[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon May 16 13:46:05 UTC 2016


The branch master has been updated
       via  c408b80c50b3839816aa6608c9a27db35adc8fb6 (commit)
       via  ba261f718b1828751ec8a88ee5592fa6436aa422 (commit)
      from  b04f947941d08b5d077a63b017ecee5e4e2e11cc (commit)


- Log -----------------------------------------------------------------
commit c408b80c50b3839816aa6608c9a27db35adc8fb6
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 6 10:19:35 2016 +0100

    Add some documentation of SSL_CTX_set_tlsext_status_type()
    
    The previous commit added SSL_CTX_set_tlsext_status_type(). This one adds
    some documentation for it.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit ba261f718b1828751ec8a88ee5592fa6436aa422
Author: jfigus <foleyj at cisco.com>
Date:   Tue Dec 2 15:44:49 2014 -0500

    Propagate tlsext_status_type from SSL_CTX to SSL
    
    To allow OCSP stapling to work with libcurl.
    
    Github PR #200
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 36 ++++++++++++++++++++------------
 include/openssl/tls1.h                   |  3 +++
 ssl/s3_lib.c                             |  4 ++++
 ssl/ssl_lib.c                            |  4 +++-
 ssl/ssl_locl.h                           |  4 ++++
 5 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
index b8147ba..0148138 100644
--- a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -3,8 +3,9 @@
 =head1 NAME
 
 SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
-SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp,
-SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
+SSL_CTX_set_tlsext_status_type, SSL_set_tlsext_status_type,
+SSL_get_tlsext_status_ocsp_resp, SSL_set_tlsext_status_ocsp_resp - OCSP
+Certificate Status Request functions
 
 =head1 SYNOPSIS
 
@@ -14,6 +15,8 @@ SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
                                    int (*callback)(SSL *, void *));
  long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
 
+ long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type);
+
  long SSL_set_tlsext_status_type(SSL *s, int type);
 
  long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
@@ -23,16 +26,19 @@ SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
 
 A client application may request that a server send back an OCSP status response
 (also known as OCSP stapling). To do so the client should call the
-SSL_set_tlsext_status_type() function prior to the start of the handshake.
+SSL_CTX_set_tlsext_status_type() function prior to the creation of any SSL
+objects. Alternatively an application can call the SSL_set_tlsext_status_type()
+function on an individual SSL object prior to the start of the handshake.
 Currently the only supported type is B<TLSEXT_STATUSTYPE_ocsp>. This value
-should be passed in the B<type> argument. The client should additionally provide
-a callback function to decide what to do with the returned OCSP response by
-calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine
-whether the returned OCSP response is acceptable or not. The callback will be
-passed as an argument the value previously set via a call to
-SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in
-the event of a handshake where session resumption occurs (because there are no
-Certificates exchanged in such a handshake).
+should be passed in the B<type> argument.
+
+The client should additionally provide a callback function to decide what to do
+with the returned OCSP response by calling SSL_CTX_set_tlsext_status_cb(). The
+callback function should determine whether the returned OCSP response is
+acceptable or not. The callback will be passed as an argument the value
+previously set via a call to SSL_CTX_set_tlsext_status_arg(). Note that the
+callback will not be called in the event of a handshake where session resumption
+occurs (because there are no Certificates exchanged in such a handshake).
 
 The response returned by the server can be obtained via a call to
 SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
@@ -64,10 +70,14 @@ returned) or SSL_TLSEXT_ERR_ALERT_FATAL (meaning that a fatal error has
 occurred).
 
 SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(),
-SSL_set_tlsext_status_type() and SSL_set_tlsext_status_ocsp_resp() return 0 on
-error or 1 on success.
+SSL_CTX_set_tlsext_status_type(), SSL_set_tlsext_status_type() and
+SSL_set_tlsext_status_ocsp_resp() return 0 on error or 1 on success.
 
 SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data
 or -1 if there is no OCSP response data.
 
+=head1 HISTORY
+
+SSL_CTX_set_tlsext_status_type() was added in OpenSSL 1.1.0.
+
 =cut
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index ffc6eb7..61d5bcc 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -394,6 +394,9 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB,(void (*)(void))cb)
 # define SSL_CTX_set_tlsext_status_arg(ssl, arg) \
 SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg)
 
+#define SSL_CTX_set_tlsext_status_type(ssl, type) \
+        SSL_CTX_ctrl(ssl, SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE, type, NULL)
+
 # define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
 SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 
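Review bot: The new macro at the top of this hunk is written as `#define` with an 8-space continuation, while the neighbouring SSL_CTX_set_tlsext_status_arg and SSL_CTX_set_tlsext_ticket_key_cb macros in the same block use `# define` with the continuation at column 0; the file's indent-after-hash style marks the nesting under the enclosing conditional, so the new line should follow it: `# define SSL_CTX_set_tlsext_status_type(ssl, type) \` followed by `SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type, NULL)`. The `type` argument is expanded unparenthesised, as `arg` is in the macro above, so a caller passing an expression is at the mercy of operator precedence; parenthesising `(type)` costs nothing.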
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 5d5293e..eaf6ee2 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3413,6 +3413,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
             return 1;
         }
 
+    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
+        ctx->tlsext_status_type = larg;
+        break;
+
     case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
         ctx->tlsext_status_arg = parg;
         return 1;
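Review bot: The new SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE case ends in `break;` while the adjacent SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG case (and the one above it) return 1 directly, so what SSL_CTX_set_tlsext_status_type() reports to the caller depends on the code after the switch, which lies outside this hunk; the pod updated in the same push documents a return of 1 on success, so `return 1;` in place of `break;` would make that contract explicit and consistent. The value is also stored unchecked: `larg` is a long written into the int field `ctx->tlsext_status_type` with no range check, and the pod states that only TLSEXT_STATUSTYPE_ocsp is supported, so rejecting anything else — `if (larg != TLSEXT_STATUSTYPE_ocsp && larg != -1) return 0;` if -1 is meant to stay usable as the "no request" value set by SSL_CTX_new() — would keep a truncated or unsupported type from being copied into every SSL object and reaching the handshake. Whether the SSL-level setter validates its argument is not visible here; both should agree.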
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e7eb302..14e8c1e 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -693,7 +693,7 @@ SSL *SSL_new(SSL_CTX *ctx)
     s->tlsext_debug_cb = 0;
     s->tlsext_debug_arg = NULL;
     s->tlsext_ticket_expected = 0;
-    s->tlsext_status_type = -1;
+    s->tlsext_status_type = ctx->tlsext_status_type;
     s->tlsext_status_expected = 0;
     s->tlsext_ocsp_ids = NULL;
     s->tlsext_ocsp_exts = NULL;
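Review bot: SSL_new() now copies `ctx->tlsext_status_type` into every SSL object regardless of whether it will act as client or server, whereas the old constant -1 meant a server-side object could only ever see a status type set by its own handshake code. If the server's ClientHello extension parsing resets this field before reading it, as the previous default implied, nothing changes; if it only writes it when the extension is present, a ctx-level setting intended for client use could be misread on the server as a received status request, so that reset is worth confirming (the parser is not in this diff). The matching default in the SSL_CTX_new() hunk below is placed after the options setup rather than with the other field initialisers; a one-line comment such as `/* no Certificate Status Request by default; SSL_new() inherits this */` would make the -1 sentinel's meaning visible at its definition.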
@@ -2502,6 +2502,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
      */
     ret->options |= SSL_OP_NO_COMPRESSION;
 
+    ret->tlsext_status_type = -1;
+
     return ret;
  err:
     SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c9c071a..9bc9892 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -953,6 +953,10 @@ struct ssl_ctx_st {
     size_t tlsext_ellipticcurvelist_length;
     unsigned char *tlsext_ellipticcurvelist;
 #  endif                        /* OPENSSL_NO_EC */
+
+    /* ext status type used for CSR extension (OCSP Stapling) */
+    int tlsext_status_type;
+
     CRYPTO_RWLOCK *lock;
 };
 
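Review bot: The comment on the new `tlsext_status_type` member reads "CSR extension", which in a TLS library is easily read as Certificate Signing Request rather than the Certificate Status Request (status_request) extension it refers to, and it does not record the sentinel or the inheritance that the ssl_lib.c hunks introduce. A comment that states both would save the next reader a trip through SSL_new() and SSL_CTX_new(): `/* Certificate Status Request (OCSP stapling) type; copied into each SSL by */` followed by `/* SSL_new(). -1 (the SSL_CTX_new() default) means no request is sent. */`.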

