提交
3e41ac35
编写于
3月 21, 2016
作者:
Matt Caswell
Fix no-ocsp
Misc fixes for no-ocsp Reviewed-by:
N
Rich Salz
<
rsalz@openssl.org
>
上级
7626fbf2
变更
10
Showing
10 changed file
with
58 addition
and
10 deletion
+58
-10
apps/ocsp.c
apps/ocsp.c
+8
-3
apps/s_client.c
apps/s_client.c
+8
-0
apps/s_server.c
apps/s_server.c
+8
-1
crypto/err/err_all.c
crypto/err/err_all.c
+2
-0
crypto/x509/x_all.c
crypto/x509/x_all.c
+4
-0
include/openssl/x509.h
include/openssl/x509.h
+4
-0
ssl/ssl_lib.c
ssl/ssl_lib.c
+7
-0
ssl/t1_lib.c
ssl/t1_lib.c
+10
-6
test/recipes/70-test_sslcertstatus.t
test/recipes/70-test_sslcertstatus.t
+3
-0
test/recipes/80-test_ocsp.t
test/recipes/80-test_ocsp.t
+4
-0
apps/ocsp.c
...
...
@@ -55,8 +55,12 @@
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef OPENSSL_NO_OCSP
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_OCSP
NON_EMPTY_TRANSLATION_UNIT
#else
# ifdef OPENSSL_SYS_VMS
# define _XOPEN_SOURCE_EXTENDED
/* So fd_set and friends get properly defined
* on OpenVMS */
...
...
@@ -69,8 +73,9 @@
# include <string.h>
# include <time.h>
# include <ctype.h>
# include "apps.h"
/* needs to be included before the openssl
* headers! */
/* Needs to be included before the openssl headers */
# include "apps.h"
# include <openssl/e_os2.h>
# include <openssl/crypto.h>
# include <openssl/err.h>
...
...
apps/s_client.c
...
...
@@ -207,7 +207,9 @@ static int c_ign_eof = 0;
static
int
c_brief
=
0
;
static
void
print_stuff
(
BIO
*
berr
,
SSL
*
con
,
int
full
);
#ifndef OPENSSL_NO_OCSP
static
int
ocsp_resp_cb
(
SSL
*
s
,
void
*
arg
);
#endif
static
int
saved_errno
;
...
...
@@ -757,7 +759,9 @@ OPTIONS s_client_options[] = {
"Set TLS extension servername in ClientHello"
},
{
"tlsextdebug"
,
OPT_TLSEXTDEBUG
,
'-'
,
"Hex dump of all TLS extensions received"
},
#ifndef OPENSSL_NO_OCSP
{
"status"
,
OPT_STATUS
,
'-'
,
"Request certificate status from server"
},
#endif
{
"serverinfo"
,
OPT_SERVERINFO
,
's'
,
"types Send empty ClientHello extensions (comma-separated numbers)"
},
{
"alpn"
,
OPT_ALPN
,
's'
,
...
...
@@ -1888,11 +1892,13 @@ int s_client_main(int argc, char **argv)
SSL_set_tlsext_debug_callback
(
con
,
tlsext_cb
);
SSL_set_tlsext_debug_arg
(
con
,
bio_c_out
);
}
#ifndef OPENSSL_NO_OCSP
if
(
c_status_req
)
{
SSL_set_tlsext_status_type
(
con
,
TLSEXT_STATUSTYPE_ocsp
);
SSL_CTX_set_tlsext_status_cb
(
ctx
,
ocsp_resp_cb
);
SSL_CTX_set_tlsext_status_arg
(
ctx
,
bio_c_out
);
}
#endif
SSL_set_bio
(
con
,
sbio
,
sbio
);
SSL_set_connect_state
(
con
);
...
...
@@ -2736,6 +2742,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
(
void
)
BIO_flush
(
bio
);
}
# ifndef OPENSSL_NO_OCSP
static
int
ocsp_resp_cb
(
SSL
*
s
,
void
*
arg
)
{
const
unsigned
char
*
p
;
...
...
@@ -2759,5 +2766,6 @@ static int ocsp_resp_cb(SSL *s, void *arg)
OCSP_RESPONSE_free
(
rsp
);
return
1
;
}
# endif
#endif
apps/s_server.c
...
...
@@ -230,7 +230,6 @@ static BIO *bio_s_msg = NULL;
static
int
s_debug
=
0
;
static
int
s_tlsextdebug
=
0
;
static
int
s_tlsextstatus
=
0
;
static
int
cert_status_cb
(
SSL
*
s
,
void
*
arg
);
static
int
no_resume_ephemeral
=
0
;
static
int
s_msg
=
0
;
static
int
s_quiet
=
0
;
...
...
@@ -604,6 +603,7 @@ typedef struct tlsextstatusctx_st {
static
tlsextstatusctx
tlscstatp
=
{
NULL
,
NULL
,
NULL
,
0
,
-
1
,
0
};
#ifndef OPENSSL_NO_OCSP
/*
* Certificate Status callback. This is called when a client includes a
* certificate status request extension. This is a simplified version. It
...
...
@@ -717,6 +717,7 @@ static int cert_status_cb(SSL *s, void *arg)
ret
=
SSL_TLSEXT_ERR_ALERT_FATAL
;
goto
done
;
}
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
/* This is the context that we pass to next_proto_cb */
...
...
@@ -919,12 +920,14 @@ OPTIONS s_server_options[] = {
"CA file for certificate verification (PEM format)"
},
{
"ign_eof"
,
OPT_IGN_EOF
,
'-'
,
"ignore input eof (default when -quiet)"
},
{
"no_ign_eof"
,
OPT_NO_IGN_EOF
,
'-'
,
"Do not ignore input eof"
},
#ifndef OPENSSL_NO_OCSP
{
"status"
,
OPT_STATUS
,
'-'
,
"Request certificate status from server"
},
{
"status_verbose"
,
OPT_STATUS_VERBOSE
,
'-'
,
"Print more output in certificate status callback"
},
{
"status_timeout"
,
OPT_STATUS_TIMEOUT
,
'n'
,
"Status request responder timeout"
},
{
"status_url"
,
OPT_STATUS_URL
,
's'
,
"Status request fallback URL"
},
#endif
#ifndef OPENSSL_NO_SSL_TRACE
{
"trace"
,
OPT_TRACE
,
'-'
,
"trace protocol messages"
},
#endif
...
...
@@ -1323,6 +1326,7 @@ int s_server_main(int argc, char *argv[])
tlscstatp
.
timeout
=
atoi
(
opt_arg
());
break
;
case
OPT_STATUS_URL
:
#ifndef OPENSSL_NO_OCSP
s_tlsextstatus
=
1
;
if
(
!
OCSP_parse_url
(
opt_arg
(),
&
tlscstatp
.
host
,
...
...
@@ -1331,6 +1335,7 @@ int s_server_main(int argc, char *argv[])
BIO_printf
(
bio_err
,
"Error parsing URL
\n
"
);
goto
end
;
}
#endif
break
;
case
OPT_MSG
:
s_msg
=
1
;
...
...
@@ -2009,6 +2014,7 @@ int s_server_main(int argc, char *argv[])
if
(
ctx2
)
SSL_CTX_set_client_CA_list
(
ctx2
,
SSL_load_client_CA_file
(
CAfile
));
}
#ifndef OPENSSL_NO_OCSP
if
(
s_tlsextstatus
)
{
SSL_CTX_set_tlsext_status_cb
(
ctx
,
cert_status_cb
);
SSL_CTX_set_tlsext_status_arg
(
ctx
,
&
tlscstatp
);
...
...
@@ -2017,6 +2023,7 @@ int s_server_main(int argc, char *argv[])
SSL_CTX_set_tlsext_status_arg
(
ctx2
,
&
tlscstatp
);
}
}
#endif
BIO_printf
(
bio_s_out
,
"ACCEPT
\n
"
);
(
void
)
BIO_flush
(
bio_s_out
);
...
...
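Review bot: The `status` entry in `s_server_options` carries the help string `"Request certificate status from server"`, which is the s_client wording and is misleading on the server side. The visible code shows the server answering such requests (`SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb)` when `s_tlsextstatus` is set), so something like `"Enable certificate status (OCSP stapling) responses"` would match what the flag does. Separately, `case OPT_STATUS_URL:` keeps its label with an empty body in a no-ocsp build; that appears harmless because the table entries are compiled out, but a one-line comment such as `/* unreachable with no-ocsp: option not in table */` would save the next reader from checking. `s_server_main` starts and ends outside the hunks shown.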
crypto/err/err_all.c
...
...
@@ -132,7 +132,9 @@ void err_load_crypto_strings_intern(void)
# ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings
();
# endif
# ifndef OPENSSL_NO_OCSP
ERR_load_OCSP_strings
();
# endif
#ifndef OPENSSL_NO_UI
ERR_load_UI_strings
();
#endif
...
...
crypto/x509/x_all.c
...
...
@@ -103,11 +103,13 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
&
x
->
sig_alg
,
&
x
->
signature
,
&
x
->
cert_info
,
ctx
);
}
#ifndef OPENSSL_NO_OCSP
int
X509_http_nbio
(
OCSP_REQ_CTX
*
rctx
,
X509
**
pcert
)
{
return
OCSP_REQ_CTX_nbio_d2i
(
rctx
,
(
ASN1_VALUE
**
)
pcert
,
ASN1_ITEM_rptr
(
X509
));
}
#endif
int
X509_REQ_sign
(
X509_REQ
*
x
,
EVP_PKEY
*
pkey
,
const
EVP_MD
*
md
)
{
...
...
@@ -137,12 +139,14 @@ int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
&
x
->
crl
,
ctx
);
}
#ifndef OPENSSL_NO_OCSP
int
X509_CRL_http_nbio
(
OCSP_REQ_CTX
*
rctx
,
X509_CRL
**
pcrl
)
{
return
OCSP_REQ_CTX_nbio_d2i
(
rctx
,
(
ASN1_VALUE
**
)
pcrl
,
ASN1_ITEM_rptr
(
X509_CRL
));
}
#endif
int
NETSCAPE_SPKI_sign
(
NETSCAPE_SPKI
*
x
,
EVP_PKEY
*
pkey
,
const
EVP_MD
*
md
)
{
...
...
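Review bot: `X509_http_nbio` and `X509_CRL_http_nbio` fetch a certificate or a CRL, not an OCSP response, so guarding them with `OPENSSL_NO_OCSP` needs a comment saying why. Both are thin wrappers over `OCSP_REQ_CTX_nbio_d2i`, and a line such as `/* Built on the OCSP HTTP client, so not available with no-ocsp */` above each `#ifndef` would make that explicit. The matching declarations in include/openssl/x509.h are guarded the same way and could carry the same remark. Code that uses these calls for CRL download will stop compiling against a no-ocsp build, which is worth stating wherever the option is documented (no documentation change is visible in this commit).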
include/openssl/x509.h
...
...
@@ -408,12 +408,16 @@ int X509_signature_print(BIO *bp, X509_ALGOR *alg, ASN1_STRING *sig);
int
X509_sign
(
X509
*
x
,
EVP_PKEY
*
pkey
,
const
EVP_MD
*
md
);
int
X509_sign_ctx
(
X509
*
x
,
EVP_MD_CTX
*
ctx
);
# ifndef OPENSSL_NO_OCSP
int
X509_http_nbio
(
OCSP_REQ_CTX
*
rctx
,
X509
**
pcert
);
# endif
int
X509_REQ_sign
(
X509_REQ
*
x
,
EVP_PKEY
*
pkey
,
const
EVP_MD
*
md
);
int
X509_REQ_sign_ctx
(
X509_REQ
*
x
,
EVP_MD_CTX
*
ctx
);
int
X509_CRL_sign
(
X509_CRL
*
x
,
EVP_PKEY
*
pkey
,
const
EVP_MD
*
md
);
int
X509_CRL_sign_ctx
(
X509_CRL
*
x
,
EVP_MD_CTX
*
ctx
);
# ifndef OPENSSL_NO_OCSP
int
X509_CRL_http_nbio
(
OCSP_REQ_CTX
*
rctx
,
X509_CRL
**
pcrl
);
# endif
int
NETSCAPE_SPKI_sign
(
NETSCAPE_SPKI
*
x
,
EVP_PKEY
*
pkey
,
const
EVP_MD
*
md
);
int
X509_pubkey_digest
(
const
X509
*
data
,
const
EVP_MD
*
type
,
...
...
ssl/ssl_lib.c
...
...
@@ -1057,7 +1057,9 @@ void SSL_free(SSL *s)
OPENSSL_free
(
s
->
tlsext_ellipticcurvelist
);
#endif
/* OPENSSL_NO_EC */
sk_X509_EXTENSION_pop_free
(
s
->
tlsext_ocsp_exts
,
X509_EXTENSION_free
);
#ifndef OPENSSL_NO_OCSP
sk_OCSP_RESPID_pop_free
(
s
->
tlsext_ocsp_ids
,
OCSP_RESPID_free
);
#endif
#ifndef OPENSSL_NO_CT
SCT_LIST_free
(
s
->
scts
);
OPENSSL_free
(
s
->
tlsext_scts
);
...
...
@@ -3951,6 +3953,7 @@ static int ct_extract_tls_extension_scts(SSL *s)
*/
static
int
ct_extract_ocsp_response_scts
(
SSL
*
s
)
{
#ifndef OPENSSL_NO_OCSP
int
scts_extracted
=
0
;
const
unsigned
char
*
p
;
OCSP_BASICRESP
*
br
=
NULL
;
...
...
@@ -3987,6 +3990,10 @@ err:
OCSP_BASICRESP_free
(
br
);
OCSP_RESPONSE_free
(
rsp
);
return
scts_extracted
;
#else
/* Behave as if no OCSP response exists */
return
0
;
#endif
}
/*
...
...
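Review bot: The new `#else` branch in `ct_extract_ocsp_response_scts` returns 0, the same value `scts_extracted` starts with, so a caller cannot tell "OCSP compiled out" from "response carried no SCTs". In a build with CT enabled and OCSP disabled, SCTs can then only come from the other sources, which matters to anyone relying on a CT policy. The inline `/* Behave as if no OCSP response exists */` explains the mechanics, but the function's header comment (it ends just above the hunk) should state the contract too, e.g. `Always returns 0 when built with OPENSSL_NO_OCSP.` In `SSL_free`, leaving the `tlsext_ocsp_exts` free unguarded while guarding `tlsext_ocsp_ids` looks deliberate, presumably because only the latter needs an OCSP type.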
ssl/t1_lib.c
...
...
@@ -1347,6 +1347,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
ret
+=
salglen
;
}
#ifndef OPENSSL_NO_OCSP
if
(
s
->
tlsext_status_type
==
TLSEXT_STATUSTYPE_ocsp
)
{
int
i
;
long
extlen
,
idlen
,
itmp
;
...
...
@@ -1390,6 +1391,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if
(
extlen
>
0
)
i2d_X509_EXTENSIONS
(
s
->
tlsext_ocsp_exts
,
&
ret
);
}
#endif
#ifndef OPENSSL_NO_HEARTBEATS
if
(
SSL_IS_DTLS
(
s
))
{
/* Add Heartbeat extension */
...
...
@@ -2128,14 +2130,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
}
}
}
else
if
(
type
==
TLSEXT_TYPE_status_request
)
{
const
unsigned
char
*
ext_data
;
if
(
!
PACKET_get_1
(
&
extension
,
(
unsigned
int
*
)
&
s
->
tlsext_status_type
))
{
return
0
;
}
#ifndef OPENSSL_NO_OCSP
if
(
s
->
tlsext_status_type
==
TLSEXT_STATUSTYPE_ocsp
)
{
const
unsigned
char
*
ext_data
;
PACKET
responder_id_list
,
exts
;
if
(
!
PACKET_get_length_prefixed_2
(
&
extension
,
&
responder_id_list
))
return
0
;
...
...
@@ -2192,10 +2194,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
return
0
;
}
}
/*
* We don't know what to do with any other type * so ignore it.
*/
}
else
{
}
else
#endif
{
/*
* We don't know what to do with any other type so ignore it.
*/
s
->
tlsext_status_type
=
-
1
;
}
}
...
...
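Review bot: The `else` that now sits directly before `#endif` in `ssl_scan_clienthello_tlsext` is easy to misread. In an OPENSSL_NO_OCSP build the braces after it become an unconditional block, so every status_request, including type `TLSEXT_STATUSTYPE_ocsp`, has `tlsext_status_type` forced to -1 and its responder-id list and extensions are never parsed or length-checked. That looks like the intended behaviour, but the retained comment only speaks of "any other type"; I would widen it to `/* Unknown type, or OCSP support compiled out: ignore the request. */`. The function begins and ends outside the hunks shown, so how the remaining bytes of the extension are consumed cannot be confirmed from here.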
test/recipes/70-test_sslcertstatus.t
...
...
@@ -69,6 +69,9 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled"
plan
skip_all
=>
"
$test_name
needs the sock feature enabled
"
if
disabled
("
sock
");
plan
skip_all
=>
"
$test_name
needs the ocsp feature enabled
"
if
disabled
("
ocsp
");
$ENV
{
OPENSSL_ia32cap
}
=
'
~0x200000200000000
';
my
$proxy
=
TLSProxy::
Proxy
->
new
(
\
&certstatus_filter
,
...
...
test/recipes/80-test_ocsp.t
...
...
@@ -7,9 +7,13 @@ use POSIX;
use
File::Spec::
Functions
qw/devnull catfile/
;
use
File::
Copy
;
use
OpenSSL::
Test
qw/:DEFAULT with pipe srctop_dir/
;
use
OpenSSL::Test::
Utils
;
setup
("
test_ocsp
");
plan
skip_all
=>
"
OCSP is not supported by this OpenSSL build
"
if
disabled
("
ocsp
");
my
$ocspdir
=
srctop_dir
("
test
",
"
ocsp-tests
");
# 17 December 2012 so we don't get certificate expiry errors.
my
@check_time
=
("
-attime
",
"
1355875200
");
...
...