From e11dddc2de1dbf045d34adf894146594aded7e8d Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sat, 5 Nov 2016 15:13:26 +0000
Subject: Add support for server side OCSP stapling to libtls.

Add support for server side OCSP stapling to netcat.
---
 src/usr.bin/nc/nc.1     | 11 +++++++++--
 src/usr.bin/nc/netcat.c | 12 ++++++++++--
 2 files changed, 19 insertions(+), 4 deletions(-)
(limited to 'src/usr.bin')

diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index 8c7790f72a..2dda57af92 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.76 2016/11/04 07:34:17 jmc Exp $
+.\" $OpenBSD: nc.1,v 1.77 2016/11/05 15:13:26 beck Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 4 2016 $
+.Dd $Mdocdate: November 5 2016 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .Op Fl M Ar ttl
 .Op Fl m Ar minttl
 .Op Fl O Ar length
+.Op Fl o Ar staplefile
 .Op Fl P Ar proxy_username
 .Op Fl p Ar source_port
 .Op Fl R Ar CAfile
@@ -187,6 +188,12 @@ Do not do any DNS or service lookups on any specified addresses,
 hostnames or ports.
 .It Fl O Ar length
 Specifies the size of the TCP send buffer.
+.It Fl o Ar staplefile
+Specifies the filename from which to load data to be stapled
+during the TLS handshake.
+The file is expected to contain an OSCP response from an OCSP server in
+DER format.
+May only be used with TLS and when a certificate is being used.
 .It Fl P Ar proxy_username
 Specifies a username to present to a proxy server that requires authentication.
 If no username is specified then authentication will not be attempted.
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index b71c0426dc..4a841fb96d 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.167 2016/11/04 05:13:13 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.168 2016/11/05 15:13:26 beck Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson
  * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -100,6 +100,7 @@ int rtableid = -1;
 int usetls;				/* use TLS */
 char *Cflag;				/* Public cert file */
 char *Kflag;				/* Private key file */
+char *oflag;				/* OCSP stapling file */
 char *Rflag = DEFAULT_CA_FILE;		/* Root CA file */
 int tls_cachanged;			/* Using non-default CA file */
 int TLSopt;				/* TLS options */
@@ -163,7 +164,7 @@ main(int argc, char *argv[])
 	signal(SIGPIPE, SIG_IGN);
 
 	while ((ch = getopt(argc, argv,
-	    "46C:cDde:FH:hI:i:K:klM:m:NnO:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
 		switch (ch) {
 		case '4':
 			family = AF_INET;
@@ -295,6 +296,9 @@ main(int argc, char *argv[])
 				errx(1, "TCP send window %s: %s",
 				    errstr, optarg);
 			break;
+		case 'o':
+			oflag = optarg;
+			break;
 		case 'S':
 			Sflag = 1;
 			break;
@@ -380,6 +384,8 @@ main(int argc, char *argv[])
 		errx(1, "you must specify -c to use -C");
 	if (Kflag && !usetls)
 		errx(1, "you must specify -c to use -K");
+	if (oflag && !Cflag)
+		errx(1, "you must specify -C to use -o");
 	if (tls_cachanged && !usetls)
 		errx(1, "you must specify -c to use -R");
 	if (tls_expecthash && !usetls)
@@ -455,6 +461,8 @@ main(int argc, char *argv[])
 		errx(1, "%s", tls_config_error(tls_cfg));
 	if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1)
 		errx(1, "%s", tls_config_error(tls_cfg));
+	if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
+		errx(1, "%s", tls_config_error(tls_cfg));
 	if (TLSopt & TLS_LEGACY) {
 		tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
 		tls_config_set_ciphers(tls_cfg, "all");
-- 
cgit v1.2.3-55-g6feb
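Review bot: The new `o:` in the getopt string has no matching update to the program's own usage text: the diffstat's ten insertions for netcat.c are fully accounted for by the hunks shown (RCS id, `oflag` declaration, option string, `case 'o'`, the `-C` check and the `tls_config_set_ocsp_staple_file` call), so unless it was done in another commit, `usage()` and `help()` presumably still omit `-o staplefile` while nc.1 now documents it. Add `[-o staplefile]` to the synopsis string in `usage()` next to `[-O length]`, and a matching `-o staplefile` line wherever `help()` describes `-O`. The nc.1 hunk also spells the acronym `OSCP` once where `OCSP` is meant. main() starts and ends outside this hunk.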
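Review bot: `if (oflag && !Cflag)` ties `-o` to having a certificate but not to listen mode, so a client invocation with `-c -C ... -o staplefile` and no `-l` is accepted and the staple file is still loaded into `tls_cfg`; the commit describes this as server-side stapling, and the man page text only promises "with TLS and when a certificate is being used". Either also reject the option outside listen mode, `if (oflag && !lflag) errx(1, "you must specify -l to use -o");`, or state in nc.1 that `-o` has no effect for an outgoing connection. Whether `-C` itself is already restricted to `-l` is not visible in this hunk; if it is, the existing check covers this transitively. main() starts and ends outside the hunk.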
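Review bot: The staple is read into `tls_cfg` once here, before any connection is accepted, so with `-k` every later handshake presumably serves the same DER response until nc is restarted; OCSP responses carry a validity window, and a long-lived listener will eventually staple a stale response that clients may reject. That is likely acceptable for a diagnostic tool, but a comment on the new line such as `/* staple is read once; restart nc to refresh an expired OCSP response */` would make the limitation explicit for operators. Whether libtls re-reads the file on a later reconfigure is not visible from this hunk. main() starts and ends outside the hunk.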