url: add CURLOPT_SSL_VERIFYSTATUS option

This option can be used to enable/disable certificate status verification using the "Certificate Status Request" TLS extension defined in RFC6066 section 8. This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the certificate status verification fails, and the Curl_ssl_cert_status_request() function, used to check whether the SSL backend supports the status_request extension.
2014-06-16 13:20:47 +02:00
parent 5e113a18c5
commit 3af90a6e19
8 changed files with 89 additions and 1 deletions
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2004 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2004 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -301,6 +301,9 @@ curl_easy_strerror(CURLcode error)
  case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
    return "SSL public key does not match pinned public key";

+  case CURLE_SSL_INVALIDCERTSTATUS:
+    return "SSL server certificate status verification FAILED";
+
    /* error codes not used by current libcurl */
  case CURLE_OBSOLETE20:
  case CURLE_OBSOLETE24:
--- a/lib/url.c
+++ b/lib/url.c
@@ -1997,6 +1997,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,

    data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE;
    break;
+  case CURLOPT_SSL_VERIFYSTATUS:
+    /*
+     * Enable certificate status verifying.
+     */
+    if(!Curl_ssl_cert_status_request()) {
+      result = CURLE_NOT_BUILT_IN;
+      break;
+    }
+
+    data->set.ssl.verifystatus = (0 != va_arg(param, long))?TRUE:FALSE;
+    break;
  case CURLOPT_SSL_CTX_FUNCTION:
 #ifdef have_curlssl_ssl_ctx
    /*
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -366,6 +366,7 @@ struct ssl_config_data {

  bool verifypeer;       /* set TRUE if this is desired */
  bool verifyhost;       /* set TRUE if CN/SAN must match hostname */
+  bool verifystatus;     /* set TRUE if certificate status must be checked */
  char *CApath;          /* certificate dir (doesn't work on windows) */
  char *CAfile;          /* certificate to verify peer against */
  const char *CRLfile;   /* CRL to check certificate revocation */
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -848,4 +848,16 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */
 #endif
 }

+/*
+ * Check whether the SSL backend supports the status_request extension.
+ */
+bool Curl_ssl_cert_status_request(void)
+{
+#ifdef curlssl_cert_status_request
+  return curlssl_cert_status_request();
+#else
+  return FALSE;
+#endif
+}
+
 #endif /* USE_SSL */
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -116,6 +116,8 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */
 CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey,
                              const unsigned char *pubkey, size_t pubkeylen);

+bool Curl_ssl_cert_status_request(void);
+
 #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */

 #else