diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index f3ba21121..784c3bed4 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -4,9 +4,13 @@ EXTRA_DIST += \ certs/ocsp/index-ca-and-intermediate-cas.txt \ + certs/ocsp/index-ca-and-intermediate-cas.txt.attr \ certs/ocsp/index-intermediate1-ca-issued-certs.txt \ + certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr \ + certs/ocsp/index-intermediate2-ca-issued-certs.txt \ + certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr \ certs/ocsp/index-intermediate3-ca-issued-certs.txt \ - certs/ocsp/index-intermediate3-ca-issued-certs.txt \ + certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr \ certs/ocsp/openssl.cnf \ certs/ocsp/intermediate1-ca-key.pem \ certs/ocsp/intermediate1-ca-cert.pem \ diff --git a/certs/ocsp/index-ca-and-intermediate-cas.txt.attr b/certs/ocsp/index-ca-and-intermediate-cas.txt.attr new file mode 100644 index 000000000..3a7e39e6e --- /dev/null +++ b/certs/ocsp/index-ca-and-intermediate-cas.txt.attr @@ -0,0 +1 @@ +unique_subject = no diff --git a/certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr b/certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr new file mode 100644 index 000000000..3a7e39e6e --- /dev/null +++ b/certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr @@ -0,0 +1 @@ +unique_subject = no diff --git a/certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr b/certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr new file mode 100644 index 000000000..3a7e39e6e --- /dev/null +++ b/certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr @@ -0,0 +1 @@ +unique_subject = no diff --git a/certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr b/certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr new file mode 100644 index 000000000..3a7e39e6e --- /dev/null +++ b/certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr @@ -0,0 +1 @@ +unique_subject = no 
diff --git a/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh deleted file mode 100755 index eecd81b58..000000000 --- a/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22221 -nmin 1 \ - -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ - -rsigner certs/ocsp/intermediate1-ca-cert.pem \ - -rkey certs/ocsp/intermediate1-ca-key.pem \ - -CA certs/ocsp/intermediate1-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh deleted file mode 100755 index debfd63bb..000000000 --- a/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22221 -nmin 1 \ - -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate1-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh deleted file mode 100755 index 0d06c5be1..000000000 --- a/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22222 -nmin 1 \ - -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate2-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh deleted file mode 100755 index 5e6a5173c..000000000 --- a/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22223 -nmin 1 \ - -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate3-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh deleted file mode 100755 index d3c3bc1ad..000000000 --- a/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22220 -nmin 1 \ - -index certs/ocsp/index-ca-and-intermediate-cas.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/root-ca-cert.pem \ - $@ diff --git a/examples/client/client.c b/examples/client/client.c index f34369ce7..a76379622 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -50,6 +50,11 @@ #define DEFAULT_TIMEOUT_SEC 2 +#define OCSP_STAPLING 1 +#define OCSP_STAPLINGV2 2 +#define OCSP_STAPLINGV2_MULTI 3 +#define OCSP_STAPLING_OPT_MAX OCSP_STAPLINGV2_MULTI + /* Note on using port 0: the client standalone example doesn't utilize the * port 0 port sharing; that is used by (1) the server in external control * test mode and (2) the testsuite which uses this code and sets up the correct @@ -787,7 +792,7 @@ static void Usage(void) #endif #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - printf("-W Use OCSP Stapling\n"); + printf("-W Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n"); #endif #ifdef ATOMIC_USER printf("-U Atomic User Record Layer Callbacks\n"); @@ -1249,6 +1254,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) statusRequest = atoi(myoptarg); + if (statusRequest > OCSP_STAPLING_OPT_MAX) { + Usage(); + XEXIT_T(MY_EX_USAGE); + } #endif break; 
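Review bot: The new range check after `statusRequest = atoi(myoptarg);` bounds only the upper end, so a negative `-W` value passes Usage() and is rejected only much later by the `default:` branch of the stapling switch, after the context and session have already been created, while a non-numeric argument becomes 0 and silently disables stapling. Tighten it at the parse site: `if (statusRequest < 0 || statusRequest > OCSP_STAPLING_OPT_MAX) {`, and consider `strtol` with an end-pointer check so that `-W 2x` is rejected as well. The `OCSP_STAPLING*` values this compares against are bare `#define`s in the earlier hunk; an enum with a one-line comment that they mirror the `-W` usage text would read better. client_test's body starts and continues outside the hunk.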
@@ -1454,7 +1463,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif if (done) { - printf("external test can't be run in this mode"); + printf("external test can't be run in this mode\n"); ((func_args*)args)->return_code = 0; XEXIT_T(EXIT_SUCCESS); @@ -1986,33 +1995,32 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt); } #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ + defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (statusRequest) { + if (version == 4 && + (statusRequest == OCSP_STAPLINGV2 || \ + statusRequest == OCSP_STAPLINGV2_MULTI)) { + err_sys("Cannot use OCSP Stapling V2 with TLSv1.3"); + } + if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS) err_sys("can't enable OCSP Stapling Certificate Manager"); switch (statusRequest) { - case WOLFSSL_CSR_OCSP: + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + case OCSP_STAPLING: if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP, WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) { wolfSSL_free(ssl); ssl = NULL; wolfSSL_CTX_free(ctx); ctx = NULL; err_sys("UseCertificateStatusRequest failed"); } - break; - } - - wolfSSL_CTX_EnableOCSP(ctx, 0); - } -#endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (statusRequest) { - if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS) - err_sys("can't enable OCSP Stapling Certificate Manager"); - - switch (statusRequest) { - case WOLFSSL_CSR2_OCSP: + #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + case OCSP_STAPLINGV2: if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) { @@ -2021,7 +2029,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err_sys("UseCertificateStatusRequest failed"); } break; - case WOLFSSL_CSR2_OCSP_MULTI: + case OCSP_STAPLINGV2_MULTI: if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP_MULTI, 0) != WOLFSSL_SUCCESS) { 
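Review bot: The TLS 1.3 guard in the @@ -1986 hunk compares `version` against the bare literal 4 and ends `statusRequest == OCSP_STAPLINGV2 || \` with a stray backslash line continuation, which is harmless outside a macro but looks copied from one; more importantly, the sibling error paths in the same switch free `ssl` and `ctx` before calling `err_sys`, and this new path does not. Suggested: drop the backslash, comment the literal (`/* 4 == TLSv1.3 as selected by -v */`), and mirror the teardown with `wolfSSL_free(ssl); ssl = NULL; wolfSSL_CTX_free(ctx); ctx = NULL;` before the `err_sys` call. If `version` can also hold a "use latest" value that resolves to TLS 1.3 only at handshake time, this check would miss that case — worth confirming against the `-v` handling above the hunk. client_test's body starts and ends outside the hunk.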
@@ -2030,7 +2038,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err_sys("UseCertificateStatusRequest failed"); } break; - + #endif + default: + err_sys("Invalid OCSP Stapling option"); } wolfSSL_CTX_EnableOCSP(ctx, 0); diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test index 3b538c9d1..303dd713f 100755 --- a/scripts/ocsp-stapling-with-ca-as-responder.test +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -1,8 +1,14 @@ -#!/bin/sh - +#!/bin/bash # ocsp-stapling.test -trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT +cleanup() +{ + for i in $(jobs -pr) + do + kill -s HUP "$i" + done +} +trap cleanup EXIT INT TERM HUP server=login.live.com ca=certs/external/baltimore-cybertrust-root.pem 
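Review bot: The new `default:` branch is reached both for an out-of-range `-W` value and for a value whose implementation was compiled out (with only HAVE_CERTIFICATE_STATUS_REQUEST_V2 defined there is no `case OCSP_STAPLING:`, so `-W 1` lands here), but the message reports only the first; suggest `err_sys("Invalid or unsupported OCSP Stapling option");` and, as the sibling cases do, freeing `ssl` and `ctx` before it. A short comment above `default:` saying that it also covers options disabled at build time would save the next reader a trip through the `#ifdef`s. client_test's body continues outside the hunk.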
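Review bot: `cleanup()` sends HUP to each running job but never waits for it, so the script can return while `openssl ocsp` still holds port 22221; a following test that binds the same port may then fail its `jobs -r | wc -l` check and be skipped as a false pass. Add `wait "$i" 2>/dev/null` after the `kill` (or one `wait` after the loop), and consider whether TERM, which the replaced trap used, is the more conventional signal here. The trap runs `cleanup` on INT/TERM and then again on EXIT, which is harmless because `jobs -pr` lists only running jobs. The same cleanup block is duplicated verbatim in the ocsp-stapling.test and ocsp-stapling2.test hunks of this commit; a shared sourced helper would keep the three in step.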
@@ -13,13 +19,26 @@ ca=certs/external/baltimore-cybertrust-root.pem #./scripts/ping.test $server 2 # client test against the server -./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 -RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +# external test case was never running, disable for now but retain case in event +# we wish to re-activate in the future. +#./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 +#RESULT=$? +#[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # setup ocsp responder -./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh & +# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22221 -nmin 1 \ + -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ + -rsigner certs/ocsp/intermediate1-ca-cert.pem \ + -rkey certs/ocsp/intermediate1-ca-key.pem \ + -CA certs/ocsp/intermediate1-ca-cert.pem \ + $@ \ + & + sleep 1 +# "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 # client test against our own server - GOOD CERT diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index 511ae3b00..01173f5f8 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -1,8 +1,15 @@ -#!/bin/sh +#!/bin/bash # ocsp-stapling.test -trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT +cleanup() +{ + for i in $(jobs -pr) + do + kill -s HUP "$i" + done +} +trap cleanup EXIT INT TERM HUP server=login.live.com ca=certs/external/baltimore-cybertrust-root.pem 
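Review bot: The inlined responder invocation passes `$@` unquoted, so any script argument containing whitespace is word-split before reaching `openssl ocsp`, and `$@ \` followed by a lone `&` on the next line is an awkward way to background the command; ocsp-stapling.test in this same commit already does it robustly with `"$@" &`, and the ocsp-stapling2.test hunk repeats the unquoted form for all three responders. Suggested replacement for the last two lines of the command: `"$@" &`. Retaining the disabled external test is reasonable given the comment explaining why, but the commented-out `#RESULT=$?` and exit line add nothing and could go.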
@@ -17,7 +24,7 @@ fi #./scripts/ping.test $server 2 # client test against the server -./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 +./examples/client/client -C -h $server -p 443 -A $ca -g -W 1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 @@ -30,8 +37,18 @@ if [ $? -eq 0 ]; then fi # setup ocsp responder -./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh & +# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22221 -nmin 1 \ + -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate1-ca-cert.pem \ + "$@" & + sleep 1 +# "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 # client test against our own server - GOOD CERT diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index 7a5bed878..028f01f8a 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test 
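Review bot: Dropping `-X` means the client now performs a real handshake with `login.live.com:443` on every run of ocsp-stapling.test, while the sibling ocsp-stapling-with-ca-as-responder.test in this same commit disables that external call with a comment that it was never running; the two scripts now disagree about whether the suite depends on an outside host. If the live check is intended, make its failure a skip rather than a hard failure, so that DNS or outbound-network loss in CI does not fail the whole OCSP stapling suite: change the `&& exit 1` after `Client connection failed` to `&& exit 0`, or gate the call the way the commented `#./scripts/ping.test $server 2` line suggests was once done. A one-line comment above the call stating that it is an intentional live-network test would also help.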
@@ -1,54 +1,91 @@ -#!/bin/sh - +#!/bin/bash # ocsp-stapling.test -trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT +cleanup() +{ + for i in $(jobs -pr) + do + kill -s HUP "$i" + done +} +trap cleanup EXIT INT TERM HUP [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 # setup ocsp responders -./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & -./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & -./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & +# OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22220 -nmin 1 \ + -index certs/ocsp/index-ca-and-intermediate-cas.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/root-ca-cert.pem \ + $@ \ + & + +# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22222 -nmin 1 \ + -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate2-ca-cert.pem \ + $@ \ + & + +# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22223 -nmin 1 \ + -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate3-ca-cert.pem \ + $@ \ + & + sleep 1 +# "jobs" is not portable for posix. Must use bash interpreter! 
[ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 # client test against our own server - GOOD CERTS ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # client test against our own server - REVOKED SERVER CERT ./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 RESULT=$? [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 ./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 RESULT=$? [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 # client test against our own server - REVOKED INTERMEDIATE CERT ./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 RESULT=$? 
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 ./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 RESULT=$? [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 diff --git a/src/internal.c b/src/internal.c index eab007237..bb3997286 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14050,8 +14050,10 @@ int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest, der->length); } - if (request != NULL) + if (request != NULL && ret != 0) { XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); + request = NULL; + } #ifdef WOLFSSL_SMALL_STACK XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); #endif diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a06492227..700e72ccb 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -13351,7 +13351,7 @@ int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, req->serialSz = cert->serialSz; if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { - req->url = (byte*)XMALLOC(cert->extAuthInfoSz, req->heap, + req->url = (byte*)XMALLOC(cert->extAuthInfoSz + 1, req->heap, DYNAMIC_TYPE_OCSP_REQUEST); if (req->url == NULL) { XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP); @@ -13360,6 +13360,7 @@ int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz); req->urlSz = cert->extAuthInfoSz; + req->url[req->urlSz] = 0; } }
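Review bot: Guarding the free with `ret != 0` presumes that on success `request` has been handed over to `*ocspRequest` (or otherwise retained) by code above the hunk; if any `ret == 0` path exists that did not store it, the allocation now leaks, and nothing in the hunk documents the ownership rule. Suggest a comment at the new condition, `/* on success *ocspRequest owns request; free only on failure */`, and confirming the hand-off in the part of CreateOcspResponse above the hunk. Setting `request = NULL` after `XFREE` is a good addition. CreateOcspResponse starts outside the hunk.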
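Review bot: The +1 in the XMALLOC and the `req->url[req->urlSz] = 0;` terminator in the following hunk (@@ -13360) are not explained in the code, and `req->urlSz` deliberately stays at `cert->extAuthInfoSz` without counting the terminator; a comment at the allocation such as `/* +1: NUL-terminate url for C-string consumers; urlSz excludes the terminator */` would stop a later reader from "fixing" either side. Since `extAuthInfo` is copied from the peer certificate's AIA extension, consumers should keep bounding by `urlSz` rather than `strlen()`, which would stop early if the extension content carried an embedded NUL — worth a sentence in the same comment. InitOcspRequest starts outside the hunk.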