From 0286c965db48149ae18c03e50dcc7965dfa5887e Mon Sep 17 00:00:00 2001
From: beck <>
Date: Tue, 19 May 2020 01:30:34 +0000
Subject: Add support for TLS 1.3 server to send certificate status messages with oscp staples.

ok jsing@ tb@
---
 src/lib/libssl/ssl_tlsext.c | 24 +++++++++++++++++++++++-
 src/lib/libssl/tls13_client.c | 6 +++---
 src/lib/libssl/tls13_internal.h | 5 +++--
 src/lib/libssl/tls13_lib.c | 12 ++++++------
 src/lib/libssl/tls13_server.c | 6 +++---
 5 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 814eb7c5cf..1ec8ac00ef 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.68 2020/05/13 17:55:34 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.69 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -909,12 +909,34 @@ tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert)
 int
 tlsext_ocsp_server_needs(SSL *s)
 {
+ if (s->version >= TLS1_3_VERSION &&
+ s->ctx->internal->tlsext_status_cb != NULL) {
+ s->internal->tlsext_status_expected = 0;
+ if (s->ctx->internal->tlsext_status_cb(s,
+ s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
+ s->internal->tlsext_ocsp_resp_len > 0)
+ s->internal->tlsext_status_expected = 1;
+ }
 return s->internal->tlsext_status_expected;
 }
 
 int
 tlsext_ocsp_server_build(SSL *s, CBB *cbb)
 {
+ CBB ocsp_response;
+
+ if (s->version >= TLS1_3_VERSION) {
+ if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
+ return 0;
+ if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
+ return 0;
+ if (!CBB_add_bytes(&ocsp_response,
+ s->internal->tlsext_ocsp_resp,
+ s->internal->tlsext_ocsp_resp_len))
+ return 0;
+ if (!CBB_flush(cbb))
+ return 0;
+ }
 return 1;
 }
 
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 652953f2bb..a17b2bd47f 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
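Review bot: The TLS 1.3 branch added to tlsext_ocsp_server_needs decides whether to staple solely from the status callback's result: it unconditionally resets `tlsext_status_expected = 0` and then sets it from the callback, discarding whatever tlsext_ocsp_server_parse (the function just above this hunk) recorded about the client actually offering status_request, yet a server may only put status_request into a CertificateEntry when the client asked for it, so the branch should be gated on that recorded request before the callback runs. Driving the callback from a `_needs` predicate also means it executes on every evaluation and that its non-OK return values are all collapsed into "no staple" instead of being surfaced to the handshake; if that is intended, say so at the call, e.g. `/* TLS 1.3: the callback runs here because the staple is built per CertificateEntry; any non-OK result just means no staple */`. In tlsext_ocsp_server_build the TLS 1.3 path relies on needs' `resp_len > 0` test having run first; a local `if (s->internal->tlsext_ocsp_resp == NULL) return 0;` ahead of `CBB_add_bytes` would make the build function safe on its own.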
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.61 2020/05/17 14:26:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.62 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -847,12 +847,12 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 if (cpk->x509 == NULL)
 goto done;
 
- if (!tls13_cert_add(&cert_list, cpk->x509))
+ if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build))
 goto err;
 
 for (i = 0; i < sk_X509_num(chain); i++) {
 cert = sk_X509_value(chain, i);
- if (!tls13_cert_add(&cert_list, cert))
+ if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build))
 goto err;
 }
 
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 98cbf4c8a7..7e188981f4 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.80 2020/05/16 14:42:35 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.81 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck
 * Copyright (c) 2018 Theo Buehler
@@ -380,8 +380,9 @@ int tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_finished_sent(struct tls13_ctx *ctx);
 
 void tls13_error_clear(struct tls13_error *error);
+int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
+ int(*build_extensions)(SSL *s, CBB *cbb, uint16_t msg_type));
 
-int tls13_cert_add(CBB *cbb, X509 *cert);
 int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);
 
 int tls13_error_set(struct tls13_error *error, int code, int subcode,
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 3527539095..60b4a389b7 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.45 2020/05/17 19:07:15 beck Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.46 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 * Copyright (c) 2019 Bob Beck
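Review bot: The new tls13_cert_add prototype writes the callback parameter as `int(*build_extensions)(SSL *s, CBB *cbb, uint16_t msg_type)` with no space before `(*`, which departs from the KNF spacing used by the surrounding declarations, and the same three-part signature is then repeated verbatim in the tls13_lib.c definition. Naming it once would keep the two in step, e.g. `typedef int (*tls13_build_extensions_fn)(SSL *s, CBB *cbb, uint16_t msg_type);` followed by `int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, tls13_build_extensions_fn build_extensions);`. A one-line comment on the declaration saying that the callback is invoked once per certificate with `SSL_TLSEXT_MSG_CT` and is responsible for writing that entry's extensions block would also tell callers why tlsext_client_build or tlsext_server_build is the argument to pass.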
@@ -21,6 +21,7 @@
 #include
 
 #include "ssl_locl.h"
+#include "ssl_tlsext.h"
 #include "tls13_internal.h"
 
 /*
@@ -410,9 +411,10 @@ tls13_ctx_free(struct tls13_ctx *ctx)
 }
 
 int
-tls13_cert_add(CBB *cbb, X509 *cert)
+tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
+ int(*build_extensions)(SSL *s, CBB *cbb, uint16_t msg_type))
 {
- CBB cert_data, cert_exts;
+ CBB cert_data;
 uint8_t *data;
 int cert_len;
 
@@ -425,10 +427,8 @@ tls13_cert_add(CBB *cbb, X509 *cert)
 return 0;
 if (i2d_X509(cert, &data) != cert_len)
 return 0;
-
- if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
+ if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))
 return 0;
-
 if (!CBB_flush(cbb))
 return 0;
 
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 4e40aa7ba3..ea14cfa683 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.47 2020/05/16 14:40:53 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.48 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing
 * Copyright (c) 2020 Bob Beck
@@ -454,12 +454,12 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
 goto err;
 
- if (!tls13_cert_add(&cert_list, cpk->x509))
+ if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build))
 goto err;
 
 for (i = 0; i < sk_X509_num(chain); i++) {
 cert = sk_X509_value(chain, i);
- if (!tls13_cert_add(&cert_list, cert))
+ if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_server_build))
 goto err;
 }
 
-- 
cgit v1.2.3-55-g6feb
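Review bot: In the second tls13_lib.c hunk, replacing `CBB_add_u16_length_prefixed(cbb, &cert_exts)` with `build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT)` makes the mandatory CertificateEntry extensions length field depend on the builder always writing a u16-prefixed vector, even when no extension applies to this entry; the bodies of tlsext_client_build and tlsext_server_build are not in the diff, and if either omits an empty extensions block for some message types the entry would be malformed on the wire. That contract should be confirmed and recorded at the call site, e.g. `/* build_extensions must always emit the u16 extensions vector, empty or not (RFC 8446, 4.4.2) */`. tls13_cert_add's body begins in the previous hunk and continues past this one.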
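Review bot: Every chain certificate is now passed through `tls13_cert_add(ctx, &cert_list, cert, tlsext_server_build)`, so the extension builder, and with this commit the OCSP status callback it drives, runs once per CertificateEntry, and as far as the diff shows the same `tlsext_ocsp_resp` is stapled to each intermediate as well as to the leaf. In TLS 1.3 a status_request on a non-leaf entry is expected to carry a response for that certificate, so either the chain loop should add entries without the staple or the OCSP needs/build path should fire only for the first entry. At minimum a comment on the loop, `/* tlsext_server_build runs per entry: any status_request staple is attached to every chain cert */`, would make the present behaviour explicit. tls13_server_certificate_send starts and ends outside this hunk.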