瀏覽代碼
Implement OCSP stapling in TLS 1.3.
Change-Id: Iad572f44448141c5e2be49bf25b42719c625a97a Reviewed-on: https://boringssl-review.googlesource.com/8812 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>kris/onging/CECPQ3_patch15
David Benjamin
8 年之前
committed by
CQ bot account: commit-bot@chromium.org
CQ bot account: commit-bot@chromium.org
共有 2 個文件被更改,包括 79 次插入 和 14 次删除
分割檢視
Diff Options
-
+47 -11ssl/t1_lib.c
-
+32 -3ssl/test/runner/runner.go
+ 47
- 11
ssl/t1_lib.c
查看文件
| @@ -1184,11 +1184,36 @@ static int ext_ocsp_parse_serverhello(SSL *ssl, uint8_t *out_alert, | |||
| return 1; | |||
| } | |||
| if (CBS_len(contents) != 0) { | |||
| /* OCSP stapling is forbidden on a non-certificate cipher. */ | |||
| if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { | |||
| return 0; | |||
| } | |||
| if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { | |||
| if (CBS_len(contents) != 0) { | |||
| return 0; | |||
| } | |||
| ssl->s3->tmp.certificate_status_expected = 1; | |||
| return 1; | |||
| } | |||
| uint8_t status_type; | |||
| CBS ocsp_response; | |||
| if (!CBS_get_u8(contents, &status_type) || | |||
| status_type != TLSEXT_STATUSTYPE_ocsp || | |||
| !CBS_get_u24_length_prefixed(contents, &ocsp_response) || | |||
| CBS_len(&ocsp_response) == 0 || | |||
| CBS_len(contents) != 0) { | |||
| return 0; | |||
| } | |||
| if (!CBS_stow(&ocsp_response, &ssl->session->ocsp_response, | |||
| &ssl->session->ocsp_response_length)) { | |||
| *out_alert = SSL_AD_INTERNAL_ERROR; | |||
| return 0; | |||
| } | |||
| ssl->s3->tmp.certificate_status_expected = 1; | |||
| return 1; | |||
| } | |||
| @@ -1211,21 +1236,32 @@ static int ext_ocsp_parse_clienthello(SSL *ssl, uint8_t *out_alert, | |||
| } | |||
| static int ext_ocsp_add_serverhello(SSL *ssl, CBB *out) { | |||
| if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { | |||
| if (!ssl->s3->tmp.ocsp_stapling_requested || | |||
| ssl->ctx->ocsp_response_length == 0 || | |||
| !ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { | |||
| return 1; | |||
| } | |||
| /* The extension shouldn't be sent when resuming sessions. */ | |||
| if (ssl->hit || | |||
| !ssl->s3->tmp.ocsp_stapling_requested || | |||
| ssl->ctx->ocsp_response_length == 0) { | |||
| return 1; | |||
| } | |||
| if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { | |||
| /* The extension shouldn't be sent when resuming sessions. */ | |||
| if (ssl->hit) { | |||
| return 1; | |||
| } | |||
| ssl->s3->tmp.certificate_status_expected = 1; | |||
| ssl->s3->tmp.certificate_status_expected = 1; | |||
| return CBB_add_u16(out, TLSEXT_TYPE_status_request) && | |||
| CBB_add_u16(out, 0 /* length */); | |||
| } | |||
| CBB body, ocsp_response; | |||
| return CBB_add_u16(out, TLSEXT_TYPE_status_request) && | |||
| CBB_add_u16(out, 0 /* length */); | |||
| CBB_add_u16_length_prefixed(out, &body) && | |||
| CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) && | |||
| CBB_add_u24_length_prefixed(&body, &ocsp_response) && | |||
| CBB_add_bytes(&ocsp_response, ssl->ctx->ocsp_response, | |||
| ssl->ctx->ocsp_response_length) && | |||
| CBB_flush(out); | |||
| } | |||
+ 32
- 3
ssl/test/runner/runner.go
查看文件
| @@ -507,7 +507,7 @@ func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool) er | |||
| } | |||
| if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) { | |||
| return fmt.Errorf("OCSP Response mismatch") | |||
| return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse) | |||
| } | |||
| if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) { | |||
| @@ -3204,8 +3204,6 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) { | |||
| }) | |||
| // OCSP stapling tests. | |||
| // | |||
| // TODO(davidben): Test the TLS 1.3 version of OCSP stapling. | |||
| tests = append(tests, testCase{ | |||
| testType: clientTest, | |||
| name: "OCSPStapling-Client", | |||
| @@ -3233,6 +3231,37 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) { | |||
| }, | |||
| resumeSession: true, | |||
| }) | |||
| tests = append(tests, testCase{ | |||
| testType: clientTest, | |||
| name: "OCSPStapling-Client-TLS13", | |||
| config: Config{ | |||
| MaxVersion: VersionTLS13, | |||
| }, | |||
| flags: []string{ | |||
| "-enable-ocsp-stapling", | |||
| "-expect-ocsp-response", | |||
| base64.StdEncoding.EncodeToString(testOCSPResponse), | |||
| "-verify-peer", | |||
| }, | |||
| // TODO(davidben): Enable this when resumption is implemented | |||
| // in TLS 1.3. | |||
| resumeSession: false, | |||
| }) | |||
| tests = append(tests, testCase{ | |||
| testType: serverTest, | |||
| name: "OCSPStapling-Server-TLS13", | |||
| config: Config{ | |||
| MaxVersion: VersionTLS13, | |||
| }, | |||
| expectedOCSPResponse: testOCSPResponse, | |||
| flags: []string{ | |||
| "-ocsp-response", | |||
| base64.StdEncoding.EncodeToString(testOCSPResponse), | |||
| }, | |||
| // TODO(davidben): Enable this when resumption is implemented | |||
| // in TLS 1.3. | |||
| resumeSession: false, | |||
| }) | |||
| // Certificate verification tests. | |||
| for _, vers := range tlsVersions { | |||