| author | beck <> | 2016-11-05 15:13:26 +0000 |
|---|---|---|
| committer | beck <> | 2016-11-05 15:13:26 +0000 |
| commit | e11dddc2de1dbf045d34adf894146594aded7e8d (patch) | |
| tree | 539491edf35461b59c4b7f94d33635fed5473983 /src/lib/libtls | |
| parent | 464dd6c7ce174b2e5a477e2359d33ac3740c1482 (diff) | |
| download | openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.tar.gz openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.tar.bz2 openbsd-e11dddc2de1dbf045d34adf894146594aded7e8d.zip | |
Add support for server side OCSP stapling to libtls.
Add support for server side OCSP stapling to netcat.
Diffstat (limited to 'src/lib/libtls')
| -rw-r--r-- | src/lib/libtls/Symbols.list | 2 | ||||
| -rw-r--r-- | src/lib/libtls/tls.h | 4 | ||||
| -rw-r--r-- | src/lib/libtls/tls_config.c | 16 | ||||
| -rw-r--r-- | src/lib/libtls/tls_init.3 | 18 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 9 | ||||
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 34 | ||||
| -rw-r--r-- | src/lib/libtls/tls_server.c | 8 |
7 files changed, 79 insertions, 12 deletions
diff --git a/src/lib/libtls/Symbols.list b/src/lib/libtls/Symbols.list index 9074d5e011..7ed1d58bdc 100644 --- a/src/lib/libtls/Symbols.list +++ b/src/lib/libtls/Symbols.list | |||
| @@ -29,6 +29,8 @@ tls_config_set_key_file | |||
| 29 | tls_config_set_key_mem | 29 | tls_config_set_key_mem |
| 30 | tls_config_set_keypair_file | 30 | tls_config_set_keypair_file |
| 31 | tls_config_set_keypair_mem | 31 | tls_config_set_keypair_mem |
| 32 | tls_config_set_ocsp_staple_mem | ||
| 33 | tls_config_set_ocsp_staple_file | ||
| 32 | tls_config_set_protocols | 34 | tls_config_set_protocols |
| 33 | tls_config_set_verify_depth | 35 | tls_config_set_verify_depth |
| 34 | tls_config_verify | 36 | tls_config_verify |
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h index 2f998d4561..2f8c721a15 100644 --- a/src/lib/libtls/tls.h +++ b/src/lib/libtls/tls.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.h,v 1.40 2016/11/04 05:13:13 beck Exp $ */ | 1 | /* $OpenBSD: tls.h,v 1.41 2016/11/05 15:13:26 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -106,6 +106,8 @@ int tls_config_set_keypair_file(struct tls_config *_config, | |||
| 106 | const char *_cert_file, const char *_key_file); | 106 | const char *_cert_file, const char *_key_file); |
| 107 | int tls_config_set_keypair_mem(struct tls_config *_config, const uint8_t *_cert, | 107 | int tls_config_set_keypair_mem(struct tls_config *_config, const uint8_t *_cert, |
| 108 | size_t _cert_len, const uint8_t *_key, size_t _key_len); | 108 | size_t _cert_len, const uint8_t *_key, size_t _key_len); |
| 109 | int tls_config_set_ocsp_staple_mem(struct tls_config *_config, char *_staple, size_t _len); | ||
| 110 | int tls_config_set_ocsp_staple_file(struct tls_config *_config, const char *_staple_file); | ||
| 109 | void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols); | 111 | void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols); |
| 110 | void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth); | 112 | void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth); |
| 111 | 113 | ||
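Review bot: The new prototype on line 109 declares the staple as `char *_staple`, while the sibling `_mem` setters directly above it (lines 107-108) take `const uint8_t *` and the tls_init.3 hunk in this same commit documents the parameter as `const char *staple`, so header, manual and local convention disagree on the type. The data is a DER-encoded response that the setter only needs to read, so `int tls_config_set_ocsp_staple_mem(struct tls_config *_config, const uint8_t *_staple, size_t _len);` would match both, assuming set_mem copies its input as the `_mem` naming suggests (worth confirming); the same change applies to the definition in tls_config.c and, for consistency, to the `char *ocsp_staple` field added in tls_internal.h. Separately, the new `.Fn tls_config_set_ocsp_staple_file` line in tls_init.3 is missing the closing quote after `staple_file`, which will break the mdoc rendering of that synopsis.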
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 218a4c4e72..3ac674e597 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_config.c,v 1.31 2016/11/04 19:01:04 jsing Exp $ */ | 1 | /* $OpenBSD: tls_config.c,v 1.32 2016/11/05 15:13:26 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -227,6 +227,7 @@ tls_config_free(struct tls_config *config) | |||
| 227 | free((char *)config->ca_mem); | 227 | free((char *)config->ca_mem); |
| 228 | free((char *)config->ca_path); | 228 | free((char *)config->ca_path); |
| 229 | free((char *)config->ciphers); | 229 | free((char *)config->ciphers); |
| 230 | free(config->ocsp_staple); | ||
| 230 | 231 | ||
| 231 | free(config); | 232 | free(config); |
| 232 | } | 233 | } |
| @@ -641,3 +642,16 @@ tls_config_verify_client_optional(struct tls_config *config) | |||
| 641 | { | 642 | { |
| 642 | config->verify_client = 2; | 643 | config->verify_client = 2; |
| 643 | } | 644 | } |
| 645 | |||
| 646 | int | ||
| 647 | tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file) | ||
| 648 | { | ||
| 649 | return tls_config_load_file(&config->error, "OCSP", staple_file, | ||
| 650 | &config->ocsp_staple, &config->ocsp_staple_len); | ||
| 651 | } | ||
| 652 | |||
| 653 | int | ||
| 654 | tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len) | ||
| 655 | { | ||
| 656 | return set_mem(&config->ocsp_staple, &config->ocsp_staple_len, staple, len); | ||
| 657 | } | ||
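Review bot: Neither new setter checks that the bytes it stores are actually a DER-encoded OCSP response, even though tls_init.3 promises exactly that; a mis-pointed file or a PEM blob is accepted silently and only surfaces later as a failed handshake on clients that require stapling. Parsing the buffer once at configuration time (for example with `d2i_OCSP_RESPONSE` and reporting via the config error setter when it fails) would turn a remote, hard-to-diagnose failure into an immediate, local `-1` return. Both functions also lack a header comment; something like `/* Store a DER-encoded OCSP response to be stapled by server connections using this config. */` above each would document the contract the manual states. Placing them next to tls_config_set_keypair_mem rather than after tls_config_verify_client_optional would keep the setters grouped as the rest of the file does.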
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index 88195deb2e..a6ab619c19 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $ | 1 | .\" $OpenBSD: tls_init.3,v 1.78 2016/11/05 15:13:26 beck Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> | 3 | .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> |
| 4 | .\" | 4 | .\" |
| @@ -14,7 +14,7 @@ | |||
| 14 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | 14 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 15 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 16 | .\" | 16 | .\" |
| 17 | .Dd $Mdocdate: November 4 2016 $ | 17 | .Dd $Mdocdate: November 5 2016 $ |
| 18 | .Dt TLS_INIT 3 | 18 | .Dt TLS_INIT 3 |
| 19 | .Os | 19 | .Os |
| 20 | .Sh NAME | 20 | .Sh NAME |
| @@ -39,6 +39,8 @@ | |||
| 39 | .Nm tls_config_set_key_mem , | 39 | .Nm tls_config_set_key_mem , |
| 40 | .Nm tls_config_set_keypair_file , | 40 | .Nm tls_config_set_keypair_file , |
| 41 | .Nm tls_config_set_keypair_mem , | 41 | .Nm tls_config_set_keypair_mem , |
| 42 | .Nm tls_config_set_ocsp_staple_mem , | ||
| 43 | .Nm tls_config_set_ocsp_staple_file , | ||
| 42 | .Nm tls_config_set_protocols , | 44 | .Nm tls_config_set_protocols , |
| 43 | .Nm tls_config_set_verify_depth , | 45 | .Nm tls_config_set_verify_depth , |
| 44 | .Nm tls_config_prefer_ciphers_client , | 46 | .Nm tls_config_prefer_ciphers_client , |
| @@ -134,6 +136,10 @@ | |||
| 134 | .Fn tls_config_set_keypair_file "struct tls_config *config" "const char *cert_file" "const char *key_file" | 136 | .Fn tls_config_set_keypair_file "struct tls_config *config" "const char *cert_file" "const char *key_file" |
| 135 | .Ft "int" | 137 | .Ft "int" |
| 136 | .Fn tls_config_set_keypair_mem "struct tls_config *config" "const uint8_t *cert" "size_t cert_len" "const uint8_t *key" "size_t key_len" | 138 | .Fn tls_config_set_keypair_mem "struct tls_config *config" "const uint8_t *cert" "size_t cert_len" "const uint8_t *key" "size_t key_len" |
| 139 | .Ft "int" | ||
| 140 | .Fn tls_config_set_ocsp_staple_mem "struct tls_config *config" "const char *staple" "size_t len" | ||
| 141 | .Ft "int" | ||
| 142 | .Fn tls_config_set_ocsp_staple_file "struct tls_config *config" "const char *staple_file | ||
| 137 | .Ft "void" | 143 | .Ft "void" |
| 138 | .Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols" | 144 | .Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols" |
| 139 | .Ft "void" | 145 | .Ft "void" |
| @@ -365,6 +371,14 @@ used as an alternative certificate for Server Name Indication (server only). | |||
| 365 | adds an additional public certificate and private key from memory, | 371 | adds an additional public certificate and private key from memory, |
| 366 | used as an alternative certificate for Server Name Indication (server only). | 372 | used as an alternative certificate for Server Name Indication (server only). |
| 367 | .It | 373 | .It |
| 374 | .Fn tls_config_set_ocsp_staple_mem | ||
| 375 | adds a DER encoded OCSP response to be stapled during the TLS handshake from | ||
| 376 | memory. | ||
| 377 | .It | ||
| 378 | .Fn tls_config_set_ocsp_staple_file | ||
| 379 | adds a DER encoded OCSP response to be stapled during the TLS handshake from | ||
| 380 | the specified file. | ||
| 381 | .It | ||
| 368 | .Fn tls_config_set_alpn | 382 | .Fn tls_config_set_alpn |
| 369 | sets the ALPN protocols that are supported. | 383 | sets the ALPN protocols that are supported. |
| 370 | The alpn string is a comma separated list of protocols, in order of preference. | 384 | The alpn string is a comma separated list of protocols, in order of preference. |
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 65b65371b2..1db186a05f 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.49 2016/11/05 14:50:05 beck Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.50 2016/11/05 15:13:26 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| @@ -67,6 +67,8 @@ struct tls_config { | |||
| 67 | int ecdhecurve; | 67 | int ecdhecurve; |
| 68 | struct tls_keypair *keypair; | 68 | struct tls_keypair *keypair; |
| 69 | int ocsp_require_stapling; | 69 | int ocsp_require_stapling; |
| 70 | char *ocsp_staple; | ||
| 71 | size_t ocsp_staple_len; | ||
| 70 | uint32_t protocols; | 72 | uint32_t protocols; |
| 71 | int verify_cert; | 73 | int verify_cert; |
| 72 | int verify_client; | 74 | int verify_client; |
| @@ -110,10 +112,6 @@ struct tls_ocsp { | |||
| 110 | /* responder location */ | 112 | /* responder location */ |
| 111 | char *ocsp_url; | 113 | char *ocsp_url; |
| 112 | 114 | ||
| 113 | /* request blob */ | ||
| 114 | uint8_t *request_data; | ||
| 115 | size_t request_size; | ||
| 116 | |||
| 117 | /* cert data, this struct does not own these */ | 115 | /* cert data, this struct does not own these */ |
| 118 | X509 *main_cert; | 116 | X509 *main_cert; |
| 119 | STACK_OF(X509) *extra_certs; | 117 | STACK_OF(X509) *extra_certs; |
| @@ -208,6 +206,7 @@ int tls_conninfo_populate(struct tls *ctx); | |||
| 208 | void tls_conninfo_free(struct tls_conninfo *conninfo); | 206 | void tls_conninfo_free(struct tls_conninfo *conninfo); |
| 209 | 207 | ||
| 210 | int tls_ocsp_verify_cb(SSL *ssl, void *arg); | 208 | int tls_ocsp_verify_cb(SSL *ssl, void *arg); |
| 209 | int tls_ocsp_stapling_cb(SSL *ssl, void *arg); | ||
| 211 | void tls_ocsp_free(struct tls_ocsp *ctx); | 210 | void tls_ocsp_free(struct tls_ocsp *ctx); |
| 212 | struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx); | 211 | struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx); |
| 213 | 212 | ||
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c index 2da88f4281..9ed60a2aa9 100644 --- a/src/lib/libtls/tls_ocsp.c +++ b/src/lib/libtls/tls_ocsp.c | |||
| @@ -50,8 +50,6 @@ tls_ocsp_free(struct tls_ocsp *ocsp) | |||
| 50 | ocsp->ocsp_result = NULL; | 50 | ocsp->ocsp_result = NULL; |
| 51 | free(ocsp->ocsp_url); | 51 | free(ocsp->ocsp_url); |
| 52 | ocsp->ocsp_url = NULL; | 52 | ocsp->ocsp_url = NULL; |
| 53 | free(ocsp->request_data); | ||
| 54 | ocsp->request_data = NULL; | ||
| 55 | free(ocsp); | 53 | free(ocsp); |
| 56 | } | 54 | } |
| 57 | 55 | ||
| @@ -322,6 +320,38 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg) | |||
| 322 | return (res == 0) ? 1 : 0; | 320 | return (res == 0) ? 1 : 0; |
| 323 | } | 321 | } |
| 324 | 322 | ||
| 323 | |||
| 324 | /* Staple the OCSP information in ctx->ocsp to the server handshake. */ | ||
| 325 | int | ||
| 326 | tls_ocsp_stapling_cb(SSL *ssl, void *arg) | ||
| 327 | { | ||
| 328 | struct tls *ctx; | ||
| 329 | unsigned char *ocsp_staple = NULL; | ||
| 330 | int ret = SSL_TLSEXT_ERR_ALERT_FATAL; | ||
| 331 | |||
| 332 | if ((ctx = SSL_get_app_data(ssl)) == NULL) | ||
| 333 | goto err; | ||
| 334 | |||
| 335 | if (ctx->config->ocsp_staple == NULL || | ||
| 336 | ctx->config->ocsp_staple_len == 0) | ||
| 337 | return SSL_TLSEXT_ERR_NOACK; | ||
| 338 | |||
| 339 | if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL) | ||
| 340 | goto err; | ||
| 341 | |||
| 342 | memcpy(ocsp_staple, ctx->config->ocsp_staple, | ||
| 343 | ctx->config->ocsp_staple_len); | ||
| 344 | if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple, | ||
| 345 | ctx->config->ocsp_staple_len) != 1) | ||
| 346 | goto err; | ||
| 347 | |||
| 348 | ret = SSL_TLSEXT_ERR_OK; | ||
| 349 | err: | ||
| 350 | if (ret != SSL_TLSEXT_ERR_OK) | ||
| 351 | free(ocsp_staple); | ||
| 352 | return ret; | ||
| 353 | } | ||
| 354 | |||
| 325 | /* | 355 | /* |
| 326 | * Public API | 356 | * Public API |
| 327 | */ | 357 | */ |
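Review bot: The comment introducing tls_ocsp_stapling_cb says it staples `ctx->ocsp`, but the body reads `ctx->config->ocsp_staple` and never touches ctx->ocsp; suggest `/* Staple the OCSP response configured in ctx->config, if any, to the server handshake. */`. The response is attached through `ctx->ssl_conn` although the callback is handed the connection as `ssl` (line 326) and already uses it for SSL_get_app_data; `SSL_set_tlsext_status_ocsp_resp(ssl, ocsp_staple, ctx->config->ocsp_staple_len)` keeps the staple on the connection the callback was invoked for should the two ever differ. A one-line comment on the malloc/memcpy would help the next reader, since the copy is presumably there because SSL_set_tlsext_status_ocsp_resp takes ownership of the buffer and frees it itself, which is also why the err: path frees only on failure. Note too that the callback staples whatever was configured without regard to the response's validity window, so a response that is not refreshed will keep being served after it expires; that is acceptable for a first cut but worth stating in the tls_init.3 description.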
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index e3b03e1301..a9a5902add 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_server.c,v 1.29 2016/11/04 19:01:29 jsing Exp $ */ | 1 | /* $OpenBSD: tls_server.c,v 1.30 2016/11/05 15:13:26 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -48,6 +48,7 @@ tls_server_conn(struct tls *ctx) | |||
| 48 | return (NULL); | 48 | return (NULL); |
| 49 | 49 | ||
| 50 | conn_ctx->flags |= TLS_SERVER_CONN; | 50 | conn_ctx->flags |= TLS_SERVER_CONN; |
| 51 | conn_ctx->config = ctx->config; | ||
| 51 | 52 | ||
| 52 | return (conn_ctx); | 53 | return (conn_ctx); |
| 53 | } | 54 | } |
| @@ -213,6 +214,11 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, | |||
| 213 | if (ctx->config->ciphers_server == 1) | 214 | if (ctx->config->ciphers_server == 1) |
| 214 | SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | 215 | SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
| 215 | 216 | ||
| 217 | if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_stapling_cb) != 1) { | ||
| 218 | tls_set_errorx(ctx, "failed to add OCSP stapling callback"); | ||
| 219 | goto err; | ||
| 220 | } | ||
| 221 | |||
| 216 | /* | 222 | /* |
| 217 | * Set session ID context to a random value. We don't support | 223 | * Set session ID context to a random value. We don't support |
| 218 | * persistent caching of sessions so it is OK to set a temporary | 224 | * persistent caching of sessions so it is OK to set a temporary |
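Review bot: The new SSL_CTX_set_tlsext_status_cb call on line 217 registers the callback on `ctx->ssl_ctx`, while the surrounding code in tls_configure_server_ssl operates on the `*ssl_ctx` out-parameter (line 215, `SSL_CTX_set_options(*ssl_ctx, ...)`); if this function is ever invoked for a context other than ctx->ssl_ctx, as the parameter suggests it can be, the callback lands on the wrong or a not-yet-created SSL_CTX. `if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) {` keeps it consistent with its neighbours. tls_configure_server_ssl starts and ends outside this hunk, as does tls_server_conn. The added `conn_ctx->config = ctx->config;` makes the accepted connection share the listener's config pointer; a short comment such as `/* Borrowed from the listening ctx; not owned, must outlive this connection. */` would keep a later cleanup change from freeing it twice.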
