Merge pull request #1174 from dgarske/ocsp_cb_ctx

Improvement to `wolfSSL_SetOCSP_Cb` to allow context per WOLFSSL object
This commit is contained in:
toddouska
2017-10-12 10:02:49 -07:00
committed by GitHub
7 changed files with 44 additions and 38 deletions


@ -8265,8 +8265,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ssl->ctx->cm->ocspEnabled && if (ssl->ctx->cm->ocspEnabled &&
ssl->ctx->cm->ocspCheckAll) { ssl->ctx->cm->ocspCheckAll) {
WOLFSSL_MSG("Doing Non Leaf OCSP check"); WOLFSSL_MSG("Doing Non Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert, ret = CheckCertOCSP_ex(ssl->ctx->cm->ocsp,
NULL); args->dCert, NULL, ssl);
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
/* non-blocking socket re-entry requires async */ /* non-blocking socket re-entry requires async */
if (ret == WANT_READ) { if (ret == WANT_READ) {
@ -8442,8 +8442,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (doLookup && ssl->ctx->cm->ocspEnabled) { if (doLookup && ssl->ctx->cm->ocspEnabled) {
WOLFSSL_MSG("Doing Leaf OCSP check"); WOLFSSL_MSG("Doing Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert, ret = CheckCertOCSP_ex(ssl->ctx->cm->ocsp,
NULL); args->dCert, NULL, ssl);
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
/* non-blocking socket re-entry requires async */ /* non-blocking socket re-entry requires async */
if (ret == WANT_READ) { if (ret == WANT_READ) {
@ -13537,9 +13537,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
} }
if (ret == 0) { if (ret == 0) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
request->ssl = ssl; request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
&response); &response);
@ -13643,9 +13641,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
} }
if (ret == 0) { if (ret == 0) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
request->ssl = ssl; request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
&responses[0]); &responses[0]);
@ -13726,9 +13722,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
break; break;
} }
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
request->ssl = ssl; request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling,
request, &responses[i + 1]); request, &responses[i + 1]);
@ -13755,9 +13749,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
else { else {
while (ret == 0 && while (ret == 0 &&
NULL != (request = ssl->ctx->chainOcspRequest[i])) { NULL != (request = ssl->ctx->chainOcspRequest[i])) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
request->ssl = ssl; request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling,
request, &responses[++i]); request, &responses[++i]);
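Review bot: `request->ssl = ssl` at the bottom of the hunk is written into `ssl->ctx->chainOcspRequest[i]`, a request object owned by the CTX and therefore shared by every WOLFSSL created from it, and CheckOcspRequest reads the pointer back out of the request rather than receiving it as an argument. If one CTX serves handshakes on several threads, two connections can interleave the store and the read so that the OCSP callback runs with another connection's `ssl` and `ocspIOCtx`, and the pointer also stays behind in the CTX-owned request after the WOLFSSL is freed. This was already the case for the NGINX/HAPROXY builds, but the commit extends it to every build by dropping the `#if` guards. Passing `ssl` explicitly to CheckOcspRequest (CheckCertOCSP_ex at the top of the hunk already takes it as a parameter) instead of parking it in the shared request would remove the window; at minimum the store should be documented as a borrowed pointer valid only for the duration of the call. SendCertificateStatus's body continues outside the hunk.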


@ -122,8 +122,7 @@ static int xstat2err(int st)
} }
} }
int CheckCertOCSP_ex(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer, WOLFSSL* ssl)
int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
{ {
int ret = OCSP_LOOKUP_FAIL; int ret = OCSP_LOOKUP_FAIL;
@ -147,6 +146,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce,
ocsp->cm->heap) == 0) { ocsp->cm->heap) == 0) {
ocspRequest->ssl = ssl;
ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer); ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer);
FreeOcspRequest(ocspRequest); FreeOcspRequest(ocspRequest);
@ -159,6 +159,10 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
WOLFSSL_LEAVE("CheckCertOCSP", ret); WOLFSSL_LEAVE("CheckCertOCSP", ret);
return ret; return ret;
} }
int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
{
return CheckCertOCSP_ex(ocsp, cert, responseBuffer, NULL);
}
static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request, static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request,
OcspEntry** entry) OcspEntry** entry)
@ -386,9 +390,14 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
const char* url = NULL; const char* url = NULL;
int urlSz = 0; int urlSz = 0;
int ret = -1; int ret = -1;
WOLFSSL* ssl;
void* ioCtx;
WOLFSSL_ENTER("CheckOcspRequest"); WOLFSSL_ENTER("CheckOcspRequest");
if (ocsp == NULL || ocspRequest == NULL)
return BAD_FUNC_ARG;
if (responseBuffer) { if (responseBuffer) {
responseBuffer->buffer = NULL; responseBuffer->buffer = NULL;
responseBuffer->length = 0; responseBuffer->length = 0;
@ -402,12 +411,16 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
if (ret != OCSP_INVALID_STATUS) if (ret != OCSP_INVALID_STATUS)
return ret; return ret;
/* get SSL and IOCtx */
ssl = (WOLFSSL*)ocspRequest->ssl;
ioCtx = (ssl && ssl->ocspIOCtx != NULL) ?
ssl->ocspIOCtx : ocsp->cm->ocspIOCtx;
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
if (ocsp->statusCb != NULL && ocspRequest->ssl != NULL) { if (ocsp->statusCb != NULL && ssl != NULL) {
ret = ocsp->statusCb((WOLFSSL*)ocspRequest->ssl, ocsp->cm->ocspIOCtx); ret = ocsp->statusCb(ssl, ioCtx);
if (ret == 0) { if (ret == 0) {
ret = wolfSSL_get_ocsp_response((WOLFSSL*)ocspRequest->ssl, ret = wolfSSL_get_ocsp_response(ssl, &response);
&response);
ret = CheckResponse(ocsp, response, ret, responseBuffer, status, ret = CheckResponse(ocsp, response, ret, responseBuffer, status,
entry, NULL); entry, NULL);
if (response != NULL) if (response != NULL)
@ -442,7 +455,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
requestSz = EncodeOcspRequest(ocspRequest, request, requestSz); requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
if (requestSz > 0 && ocsp->cm->ocspIOCb) { if (requestSz > 0 && ocsp->cm->ocspIOCb) {
responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, responseSz = ocsp->cm->ocspIOCb(ioCtx, url, urlSz,
request, requestSz, &response); request, requestSz, &response);
} }
if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) { if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
@ -457,7 +470,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
} }
if (response != NULL && ocsp->cm->ocspRespFreeCb) if (response != NULL && ocsp->cm->ocspRespFreeCb)
ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response); ocsp->cm->ocspRespFreeCb(ioCtx, response);
WOLFSSL_LEAVE("CheckOcspRequest", ret); WOLFSSL_LEAVE("CheckOcspRequest", ret);
return ret; return ret;
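Review bot: CheckOcspRequest now reads `ocspRequest->ssl` unconditionally (`ssl = (WOLFSSL*)ocspRequest->ssl;`) and dereferences it for `ssl->ocspIOCtx`, so every OcspRequest that reaches this function must have that field set, including in builds where it previously did not exist. CheckCertOCSP_ex assigns it only after InitOcspRequest succeeds, which is fine for that path, but whether InitOcspRequest zeroes the struct for callers that construct a request without an explicit store is not visible here; if it does not, clearing the field there (`ocspRequest->ssl = NULL;`) would keep this read from following an indeterminate pointer. A smaller nit: the exit trace in CheckCertOCSP_ex still reads `WOLFSSL_LEAVE("CheckCertOCSP", ret);`, so the renamed function logs under the wrapper's name; `WOLFSSL_LEAVE("CheckCertOCSP_ex", ret);` matches the new name. The WOLFSSL_ENTER for that function, and the remainder of CheckOcspRequest, lie outside the hunk.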


@ -5901,9 +5901,11 @@ int wolfSSL_SetOCSP_Cb(WOLFSSL* ssl,
CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx) CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx)
{ {
WOLFSSL_ENTER("wolfSSL_SetOCSP_Cb"); WOLFSSL_ENTER("wolfSSL_SetOCSP_Cb");
if (ssl) if (ssl) {
ssl->ocspIOCtx = ioCbCtx; /* use SSL specific ioCbCtx */
return wolfSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm, return wolfSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm,
ioCb, respFreeCb, ioCbCtx); ioCb, respFreeCb, NULL);
}
else else
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
@ -16943,6 +16945,7 @@ WOLFSSL_API void ERR_load_SSL_strings(void)
} }
#ifdef HAVE_OCSP
WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp) WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp)
{ {
if (s == NULL || resp == NULL) if (s == NULL || resp == NULL)
@ -16963,7 +16966,7 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s,
return SSL_SUCCESS; return SSL_SUCCESS;
} }
#endif
long wolfSSL_get_verify_result(const WOLFSSL *ssl) long wolfSSL_get_verify_result(const WOLFSSL *ssl)
{ {
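Review bot: wolfSSL_SetOCSP_Cb now forwards `NULL` as the CertManager's I/O context while still installing `ioCb`/`respFreeCb` on `ssl->ctx->cm`, which is shared by every WOLFSSL created from the CTX. Assuming wolfSSL_CertManagerSetOCSP_Cb stores the NULL unconditionally (its body is not in this diff), a per-connection call wipes the CTX-level context that sibling connections fall back to in CheckOcspRequest when their own `ocspIOCtx` is NULL, so their callbacks will then run with a NULL context. Preserving the existing value, e.g. `wolfSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm, ioCb, respFreeCb, ssl->ctx->cm->ocspIOCtx)`, keeps the per-SSL context change from leaking into other connections. The function's header comment should also state that only the context is per-WOLFSSL and the callbacks themselves remain CTX-wide, since the new behaviour invites the opposite assumption.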


@ -2355,9 +2355,7 @@ int TLSX_CSR_ForceRequest(WOLFSSL* ssl)
switch (csr->status_type) { switch (csr->status_type) {
case WOLFSSL_CSR_OCSP: case WOLFSSL_CSR_OCSP:
if (ssl->ctx->cm->ocspEnabled) { if (ssl->ctx->cm->ocspEnabled) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
csr->request.ocsp.ssl = ssl; csr->request.ocsp.ssl = ssl;
#endif
return CheckOcspRequest(ssl->ctx->cm->ocsp, return CheckOcspRequest(ssl->ctx->cm->ocsp,
&csr->request.ocsp, NULL); &csr->request.ocsp, NULL);
} }
@ -2769,9 +2767,7 @@ int TLSX_CSR2_ForceRequest(WOLFSSL* ssl)
case WOLFSSL_CSR2_OCSP_MULTI: case WOLFSSL_CSR2_OCSP_MULTI:
if (ssl->ctx->cm->ocspEnabled) { if (ssl->ctx->cm->ocspEnabled) {
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
csr2->request.ocsp[0].ssl = ssl; csr2->request.ocsp[0].ssl = ssl;
#endif
return CheckOcspRequest(ssl->ctx->cm->ocsp, return CheckOcspRequest(ssl->ctx->cm->ocsp,
&csr2->request.ocsp[0], NULL); &csr2->request.ocsp[0], NULL);
} }


@ -3423,12 +3423,15 @@ struct WOLFSSL {
byte expect_session_ticket; byte expect_session_ticket;
#endif #endif
#endif /* HAVE_TLS_EXTENSIONS */ #endif /* HAVE_TLS_EXTENSIONS */
#ifdef OPENSSL_EXTRA #ifdef HAVE_OCSP
byte* ocspResp; void* ocspIOCtx;
int ocspRespSz; #ifdef OPENSSL_EXTRA
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) byte* ocspResp;
char* url; int ocspRespSz;
#endif #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
char* url;
#endif
#endif
#endif #endif
#ifdef HAVE_NETX #ifdef HAVE_NETX
NetX_Ctx nxCtx; /* NetX IO Context */ NetX_Ctx nxCtx; /* NetX IO Context */
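Review bot: The new `void* ocspIOCtx` member of struct WOLFSSL has no comment, unlike its neighbour `nxCtx`, and its meaning is only discoverable from the selection logic in CheckOcspRequest. Suggest `void* ocspIOCtx; /* per-connection OCSP I/O callback context; when non-NULL it overrides the CertManager's ocspIOCtx (see CheckOcspRequest) */`. The member also has to be zeroed wherever WOLFSSL objects are initialized, which is outside this diff; if that initialization does not clear the whole struct, an unset value would be handed to the I/O callback as its context pointer. struct WOLFSSL begins and ends outside the hunk.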


@ -49,9 +49,11 @@ WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*);
WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic); WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic);
WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*, WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*,
WOLFSSL_BUFFER_INFO* responseBuffer); WOLFSSL_BUFFER_INFO* responseBuffer);
WOLFSSL_LOCAL int CheckCertOCSP_ex(WOLFSSL_OCSP*, DecodedCert*,
WOLFSSL_BUFFER_INFO* responseBuffer, WOLFSSL* ssl);
WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp,
OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer); OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer);
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
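Review bot: The new CheckCertOCSP_ex prototype does not say whether `ssl` may be NULL, even though CheckCertOCSP passes NULL through it and the ocsp.c implementation treats NULL as "use the CertManager context". Suggest a one-line comment above the declaration: `/* ssl may be NULL; when set, ssl->ocspIOCtx overrides the CertManager's I/O context for this lookup */`.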


@ -942,10 +942,7 @@ struct OcspRequest {
byte nonce[MAX_OCSP_NONCE_SZ]; byte nonce[MAX_OCSP_NONCE_SZ];
int nonceSz; int nonceSz;
void* heap; void* heap;
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
void* ssl; void* ssl;
#endif
}; };
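Review bot: The `ssl` member of struct OcspRequest is now present in every build and carries no comment, and because it is declared `void*` the compiler will not catch a caller storing anything other than a WOLFSSL* in it. Suggest `void* ssl; /* WOLFSSL* that issued this request, or NULL; borrowed, not owned, and only meaningful for the duration of CheckOcspRequest */` so the pointer's lifetime is explicit for requests that are cached in a CTX and outlive the connection that set it. The earlier members of struct OcspRequest are outside the hunk.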