OpenSSL CVS Repository
http://cvs.openssl.org/
____________________________________________________________
________________
Server: cvs.openssl.org Name: Dr.
Stephen Henson
Root: /v/openssl/cvs Email: steve openssl.org
Module: openssl Date:
26-Sep-2007 23:57:01
Branch: HEAD Handle:
2007092622565306
Modified files:
openssl CHANGES
openssl/apps apps.h ocsp.c s_client.c
s_server.c x509.c
openssl/crypto ossl_typ.h
openssl/crypto/asn1 x_exten.c
openssl/crypto/ocsp ocsp.h
openssl/crypto/stack safestack.h
openssl/crypto/x509 x509.h x509_req.c
openssl/crypto/x509v3 v3_utl.c x509v3.h
openssl/ssl s23_clnt.c s3_clnt.c s3_lib.c
s3_srvr.c ssl.h
ssl3.h ssl_err.c ssl_lib.c
ssl_locl.h t1_enc.c
t1_lib.c tls1.h
Log:
Support for certificate status TLS extension.
Summary:
Revision Changes Path
1.1394 +7 -0 openssl/CHANGES
1.80 +9 -0 openssl/apps/apps.h
1.45 +51 -40 openssl/apps/ocsp.c
1.109 +48 -0 openssl/apps/s_client.c
1.125 +182 -0 openssl/apps/s_server.c
1.99 +9 -2 openssl/apps/x509.c
1.13 +5 -0 openssl/crypto/asn1/x_exten.c
1.40 +8 -4 openssl/crypto/ocsp/ocsp.h
1.16 +2 -0 openssl/crypto/ossl_typ.h
1.64 +22 -0
openssl/crypto/stack/safestack.h
1.154 +3 -0 openssl/crypto/x509/x509.h
1.19 +0 -4 openssl/crypto/x509/x509_req.c
1.38 +24 -0 openssl/crypto/x509v3/v3_utl.c
1.115 +1 -0 openssl/crypto/x509v3/x509v3.h
1.40 +2 -0 openssl/ssl/s23_clnt.c
1.113 +90 -0 openssl/ssl/s3_clnt.c
1.119 +46 -0 openssl/ssl/s3_lib.c
1.156 +56 -0 openssl/ssl/s3_srvr.c
1.201 +29 -0 openssl/ssl/ssl.h
1.43 +5 -0 openssl/ssl/ssl3.h
1.69 +3 -0 openssl/ssl/ssl_err.c
1.163 +17 -0 openssl/ssl/ssl_lib.c
1.87 +2 -0 openssl/ssl/ssl_locl.h
1.47 +1 -1 openssl/ssl/t1_enc.c
1.48 +231 -2 openssl/ssl/t1_lib.c
1.38 +32 -3 openssl/ssl/tls1.h
____________________________________________________________
________________
patch -p0 <<' .'
Index: openssl/CHANGES
============================================================
================
$ cvs diff -u -r1.1393 -r1.1394 CHANGES
--- openssl/CHANGES 21 Sep 2007 06:54:10 -0000 1.1393
+++ openssl/CHANGES 26 Sep 2007 21:56:53 -0000 1.1394
-4,6 +4,13
Changes between 0.9.8f and 0.9.9 [xx XXX xxxx]
+ *) Implement certificate status request TLS extension
defined in RFC3546.
+ A client can set the appropriate parameters and
receive the encoded
+ OCSP response via a callback. A server can query the
supplied parameters
+ and set the encoded OCSP response in the callback.
Add simplified examples
+ to s_client and s_server.
+ [Steve Henson]
+
*) Implement Opaque PRF Input TLS extension as
specified in
draft-rescorla-tls-opaque-prf-input-00.txt. Since
this is not an
official specification yet and no extension type
assignment by
.
patch -p0 <<' .'
Index: openssl/apps/apps.h
============================================================
================
$ cvs diff -u -r1.79 -r1.80 apps.h
--- openssl/apps/apps.h 11 Apr 2007 17:20:38 -0000 1.79
+++ openssl/apps/apps.h 26 Sep 2007 21:56:54 -0000 1.80
-122,6 +122,9
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
+#ifndef OPENSSL_NO_OCSP
+#include <openssl/ocsp.h>
+#endif
#include <openssl/ossl_typ.h>
int app_RAND_load_file(const char *file, BIO *bio_e, int
dont_warn);
-247,6 +250,12
ENGINE *setup_engine(BIO *err, const char *engine, int
debug);
#endif
+#ifndef OPENSSL_NO_OCSP
+OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST
*req,
+ char *host, char *path, char *port, int use_ssl,
+ int req_timeout);
+#endif
+
int load_config(BIO *err, CONF *cnf);
char *make_config_name(void);
.
patch -p0 <<' .'
Index: openssl/apps/ocsp.c
============================================================
================
$ cvs diff -u -r1.44 -r1.45 ocsp.c
--- openssl/apps/ocsp.c 12 Aug 2007 17:44:27 -0000 1.44
+++ openssl/apps/ocsp.c 26 Sep 2007 21:56:54 -0000 1.45
-120,7 +120,6
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
- SSL_CTX *ctx = NULL;
STACK_OF(X509) *sign_other = NULL, *verify_other = NULL,
*rother = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL,
*rcertfile = NULL;
unsigned long sign_flags = 0, verify_flags = 0, rflags =
0;
-723,48 +722,14
else if (host)
{
#ifndef OPENSSL_NO_SOCK
- cbio = BIO_new_connect(host);
+ resp = process_responder(bio_err, req, host, path,
+ port, use_ssl, req_timeout);
+ if (!resp)
+ goto end;
#else
BIO_printf(bio_err, "Error creating connect BIO -
sockets not supported.n");
goto end;
#endif
- if (!cbio)
- {
- BIO_printf(bio_err, "Error creating connect
BIOn");
- goto end;
- }
- if (port) BIO_set_conn_port(cbio, port);
- if (use_ssl == 1)
- {
- BIO *sbio;
-#if !defined(OPENSSL_NO_SSL2) &&
!defined(OPENSSL_NO_SSL3)
- ctx = SSL_CTX_new(SSLv23_client_method());
-#elif !defined(OPENSSL_NO_SSL3)
- ctx = SSL_CTX_new(SSLv3_client_method());
-#elif !defined(OPENSSL_NO_SSL2)
- ctx = SSL_CTX_new(SSLv2_client_method());
-#else
- BIO_printf(bio_err, "SSL is disabledn");
- goto end;
-#endif
- if (ctx == NULL)
- {
- BIO_printf(bio_err, "Error creating SSL
context.n");
- goto end;
- }
- SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
- sbio = BIO_new_ssl(ctx, 1);
- cbio = BIO_push(sbio, cbio);
- }
-
- resp = query_responder(bio_err, cbio, path, req,
req_timeout);
- BIO_free_all(cbio);
- cbio = NULL;
- if (!resp)
- {
- BIO_printf(bio_err, "Error querying OCSP
responsdern");
- goto end;
- }
}
else if (respin)
{
-913,7 +878,6
OPENSSL_free(host);
OPENSSL_free(port);
OPENSSL_free(path);
- SSL_CTX_free(ctx);
}
OPENSSL_EXIT(ret);
-1334,4 +1298,51
return rsp;
}
+OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST
*req,
+ char *host, char *path, char *port, int use_ssl,
+ int req_timeout)
+ {
+ BIO *cbio = NULL;
+ SSL_CTX *ctx = NULL;
+ OCSP_RESPONSE *resp = NULL;
+ cbio = BIO_new_connect(host);
+ if (!cbio)
+ {
+ BIO_printf(err, "Error creating connect
BIOn");
+ goto end;
+ }
+ if (port) BIO_set_conn_port(cbio, port);
+ if (use_ssl == 1)
+ {
+ BIO *sbio;
+#if !defined(OPENSSL_NO_SSL2) &&
!defined(OPENSSL_NO_SSL3)
+ ctx = SSL_CTX_new(SSLv23_client_method());
+#elif !defined(OPENSSL_NO_SSL3)
+ ctx = SSL_CTX_new(SSLv3_client_method());
+#elif !defined(OPENSSL_NO_SSL2)
+ ctx = SSL_CTX_new(SSLv2_client_method());
+#else
+ BIO_printf(err, "SSL is disabledn");
+ goto end;
+#endif
+ if (ctx == NULL)
+ {
+ BIO_printf(err, "Error creating SSL
context.n");
+ goto end;
+ }
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+ sbio = BIO_new_ssl(ctx, 1);
+ cbio = BIO_push(sbio, cbio);
+ }
+ resp = query_responder(err, cbio, path, req,
req_timeout);
+ if (!resp)
+ BIO_printf(bio_err, "Error querying OCSP
responsdern");
+ end:
+ if (ctx)
+ SSL_CTX_free(ctx);
+ if (cbio)
+ BIO_free_all(cbio);
+ return resp;
+ }
+
#endif
.
patch -p0 <<' .'
Index: openssl/apps/s_client.c
============================================================
================
$ cvs diff -u -r1.108 -r1.109 s_client.c
--- openssl/apps/s_client.c 23 Sep 2007 11:08:58
-0000 1.108
+++ openssl/apps/s_client.c 26 Sep 2007 21:56:54
-0000 1.109
-161,6 +161,7
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
#include "s_apps.h"
#include "timeouts.h"
-196,12 +197,14
static int c_debug=0;
#ifndef OPENSSL_NO_TLSEXT
static int c_tlsextdebug=0;
+static int c_status_req=0;
#endif
static int c_msg=0;
static int c_showcerts=0;
static void sc_usage(void);
static void print_stuff(BIO *berr,SSL *con,int full);
+static int ocsp_resp_cb(SSL *s, void *arg);
static BIO *bio_c_out=NULL;
static int c_quiet=0;
static int c_ign_eof=0;
-329,6 +332,7
#ifndef OPENSSL_NO_TLSEXT
BIO_printf(bio_err," -servername host - Set TLS
extension servername in ClientHellon");
BIO_printf(bio_err," -tlsextdebug - hex dump
of all TLS extensions receivedn");
+ BIO_printf(bio_err," -status - request
certificate status from servern");
BIO_printf(bio_err," -no_ticket - disable
use of RFC4507bis session ticketsn");
#endif
}
-528,6 +532,8
#ifndef OPENSSL_NO_TLSEXT
else if (strcmp(*argv,"-tlsextdebug") == 0)
c_tlsextdebug=1;
+ else if (strcmp(*argv,"-status") == 0)
+ c_status_req=1;
#endif
#ifdef WATT32
else if (strcmp(*argv,"-wdebug") == 0)
-954,6 +960,23
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_c_out);
}
+ if (c_status_req)
+ {
+ SSL_set_tlsext_status_type(con,
TLSEXT_STATUSTYPE_ocsp);
+ SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
+ SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
+#if 0
+{
+STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
+OCSP_RESPID *id = OCSP_RESPID_new();
+id->value.byKey = ASN1_OCTET_STRING_new();
+id->type = V_OCSP_RESPID_KEY;
+ASN1_STRING_set(id->value.byKey, "Hello
World", -1);
+sk_OCSP_RESPID_push(ids, id);
+SSL_set_tlsext_status_ids(con, ids);
+}
+#endif
+ }
#endif
SSL_set_bio(con,sbio,sbio);
-1592,3 +1615,28
(void)BIO_flush(bio);
}
+static int ocsp_resp_cb(SSL *s, void *arg)
+ {
+ const unsigned char *p;
+ int len;
+ OCSP_RESPONSE *rsp;
+ len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+ BIO_puts(arg, "OCSP response: ");
+ if (!p)
+ {
+ BIO_puts(arg, "no response sentn");
+ return 1;
+ }
+ rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
+ if (!rsp)
+ {
+ BIO_puts(arg, "response parse errorn");
+ BIO_dump_indent(arg, (char *)p, len, 4);
+ return 0;
+ }
+ BIO_puts(arg,
"n======================================n");
+ OCSP_RESPONSE_print(arg, rsp, 0);
+ BIO_puts(arg,
"======================================n");
+ OCSP_RESPONSE_free(rsp);
+ return 1;
+ }
.
patch -p0 <<' .'
Index: openssl/apps/s_server.c
============================================================
================
$ cvs diff -u -r1.124 -r1.125 s_server.c
--- openssl/apps/s_server.c 23 Sep 2007 11:08:59
-0000 1.124
+++ openssl/apps/s_server.c 26 Sep 2007 21:56:55
-0000 1.125
-179,6 +179,7
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
-283,6 +284,8
static int s_debug=0;
#ifndef OPENSSL_NO_TLSEXT
static int s_tlsextdebug=0;
+static int s_tlsextstatus=0;
+static int cert_status_cb(SSL *s, void *arg);
#endif
static int s_msg=0;
static int s_quiet=0;
-664,6 +667,152
}
return SSL_TLSEXT_ERR_OK;
}
+
+/* Structure passed to cert status callback */
+
+typedef struct tlsextstatusctx_st {
+ /* Default responder to use */
+ char *host, *path, *port;
+ int use_ssl;
+ int timeout;
+ BIO *err;
+ int verbose;
+} tlsextstatusctx;
+
+static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0,
-1, NULL, 0};
+
+/* Certificate Status callback. This is called when a
client includes a
+ * certificate status request extension.
+ *
+ * This is a simplified version. It examines certificates
each time and
+ * makes one OCSP responder query for each request.
+ *
+ * A full version would store details such as the OCSP
certificate IDs and
+ * minimise the number of OCSP responses by caching them
until they were
+ * considered "expired".
+ */
+
+static int cert_status_cb(SSL *s, void *arg)
+ {
+ tlsextstatusctx *srctx = arg;
+ BIO *err = srctx->err;
+ char *host, *port, *path;
+ int use_ssl;
+ unsigned char *rspder = NULL;
+ int rspderlen;
+ STACK *aia = NULL;
+ X509 *x = NULL;
+ X509_STORE_CTX inctx;
+ X509_OBJECT obj;
+ OCSP_REQUEST *req = NULL;
+ OCSP_RESPONSE *resp = NULL;
+ OCSP_CERTID *id = NULL;
+ STACK_OF(X509_EXTENSION) *exts;
+ int ret = SSL_TLSEXT_ERR_NOACK;
+ int i;
+#if 0
+STACK_OF(OCSP_RESPID) *ids;
+SSL_get_tlsext_status_ids(s, &ids);
+BIO_printf(err, "cert_status: received %d
idsn", sk_OCSP_RESPID_num(ids));
+#endif
+ if (srctx->verbose)
+ BIO_puts(err, "cert_status: callback
calledn");
+ /* Build up OCSP query from server certificate */
+ x = SSL_get_certificate(s);
+ aia = X509_get1_ocsp(x);
+ if (aia)
+ {
+ if (!OCSP_parse_url(sk_value(aia, 0),
+ &host, &port, &path, &use_ssl))
+ {
+ BIO_puts(err, "cert_status: can't parse AIA
URLn");
+ goto err;
+ }
+ if (srctx->verbose)
+ BIO_printf(err, "cert_status: AIA URL:
%sn",
+ sk_value(aia, 0));
+ }
+ else
+ {
+ if (!srctx->host)
+ {
+ BIO_puts(srctx->err, "cert_status: no AIA and
no default responder URLn");
+ goto done;
+ }
+ host = srctx->host;
+ path = srctx->path;
+ port = srctx->port;
+ use_ssl = srctx->use_ssl;
+ }
+
+ if (!X509_STORE_CTX_init(&inctx,
+ SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
+ NULL, NULL))
+ goto err;
+ if (X509_STORE_get_by_subject(&inctx,X509_LU_X509,
+ X509_get_issuer_name(x),&obj) <= 0)
+ {
+ BIO_puts(err, "cert_status: Can't retrieve issuer
certificate.n");
+ X509_STORE_CTX_cleanup(&inctx);
+ goto done;
+ }
+ req = OCSP_REQUEST_new();
+ if (!req)
+ goto err;
+ id = OCSP_cert_to_id(NULL, x, obj.data.x509);
+ X509_free(obj.data.x509);
+ X509_STORE_CTX_cleanup(&inctx);
+ if (!id)
+ goto err;
+ if (!OCSP_request_add0_id(req, id))
+ goto err;
+ id = NULL;
+ /* Add any extensions to the request */
+ SSL_get_tlsext_status_exts(s, &exts);
+ for (i = 0; i < sk_X509_EXTENSION_num(exts); i++)
+ {
+ X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts,
i);
+ if (!OCSP_REQUEST_add_ext(req, ext, -1))
+ goto err;
+ }
+ resp = process_responder(err, req, host, path, port,
use_ssl,
+ srctx->timeout);
+ if (!resp)
+ {
+ BIO_puts(err, "cert_status: error querying
respondern");
+ goto done;
+ }
+ rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
+ if (rspderlen <= 0)
+ goto err;
+ SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
+ if (srctx->verbose)
+ {
+ BIO_puts(err, "cert_status: ocsp response
sent:n");
+ OCSP_RESPONSE_print(err, resp, 2);
+ }
+ ret = SSL_TLSEXT_ERR_OK;
+ done:
+ if (ret != SSL_TLSEXT_ERR_OK)
+ ERR_print_errors(err);
+ if (aia)
+ {
+ OPENSSL_free(host);
+ OPENSSL_free(path);
+ OPENSSL_free(port);
+ X509_email_free(aia);
+ }
+ if (id)
+ OCSP_CERTID_free(id);
+ if (req)
+ OCSP_REQUEST_free(req);
+ if (resp)
+ OCSP_RESPONSE_free(resp);
+ return ret;
+ err:
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ goto done;
+ }
#endif
int MAIN(int, char **);
-877,6 +1026,33
#ifndef OPENSSL_NO_TLSEXT
else if (strcmp(*argv,"-tlsextdebug") == 0)
s_tlsextdebug=1;
+ else if (strcmp(*argv,"-status") == 0)
+ s_tlsextstatus=1;
+ else if (strcmp(*argv,"-status_verbose") ==
0)
+ {
+ s_tlsextstatus=1;
+ tlscstatp.verbose = 1;
+ }
+ else if (!strcmp(*argv, "-status_timeout"))
+ {
+ s_tlsextstatus=1;
+ if (--argc < 1) goto bad;
+ tlscstatp.timeout = atoi(*(++argv));
+ }
+ else if (!strcmp(*argv, "-status_url"))
+ {
+ s_tlsextstatus=1;
+ if (--argc < 1) goto bad;
+ if (!OCSP_parse_url(*(++argv),
+ &tlscstatp.host,
+ &tlscstatp.port,
+ &tlscstatp.path,
+ &tlscstatp.use_ssl))
+ {
+ BIO_printf(bio_err, "Error parsing
URLn");
+ goto bad;
+ }
+ }
#endif
else if (strcmp(*argv,"-msg") == 0)
{ s_msg=1; }
-1560,6 +1736,12
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_s_out);
}
+ if (s_tlsextstatus);
+ {
+ SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
+ tlscstatp.err = bio_err;
+ SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
+ }
#endif
#ifndef OPENSSL_NO_KRB5
if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
.
patch -p0 <<' .'
Index: openssl/apps/x509.c
============================================================
================
$ cvs diff -u -r1.98 -r1.99 x509.c
--- openssl/apps/x509.c 7 May 2006 17:09:03 -0000 1.98
+++ openssl/apps/x509.c 26 Sep 2007 21:56:55 -0000 1.99
-114,6 +114,7
" -alias - output certificate
aliasn",
" -noout - no certificate outputn",
" -ocspid - print OCSP hash values for the
subject name and public keyn",
+" -ocspurl - print OCSP Responder
URL(s)n",
" -trustout - output a "trusted"
certificaten",
" -clrtrust - clear all trusted
purposesn",
" -clrreject - clear all rejected
purposesn",
-179,6 +180,7
int next_serial=0;
int subject_hash=0,issuer_hash=0,ocspid=0;
int
noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
+ int ocsp_uri=0;
int
trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
-378,6 +380,8
C= ++num;
else if (strcmp(*argv,"-email") == 0)
email= ++num;
+ else if (strcmp(*argv,"-ocsp_uri") == 0)
+ ocsp_uri= ++num;
else if (strcmp(*argv,"-serial") == 0)
serial= ++num;
else if (strcmp(*argv,"-next_serial") == 0)
-731,11 +735,14
ASN1_INTEGER_free(ser);
BIO_puts(out, "n");
}
- else if (email == i)
+ else if ((email == i) || (ocsp_uri == i))
{
int j;
STACK *emlst;
- emlst = X509_get1_email(x);
+ if (email == i)
+ emlst = X509_get1_email(x);
+ else
+ emlst = X509_get1_ocsp(x);
for (j = 0; j < sk_num(emlst); j++)
BIO_printf(STDout, "%sn", sk_value(emlst,
j));
X509_email_free(emlst);
.
patch -p0 <<' .'
Index: openssl/crypto/asn1/x_exten.c
============================================================
================
$ cvs diff -u -r1.12 -r1.13 x_exten.c
--- openssl/crypto/asn1/x_exten.c 27 Jul 2001 02:22:24
-0000 1.12
+++ openssl/crypto/asn1/x_exten.c 26 Sep 2007 21:56:56
-0000 1.13
-67,5 +67,10
ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(X509_EXTENSION)
+ASN1_ITEM_TEMPLATE(X509_EXTENSIONS) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
Extension, X509_EXTENSION)
+ASN1_ITEM_TEMPLATE_END(X509_EXTENSIONS)
+
IMPLEMENT_ASN1_FUNCTIONS(X509_EXTENSION)
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(X509_EXTENSIONS,
X509_EXTENSIONS, X509_EXTENSIONS)
IMPLEMENT_ASN1_DUP_FUNCTION(X509_EXTENSION)
.
patch -p0 <<' .'
Index: openssl/crypto/ocsp/ocsp.h
============================================================
================
$ cvs diff -u -r1.39 -r1.40 ocsp.h
--- openssl/crypto/ocsp/ocsp.h 7 Jun 2007 13:14:36
-0000 1.39
+++ openssl/crypto/ocsp/ocsp.h 26 Sep 2007 21:56:56
-0000 1.40
-187,11 +187,11
* responseStatus OCSPResponseStatus,
* responseBytes [0] EXPLICIT ResponseBytes
OPTIONAL }
*/
-typedef struct ocsp_response_st
+struct ocsp_response_st
{
ASN1_ENUMERATED *responseStatus;
OCSP_RESPBYTES *responseBytes;
- } OCSP_RESPONSE;
+ };
/* ResponderID ::= CHOICE {
* byName [1] Name,
-199,14 +199,18
*/
#define V_OCSP_RESPID_NAME 0
#define V_OCSP_RESPID_KEY 1
-typedef struct ocsp_responder_id_st
+struct ocsp_responder_id_st
{
int type;
union {
X509_NAME* byName;
ASN1_OCTET_STRING *byKey;
} value;
- } OCSP_RESPID;
+ };
+
+DECLARE_STACK_OF(OCSP_RESPID)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
+
/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's
public key
* --(excluding the tag and
length fields)
*/
.
patch -p0 <<' .'
Index: openssl/crypto/ossl_typ.h
============================================================
================
$ cvs diff -u -r1.15 -r1.16 ossl_typ.h
--- openssl/crypto/ossl_typ.h 21 Sep 2006 12:42:14
-0000 1.15
+++ openssl/crypto/ossl_typ.h 26 Sep 2007 21:56:56
-0000 1.16
-188,5 +188,7
int idx, long argl, void *argp);
typedef struct ocsp_req_ctx_st OCSP_REQ_CTX;
+typedef struct ocsp_response_st OCSP_RESPONSE;
+typedef struct ocsp_responder_id_st OCSP_RESPID;
#endif /* def HEADER_OPENSSL_TYPES_H */
.
patch -p0 <<' .'
Index: openssl/crypto/stack/safestack.h
============================================================
================
$ cvs diff -u -r1.63 -r1.64 safestack.h
--- openssl/crypto/stack/safestack.h 7 Sep 2007 13:25:12
-0000 1.63
+++ openssl/crypto/stack/safestack.h 26 Sep 2007 21:56:57
-0000 1.64
-1074,6 +1074,28
#define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ,
(st))
#define sk_OCSP_ONEREQ_is_sorted(st)
SKM_sk_is_sorted(OCSP_ONEREQ, (st))
+#define sk_OCSP_RESPID_new(st) SKM_sk_new(OCSP_RESPID,
(st))
+#define sk_OCSP_RESPID_new_null()
SKM_sk_new_null(OCSP_RESPID)
+#define sk_OCSP_RESPID_free(st) SKM_sk_free(OCSP_RESPID,
(st))
+#define sk_OCSP_RESPID_num(st) SKM_sk_num(OCSP_RESPID,
(st))
+#define sk_OCSP_RESPID_value(st, i)
SKM_sk_value(OCSP_RESPID, (st), (i))
+#define sk_OCSP_RESPID_set(st, i, val)
SKM_sk_set(OCSP_RESPID, (st), (i), (val))
+#define sk_OCSP_RESPID_zero(st) SKM_sk_zero(OCSP_RESPID,
(st))
+#define sk_OCSP_RESPID_push(st, val)
SKM_sk_push(OCSP_RESPID, (st), (val))
+#define sk_OCSP_RESPID_unshift(st, val)
SKM_sk_unshift(OCSP_RESPID, (st), (val))
+#define sk_OCSP_RESPID_find(st, val)
SKM_sk_find(OCSP_RESPID, (st), (val))
+#define sk_OCSP_RESPID_find_ex(st, val)
SKM_sk_find_ex(OCSP_RESPID, (st), (val))
+#define sk_OCSP_RESPID_delete(st, i)
SKM_sk_delete(OCSP_RESPID, (st), (i))
+#define sk_OCSP_RESPID_delete_ptr(st, ptr)
SKM_sk_delete_ptr(OCSP_RESPID, (st), (ptr))
+#define sk_OCSP_RESPID_insert(st, val, i)
SKM_sk_insert(OCSP_RESPID, (st), (val), (i))
+#define sk_OCSP_RESPID_set_cmp_func(st, cmp)
SKM_sk_set_cmp_func(OCSP_RESPID, (st), (cmp))
+#define sk_OCSP_RESPID_dup(st) SKM_sk_dup(OCSP_RESPID,
st)
+#define sk_OCSP_RESPID_pop_free(st, free_func)
SKM_sk_pop_free(OCSP_RESPID, (st), (free_func))
+#define sk_OCSP_RESPID_shift(st)
SKM_sk_shift(OCSP_RESPID, (st))
+#define sk_OCSP_RESPID_pop(st) SKM_sk_pop(OCSP_RESPID,
(st))
+#define sk_OCSP_RESPID_sort(st) SKM_sk_sort(OCSP_RESPID,
(st))
+#define sk_OCSP_RESPID_is_sorted(st)
SKM_sk_is_sorted(OCSP_RESPID, (st))
+
#define sk_OCSP_SINGLERESP_new(st)
SKM_sk_new(OCSP_SINGLERESP, (st))
#define sk_OCSP_SINGLERESP_new_null()
SKM_sk_new_null(OCSP_SINGLERESP)
#define sk_OCSP_SINGLERESP_free(st)
SKM_sk_free(OCSP_SINGLERESP, (st))
.
patch -p0 <<' .'
Index: openssl/crypto/x509/x509.h
============================================================
================
$ cvs diff -u -r1.153 -r1.154 x509.h
--- openssl/crypto/x509/x509.h 11 Dec 2006 22:35:51
-0000 1.153
+++ openssl/crypto/x509/x509.h 26 Sep 2007 21:56:57
-0000 1.154
-205,6 +205,8
ASN1_OCTET_STRING *value;
} X509_EXTENSION;
+typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
+
DECLARE_STACK_OF(X509_EXTENSION)
DECLARE_ASN1_SET_OF(X509_EXTENSION)
-801,6 +803,7
X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int
atrtype, void *value);
DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
+DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS,
X509_EXTENSIONS, X509_EXTENSIONS)
DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
.
patch -p0 <<' .'
Index: openssl/crypto/x509/x509_req.c
============================================================
================
$ cvs diff -u -r1.18 -r1.19 x509_req.c
--- openssl/crypto/x509/x509_req.c 7 Jun 2007 13:14:38
-0000 1.18
+++ openssl/crypto/x509/x509_req.c 26 Sep 2007 21:56:57
-0000 1.19
-67,10 +67,6
#include <openssl/buffer.h>
#include <openssl/pem.h>
-ASN1_ITEM_TEMPLATE(X509_EXTENSIONS) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
Extension, X509_EXTENSION)
-ASN1_ITEM_TEMPLATE_END(X509_EXTENSIONS)
-
X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const
EVP_MD *md)
{
X509_REQ *ret;
.
patch -p0 <<' .'
Index: openssl/crypto/x509v3/v3_utl.c
============================================================
================
$ cvs diff -u -r1.37 -r1.38 v3_utl.c
--- openssl/crypto/x509v3/v3_utl.c 11 Apr 2007 12:26:52
-0000 1.37
+++ openssl/crypto/x509v3/v3_utl.c 26 Sep 2007 21:56:58
-0000 1.38
-473,6 +473,30
return ret;
}
+STACK *X509_get1_ocsp(X509 *x)
+{
+ AUTHORITY_INFO_ACCESS *info;
+ STACK *ret = NULL;
+ int i;
+ info = X509_get_ext_d2i(x, NID_info_access, NULL,
NULL);
+ if (!info)
+ return NULL;
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info);
i++)
+ {
+ ACCESS_DESCRIPTION *ad =
sk_ACCESS_DESCRIPTION_value(info, i);
+ if (OBJ_obj2nid(ad->method) == NID_ad_OCSP)
+ {
+ if (ad->location->type == GEN_URI)
+ {
+ if (!append_ia5(&ret,
ad->location->d.uniformResourceIdentifier))
+ break;
+ }
+ }
+ }
+ AUTHORITY_INFO_ACCESS_free(info);
+ return ret;
+}
+
STACK *X509_REQ_get1_email(X509_REQ *x)
{
GENERAL_NAMES *gens;
.
patch -p0 <<' .'
Index: openssl/crypto/x509v3/x509v3.h
============================================================
================
$ cvs diff -u -r1.114 -r1.115 x509v3.h
--- openssl/crypto/x509v3/x509v3.h 7 Jun 2007 13:14:39
-0000 1.114
+++ openssl/crypto/x509v3/x509v3.h 26 Sep 2007 21:56:58
-0000 1.115
-649,6 +649,7
STACK *X509_get1_email(X509 *x);
STACK *X509_REQ_get1_email(X509_REQ *x);
void X509_email_free(STACK *sk);
+STACK *X509_get1_ocsp(X509 *x);
ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
.
patch -p0 <<' .'
Index: openssl/ssl/s23_clnt.c
============================================================
================
$ cvs diff -u -r1.39 -r1.40 s23_clnt.c
--- openssl/ssl/s23_clnt.c 21 Sep 2007 06:54:16
-0000 1.39
+++ openssl/ssl/s23_clnt.c 26 Sep 2007 21:56:58
-0000 1.40
-283,6 +283,8
if (s->tlsext_hostname != NULL)
ssl2_compat = 0;
+ if (s->tlsext_status_type != -1)
+ ssl2_compat = 0;
#ifdef TLSEXT_TYPE_opaque_prf_input
if (s->ctx->tlsext_opaque_prf_input_callback != 0
|| s->tlsext_opaque_prf_input != NULL)
.
patch -p0 <<' .'
Index: openssl/ssl/s3_clnt.c
============================================================
================
$ cvs diff -u -r1.112 -r1.113 s3_clnt.c
--- openssl/ssl/s3_clnt.c 21 Sep 2007 06:54:16
-0000 1.112
+++ openssl/ssl/s3_clnt.c 26 Sep 2007 21:56:58
-0000 1.113
-307,10 +307,23
{
ret=ssl3_get_server_certificate(s);
if (ret <= 0) goto end;
+#ifndef OPENSSL_NO_TLSEXT
+ if (s->tlsext_status_expected)
+ s->state=SSL3_ST_CR_CERT_STATUS_A;
+ else
+ s->state=SSL3_ST_CR_KEY_EXCH_A;
+ }
+ else
+ {
+ skip = 1;
+ s->state=SSL3_ST_CR_KEY_EXCH_A;
}
+#else
else
skip=1;
+
s->state=SSL3_ST_CR_KEY_EXCH_A;
+#endif
s->init_num=0;
break;
-473,6 +486,14
s->state=SSL3_ST_CR_FINISHED_A;
s->init_num=0;
break;
+
+ case SSL3_ST_CR_CERT_STATUS_A:
+ case SSL3_ST_CR_CERT_STATUS_B:
+ ret=ssl3_get_cert_status(s);
+ if (ret <= 0) goto end;
+ s->state=SSL3_ST_CR_KEY_EXCH_A;
+ s->init_num=0;
+ break;
#endif
case SSL3_ST_CR_FINISHED_A:
-1795,6 +1816,75
err:
return(-1);
}
+
+int ssl3_get_cert_status(SSL *s)
+ {
+ int ok, al;
+ unsigned long resplen;
+ long n;
+ const unsigned char *p;
+
+ n=s->method->ssl_get_message(s,
+ SSL3_ST_CR_CERT_STATUS_A,
+ SSL3_ST_CR_CERT_STATUS_B,
+ SSL3_MT_CERTIFICATE_STATUS,
+ 16384,
+ &ok);
+
+ if (!ok) return((int)n);
+ if (n < 4)
+ {
+ /* need at least status type + length */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+ p = (unsigned char *)s->init_msg;
+ if (*p++ != TLSEXT_STATUSTYPE_ocsp)
+ {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATU
S_TYPE);
+ goto f_err;
+ }
+ n2l3(p, resplen);
+ if (resplen + 4 != n)
+ {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+ if (s->tlsext_ocsp_resp)
+ OPENSSL_free(s->tlsext_ocsp_resp);
+ s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
+ if (!s->tlsext_ocsp_resp)
+ {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
+ goto f_err;
+ }
+ s->tlsext_ocsp_resplen = resplen;
+ if (s->ctx->tlsext_status_cb)
+ {
+ int ret;
+ ret = s->ctx->tlsext_status_cb(s,
s->ctx->tlsext_status_arg);
+ if (ret == 0)
+ {
+ al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
+ SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_R
ESPONSE);
+ goto f_err;
+ }
+ if (ret < 0)
+ {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
+ goto f_err;
+ }
+ }
+ return 1;
+f_err:
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ return(-1);
+ }
#endif
int ssl3_get_server_done(SSL *s)
.
patch -p0 <<' .'
Index: openssl/ssl/s3_lib.c
============================================================
================
$ cvs diff -u -r1.118 -r1.119 s3_lib.c
--- openssl/ssl/s3_lib.c 23 Sep 2007 11:30:51 -0000 1.118
+++ openssl/ssl/s3_lib.c 26 Sep 2007 21:56:58 -0000 1.119
-2383,6 +2383,43
break;
#endif
+ case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
+ s->tlsext_status_type=larg;
+ ret = 1;
+ break;
+
+ case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
+ *(STACK_OF(X509_EXTENSION) **)parg =
s->tlsext_ocsp_exts;
+ ret = 1;
+ break;
+
+ case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
+ s->tlsext_ocsp_exts = parg;
+ ret = 1;
+ break;
+
+ case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
+ *(STACK_OF(OCSP_RESPID) **)parg =
s->tlsext_ocsp_ids;
+ ret = 1;
+ break;
+
+ case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
+ s->tlsext_ocsp_ids = parg;
+ ret = 1;
+ break;
+
+ case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
+ *(unsigned char **)parg = s->tlsext_ocsp_resp;
+ return s->tlsext_ocsp_resplen;
+
+ case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
+ if (s->tlsext_ocsp_resp)
+ OPENSSL_free(s->tlsext_ocsp_resp);
+ s->tlsext_ocsp_resp = parg;
+ s->tlsext_ocsp_resplen = larg;
+ ret = 1;
+ break;
+
#endif /* !OPENSSL_NO_TLSEXT */
default:
break;
-2610,6 +2647,11
return 1;
#endif
+ case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
+ ctx->tlsext_status_arg=parg;
+ return 1;
+ break;
+
#endif /* !OPENSSL_NO_TLSEXT */
/* A Thawte special  */
-2668,6 +2710,10
break;
#endif
+ case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
+ ctx->tlsext_status_cb=(int (*)(SSL *,void *))fp;
+ break;
+
#endif
default:
return(0);
.
patch -p0 <<' .'
Index: openssl/ssl/s3_srvr.c
============================================================
================
$ cvs diff -u -r1.155 -r1.156 s3_srvr.c
--- openssl/ssl/s3_srvr.c 31 Aug 2007 12:42:50
-0000 1.155
+++ openssl/ssl/s3_srvr.c 26 Sep 2007 21:56:58
-0000 1.156
-332,10 +332,23
{
ret=ssl3_send_server_certificate(s);
if (ret <= 0) goto end;
+#ifndef OPENSSL_NO_TLSEXT
+ if (s->tlsext_status_expected)
+ s->state=SSL3_ST_SW_CERT_STATUS_A;
+ else
+ s->state=SSL3_ST_SW_KEY_EXCH_A;
}
else
+ {
+ skip = 1;
+ s->state=SSL3_ST_SW_KEY_EXCH_A;
+ }
+#else
+ else
skip=1;
+
s->state=SSL3_ST_SW_KEY_EXCH_A;
+#endif
s->init_num=0;
break;
-551,6 +564,14
s->init_num=0;
break;
+ case SSL3_ST_SW_CERT_STATUS_A:
+ case SSL3_ST_SW_CERT_STATUS_B:
+ ret=ssl3_send_cert_status(s);
+ if (ret <= 0) goto end;
+ s->state=SSL3_ST_SW_KEY_EXCH_A;
+ s->init_num=0;
+ break;
+
#endif
case SSL3_ST_SW_CHANGE_A:
-2823,4 +2844,39
/* SSL3_ST_SW_SESSION_TICKET_B */
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
+
+int ssl3_send_cert_status(SSL *s)
+ {
+ if (s->state == SSL3_ST_SW_CERT_STATUS_A)
+ {
+ unsigned char *p;
+ /* Grow buffer if need be: the length calculation is
as
+ * follows 1 (message type) + 3 (message length) +
+ * 1 (ocsp response type) + 3 (ocsp response length)
+ * + (ocsp response)
+ */
+ if (!BUF_MEM_grow(s->init_buf, 8 +
s->tlsext_ocsp_resplen))
+ return -1;
+
+ p=(unsigned char *)s->init_buf->data;
+
+ /* do the header */
+ *(p++)=SSL3_MT_CERTIFICATE_STATUS;
+ /* message length */
+ l2n3(s->tlsext_ocsp_resplen + 4, p);
+ /* status type */
+ *(p++)= s->tlsext_status_type;
+ /* length of OCSP response */
+ l2n3(s->tlsext_ocsp_resplen, p);
+ /* actual response */
+ memcpy(p, s->tlsext_ocsp_resp,
s->tlsext_ocsp_resplen);
+ /* number of bytes to write */
+ s->init_num = 8 + s->tlsext_ocsp_resplen;
+ s->state=SSL3_ST_SW_CERT_STATUS_B;
+ s->init_off = 0;
+ }
+
+ /* SSL3_ST_SW_CERT_STATUS_B */
+ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+ }
#endif
.
patch -p0 <<' .'
Index: openssl/ssl/ssl.h
============================================================
================
$ cvs diff -u -r1.200 -r1.201 ssl.h
--- openssl/ssl/ssl.h 21 Sep 2007 06:54:18 -0000 1.200
+++ openssl/ssl/ssl.h 26 Sep 2007 21:56:58 -0000 1.201
-800,6 +800,11
unsigned char tlsext_tick_hmac_key[16];
unsigned char tlsext_tick_aes_key[16];
+ /* certificate status request info */
+ /* Callback for status request */
+ int (*tlsext_status_cb)(SSL *ssl, void *arg);
+ void *tlsext_status_arg;
+
/* draft-rescorla-tls-opaque-prf-input-00.txt
information */
int (*tlsext_opaque_prf_input_callback)(SSL *, void
*peerinput, size_t len, void *arg);
void *tlsext_opaque_prf_input_callback_arg;
-1083,6 +1088,18
1 : prepare 2, allow last ack
just after in server callback.
2 : don't call servername
callback, no ack in server hello
*/
+ /* certificate status request info */
+ /* Status type or -1 if no status type */
+ int tlsext_status_type;
+ /* Expect OCSP CertificateStatus message */
+ int tlsext_status_expected;
+ /* OCSP status request only */
+ STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
+ X509_EXTENSIONS *tlsext_ocsp_exts;
+ /* OCSP response received or to be sent */
+ unsigned char *tlsext_ocsp_resp;
+ int tlsext_ocsp_resplen;
+
/* RFC4507 session ticket expected to be received or
sent */
int tlsext_ticket_expected;
#ifndef OPENSSL_NO_EC
-1317,6 +1334,15
#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60
#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61
#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62
+#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
+#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
+#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66
+#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68
+#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70
+#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71
#endif
#define SSL_session_reused(ssl)
-1766,6 +1792,7
#define SSL_F_SSL3_ENC 134
#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
+#define SSL_F_SSL3_GET_CERT_STATUS 288
#define SSL_F_SSL3_GET_CERT_VERIFY 136
#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
#define SSL_F_SSL3_GET_CLIENT_HELLO 138
-1964,6 +1991,7
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_INVALID_PURPOSE 278
+#define SSL_R_INVALID_STATUS_RESPONSE 328
#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
#define SSL_R_INVALID_TRUST 279
#define SSL_R_KEY_ARG_TOO_LONG 284
-2132,6 +2160,7
#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
#define SSL_R_UNSUPPORTED_PROTOCOL 258
#define SSL_R_UNSUPPORTED_SSL_VERSION 259
+#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
#define SSL_R_WRITE_BIO_NOT_SET 260
#define SSL_R_WRONG_CIPHER_RETURNED 261
#define SSL_R_WRONG_MESSAGE_TYPE 262
.
patch -p0 <<' .'
Index: openssl/ssl/ssl3.h
============================================================
================
$ cvs diff -u -r1.42 -r1.43 ssl3.h
--- openssl/ssl/ssl3.h 23 Sep 2007 15:55:15 -0000 1.42
+++ openssl/ssl/ssl3.h 26 Sep 2007 21:56:59 -0000 1.43
-545,6 +545,8
#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT)
#define
SSL3_ST_CR_SESSION_TICKET_A (0x1E0|SSL_ST_CONNECT)
#define
SSL3_ST_CR_SESSION_TICKET_B (0x1E1|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CERT_STATUS_A (0x1F0|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CERT_STATUS_B (0x1F1|SSL_ST_CONNECT)
/* server */
/* extra state */
-588,6 +590,8
#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
#define
SSL3_ST_SW_SESSION_TICKET_A (0x1F0|SSL_ST_ACCEPT)
#define
SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT)
#define SSL3_MT_HELLO_REQUEST 0
#define SSL3_MT_CLIENT_HELLO 1
-600,6 +604,7
#define SSL3_MT_CERTIFICATE_VERIFY 15
#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
#define SSL3_MT_FINISHED 20
+#define SSL3_MT_CERTIFICATE_STATUS 22
#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
.
patch -p0 <<' .'
Index: openssl/ssl/ssl_err.c
============================================================
================
$ cvs diff -u -r1.68 -r1.69 ssl_err.c
--- openssl/ssl/ssl_err.c 21 Sep 2007 06:54:21 -0000 1.68
+++ openssl/ssl/ssl_err.c 26 Sep 2007 21:56:59 -0000 1.69
-140,6 +140,7
{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERAT
E_KEY_BLOCK"},
{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GE
T_CERTIFICATE_REQUEST"},
+{ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_
STATUS"},
{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_V
ERIFY"},
{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET
_CLIENT_CERTIFICATE"},
{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIEN
T_HELLO"},
-341,6 +342,7
{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid
challenge length"},
{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid
command"},
{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid
purpose"},
+{ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid
status response"},
{ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid
ticket keys length"},
{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid
trust"},
{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) ,"key arg
too long"},
-509,6 +511,7
{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsuppor
ted elliptic curve"},
{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL)
,"unsupported protocol"},
{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported
ssl version"},
+{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupporte
d status type"},
{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio
not set"},
{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong
cipher returned"},
{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong
message type"},
.
patch -p0 <<' .'
Index: openssl/ssl/ssl_lib.c
============================================================
================
$ cvs diff -u -r1.162 -r1.163 ssl_lib.c
--- openssl/ssl/ssl_lib.c 21 Sep 2007 06:54:21
-0000 1.162
+++ openssl/ssl/ssl_lib.c 26 Sep 2007 21:56:59
-0000 1.163
-152,6 +152,7
#include <openssl/lhash.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
-340,6 +341,12
s->tlsext_debug_cb = 0;
s->tlsext_debug_arg = NULL;
s->tlsext_ticket_expected = 0;
+ s->tlsext_status_type = -1;
+ s->tlsext_status_expected = 0;
+ s->tlsext_ocsp_ids = NULL;
+ s->tlsext_ocsp_exts = NULL;
+ s->tlsext_ocsp_resp = NULL;
+ s->tlsext_ocsp_resplen = -1;
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->initial_ctx=ctx;
#endif
-543,6 +550,13
if (s->tlsext_ellipticcurvelist)
OPENSSL_free(s->tlsext_ellipticcurvelist);
#endif /* OPENSSL_NO_EC */
if (s->tlsext_opaque_prf_input)
OPENSSL_free(s->tlsext_opaque_prf_input);
+ if (s->tlsext_ocsp_exts)
+ sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+ X509_EXTENSION_free);
+ if (s->tlsext_ocsp_ids)
+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
OCSP_RESPID_free);
+ if (s->tlsext_ocsp_resp)
+ OPENSSL_free(s->tlsext_ocsp_resp);
#endif
if (s->client_CA != NULL)
-1556,6 +1570,9
|| (RAND_bytes(ret->tlsext_tick_aes_key, 16) <=
0))
ret->options |= SSL_OP_NO_TICKET;
+ ret->tlsext_status_cb = 0;
+ ret->tlsext_status_arg = NULL;
+
#endif
#ifndef OPENSSL_NO_PSK
ret->psk_identity_hint=NULL;
.
patch -p0 <<' .'
Index: openssl/ssl/ssl_locl.h
============================================================
================
$ cvs diff -u -r1.86 -r1.87 ssl_locl.h
--- openssl/ssl/ssl_locl.h 21 Sep 2007 06:54:22
-0000 1.86
+++ openssl/ssl/ssl_locl.h 26 Sep 2007 21:56:59
-0000 1.87
-829,6 +829,7
void ssl3_init_finished_mac(SSL *s);
int ssl3_send_server_certificate(SSL *s);
int ssl3_send_newsession_ticket(SSL *s);
+int ssl3_send_cert_status(SSL *s);
int ssl3_get_finished(SSL *s,int state_a,int state_b);
int ssl3_setup_key_block(SSL *s);
int ssl3_send_change_cipher_spec(SSL *s,int state_a,int
state_b);
-921,6 +922,7
int ssl3_get_server_hello(SSL *s);
int ssl3_get_certificate_request(SSL *s);
int ssl3_get_new_session_ticket(SSL *s);
+int ssl3_get_cert_status(SSL *s);
int ssl3_get_server_done(SSL *s);
int ssl3_send_client_verify(SSL *s);
int ssl3_send_client_certificate(SSL *s);
.
patch -p0 <<' .'
Index: openssl/ssl/t1_enc.c
============================================================
================
$ cvs diff -u -r1.46 -r1.47 t1_enc.c
--- openssl/ssl/t1_enc.c 21 Sep 2007 06:54:23 -0000 1.46
+++ openssl/ssl/t1_enc.c 26 Sep 2007 21:56:59 -0000 1.47
-899,7 +899,7
{
unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
const void *co = NULL, *so = NULL;
- int col = 0, sol = NULL;
+ int col = 0, sol = 0;
#ifdef KSSL_DEBUG
printf ("tls1_generate_master_secret(%p,%p, %p,
%d)n", s,out, p,len);
.
patch -p0 <<' .'
Index: openssl/ssl/t1_lib.c
============================================================
================
$ cvs diff -u -r1.47 -r1.48 t1_lib.c
--- openssl/ssl/t1_lib.c 23 Sep 2007 11:30:53 -0000 1.47
+++ openssl/ssl/t1_lib.c 26 Sep 2007 21:56:59 -0000 1.48
-113,6 +113,7
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include <openssl/ocsp.h>
#include "ssl_locl.h"
const char tls1_version_str[]="TLSv1"
OPENSSL_VERSION_PTEXT;
-387,6 +388,54
}
#endif
+ if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
+ {
+ int i;
+ long extlen, idlen, itmp;
+ OCSP_RESPID *id;
+
+ idlen = 0;
+ for (i = 0; i <
sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
+ {
+ id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
+ itmp = i2d_OCSP_RESPID(id, NULL);
+ if (itmp <= 0)
+ return NULL;
+ idlen += itmp + 2;
+ }
+
+ if (s->tlsext_ocsp_exts)
+ {
+ extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts,
NULL);
+ if (extlen < 0)
+ return NULL;
+ }
+ else
+ extlen = 0;
+
+ if ((long)(limit - ret - 7 - extlen - idlen) < 0)
return NULL;
+ s2n(TLSEXT_TYPE_status_request, ret);
+ if (extlen + idlen > 0xFFF0)
+ return NULL;
+ s2n(extlen + idlen + 5, ret);
+ *(ret++) = TLSEXT_STATUSTYPE_ocsp;
+ s2n(idlen, ret);
+ for (i = 0; i <
sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
+ {
+ /* save position of id len */
+ unsigned char *q = ret;
+ id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
+ /* skip over id len */
+ ret += 2;
+ itmp = i2d_OCSP_RESPID(id, &ret);
+ /* write id len */
+ s2n(itmp, q);
+ }
+ s2n(extlen, ret);
+ if (extlen > 0)
+ i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts,
&ret);
+ }
+
if ((extdatalen = ret-p-2)== 0)
return p;
-432,7 +481,7
}
/* Currently the server should not respond with a
SupportedCurves extension */
#endif /* OPENSSL_NO_EC */
-
+
if (s->tlsext_ticket_expected
&& !(SSL_get_options(s) &
SSL_OP_NO_TICKET))
{
-441,6 +490,13
s2n(0,ret);
}
+ if (s->tlsext_status_expected)
+ {
+ if ((long)(limit - ret - 4) < 0) return NULL;
+ s2n(TLSEXT_TYPE_status_request,ret);
+ s2n(0,ret);
+ }
+
#ifdef TLSEXT_TYPE_opaque_prf_input
if (s->s3->server_opaque_prf_input != NULL)
{
-473,6 +529,7
unsigned short len;
unsigned char *data = *p;
s->servername_done = 0;
+ s->tlsext_status_type = -1;
if (data >= (d+n-2))
return 1;
-675,6 +732,106
}
}
#endif
+ else if (type == TLSEXT_TYPE_status_request
+ && s->ctx->tlsext_status_cb)
+ {
+
+ if (size < 5)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ s->tlsext_status_type = *data++;
+ size--;
+ if (s->tlsext_status_type ==
TLSEXT_STATUSTYPE_ocsp)
+ {
+ const unsigned char *sdata;
+ int dsize;
+ /* Read in responder_id_list */
+ n2s(data,dsize);
+ size -= 2;
+ if (dsize > size )
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ while (dsize > 0)
+ {
+ OCSP_RESPID *id;
+ int idsize;
+ if (dsize < 4)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ n2s(data, idsize);
+ dsize -= 2 + idsize;
+ if (dsize < 0)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ sdata = data;
+ data += idsize;
+ id = d2i_OCSP_RESPID(NULL,
+ &sdata, idsize);
+ if (!id)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (data != sdata)
+ {
+ OCSP_RESPID_free(id);
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (!s->tlsext_ocsp_ids
+ && !(s->tlsext_ocsp_ids =
+ sk_OCSP_RESPID_new_null()))
+ {
+ OCSP_RESPID_free(id);
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ if (!sk_OCSP_RESPID_push(
+ s->tlsext_ocsp_ids, id))
+ {
+ OCSP_RESPID_free(id);
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ }
+
+ /* Read in request_extensions */
+ n2s(data,dsize);
+ size -= 2;
+ if (dsize > size)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ sdata = data;
+ if (dsize > 0)
+ {
+ s->tlsext_ocsp_exts =
+ d2i_X509_EXTENSIONS(NULL,
+ &sdata, dsize);
+ if (!s->tlsext_ocsp_exts
+ || (data + dsize != sdata))
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ }
+ }
+ /* We don't know what to do with any other type
+ * so ignore it.
+ */
+ else
+ s->tlsext_status_type = -1;
+ }
/* session ticket processed earlier */
data+=size;
-791,6 +948,19
}
}
#endif
+ else if (type == TLSEXT_TYPE_status_request)
+ {
+ /* MUST be empty and only sent if we've requested
+ * a status request message.
+ */
+ if ((s->tlsext_status_type == -1) || (size >
0))
+ {
+ *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+ return 0;
+ }
+ /* Set flag to expect CertificateStatus message */
+ s->tlsext_status_expected = 1;
+ }
data+=size;
}
-822,6 +992,35
}
}
+ /* If we've requested certificate status and we wont get
one
+ * tell the callback
+ */
+ if ((s->tlsext_status_type != -1) &&
!(s->tlsext_status_expected)
+ && s->ctx->tlsext_status_cb)
+ {
+ int r;
+ /* Set resp to NULL, resplen to -1 so callback knows
+ * there is no response.
+ */
+ if (s->tlsext_ocsp_resp)
+ {
+ OPENSSL_free(s->tlsext_ocsp_resp);
+ s->tlsext_ocsp_resp = NULL;
+ }
+ s->tlsext_ocsp_resplen = -1;
+ r = s->ctx->tlsext_status_cb(s,
s->ctx->tlsext_status_arg);
+ if (r == 0)
+ {
+ *al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
+ return 0;
+ }
+ if (r < 0)
+ {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ }
+
*p = data;
return 1;
}
-966,6 +1165,36
else if (s->initial_ctx != NULL &&
s->initial_ctx->tlsext_servername_callback != 0)
ret =
s->initial_ctx->tlsext_servername_callback(s, &al,
s->initial_ctx->tlsext_servername_arg);
+ /* If status request then ask callback what to do.
+ * Note: this must be called after servername callbacks
in case
+ * the certificate has changed.
+ */
+ if ((s->tlsext_status_type != -1) &&
s->ctx->tlsext_status_cb)
+ {
+ int r;
+ r = s->ctx->tlsext_status_cb(s,
s->ctx->tlsext_status_arg);
+ switch (r)
+ {
+ /* We don't want to send a status request response */
+ case SSL_TLSEXT_ERR_NOACK:
+ s->tlsext_status_expected = 0;
+ break;
+ /* status request response should be sent */
+ case SSL_TLSEXT_ERR_OK:
+ if (s->tlsext_ocsp_resp)
+ s->tlsext_status_expected = 1;
+ else
+ s->tlsext_status_expected = 0;
+ break;
+ /* something bad happened */
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ al = SSL_AD_INTERNAL_ERROR;
+ goto err;
+ }
+ }
+ else
+ s->tlsext_status_expected = 0;
#ifdef TLSEXT_TYPE_opaque_prf_input
{
-1022,8 +1251,8
al = SSL_AD_HANDSHAKE_FAILURE;
}
}
-#endif
+#endif
err:
switch (ret)
{
.
patch -p0 <<' .'
Index: openssl/ssl/tls1.h
============================================================
================
$ cvs diff -u -r1.37 -r1.38 tls1.h
--- openssl/ssl/tls1.h 21 Sep 2007 06:54:24 -0000 1.37
+++ openssl/ssl/tls1.h 26 Sep 2007 21:56:59 -0000 1.38
-203,6 +203,8
/* NameType value from RFC 3546 */
#define TLSEXT_NAMETYPE_host_name 0
+/* status request value from RFC 3546 */
+#define TLSEXT_STATUSTYPE_ocsp 1
/* ECPointFormat values from draft-ietf-tls-ecc-12 */
#define TLSEXT_ECPOINTFORMAT_first 0
-227,12 +229,33
#define SSL_set_tlsext_debug_arg(ssl, arg)
SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_ARG,0, (void
*)arg)
+#define SSL_set_tlsext_status_type(ssl, type)
+SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type,
NULL)
+
+#define SSL_get_tlsext_status_exts(ssl, arg)
+SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS,0, (void
*)arg)
+
+#define SSL_set_tlsext_status_exts(ssl, arg)
+SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS,0, (void
*)arg)
+
+#define SSL_get_tlsext_status_ids(ssl, arg)
+SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS,0, (void
*)arg)
+
+#define SSL_set_tlsext_status_ids(ssl, arg)
+SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS,0, (void
*)arg)
+
+#define SSL_get_tlsext_status_ocsp_resp(ssl, arg)
+SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP,0,
(void *)arg)
+
+#define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen)
+SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,argle
n, (void *)arg)
+
#define SSL_CTX_set_tlsext_servername_callback(ctx, cb)
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,
(void (*)(void))cb)
-#define SSL_TLSEXT_ERR_OK 0
-#define SSL_TLSEXT_ERR_ALERT_WARNING 1
-#define SSL_TLSEXT_ERR_ALERT_FATAL 2
+#define SSL_TLSEXT_ERR_OK 0
+#define SSL_TLSEXT_ERR_ALERT_WARNING 1
+#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK 3
#define SSL_CTX_set_tlsext_servername_arg(ctx, arg)
-243,6 +266,12
#define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen)
SSL_CTX_ctrl((ctx),SSL_CTRL_SET_TLXEXT_TICKET_KEYS,(keylen)
,(keys))
+#define SSL_CTX_set_tlsext_status_cb(ssl, cb)
+SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
,(void (*)(void))cb)
+
+#define SSL_CTX_set_tlsext_status_arg(ssl, arg)
+SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0,
(void *)arg)
+
#define SSL_set_tlsext_opaque_prf_input(s, src, len)
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT, len,
src)
#define SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx,
cb)
.
____________________________________________________________
__________
OpenSSL Project http://www.openssl.org
CVS Repository Commit List
openssl-cvsopenssl.org
Automated List Manager
majordomoopenssl.org
|
