Add ocsp_require_stapling config option for tls - allows a connection

to indicate that it requires the peer to provide a stapled OCSP response with the handshake. Provide a "-T muststaple" for nc that uses it. ok jsing@, guenther@
author: beck <> 2016-11-04 05:13:13 +0000
committer: beck <> 2016-11-04 05:13:13 +0000
commit: dfcc608101125b045153abb36d8b26d283aeb812 (patch)
tree: beb66ed0e210e9dcdda1ae81df9eaf1ac13b84b6 /src/lib
parent: 85d1a393066ebc8950b3667cae2d5c9e9da47ed8 (diff)
download: openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.gz
openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.bz2
openbsd-dfcc608101125b045153abb36d8b26d283aeb812.zip
5 files changed, 25 insertions, 6 deletions
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 3929cb848e..2f998d4561 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.39 2016/11/02 15:18:42 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.40 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -117,6 +117,7 @@ void tls_config_insecure_noverifyname(struct tls_config *_config);
 void tls_config_insecure_noverifytime(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
+void tls_config_ocsp_require_stapling(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
 void tls_config_verify_client_optional(struct tls_config *_config);
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index c07621acaf..5c73c29d65 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.28 2016/08/22 14:55:59 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.29 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -621,6 +621,12 @@ tls_config_verify(struct tls_config *config)
 }
 void
+tls_config_ocsp_require_stapling(struct tls_config *config)
+{
+        config->ocsp_require_stapling = 1;
+}
+void
 tls_config_verify_client(struct tls_config *config)
 {
        config->verify_client = 1;
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index d0b6292b4a..88195deb2e 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.76 2016/11/03 12:54:16 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 3 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -47,6 +47,7 @@
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
 .Nm tls_config_insecure_noverifytime ,
+.Nm tls_config_ocsp_require_stapling ,
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
@@ -150,6 +151,8 @@
 .Ft "void"
 .Fn tls_config_insecure_noverifytime "struct tls_config *config"
 .Ft "void"
+.Fn tls_config_ocsp_require_stapling "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_verify "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client "struct tls_config *config"
@@ -456,6 +459,9 @@ Be careful when using this option.
 disables validity checking of certificates and OCSP validation.
 Be careful when using this option.
 .It
+.Fn tls_config_ocsp_require_stapling
+requires that a valid stapled OCSP response be provided during the TLS handshake.
+.It
 .Fn tls_config_verify
 reenables server name and certificate verification.
 .It
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index fde4066f7c..0112ceedb9 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.45 2016/11/03 10:05:32 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -64,6 +64,7 @@ struct tls_config {
        int dheparams;
        int ecdhecurve;
        struct tls_keypair *keypair;
+        int ocsp_require_stapling;
        uint32_t protocols;
        int verify_cert;
        int verify_client;
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index aa085bd245..af65771f7c 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -304,8 +304,13 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
                return -1;
        size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
-        if (size <= 0)
+        if (size <= 0) {
+                if (ctx->config->ocsp_require_stapling) {
+                        tls_set_errorx(ctx, "no stapled OCSP response provided");
+                        return 0;
+                }
                return 1;
+        }
        tls_ocsp_ctx_free(ctx->ocsp_ctx);
        ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);
author	beck <>	2016-11-04 05:13:13 +0000
committer	beck <>	2016-11-04 05:13:13 +0000
commit	dfcc608101125b045153abb36d8b26d283aeb812 (patch)
tree	beb66ed0e210e9dcdda1ae81df9eaf1ac13b84b6 /src/lib
parent	85d1a393066ebc8950b3667cae2d5c9e9da47ed8 (diff)
download	openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.gz openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.bz2 openbsd-dfcc608101125b045153abb36d8b26d283aeb812.zip