1 files changed, 168 insertions, 3 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 9db2d1ab41..646c59e5d6 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,7 +1,8 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.8 2017/08/12 21:47:59 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.9 2017/08/12 23:38:12 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
+ * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -15,6 +16,7 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include <openssl/ocsp.h>
 #include "ssl_locl.h"
@@ -551,6 +553,160 @@ tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert)
 }
 /*
+ *Certificate Status Request - RFC 6066 section 8.
+ */
+int
+tlsext_ocsp_clienthello_needs(SSL *s)
+{
+        return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
+            s->version != DTLS1_VERSION);
+}
+int
+tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb)
+{
+        CBB ocsp_respid_list, respid, exts;
+        unsigned char *ext_data;
+        size_t ext_len;
+        int i;
+        if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
+                return 0;
+        if (!CBB_add_u16_length_prefixed(cbb, &ocsp_respid_list))
+                return 0;
+        if (!CBB_add_u16_length_prefixed(cbb, &exts))
+                return 0;
+        for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
+                unsigned char *respid_data;
+                OCSP_RESPID *id;
+                size_t id_len;
+                if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
+                    i)) ==  NULL)
+                        return 0;
+                if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
+                        return 0;
+                if (!CBB_add_u16_length_prefixed(&ocsp_respid_list, &respid))
+                        return 0;
+                if (!CBB_add_space(&respid, &respid_data, id_len))
+                        return 0;
+                if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
+                        return 0;
+        }
+        if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
+            NULL)) == -1)
+                return 0;
+        if (!CBB_add_space(&exts, &ext_data, ext_len))
+                return 0;
+        if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
+            ext_len))
+                return 0;
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
+}
+int
+tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
+{
+        int failure = SSL_AD_DECODE_ERROR;
+        unsigned char *respid_data = NULL;
+        unsigned char *ext_data = NULL;
+        size_t ext_len, respid_len;
+        uint8_t status_type;
+        CBS respids, exts;
+        int ret = 0;
+        if (!CBS_get_u8(cbs, &status_type))
+                goto err;
+        if (status_type != TLSEXT_STATUSTYPE_ocsp) {
+                /* ignore unknown status types */
+                s->tlsext_status_type = -1;
+                return 1;
+        }
+        s->tlsext_status_type = status_type;
+        if (!CBS_get_u16_length_prefixed(cbs, &respids))
+                goto err;
+        /* XXX */
+        sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
+        s->internal->tlsext_ocsp_ids = NULL;
+        if (CBS_len(cbs) > 0) {
+                s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
+                if (s->internal->tlsext_ocsp_ids == NULL) {
+                        failure = SSL_AD_INTERNAL_ERROR;
+                        goto err;
+                }
+        }
+        while (CBS_len(&respids) > 0) {
+                OCSP_RESPID *id = NULL;
+                if (!CBS_stow(cbs, &respid_data, &respid_len))
+                        goto err;
+                if ((id = d2i_OCSP_RESPID(NULL,
+                    (const unsigned char **)&respid_data, respid_len)) == NULL)
+                        goto err;
+                if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
+                        failure = SSL_AD_INTERNAL_ERROR;
+                        OCSP_RESPID_free(id);
+                        goto err;
+                }
+                free(respid_data);
+                respid_data = NULL;
+        }
+        /* Read in request_extensions */
+        if (!CBS_get_u16_length_prefixed(cbs, &exts))
+                goto err;
+        if (!CBS_stow(&exts, &ext_data, &ext_len))
+                goto err;
+        if (ext_len > 0) {
+                sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
+                    X509_EXTENSION_free);
+                if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
+                    (const unsigned char **)&ext_data, ext_len)) == NULL)
+                        goto err;
+        }
+        /* should be nothing left */
+        if (CBS_len(cbs) > 0)
+                goto err;
+        ret = 1;
+ err:
+        free(respid_data);
+        free(ext_data);
+        if (ret == 0)
+                *alert = failure;
+        return ret;
+}
+int
+tlsext_ocsp_serverhello_needs(SSL *s)
+{
+        return s->internal->tlsext_status_expected;
+}
+int
+tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb)
+{
+        return 1;
+}
+int
+tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
+{
+        if (s->tlsext_status_type == -1) {
+                *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+                return 0;
+        }
+        /* Set flag to expect CertificateStatus message */
+        s->internal->tlsext_status_expected = 1;
+        return 1;
+}
+/*
 * SessionTicket extension - RFC 5077 section 3.2
 */
 int
@@ -705,6 +861,15 @@ static struct tls_extension tls_extensions[] = {
                .serverhello_parse = tlsext_ri_serverhello_parse,
        },
        {
+                .type = TLSEXT_TYPE_status_request,
+                .clienthello_needs = tlsext_ocsp_clienthello_needs,
+                .clienthello_build = tlsext_ocsp_clienthello_build,
+                .clienthello_parse = tlsext_ocsp_clienthello_parse,
+                .serverhello_needs = tlsext_ocsp_serverhello_needs,
+                .serverhello_build = tlsext_ocsp_serverhello_build,
+                .serverhello_parse = tlsext_ocsp_serverhello_parse,
+        },
+        {
                .type = TLSEXT_TYPE_ec_point_formats,
                .clienthello_needs = tlsext_ecpf_clienthello_needs,
                .clienthello_build = tlsext_ecpf_clienthello_build,
@@ -758,7 +923,7 @@ tlsext_clienthello_build(SSL *s, CBB *cbb)
                if (!tlsext->clienthello_needs(s))
                        continue;
-                
                if (!CBB_add_u16(cbb, tlsext->type))
                        return 0;
                if (!CBB_add_u16_length_prefixed(cbb, &extension_data))
@@ -811,7 +976,7 @@ tlsext_serverhello_build(SSL *s, CBB *cbb)
                if (!tlsext->serverhello_needs(s))
                        continue;
-                
                if (!CBB_add_u16(cbb, tlsext->type))
                        return 0;
                if (!CBB_add_u16_length_prefixed(cbb, &extension_data))

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 9db2d1ab41..646c59e5d6 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,7 +1,8 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.8 2017/08/12 21:47:59 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.9 2017/08/12 23:38:12 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
		5	* Copyright (c) 2017 Bob Beck <beck@openbsd.org>
5	*	6	*
6	* Permission to use, copy, modify, and distribute this software for any	7	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above	8	* purpose with or without fee is hereby granted, provided that the above
@@ -15,6 +16,7 @@
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	16	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	17	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/	18	*/
		19	#include <openssl/ocsp.h>
18		20
19	#include "ssl_locl.h"	21	#include "ssl_locl.h"
20		22
@@ -551,6 +553,160 @@ tlsext_sni_serverhello_parse(SSL s, CBS cbs, int *alert)
551	}	553	}
552		554
553	/*	555	/*
		556	*Certificate Status Request - RFC 6066 section 8.
		557	*/
		558
		559	int
		560	tlsext_ocsp_clienthello_needs(SSL *s)
		561	{
		562	return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
		563	s->version != DTLS1_VERSION);
		564	}
		565
		566	int
		567	tlsext_ocsp_clienthello_build(SSL s, CBB cbb)
		568	{
		569	CBB ocsp_respid_list, respid, exts;
		570	unsigned char *ext_data;
		571	size_t ext_len;
		572	int i;
		573
		574	if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
		575	return 0;
		576	if (!CBB_add_u16_length_prefixed(cbb, &ocsp_respid_list))
		577	return 0;
		578	if (!CBB_add_u16_length_prefixed(cbb, &exts))
		579	return 0;
		580	for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
		581	unsigned char *respid_data;
		582	OCSP_RESPID *id;
		583	size_t id_len;
		584
		585	if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
		586	i)) == NULL)
		587	return 0;
		588	if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
		589	return 0;
		590	if (!CBB_add_u16_length_prefixed(&ocsp_respid_list, &respid))
		591	return 0;
		592	if (!CBB_add_space(&respid, &respid_data, id_len))
		593	return 0;
		594	if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
		595	return 0;
		596	}
		597	if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
		598	NULL)) == -1)
		599	return 0;
		600	if (!CBB_add_space(&exts, &ext_data, ext_len))
		601	return 0;
		602	if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
		603	ext_len))
		604	return 0;
		605	if (!CBB_flush(cbb))
		606	return 0;
		607	return 1;
		608	}
		609
		610	int
		611	tlsext_ocsp_clienthello_parse(SSL s, CBS cbs, int *alert)
		612	{
		613	int failure = SSL_AD_DECODE_ERROR;
		614	unsigned char *respid_data = NULL;
		615	unsigned char *ext_data = NULL;
		616	size_t ext_len, respid_len;
		617	uint8_t status_type;
		618	CBS respids, exts;
		619	int ret = 0;
		620
		621	if (!CBS_get_u8(cbs, &status_type))
		622	goto err;
		623	if (status_type != TLSEXT_STATUSTYPE_ocsp) {
		624	/* ignore unknown status types */
		625	s->tlsext_status_type = -1;
		626	return 1;
		627	}
		628	s->tlsext_status_type = status_type;
		629	if (!CBS_get_u16_length_prefixed(cbs, &respids))
		630	goto err;
		631
		632	/* XXX */
		633	sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
		634	s->internal->tlsext_ocsp_ids = NULL;
		635	if (CBS_len(cbs) > 0) {
		636	s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
		637	if (s->internal->tlsext_ocsp_ids == NULL) {
		638	failure = SSL_AD_INTERNAL_ERROR;
		639	goto err;
		640	}
		641	}
		642
		643	while (CBS_len(&respids) > 0) {
		644	OCSP_RESPID *id = NULL;
		645
		646	if (!CBS_stow(cbs, &respid_data, &respid_len))
		647	goto err;
		648	if ((id = d2i_OCSP_RESPID(NULL,
		649	(const unsigned char **)&respid_data, respid_len)) == NULL)
		650	goto err;
		651	if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
		652	failure = SSL_AD_INTERNAL_ERROR;
		653	OCSP_RESPID_free(id);
		654	goto err;
		655	}
		656	free(respid_data);
		657	respid_data = NULL;
		658	}
		659
		660	/* Read in request_extensions */
		661	if (!CBS_get_u16_length_prefixed(cbs, &exts))
		662	goto err;
		663	if (!CBS_stow(&exts, &ext_data, &ext_len))
		664	goto err;
		665	if (ext_len > 0) {
		666	sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
		667	X509_EXTENSION_free);
		668	if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
		669	(const unsigned char **)&ext_data, ext_len)) == NULL)
		670	goto err;
		671	}
		672	/* should be nothing left */
		673	if (CBS_len(cbs) > 0)
		674	goto err;
		675
		676	ret = 1;
		677	err:
		678	free(respid_data);
		679	free(ext_data);
		680	if (ret == 0)
		681	*alert = failure;
		682	return ret;
		683	}
		684
		685	int
		686	tlsext_ocsp_serverhello_needs(SSL *s)
		687	{
		688	return s->internal->tlsext_status_expected;
		689	}
		690
		691	int
		692	tlsext_ocsp_serverhello_build(SSL s, CBB cbb)
		693	{
		694	return 1;
		695	}
		696
		697	int
		698	tlsext_ocsp_serverhello_parse(SSL s, CBS cbs, int *alert)
		699	{
		700	if (s->tlsext_status_type == -1) {
		701	*alert = TLS1_AD_UNSUPPORTED_EXTENSION;
		702	return 0;
		703	}
		704	/* Set flag to expect CertificateStatus message */
		705	s->internal->tlsext_status_expected = 1;
		706	return 1;
		707	}
		708
		709	/*
554	* SessionTicket extension - RFC 5077 section 3.2	710	* SessionTicket extension - RFC 5077 section 3.2
555	*/	711	*/
556	int	712	int
@@ -705,6 +861,15 @@ static struct tls_extension tls_extensions[] = {
705	.serverhello_parse = tlsext_ri_serverhello_parse,	861	.serverhello_parse = tlsext_ri_serverhello_parse,
706	},	862	},
707	{	863	{
		864	.type = TLSEXT_TYPE_status_request,
		865	.clienthello_needs = tlsext_ocsp_clienthello_needs,
		866	.clienthello_build = tlsext_ocsp_clienthello_build,
		867	.clienthello_parse = tlsext_ocsp_clienthello_parse,
		868	.serverhello_needs = tlsext_ocsp_serverhello_needs,
		869	.serverhello_build = tlsext_ocsp_serverhello_build,
		870	.serverhello_parse = tlsext_ocsp_serverhello_parse,
		871	},
		872	{
708	.type = TLSEXT_TYPE_ec_point_formats,	873	.type = TLSEXT_TYPE_ec_point_formats,
709	.clienthello_needs = tlsext_ecpf_clienthello_needs,	874	.clienthello_needs = tlsext_ecpf_clienthello_needs,
710	.clienthello_build = tlsext_ecpf_clienthello_build,	875	.clienthello_build = tlsext_ecpf_clienthello_build,
@@ -758,7 +923,7 @@ tlsext_clienthello_build(SSL s, CBB cbb)
758		923
759	if (!tlsext->clienthello_needs(s))	924	if (!tlsext->clienthello_needs(s))
760	continue;	925	continue;
761		926
762	if (!CBB_add_u16(cbb, tlsext->type))	927	if (!CBB_add_u16(cbb, tlsext->type))
763	return 0;	928	return 0;
764	if (!CBB_add_u16_length_prefixed(cbb, &extension_data))	929	if (!CBB_add_u16_length_prefixed(cbb, &extension_data))
@@ -811,7 +976,7 @@ tlsext_serverhello_build(SSL s, CBB cbb)
811		976
812	if (!tlsext->serverhello_needs(s))	977	if (!tlsext->serverhello_needs(s))
813	continue;	978	continue;
814		979
815	if (!CBB_add_u16(cbb, tlsext->type))	980	if (!CBB_add_u16(cbb, tlsext->type))
816	return 0;	981	return 0;
817	if (!CBB_add_u16_length_prefixed(cbb, &extension_data))	982	if (!CBB_add_u16_length_prefixed(cbb, &extension_data))