Add ocsp_require_stapling config option for tls - allows a connection

to indicate that it requires the peer to provide a stapled OCSP response with the handshake. Provide a "-T muststaple" for nc that uses it. ok jsing@, guenther@
author: beck <> 2016-11-04 05:13:13 +0000
committer: beck <> 2016-11-04 05:13:13 +0000
commit: dfcc608101125b045153abb36d8b26d283aeb812 (patch)
tree: beb66ed0e210e9dcdda1ae81df9eaf1ac13b84b6 /src
parent: 85d1a393066ebc8950b3667cae2d5c9e9da47ed8 (diff)
download: openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.gz
openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.bz2
openbsd-dfcc608101125b045153abb36d8b26d283aeb812.zip
7 files changed, 37 insertions, 12 deletions
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 3929cb848e..2f998d4561 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.39 2016/11/02 15:18:42 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.40 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -117,6 +117,7 @@ void tls_config_insecure_noverifyname(struct tls_config *_config);
 void tls_config_insecure_noverifytime(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
+void tls_config_ocsp_require_stapling(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
 void tls_config_verify_client_optional(struct tls_config *_config);
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index c07621acaf..5c73c29d65 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.28 2016/08/22 14:55:59 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.29 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -621,6 +621,12 @@ tls_config_verify(struct tls_config *config)
 }
 void
+tls_config_ocsp_require_stapling(struct tls_config *config)
+{
+        config->ocsp_require_stapling = 1;
+}
+void
 tls_config_verify_client(struct tls_config *config)
 {
        config->verify_client = 1;
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index d0b6292b4a..88195deb2e 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.76 2016/11/03 12:54:16 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 3 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -47,6 +47,7 @@
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
 .Nm tls_config_insecure_noverifytime ,
+.Nm tls_config_ocsp_require_stapling ,
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
@@ -150,6 +151,8 @@
 .Ft "void"
 .Fn tls_config_insecure_noverifytime "struct tls_config *config"
 .Ft "void"
+.Fn tls_config_ocsp_require_stapling "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_verify "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client "struct tls_config *config"
@@ -456,6 +459,9 @@ Be careful when using this option.
 disables validity checking of certificates and OCSP validation.
 Be careful when using this option.
 .It
+.Fn tls_config_ocsp_require_stapling
+requires that a valid stapled OCSP response be provided during the TLS handshake.
+.It
 .Fn tls_config_verify
 reenables server name and certificate verification.
 .It
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index fde4066f7c..0112ceedb9 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.45 2016/11/03 10:05:32 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -64,6 +64,7 @@ struct tls_config {
        int dheparams;
        int ecdhecurve;
        struct tls_keypair *keypair;
+        int ocsp_require_stapling;
        uint32_t protocols;
        int verify_cert;
        int verify_client;
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index aa085bd245..af65771f7c 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -304,8 +304,13 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
                return -1;
        size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
-        if (size <= 0)
+        if (size <= 0) {
+                if (ctx->config->ocsp_require_stapling) {
+                        tls_set_errorx(ctx, "no stapled OCSP response provided");
+                        return 0;
+                }
                return 1;
+        }
        tls_ocsp_ctx_free(ctx->ocsp_ctx);
        ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);
diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index 8b7c92aa63..313ec1f19c 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.74 2016/07/02 05:58:00 jmc Exp $
+.\"     $OpenBSD: nc.1,v 1.75 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 2 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -229,10 +229,12 @@ which allows legacy TLS protocols;
 .Ar noverify ,
 which disables certificate verification;
 .Ar noname ,
-which disables certificate name checking; or
+which disables certificate name checking;
 .Ar clientcert ,
-which requires a client certificate on incoming connections.
+which requires a client certificate on incoming connections; or
-It is illegal to specify TLS options if not using TLS.
+.Ar muststaple ,
+which requires the peer to provide a valid stapled OCSP response 
+with the handshake. It is illegal to specify TLS options if not using TLS.
 .Pp
 For IPv4 TOS value
 .Ar keyword
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 6b05b3fdf7..b71c0426dc 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.166 2016/11/03 15:54:39 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.167 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -71,6 +71,7 @@
 #define TLS_NOVERIFY    (1 << 2)
 #define TLS_NONAME      (1 << 3)
 #define TLS_CCERT       (1 << 4)
+#define TLS_MUSTSTAPLE  (1 << 5)
 /* Command Line Options */
 int     dflag;                                  /* detached, no stdin */
@@ -468,6 +469,8 @@ main(int argc, char *argv[])
                                    "together");
                        tls_config_insecure_noverifycert(tls_cfg);
                }
+                if (TLSopt & TLS_MUSTSTAPLE)
+                        tls_config_ocsp_require_stapling(tls_cfg);
                if (Pflag) {
                        if (pledge("stdio inet dns tty", NULL) == -1)
@@ -1502,6 +1505,7 @@ map_tls(char *s, int *val)
                { "noverify",           TLS_NOVERIFY },
                { "noname",             TLS_NONAME },
                { "clientcert",         TLS_CCERT},
+                { "muststaple",         TLS_MUSTSTAPLE},
                { NULL,                 -1 },
        };
author	beck <>	2016-11-04 05:13:13 +0000
committer	beck <>	2016-11-04 05:13:13 +0000
commit	dfcc608101125b045153abb36d8b26d283aeb812 (patch)
tree	beb66ed0e210e9dcdda1ae81df9eaf1ac13b84b6 /src
parent	85d1a393066ebc8950b3667cae2d5c9e9da47ed8 (diff)
download	openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.gz openbsd-dfcc608101125b045153abb36d8b26d283aeb812.tar.bz2 openbsd-dfcc608101125b045153abb36d8b26d283aeb812.zip