Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libtls/tls.h | 3 | ||||
| -rw-r--r-- | src/lib/libtls/tls_config.c | 8 | ||||
| -rw-r--r-- | src/lib/libtls/tls_init.3 | 10 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 3 | ||||
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 7 | ||||
| -rw-r--r-- | src/usr.bin/nc/nc.1 | 12 | ||||
| -rw-r--r-- | src/usr.bin/nc/netcat.c | 6 |
7 files changed, 37 insertions, 12 deletions
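--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.39 2016/11/02 15:18:42 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.40 2016/11/04 05:13:13 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -117,6 +117,7 @@ void tls_config_insecure_noverifyname(struct tls_config *_config);
 void tls_config_insecure_noverifytime(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
 
+void tls_config_ocsp_require_stapling(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
 void tls_config_verify_client_optional(struct tls_config *_config);
 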
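--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.28 2016/08/22 14:55:59 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.29 2016/11/04 05:13:13 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -621,6 +621,12 @@ tls_config_verify(struct tls_config *config)
 }
 
 void
+tls_config_ocsp_require_stapling(struct tls_config *config)
+{
+config->ocsp_require_stapling = 1;
+}
+
+void
 tls_config_verify_client(struct tls_config *config)
 {
 config->verify_client = 1;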
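--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.76 2016/11/03 12:54:16 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.77 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 3 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -47,6 +47,7 @@
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
 .Nm tls_config_insecure_noverifytime ,
+.Nm tls_config_ocsp_require_stapling ,
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
@@ -150,6 +151,8 @@
 .Ft "void"
 .Fn tls_config_insecure_noverifytime "struct tls_config *config"
 .Ft "void"
+.Fn tls_config_ocsp_require_stapling "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_verify "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client "struct tls_config *config"
@@ -456,6 +459,9 @@ Be careful when using this option.
 disables validity checking of certificates and OCSP validation.
 Be careful when using this option.
 .It
+.Fn tls_config_ocsp_require_stapling
+requires that a valid stapled OCSP response be provided during the TLS handshake.
+.It
 .Fn tls_config_verify
 reenables server name and certificate verification.
 .It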
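--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.45 2016/11/03 10:05:32 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.46 2016/11/04 05:13:13 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -64,6 +64,7 @@ struct tls_config {
 int dheparams;
 int ecdhecurve;
 struct tls_keypair *keypair;
+int ocsp_require_stapling;
 uint32_t protocols;
 int verify_cert;
 int verify_client;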
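--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -304,8 +304,13 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
 return -1;
 
 size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
-if (size <= 0)
+if (size <= 0) {
+if (ctx->config->ocsp_require_stapling) {
+tls_set_errorx(ctx, "no stapled OCSP response provided");
+return 0;
+}
 return 1;
+}
 
 tls_ocsp_ctx_free(ctx->ocsp_ctx);
 ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);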
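Review bot: The new failure branch returns 0, while the earlier failure in the same callback (the `return -1;` visible as context at line 304) returns -1; as a rule a TLS status callback treats a negative value as an internal error and 0 as a bad status response, so the choice deserves a one-line comment such as `/* 0: report a missing staple as a bad status response, not an internal error */` so the next reader does not "fix" it to match line 304. Note also that the hunk only enforces the absent-response case; whether a stapled response that is present but fails to verify is rejected depends on the code after `tls_ocsp_setup_from_peer`, outside this hunk, while the new tls_init.3 text promises a "valid" response, so that path is worth a quick confirmation. tls_ocsp_verify_cb begins before the hunk.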
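--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.74 2016/07/02 05:58:00 jmc Exp $
+.\" $OpenBSD: nc.1,v 1.75 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 2 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -229,10 +229,12 @@ which allows legacy TLS protocols;
 .Ar noverify ,
 which disables certificate verification;
 .Ar noname ,
-which disables certificate name checking; or
+which disables certificate name checking;
 .Ar clientcert ,
-which requires a client certificate on incoming connections.
-It is illegal to specify TLS options if not using TLS.
+which requires a client certificate on incoming connections; or
+.Ar muststaple ,
+which requires the peer to provide a valid stapled OCSP response
+with the handshake. It is illegal to specify TLS options if not using TLS.
 .Pp
 For IPv4 TOS value
 .Ar keyword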
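--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.166 2016/11/03 15:54:39 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.167 2016/11/04 05:13:13 beck Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -71,6 +71,7 @@
 #define TLS_NOVERIFY (1 << 2)
 #define TLS_NONAME (1 << 3)
 #define TLS_CCERT (1 << 4)
+#define TLS_MUSTSTAPLE (1 << 5)
 
 /* Command Line Options */
 int dflag; /* detached, no stdin */
@@ -468,6 +469,8 @@ main(int argc, char *argv[])
 "together");
 tls_config_insecure_noverifycert(tls_cfg);
 }
+if (TLSopt & TLS_MUSTSTAPLE)
+tls_config_ocsp_require_stapling(tls_cfg);
 
 if (Pflag) {
 if (pledge("stdio inet dns tty", NULL) == -1)
@@ -1502,6 +1505,7 @@ map_tls(char *s, int *val)
 { "noverify", TLS_NOVERIFY },
 { "noname", TLS_NONAME },
 { "clientcert", TLS_CCERT},
+{ "muststaple", TLS_MUSTSTAPLE},
 { NULL, -1 },
 };
 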
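Review bot: The `TLS_MUSTSTAPLE` handling added in the main() hunk applies `tls_config_ocsp_require_stapling(tls_cfg)` unconditionally, with no check against the options it cannot sensibly combine with, unlike the neighbouring block that ends with `errx(..., "together")` and `tls_config_insecure_noverifycert` for conflicting TLS options. If, as the tls_ocsp.c hunk in this commit suggests, the requirement is enforced in the OCSP status callback, then combining `muststaple` with `noverify` is contradictory (the peer's stapled status would be demanded while certificate verification is disabled), and the same errx-style rejection would make that explicit rather than silently accepted; please confirm which combinations are meaningful before adding it. A comment on the new lines, e.g. `/* muststaple: fail the handshake unless the peer staples an OCSP response */`, would also help since the flag name alone does not say which side enforces it. main() begins and ends outside the hunk.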
