Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/libtls/tls.h | 3 | ||||
-rw-r--r-- | src/lib/libtls/tls_config.c | 8 | ||||
-rw-r--r-- | src/lib/libtls/tls_init.3 | 10 | ||||
-rw-r--r-- | src/lib/libtls/tls_internal.h | 3 | ||||
-rw-r--r-- | src/lib/libtls/tls_ocsp.c | 7 |
5 files changed, 25 insertions, 6 deletions
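diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 3929cb848e..2f998d4561 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.39 2016/11/02 15:18:42 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.40 2016/11/04 05:13:13 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -117,6 +117,7 @@ void tls_config_insecure_noverifyname(struct tls_config *_config);
 void tls_config_insecure_noverifytime(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
 
+void tls_config_ocsp_require_stapling(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
 void tls_config_verify_client_optional(struct tls_config *_config);
 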
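diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index c07621acaf..5c73c29d65 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.28 2016/08/22 14:55:59 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.29 2016/11/04 05:13:13 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -621,6 +621,12 @@ tls_config_verify(struct tls_config *config)
 }
 
 void
+tls_config_ocsp_require_stapling(struct tls_config *config)
+{
+	config->ocsp_require_stapling = 1;
+}
+
+void
 tls_config_verify_client(struct tls_config *config)
 {
 	config->verify_client = 1;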
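Review bot: tls_config_ocsp_require_stapling only ever sets the flag to 1; unlike the tls_config_verify / tls_config_insecure_noverify* pairs above it there is no counterpart to clear it, so a config object cannot be returned to the non-required state once this has been called. The commit also does not show where `ocsp_require_stapling` is initialised, so its default of 0 presumably relies on tls_config_new zeroing the struct — worth confirming, and the same applies to the new field in tls_internal.h. A short comment on the function, e.g. `/* Fail the handshake if the peer does not staple an OCSP response. */`, would tie it to the check it enables in tls_ocsp_verify_cb.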
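diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index d0b6292b4a..88195deb2e 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.76 2016/11/03 12:54:16 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 3 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -47,6 +47,7 @@
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
 .Nm tls_config_insecure_noverifytime ,
+.Nm tls_config_ocsp_require_stapling ,
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
@@ -150,6 +151,8 @@
 .Ft "void"
 .Fn tls_config_insecure_noverifytime "struct tls_config *config"
 .Ft "void"
+.Fn tls_config_ocsp_require_stapling "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_verify "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client "struct tls_config *config"
@@ -456,6 +459,9 @@ Be careful when using this option.
 disables validity checking of certificates and OCSP validation.
 Be careful when using this option.
 .It
+.Fn tls_config_ocsp_require_stapling
+requires that a valid stapled OCSP response be provided during the TLS handshake.
+.It
 .Fn tls_config_verify
 reenables server name and certificate verification.
 .It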
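diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index fde4066f7c..0112ceedb9 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.45 2016/11/03 10:05:32 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -64,6 +64,7 @@ struct tls_config {
 	int dheparams;
 	int ecdhecurve;
 	struct tls_keypair *keypair;
+	int ocsp_require_stapling;
 	uint32_t protocols;
 	int verify_cert;
 	int verify_client;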
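diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index aa085bd245..af65771f7c 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -304,8 +304,13 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
 		return -1;
 
 	size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
-	if (size <= 0)
+	if (size <= 0) {
+		if (ctx->config->ocsp_require_stapling) {
+			tls_set_errorx(ctx, "no stapled OCSP response provided");
+			return 0;
+		}
 		return 1;
+	}
 
 	tls_ocsp_ctx_free(ctx->ocsp_ctx);
 	ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);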
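Review bot: The new `size <= 0` branch reports "no stapled OCSP response provided" for both a missing response and a zero-length one, since SSL_get_tlsext_status_ocsp_resp returns -1 when nothing was stapled and otherwise the length; if an empty stapled blob is meant to be diagnosed differently from an absent one, a second message for `size == 0` would make the error string actionable, otherwise a comment such as `/* absent or empty staple: fail closed when stapling is required */` documents that the conflation is intentional. Failing closed with `return 0` is the right default for a required staple, but this enforcement only happens when the status callback runs, so whether the requirement still holds under configurations that skip OCSP validation (the manual says tls_config_insecure_noverifycert disables it) is decided outside this hunk and is worth confirming and stating in the tls_init.3 entry. tls_ocsp_verify_cb begins before and continues after the hunk.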