1 files changed, 118 insertions, 3 deletions
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 6059c3f8a0..2f6ca3d802 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.72 2016/09/13 13:40:58 tedu Exp $
+.\" $OpenBSD: tls_init.3,v 1.73 2016/11/02 15:18:42 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 13 2016 $
+.Dd $Mdocdate: November 2 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -50,6 +50,7 @@
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
+.Nm tls_ocsp_process_response,
 .Nm tls_peer_cert_provided ,
 .Nm tls_peer_cert_contains_name ,
 .Nm tls_peer_cert_issuer ,
@@ -57,6 +58,14 @@
 .Nm tls_peer_cert_hash ,
 .Nm tls_peer_cert_notbefore ,
 .Nm tls_peer_cert_notafter ,
+.Nm tls_peer_ocsp_cert_status,
+.Nm tls_peer_ocsp_crl_reason,
+.Nm tls_peer_ocsp_next_update,
+.Nm tls_peer_ocsp_response_status,
+.Nm tls_peer_ocsp_result_msg,
+.Nm tls_peer_ocsp_revocation_time,
+.Nm tls_peer_ocsp_this_update,
+.Nm tls_peer_ocsp_url,
 .Nm tls_conn_alpn_selected ,
 .Nm tls_conn_cipher ,
 .Nm tls_conn_servername ,
@@ -160,6 +169,24 @@
 .Fn tls_peer_cert_notbefore "struct tls *ctx"
 .Ft "time_t"
 .Fn tls_peer_cert_notafter "struct tls *ctx"
+.Ft "int"
+.Fn tls_ocsp_process_response "struct tls *ctx" "const unsigned char *response" "size_t size"
+.Ft "int"
+.Fn tls_peer_ocsp_cert_status "struct tls *ctx"
+.Ft "int"
+.Fn tls_peer_ocsp_crl_reason "struct tls *ctx"
+.Ft time_t
+.Fn tls_peer_ocsp_next_update "struct tls *ctx"
+.Ft "int"
+.Fn tls_peer_ocsp_response_status "struct tls *ctx"
+.Ft "const char *"
+.Fn tls_peer_ocsp_result_msg "struct tls *ctx"
+.Ft "time_t"
+.Fn tls_peer_ocsp_revocation_time "struct tls *ctx"
+.Ft "time_t"
+.Fn tls_peer_ocsp_this_update" struct tls *ctx"
+.Ft "const char *"
+.Fn tls_peer_ocsp_url "struct tls *ctx"
 .Ft "const char *"
 .Fn tls_conn_alpn_selected "struct tls *ctx"
 .Ft "const char *"
@@ -513,6 +540,53 @@ the peer certificate from
 returns the time corresponding to the end of the validity period of
 the peer certificate from
 .Ar ctx .
+.Ed
+.It
+.Fn tls_ocsp_process_response
+processes a raw ocsp response in 
+.Ar response
+of size
+.Ar size
+to check the revocation status of the peer certificate from
+.Ar ctx .
+A successful return code of 0 indicates that the certificate has not been revoked. 
+.Ed
+.It
+.Fn tls_peer_ocsp_url
+returns the URL for OCSP validation of the peer certificate from
+.Ar ctx
+.El
+.Pp
+The following functions return informaiton about the peer certificate from 
+.Ar ctx
+tha was obtained by validating a stapled OCSP response during the handshake, or
+via a previous call to
+.Xr tls_ocsp_process_response
+.Bl -bullet -offset four
+.It
+.Fn tls_peer_ocsp_cert_status
+returns the OCSP certificate status code as per RFC 6960 section 2.2 
+.Ed
+.It
+.Fn tls_peer_ocsp_crl_reason
+returns the OCSP certificate revocation reason status code as per RFC 5280
+section 5.3.1
+.Ed
+.It
+.Fn tls_peer_ocsp_next_update
+returns the OCSP next update time
+.Ed
+.It
+.Fn tls_peer_ocsp_response_status
+returns the OCSP response status as per RFC 6960 section 2.3
+.Ed
+.It
+.Fn tls_peer_ocsp_revocation_time
+returns the OCSP revocation time
+.Ed
+.It
+.Fn tls_peer_ocsp_this_update
+returns the OCSP this update time
 .El
 .Pp
 The following are TLS related utility functions:
@@ -616,16 +690,57 @@ The
 and
 .Fn tls_peer_cert_contains_name
 functions return 1 if the check succeeds, and 0 if it does not.
+.Pp
 Functions that return a
 .Vt time_t
 will return a time in epoch-seconds on success, and -1 on error.
+.Pp
 Functions that return a
 .Vt ssize_t
 will return a size on success, and -1 on error.
+.Pp
+The 
+.Fn tls_peer_ocsp_response_status
+function returns one of 
+.Ar TLS_OCSP_RESPONSE_SUCCESSFUL ,
+.Ar TLS_OCSP_RESPONSE_MALFORMED ,
+.Ar TLS_OCSP_RESPONSE_INTERNALERROR ,
+.Ar TLS_OCSP_RESPONSE_TRYLATER ,
+.Ar TLS_OCSP_RESPONSE_SIGREQUIRED ,
+or
+.AR TLS_OCSP_RESPONSE_UNAUTHORIZED
+on success, and -1 on error.
+.Pp
+The 
+.Fn tls_peer_ocsp_cert_status
+function returns one of
+.Ar TLS_OCSP_CERT_GOOD ,
+.Ar TLS_OCSP_CERT_REVOKED ,
+or 
+.Ar TLS_OCSP_CERT_UNKNOWN
+on success, and -1 on error.
+.Pp
+The 
+.Fn tls_peer_ocsp_crl_reason
+function returns one of
+.Ar TLS_CRL_REASON_UNSPECIFIED ,
+.Ar TLS_CRL_REASON_KEY_COMPROMISE ,
+.Ar TLS_CRL_REASON_CA_COMPROMISE , 
+.Ar TLS_CRL_REASON_AFFILIATION_CHANGED ,
+.Ar TLS_CRL_REASON_SUPERSEDED ,
+.Ar TLS_CRL_REASON_CESSATION_OF_OPERATION ,
+.Ar TLS_CRL_REASON_CERTIFICATE_HOLD ,
+.Ar TLS_CRL_REASON_REMOVE_FROM_CRL ,
+.Ar TLS_CRL_REASON_PRIVILEGE_WITHDRAWN ,
+or 
+.Ar  TLS_CRL_REASON_AA_COMPROMISE
+on success, and -1 on error.
+.Pp
 All other functions that return
 .Vt int
 will return 0 on success and -1 on error.
-Functions that return a pointer will return NULL on error, which indicates an
+.Pp
+Functions that return a pointer will return NULL on error or an
 out of memory condition.
 .Pp
 The

diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index 6059c3f8a0..2f6ca3d802 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: tls_init.3,v 1.72 2016/09/13 13:40:58 tedu Exp $	1	.\" $OpenBSD: tls_init.3,v 1.73 2016/11/02 15:18:42 beck Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 13 2016 $	17	.Dd $Mdocdate: November 2 2016 $
18	.Dt TLS_INIT 3	18	.Dt TLS_INIT 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -50,6 +50,7 @@
50	.Nm tls_config_verify ,	50	.Nm tls_config_verify ,
51	.Nm tls_config_verify_client ,	51	.Nm tls_config_verify_client ,
52	.Nm tls_config_verify_client_optional ,	52	.Nm tls_config_verify_client_optional ,
		53	.Nm tls_ocsp_process_response,
53	.Nm tls_peer_cert_provided ,	54	.Nm tls_peer_cert_provided ,
54	.Nm tls_peer_cert_contains_name ,	55	.Nm tls_peer_cert_contains_name ,
55	.Nm tls_peer_cert_issuer ,	56	.Nm tls_peer_cert_issuer ,
@@ -57,6 +58,14 @@
57	.Nm tls_peer_cert_hash ,	58	.Nm tls_peer_cert_hash ,
58	.Nm tls_peer_cert_notbefore ,	59	.Nm tls_peer_cert_notbefore ,
59	.Nm tls_peer_cert_notafter ,	60	.Nm tls_peer_cert_notafter ,
		61	.Nm tls_peer_ocsp_cert_status,
		62	.Nm tls_peer_ocsp_crl_reason,
		63	.Nm tls_peer_ocsp_next_update,
		64	.Nm tls_peer_ocsp_response_status,
		65	.Nm tls_peer_ocsp_result_msg,
		66	.Nm tls_peer_ocsp_revocation_time,
		67	.Nm tls_peer_ocsp_this_update,
		68	.Nm tls_peer_ocsp_url,
60	.Nm tls_conn_alpn_selected ,	69	.Nm tls_conn_alpn_selected ,
61	.Nm tls_conn_cipher ,	70	.Nm tls_conn_cipher ,
62	.Nm tls_conn_servername ,	71	.Nm tls_conn_servername ,
@@ -160,6 +169,24 @@
160	.Fn tls_peer_cert_notbefore "struct tls *ctx"	169	.Fn tls_peer_cert_notbefore "struct tls *ctx"
161	.Ft "time_t"	170	.Ft "time_t"
162	.Fn tls_peer_cert_notafter "struct tls *ctx"	171	.Fn tls_peer_cert_notafter "struct tls *ctx"
		172	.Ft "int"
		173	.Fn tls_ocsp_process_response "struct tls ctx" "const unsigned char response" "size_t size"
		174	.Ft "int"
		175	.Fn tls_peer_ocsp_cert_status "struct tls *ctx"
		176	.Ft "int"
		177	.Fn tls_peer_ocsp_crl_reason "struct tls *ctx"
		178	.Ft time_t
		179	.Fn tls_peer_ocsp_next_update "struct tls *ctx"
		180	.Ft "int"
		181	.Fn tls_peer_ocsp_response_status "struct tls *ctx"
		182	.Ft "const char *"
		183	.Fn tls_peer_ocsp_result_msg "struct tls *ctx"
		184	.Ft "time_t"
		185	.Fn tls_peer_ocsp_revocation_time "struct tls *ctx"
		186	.Ft "time_t"
		187	.Fn tls_peer_ocsp_this_update" struct tls *ctx"
		188	.Ft "const char *"
		189	.Fn tls_peer_ocsp_url "struct tls *ctx"
163	.Ft "const char *"	190	.Ft "const char *"
164	.Fn tls_conn_alpn_selected "struct tls *ctx"	191	.Fn tls_conn_alpn_selected "struct tls *ctx"
165	.Ft "const char *"	192	.Ft "const char *"
@@ -513,6 +540,53 @@ the peer certificate from
513	returns the time corresponding to the end of the validity period of	540	returns the time corresponding to the end of the validity period of
514	the peer certificate from	541	the peer certificate from
515	.Ar ctx .	542	.Ar ctx .
		543	.Ed
		544	.It
		545	.Fn tls_ocsp_process_response
		546	processes a raw ocsp response in
		547	.Ar response
		548	of size
		549	.Ar size
		550	to check the revocation status of the peer certificate from
		551	.Ar ctx .
		552	A successful return code of 0 indicates that the certificate has not been revoked.
		553	.Ed
		554	.It
		555	.Fn tls_peer_ocsp_url
		556	returns the URL for OCSP validation of the peer certificate from
		557	.Ar ctx
		558	.El
		559	.Pp
		560	The following functions return informaiton about the peer certificate from
		561	.Ar ctx
		562	tha was obtained by validating a stapled OCSP response during the handshake, or
		563	via a previous call to
		564	.Xr tls_ocsp_process_response
		565	.Bl -bullet -offset four
		566	.It
		567	.Fn tls_peer_ocsp_cert_status
		568	returns the OCSP certificate status code as per RFC 6960 section 2.2
		569	.Ed
		570	.It
		571	.Fn tls_peer_ocsp_crl_reason
		572	returns the OCSP certificate revocation reason status code as per RFC 5280
		573	section 5.3.1
		574	.Ed
		575	.It
		576	.Fn tls_peer_ocsp_next_update
		577	returns the OCSP next update time
		578	.Ed
		579	.It
		580	.Fn tls_peer_ocsp_response_status
		581	returns the OCSP response status as per RFC 6960 section 2.3
		582	.Ed
		583	.It
		584	.Fn tls_peer_ocsp_revocation_time
		585	returns the OCSP revocation time
		586	.Ed
		587	.It
		588	.Fn tls_peer_ocsp_this_update
		589	returns the OCSP this update time
516	.El	590	.El
517	.Pp	591	.Pp
518	The following are TLS related utility functions:	592	The following are TLS related utility functions:
@@ -616,16 +690,57 @@ The
616	and	690	and
617	.Fn tls_peer_cert_contains_name	691	.Fn tls_peer_cert_contains_name
618	functions return 1 if the check succeeds, and 0 if it does not.	692	functions return 1 if the check succeeds, and 0 if it does not.
		693	.Pp
619	Functions that return a	694	Functions that return a
620	.Vt time_t	695	.Vt time_t
621	will return a time in epoch-seconds on success, and -1 on error.	696	will return a time in epoch-seconds on success, and -1 on error.
		697	.Pp
622	Functions that return a	698	Functions that return a
623	.Vt ssize_t	699	.Vt ssize_t
624	will return a size on success, and -1 on error.	700	will return a size on success, and -1 on error.
		701	.Pp
		702	The
		703	.Fn tls_peer_ocsp_response_status
		704	function returns one of
		705	.Ar TLS_OCSP_RESPONSE_SUCCESSFUL ,
		706	.Ar TLS_OCSP_RESPONSE_MALFORMED ,
		707	.Ar TLS_OCSP_RESPONSE_INTERNALERROR ,
		708	.Ar TLS_OCSP_RESPONSE_TRYLATER ,
		709	.Ar TLS_OCSP_RESPONSE_SIGREQUIRED ,
		710	or
		711	.AR TLS_OCSP_RESPONSE_UNAUTHORIZED
		712	on success, and -1 on error.
		713	.Pp
		714	The
		715	.Fn tls_peer_ocsp_cert_status
		716	function returns one of
		717	.Ar TLS_OCSP_CERT_GOOD ,
		718	.Ar TLS_OCSP_CERT_REVOKED ,
		719	or
		720	.Ar TLS_OCSP_CERT_UNKNOWN
		721	on success, and -1 on error.
		722	.Pp
		723	The
		724	.Fn tls_peer_ocsp_crl_reason
		725	function returns one of
		726	.Ar TLS_CRL_REASON_UNSPECIFIED ,
		727	.Ar TLS_CRL_REASON_KEY_COMPROMISE ,
		728	.Ar TLS_CRL_REASON_CA_COMPROMISE ,
		729	.Ar TLS_CRL_REASON_AFFILIATION_CHANGED ,
		730	.Ar TLS_CRL_REASON_SUPERSEDED ,
		731	.Ar TLS_CRL_REASON_CESSATION_OF_OPERATION ,
		732	.Ar TLS_CRL_REASON_CERTIFICATE_HOLD ,
		733	.Ar TLS_CRL_REASON_REMOVE_FROM_CRL ,
		734	.Ar TLS_CRL_REASON_PRIVILEGE_WITHDRAWN ,
		735	or
		736	.Ar TLS_CRL_REASON_AA_COMPROMISE
		737	on success, and -1 on error.
		738	.Pp
625	All other functions that return	739	All other functions that return
626	.Vt int	740	.Vt int
627	will return 0 on success and -1 on error.	741	will return 0 on success and -1 on error.
628	Functions that return a pointer will return NULL on error, which indicates an	742	.Pp
		743	Functions that return a pointer will return NULL on error or an
629	out of memory condition.	744	out of memory condition.
630	.Pp	745	.Pp
631	The	746	The