wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix no-ocsp

Browse source 
Misc fixes for no-ocsp

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Matt Caswell 2016-03-21 16:54:53 +00:00
parent 7626fbf2ef
commit 3e41ac3528
10 changed files with 58 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
apps/ocsp.c
View file

@ -55,8 +55,12 @@
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef OPENSSL_NO_OCSP
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_OCSP
NON_EMPTY_TRANSLATION_UNIT
#else
# ifdef OPENSSL_SYS_VMS
# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
* on OpenVMS */
@ -69,8 +73,9 @@
# include <string.h>
# include <time.h>
# include <ctype.h>
# include "apps.h" /* needs to be included before the openssl
* headers! */
/* Needs to be included before the openssl headers */
# include "apps.h"
# include <openssl/e_os2.h>
# include <openssl/crypto.h>
# include <openssl/err.h>

8
apps/s_client.c
View file

@ -207,7 +207,9 @@ static int c_ign_eof = 0;
static int c_brief = 0;
static void print_stuff(BIO *berr, SSL *con, int full);
#ifndef OPENSSL_NO_OCSP
static int ocsp_resp_cb(SSL *s, void *arg);
#endif
static int saved_errno;
@ -757,7 +759,9 @@ OPTIONS s_client_options[] = {
"Set TLS extension servername in ClientHello"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
"Hex dump of all TLS extensions received"},
#ifndef OPENSSL_NO_OCSP
{"status", OPT_STATUS, '-', "Request certificate status from server"},
#endif
{"serverinfo", OPT_SERVERINFO, 's',
"types Send empty ClientHello extensions (comma-separated numbers)"},
{"alpn", OPT_ALPN, 's',
@ -1888,11 +1892,13 @@ int s_client_main(int argc, char **argv)
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_c_out);
}
#ifndef OPENSSL_NO_OCSP
if (c_status_req) {
SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
}
#endif
SSL_set_bio(con, sbio, sbio);
SSL_set_connect_state(con);
@ -2736,6 +2742,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
(void)BIO_flush(bio);
}
# ifndef OPENSSL_NO_OCSP
static int ocsp_resp_cb(SSL *s, void *arg)
{
const unsigned char *p;
@ -2759,5 +2766,6 @@ static int ocsp_resp_cb(SSL *s, void *arg)
OCSP_RESPONSE_free(rsp);
return 1;
}
# endif
#endif

9
apps/s_server.c
View file

@ -230,7 +230,6 @@ static BIO *bio_s_msg = NULL;
static int s_debug = 0;
static int s_tlsextdebug = 0;
static int s_tlsextstatus = 0;
static int cert_status_cb(SSL *s, void *arg);
static int no_resume_ephemeral = 0;
static int s_msg = 0;
static int s_quiet = 0;
@ -604,6 +603,7 @@ typedef struct tlsextstatusctx_st {
static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 };
#ifndef OPENSSL_NO_OCSP
/*
* Certificate Status callback. This is called when a client includes a
* certificate status request extension. This is a simplified version. It
@ -717,6 +717,7 @@ static int cert_status_cb(SSL *s, void *arg)
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
goto done;
}
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
/* This is the context that we pass to next_proto_cb */
@ -919,12 +920,14 @@ OPTIONS s_server_options[] = {
"CA file for certificate verification (PEM format)"},
{"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
#ifndef OPENSSL_NO_OCSP
{"status", OPT_STATUS, '-', "Request certificate status from server"},
{"status_verbose", OPT_STATUS_VERBOSE, '-',
"Print more output in certificate status callback"},
{"status_timeout", OPT_STATUS_TIMEOUT, 'n',
"Status request responder timeout"},
{"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
#endif
#ifndef OPENSSL_NO_SSL_TRACE
{"trace", OPT_TRACE, '-', "trace protocol messages"},
#endif
@ -1323,6 +1326,7 @@ int s_server_main(int argc, char *argv[])
tlscstatp.timeout = atoi(opt_arg());
break;
case OPT_STATUS_URL:
#ifndef OPENSSL_NO_OCSP
s_tlsextstatus = 1;
if (!OCSP_parse_url(opt_arg(),
&tlscstatp.host,
@ -1331,6 +1335,7 @@ int s_server_main(int argc, char *argv[])
BIO_printf(bio_err, "Error parsing URL\n");
goto end;
}
#endif
break;
case OPT_MSG:
s_msg = 1;
@ -2009,6 +2014,7 @@ int s_server_main(int argc, char *argv[])
if (ctx2)
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
}
#ifndef OPENSSL_NO_OCSP
if (s_tlsextstatus) {
SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
@ -2017,6 +2023,7 @@ int s_server_main(int argc, char *argv[])
SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
}
}
#endif
BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);

2
crypto/err/err_all.c
View file

@ -132,7 +132,9 @@ void err_load_crypto_strings_intern(void)
# ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings();
# endif
# ifndef OPENSSL_NO_OCSP
ERR_load_OCSP_strings();
# endif
#ifndef OPENSSL_NO_UI
ERR_load_UI_strings();
#endif

4
crypto/x509/x_all.c
View file

@ -103,11 +103,13 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
&x->sig_alg, &x->signature, &x->cert_info, ctx);
}
#ifndef OPENSSL_NO_OCSP
int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)
{
return OCSP_REQ_CTX_nbio_d2i(rctx,
(ASN1_VALUE **)pcert, ASN1_ITEM_rptr(X509));
}
#endif
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
@ -137,12 +139,14 @@ int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
&x->crl, ctx);
}
#ifndef OPENSSL_NO_OCSP
int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl)
{
return OCSP_REQ_CTX_nbio_d2i(rctx,
(ASN1_VALUE **)pcrl,
ASN1_ITEM_rptr(X509_CRL));
}
#endif
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
{

4
include/openssl/x509.h
View file

@ -408,12 +408,16 @@ int X509_signature_print(BIO *bp, X509_ALGOR *alg, ASN1_STRING *sig);
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
# ifndef OPENSSL_NO_OCSP
int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert);
# endif
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
# ifndef OPENSSL_NO_OCSP
int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl);
# endif
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_pubkey_digest(const X509 *data, const EVP_MD *type,

7
ssl/ssl_lib.c
View file

@ -1057,7 +1057,9 @@ void SSL_free(SSL *s)
OPENSSL_free(s->tlsext_ellipticcurvelist);
#endif /* OPENSSL_NO_EC */
sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);
#ifndef OPENSSL_NO_OCSP
sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
#endif
#ifndef OPENSSL_NO_CT
SCT_LIST_free(s->scts);
OPENSSL_free(s->tlsext_scts);
@ -3951,6 +3953,7 @@ static int ct_extract_tls_extension_scts(SSL *s)
*/
static int ct_extract_ocsp_response_scts(SSL *s)
{
#ifndef OPENSSL_NO_OCSP
int scts_extracted = 0;
const unsigned char *p;
OCSP_BASICRESP *br = NULL;
@ -3987,6 +3990,10 @@ err:
OCSP_BASICRESP_free(br);
OCSP_RESPONSE_free(rsp);
return scts_extracted;
#else
/* Behave as if no OCSP response exists */
return 0;
#endif
}
/*

16
ssl/t1_lib.c
View file

@ -1347,6 +1347,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
ret += salglen;
}
#ifndef OPENSSL_NO_OCSP
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
int i;
long extlen, idlen, itmp;
@ -1390,6 +1391,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (extlen > 0)
i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
}
#endif
#ifndef OPENSSL_NO_HEARTBEATS
if (SSL_IS_DTLS(s)) {
/* Add Heartbeat extension */
@ -2128,14 +2130,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
}
}
} else if (type == TLSEXT_TYPE_status_request) {
const unsigned char *ext_data;
if (!PACKET_get_1(&extension,
(unsigned int *)&s->tlsext_status_type)) {
return 0;
}
#ifndef OPENSSL_NO_OCSP
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
const unsigned char *ext_data;
PACKET responder_id_list, exts;
if (!PACKET_get_length_prefixed_2(&extension, &responder_id_list))
return 0;
@ -2192,10 +2194,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
return 0;
}
}
/*
* We don't know what to do with any other type * so ignore it.
*/
} else {
} else
#endif
{
/*
* We don't know what to do with any other type so ignore it.
*/
s->tlsext_status_type = -1;
}
}

3
test/recipes/70-test_sslcertstatus.t
View file

@ -69,6 +69,9 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled"
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs the ocsp feature enabled"
if disabled("ocsp");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
\&certstatus_filter,

4
test/recipes/80-test_ocsp.t
View file

@ -7,9 +7,13 @@ use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/;
use OpenSSL::Test::Utils;
setup("test_ocsp");
plan skip_all => "OCSP is not supported by this OpenSSL build"
if disabled("ocsp");
my $ocspdir=srctop_dir("test", "ocsp-tests");
# 17 December 2012 so we don't get certificate expiry errors.
my @check_time=("-attime", "1355875200");