url: add CURLOPT_SSL_VERIFYSTATUS option

This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.

This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.

diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3
new file mode 100644 (file)
index 0000000..d5217cb
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3
@@ -0,0 +1,53 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at http://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_SSL_VERIFYSTATUS 3 "04 Dec 2014" "libcurl 7.40.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_SSL_VERIFYSTATUS \- verify the certificate's status
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_VERIFYSTATUS, long verify);
+.SH DESCRIPTION
+Pass a long as parameter to enable or disable.
+
+This option determines whether libcurl verifies the status of the server cert
+using the "Certificate Status Request" TLS extension (aka. OCSP stapling).
+
+Note that if this option is enabled but the server does not support the TLS
+extension, the verification will fail.
+
+.SH DEFAULT
+0
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
+.SH EXAMPLE
+TODO
+.SH AVAILABILITY
+This is currently only supported by the GnuTLS and NSS TLS backends.
+.SH RETURN VALUE
+Returns CURLE_OK if OCSP stapling is supported by the SSL backend, otherwise
+returns CURLE_NOT_BUILT_IN.
+.SH "SEE ALSO"
+.BR CURLOPT_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_SSL_VERIFYPEER "(3), "
+.BR CURLOPT_CAINFO "(3), "

diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index b8b0838b02a6024b3d9fc456544790e21bafa2c8..e9ef3f61c5226567830433509c6b7d6bef8cf872 100644 (file)
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -118,6 +118,7 @@ CURLE_SSL_CRL_BADFILE           7.19.0
 CURLE_SSL_ENGINE_INITFAILED     7.12.3
 CURLE_SSL_ENGINE_NOTFOUND       7.9.3
 CURLE_SSL_ENGINE_SETFAILED      7.9.3
+CURLE_SSL_INVALIDCERTSTATUS     7.41.0
 CURLE_SSL_ISSUER_ERROR          7.19.0
 CURLE_SSL_PEER_CERTIFICATE      7.8           7.17.1
 CURLE_SSL_PINNEDPUBKEYNOTMATCH  7.39.0
@@ -513,6 +514,7 @@ CURLOPT_SSL_OPTIONS             7.25.0
 CURLOPT_SSL_SESSIONID_CACHE     7.16.0
 CURLOPT_SSL_VERIFYHOST          7.8.1
 CURLOPT_SSL_VERIFYPEER          7.4.2
+CURLOPT_SSL_VERIFYSTATUS        7.41.0
 CURLOPT_STDERR                  7.1
 CURLOPT_TCP_KEEPALIVE           7.25.0
 CURLOPT_TCP_KEEPIDLE            7.25.0

diff --git a/include/curl/curl.h b/include/curl/curl.h
index e3688872ec8aa9ac09e8f742f2b8d1eba17b7907..0a326d3bae89b3c099583b913c6cc945c52cffea 100644 (file)
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -523,6 +523,7 @@ typedef enum {
                                     session will be queued */
   CURLE_SSL_PINNEDPUBKEYNOTMATCH, /* 90 - specified pinned public key did not
                                      match */
+  CURLE_SSL_INVALIDCERTSTATUS,   /* 91 - invalid certificate status */
   CURL_LAST /* never use! */
 } CURLcode;
 
@@ -1622,6 +1623,9 @@ typedef enum {
   /* Path to Unix domain socket */
   CINIT(UNIX_SOCKET_PATH, OBJECTPOINT, 231),
 
+  /* Set if we should verify the certificate status. */
+  CINIT(SSL_VERIFYSTATUS, LONG, 232),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 

diff --git a/lib/strerror.c b/lib/strerror.c
index b85b56839cfa3832be3290ce31463c191b6d3ec8..56e43856313edb0d98ed0118a45d4935d1c0765e 100644 (file)
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 2004 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2004 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -301,6 +301,9 @@ curl_easy_strerror(CURLcode error)
   case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
     return "SSL public key does not match pinned public key";
 
+  case CURLE_SSL_INVALIDCERTSTATUS:
+    return "SSL server certificate status verification FAILED";
+
     /* error codes not used by current libcurl */
   case CURLE_OBSOLETE20:
   case CURLE_OBSOLETE24:

diff --git a/lib/url.c b/lib/url.c
index d3bb5e0116e502dfe126333cb805cd8a4499dcc7..407910cc2d94b003e0fa82ba8d3c5339786439d6 100644 (file)
--- a/lib/url.c
+++ b/lib/url.c
@@ -1997,6 +1997,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
 
     data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE;
     break;
+  case CURLOPT_SSL_VERIFYSTATUS:
+    /*
+     * Enable certificate status verifying.
+     */
+    if(!Curl_ssl_cert_status_request()) {
+      result = CURLE_NOT_BUILT_IN;
+      break;
+    }
+
+    data->set.ssl.verifystatus = (0 != va_arg(param, long))?TRUE:FALSE;
+    break;
   case CURLOPT_SSL_CTX_FUNCTION:
 #ifdef have_curlssl_ssl_ctx
     /*

diff --git a/lib/urldata.h b/lib/urldata.h
index 5f774704ae5b6d1c25d4d20660f022fb232b55db..50a745f112ea3a148628aabcf3339b39f35d4c9d 100644 (file)
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -366,6 +366,7 @@ struct ssl_config_data {
 
   bool verifypeer;       /* set TRUE if this is desired */
   bool verifyhost;       /* set TRUE if CN/SAN must match hostname */
+  bool verifystatus;     /* set TRUE if certificate status must be checked */
   char *CApath;          /* certificate dir (doesn't work on windows) */
   char *CAfile;          /* certificate to verify peer against */
   const char *CRLfile;   /* CRL to check certificate revocation */

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index a53ff4ad6f2a78fc06b717dddb81630d7befa12b..cf1df24e46dddbf0502a3959e576699229661925 100644 (file)
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -848,4 +848,16 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */
 #endif
 }
 
+/*
+ * Check whether the SSL backend supports the status_request extension.
+ */
+bool Curl_ssl_cert_status_request(void)
+{
+#ifdef curlssl_cert_status_request
+  return curlssl_cert_status_request();
+#else
+  return FALSE;
+#endif
+}
+
 #endif /* USE_SSL */

diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index 19ef1cd6eac9215dea0189d2abd70f2d42bfab58..eedf9212c371cbb089909d0a9e5757ff9fde7027 100644 (file)
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -116,6 +116,8 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */
 CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey,
                               const unsigned char *pubkey, size_t pubkeylen);
 
+bool Curl_ssl_cert_status_request(void);
+
 #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
 
 #else