Make sure an OCSP query sends a host header

While OCSP uses HTTP/1.0 where a host header is optional, some widely used OCSP responders will return 400 bad request if it is missing. Add such a header unless it's already provided in the user's custom headers. OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68 (both commits are under the old license) ok inoguchi
author: tb <> 2020-10-13 18:25:35 +0000
committer: tb <> 2020-10-13 18:25:35 +0000
commit: 87c965f270f1392a6fca6ec56300842a90b005e0 (patch)
tree: e02b112b792bf6921d8e95533a246a387ea07426 /src
parent: 60521e1f94c8f7c93ad95d704b47995782d72ef5 (diff)
download: openbsd-87c965f270f1392a6fca6ec56300842a90b005e0.tar.gz
openbsd-87c965f270f1392a6fca6ec56300842a90b005e0.tar.bz2
openbsd-87c965f270f1392a6fca6ec56300842a90b005e0.zip
1 files changed, 13 insertions, 4 deletions
diff --git a/src/usr.bin/openssl/ocsp.c b/src/usr.bin/openssl/ocsp.c
index 3f01416053..f954d9697b 100644
--- a/src/usr.bin/openssl/ocsp.c
+++ b/src/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.20 2020/10/08 23:46:57 beck Exp $ */
+/* $OpenBSD: ocsp.c,v 1.21 2020/10/13 18:25:35 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -97,7 +97,8 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
    char *port);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
-    STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout);
+    STACK_OF(CONF_VALUE) *headers, const char *host, OCSP_REQUEST *req,
+    int req_timeout);
 static struct {
        int accept_count;
@@ -1408,11 +1409,12 @@ send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
 static OCSP_RESPONSE *
 query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers,
-    OCSP_REQUEST *req, int req_timeout)
+    const char *host, OCSP_REQUEST *req, int req_timeout)
 {
        int fd;
        int rv;
        int i;
+        int have_host = 0;
        OCSP_REQ_CTX *ctx = NULL;
        OCSP_RESPONSE *rsp = NULL;
        struct pollfd pfd[1];
@@ -1449,10 +1451,17 @@ query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers,
        for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
                CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+                if (strcasecmp("host", hdr->name) == 0)
+                        have_host = 1;
                if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
                        goto err;
        }
+        if (!have_host) {
+                if (!OCSP_REQ_CTX_add1_header(ctx, "Host", host))
+                        goto err;
+        }
        if (!OCSP_REQ_CTX_set1_req(ctx, req))
                goto err;
@@ -1513,7 +1522,7 @@ process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path,
                sbio = BIO_new_ssl(ctx, 1);
                cbio = BIO_push(sbio, cbio);
        }
-        resp = query_responder(err, cbio, path, headers, req, req_timeout);
+        resp = query_responder(err, cbio, path, headers, host, req, req_timeout);
        if (!resp)
                BIO_printf(bio_err, "Error querying OCSP responder\n");
author	tb <>	2020-10-13 18:25:35 +0000
committer	tb <>	2020-10-13 18:25:35 +0000
commit	87c965f270f1392a6fca6ec56300842a90b005e0 (patch)
tree	e02b112b792bf6921d8e95533a246a387ea07426 /src
parent	60521e1f94c8f7c93ad95d704b47995782d72ef5 (diff)
download	openbsd-87c965f270f1392a6fca6ec56300842a90b005e0.tar.gz openbsd-87c965f270f1392a6fca6ec56300842a90b005e0.tar.bz2 openbsd-87c965f270f1392a6fca6ec56300842a90b005e0.zip