to accepting it. This addresses the problem of accepting CAs which would
have been marked as insecure otherwise (#877).
+** libgnutls: On client side only send OCSP staples if they have been requested
+ by the server (#876).
+
** libgnutls: The default-priority-string added to system configuration
to allow overriding compiled-in default-priority-string.
** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
+GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added
#define HSK_RECORD_SIZE_LIMIT_SENT (1<<25) /* record_size_limit extension was sent */
#define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
#define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+#define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
/* The hsk_flags are for use within the ongoing handshake;
* they are reset to zero prior to handshake start by gnutls_handshake. */
* @GNUTLS_SFLAGS_EARLY_START: The TLS1.3 server session returned early.
* @GNUTLS_SFLAGS_EARLY_DATA: The TLS1.3 early data has been received by the server.
* @GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Set when the client has requested OCSP staple during handshake.
+ * @GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Set when the server has requested OCSP staple during handshake.
*
* Enumeration of different session parameters.
*/
GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH = 1<<8,
GNUTLS_SFLAGS_EARLY_START = 1<<9,
GNUTLS_SFLAGS_EARLY_DATA = 1<<10,
- GNUTLS_SFLAGS_CLI_REQUESTED_OCSP = 1<<11
+ GNUTLS_SFLAGS_CLI_REQUESTED_OCSP = 1<<11,
+ GNUTLS_SFLAGS_SERV_REQUESTED_OCSP = 1<<12
} gnutls_session_flags_t;
unsigned gnutls_session_get_flags(gnutls_session_t session);
flags |= GNUTLS_SFLAGS_EARLY_DATA;
if (session->internals.hsk_flags & HSK_OCSP_REQUESTED)
flags |= GNUTLS_SFLAGS_CLI_REQUESTED_OCSP;
+ if (session->internals.hsk_flags & HSK_CLIENT_OCSP_REQUESTED)
+ flags |= GNUTLS_SFLAGS_SERV_REQUESTED_OCSP;
return flags;
}
#ifdef ENABLE_OCSP
if ((session->internals.selected_ocsp_length > 0 ||
session->internals.selected_ocsp_func) &&
- (session->internals.hsk_flags & HSK_OCSP_REQUESTED)) {
+ (((session->internals.hsk_flags & HSK_OCSP_REQUESTED) && IS_SERVER(session)) ||
+ ((session->internals.hsk_flags & HSK_CLIENT_OCSP_REQUESTED) && !IS_SERVER(session)))) {
/* append status response if available */
ret = _gnutls_extv_append_init(&buf);
if (ret < 0) {
#include "handshake.h"
#include "tls13/certificate_request.h"
#include "ext/signature.h"
+#include "ext/status_request.h"
#include "mbuffers.h"
#include "algorithms.h"
#include "auth/cert.h"
ctx->pk_algos[ctx->pk_algos_length++] = se->pk;
}
+#ifdef ENABLE_OCSP
+ } else if (tls_id == ext_mod_status_request.tls_id) {
+ if (data_size != 0)
+ return gnutls_assert_val(GNUTLS_E_TLS_PACKET_DECODING_ERROR);
+
+ /* we are now allowed to send OCSP staples */
+ session->internals.hsk_flags |= HSK_CLIENT_OCSP_REQUESTED;
+#endif
} else if (tls_id == EXTID_CERTIFICATE_AUTHORITIES) {
if (data_size < 3) {
return gnutls_assert_val(GNUTLS_E_TLS_PACKET_DECODING_ERROR);
projects / thirdparty / gnutls.git / commitdiff
