

nss: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.

This requires NSS 3.15 or higher.
ghedo authored and bagder committed Jan 16, 2015
1 parent f13669a commit f46c6fb
Showing 2 changed files with 54 additions and 0 deletions.
51 changes: 51 additions & 0 deletions lib/vtls/nss.c
Expand Up @@ -60,6 +60,12 @@
#include <cert.h>
#include <prerror.h>

#define NSSVERNUM ((NSS_VMAJOR<<16)|(NSS_VMINOR<<8)|NSS_VPATCH)

#if NSSVERNUM >= 0x030f00 /* 3.15.0 */
#include <ocsp.h>
#endif

#include "curl_memory.h"
#include "rawstr.h"
#include "warnless.h"
Expand Down Expand Up @@ -639,6 +645,34 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
PRBool isServer)
{
struct connectdata *conn = (struct connectdata *)arg;

#ifdef SSL_ENABLE_OCSP_STAPLING
if(conn->data->set.ssl.verifystatus) {
SECStatus cacheResult;

const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd);
if(!csa) {
failf(conn->data, "Invalid OCSP response");
return SECFailure;
}

if(csa->len == 0) {
failf(conn->data, "No OCSP response received");
return SECFailure;
}

cacheResult = CERT_CacheOCSPResponseFromSideChannel(
CERT_GetDefaultCertDB(), SSL_PeerCertificate(fd),
PR_Now(), &csa->items[0], arg
);

if(cacheResult != SECSuccess) {
failf(conn->data, "Invalid OCSP response");
return cacheResult;
}
}
#endif

if(!conn->data->set.ssl.verifypeer) {
infof(conn->data, "skipping SSL peer certificate verification\n");
return SECSuccess;
Expand Down Expand Up @@ -1620,6 +1654,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
SSL_SetPKCS11PinArg(connssl->handle, data->set.str[STRING_KEY_PASSWD]);
}

#ifdef SSL_ENABLE_OCSP_STAPLING
if(data->set.ssl.verifystatus) {
if(SSL_OptionSet(connssl->handle, SSL_ENABLE_OCSP_STAPLING, PR_TRUE)
!= SECSuccess)
goto error;
}
#endif

#ifdef USE_NGHTTP2
if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
#ifdef SSL_ENABLE_NPN
Expand Down Expand Up @@ -1908,4 +1950,13 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */
PK11_DestroyContext(MD5pw, PR_TRUE);
}

bool Curl_nss_cert_status_request(void)
{
#ifdef SSL_ENABLE_OCSP_STAPLING
return TRUE;
#else
return FALSE;
#endif
}

#endif /* USE_NSS */
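Review bot: The certificate handle fetched by `SSL_PeerCertificate(fd)` inside the `CERT_CacheOCSPResponseFromSideChannel()` call in nss_auth_cert_hook is never released; NSS returns a new reference from that call (it duplicates the peer certificate), so every handshake with verifystatus set leaks one CERTCertificate. Hold it in a local and release it after the call: `CERTCertificate *cert = SSL_PeerCertificate(fd);` … `cacheResult = CERT_CacheOCSPResponseFromSideChannel(CERT_GetDefaultCertDB(), cert, PR_Now(), &csa->items[0], arg);` … `CERT_DestroyCertificate(cert);`. Separately, caching the stapled response only makes it available to NSS's verifier; whether the SSL_AuthCertificate() path later in this hook actually rejects a cached "revoked" status depends on OCSP checking being enabled for the cert DB, which this diff does not show, so it is worth confirming that a revoked staple is not accepted silently. nss_auth_cert_hook's body continues past the end of the hunk.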
3 changes: 3 additions & 0 deletions lib/vtls/nssg.h
Expand Up @@ -60,6 +60,8 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */
unsigned char *md5sum, /* output */
size_t md5len);

bool Curl_nss_cert_status_request(void);

/* this backend supports the CAPATH option */
#define have_curlssl_ca_path 1

Expand All @@ -86,6 +88,7 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */
#define curlssl_data_pending(x,y) ((void)x, (void)y, 0)
#define curlssl_random(x,y,z) Curl_nss_random(x,y,z)
#define curlssl_md5sum(a,b,c,d) Curl_nss_md5sum(a,b,c,d)
#define curlssl_cert_status_request() Curl_nss_cert_status_request()
#define CURL_SSL_BACKEND CURLSSLBACKEND_NSS

#endif /* USE_NSS */
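Review bot: The new `Curl_nss_cert_status_request` declaration carries no comment, so a reader of the header cannot tell from the prototype that the answer is a compile-time property of the NSS build rather than a per-connection state. A one-line comment above it would do: `/* TRUE when this NSS build can request a stapled OCSP response (RFC 6066 status_request) */`.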
