Add support for TLS 1.3 server to send certificate status

messages with oscp staples. ok jsing@ tb@
author: beck <> 2020-05-19 01:30:34 +0000
committer: beck <> 2020-05-19 01:30:34 +0000
commit: 0286c965db48149ae18c03e50dcc7965dfa5887e (patch)
tree: 8f5ae09863670d19a22fed1e3b31bc81cd7c0353
parent: e73b818448057ce4fec815b7f2b2770ece5877f7 (diff)
download: openbsd-0286c965db48149ae18c03e50dcc7965dfa5887e.tar.gz
openbsd-0286c965db48149ae18c03e50dcc7965dfa5887e.tar.bz2
openbsd-0286c965db48149ae18c03e50dcc7965dfa5887e.zip
5 files changed, 38 insertions, 15 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 814eb7c5cf..1ec8ac00ef 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.68 2020/05/13 17:55:34 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.69 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -909,12 +909,34 @@ tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert)
 int
 tlsext_ocsp_server_needs(SSL *s)
 {
+        if (s->version >= TLS1_3_VERSION &&
+            s->ctx->internal->tlsext_status_cb != NULL) {
+                s->internal->tlsext_status_expected = 0;
+                if (s->ctx->internal->tlsext_status_cb(s,
+                    s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
+                    s->internal->tlsext_ocsp_resp_len > 0)
+                        s->internal->tlsext_status_expected = 1;
+        }
        return s->internal->tlsext_status_expected;
 }
 int
 tlsext_ocsp_server_build(SSL *s, CBB *cbb)
 {
+        CBB ocsp_response;
+        if (s->version >= TLS1_3_VERSION) {
+                if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
+                        return 0;
+                if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
+                        return 0;
+                if (!CBB_add_bytes(&ocsp_response,
+                    s->internal->tlsext_ocsp_resp,
+                    s->internal->tlsext_ocsp_resp_len))
+                        return 0;
+                if (!CBB_flush(cbb))
+                        return 0;
+        }
        return 1;
 }
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 652953f2bb..a17b2bd47f 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.61 2020/05/17 14:26:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.62 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -847,12 +847,12 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
        if (cpk->x509 == NULL)
                goto done;
-        if (!tls13_cert_add(&cert_list, cpk->x509))
+        if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build))
                goto err;
        for (i = 0; i < sk_X509_num(chain); i++) {
                cert = sk_X509_value(chain, i);
-                if (!tls13_cert_add(&cert_list, cert))
+                if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build))
                        goto err;
        }
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 98cbf4c8a7..7e188981f4 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.80 2020/05/16 14:42:35 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.81 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -380,8 +380,9 @@ int tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_finished_sent(struct tls13_ctx *ctx);
 void tls13_error_clear(struct tls13_error *error);
+int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
+    int(*build_extensions)(SSL *s, CBB *cbb, uint16_t msg_type));
-int tls13_cert_add(CBB *cbb, X509 *cert);
 int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);
 int tls13_error_set(struct tls13_error *error, int code, int subcode,
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 3527539095..60b4a389b7 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.45 2020/05/17 19:07:15 beck Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.46 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -21,6 +21,7 @@
 #include <openssl/evp.h>
 #include "ssl_locl.h"
+#include "ssl_tlsext.h"
 #include "tls13_internal.h"
 /*
@@ -410,9 +411,10 @@ tls13_ctx_free(struct tls13_ctx *ctx)
 }
 int
-tls13_cert_add(CBB *cbb, X509 *cert)
+tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
+    int(*build_extensions)(SSL *s, CBB *cbb, uint16_t msg_type))
 {
-        CBB cert_data, cert_exts;
+        CBB cert_data;
        uint8_t *data;
        int cert_len;
@@ -425,10 +427,8 @@ tls13_cert_add(CBB *cbb, X509 *cert)
                return 0;
        if (i2d_X509(cert, &data) != cert_len)
                return 0;
+        if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))
-        if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
                return 0;
        if (!CBB_flush(cbb))
                return 0;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 4e40aa7ba3..ea14cfa683 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.47 2020/05/16 14:40:53 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.48 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -454,12 +454,12 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
        if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
                goto err;
-        if (!tls13_cert_add(&cert_list, cpk->x509))
+        if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build))
                goto err;
        for (i = 0; i < sk_X509_num(chain); i++) {
                cert = sk_X509_value(chain, i);
-                if (!tls13_cert_add(&cert_list, cert))
+                if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_server_build))
                        goto err;
        }
author	beck <>	2020-05-19 01:30:34 +0000
committer	beck <>	2020-05-19 01:30:34 +0000
commit	0286c965db48149ae18c03e50dcc7965dfa5887e (patch)
tree	8f5ae09863670d19a22fed1e3b31bc81cd7c0353
parent	e73b818448057ce4fec815b7f2b2770ece5877f7 (diff)
download	openbsd-0286c965db48149ae18c03e50dcc7965dfa5887e.tar.gz openbsd-0286c965db48149ae18c03e50dcc7965dfa5887e.tar.bz2 openbsd-0286c965db48149ae18c03e50dcc7965dfa5887e.zip

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 814eb7c5cf..1ec8ac00ef 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.68 2020/05/13 17:55:34 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.69 2020/05/19 01:30:34 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -909,12 +909,34 @@ tlsext_ocsp_server_parse(SSL s, CBS cbs, int *alert)
909	int	909	int
910	tlsext_ocsp_server_needs(SSL *s)	910	tlsext_ocsp_server_needs(SSL *s)
911	{	911	{
		912	if (s->version >= TLS1_3_VERSION &&
		913	s->ctx->internal->tlsext_status_cb != NULL) {
		914	s->internal->tlsext_status_expected = 0;
		915	if (s->ctx->internal->tlsext_status_cb(s,
		916	s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
		917	s->internal->tlsext_ocsp_resp_len > 0)
		918	s->internal->tlsext_status_expected = 1;
		919	}
912	return s->internal->tlsext_status_expected;	920	return s->internal->tlsext_status_expected;
913	}	921	}
914		922
915	int	923	int
916	tlsext_ocsp_server_build(SSL s, CBB cbb)	924	tlsext_ocsp_server_build(SSL s, CBB cbb)
917	{	925	{
		926	CBB ocsp_response;
		927
		928	if (s->version >= TLS1_3_VERSION) {
		929	if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
		930	return 0;
		931	if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
		932	return 0;
		933	if (!CBB_add_bytes(&ocsp_response,
		934	s->internal->tlsext_ocsp_resp,
		935	s->internal->tlsext_ocsp_resp_len))
		936	return 0;
		937	if (!CBB_flush(cbb))
		938	return 0;
		939	}
918	return 1;	940	return 1;
919	}	941	}
920		942


diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 652953f2bb..a17b2bd47f 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.61 2020/05/17 14:26:15 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.62 2020/05/19 01:30:34 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -847,12 +847,12 @@ tls13_client_certificate_send(struct tls13_ctx ctx, CBB cbb)
847	if (cpk->x509 == NULL)	847	if (cpk->x509 == NULL)
848	goto done;	848	goto done;
849		849
850	if (!tls13_cert_add(&cert_list, cpk->x509))	850	if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build))
851	goto err;	851	goto err;
852		852
853	for (i = 0; i < sk_X509_num(chain); i++) {	853	for (i = 0; i < sk_X509_num(chain); i++) {
854	cert = sk_X509_value(chain, i);	854	cert = sk_X509_value(chain, i);
855	if (!tls13_cert_add(&cert_list, cert))	855	if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build))
856	goto err;	856	goto err;
857	}	857	}
858		858


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 98cbf4c8a7..7e188981f4 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.80 2020/05/16 14:42:35 jsing Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.81 2020/05/19 01:30:34 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -380,8 +380,9 @@ int tls13_server_finished_send(struct tls13_ctx ctx, CBB cbb);
380	int tls13_server_finished_sent(struct tls13_ctx *ctx);	380	int tls13_server_finished_sent(struct tls13_ctx *ctx);
381		381
382	void tls13_error_clear(struct tls13_error *error);	382	void tls13_error_clear(struct tls13_error *error);
		383	int tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
		384	int(build_extensions)(SSL s, CBB *cbb, uint16_t msg_type));
383		385
384	int tls13_cert_add(CBB cbb, X509 cert);
385	int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);	386	int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);
386		387
387	int tls13_error_set(struct tls13_error *error, int code, int subcode,	388	int tls13_error_set(struct tls13_error *error, int code, int subcode,


diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 3527539095..60b4a389b7 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_lib.c,v 1.45 2020/05/17 19:07:15 beck Exp $ */	1	/* $OpenBSD: tls13_lib.c,v 1.46 2020/05/19 01:30:34 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -21,6 +21,7 @@
21	#include <openssl/evp.h>	21	#include <openssl/evp.h>
22		22
23	#include "ssl_locl.h"	23	#include "ssl_locl.h"
		24	#include "ssl_tlsext.h"
24	#include "tls13_internal.h"	25	#include "tls13_internal.h"
25		26
26	/*	27	/*
@@ -410,9 +411,10 @@ tls13_ctx_free(struct tls13_ctx *ctx)
410	}	411	}
411		412
412	int	413	int
413	tls13_cert_add(CBB cbb, X509 cert)	414	tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
		415	int(build_extensions)(SSL s, CBB *cbb, uint16_t msg_type))
414	{	416	{
415	CBB cert_data, cert_exts;	417	CBB cert_data;
416	uint8_t *data;	418	uint8_t *data;
417	int cert_len;	419	int cert_len;
418		420
@@ -425,10 +427,8 @@ tls13_cert_add(CBB cbb, X509 cert)
425	return 0;	427	return 0;
426	if (i2d_X509(cert, &data) != cert_len)	428	if (i2d_X509(cert, &data) != cert_len)
427	return 0;	429	return 0;
428		430	if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))
429	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
430	return 0;	431	return 0;
431
432	if (!CBB_flush(cbb))	432	if (!CBB_flush(cbb))
433	return 0;	433	return 0;
434		434


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 4e40aa7ba3..ea14cfa683 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.47 2020/05/16 14:40:53 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.48 2020/05/19 01:30:34 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -454,12 +454,12 @@ tls13_server_certificate_send(struct tls13_ctx ctx, CBB cbb)
454	if (!CBB_add_u24_length_prefixed(cbb, &cert_list))	454	if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
455	goto err;	455	goto err;
456		456
457	if (!tls13_cert_add(&cert_list, cpk->x509))	457	if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build))
458	goto err;	458	goto err;
459		459
460	for (i = 0; i < sk_X509_num(chain); i++) {	460	for (i = 0; i < sk_X509_num(chain); i++) {
461	cert = sk_X509_value(chain, i);	461	cert = sk_X509_value(chain, i);
462	if (!tls13_cert_add(&cert_list, cert))	462	if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_server_build))
463	goto err;	463	goto err;
464	}	464	}
465		465