Add OCSP stapling request support.

This commit adds an API to s2n which enables the client to request an OCSP
ticket from the server when handshaking.

works towards: #18

api/s2n.h

@@ -45,6 +45,7 @@ extern int s2n_config_add_dhparams(struct s2n_config *config, char *dhparams_pem
 extern int s2n_config_set_key_exchange_preferences(struct s2n_config *config, const char *preferences);
 extern int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *version);
 extern int s2n_config_set_protocol_preferences(struct s2n_config *config, const char **protocols, int protocol_count);
+extern int s2n_config_set_ocsp_status_request(struct s2n_config *config, uint8_t enable);
 
 struct s2n_connection;
 typedef enum { S2N_SERVER, S2N_CLIENT } s2n_mode;

tls/s2n_client_extensions.c

@@ -46,6 +46,9 @@ int s2n_client_extensions_send(struct s2n_connection *conn, struct s2n_stuffer *
     if (application_protocols_len) {
         total_size += 6 + application_protocols_len;
     }
+    if (conn->config->ocsp_status_request) {
+        total_size += 9;
+    }
 
     GUARD(s2n_stuffer_write_uint16(out, total_size));
 
@@ -86,6 +89,14 @@ int s2n_client_extensions_send(struct s2n_connection *conn, struct s2n_stuffer *
         GUARD(s2n_stuffer_write(out, &conn->config->application_protocols));
     }
 
+    if (conn->config->ocsp_status_request) {
+        GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_STATUS_REQUEST));
+        GUARD(s2n_stuffer_write_uint16(out, 5));
+        GUARD(s2n_stuffer_write_uint8(out, 1));
+        GUARD(s2n_stuffer_write_uint16(out, 0));
+        GUARD(s2n_stuffer_write_uint16(out, 0));
+    }
+
     return 0;
 }
 
@@ -177,7 +188,6 @@ int s2n_client_extensions_recv(struct s2n_connection *conn, struct s2n_blob *ext
             }
             break;
         case TLS_EXTENSION_ALPN:
-            {
             GUARD(s2n_stuffer_read_uint16(&extension, &size_of_all));
             if (size_of_all > s2n_stuffer_data_available(&extension) || size_of_all < 3) {
                 continue;
@@ -190,7 +200,8 @@ int s2n_client_extensions_recv(struct s2n_connection *conn, struct s2n_blob *ext
             GUARD(s2n_alpn_mutual_protocol(conn));
 
             break;
-            }
+        case TLS_EXTENSION_STATUS_REQUEST:
+            break;
         }
     }
 

tls/s2n_config.c

@@ -93,6 +93,7 @@ struct s2n_config *s2n_config_new()
     new_config->dhparams = NULL;
     new_config->application_protocols.data = NULL;
     new_config->application_protocols.size = 0;
+    new_config->ocsp_status_request = 0;
 
     GUARD_PTR(s2n_config_set_cipher_preferences(new_config, "default"));
 
@@ -201,6 +202,13 @@ int s2n_config_set_protocol_preferences(struct s2n_config *config, const char **
     return 0;
 }
 
+int s2n_config_set_ocsp_status_request(struct s2n_config *config, uint8_t enable)
+{
+    config->ocsp_status_request = enable;
+
+    return 0;
+}
+
 int s2n_config_add_cert_chain_and_key(struct s2n_config *config, char *cert_chain_pem, char *private_key_pem)
 {
     struct s2n_stuffer chain_in_stuffer, cert_out_stuffer, key_in_stuffer, key_out_stuffer;

tls/s2n_config.h

@@ -39,6 +39,7 @@ struct s2n_config {
     struct s2n_cert_chain_and_key *cert_and_key_pairs;
     struct s2n_cipher_preferences *cipher_preferences;
     struct s2n_blob application_protocols;
+    uint8_t ocsp_status_request;
 };
 
 extern struct s2n_config s2n_default_config;

tls/s2n_tls_parameters.h

@@ -39,10 +39,11 @@
 
 /* TLS extension and algorithm types */
 #define TLS_EXTENSION_SERVER_NAME           0
+#define TLS_EXTENSION_STATUS_REQUEST        5
 #define TLS_EXTENSION_SIGNATURE_ALGORITHMS 13
+#define TLS_EXTENSION_ALPN                 16
 #define TLS_SIGNATURE_ALGORITHM_RSA         1
 #define TLS_SIGNATURE_ALGORITHM_SHA1        2
-#define TLS_EXTENSION_ALPN                 16
 
 /* The TLS record types we support */
 #define TLS_CHANGE_CIPHER_SPEC 20