Add support for OCSP requests and responses #57

baldwinmatt · 2015-03-03T17:54:42Z

An S2N_CLIENT can request the OCSP status of a remote server by calling

s2n_config_set_status_request_type(config, S2N_STATUS_REQUEST_OCSP);

after handshaking, the status of the remote server can be retrieved through

const uint8_t *resp = s2n_connection_get_ocsp_response(conn, &length);

an S2N_SERVER can specify the OCSP response to send as part of the config, using the following API:

s2n_config_add_cert_status(config, status, status_length);

closes: #18

This commit adds an API to s2n which enables the client to request an OCSP ticket from the server when handshaking. works towards: #18

LibreSSL and BoringSSL remain TBD, but we should be able to work with them in this framework.

Building with LibreSSL does work

Looks like this is a no-op on Mac, but baldwinm reports it's needed on Linux.

…t and we have a status to send

Conflicts: api/s2n.h bin/s2nc.c

colmmacc · 2015-03-03T18:02:04Z

bin/Makefile

@@ -26,7 +26,7 @@ LDFLAGS += -L../lib/ -ls2n ${LIBS}
 CRUFT += s2nc s2nd

 s2nc: s2nc.c echo.c
-	${CC} ${CFLAGS} s2nc.c echo.c  -o s2nc ${LDFLAGS}
+	${CC} ${CFLAGS} s2nc.c echo.c  -o s2nc ${LDFLAGS} ../libcrypto-root/lib/libcrypto.a


Do you really need this line? it's worrying if we do. libs2n should have the libcrypto stuff included already. If applications need to also link against libcrypto things are going to get very messy.

it comes from adding the code to echo.c

i can remove it and use your suggestion for now.

colmmacc · 2015-03-03T18:05:30Z

bin/echo.c

+
+            BIO_free(bio_err);
+        }
+    }


I really dislike polluting echo.c, which is our cleanest reference code, with OpenSSL code like this. Can we treat it as a blob for now, until we add ASN.1 to s2n itself? then we can add our own convenience routine for printing it out.

colmmacc · 2015-03-03T18:10:31Z

Nice! We should have test cases too though.

baldwinmatt · 2015-03-03T18:29:27Z

will add tests - i thoght i did, perhaps on another local branch though

baldwinmatt · 2015-03-05T03:31:51Z

Added unit tests
fixed a couple of bugs
refactored the API based on feedback

colmmacc · 2015-03-05T15:46:58Z

LGTM

Add support for OCSP requests and responses

baldwinmatt and others added 28 commits February 26, 2015 18:02

Add OCSP stapling request support.

2946348

This commit adds an API to s2n which enables the client to request an OCSP ticket from the server when handshaking. works towards: #18

Add full instructions for building OpenSSL locally

9ce524a

LibreSSL and BoringSSL remain TBD, but we should be able to work with them in this framework.

Add instructions for LibreSSL

2add2c2

Building with LibreSSL does work

Typo fix: Config -> config

4ba1632

Fix ./Config and bin/Makefile per #51

02b6218

Add -fPIC to OpenSSL build

f463e78

Looks like this is a no-op on Mac, but baldwinm reports it's needed on Linux.

Add -ldl on non-Mac platforms

61bdc9a

Use const correct type for s2n_config_set_protocol_preferences

df4b5b3

Use getopt to support optional configuration arguments to s2nc

525d202

Add enum for status request type

f1abb15

Add support for OCSP to s2nc

a6f1747

Read the TLS_EXTENSION_STATUS_REQUEST from the Client Hello

6f613cd

Add ocsp_status to s2n_config so we can send it if we have it

78fa24c

Indicate in ServerHello that we support OCSP if the client requests i…

3190735

…t and we have a status to send

add macro for s2n_server_can_send_ocsp as we will need this later

46dff60

Added support for sending and receiving the certificate status

b4fd237

Add API to retrieve OCSP response data

a073b5f

Fix bugs in reading of the status request

506b883

APIs to add OCSP status and retrieve the response

3373141

bug fix

8f4b1d1

Add OCSP response to s2nc

a8b4df6

Merge remote-tracking branch 'awslabs/master' into ocsp-stapling

642fcc9

Updated the usage-guide with the new APIs

c535c6a

Refactor receiving of server extensions

361791b

Merge branch 'master' into ocsp-stapling

f8c4b78

Conflicts: api/s2n.h bin/s2nc.c

Merge remote-tracking branch 'awslabs/master' into ocsp-stapling

29dba06

Merge branch 'master' into ocsp-stapling

34bfd4f

Verify the OCSP status added to the config is valid

303ad5c

colmmacc reviewed Mar 3, 2015
View reviewed changes

baldwinmatt added 7 commits March 4, 2015 03:28

Don't use openssl code from our sample apps

5593297

Merge remote-tracking branch 'origin/master' into ocsp-stapling

6a3613e

Don't use magic number

83772b6

OCSP status is a member of the cert and key pairs

a31fdc1

Fix uage guide after refactor of API

b6ccd85

memcpy to the correct address

ddde143

Add OCSP tests

0b3dcd2

colmmacc added a commit that referenced this pull request Mar 5, 2015

Merge pull request #57 from baldwinmatt/ocsp-stapling

e2c6f70

Add support for OCSP requests and responses

colmmacc merged commit e2c6f70 into aws:master Mar 5, 2015

colmmacc added a commit that referenced this pull request Jun 29, 2015

Merge pull request #57 from baldwinmatt/ocsp-stapling

f10b68e

Add support for OCSP requests and responses

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for OCSP requests and responses #57

Add support for OCSP requests and responses #57

baldwinmatt commented Mar 3, 2015

colmmacc Mar 3, 2015

baldwinmatt Mar 3, 2015

colmmacc Mar 3, 2015

baldwinmatt Mar 3, 2015

colmmacc commented Mar 3, 2015

baldwinmatt commented Mar 3, 2015

baldwinmatt commented Mar 5, 2015

colmmacc commented Mar 5, 2015

Add support for OCSP requests and responses #57

Add support for OCSP requests and responses #57

Conversation

baldwinmatt commented Mar 3, 2015

colmmacc Mar 3, 2015

Choose a reason for hiding this comment

baldwinmatt Mar 3, 2015

Choose a reason for hiding this comment

colmmacc Mar 3, 2015

Choose a reason for hiding this comment

baldwinmatt Mar 3, 2015

Choose a reason for hiding this comment

colmmacc commented Mar 3, 2015

baldwinmatt commented Mar 3, 2015

baldwinmatt commented Mar 5, 2015

colmmacc commented Mar 5, 2015