This new version returns an error when trying to set the CURLOPT_SSL_VERIFYSTATUS option if the SSL backend doesn't support the status_request extension. I also updated the CURLOPT_SSL_VERIFYSTATUS manpage to reflect this.
Backends that may support the extension implement a Curl_X_cert_status_request function (e.g. Curl_gtls_cert_status_request) and define the macro curlssl_cert_status_request used by the Curl_ssl_cert_status_request function. If the macro is not defined, the backend is assumed to not support the extension, otherwise the function is called. Cheers
From 34ee2099bb56f0a67e721b70073c077b2c4dca2c Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini <[email protected]> Date: Mon, 16 Jun 2014 13:20:47 +0200 Subject: [PATCH 1/4] url: add CURLOPT_SSL_VERIFYSTATUS option This option can be used to enable/disable certificate status verification using the "Certificate Status Request" TLS extension defined in RFC6066 section 8. This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the certificate status verification fails, and the Curl_ssl_cert_status_request() function, used to check whether the SSL backend supports the status_request extension. --- docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 | 53 ++++++++++++++++++++++++++++ include/curl/curl.h | 4 +++ lib/url.c | 11 ++++++ lib/urldata.h | 1 + lib/vtls/vtls.c | 12 +++++++ lib/vtls/vtls.h | 2 ++ 6 files changed, 83 insertions(+) create mode 100644 docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 new file mode 100644 index 0000000..d5217cb --- /dev/null +++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 @@ -0,0 +1,53 @@ +.\" ************************************************************************** +.\" * _ _ ____ _ +.\" * Project ___| | | | _ \| | +.\" * / __| | | | |_) | | +.\" * | (__| |_| | _ <| |___ +.\" * \___|\___/|_| \_\_____| +.\" * +.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al. +.\" * +.\" * This software is licensed as described in the file COPYING, which +.\" * you should have received as part of this distribution. The terms +.\" * are also available at http://curl.haxx.se/docs/copyright.html. +.\" * +.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell +.\" * copies of the Software, and permit persons to whom the Software is +.\" * furnished to do so, under the terms of the COPYING file. +.\" * +.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +.\" * KIND, either express or implied. +.\" * +.\" ************************************************************************** +.\" +.TH CURLOPT_SSL_VERIFYSTATUS 3 "04 Dec 2014" "libcurl 7.40.0" "curl_easy_setopt options" +.SH NAME +CURLOPT_SSL_VERIFYSTATUS \- verify the certificate's status +.SH SYNOPSIS +#include <curl/curl.h> + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_VERIFYSTATUS, long verify); +.SH DESCRIPTION +Pass a long as parameter to enable or disable. + +This option determines whether libcurl verifies the status of the server cert +using the "Certificate Status Request" TLS extension (aka. OCSP stapling). + +Note that if this option is enabled but the server does not support the TLS +extension, the verification will fail. + +.SH DEFAULT +0 +.SH PROTOCOLS +All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. +.SH EXAMPLE +TODO +.SH AVAILABILITY +This is currently only supported by the GnuTLS and NSS TLS backends. +.SH RETURN VALUE +Returns CURLE_OK if OCSP stapling is supported by the SSL backend, otherwise +returns CURLE_NOT_BUILT_IN. +.SH "SEE ALSO" +.BR CURLOPT_SSL_VERIFYHOST "(3), " +.BR CURLOPT_SSL_VERIFYPEER "(3), " +.BR CURLOPT_CAINFO "(3), " diff --git a/include/curl/curl.h b/include/curl/curl.h index 44b1b7e..32fc48b 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -523,6 +523,7 @@ typedef enum { session will be queued */ CURLE_SSL_PINNEDPUBKEYNOTMATCH, /* 90 - specified pinned public key did not match */ + CURLE_SSL_INVALIDCERTSTATUS, /* 91 - invalid certificate status */ CURL_LAST /* never use! */ } CURLcode; @@ -1622,6 +1623,9 @@ typedef enum { /* Path to Unix domain socket */ CINIT(UNIX_SOCKET_PATH, OBJECTPOINT, 231), + /* Set if we should verify the certificate status. */ + CINIT(SSL_VERIFYSTATUS, LONG, 232), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/lib/url.c b/lib/url.c index d3bb5e0..407910c 100644 --- a/lib/url.c +++ b/lib/url.c @@ -1997,6 +1997,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE; break; + case CURLOPT_SSL_VERIFYSTATUS: + /* + * Enable certificate status verifying. + */ + if(!Curl_ssl_cert_status_request()) { + result = CURLE_NOT_BUILT_IN; + break; + } + + data->set.ssl.verifystatus = (0 != va_arg(param, long))?TRUE:FALSE; + break; case CURLOPT_SSL_CTX_FUNCTION: #ifdef have_curlssl_ssl_ctx /* diff --git a/lib/urldata.h b/lib/urldata.h index 5f77470..50a745f 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -366,6 +366,7 @@ struct ssl_config_data { bool verifypeer; /* set TRUE if this is desired */ bool verifyhost; /* set TRUE if CN/SAN must match hostname */ + bool verifystatus; /* set TRUE if certificate status must be checked */ char *CApath; /* certificate dir (doesn't work on windows) */ char *CAfile; /* certificate to verify peer against */ const char *CRLfile; /* CRL to check certificate revocation */ diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index a53ff4a..cf1df24 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -848,4 +848,16 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */ #endif } +/* + * Check whether the SSL backend supports the status_request extension. + */ +bool Curl_ssl_cert_status_request(void) +{ +#ifdef curlssl_cert_status_request + return curlssl_cert_status_request(); +#else + return FALSE; +#endif +} + #endif /* USE_SSL */ diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index 19ef1cd..eedf921 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -116,6 +116,8 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */ CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey, const unsigned char *pubkey, size_t pubkeylen); +bool Curl_ssl_cert_status_request(void); + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ #else -- 2.1.4
From 58097168388887f7ff856bcddbaef30675f38a5e Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini <[email protected]> Date: Mon, 16 Jun 2014 13:21:02 +0200 Subject: [PATCH 2/4] gtls: add support for the Certificate Status Request TLS extension Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP response verfication to fail even on valid responses. --- lib/vtls/gtls.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ lib/vtls/gtls.h | 3 +++ 2 files changed, 47 insertions(+) diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 5d4e48a..27ca691 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -98,6 +98,14 @@ static bool gtls_inited = FALSE; # define HAS_ALPN # endif # endif + +# if (GNUTLS_VERSION_NUMBER >= 0x03020d) +# define HAS_OCSP +# endif +#endif + +#ifdef HAS_OCSP +# include <gnutls/ocsp.h> #endif /* @@ -663,6 +671,16 @@ gtls_connect_step1(struct connectdata *conn, /* lowat must be set to zero when using custom push and pull functions. */ gnutls_transport_set_lowat(session, 0); +#ifdef HAS_OCSP + if(data->set.ssl.verifystatus) { + rc = gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_ocsp_status_request_enable_client() failed: %d", rc); + return CURLE_SSL_CONNECT_ERROR; + } + } +#endif + /* This might be a reconnect, so we check for a session ID in the cache to speed up things */ @@ -822,6 +840,23 @@ gtls_connect_step3(struct connectdata *conn, else infof(data, "\t server certificate verification SKIPPED\n"); +#ifdef HAS_OCSP + if(data->set.ssl.verifystatus) { + if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { + if(verify_status & GNUTLS_CERT_REVOKED) + failf(data, "SSL server certificate was REVOKED\n"); + else + failf(data, "SSL server certificate status verification FAILED"); + + return CURLE_SSL_INVALIDCERTSTATUS; + } + else + infof(data, "SSL server certificate status verification OK\n"); + } + else + infof(data, "SSL server certificate status verification SKIPPED\n"); +#endif + /* initialize an X.509 certificate structure. */ gnutls_x509_crt_init(&x509_cert); @@ -1392,4 +1427,13 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */ #endif } +bool Curl_gtls_cert_status_request(void) +{ +#ifdef HAS_OCSP + return TRUE; +#else + return FALSE; +#endif +} + #endif /* USE_GNUTLS */ diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h index 12460be..d02a366 100644 --- a/lib/vtls/gtls.h +++ b/lib/vtls/gtls.h @@ -53,6 +53,8 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */ unsigned char *md5sum, /* output */ size_t md5len); +bool Curl_gtls_cert_status_request(void); + /* API setup for GnuTLS */ #define curlssl_init Curl_gtls_init #define curlssl_cleanup Curl_gtls_cleanup @@ -70,6 +72,7 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */ #define curlssl_data_pending(x,y) ((void)x, (void)y, 0) #define curlssl_random(x,y,z) Curl_gtls_random(x,y,z) #define curlssl_md5sum(a,b,c,d) Curl_gtls_md5sum(a,b,c,d) +#define curlssl_cert_status_request() Curl_gtls_cert_status_request() #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS #endif /* USE_GNUTLS */ -- 2.1.4
From 38fb2cd0e2b60d8ab34f08564fec1a83d5e782c8 Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini <[email protected]> Date: Tue, 24 Jun 2014 23:25:59 +0200 Subject: [PATCH 3/4] nss: add support for the Certificate Status Request TLS extension Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. This requires NSS 3.15 or higher. --- lib/vtls/nss.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ lib/vtls/nssg.h | 3 +++ 2 files changed, 48 insertions(+) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 37fe480..0dff268 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -639,6 +639,34 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, PRBool isServer) { struct connectdata *conn = (struct connectdata *)arg; + +#ifdef SSL_ENABLE_OCSP_STAPLING + if(conn->data->set.ssl.verifystatus) { + SECStatus cacheResult; + + const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd); + if(!csa) { + failf(conn->data, "Invalid OCSP response"); + return SECFailure; + } + + if(csa->len == 0) { + failf(conn->data, "No OCSP response received"); + return SECFailure; + } + + cacheResult = CERT_CacheOCSPResponseFromSideChannel( + CERT_GetDefaultCertDB(), SSL_PeerCertificate(fd), + PR_Now(), &csa->items[0], arg + ); + + if(cacheResult != SECSuccess) { + failf(conn->data, "Invalid OCSP response"); + return cacheResult; + } + } +#endif + if(!conn->data->set.ssl.verifypeer) { infof(conn->data, "skipping SSL peer certificate verification\n"); return SECSuccess; @@ -1620,6 +1648,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) SSL_SetPKCS11PinArg(connssl->handle, data->set.str[STRING_KEY_PASSWD]); } +#ifdef SSL_ENABLE_OCSP_STAPLING + if(data->set.ssl.verifystatus) { + if(SSL_OptionSet(connssl->handle, SSL_ENABLE_OCSP_STAPLING, PR_TRUE) + != SECSuccess) + goto error; + } +#endif + #ifdef USE_NGHTTP2 if(data->set.httpversion == CURL_HTTP_VERSION_2_0) { #ifdef SSL_ENABLE_NPN @@ -1908,4 +1944,13 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */ PK11_DestroyContext(MD5pw, PR_TRUE); } +bool Curl_nss_cert_status_request(void) +{ +#ifdef SSL_ENABLE_OCSP_STAPLING + return TRUE; +#else + return FALSE; +#endif +} + #endif /* USE_NSS */ diff --git a/lib/vtls/nssg.h b/lib/vtls/nssg.h index 74840e8..963ce4a 100644 --- a/lib/vtls/nssg.h +++ b/lib/vtls/nssg.h @@ -60,6 +60,8 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */ unsigned char *md5sum, /* output */ size_t md5len); +bool Curl_nss_cert_status_request(void); + /* this backend supports the CAPATH option */ #define have_curlssl_ca_path 1 @@ -86,6 +88,7 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */ #define curlssl_data_pending(x,y) ((void)x, (void)y, 0) #define curlssl_random(x,y,z) Curl_nss_random(x,y,z) #define curlssl_md5sum(a,b,c,d) Curl_nss_md5sum(a,b,c,d) +#define curlssl_cert_status_request() Curl_nss_cert_status_request() #define CURL_SSL_BACKEND CURLSSLBACKEND_NSS #endif /* USE_NSS */ -- 2.1.4
From 731aaedce7f9aea243c6c2ec3644c9a3c19af8d7 Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini <[email protected]> Date: Mon, 16 Jun 2014 20:47:26 +0200 Subject: [PATCH 4/4] curl: add --cert-status option This enables the CURLOPT_SSL_VERIFYSTATUS functionality. --- docs/curl.1 | 10 ++++++++++ src/tool_cfgable.h | 1 + src/tool_getparam.c | 5 +++++ src/tool_operate.c | 3 +++ 4 files changed, 19 insertions(+) diff --git a/docs/curl.1 b/docs/curl.1 index 0b9971c..aa4ceb9 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -552,6 +552,16 @@ This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends. If this option is used several times, the last one will be used. (Added in 7.39.0) +.IP "--cert-status" +(SSL) Tells curl to verify the status of the server certificate by using the +Certificate Status Request (aka. OCSP stapling) TLS extension. + +If this option is enabled and the server sends an invalid (e.g. expired) +response, if the response suggests that the server certificate has been revoked, +or no response at all is received, the verification fails. + +This is currently only implemented in the GnuTLS and NSS backends. +(Added in 7.40.0) .IP "-f, --fail" (HTTP) Fail silently (no output at all) on server errors. This is mostly done to better enable scripts etc to better deal with failed attempts. In normal diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index cf8d563..4008cd0 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -126,6 +126,7 @@ struct OperationConfig { bool globoff; bool use_httpget; bool insecure_ok; /* set TRUE to allow insecure SSL connects */ + bool verifystatus; bool create_dirs; bool ftp_create_dirs; bool ftp_skip_ip; diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 3932ccb..ee198c3 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -217,6 +217,7 @@ static const struct LongShort aliases[]= { {"En", "ssl-allow-beast", FALSE}, {"Eo", "login-options", TRUE}, {"Ep", "pinnedpubkey", TRUE}, + {"Eq", "cert-status", FALSE}, {"f", "fail", FALSE}, {"F", "form", TRUE}, {"Fs", "form-string", TRUE}, @@ -1363,6 +1364,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ GetStr(&config->pinnedpubkey, nextarg); break; + case 'q': /* --cert-status */ + config->verifystatus = TRUE; + break; + default: /* certificate file */ { char *certname, *passphrase; diff --git a/src/tool_operate.c b/src/tool_operate.c index a21bbca..04fd59b 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -1038,6 +1038,9 @@ static CURLcode operate_do(struct GlobalConfig *global, /* libcurl default is strict verifyhost -> 2L */ /* my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L); */ } + + if(config->verifystatus) + my_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L); } if(built_in_protos & (CURLPROTO_SCP|CURLPROTO_SFTP)) { -- 2.1.4
signature.asc
Description: Digital signature
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
