diff options
author | Alessandro Ghedini <alessandro@ghedini.me> | 2014-06-16 13:21:02 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2015-01-16 23:23:29 +0100 |
commit | f13669a375f5bfd14797bda91642cabe076974fa (patch) | |
tree | 2930cae5863ac6f60d3dc615ccba00684ac01885 | |
parent | 3af90a6e19249807f99bc9ee7b50d3e58849072a (diff) |
gtls: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use
at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP
response verfication to fail even on valid responses.
-rw-r--r-- | lib/vtls/gtls.c | 44 | ||||
-rw-r--r-- | lib/vtls/gtls.h | 3 |
2 files changed, 47 insertions, 0 deletions
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 5d4e48a25..27ca691e0 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -98,6 +98,14 @@ static bool gtls_inited = FALSE; # define HAS_ALPN # endif # endif + +# if (GNUTLS_VERSION_NUMBER >= 0x03020d) +# define HAS_OCSP +# endif +#endif + +#ifdef HAS_OCSP +# include <gnutls/ocsp.h> #endif /* @@ -663,6 +671,16 @@ gtls_connect_step1(struct connectdata *conn, /* lowat must be set to zero when using custom push and pull functions. */ gnutls_transport_set_lowat(session, 0); +#ifdef HAS_OCSP + if(data->set.ssl.verifystatus) { + rc = gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_ocsp_status_request_enable_client() failed: %d", rc); + return CURLE_SSL_CONNECT_ERROR; + } + } +#endif + /* This might be a reconnect, so we check for a session ID in the cache to speed up things */ @@ -822,6 +840,23 @@ gtls_connect_step3(struct connectdata *conn, else infof(data, "\t server certificate verification SKIPPED\n"); +#ifdef HAS_OCSP + if(data->set.ssl.verifystatus) { + if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { + if(verify_status & GNUTLS_CERT_REVOKED) + failf(data, "SSL server certificate was REVOKED\n"); + else + failf(data, "SSL server certificate status verification FAILED"); + + return CURLE_SSL_INVALIDCERTSTATUS; + } + else + infof(data, "SSL server certificate status verification OK\n"); + } + else + infof(data, "SSL server certificate status verification SKIPPED\n"); +#endif + /* initialize an X.509 certificate structure. */ gnutls_x509_crt_init(&x509_cert); @@ -1392,4 +1427,13 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */ #endif } +bool Curl_gtls_cert_status_request(void) +{ +#ifdef HAS_OCSP + return TRUE; +#else + return FALSE; +#endif +} + #endif /* USE_GNUTLS */ diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h index 12460beda..d02a366a6 100644 --- a/lib/vtls/gtls.h +++ b/lib/vtls/gtls.h @@ -53,6 +53,8 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */ unsigned char *md5sum, /* output */ size_t md5len); +bool Curl_gtls_cert_status_request(void); + /* API setup for GnuTLS */ #define curlssl_init Curl_gtls_init #define curlssl_cleanup Curl_gtls_cleanup @@ -70,6 +72,7 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */ #define curlssl_data_pending(x,y) ((void)x, (void)y, 0) #define curlssl_random(x,y,z) Curl_gtls_random(x,y,z) #define curlssl_md5sum(a,b,c,d) Curl_gtls_md5sum(a,b,c,d) +#define curlssl_cert_status_request() Curl_gtls_cert_status_request() #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS #endif /* USE_GNUTLS */ |