[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Wed Apr 6 14:00:49 UTC 2016


The branch master has been updated
       via  3e41ac35281827b59e55d51058cf6bb086c1f2b5 (commit)
      from  7626fbf2ef70e02f47afe59b7dd7210e75371ed7 (commit)


- Log -----------------------------------------------------------------
commit 3e41ac35281827b59e55d51058cf6bb086c1f2b5
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 21 16:54:53 2016 +0000

    Fix no-ocsp
    
    Misc fixes for no-ocsp
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/ocsp.c                          | 11 ++++++++---
 apps/s_client.c                      |  8 ++++++++
 apps/s_server.c                      |  9 ++++++++-
 crypto/err/err_all.c                 |  2 ++
 crypto/x509/x_all.c                  |  4 ++++
 include/openssl/x509.h               |  4 ++++
 ssl/ssl_lib.c                        |  7 +++++++
 ssl/t1_lib.c                         | 16 ++++++++++------
 test/recipes/70-test_sslcertstatus.t |  3 +++
 test/recipes/80-test_ocsp.t          |  4 ++++
 10 files changed, 58 insertions(+), 10 deletions(-)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 574ed8c..24d88da 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -55,8 +55,12 @@
  * Hudson (tjh at cryptsoft.com).
  *
  */
-#ifndef OPENSSL_NO_OCSP
 
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_OCSP
+NON_EMPTY_TRANSLATION_UNIT
+#else
 # ifdef OPENSSL_SYS_VMS
 #  define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
                                  * on OpenVMS */
@@ -69,8 +73,9 @@
 # include <string.h>
 # include <time.h>
 # include <ctype.h>
-# include "apps.h"              /* needs to be included before the openssl
-                                 * headers! */
+
+/* Needs to be included before the openssl headers */
+# include "apps.h"
 # include <openssl/e_os2.h>
 # include <openssl/crypto.h>
 # include <openssl/err.h>
diff --git a/apps/s_client.c b/apps/s_client.c
index 5b4cd48..b180dbc 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -207,7 +207,9 @@ static int c_ign_eof = 0;
 static int c_brief = 0;
 
 static void print_stuff(BIO *berr, SSL *con, int full);
+#ifndef OPENSSL_NO_OCSP
 static int ocsp_resp_cb(SSL *s, void *arg);
+#endif
 
 static int saved_errno;
 
@@ -757,7 +759,9 @@ OPTIONS s_client_options[] = {
      "Set TLS extension servername in ClientHello"},
     {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
      "Hex dump of all TLS extensions received"},
+#ifndef OPENSSL_NO_OCSP
     {"status", OPT_STATUS, '-', "Request certificate status from server"},
+#endif
     {"serverinfo", OPT_SERVERINFO, 's',
      "types  Send empty ClientHello extensions (comma-separated numbers)"},
     {"alpn", OPT_ALPN, 's',
@@ -1888,11 +1892,13 @@ int s_client_main(int argc, char **argv)
         SSL_set_tlsext_debug_callback(con, tlsext_cb);
         SSL_set_tlsext_debug_arg(con, bio_c_out);
     }
+#ifndef OPENSSL_NO_OCSP
     if (c_status_req) {
         SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
         SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
         SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
     }
+#endif
 
     SSL_set_bio(con, sbio, sbio);
     SSL_set_connect_state(con);
@@ -2736,6 +2742,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     (void)BIO_flush(bio);
 }
 
+# ifndef OPENSSL_NO_OCSP
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
     const unsigned char *p;
@@ -2759,5 +2766,6 @@ static int ocsp_resp_cb(SSL *s, void *arg)
     OCSP_RESPONSE_free(rsp);
     return 1;
 }
+# endif
 
 #endif
diff --git a/apps/s_server.c b/apps/s_server.c
index 08acc47..e0aa2ae 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -230,7 +230,6 @@ static BIO *bio_s_msg = NULL;
 static int s_debug = 0;
 static int s_tlsextdebug = 0;
 static int s_tlsextstatus = 0;
-static int cert_status_cb(SSL *s, void *arg);
 static int no_resume_ephemeral = 0;
 static int s_msg = 0;
 static int s_quiet = 0;
@@ -604,6 +603,7 @@ typedef struct tlsextstatusctx_st {
 
 static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 };
 
+#ifndef OPENSSL_NO_OCSP
 /*
  * Certificate Status callback. This is called when a client includes a
  * certificate status request extension. This is a simplified version. It
@@ -717,6 +717,7 @@ static int cert_status_cb(SSL *s, void *arg)
     ret = SSL_TLSEXT_ERR_ALERT_FATAL;
     goto done;
 }
+#endif
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
 /* This is the context that we pass to next_proto_cb */
@@ -919,12 +920,14 @@ OPTIONS s_server_options[] = {
      "CA file for certificate verification (PEM format)"},
     {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
     {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
+#ifndef OPENSSL_NO_OCSP
     {"status", OPT_STATUS, '-', "Request certificate status from server"},
     {"status_verbose", OPT_STATUS_VERBOSE, '-',
      "Print more output in certificate status callback"},
     {"status_timeout", OPT_STATUS_TIMEOUT, 'n',
      "Status request responder timeout"},
     {"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
+#endif
 #ifndef OPENSSL_NO_SSL_TRACE
     {"trace", OPT_TRACE, '-', "trace protocol messages"},
 #endif
@@ -1323,6 +1326,7 @@ int s_server_main(int argc, char *argv[])
             tlscstatp.timeout = atoi(opt_arg());
             break;
         case OPT_STATUS_URL:
+#ifndef OPENSSL_NO_OCSP
             s_tlsextstatus = 1;
             if (!OCSP_parse_url(opt_arg(),
                                 &tlscstatp.host,
@@ -1331,6 +1335,7 @@ int s_server_main(int argc, char *argv[])
                 BIO_printf(bio_err, "Error parsing URL\n");
                 goto end;
             }
+#endif
             break;
         case OPT_MSG:
             s_msg = 1;
@@ -2009,6 +2014,7 @@ int s_server_main(int argc, char *argv[])
         if (ctx2)
             SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
     }
+#ifndef OPENSSL_NO_OCSP
     if (s_tlsextstatus) {
         SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
         SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
@@ -2017,6 +2023,7 @@ int s_server_main(int argc, char *argv[])
             SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
         }
     }
+#endif
 
     BIO_printf(bio_s_out, "ACCEPT\n");
     (void)BIO_flush(bio_s_out);
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index 78cdd5b..f939db7 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -132,7 +132,9 @@ void err_load_crypto_strings_intern(void)
 # ifndef OPENSSL_NO_ENGINE
     ERR_load_ENGINE_strings();
 # endif
+# ifndef OPENSSL_NO_OCSP
     ERR_load_OCSP_strings();
+# endif
 #ifndef OPENSSL_NO_UI
     ERR_load_UI_strings();
 #endif
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index c370ba9..0f28c58 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -103,11 +103,13 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
                               &x->sig_alg, &x->signature, &x->cert_info, ctx);
 }
 
+#ifndef OPENSSL_NO_OCSP
 int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)
 {
     return OCSP_REQ_CTX_nbio_d2i(rctx,
                                  (ASN1_VALUE **)pcert, ASN1_ITEM_rptr(X509));
 }
+#endif
 
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
@@ -137,12 +139,14 @@ int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
                               &x->crl, ctx);
 }
 
+#ifndef OPENSSL_NO_OCSP
 int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl)
 {
     return OCSP_REQ_CTX_nbio_d2i(rctx,
                                  (ASN1_VALUE **)pcrl,
                                  ASN1_ITEM_rptr(X509_CRL));
 }
+#endif
 
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index ae2fb1d..b7123d0 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -408,12 +408,16 @@ int X509_signature_print(BIO *bp, X509_ALGOR *alg, ASN1_STRING *sig);
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
+# ifndef OPENSSL_NO_OCSP
 int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert);
+# endif
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
+# ifndef OPENSSL_NO_OCSP
 int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl);
+# endif
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
 int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e651189..6875f38 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1057,7 +1057,9 @@ void SSL_free(SSL *s)
     OPENSSL_free(s->tlsext_ellipticcurvelist);
 #endif                         /* OPENSSL_NO_EC */
     sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);
+#ifndef OPENSSL_NO_OCSP
     sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
+#endif
 #ifndef OPENSSL_NO_CT
     SCT_LIST_free(s->scts);
     OPENSSL_free(s->tlsext_scts);
@@ -3951,6 +3953,7 @@ static int ct_extract_tls_extension_scts(SSL *s)
  */
 static int ct_extract_ocsp_response_scts(SSL *s)
 {
+#ifndef OPENSSL_NO_OCSP
     int scts_extracted = 0;
     const unsigned char *p;
     OCSP_BASICRESP *br = NULL;
@@ -3987,6 +3990,10 @@ err:
     OCSP_BASICRESP_free(br);
     OCSP_RESPONSE_free(rsp);
     return scts_extracted;
+#else
+    /* Behave as if no OCSP response exists */
+    return 0;
+#endif
 }
 
 /*
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a20e85f..6e7b5ed 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1347,6 +1347,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         ret += salglen;
     }
 
+#ifndef OPENSSL_NO_OCSP
     if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
         int i;
         long extlen, idlen, itmp;
@@ -1390,6 +1391,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         if (extlen > 0)
             i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
     }
+#endif
 #ifndef OPENSSL_NO_HEARTBEATS
     if (SSL_IS_DTLS(s)) {
         /* Add Heartbeat extension */
@@ -2128,14 +2130,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
                 }
             }
         } else if (type == TLSEXT_TYPE_status_request) {
-            const unsigned char *ext_data;
-
             if (!PACKET_get_1(&extension,
                               (unsigned int *)&s->tlsext_status_type)) {
                 return 0;
             }
 
+#ifndef OPENSSL_NO_OCSP
             if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
+                const unsigned char *ext_data;
                 PACKET responder_id_list, exts;
                 if (!PACKET_get_length_prefixed_2(&extension, &responder_id_list))
                     return 0;
@@ -2192,10 +2194,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
                         return 0;
                     }
                 }
-            /*
-             * We don't know what to do with any other type * so ignore it.
-             */
-            } else {
+            } else
+#endif
+            {
+                /*
+                 * We don't know what to do with any other type so ignore it.
+                 */
                 s->tlsext_status_type = -1;
             }
         }
diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t
index d2bc280..298f6da 100755
--- a/test/recipes/70-test_sslcertstatus.t
+++ b/test/recipes/70-test_sslcertstatus.t
@@ -69,6 +69,9 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled"
 plan skip_all => "$test_name needs the sock feature enabled"
     if disabled("sock");
 
+plan skip_all => "$test_name needs the ocsp feature enabled"
+    if disabled("ocsp");
+
 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     \&certstatus_filter,
diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t
index 43087f9..ae4bf85 100644
--- a/test/recipes/80-test_ocsp.t
+++ b/test/recipes/80-test_ocsp.t
@@ -7,9 +7,13 @@ use POSIX;
 use File::Spec::Functions qw/devnull catfile/;
 use File::Copy;
 use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/;
+use OpenSSL::Test::Utils;
 
 setup("test_ocsp");
 
+plan skip_all => "OCSP is not supported by this OpenSSL build"
+    if disabled("ocsp");
+
 my $ocspdir=srctop_dir("test", "ocsp-tests");
 # 17 December 2012 so we don't get certificate expiry errors.
 my @check_time=("-attime", "1355875200");


More information about the openssl-commits mailing list