Add support for OCSP requests and responses #57
This commit adds an API to s2n which enables the client to request an OCSP ticket from the server when handshaking. Works towards: #18
LibreSSL and BoringSSL remain TBD, but we should be able to work with them in this framework.
Building with LibreSSL does work
Looks like this is a no-op on Mac, but baldwinm reports it's needed on Linux.
…t and we have a status to send
Conflicts: api/s2n.h bin/s2nc.c
@@ -26,7 +26,7 @@ LDFLAGS += -L../lib/ -ls2n ${LIBS} | |||
CRUFT += s2nc s2nd | |||
|
|||
s2nc: s2nc.c echo.c | |||
${CC} ${CFLAGS} s2nc.c echo.c -o s2nc ${LDFLAGS} | |||
${CC} ${CFLAGS} s2nc.c echo.c -o s2nc ${LDFLAGS} ../libcrypto-root/lib/libcrypto.a |
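Review bot: the added `../libcrypto-root/lib/libcrypto.a` on the s2nc link line bypasses `${LDFLAGS}` and `${LIBS}` and hard-codes a tree layout, so s2nc now links libcrypto directly alongside whatever libs2n already pulls in. If echo.c really needs OpenSSL symbols, pass them through `LIBS` so the location stays configurable; if it does not (the OCSP response can be handled as an opaque blob), drop the addition and leave the rule as `${CC} ${CFLAGS} s2nc.c echo.c -o s2nc ${LDFLAGS}`.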
Do you really need this line? It's worrying if we do. libs2n should have the libcrypto stuff included already. If applications need to also link against libcrypto things are going to get very messy.
It comes from adding the code to echo.c.
I can remove it and use your suggestion for now.
|
||
BIO_free(bio_err); | ||
} | ||
} |
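Review bot: the visible `BIO_free(bio_err);` shows echo.c now owns an OpenSSL BIO, and with it the OpenSSL printing calls that need it; that is exactly what forces the extra libcrypto link in bin/Makefile. Suggest keeping OpenSSL out of echo.c: report the buffer from s2n_connection_get_ocsp_response() as an opaque blob (length plus hex) until s2n has its own ASN.1 handling, which removes the BIO setup and teardown entirely.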
I really dislike polluting echo.c, which is our cleanest reference code, with OpenSSL code like this. Can we treat it as a blob for now, until we add ASN.1 to s2n itself? Then we can add our own convenience routine for printing it out.
Sure.
Nice! We should have test cases too though.
Will add tests - I thought I did, perhaps on another local branch though.
Added unit tests.
LGTM
Add support for OCSP requests and responses
An S2N_CLIENT can request the OCSP status of a remote server by calling
s2n_config_set_status_request_type(config, S2N_STATUS_REQUEST_OCSP);
After handshaking, the status of the remote server can be retrieved through
const uint8_t *resp = s2n_connection_get_ocsp_response(conn, &length);
An S2N_SERVER can specify the OCSP response to send as part of the config, using the following API:
s2n_config_add_cert_status(config, status, status_length);
Closes: #18
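The buffer that s2n_connection_get_ocsp_response() hands back is an opaque DER blob, and the review above asks that echo.c treat it that way rather than pulling in OpenSSL to print it. As an added example (not code from this PR or from s2n), the C below is the kind of small convenience routine the maintainer mentions: it walks only the outer OCSPResponse structure, reports the responseStatus by name, notes whether responseBytes is present, and rejects truncated or over-long input instead of reading past the buffer. The three sample blobs are hand-assembled DER constructed for this example, and treating a NULL pointer or zero length as "nothing stapled" is an assumption about what the getter returns when the server sent no status.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Results other than a real OCSPResponseStatus value (RFC 6960, 4.2.1). */
#define OCSP_NO_RESPONSE (-1) /* NULL/zero-length: assumed to mean nothing stapled */
#define OCSP_MALFORMED   (-2) /* blob is not a well-formed OCSPResponse            */

/* Read one DER tag/length header from p[0..avail). Returns the header size,
 * or 0 if the length is indefinite, wider than 4 octets, or exceeds avail. */
static size_t der_header(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    if (avail < 2) return 0;
    *tag = p[0];
    size_t hdr = 2;
    if (p[1] < 0x80) {
        *len = p[1];
    } else {
        size_t n = p[1] & 0x7f;                 /* long form: n length octets */
        if (n == 0 || n > 4 || avail < 2 + n) return 0;
        *len = 0;
        for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
        hdr += n;
    }
    return (*len <= avail - hdr) ? hdr : 0;
}

/* OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
 *                             responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
 * Returns the status (0 successful, 1 malformedRequest, 2 internalError,
 * 3 tryLater, 5 sigRequired, 6 unauthorized), OCSP_NO_RESPONSE or OCSP_MALFORMED.
 * *has_bytes (may be NULL) is set to 1 when responseBytes is present. */
int ocsp_response_status(const uint8_t *resp, size_t len, int *has_bytes)
{
    uint8_t tag;
    size_t hdr, body, vlen;
    if (has_bytes) *has_bytes = 0;
    if (resp == NULL || len == 0) return OCSP_NO_RESPONSE;

    hdr = der_header(resp, len, &tag, &body);              /* outer SEQUENCE, no trailing junk */
    if (hdr == 0 || tag != 0x30 || hdr + body != len) return OCSP_MALFORMED;
    const uint8_t *p = resp + hdr, *end = p + body;

    hdr = der_header(p, (size_t)(end - p), &tag, &vlen);   /* ENUMERATED, exactly one octet */
    if (hdr == 0 || tag != 0x0a || vlen != 1) return OCSP_MALFORMED;
    int status = p[hdr];
    if (status > 6 || status == 4) return OCSP_MALFORMED;  /* 4 is unassigned */
    p += hdr + vlen;
    if (p == end) return status;                           /* error statuses carry no bytes */

    hdr = der_header(p, (size_t)(end - p), &tag, &vlen);   /* [0] EXPLICIT must end the blob */
    if (hdr == 0 || tag != 0xa0 || p + hdr + vlen != end) return OCSP_MALFORMED;
    if (has_bytes) *has_bytes = 1;
    return status;
}

/* 1 if the blob parses and carries responseBytes, otherwise 0. */
int ocsp_has_response_bytes(const uint8_t *resp, size_t len)
{
    int has = 0;
    return ocsp_response_status(resp, len, &has) >= 0 && has;
}

const char *ocsp_status_name(int status)
{
    switch (status) {
    case 0: return "successful";
    case 1: return "malformedRequest";
    case 2: return "internalError";
    case 3: return "tryLater";
    case 5: return "sigRequired";
    case 6: return "unauthorized";
    case OCSP_NO_RESPONSE: return "no OCSP response stapled";
    default: return "malformed OCSPResponse";
    }
}

/* Constructed sample blobs (hand-assembled DER, not captured from a responder). */
const uint8_t SAMPLE_OK[] = {
    0x30, 0x15, 0x0a, 0x01, 0x00, 0xa0, 0x10, 0x30, 0x0e,
    0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, /* id-pkix-ocsp-basic */
    0x04, 0x01, 0x00 };                                 /* placeholder response OCTET STRING */
const uint8_t SAMPLE_TRYLATER[]  = { 0x30, 0x03, 0x0a, 0x01, 0x03 };
const uint8_t SAMPLE_TRUNCATED[] = { 0x30, 0x15, 0x0a, 0x01, 0x00, 0xa0 }; /* cut mid-blob */

int main(void)
{
    const uint8_t *blobs[] = { SAMPLE_OK, SAMPLE_TRYLATER, SAMPLE_TRUNCATED, NULL };
    const size_t lens[] = { sizeof SAMPLE_OK, sizeof SAMPLE_TRYLATER, sizeof SAMPLE_TRUNCATED, 0 };
    for (int i = 0; i < 4; i++) {
        int has, s = ocsp_response_status(blobs[i], lens[i], &has);
        printf("blob %d: %s%s\n", i, ocsp_status_name(s), has ? " (responseBytes present)" : "");
    }
    return 0;
}
```

Because it only looks at the outer SEQUENCE and the status enumeration, the routine needs no crypto library; anything inside responseBytes (the BasicOCSPResponse, its signature and the certificate status) is left untouched, which is the "blob for now" behaviour asked for in the review. A caller that wants to act on the response still has to verify the responder's signature and the thisUpdate/nextUpdate window, which this routine deliberately does not do.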