@ struct server_config {
size_t tls_key_len;
char *tls_key_file;
uint32_t tls_protocols;
+ uint8_t *tls_ocsp_staple;
+ size_t tls_ocsp_staple_len;
+ char *tls_ocsp_staple_file;
uint32_t flags;
int strip;
@@ -482,6 +485,7 @@ struct tls_config {
size_t tls_cert_len;
size_t tls_key_len;
+ size_t tls_ocsp_staple_len;
};
struct server {
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index e836d4c8af4..c3de86f2593 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.82 2016/09/03 14:44:21 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.83 2016/11/06 10:49:38 beck Exp $ */
/*
* Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -131,9 +131,9 @@ typedef struct {
%token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON
%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN
-%token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY ON PORT PREFORK PROTOCOLS
-%token REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
-%token TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD
+%token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY OCSP ON PORT PREFORK
+%token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
+%token TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST
%token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
%token <v.string> STRING
%token <v.number> NUMBER
@@ -706,6 +706,13 @@ tlsopts : CERTIFICATE STRING {
fatal("out of memory");
free($2);
}
+ | OCSP STRING {
+ free(srv_conf->tls_ocsp_staple_file);
+ if ((srv_conf->tls_ocsp_staple_file = strdup($2))
+ == NULL)
+ fatal("out of memory");
+ free($2);
+ }
| CIPHERS STRING {
if (strlcpy(srv_conf->tls_ciphers, $2,
sizeof(srv_conf->tls_ciphers)) >=
@@ -1206,6 +1213,7 @@ lookup(char *s)
{ "max-age", MAXAGE },
{ "no", NO },
{ "nodelay", NODELAY },
+ { "ocsp", OCSP },
{ "on", ON },
{ "pass", PASS },
{ "port", PORT },
@@ -2007,6 +2015,9 @@ server_inherit(struct server *src, struct server_config *alias,
if ((dst->srv_conf.tls_key_file =
strdup(src->srv_conf.tls_key_file)) == NULL)
fatal("out of memory");
+ if ((dst->srv_conf.tls_ocsp_staple_file =
+ strdup(src->srv_conf.tls_ocsp_staple_file)) == NULL)
+ fatal("out of memory");
dst->srv_conf.tls_cert = NULL;
dst->srv_conf.tls_key = NULL;
dst->srv_conf.tls_cert_len = 0;
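Review bot: `strdup(src->srv_conf.tls_ocsp_staple_file)` runs unconditionally, but the parser only sets that field when an `ocsp` option is present and serverconfig_reset leaves it NULL, so inheriting from any server block without `ocsp` passes NULL to strdup(), which is undefined behaviour and in practice a crash or a spurious "out of memory". The neighbouring lines also NULL the inherited tls_cert/tls_key pointers and zero their lengths, presumably because dst->srv_conf was copied from src wholesale; the staple buffer gets no such treatment, so if that copy happens, src and dst would share one tls_ocsp_staple allocation and serverconfig_free would free it twice. server_inherit begins before this hunk, so I cannot see the copy itself; the guarded strdup plus the two resets below are safe in either case.
```c
	if (src->srv_conf.tls_ocsp_staple_file != NULL &&
	    (dst->srv_conf.tls_ocsp_staple_file =
	    strdup(src->srv_conf.tls_ocsp_staple_file)) == NULL)
		fatal("out of memory");
	/* … unchanged: tls_cert / tls_key pointer and length resets … */
	dst->srv_conf.tls_ocsp_staple = NULL;
	dst->srv_conf.tls_ocsp_staple_len = 0;
```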
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 7d3394d7055..63873cfb4a4 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.95 2016/08/30 14:31:53 rzalamena Exp $ */
+/* $OpenBSD: server.c,v 1.96 2016/11/06 10:49:38 beck Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -173,6 +173,14 @@ server_tls_load_keypair(struct server *srv)
log_debug("%s: using private key %s", __func__,
srv->srv_conf.tls_key_file);
+ if ((srv->srv_conf.tls_ocsp_staple = tls_load_file(
+ srv->srv_conf.tls_ocsp_staple_file,
+ &srv->srv_conf.tls_ocsp_staple_len,
+ NULL)) == NULL)
+ return (-1);
+ log_debug("%s: using ocsp staple from %s", __func__,
+ srv->srv_conf.tls_ocsp_staple_file);
+
return (0);
}
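Review bot: tls_load_file() is now called for every TLS server, but tls_ocsp_staple_file is only set by the new `ocsp` option and is NULL otherwise (serverconfig_reset NULLs it, and the parser never defaults it), so a server without `ocsp` would fail server_tls_load_keypair() with a NULL path. Wrap the load in `if (srv->srv_conf.tls_ocsp_staple_file != NULL) { … }`, mirroring the `tls_ocsp_staple != NULL` test that server_tls_init already uses before setting the staple. While here, a one-line comment would help operators: the response is read once at config load and nothing in this path checks its validity window, so presumably a response past its nextUpdate keeps being stapled until the next reload, e.g. `/* DER OCSP response, read once; refreshing it requires a reload */`. server_tls_load_keypair begins before this hunk.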
@@ -229,6 +237,15 @@ server_tls_init(struct server *srv)
return (-1);
}
+ if (srv->srv_conf.tls_ocsp_staple != NULL) {
+ if (tls_config_set_ocsp_staple_mem(srv->srv_tls_config,
+ srv->srv_conf.tls_ocsp_staple,
+ srv->srv_conf.tls_ocsp_staple_len) != 0 ) {
+ log_warnx("%s: failed to add ocsp staple", __func__);
+ return (-1);
+ }
+ }
+
TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) {
if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL)
continue;
@@ -240,6 +257,16 @@ server_tls_init(struct server *srv)
log_warnx("%s: failed to add tls keypair", __func__);
return (-1);
}
+ if (srv_conf->tls_ocsp_staple == NULL)
+ continue;
+ log_debug("%s: adding ocsp staple for server %s", __func__,
+ srv->srv_conf.name);
+ if (tls_config_set_ocsp_staple_mem(srv->srv_tls_config,
+ srv_conf->tls_ocsp_staple, srv_conf->tls_ocsp_staple_len)
+ != 0 ) {
+ log_warnx("%s: failed to add ocsp staple", __func__);
+ return (-1);
+ }
}
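Review bot: The debug message in the loop prints `srv->srv_conf.name`, the parent server, for every host it iterates over, so the log never names the host whose staple is actually being added; it should read `srv_conf->name`, as the line above it uses `srv_conf` for the staple itself. More importantly, each iteration calls tls_config_set_ocsp_staple_mem() on the same srv_tls_config that the earlier hunk already configured, and if that setter keeps a single staple per config, as its name suggests (libtls is not in this diff, so I cannot confirm), the last host wins and every other name on this listener is served an OCSP response for a different certificate, which a client that validates the staple will reject. Until a staple can be attached per keypair, either refuse `ocsp` on more than one host sharing a server or state in the man page that only one staple is honoured per listener. server_tls_init continues outside this hunk.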
if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) {
@@ -354,6 +381,8 @@ serverconfig_free(struct server_config *srv_conf)
free(srv_conf->return_uri);
free(srv_conf->tls_cert_file);
free(srv_conf->tls_key_file);
+ free(srv_conf->tls_ocsp_staple_file);
+ free(srv_conf->tls_ocsp_staple);
if (srv_conf->tls_cert != NULL) {
explicit_bzero(srv_conf->tls_cert, srv_conf->tls_cert_len);
@@ -375,6 +404,8 @@ serverconfig_reset(struct server_config *srv_conf)
srv_conf->tls_cert_file = NULL;
srv_conf->tls_key = NULL;
srv_conf->tls_key_file = NULL;
+ srv_conf->tls_ocsp_staple = NULL;
+ srv_conf->tls_ocsp_staple_file = NULL;
}
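Review bot: serverconfig_reset now clears the staple pointer and file name but not tls_ocsp_staple_len, while config_settls decides whether to send a staple from the length alone (`if (srv_conf->tls_ocsp_staple_len != 0)`), so a reset config that still carries the old length would build an iov whose base is NULL. Whether a reset can happen after the staple has been loaded depends on call order I cannot see from here; adding `srv_conf->tls_ocsp_staple_len = 0;` next to the two new lines removes the question either way. serverconfig_reset begins before this hunk.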
struct server *