Merge pull request #1174 from dgarske/ocsp_cb_ctx

Improvement to `wolfSSL_SetOCSP_Cb` to allow context per WOLFSSL object
This commit is contained in:
toddouska
2017-10-12 10:02:49 -07:00
committed by GitHub
7 changed files with 44 additions and 38 deletions


@ -8265,8 +8265,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ssl->ctx->cm->ocspEnabled &&
ssl->ctx->cm->ocspCheckAll) {
WOLFSSL_MSG("Doing Non Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
NULL);
ret = CheckCertOCSP_ex(ssl->ctx->cm->ocsp,
args->dCert, NULL, ssl);
#ifdef WOLFSSL_ASYNC_CRYPT
/* non-blocking socket re-entry requires async */
if (ret == WANT_READ) {
@ -8442,8 +8442,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef HAVE_OCSP
if (doLookup && ssl->ctx->cm->ocspEnabled) {
WOLFSSL_MSG("Doing Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
NULL);
ret = CheckCertOCSP_ex(ssl->ctx->cm->ocsp,
args->dCert, NULL, ssl);
#ifdef WOLFSSL_ASYNC_CRYPT
/* non-blocking socket re-entry requires async */
if (ret == WANT_READ) {
@ -13537,9 +13537,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
}
if (ret == 0) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
&response);
@ -13643,9 +13641,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
}
if (ret == 0) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
&responses[0]);
@ -13726,9 +13722,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
break;
}
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling,
request, &responses[i + 1]);
@ -13755,9 +13749,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
else {
while (ret == 0 &&
NULL != (request = ssl->ctx->chainOcspRequest[i])) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling,
request, &responses[++i]);
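Review bot: `request->ssl = ssl;` in these SendCertificateStatus hunks now stores a per-connection pointer into an OcspRequest that belongs to the CTX (`ssl->ctx->chainOcspRequest[i]` in the last hunk), and with the `#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)` guards gone the write happens in every build. If a CTX is shared by several WOLFSSL objects on different threads (the CTX/CertManager split suggests it is), concurrent handshakes race on this field and CheckOcspRequest may read another connection's pointer, or one that has since been freed, and hand its `ocspIOCtx` to the IO callbacks. Consider passing the WOLFSSL* to CheckOcspRequest as an argument, the way CheckCertOCSP_ex does for a request it owns, instead of stashing it in a shared object; at minimum add `/* request is CTX-shared: ssl is only valid for the duration of this call */` next to the assignment. SendCertificateStatus starts and ends outside these hunks.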


@ -122,8 +122,7 @@ static int xstat2err(int st)
}
}
int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
int CheckCertOCSP_ex(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer, WOLFSSL* ssl)
{
int ret = OCSP_LOOKUP_FAIL;
@ -147,6 +146,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce,
ocsp->cm->heap) == 0) {
ocspRequest->ssl = ssl;
ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer);
FreeOcspRequest(ocspRequest);
@ -159,6 +159,10 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
WOLFSSL_LEAVE("CheckCertOCSP", ret);
return ret;
}
int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
{
return CheckCertOCSP_ex(ocsp, cert, responseBuffer, NULL);
}
static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request,
OcspEntry** entry)
@ -386,9 +390,14 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
const char* url = NULL;
int urlSz = 0;
int ret = -1;
WOLFSSL* ssl;
void* ioCtx;
WOLFSSL_ENTER("CheckOcspRequest");
if (ocsp == NULL || ocspRequest == NULL)
return BAD_FUNC_ARG;
if (responseBuffer) {
responseBuffer->buffer = NULL;
responseBuffer->length = 0;
@ -402,12 +411,16 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
if (ret != OCSP_INVALID_STATUS)
return ret;
/* get SSL and IOCtx */
ssl = (WOLFSSL*)ocspRequest->ssl;
ioCtx = (ssl && ssl->ocspIOCtx != NULL) ?
ssl->ocspIOCtx : ocsp->cm->ocspIOCtx;
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
if (ocsp->statusCb != NULL && ocspRequest->ssl != NULL) {
ret = ocsp->statusCb((WOLFSSL*)ocspRequest->ssl, ocsp->cm->ocspIOCtx);
if (ocsp->statusCb != NULL && ssl != NULL) {
ret = ocsp->statusCb(ssl, ioCtx);
if (ret == 0) {
ret = wolfSSL_get_ocsp_response((WOLFSSL*)ocspRequest->ssl,
&response);
ret = wolfSSL_get_ocsp_response(ssl, &response);
ret = CheckResponse(ocsp, response, ret, responseBuffer, status,
entry, NULL);
if (response != NULL)
@ -442,7 +455,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
if (requestSz > 0 && ocsp->cm->ocspIOCb) {
responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
responseSz = ocsp->cm->ocspIOCb(ioCtx, url, urlSz,
request, requestSz, &response);
}
if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
@ -457,7 +470,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
}
if (response != NULL && ocsp->cm->ocspRespFreeCb)
ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response);
ocsp->cm->ocspRespFreeCb(ioCtx, response);
WOLFSSL_LEAVE("CheckOcspRequest", ret);
return ret;
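Review bot: `WOLFSSL_LEAVE("CheckCertOCSP", ret);` now sits inside CheckCertOCSP_ex, so debug traces for the new function report the old name; change it to `WOLFSSL_LEAVE("CheckCertOCSP_ex", ret);` (the matching WOLFSSL_ENTER is above the hunk and presumably needs the same edit). In CheckOcspRequest the new `ioCtx` selection falls back to the CertManager context whenever `ssl->ocspIOCtx` is NULL, so a caller cannot use a NULL per-SSL context to opt out of a CTX-wide one; if that is intended, say so at the selection: `/* per-SSL ctx wins; NULL means inherit cm->ocspIOCtx */`. The function also trusts that whoever filled `ocspRequest->ssl` (a `void*`) set it to a live WOLFSSL or left it NULL — worth stating in the function's header comment, since the same field is also set on CTX-owned requests elsewhere in this change.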


@ -5901,9 +5901,11 @@ int wolfSSL_SetOCSP_Cb(WOLFSSL* ssl,
CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx)
{
WOLFSSL_ENTER("wolfSSL_SetOCSP_Cb");
if (ssl)
if (ssl) {
ssl->ocspIOCtx = ioCbCtx; /* use SSL specific ioCbCtx */
return wolfSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm,
ioCb, respFreeCb, ioCbCtx);
ioCb, respFreeCb, NULL);
}
else
return BAD_FUNC_ARG;
}
@ -16943,6 +16945,7 @@ WOLFSSL_API void ERR_load_SSL_strings(void)
}
#ifdef HAVE_OCSP
WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp)
{
if (s == NULL || resp == NULL)
@ -16963,7 +16966,7 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s,
return SSL_SUCCESS;
}
#endif
long wolfSSL_get_verify_result(const WOLFSSL *ssl)
{
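Review bot: wolfSSL_SetOCSP_Cb still installs `ioCb` and `respFreeCb` on `ssl->ctx->cm`, which is shared by every WOLFSSL created from the CTX, and the new call passes `NULL` as the context, so a per-connection call now clears whatever ioCbCtx was installed CTX-wide; every other connection without an `ocspIOCtx` of its own then receives NULL in its callbacks. Only the context is per-SSL after this change, not the callbacks, which the function name suggests. Either keep the shared context intact, e.g. `wolfSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm, ioCb, respFreeCb, ssl->ctx->cm->ocspIOCtx);`, or document the limitation at the definition: `/* ioCbCtx is per-SSL; ioCb/respFreeCb replace the callbacks for all SSL objects sharing this CTX */`.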


@ -2355,9 +2355,7 @@ int TLSX_CSR_ForceRequest(WOLFSSL* ssl)
switch (csr->status_type) {
case WOLFSSL_CSR_OCSP:
if (ssl->ctx->cm->ocspEnabled) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
csr->request.ocsp.ssl = ssl;
#endif
return CheckOcspRequest(ssl->ctx->cm->ocsp,
&csr->request.ocsp, NULL);
}
@ -2769,9 +2767,7 @@ int TLSX_CSR2_ForceRequest(WOLFSSL* ssl)
case WOLFSSL_CSR2_OCSP_MULTI:
if (ssl->ctx->cm->ocspEnabled) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
csr2->request.ocsp[0].ssl = ssl;
#endif
return CheckOcspRequest(ssl->ctx->cm->ocsp,
&csr2->request.ocsp[0], NULL);
}


@ -3423,12 +3423,15 @@ struct WOLFSSL {
byte expect_session_ticket;
#endif
#endif /* HAVE_TLS_EXTENSIONS */
#ifdef OPENSSL_EXTRA
byte* ocspResp;
int ocspRespSz;
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
char* url;
#endif
#ifdef HAVE_OCSP
void* ocspIOCtx;
#ifdef OPENSSL_EXTRA
byte* ocspResp;
int ocspRespSz;
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
char* url;
#endif
#endif
#endif
#ifdef HAVE_NETX
NetX_Ctx nxCtx; /* NetX IO Context */
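Review bot: the new `ocspIOCtx` member has no comment, and its meaning — a per-SSL override that CheckOcspRequest prefers over the CertManager's context only when non-NULL — is discoverable only from ocsp.c; add `void* ocspIOCtx; /* per-SSL OCSP IO callback ctx from wolfSSL_SetOCSP_Cb; NULL = use cm->ocspIOCtx */`. The fallback also relies on the member being zeroed when the WOLFSSL is initialised; that presumably happens in InitSSL, which is outside this diff, so confirm it rather than assuming a fresh object reads as NULL.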


@ -49,9 +49,11 @@ WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*);
WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic);
WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*,
WOLFSSL_BUFFER_INFO* responseBuffer);
WOLFSSL_BUFFER_INFO* responseBuffer);
WOLFSSL_LOCAL int CheckCertOCSP_ex(WOLFSSL_OCSP*, DecodedCert*,
WOLFSSL_BUFFER_INFO* responseBuffer, WOLFSSL* ssl);
WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp,
OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer);
OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer);
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
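Review bot: the new `CheckCertOCSP_ex` prototype does not say what `ssl` is for or whether it may be NULL; CheckCertOCSP passes NULL, so it clearly may. Add above it `/* ssl: optional WOLFSSL whose ocspIOCtx and status callback are used; NULL falls back to the CertManager-wide settings */`, so callers outside ocsp.c do not have to read CheckOcspRequest to learn the contract.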


@ -942,10 +942,7 @@ struct OcspRequest {
byte nonce[MAX_OCSP_NONCE_SZ];
int nonceSz;
void* heap;
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
void* ssl;
#endif
};
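Review bot: `void* ssl` is now an unconditional member of OcspRequest but carries no comment, and it is a non-owning pointer that callers fill immediately before CheckOcspRequest and that can go stale when the request outlives the connection, which looks to be the case for the CTX-level `chainOcspRequest` entries used in internal.c. Add `void* ssl; /* WOLFSSL* using this request; not owned, valid only during CheckOcspRequest; NULL when none */`. The struct's opening is outside the hunk.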