[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Wed Apr 6 14:00:49 UTC 2016
The branch master has been updated
via 3e41ac35281827b59e55d51058cf6bb086c1f2b5 (commit)
from 7626fbf2ef70e02f47afe59b7dd7210e75371ed7 (commit)
- Log -----------------------------------------------------------------
commit 3e41ac35281827b59e55d51058cf6bb086c1f2b5
Author: Matt Caswell <matt at openssl.org>
Date: Mon Mar 21 16:54:53 2016 +0000
Fix no-ocsp
Misc fixes for no-ocsp
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ocsp.c | 11 ++++++++---
apps/s_client.c | 8 ++++++++
apps/s_server.c | 9 ++++++++-
crypto/err/err_all.c | 2 ++
crypto/x509/x_all.c | 4 ++++
include/openssl/x509.h | 4 ++++
ssl/ssl_lib.c | 7 +++++++
ssl/t1_lib.c | 16 ++++++++++------
test/recipes/70-test_sslcertstatus.t | 3 +++
test/recipes/80-test_ocsp.t | 4 ++++
10 files changed, 58 insertions(+), 10 deletions(-)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 574ed8c..24d88da 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -55,8 +55,12 @@
* Hudson (tjh at cryptsoft.com).
*
*/
-#ifndef OPENSSL_NO_OCSP
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_OCSP
+NON_EMPTY_TRANSLATION_UNIT
+#else
# ifdef OPENSSL_SYS_VMS
# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
* on OpenVMS */
@@ -69,8 +73,9 @@
# include <string.h>
# include <time.h>
# include <ctype.h>
-# include "apps.h" /* needs to be included before the openssl
- * headers! */
+
+/* Needs to be included before the openssl headers */
+# include "apps.h"
# include <openssl/e_os2.h>
# include <openssl/crypto.h>
# include <openssl/err.h>
diff --git a/apps/s_client.c b/apps/s_client.c
index 5b4cd48..b180dbc 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -207,7 +207,9 @@ static int c_ign_eof = 0;
static int c_brief = 0;
static void print_stuff(BIO *berr, SSL *con, int full);
+#ifndef OPENSSL_NO_OCSP
static int ocsp_resp_cb(SSL *s, void *arg);
+#endif
static int saved_errno;
@@ -757,7 +759,9 @@ OPTIONS s_client_options[] = {
"Set TLS extension servername in ClientHello"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
"Hex dump of all TLS extensions received"},
+#ifndef OPENSSL_NO_OCSP
{"status", OPT_STATUS, '-', "Request certificate status from server"},
+#endif
{"serverinfo", OPT_SERVERINFO, 's',
"types Send empty ClientHello extensions (comma-separated numbers)"},
{"alpn", OPT_ALPN, 's',
@@ -1888,11 +1892,13 @@ int s_client_main(int argc, char **argv)
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_c_out);
}
+#ifndef OPENSSL_NO_OCSP
if (c_status_req) {
SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
}
+#endif
SSL_set_bio(con, sbio, sbio);
SSL_set_connect_state(con);
@@ -2736,6 +2742,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
(void)BIO_flush(bio);
}
+# ifndef OPENSSL_NO_OCSP
static int ocsp_resp_cb(SSL *s, void *arg)
{
const unsigned char *p;
@@ -2759,5 +2766,6 @@ static int ocsp_resp_cb(SSL *s, void *arg)
OCSP_RESPONSE_free(rsp);
return 1;
}
+# endif
#endif
diff --git a/apps/s_server.c b/apps/s_server.c
index 08acc47..e0aa2ae 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -230,7 +230,6 @@ static BIO *bio_s_msg = NULL;
static int s_debug = 0;
static int s_tlsextdebug = 0;
static int s_tlsextstatus = 0;
-static int cert_status_cb(SSL *s, void *arg);
static int no_resume_ephemeral = 0;
static int s_msg = 0;
static int s_quiet = 0;
@@ -604,6 +603,7 @@ typedef struct tlsextstatusctx_st {
static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 };
+#ifndef OPENSSL_NO_OCSP
/*
* Certificate Status callback. This is called when a client includes a
* certificate status request extension. This is a simplified version. It
@@ -717,6 +717,7 @@ static int cert_status_cb(SSL *s, void *arg)
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
goto done;
}
+#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
/* This is the context that we pass to next_proto_cb */
@@ -919,12 +920,14 @@ OPTIONS s_server_options[] = {
"CA file for certificate verification (PEM format)"},
{"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
+#ifndef OPENSSL_NO_OCSP
{"status", OPT_STATUS, '-', "Request certificate status from server"},
{"status_verbose", OPT_STATUS_VERBOSE, '-',
"Print more output in certificate status callback"},
{"status_timeout", OPT_STATUS_TIMEOUT, 'n',
"Status request responder timeout"},
{"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
+#endif
#ifndef OPENSSL_NO_SSL_TRACE
{"trace", OPT_TRACE, '-', "trace protocol messages"},
#endif
@@ -1323,6 +1326,7 @@ int s_server_main(int argc, char *argv[])
tlscstatp.timeout = atoi(opt_arg());
break;
case OPT_STATUS_URL:
+#ifndef OPENSSL_NO_OCSP
s_tlsextstatus = 1;
if (!OCSP_parse_url(opt_arg(),
&tlscstatp.host,
@@ -1331,6 +1335,7 @@ int s_server_main(int argc, char *argv[])
BIO_printf(bio_err, "Error parsing URL\n");
goto end;
}
+#endif
break;
case OPT_MSG:
s_msg = 1;
@@ -2009,6 +2014,7 @@ int s_server_main(int argc, char *argv[])
if (ctx2)
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
}
+#ifndef OPENSSL_NO_OCSP
if (s_tlsextstatus) {
SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
@@ -2017,6 +2023,7 @@ int s_server_main(int argc, char *argv[])
SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
}
}
+#endif
BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index 78cdd5b..f939db7 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -132,7 +132,9 @@ void err_load_crypto_strings_intern(void)
# ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings();
# endif
+# ifndef OPENSSL_NO_OCSP
ERR_load_OCSP_strings();
+# endif
#ifndef OPENSSL_NO_UI
ERR_load_UI_strings();
#endif
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index c370ba9..0f28c58 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -103,11 +103,13 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
&x->sig_alg, &x->signature, &x->cert_info, ctx);
}
+#ifndef OPENSSL_NO_OCSP
int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)
{
return OCSP_REQ_CTX_nbio_d2i(rctx,
(ASN1_VALUE **)pcert, ASN1_ITEM_rptr(X509));
}
+#endif
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
@@ -137,12 +139,14 @@ int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
&x->crl, ctx);
}
+#ifndef OPENSSL_NO_OCSP
int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl)
{
return OCSP_REQ_CTX_nbio_d2i(rctx,
(ASN1_VALUE **)pcrl,
ASN1_ITEM_rptr(X509_CRL));
}
+#endif
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
{
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index ae2fb1d..b7123d0 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -408,12 +408,16 @@ int X509_signature_print(BIO *bp, X509_ALGOR *alg, ASN1_STRING *sig);
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
+# ifndef OPENSSL_NO_OCSP
int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert);
+# endif
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
+# ifndef OPENSSL_NO_OCSP
int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl);
+# endif
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e651189..6875f38 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1057,7 +1057,9 @@ void SSL_free(SSL *s)
OPENSSL_free(s->tlsext_ellipticcurvelist);
#endif /* OPENSSL_NO_EC */
sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);
+#ifndef OPENSSL_NO_OCSP
sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
+#endif
#ifndef OPENSSL_NO_CT
SCT_LIST_free(s->scts);
OPENSSL_free(s->tlsext_scts);
@@ -3951,6 +3953,7 @@ static int ct_extract_tls_extension_scts(SSL *s)
*/
static int ct_extract_ocsp_response_scts(SSL *s)
{
+#ifndef OPENSSL_NO_OCSP
int scts_extracted = 0;
const unsigned char *p;
OCSP_BASICRESP *br = NULL;
@@ -3987,6 +3990,10 @@ err:
OCSP_BASICRESP_free(br);
OCSP_RESPONSE_free(rsp);
return scts_extracted;
+#else
+ /* Behave as if no OCSP response exists */
+ return 0;
+#endif
}
/*
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a20e85f..6e7b5ed 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1347,6 +1347,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
ret += salglen;
}
+#ifndef OPENSSL_NO_OCSP
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
int i;
long extlen, idlen, itmp;
@@ -1390,6 +1391,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (extlen > 0)
i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
}
+#endif
#ifndef OPENSSL_NO_HEARTBEATS
if (SSL_IS_DTLS(s)) {
/* Add Heartbeat extension */
@@ -2128,14 +2130,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
}
}
} else if (type == TLSEXT_TYPE_status_request) {
- const unsigned char *ext_data;
-
if (!PACKET_get_1(&extension,
(unsigned int *)&s->tlsext_status_type)) {
return 0;
}
+#ifndef OPENSSL_NO_OCSP
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
+ const unsigned char *ext_data;
PACKET responder_id_list, exts;
if (!PACKET_get_length_prefixed_2(&extension, &responder_id_list))
return 0;
@@ -2192,10 +2194,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
return 0;
}
}
- /*
- * We don't know what to do with any other type * so ignore it.
- */
- } else {
+ } else
+#endif
+ {
+ /*
+ * We don't know what to do with any other type so ignore it.
+ */
s->tlsext_status_type = -1;
}
}
diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t
index d2bc280..298f6da 100755
--- a/test/recipes/70-test_sslcertstatus.t
+++ b/test/recipes/70-test_sslcertstatus.t
@@ -69,6 +69,9 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled"
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
+plan skip_all => "$test_name needs the ocsp feature enabled"
+ if disabled("ocsp");
+
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
\&certstatus_filter,
diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t
index 43087f9..ae4bf85 100644
--- a/test/recipes/80-test_ocsp.t
+++ b/test/recipes/80-test_ocsp.t
@@ -7,9 +7,13 @@ use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/;
+use OpenSSL::Test::Utils;
setup("test_ocsp");
+plan skip_all => "OCSP is not supported by this OpenSSL build"
+ if disabled("ocsp");
+
my $ocspdir=srctop_dir("test", "ocsp-tests");
# 17 December 2012 so we don't get certificate expiry errors.
my @check_time=("-attime", "1355875200");
More information about the openssl-commits
mailing list