From 3af90a6e19249807f99bc9ee7b50d3e58849072a Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Mon, 16 Jun 2014 13:20:47 +0200 Subject: url: add CURLOPT_SSL_VERIFYSTATUS option This option can be used to enable/disable certificate status verification using the "Certificate Status Request" TLS extension defined in RFC6066 section 8. This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the certificate status verification fails, and the Curl_ssl_cert_status_request() function, used to check whether the SSL backend supports the status_request extension. --- docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 | 53 ++++++++++++++++++++++++++++ docs/libcurl/symbols-in-versions | 2 ++ include/curl/curl.h | 4 +++ lib/strerror.c | 5 ++- lib/url.c | 11 ++++++ lib/urldata.h | 1 + lib/vtls/vtls.c | 12 +++++++ lib/vtls/vtls.h | 2 ++ 8 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 new file mode 100644 index 000000000..d5217cb33 --- /dev/null +++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 @@ -0,0 +1,53 @@ +.\" ************************************************************************** +.\" * _ _ ____ _ +.\" * Project ___| | | | _ \| | +.\" * / __| | | | |_) | | +.\" * | (__| |_| | _ <| |___ +.\" * \___|\___/|_| \_\_____| +.\" * +.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. +.\" * +.\" * This software is licensed as described in the file COPYING, which +.\" * you should have received as part of this distribution. The terms +.\" * are also available at http://curl.haxx.se/docs/copyright.html. +.\" * +.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell +.\" * copies of the Software, and permit persons to whom the Software is +.\" * furnished to do so, under the terms of the COPYING file. +.\" * +.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +.\" * KIND, either express or implied. +.\" * +.\" ************************************************************************** +.\" +.TH CURLOPT_SSL_VERIFYSTATUS 3 "04 Dec 2014" "libcurl 7.40.0" "curl_easy_setopt options" +.SH NAME +CURLOPT_SSL_VERIFYSTATUS \- verify the certificate's status +.SH SYNOPSIS +#include + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_VERIFYSTATUS, long verify); +.SH DESCRIPTION +Pass a long as parameter to enable or disable. + +This option determines whether libcurl verifies the status of the server cert +using the "Certificate Status Request" TLS extension (aka. OCSP stapling). + +Note that if this option is enabled but the server does not support the TLS +extension, the verification will fail. + +.SH DEFAULT +0 +.SH PROTOCOLS +All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. +.SH EXAMPLE +TODO +.SH AVAILABILITY +This is currently only supported by the GnuTLS and NSS TLS backends. +.SH RETURN VALUE +Returns CURLE_OK if OCSP stapling is supported by the SSL backend, otherwise +returns CURLE_NOT_BUILT_IN. +.SH "SEE ALSO" +.BR CURLOPT_SSL_VERIFYHOST "(3), " +.BR CURLOPT_SSL_VERIFYPEER "(3), " +.BR CURLOPT_CAINFO "(3), " diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index b8b0838b0..e9ef3f61c 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -118,6 +118,7 @@ CURLE_SSL_CRL_BADFILE 7.19.0 CURLE_SSL_ENGINE_INITFAILED 7.12.3 CURLE_SSL_ENGINE_NOTFOUND 7.9.3 CURLE_SSL_ENGINE_SETFAILED 7.9.3 +CURLE_SSL_INVALIDCERTSTATUS 7.41.0 CURLE_SSL_ISSUER_ERROR 7.19.0 CURLE_SSL_PEER_CERTIFICATE 7.8 7.17.1 CURLE_SSL_PINNEDPUBKEYNOTMATCH 7.39.0 @@ -513,6 +514,7 @@ CURLOPT_SSL_OPTIONS 7.25.0 CURLOPT_SSL_SESSIONID_CACHE 7.16.0 CURLOPT_SSL_VERIFYHOST 7.8.1 CURLOPT_SSL_VERIFYPEER 7.4.2 +CURLOPT_SSL_VERIFYSTATUS 7.41.0 CURLOPT_STDERR 7.1 CURLOPT_TCP_KEEPALIVE 7.25.0 CURLOPT_TCP_KEEPIDLE 7.25.0 diff --git a/include/curl/curl.h b/include/curl/curl.h index e3688872e..0a326d3ba 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -523,6 +523,7 @@ typedef enum { session will be queued */ CURLE_SSL_PINNEDPUBKEYNOTMATCH, /* 90 - specified pinned public key did not match */ + CURLE_SSL_INVALIDCERTSTATUS, /* 91 - invalid certificate status */ CURL_LAST /* never use! */ } CURLcode; @@ -1622,6 +1623,9 @@ typedef enum { /* Path to Unix domain socket */ CINIT(UNIX_SOCKET_PATH, OBJECTPOINT, 231), + /* Set if we should verify the certificate status. */ + CINIT(SSL_VERIFYSTATUS, LONG, 232), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/lib/strerror.c b/lib/strerror.c index b85b56839..56e438563 100644 --- a/lib/strerror.c +++ b/lib/strerror.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2004 - 2014, Daniel Stenberg, , et al. + * Copyright (C) 2004 - 2015, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -301,6 +301,9 @@ curl_easy_strerror(CURLcode error) case CURLE_SSL_PINNEDPUBKEYNOTMATCH: return "SSL public key does not match pinned public key"; + case CURLE_SSL_INVALIDCERTSTATUS: + return "SSL server certificate status verification FAILED"; + /* error codes not used by current libcurl */ case CURLE_OBSOLETE20: case CURLE_OBSOLETE24: diff --git a/lib/url.c b/lib/url.c index d3bb5e011..407910cc2 100644 --- a/lib/url.c +++ b/lib/url.c @@ -1997,6 +1997,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE; break; + case CURLOPT_SSL_VERIFYSTATUS: + /* + * Enable certificate status verifying. + */ + if(!Curl_ssl_cert_status_request()) { + result = CURLE_NOT_BUILT_IN; + break; + } + + data->set.ssl.verifystatus = (0 != va_arg(param, long))?TRUE:FALSE; + break; case CURLOPT_SSL_CTX_FUNCTION: #ifdef have_curlssl_ssl_ctx /* diff --git a/lib/urldata.h b/lib/urldata.h index 5f774704a..50a745f11 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -366,6 +366,7 @@ struct ssl_config_data { bool verifypeer; /* set TRUE if this is desired */ bool verifyhost; /* set TRUE if CN/SAN must match hostname */ + bool verifystatus; /* set TRUE if certificate status must be checked */ char *CApath; /* certificate dir (doesn't work on windows) */ char *CAfile; /* certificate to verify peer against */ const char *CRLfile; /* CRL to check certificate revocation */ diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index a53ff4ad6..cf1df24e4 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -848,4 +848,16 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */ #endif } +/* + * Check whether the SSL backend supports the status_request extension. + */ +bool Curl_ssl_cert_status_request(void) +{ +#ifdef curlssl_cert_status_request + return curlssl_cert_status_request(); +#else + return FALSE; +#endif +} + #endif /* USE_SSL */ diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index 19ef1cd6e..eedf9212c 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -116,6 +116,8 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */ CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey, const unsigned char *pubkey, size_t pubkeylen); +bool Curl_ssl_cert_status_request(void); + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ #else -- cgit v1.2.3