authortb <tb@openbsd.org>2020-10-13 18:25:35 +0000
committertb <tb@openbsd.org>2020-10-13 18:25:35 +0000
commit7b6095445728dad7d8b132daf6e00f89170b1ae2 (patch)
tree5c37f16415c3ffe30c0f703951448e246db254aa
parentsetitimer(2): zero itv.it_interval if itv.it_value is zero (diff)
Make sure an OCSP query sends a host header
While OCSP uses HTTP/1.0, where a Host header is optional, some widely used OCSP responders return 400 Bad Request if it is missing. Add such a header unless one is already provided in the user's custom headers. OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68 (both commits are under the old license). ok inoguchi
-rw-r--r--usr.bin/openssl/ocsp.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/usr.bin/openssl/ocsp.c b/usr.bin/openssl/ocsp.c
index 3f01416053d..f954d9697b6 100644
--- a/usr.bin/openssl/ocsp.c
+++ b/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.20 2020/10/08 23:46:57 beck Exp $ */
+/* $OpenBSD: ocsp.c,v 1.21 2020/10/13 18:25:35 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@@ -97,7 +97,8 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
- STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout);
+ STACK_OF(CONF_VALUE) *headers, const char *host, OCSP_REQUEST *req,
+ int req_timeout);
static struct {
int accept_count;
@@ -1408,11 +1409,12 @@ send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
static OCSP_RESPONSE *
query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers,
- OCSP_REQUEST *req, int req_timeout)
+ const char *host, OCSP_REQUEST *req, int req_timeout)
{
int fd;
int rv;
int i;
+ int have_host = 0;
OCSP_REQ_CTX *ctx = NULL;
OCSP_RESPONSE *rsp = NULL;
struct pollfd pfd[1];
@@ -1449,10 +1451,17 @@ query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers,
for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+ if (strcasecmp("host", hdr->name) == 0)
+ have_host = 1;
if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
goto err;
}
+ if (!have_host) {
+ if (!OCSP_REQ_CTX_add1_header(ctx, "Host", host))
+ goto err;
+ }
+
if (!OCSP_REQ_CTX_set1_req(ctx, req))
goto err;
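Review bot: The fallback header added at `OCSP_REQ_CTX_add1_header(ctx, "Host", host)` carries only the host name and never the port, yet RFC 7230 §5.4 requires the port in Host whenever it is not the scheme's default, so a responder reached on a non-default port may still answer 400, which is the failure this commit sets out to avoid. process_responder (outside this hunk, visible in the later hunk) already holds the parsed port alongside host, so threading it into query_responder and sending `host:port` when the port differs from 80/443 would close that gap. If `host` can be NULL on the caller's side (the URL parsing is not visible in this diff), the fallback should be guarded as `if (!have_host && host != NULL)` rather than handing a NULL value to OCSP_REQ_CTX_add1_header. strcasecmp comes from <strings.h>; whether ocsp.c already includes it cannot be seen here. query_responder's body continues past the end of the hunk.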
@@ -1513,7 +1522,7 @@ process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path,
sbio = BIO_new_ssl(ctx, 1);
cbio = BIO_push(sbio, cbio);
}
- resp = query_responder(err, cbio, path, headers, req, req_timeout);
+ resp = query_responder(err, cbio, path, headers, host, req, req_timeout);
if (!resp)
BIO_printf(bio_err, "Error querying OCSP responder\n");