From 280de4151512482d629060d5a4aadc538ef1fe9f Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 6 Oct 2017 12:18:21 -0700
Subject: [PATCH] Improvement to `wolfSSL_SetOCSP_Cb` to set the context per WOLFSSL object (callback functions are same). Adding API unit tests next.
---
 src/internal.c | 16 ++++------------
 src/ocsp.c | 29 +++++++++++++++++++++--------
 src/ssl.c | 9 ++++++---
 src/tls.c | 4 ----
 wolfssl/internal.h | 15 +++++++++------
 wolfssl/ocsp.h | 6 ++++--
 wolfssl/wolfcrypt/asn.h | 3 ---
 7 files changed, 44 insertions(+), 38 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index dce0ff717..99bf1bad1 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -8232,8 +8232,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) {
 WOLFSSL_MSG("Doing Non Leaf OCSP check");
- ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
- NULL);
+ ret = CheckCertOCSP_ex(ssl->ctx->cm->ocsp,
+ args->dCert, NULL, ssl);
 #ifdef WOLFSSL_ASYNC_CRYPT
 /* non-blocking socket re-entry requires async */
 if (ret == WANT_READ) {
@@ -8403,8 +8403,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #ifdef HAVE_OCSP
 if (doLookup && ssl->ctx->cm->ocspEnabled) {
 WOLFSSL_MSG("Doing Leaf OCSP check");
- ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
- NULL);
+ ret = CheckCertOCSP_ex(ssl->ctx->cm->ocsp,
+ args->dCert, NULL, ssl);
 #ifdef WOLFSSL_ASYNC_CRYPT
 /* non-blocking socket re-entry requires async */
 if (ret == WANT_READ) {
@@ -13492,9 +13492,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
 }
 if (ret == 0) {
- #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 request->ssl = ssl;
- #endif
 ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
 &response);
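Review bot: `request->ssl = ssl;` in SendCertificateStatus now executes in every build, and the -13710 hunk shows `request` being taken from `ssl->ctx->chainOcspRequest[i]`, i.e. an OcspRequest owned by the CTX and shared by every connection on it; if the -13492, -13598 and -13681 hunks take `request` from the same CTX-level storage (its origin is outside these hunks), two connections stapling at the same time can overwrite each other's `ssl` before CheckOcspRequest reads it back, and one connection's OCSP I/O would then be issued with the other connection's ocspIOCtx. Before this commit the write was confined to the NGINX/HAPROXY builds; it is now unconditional. Either hand `ssl` to CheckOcspRequest as a parameter instead of parking it in the shared request, or at least document the restriction next to the write, e.g. `/* request is CTX-shared: ssl is only valid until another connection's stapling pass */`. SendCertificateStatus begins and ends outside the hunk.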
@@ -13598,9 +13596,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
 }
 if (ret == 0) {
- #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 request->ssl = ssl;
- #endif
 ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
 &responses[0]);
@@ -13681,9 +13677,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
 break;
 }
- #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 request->ssl = ssl;
- #endif
 ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
 &responses[i + 1]);
@@ -13710,9 +13704,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
 else {
 while (ret == 0 && NULL != (request = ssl->ctx->chainOcspRequest[i])) {
- #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 request->ssl = ssl;
- #endif
 ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
 &responses[++i]);
diff --git a/src/ocsp.c b/src/ocsp.c
index 4554b24b0..e0b4be247 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -122,8 +122,7 @@ static int xstat2err(int st)
 }
 }
-
-int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
+int CheckCertOCSP_ex(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer, WOLFSSL* ssl)
 {
 int ret = OCSP_LOOKUP_FAIL;
@@ -147,6 +146,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
 if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce,
 ocsp->cm->heap) == 0) {
+ ocspRequest->ssl = ssl;
 ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer);
 FreeOcspRequest(ocspRequest);
@@ -159,6 +159,10 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
 WOLFSSL_LEAVE("CheckCertOCSP", ret);
 return ret;
 }
+int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
+{
+ return CheckCertOCSP_ex(ocsp, cert, responseBuffer, NULL);
+}
 static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request,
 OcspEntry** entry)
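Review bot: CheckCertOCSP_ex still reports itself as `WOLFSSL_LEAVE("CheckCertOCSP", ret);` (and presumably the matching WOLFSSL_ENTER above the -147 hunk), so debug traces from the renamed function and from the new three-argument CheckCertOCSP wrapper become indistinguishable; change it to `WOLFSSL_LEAVE("CheckCertOCSP_ex", ret);`. The new signature line also runs well past the 80-column width the rest of this file keeps, and the wrapper in the -159 hunk is glued to the previous closing brace with no separating blank line. The `ssl` parameter deserves a one-line contract in a header comment, e.g. `/* ssl: connection performing the lookup, used to pick its ocspIOCtx; NULL for CertManager-level checks */`, since it is only stored on the request after InitOcspRequest succeeds.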
@@ -386,9 +390,14 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 const char* url = NULL;
 int urlSz = 0;
 int ret = -1;
+ WOLFSSL* ssl;
+ void* ioCtx;
 WOLFSSL_ENTER("CheckOcspRequest");
+ if (ocsp == NULL || ocspRequest == NULL)
+ return BAD_FUNC_ARG;
+
 if (responseBuffer) {
 responseBuffer->buffer = NULL;
 responseBuffer->length = 0;
@@ -402,12 +411,16 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 if (ret != OCSP_INVALID_STATUS)
 return ret;
+ /* get SSL and IOCtx */
+ ssl = (WOLFSSL*)ocspRequest->ssl;
+ ioCtx = (ssl && ssl->ocspIOCtx != NULL) ?
+ ssl->ocspIOCtx : ocsp->cm->ocspIOCtx;
+
 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
- if (ocsp->statusCb != NULL && ocspRequest->ssl != NULL) {
- ret = ocsp->statusCb((WOLFSSL*)ocspRequest->ssl, ocsp->cm->ocspIOCtx);
+ if (ocsp->statusCb != NULL && ssl != NULL) {
+ ret = ocsp->statusCb(ssl, ioCtx);
 if (ret == 0) {
- ret = wolfSSL_get_ocsp_response((WOLFSSL*)ocspRequest->ssl,
- &response);
+ ret = wolfSSL_get_ocsp_response(ssl, &response);
 ret = CheckResponse(ocsp, response, ret, responseBuffer, status,
 entry, NULL);
 if (response != NULL)
@@ -442,7 +455,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
 if (requestSz > 0 && ocsp->cm->ocspIOCb) {
- responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
+ responseSz = ocsp->cm->ocspIOCb(ioCtx, url, urlSz,
 request, requestSz, &response);
 }
 if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
@@ -457,7 +470,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 }
 if (response != NULL && ocsp->cm->ocspRespFreeCb)
- ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response);
+ ocsp->cm->ocspRespFreeCb(ioCtx, response);
 WOLFSSL_LEAVE("CheckOcspRequest", ret);
 return ret;
diff --git a/src/ssl.c b/src/ssl.c
index 620b9c52f..6138a4030 100755
--- a/src/ssl.c
+++ b/src/ssl.c
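Review bot: `ssl = (WOLFSSL*)ocspRequest->ssl;` followed by the `ssl->ocspIOCtx` read in the -402 hunk trusts that every OcspRequest reaching this function had its `ssl` member either set or zeroed, but nothing here guarantees it: the member is now unconditional in the struct, the callers touched by this commit set it explicitly, and any other path that fills an OcspRequest without going through an InitOcspRequest that zeroes the whole struct (not visible in this diff) would leave a stale pointer that is then dereferenced and used to choose the I/O context. Worth confirming that InitOcspRequest and the TLSX CSR allocation clear the member, and recording the assumption beside the cast: `/* ocspRequest->ssl is NULL or a live WOLFSSL; callers set it after InitOcspRequest */`. The added `ocsp == NULL || ocspRequest == NULL` guard is a good change; note that it lands after the existing early return on a cached status, which is fine since no I/O context is needed on that path. CheckOcspRequest begins and ends outside these hunks.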
@@ -5901,9 +5901,11 @@ int wolfSSL_SetOCSP_Cb(WOLFSSL* ssl, CbOCSPIO ioCb, CbOCSPRespFree respFreeCb,
 void* ioCbCtx)
 {
 WOLFSSL_ENTER("wolfSSL_SetOCSP_Cb");
- if (ssl)
+ if (ssl) {
+ ssl->ocspIOCtx = ioCbCtx; /* use SSL specific ioCbCtx */
 return wolfSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm,
- ioCb, respFreeCb, ioCbCtx);
+ ioCb, respFreeCb, NULL);
+ }
 else
 return BAD_FUNC_ARG;
 }
@@ -16943,6 +16945,7 @@ WOLFSSL_API void ERR_load_SSL_strings(void)
 }
+#ifdef HAVE_OCSP
 WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s,
 unsigned char **resp)
 {
 if (s == NULL || resp == NULL)
@@ -16963,7 +16966,7 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s,
 return SSL_SUCCESS;
 }
-
+#endif
 long wolfSSL_get_verify_result(const WOLFSSL *ssl)
 {
diff --git a/src/tls.c b/src/tls.c
index 477860c3c..27da0df3f 100755
--- a/src/tls.c
+++ b/src/tls.c
@@ -2355,9 +2355,7 @@ int TLSX_CSR_ForceRequest(WOLFSSL* ssl)
 switch (csr->status_type) {
 case WOLFSSL_CSR_OCSP:
 if (ssl->ctx->cm->ocspEnabled) {
- #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 csr->request.ocsp.ssl = ssl;
- #endif
 return CheckOcspRequest(ssl->ctx->cm->ocsp,
 &csr->request.ocsp, NULL);
 }
@@ -2769,9 +2767,7 @@ int TLSX_CSR2_ForceRequest(WOLFSSL* ssl)
 case WOLFSSL_CSR2_OCSP_MULTI:
 if (ssl->ctx->cm->ocspEnabled) {
- #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 csr2->request.ocsp[0].ssl = ssl;
- #endif
 return CheckOcspRequest(ssl->ctx->cm->ocsp,
 &csr2->request.ocsp[0], NULL);
 }
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 9818ebda7..35ed0639d 100755
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
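Review bot: `wolfSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm, ioCb, respFreeCb, NULL);` installs this connection's callbacks and a NULL context into the certificate manager that every WOLFSSL object on the CTX shares, so a context installed earlier through the CTX-level setter is silently wiped for all other connections, and they will then have their OCSP I/O callback invoked with a NULL ctx via the `ocsp->cm->ocspIOCtx` fallback in CheckOcspRequest. If the intent is only to add a per-SSL context on top of the shared callbacks, leave the manager's context alone: `ioCb, respFreeCb, ssl->ctx->cm->ocspIOCtx);`, or skip the manager call when the callbacks are unchanged. The fact that the callbacks stay CTX-wide while only the context is per-SSL is acknowledged in the commit message but not in the function's API comment, which is where a caller would look for it.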
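Review bot: The definitions of wolfSSL_get_tlsext_status_ocsp_resp and wolfSSL_set_tlsext_status_ocsp_resp in the -16943 and -16963 hunks are now compiled only under HAVE_OCSP, but the header that declares them and any OPENSSL_EXTRA compatibility macros mapping the OpenSSL names onto them are not part of this diff; in an OPENSSL_EXTRA build without HAVE_OCSP those declarations would presumably dangle. Guard the declarations the same way, or keep stub definitions that return an error in that configuration.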
@@ -3417,12 +3417,15 @@ struct WOLFSSL {
 byte expect_session_ticket;
 #endif
 #endif /* HAVE_TLS_EXTENSIONS */
-#ifdef OPENSSL_EXTRA
- byte* ocspResp;
- int ocspRespSz;
-#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
- char* url;
-#endif
+#ifdef HAVE_OCSP
+ void* ocspIOCtx;
+ #ifdef OPENSSL_EXTRA
+ byte* ocspResp;
+ int ocspRespSz;
+ #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+ char* url;
+ #endif
+ #endif
 #endif
 #ifdef HAVE_NETX
 NetX_Ctx nxCtx; /* NetX IO Context */
diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h
index 844ce272e..0f0396af7 100644
--- a/wolfssl/ocsp.h
+++ b/wolfssl/ocsp.h
@@ -49,9 +49,11 @@ WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*);
 WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic);
 WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*,
- WOLFSSL_BUFFER_INFO* responseBuffer);
+ WOLFSSL_BUFFER_INFO* responseBuffer);
+WOLFSSL_LOCAL int CheckCertOCSP_ex(WOLFSSL_OCSP*, DecodedCert*,
+ WOLFSSL_BUFFER_INFO* responseBuffer, WOLFSSL* ssl);
 WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp,
- OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer);
+ OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer);
 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 592ea2b9a..1635bcfd1 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -942,10 +942,7 @@ struct OcspRequest {
 byte nonce[MAX_OCSP_NONCE_SZ];
 int nonceSz;
 void* heap;
-
-#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 void* ssl;
-#endif
 };
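Review bot: `void* ocspIOCtx;` is added without the trailing comment the neighbouring fields carry (`NetX_Ctx nxCtx; /* NetX IO Context */`), and its precedence over the certificate manager's context is only discoverable by reading CheckOcspRequest; suggest `void* ocspIOCtx; /* per-connection OCSP I/O ctx, overrides cm->ocspIOCtx when set */`. Nesting `ocspResp`, `ocspRespSz` and `url` under HAVE_OCSP also means a build with OPENSSL_EXTRA but without HAVE_OCSP no longer has those members, so any reference to them outside this diff that is still guarded by OPENSSL_EXTRA alone (for instance wherever `ocspResp` is released) needs the same guard. Whether the WOLFSSL initialiser zeroes the new member is not visible here; if it does not, `ssl->ocspIOCtx` is read uninitialised in CheckOcspRequest for connections that never call wolfSSL_SetOCSP_Cb.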
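Review bot: CheckCertOCSP_ex is declared with no description of how `ssl` changes behaviour relative to the three-argument CheckCertOCSP, which reads as if the two were interchangeable; a short comment on the declaration would close that gap, e.g. `/* ssl may be NULL; when set, its ocspIOCtx is handed to the OCSP I/O callbacks */`.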
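Review bot: `void* ssl;` becomes an unconditional member of OcspRequest with no comment on what it holds or who owns it, while ocsp.c immediately casts it to `WOLFSSL*` and dereferences it; document the contract on the field, e.g. `void* ssl; /* WOLFSSL* of the connection performing this request, or NULL; not owned */`. Keeping it `void*` rather than a forward-declared `struct WOLFSSL*` is presumably a layering choice between asn.h and the SSL headers, which is worth a word in the same comment so the cast in ocsp.c does not look accidental.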