-rw-r--r--lib/libtls/tls.h3
-rw-r--r--lib/libtls/tls_config.c8
-rw-r--r--lib/libtls/tls_init.310
-rw-r--r--lib/libtls/tls_internal.h3
-rw-r--r--lib/libtls/tls_ocsp.c7
-rw-r--r--usr.bin/nc/nc.112
-rw-r--r--usr.bin/nc/netcat.c6
7 files changed, 37 insertions, 12 deletions
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 3929cb848e4..2f998d45615 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.39 2016/11/02 15:18:42 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.40 2016/11/04 05:13:13 beck Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -117,6 +117,7 @@ void tls_config_insecure_noverifyname(struct tls_config *_config);
void tls_config_insecure_noverifytime(struct tls_config *_config);
void tls_config_verify(struct tls_config *_config);
+void tls_config_ocsp_require_stapling(struct tls_config *_config);
void tls_config_verify_client(struct tls_config *_config);
void tls_config_verify_client_optional(struct tls_config *_config);
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index c07621acaf2..5c73c29d659 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.28 2016/08/22 14:55:59 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.29 2016/11/04 05:13:13 beck Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -621,6 +621,12 @@ tls_config_verify(struct tls_config *config)
}
void
+tls_config_ocsp_require_stapling(struct tls_config *config)
+{
+ config->ocsp_require_stapling = 1;
+}
+
+void
tls_config_verify_client(struct tls_config *config)
{
config->verify_client = 1;
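Review bot: The new setter is one-way: once `ocsp_require_stapling` is set there is no API to clear it, and `tls_config_verify` (documented in this commit as re-enabling name and certificate verification) does not touch the new field, so a config object cannot be returned to the default. If that is intended, the man page entry added in this commit should say so; otherwise a matching reset would be consistent with how the `insecure_*` toggles pair with `tls_config_verify`. The flag is only consulted from the OCSP status callback, which presumably only runs when certificate verification is active, so a short comment here would help callers: `/* Enforced in tls_ocsp_verify_cb; has no effect unless OCSP verification runs. */`.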
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index d0b6292b4ab..88195deb2e1 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.76 2016/11/03 12:54:16 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 3 2016 $
+.Dd $Mdocdate: November 4 2016 $
.Dt TLS_INIT 3
.Os
.Sh NAME
@@ -47,6 +47,7 @@
.Nm tls_config_insecure_noverifycert ,
.Nm tls_config_insecure_noverifyname ,
.Nm tls_config_insecure_noverifytime ,
+.Nm tls_config_ocsp_require_stapling ,
.Nm tls_config_verify ,
.Nm tls_config_verify_client ,
.Nm tls_config_verify_client_optional ,
@@ -150,6 +151,8 @@
.Ft "void"
.Fn tls_config_insecure_noverifytime "struct tls_config *config"
.Ft "void"
+.Fn tls_config_ocsp_require_stapling "struct tls_config *config"
+.Ft "void"
.Fn tls_config_verify "struct tls_config *config"
.Ft "void"
.Fn tls_config_verify_client "struct tls_config *config"
@@ -456,6 +459,9 @@ Be careful when using this option.
disables validity checking of certificates and OCSP validation.
Be careful when using this option.
.It
+.Fn tls_config_ocsp_require_stapling
+requires that a valid stapled OCSP response be provided during the TLS handshake.
+.It
.Fn tls_config_verify
reenables server name and certificate verification.
.It
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index fde4066f7cc..0112ceedb9c 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.45 2016/11/03 10:05:32 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -64,6 +64,7 @@ struct tls_config {
int dheparams;
int ecdhecurve;
struct tls_keypair *keypair;
+ int ocsp_require_stapling;
uint32_t protocols;
int verify_cert;
int verify_client;
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index aa085bd245f..af65771f7cc 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
@@ -304,8 +304,13 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
return -1;
size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
- if (size <= 0)
+ if (size <= 0) {
+ if (ctx->config->ocsp_require_stapling) {
+ tls_set_errorx(ctx, "no stapled OCSP response provided");
+ return 0;
+ }
return 1;
+ }
tls_ocsp_ctx_free(ctx->ocsp_ctx);
ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);
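Review bot: The added branch changes the meaning of the callback's `size <= 0` path from "continue" to "abort the handshake" depending on configuration, but nothing at the site explains the two return values, which is what the next reader will need. I would add, above the `if (size <= 0) {`, `/* No stapled response: fatal (0) when the config requires stapling, otherwise continue the handshake (1). */`. Note that `SSL_get_tlsext_status_ocsp_resp` returns -1 for "no response" as well as 0 for an empty one; the `<= 0` test covers both, which is worth stating since the error text says "no stapled OCSP response provided" in either case. tls_ocsp_verify_cb starts and ends outside this hunk.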
diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1
index 8b7c92aa636..313ec1f19ca 100644
--- a/usr.bin/nc/nc.1
+++ b/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.74 2016/07/02 05:58:00 jmc Exp $
+.\" $OpenBSD: nc.1,v 1.75 2016/11/04 05:13:13 beck Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
@@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 2 2016 $
+.Dd $Mdocdate: November 4 2016 $
.Dt NC 1
.Os
.Sh NAME
@@ -229,10 +229,12 @@ which allows legacy TLS protocols;
.Ar noverify ,
which disables certificate verification;
.Ar noname ,
-which disables certificate name checking; or
+which disables certificate name checking;
.Ar clientcert ,
-which requires a client certificate on incoming connections.
-It is illegal to specify TLS options if not using TLS.
+which requires a client certificate on incoming connections; or
+.Ar muststaple ,
+which requires the peer to provide a valid stapled OCSP response
+with the handshake. It is illegal to specify TLS options if not using TLS.
.Pp
For IPv4 TOS value
.Ar keyword
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index 6b05b3fdf78..b71c0426dcf 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.166 2016/11/03 15:54:39 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.167 2016/11/04 05:13:13 beck Exp $ */
/*
* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
* Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -71,6 +71,7 @@
#define TLS_NOVERIFY (1 << 2)
#define TLS_NONAME (1 << 3)
#define TLS_CCERT (1 << 4)
+#define TLS_MUSTSTAPLE (1 << 5)
/* Command Line Options */
int dflag; /* detached, no stdin */
@@ -468,6 +469,8 @@ main(int argc, char *argv[])
"together");
tls_config_insecure_noverifycert(tls_cfg);
}
+ if (TLSopt & TLS_MUSTSTAPLE)
+ tls_config_ocsp_require_stapling(tls_cfg);
if (Pflag) {
if (pledge("stdio inet dns tty", NULL) == -1)
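Review bot: `-T muststaple` combined with `-T noverify` is accepted silently, although after `tls_config_insecure_noverifycert(tls_cfg)` a few lines above it is unlikely that the OCSP status check which enforces stapling still runs, so the option would give a false sense of revocation checking; the existing code already rejects incompatible option pairs with an errx ending in "together", and this pair deserves the same treatment. Something like `if ((TLSopt & TLS_MUSTSTAPLE) && (TLSopt & TLS_NOVERIFY)) errx(1, "cannot use -T muststaple and -T noverify together");` placed before the new `tls_config_ocsp_require_stapling` call. Whether the OCSP callback is truly skipped under noverifycert is inferred from libtls behaviour, not visible here, so confirm before adding the check. main() continues outside this hunk.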
@@ -1502,6 +1505,7 @@ map_tls(char *s, int *val)
{ "noverify", TLS_NOVERIFY },
{ "noname", TLS_NONAME },
{ "clientcert", TLS_CCERT},
+ { "muststaple", TLS_MUSTSTAPLE},
{ NULL, -1 },
};