]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Implement status_request OCSP extension.
authorSimon Josefsson <simon@josefsson.org>
Tue, 17 Apr 2012 12:31:09 +0000 (14:31 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 28 Sep 2012 15:47:37 +0000 (17:47 +0200)
13 files changed:
doc/Makefile.am
doc/manpages/Makefile.am
lib/ext/Makefile.am
lib/ext/status_request.c [new file with mode: 0644]
lib/ext/status_request.h [new file with mode: 0644]
lib/gnutls_extensions.c
lib/gnutls_int.h
lib/includes/gnutls/gnutls.h.in
lib/libgnutls.map
src/cli-args.def
src/cli.c
src/serv-args.def
src/serv.c

index 549e680264970628425fcdbd31fb081c25f0f77c..b375353087f9816b26fdf8107b027df42f70531f 100644 (file)
@@ -496,6 +496,7 @@ ENUMS += enums/gnutls_sec_param_t
 ENUMS += enums/gnutls_server_name_type_t
 ENUMS += enums/gnutls_sign_algorithm_t
 ENUMS += enums/gnutls_supplemental_data_format_type_t
+ENUMS += enums/gnutls_tpmkey_fmt_t
 ENUMS += enums/gnutls_x509_crt_fmt_t
 ENUMS += enums/gnutls_x509_subject_alt_name_t
 
@@ -1078,14 +1079,6 @@ FUNCS += functions/gnutls_pk_algorithm_get_name
 FUNCS += functions/gnutls_pk_algorithm_get_name.short
 FUNCS += functions/gnutls_pk_bits_to_sec_param
 FUNCS += functions/gnutls_pk_bits_to_sec_param.short
-FUNCS += functions/gnutls_pk_get_id
-FUNCS += functions/gnutls_pk_get_id.short
-FUNCS += functions/gnutls_pk_get_name
-FUNCS += functions/gnutls_pk_get_name.short
-FUNCS += functions/gnutls_pk_list
-FUNCS += functions/gnutls_pk_list.short
-FUNCS += functions/gnutls_pk_to_sign
-FUNCS += functions/gnutls_pk_to_sign.short
 FUNCS += functions/gnutls_pkcs11_add_provider
 FUNCS += functions/gnutls_pkcs11_add_provider.short
 FUNCS += functions/gnutls_pkcs11_copy_secret_key
@@ -1232,6 +1225,14 @@ FUNCS += functions/gnutls_pkcs7_set_crt
 FUNCS += functions/gnutls_pkcs7_set_crt.short
 FUNCS += functions/gnutls_pkcs7_set_crt_raw
 FUNCS += functions/gnutls_pkcs7_set_crt_raw.short
+FUNCS += functions/gnutls_pk_get_id
+FUNCS += functions/gnutls_pk_get_id.short
+FUNCS += functions/gnutls_pk_get_name
+FUNCS += functions/gnutls_pk_get_name.short
+FUNCS += functions/gnutls_pk_list
+FUNCS += functions/gnutls_pk_list.short
+FUNCS += functions/gnutls_pk_to_sign
+FUNCS += functions/gnutls_pk_to_sign.short
 FUNCS += functions/gnutls_prf
 FUNCS += functions/gnutls_prf.short
 FUNCS += functions/gnutls_prf_raw
@@ -1534,6 +1535,10 @@ FUNCS += functions/gnutls_srp_set_server_credentials_function
 FUNCS += functions/gnutls_srp_set_server_credentials_function.short
 FUNCS += functions/gnutls_srp_verifier
 FUNCS += functions/gnutls_srp_verifier.short
+FUNCS += functions/gnutls_status_request_ocsp_client
+FUNCS += functions/gnutls_status_request_ocsp_client.short
+FUNCS += functions/gnutls_status_request_ocsp_server
+FUNCS += functions/gnutls_status_request_ocsp_server.short
 FUNCS += functions/gnutls_store_commitment
 FUNCS += functions/gnutls_store_commitment.short
 FUNCS += functions/gnutls_store_pubkey
@@ -1910,10 +1915,10 @@ FUNCS += functions/gnutls_x509_crt_set_pubkey
 FUNCS += functions/gnutls_x509_crt_set_pubkey.short
 FUNCS += functions/gnutls_x509_crt_set_serial
 FUNCS += functions/gnutls_x509_crt_set_serial.short
-FUNCS += functions/gnutls_x509_crt_set_subject_alt_name
-FUNCS += functions/gnutls_x509_crt_set_subject_alt_name.short
 FUNCS += functions/gnutls_x509_crt_set_subject_alternative_name
 FUNCS += functions/gnutls_x509_crt_set_subject_alternative_name.short
+FUNCS += functions/gnutls_x509_crt_set_subject_alt_name
+FUNCS += functions/gnutls_x509_crt_set_subject_alt_name.short
 FUNCS += functions/gnutls_x509_crt_set_subject_key_id
 FUNCS += functions/gnutls_x509_crt_set_subject_key_id.short
 FUNCS += functions/gnutls_x509_crt_set_version
index ff952ef893d8cd14b95026a4dbd4e94c00844dc3..7a9979dc40069ae1f013b261f4778b62ebbdd5be 100644 (file)
@@ -367,10 +367,6 @@ APIMANS += gnutls_pem_base64_encode_alloc.3
 APIMANS += gnutls_perror.3
 APIMANS += gnutls_pk_algorithm_get_name.3
 APIMANS += gnutls_pk_bits_to_sec_param.3
-APIMANS += gnutls_pk_get_id.3
-APIMANS += gnutls_pk_get_name.3
-APIMANS += gnutls_pk_list.3
-APIMANS += gnutls_pk_to_sign.3
 APIMANS += gnutls_pkcs11_add_provider.3
 APIMANS += gnutls_pkcs11_copy_secret_key.3
 APIMANS += gnutls_pkcs11_copy_x509_crt.3
@@ -444,6 +440,10 @@ APIMANS += gnutls_pkcs7_set_crl.3
 APIMANS += gnutls_pkcs7_set_crl_raw.3
 APIMANS += gnutls_pkcs7_set_crt.3
 APIMANS += gnutls_pkcs7_set_crt_raw.3
+APIMANS += gnutls_pk_get_id.3
+APIMANS += gnutls_pk_get_name.3
+APIMANS += gnutls_pk_list.3
+APIMANS += gnutls_pk_to_sign.3
 APIMANS += gnutls_prf.3
 APIMANS += gnutls_prf_raw.3
 APIMANS += gnutls_priority_certificate_type_list.3
@@ -595,6 +595,8 @@ APIMANS += gnutls_srp_set_prime_bits.3
 APIMANS += gnutls_srp_set_server_credentials_file.3
 APIMANS += gnutls_srp_set_server_credentials_function.3
 APIMANS += gnutls_srp_verifier.3
+APIMANS += gnutls_status_request_ocsp_client.3
+APIMANS += gnutls_status_request_ocsp_server.3
 APIMANS += gnutls_store_commitment.3
 APIMANS += gnutls_store_pubkey.3
 APIMANS += gnutls_strerror.3
@@ -783,8 +785,8 @@ APIMANS += gnutls_x509_crt_set_proxy.3
 APIMANS += gnutls_x509_crt_set_proxy_dn.3
 APIMANS += gnutls_x509_crt_set_pubkey.3
 APIMANS += gnutls_x509_crt_set_serial.3
-APIMANS += gnutls_x509_crt_set_subject_alt_name.3
 APIMANS += gnutls_x509_crt_set_subject_alternative_name.3
+APIMANS += gnutls_x509_crt_set_subject_alt_name.3
 APIMANS += gnutls_x509_crt_set_subject_key_id.3
 APIMANS += gnutls_x509_crt_set_version.3
 APIMANS += gnutls_x509_crt_sign.3
index 48a635e902d34b9e09708c1a83b9432f990fac7e..ca6628e8afb99d88570a8998fbea928cc5a80842 100644 (file)
@@ -38,4 +38,6 @@ libgnutls_ext_la_SOURCES = max_record.c cert_type.c \
        server_name.c signature.c safe_renegotiation.c \
        max_record.h cert_type.h server_name.h srp.h \
        session_ticket.h signature.h safe_renegotiation.h \
-       session_ticket.c srp.c ecc.c ecc.h heartbeat.c heartbeat.h
+       session_ticket.c srp.c ecc.c ecc.h heartbeat.c heartbeat.h \
+       status_request.h status_request.c
+
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
new file mode 100644 (file)
index 0000000..07d6516
--- /dev/null
@@ -0,0 +1,413 @@
+/*
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+/*
+  Status Request (OCSP) TLS extension.  See RFC 6066 section 8:
+  https://tools.ietf.org/html/rfc6066#section-8
+*/
+
+#include "gnutls_int.h"
+#include "gnutls_errors.h"
+#include <gnutls_extensions.h>
+#include <ext/status_request.h>
+
+typedef struct
+{
+  gnutls_datum_t *responder_id;
+  size_t responder_id_size;
+  gnutls_datum_t request_extensions;
+  int dealloc;
+
+  gnutls_status_request_ocsp_func ocsp_func;
+  void *ocsp_func_ptr;
+
+  int expect_certificate_status;
+} status_request_ext_st;
+
+/*
+  From RFC 6066.  Client sends:
+
+      struct {
+          CertificateStatusType status_type;
+          select (status_type) {
+              case ocsp: OCSPStatusRequest;
+          } request;
+      } CertificateStatusRequest;
+
+      enum { ocsp(1), (255) } CertificateStatusType;
+
+      struct {
+          ResponderID responder_id_list<0..2^16-1>;
+          Extensions  request_extensions;
+      } OCSPStatusRequest;
+
+      opaque ResponderID<1..2^16-1>;
+      opaque Extensions<0..2^16-1>;
+*/
+
+static int
+client_send (gnutls_session_t session,
+            gnutls_buffer_st* extdata,
+            status_request_ext_st *priv)
+{
+  int ret_len = 1 + 2;
+  int ret;
+  size_t i;
+
+  ret = _gnutls_buffer_append_prefix (extdata, 8, 1);
+  if (ret < 0)
+    return gnutls_assert_val (ret);
+
+  ret = _gnutls_buffer_append_prefix (extdata, 16, priv->responder_id_size);
+  if (ret < 0)
+    return gnutls_assert_val (ret);
+
+  for (i = 0; i < priv->responder_id_size; i++)
+    {
+      if (priv->responder_id[i].size <= 0)
+       return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);
+
+      ret = _gnutls_buffer_append_data_prefix (extdata, 16,
+                                              priv->responder_id[i].data,
+                                              priv->responder_id[i].size);
+      if (ret < 0)
+       return gnutls_assert_val (ret);
+
+      ret_len += 2 + priv->responder_id[i].size;
+    }
+
+  ret = _gnutls_buffer_append_data_prefix (extdata, 16,
+                                          priv->request_extensions.data,
+                                          priv->request_extensions.size);
+  if (ret < 0)
+    return gnutls_assert_val (ret);
+
+  ret_len += 2 + priv->request_extensions.size;
+
+  return ret_len;
+}
+
+static int
+server_recv (gnutls_session_t session,
+            status_request_ext_st *priv,
+            const uint8_t * data,
+            size_t size)
+{
+  size_t i;
+
+  _gnutls_handshake_log ("EXT[%p]: got ocsp\n", session);
+
+  /* minimum message is type (1) + responder_id_list (2) +
+     request_extension (2) = 5 */
+  if (size < 5)
+    return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+  /* We ignore non-ocsp CertificateStatusType.  The spec is unclear
+     what should be done. */
+  if (data[0] != '\x01')
+    {
+      gnutls_assert ();
+      _gnutls_handshake_log ("EXT[%p]: unknown status_type %d\n",
+                            session, data[0]);
+      return 0;
+    }
+  size--, data++;
+
+  priv->dealloc = 1;
+
+  priv->responder_id_size = _gnutls_read_uint16 (data);
+  size -= 2, data += 2;
+
+  if (size <= priv->responder_id_size * 2)
+    return gnutls_assert_val (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
+  priv->responder_id = gnutls_malloc (priv->responder_id_size
+                                     * sizeof (*priv->responder_id));
+  if (priv->responder_id == NULL)
+    return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);
+
+  for (i = 0; i < priv->responder_id_size; i++)
+    {
+      size_t l;
+
+      if (size <= 2)
+       return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+      l = _gnutls_read_uint16 (data);
+      size -= 2, data += 2;
+
+      if (size <= l)
+       return gnutls_assert_val (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
+      priv->responder_id[i].data = gnutls_malloc (l);
+      if (priv->responder_id[i].data == NULL)
+       return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);
+
+      memcpy (priv->responder_id[i].data, data, l);
+      priv->responder_id[i].size = l;
+
+      size -= l, data += l;
+    }
+
+  return 0;
+}
+
+/*
+  Servers return a certificate response along with their certificate
+  by sending a "CertificateStatus" message immediately after the
+  "Certificate" message (and before any "ServerKeyExchange" or
+  "CertificateRequest" messages).  If a server returns a
+  "CertificateStatus" message, then the server MUST have included an
+  extension of type "status_request" with empty "extension_data" in
+  the extended server hello.
+*/
+
+static int
+server_send (gnutls_session_t session,
+            gnutls_buffer_st* extdata,
+            status_request_ext_st *priv)
+{
+  int ret;
+
+  if (priv->ocsp_func == NULL)
+    return gnutls_assert_val (GNUTLS_E_SUCCESS);
+
+  ret = priv->ocsp_func (session, priv->ocsp_func_ptr, NULL);
+  if (ret == GNUTLS_E_NO_CERTIFICATE_STATUS)
+    return 0;
+  else if (ret != GNUTLS_E_SUCCESS)
+    return gnutls_assert_val (ret);
+
+  ret = _gnutls_buffer_append_data (extdata, "", 0);
+  if (ret < 0)
+    return gnutls_assert_val (ret);
+
+  priv->expect_certificate_status = 1;
+
+  return 0;
+}
+
+static int
+client_recv (gnutls_session_t session,
+            status_request_ext_st *priv,
+            const uint8_t * data,
+            size_t size)
+{
+  if (size != 0)
+    return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+  priv->expect_certificate_status = 1;
+
+  return 0;
+}
+
+static int
+_gnutls_status_request_send_params (gnutls_session_t session,
+                                   gnutls_buffer_st* extdata)
+{
+  extension_priv_data_t epriv;
+  status_request_ext_st *priv;
+  int ret;
+
+  ret = _gnutls_ext_get_session_data (session,
+                                     GNUTLS_EXTENSION_STATUS_REQUEST,
+                                     &epriv);
+  if (ret < 0)              /* it is ok not to have it */
+    return 0;
+
+  priv = epriv.ptr;
+
+  if (session->security_parameters.entity == GNUTLS_CLIENT)
+    return client_send (session, extdata, priv);
+  return server_send (session, extdata, priv);
+}
+
+static int
+_gnutls_status_request_recv_params (gnutls_session_t session,
+                                   const uint8_t * data,
+                                   size_t size)
+{
+  extension_priv_data_t epriv;
+  status_request_ext_st *priv;
+  int ret;
+
+  ret = _gnutls_ext_get_session_data (session,
+                                     GNUTLS_EXTENSION_STATUS_REQUEST,
+                                     &epriv);
+  if (ret < 0)              /* it is ok not to have it */
+    return 0;
+
+  priv = epriv.ptr;
+
+  if (session->security_parameters.entity == GNUTLS_CLIENT)
+    return client_recv (session, priv, data, size);
+  return server_recv (session, priv, data, size);
+}
+
+/**
+ * gnutls_status_request_ocsp_client:
+ * @session: is a #gnutls_session_t structure.
+ * @responder_id: array with #gnutls_datum_t with DER data of responder id
+ * @responder_id_size: number of members in @responder_id array
+ * @request_extensions: a #gnutls_datum_t with DER encoded OCSP extensions
+ *
+ * This function is to be used by clients to request OCSP response
+ * from the server, using the "status_request" TLS extension.  Only
+ * OCSP status type is supported.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
+ **/
+int
+gnutls_status_request_ocsp_client (gnutls_session_t session,
+                                  gnutls_datum_t *responder_id,
+                                  size_t responder_id_size,
+                                  gnutls_datum_t *request_extensions)
+{
+  status_request_ext_st *priv;
+  extension_priv_data_t epriv;
+
+  if (session->security_parameters.entity == GNUTLS_SERVER)
+    return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);
+
+  epriv.ptr = priv = gnutls_calloc (1, sizeof (*priv));
+  if (priv == NULL)
+    return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);
+
+  priv->responder_id = responder_id;
+  priv->responder_id_size = responder_id_size;
+  if (request_extensions)
+    {
+      priv->request_extensions.data = request_extensions->data;
+      priv->request_extensions.size = request_extensions->size;
+    }
+
+  _gnutls_ext_set_session_data (session,
+                               GNUTLS_EXTENSION_STATUS_REQUEST,
+                               epriv);
+
+  return 0;
+}
+
+/**
+ * gnutls_status_request_ocsp_server:
+ * @session: is a #gnutls_session_t structure.
+ * @ocsp_func: function pointer to OCSP status request callback.
+ * @ptr: opaque pointer passed to callback function
+ *
+ * This function is to be used by server to register a callback to
+ * handle OCSP status requests from the client.  The callback will be
+ * invoked if the client supplied a status-request OCSP extension.
+ * The callback function prototype is:
+ *
+ * typedef int (*gnutls_status_request_ocsp_func)
+ *    (gnutls_session_t session, void *ptr, gnutls_datum_t *ocsp_response);
+ *
+ * The callback may be invoked up to two times for each handshake.  It
+ * is called the first time when the client hello requested the status
+ * request extension.  In this case, ocsp_response is NULL.  The
+ * purpose of the first callback invocation is to determine whether
+ * the server will acknowledge the client's request to use the
+ * extension.  The callback may return
+ * %GNUTLS_E_NO_CERTIFICATE_STATUS, in which case the server will not
+ * enable the extension.  If the callback returns %GNUTLS_E_SUCCESS,
+ * the server enable the extension.  If the callback returns another
+ * error code, the handshake will terminate.
+ *
+ * If the first call to the callback enabled the extension, there will
+ * usually be a second phase, with a non-NULL ocsp_response.  Now the
+ * server is ready to send the CertificateStatus, and it expects the
+ * callback to provide the OCSP response data.  The callback can at
+ * this point return %GNUTLS_E_NO_CERTIFICATE_STATUS to avoid sending
+ * a CertificateStatus message.  If the callback returns
+ * %GNUTLS_E_SUCCESS the ocsp_response will be sent off to the client.
+ * If the callback returns an error, the handshake will terminate.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
+ **/
+int
+gnutls_status_request_ocsp_server (gnutls_session_t session,
+                                  gnutls_status_request_ocsp_func ocsp_func,
+                                  void *ptr)
+{
+  status_request_ext_st *priv;
+  extension_priv_data_t epriv;
+
+  if (session->security_parameters.entity == GNUTLS_CLIENT)
+    return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);
+
+  epriv.ptr = priv = gnutls_calloc (1, sizeof (*priv));
+  if (priv == NULL)
+    return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);
+
+  priv->ocsp_func = ocsp_func;
+  priv->ocsp_func_ptr = ptr;
+
+  _gnutls_ext_set_session_data (session,
+                               GNUTLS_EXTENSION_STATUS_REQUEST,
+                               epriv);
+
+  return 0;
+}
+
+static void
+_gnutls_status_request_deinit_data (extension_priv_data_t epriv)
+{
+  status_request_ext_st *priv = epriv.ptr;
+  size_t i;
+
+  if (priv->dealloc)
+    {
+      for (i = 0; i < priv->responder_id_size; i++)
+       gnutls_free (priv->responder_id[i].data);
+      gnutls_free (priv->responder_id);
+      gnutls_free (priv->request_extensions.data);
+    }
+
+  gnutls_free (priv);
+}
+
+static int
+_gnutls_status_request_pack (extension_priv_data_t epriv,
+                            gnutls_buffer_st * ps)
+{
+  return -1;
+}
+
+static int
+_gnutls_status_request_unpack (gnutls_buffer_st * ps,
+                              extension_priv_data_t * _priv)
+{
+  return -1;
+}
+
+extension_entry_st ext_mod_status_request = {
+  .name = "STATUS REQUEST",
+  .type = GNUTLS_EXTENSION_STATUS_REQUEST,
+  .parse_type = GNUTLS_EXT_TLS,
+  .recv_func = _gnutls_status_request_recv_params,
+  .send_func = _gnutls_status_request_send_params,
+  .pack_func = _gnutls_status_request_pack,
+  .unpack_func = _gnutls_status_request_unpack,
+  .deinit_func = _gnutls_status_request_deinit_data
+};
diff --git a/lib/ext/status_request.h b/lib/ext/status_request.h
new file mode 100644 (file)
index 0000000..dc807f8
--- /dev/null
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#ifndef EXT_STATUS_REQUEST_H
+#define EXT_STATUS_REQUEST_H
+
+#include <gnutls_extensions.h>
+
+extern extension_entry_st ext_mod_status_request;
+
+#endif
index eb07d28621635de5ff0e3999b7baaa1e84d2e3f2..54797b5ffdc64aee92ae0b2e89f5ace42c9fde80 100644 (file)
@@ -38,6 +38,7 @@
 #include <ext/signature.h>
 #include <ext/safe_renegotiation.h>
 #include <ext/ecc.h>
+#include <ext/status_request.h>
 #include <gnutls_num.h>
 
 
@@ -311,10 +312,13 @@ _gnutls_ext_init (void)
   if (ret != GNUTLS_E_SUCCESS)
     return ret;
 
-  ret = _gnutls_ext_register (&ext_mod_cert_type);
+  ret = _gnutls_ext_register (&ext_mod_status_request);
   if (ret != GNUTLS_E_SUCCESS)
     return ret;
 
+  ret = _gnutls_ext_register (&ext_mod_cert_type);
+  if (ret != GNUTLS_E_SUCCESS)
+    return ret;
 
   ret = _gnutls_ext_register (&ext_mod_server_name);
   if (ret != GNUTLS_E_SUCCESS)
index 19494029536584a78c49198e8f8c1e92944d7552..29b7f7b38f059ac7a5965f3628170ef99912874b 100644 (file)
@@ -254,6 +254,7 @@ typedef enum extensions_t
 {
   GNUTLS_EXTENSION_SERVER_NAME = 0,
   GNUTLS_EXTENSION_MAX_RECORD_SIZE = 1,
+  GNUTLS_EXTENSION_STATUS_REQUEST = 5,
   GNUTLS_EXTENSION_CERT_TYPE = 9,
   GNUTLS_EXTENSION_SUPPORTED_ECC = 10,
   GNUTLS_EXTENSION_SUPPORTED_ECC_PF = 11,
index ef4f1269e79ac7cde50c81ec10249f37f28dc81a..54fe31fe5ea05972f82b1279dd6cd7fc5d6af72c 100644 (file)
@@ -954,6 +954,17 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
 
   int gnutls_key_generate (gnutls_datum_t * key, unsigned int key_size);
 
+  /* OCSP status request extension, RFC 6066 */
+  typedef int (*gnutls_status_request_ocsp_func)
+  (gnutls_session_t session, void *ptr, gnutls_datum_t *ocsp_response);
+  int gnutls_status_request_ocsp_server (gnutls_session_t session,
+                                gnutls_status_request_ocsp_func ocsp_func,
+                                        void *ptr);
+  int gnutls_status_request_ocsp_client (gnutls_session_t session,
+                                        gnutls_datum_t *responder_id,
+                                        size_t responder_id_size,
+                                        gnutls_datum_t *request_extensions);
+
 /* if you just want some defaults, use the following.
  */
   int gnutls_priority_init (gnutls_priority_t * priority_cache,
@@ -2030,6 +2041,8 @@ typedef int (*gnutls_pin_callback_t) (void *userdata, int attempt,
 #define GNUTLS_E_TPM_KEY_NOT_FOUND -333
 #define GNUTLS_E_TPM_UNINITIALIZED -334
 
+#define GNUTLS_E_NO_CERTIFICATE_STATUS -329
+
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
 
 
index 8df7823577c4ccca67c0d075ccc9159f3cec4ca7..8c404facce0cb5fad2b7a45e5dd31c73371c4358 100644 (file)
@@ -790,6 +790,8 @@ GNUTLS_3_0_0 {
        gnutls_pk_to_sign;
        gnutls_certificate_set_x509_system_trust;
        gnutls_session_set_premaster;
+       gnutls_status_request_ocsp_client;
+       gnutls_status_request_ocsp_server;
 } GNUTLS_2_12;
 
 GNUTLS_3_1_0 {
index 1d9bc782dd45c2783be3fd710448666bb7b2c765..17cf85f7573048a650852ffe05dd51f5a3028382 100644 (file)
@@ -55,6 +55,12 @@ flag = {
     doc      = "";
 };
 
+flag = {
+    name      = status-request-ocsp;
+    descrip   = "Request OCSP status request";
+    doc       = "The client will indicate to the server in a TLS extension that it wants a OCSP status request.";
+};
+
 flag = {
     name      = starttls;
     value     = s;
index 95180b7ba6ec7ca8d9a5ca5aaf31e035141c03f5..aaf66c1c631e957f387fa3929c0f8baa12e79094 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -68,6 +68,7 @@ int resume, starttls, insecure, rehandshake, udp, mtu;
 const char *hostname = NULL;
 const char *service = NULL;
 int record_max_size;
+int status_request_ocsp;
 int fingerprint;
 int crlf;
 unsigned int verbose = 0;
@@ -628,6 +629,16 @@ init_tls_session (const char *hostname)
   if (HAVE_OPT(HEARTBEAT))
     gnutls_heartbeat_enable (session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
 
+  /* OCSP status-request TLS extension */
+  if (status_request_ocsp > 0 && disable_extensions == 0)
+    {
+      if (gnutls_status_request_ocsp_client (session, NULL, 0, NULL) < 0)
+        {
+          fprintf (stderr, "Cannot set OCSP status request information.\n");
+          exit (1);
+        }
+    }
+
 #ifdef ENABLE_SESSION_TICKET
   if (disable_extensions == 0 && !HAVE_OPT(NOTICKET)t)
     gnutls_session_ticket_enable_client (session);
@@ -1092,6 +1103,7 @@ const char* rest = NULL;
     }
 
   record_max_size = OPT_VALUE_RECORDSIZE;
+  status_request_ocsp = HAVE_OPT(STATUS_REQUEST_OCSP);
   fingerprint = HAVE_OPT(FINGERPRINT);
 
   if (HAVE_OPT(X509FMTDER))
index e61034e58d2593b906b7ee0ae81458b36af22193..c24e7ebca58dc3b17deb5e4014c01e2fc6fb7b88 100644 (file)
@@ -227,6 +227,14 @@ flag = {
     doc      = "";
 };
 
+flag = {
+    name      = status-response-ocsp;
+    arg-type  = file;
+    file-exists = yes;
+    descrip   = "OCSP response to send to client";
+    doc      = "If the client requested an OCSP response, return data from this file to the client.";
+};
+
 flag = {
     name      = port;
     value     = p;
index d3dc35043e7d3974bd7b47ef5cc06f73a59a055f..2e9c6747265a27bcf050e582f8c8d2a448778a20 100644 (file)
@@ -81,7 +81,8 @@ const char *x509_ecccertfile = NULL;
 const char *x509_cafile = NULL;
 const char *dh_params_file = NULL;
 const char *x509_crlfile = NULL;
-const char *priorities = NULL;
+const char * priorities = NULL;
+const char * status_response_ocsp = NULL;
 
 gnutls_datum_t session_ticket_key;
 static void tcp_server (const char *name, int port);
@@ -329,8 +330,15 @@ generate_rsa_params (void)
 
 LIST_DECLARE_INIT (listener_list, listener_item, listener_free);
 
-gnutls_session_t
-initialize_session (int dtls)
+static int
+ocsp_callback (gnutls_session_t session,
+              void *ptr,
+              gnutls_datum_t *ocsp_response)
+{
+  return GNUTLS_E_NO_CERTIFICATE_STATUS;
+}
+
+gnutls_session_t initialize_session (int dtls)
 {
   gnutls_session_t session;
   const char *err;
@@ -359,6 +367,19 @@ initialize_session (int dtls)
     gnutls_session_ticket_enable_server (session, &session_ticket_key);
 #endif
 
+  /* OCSP status-request TLS extension */
+  if (status_response_ocsp)
+    {
+      if (gnutls_status_request_ocsp_server (session, ocsp_callback, NULL) < 0)
+       {
+         fprintf (stderr, "Cannot set OCSP status request callback.\n");
+         exit (1);
+       }
+    }
+
+  if (noticket == 0)
+    gnutls_session_ticket_enable_server (session, &session_ticket_key);
+
   if (gnutls_priority_set_direct (session, priorities, &err) < 0)
     {
       fprintf (stderr, "Syntax error at: %s\n", err);
@@ -1650,6 +1671,9 @@ cmd_parser (int argc, char **argv)
   if (HAVE_OPT (PSKPASSWD))
     psk_passwd = OPT_ARG (PSKPASSWD);
 
+  if (HAVE_OPT(STATUS_RESPONSE_OCSP))
+    status_response_ocsp = OPT_ARG(STATUS_RESPONSE_OCSP);
+
 }
 
 /* session resuming support */