From: Matt Caswell Date: Mon, 21 Mar 2016 16:54:53 +0000 (+0000) Subject: Fix no-ocsp X-Git-Tag: OpenSSL_1_1_0-pre5~121 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=3e41ac35281827b59e55d51058cf6bb086c1f2b5 Fix no-ocsp Misc fixes for no-ocsp Reviewed-by: Rich Salz --- diff --git a/apps/ocsp.c b/apps/ocsp.c index 574ed8c67f..24d88da5c3 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -55,8 +55,12 @@ * Hudson (tjh@cryptsoft.com). * */ -#ifndef OPENSSL_NO_OCSP +#include + +#ifdef OPENSSL_NO_OCSP +NON_EMPTY_TRANSLATION_UNIT +#else # ifdef OPENSSL_SYS_VMS # define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined * on OpenVMS */ @@ -69,8 +73,9 @@ # include # include # include -# include "apps.h" /* needs to be included before the openssl - * headers! */ + +/* Needs to be included before the openssl headers */ +# include "apps.h" # include # include # include diff --git a/apps/s_client.c b/apps/s_client.c index 5b4cd4839f..b180dbc1cb 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -207,7 +207,9 @@ static int c_ign_eof = 0; static int c_brief = 0; static void print_stuff(BIO *berr, SSL *con, int full); +#ifndef OPENSSL_NO_OCSP static int ocsp_resp_cb(SSL *s, void *arg); +#endif static int saved_errno; @@ -757,7 +759,9 @@ OPTIONS s_client_options[] = { "Set TLS extension servername in ClientHello"}, {"tlsextdebug", OPT_TLSEXTDEBUG, '-', "Hex dump of all TLS extensions received"}, +#ifndef OPENSSL_NO_OCSP {"status", OPT_STATUS, '-', "Request certificate status from server"}, +#endif {"serverinfo", OPT_SERVERINFO, 's', "types Send empty ClientHello extensions (comma-separated numbers)"}, {"alpn", OPT_ALPN, 's', 
@@ -1888,11 +1892,13 @@ int s_client_main(int argc, char **argv) SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_c_out); } +#ifndef OPENSSL_NO_OCSP if (c_status_req) { SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); } +#endif SSL_set_bio(con, sbio, sbio); SSL_set_connect_state(con); @@ -2736,6 +2742,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) (void)BIO_flush(bio); } +# ifndef OPENSSL_NO_OCSP static int ocsp_resp_cb(SSL *s, void *arg) { const unsigned char *p; @@ -2759,5 +2766,6 @@ static int ocsp_resp_cb(SSL *s, void *arg) OCSP_RESPONSE_free(rsp); return 1; } +# endif #endif diff --git a/apps/s_server.c b/apps/s_server.c index 08acc476a7..e0aa2ae4f8 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -230,7 +230,6 @@ static BIO *bio_s_msg = NULL; static int s_debug = 0; static int s_tlsextdebug = 0; static int s_tlsextstatus = 0; -static int cert_status_cb(SSL *s, void *arg); static int no_resume_ephemeral = 0; static int s_msg = 0; static int s_quiet = 0; @@ -604,6 +603,7 @@ typedef struct tlsextstatusctx_st { static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 }; +#ifndef OPENSSL_NO_OCSP /* * Certificate Status callback. This is called when a client includes a * certificate status request extension. This is a simplified version. It @@ -717,6 +717,7 @@ static int cert_status_cb(SSL *s, void *arg) ret = SSL_TLSEXT_ERR_ALERT_FATAL; goto done; } +#endif #ifndef OPENSSL_NO_NEXTPROTONEG /* This is the context that we pass to next_proto_cb */ 
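Review bot: Deleting the `cert_status_cb` forward declaration (s_server.c hunk at line 230) makes definition order load-bearing: the now-guarded definition in the hunks at lines 603 and 717 has to stay above its use in the hunk at line 2014, whereas s_client.c solves the same no-ocsp problem by wrapping its `ocsp_resp_cb` prototype in a guard. Keeping the declaration under the same guard would be consistent between the two apps and remove the ordering dependency: `#ifndef OPENSSL_NO_OCSP` / `static int cert_status_cb(SSL *s, void *arg);` / `#endif`.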
@@ -919,12 +920,14 @@ OPTIONS s_server_options[] = { "CA file for certificate verification (PEM format)"}, {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"}, {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"}, +#ifndef OPENSSL_NO_OCSP {"status", OPT_STATUS, '-', "Request certificate status from server"}, {"status_verbose", OPT_STATUS_VERBOSE, '-', "Print more output in certificate status callback"}, {"status_timeout", OPT_STATUS_TIMEOUT, 'n', "Status request responder timeout"}, {"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"}, +#endif #ifndef OPENSSL_NO_SSL_TRACE {"trace", OPT_TRACE, '-', "trace protocol messages"}, #endif @@ -1323,6 +1326,7 @@ int s_server_main(int argc, char *argv[]) tlscstatp.timeout = atoi(opt_arg()); break; case OPT_STATUS_URL: +#ifndef OPENSSL_NO_OCSP s_tlsextstatus = 1; if (!OCSP_parse_url(opt_arg(), &tlscstatp.host, @@ -1331,6 +1335,7 @@ int s_server_main(int argc, char *argv[]) BIO_printf(bio_err, "Error parsing URL\n"); goto end; } +#endif break; case OPT_MSG: s_msg = 1; @@ -2009,6 +2014,7 @@ int s_server_main(int argc, char *argv[]) if (ctx2) SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); } +#ifndef OPENSSL_NO_OCSP if (s_tlsextstatus) { SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); @@ -2017,6 +2023,7 @@ int s_server_main(int argc, char *argv[]) SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp); } } +#endif BIO_printf(bio_s_out, "ACCEPT\n"); (void)BIO_flush(bio_s_out); diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index 78cdd5bb06..f939db702e 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -132,7 +132,9 @@ void err_load_crypto_strings_intern(void) # ifndef OPENSSL_NO_ENGINE ERR_load_ENGINE_strings(); # endif +# ifndef OPENSSL_NO_OCSP ERR_load_OCSP_strings(); +# endif #ifndef OPENSSL_NO_UI ERR_load_UI_strings(); #endif 
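Review bot: With OPENSSL_NO_OCSP the `case OPT_STATUS_URL:` in the s_server.c hunk at line 1326 compiles to an empty case that only breaks, while the neighbouring status cases stay unguarded (the visible `OPT_STATUS_TIMEOUT` case still writes `tlscstatp.timeout`); this is only coherent because the options hunk at line 920 drops the `-status*` table entries so none of those cases can be reached. That cross-hunk coupling deserves a comment inside the guard, e.g. `/* -status_url is only registered when OCSP is enabled (see s_server_options) */`, or the whole run of status cases could be guarded together. The option switch of s_server_main starts and ends outside the hunk.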
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index c370ba94bb..0f28c58f2b 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -103,11 +103,13 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) &x->sig_alg, &x->signature, &x->cert_info, ctx); } +#ifndef OPENSSL_NO_OCSP int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert) { return OCSP_REQ_CTX_nbio_d2i(rctx, (ASN1_VALUE **)pcert, ASN1_ITEM_rptr(X509)); } +#endif int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) { @@ -137,12 +139,14 @@ int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) &x->crl, ctx); } +#ifndef OPENSSL_NO_OCSP int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl) { return OCSP_REQ_CTX_nbio_d2i(rctx, (ASN1_VALUE **)pcrl, ASN1_ITEM_rptr(X509_CRL)); } +#endif int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) { diff --git a/include/openssl/x509.h b/include/openssl/x509.h index ae2fb1dabf..b7123d09c1 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -408,12 +408,16 @@ int X509_signature_print(BIO *bp, X509_ALGOR *alg, ASN1_STRING *sig); int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx); +# ifndef OPENSSL_NO_OCSP int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert); +# endif int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx); int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx); +# ifndef OPENSSL_NO_OCSP int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl); +# endif int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_pubkey_digest(const X509 *data, const EVP_MD *type, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e6511895ce..6875f384b1 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
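Review bot: Guarding `X509_http_nbio` and `X509_CRL_http_nbio` in x_all.c (hunks at lines 103 and 139) and x509.h (hunk at line 408) makes two public libcrypto entry points conditional on the ocsp feature, so a consumer calling them now needs its own `OPENSSL_NO_OCSP` check and a no-ocsp build exports a different symbol set. If this tree already maintains a generated export list with per-feature tags, those two entries presumably need the same tag; that cannot be confirmed from the diff. A comment at the x509.h declarations, `/* Require OCSP support: these wrap OCSP_REQ_CTX_nbio_d2i() */`, would tell API users why the prototypes disappear.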
@@ -1057,7 +1057,9 @@ void SSL_free(SSL *s) OPENSSL_free(s->tlsext_ellipticcurvelist); #endif /* OPENSSL_NO_EC */ sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); +#ifndef OPENSSL_NO_OCSP sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); +#endif #ifndef OPENSSL_NO_CT SCT_LIST_free(s->scts); OPENSSL_free(s->tlsext_scts); @@ -3951,6 +3953,7 @@ static int ct_extract_tls_extension_scts(SSL *s) */ static int ct_extract_ocsp_response_scts(SSL *s) { +#ifndef OPENSSL_NO_OCSP int scts_extracted = 0; const unsigned char *p; OCSP_BASICRESP *br = NULL; @@ -3987,6 +3990,10 @@ err: OCSP_BASICRESP_free(br); OCSP_RESPONSE_free(rsp); return scts_extracted; +#else + /* Behave as if no OCSP response exists */ + return 0; +#endif } /* diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index a20e85fb4b..6e7b5edbc4 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1347,6 +1347,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, ret += salglen; } +#ifndef OPENSSL_NO_OCSP if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { int i; long extlen, idlen, itmp; @@ -1390,6 +1391,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, if (extlen > 0) i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); } +#endif #ifndef OPENSSL_NO_HEARTBEATS if (SSL_IS_DTLS(s)) { /* Add Heartbeat extension */ @@ -2128,14 +2130,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) } } } else if (type == TLSEXT_TYPE_status_request) { - const unsigned char *ext_data; - if (!PACKET_get_1(&extension, (unsigned int *)&s->tlsext_status_type)) { return 0; } +#ifndef OPENSSL_NO_OCSP if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { + const unsigned char *ext_data; PACKET responder_id_list, exts; if (!PACKET_get_length_prefixed_2(&extension, &responder_id_list)) return 0; 
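Review bot: In the SSL_free hunk at line 1057 `s->tlsext_ocsp_ids` is no longer released when OPENSSL_NO_OCSP is set, while the neighbouring `tlsext_ocsp_exts` list still is; this is leak-free only as long as nothing populates the ids list in such a build, which appears to hold because the ClientHello parser in t1_lib.c (hunk at line 2130) is guarded by the same commit. That invariant lives in another file, so a comment on the guard, `/* tlsext_ocsp_ids is never populated without OCSP support (see ssl_scan_clienthello_tlsext) */`, would protect the next refactor. In the ct_extract_ocsp_response_scts hunks (lines 3953 and 3990) the `#else` branch leaves `s` unused, which may trigger an unused-parameter warning depending on the project's warning flags; `(void)s;` before the `return 0;` avoids that.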
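Review bot: In the ssl_add_clienthello_tlsext hunk at line 1347 a client that still sets `tlsext_status_type` to `TLSEXT_STATUSTYPE_ocsp` in a no-ocsp build now silently sends no status_request extension; if the setter remains available in that configuration (the diff guards only s_client's use of it, not the API itself), callers get no indication of the degradation. A comment on the guard, `/* No OCSP support: the status_request extension is never sent, whatever tlsext_status_type holds */`, makes that explicit. ssl_add_clienthello_tlsext starts and ends outside the hunk.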
@@ -2192,10 +2194,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) return 0; } } - /* - * We don't know what to do with any other type * so ignore it. - */ - } else { + } else +#endif + { + /* + * We don't know what to do with any other type so ignore it. + */ s->tlsext_status_type = -1; } } diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t index d2bc280770..298f6da7fd 100755 --- a/test/recipes/70-test_sslcertstatus.t +++ b/test/recipes/70-test_sslcertstatus.t @@ -69,6 +69,9 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); +plan skip_all => "$test_name needs the ocsp feature enabled" + if disabled("ocsp"); + $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&certstatus_filter, diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t index 43087f9fd1..ae4bf857f3 100644 --- a/test/recipes/80-test_ocsp.t +++ b/test/recipes/80-test_ocsp.t @@ -7,9 +7,13 @@ use POSIX; use File::Spec::Functions qw/devnull catfile/; use File::Copy; use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/; +use OpenSSL::Test::Utils; setup("test_ocsp"); +plan skip_all => "OCSP is not supported by this OpenSSL build" + if disabled("ocsp"); + my $ocspdir=srctop_dir("test", "ocsp-tests"); # 17 December 2012 so we don't get certificate expiry errors. my @check_time=("-attime", "1355875200");
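Review bot: The `} else` / `#endif` / `{` arrangement in the t1_lib.c hunk at line 2194 is valid C, but a preprocessor directive sitting between `else` and its brace is easy to misread and easy to break on the next edit, and the matching `if` lives in the preceding hunk (line 2130) so the pairing is not visible here. Moving the comment up so it covers both configurations, `/* Unknown status type, or OCSP support compiled out: ignore the request */`, placed directly above the `{`, would make the structure self-explanatory. ssl_scan_clienthello_tlsext starts and ends outside the hunk.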