From 42380793c943a0d9840fd8e16a66e8281b8479ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Fri, 23 Oct 2015 19:25:41 -0300 Subject: [PATCH] adds comparison of OcspRequest and OcspResponse; removes TLS Extension Status Request at context level as specific data is always needed for each session; --- examples/client/client.c | 12 +-- src/internal.c | 48 +++++---- src/ocsp.c | 13 ++- src/ssl.c | 9 -- src/tls.c | 30 +++++- wolfcrypt/src/asn.c | 40 ++++++-- wolfssl/error-ssl.h | 209 ++++++++++++++++++++------------------- wolfssl/internal.h | 5 + wolfssl/ssl.h | 3 - wolfssl/wolfcrypt/asn.h | 19 ++-- 10 files changed, 220 insertions(+), 168 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index b3a11e407..1821a0894 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -946,12 +946,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (wolfSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS) err_sys("UseTruncatedHMAC failed"); #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (statusRequest) - if (wolfSSL_CTX_UseCertificateStatusRequest(ctx, WOLFSSL_CSR_OCSP) - != SSL_SUCCESS) - err_sys("UseCertificateStatusRequest failed"); -#endif #ifdef HAVE_SESSION_TICKET if (wolfSSL_CTX_UseSessionTicket(ctx) != SSL_SUCCESS) err_sys("UseSessionTicket failed"); @@ -988,6 +982,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt); } #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (statusRequest) + if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP) + != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); +#endif tcp_connect(&sockfd, host, port, doDTLS, ssl); diff --git a/src/internal.c b/src/internal.c index f0b998e14..b22fef72a 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -4447,12 +4447,28 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_OCSP) || defined(HAVE_CRL) if (fatal == 0) { - int doCrlLookup = 1; + int doLookup = 1; + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->options.side == WOLFSSL_CLIENT_END) { + switch (ssl->status_request) { + case WOLFSSL_CSR_OCSP: { + OcspRequest* request = + TLSX_CSR_GetRequest(ssl->extensions); + + fatal = InitOcspRequest(request, dCert, 0, NULL, 0); + doLookup = 0; + } + break; + } + } +#endif + #ifdef HAVE_OCSP - if (ssl->ctx->cm->ocspEnabled) { + if (doLookup && ssl->ctx->cm->ocspEnabled) { WOLFSSL_MSG("Doing Leaf OCSP check"); ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); - doCrlLookup = (ret == OCSP_CERT_UNKNOWN); + doLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { WOLFSSL_MSG("\tOCSP Lookup not ok"); fatal = 0; @@ -4461,7 +4477,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif /* HAVE_OCSP */ #ifdef HAVE_CRL - if (doCrlLookup && ssl->ctx->cm->crlEnabled) { + if (doLookup && ssl->ctx->cm->crlEnabled) { WOLFSSL_MSG("Doing Leaf CRL check"); ret = CheckCertCRL(ssl->ctx->cm->crl, dCert); if (ret != 0) { @@ -4469,14 +4485,13 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, fatal = 0; } } -#else - (void)doCrlLookup; #endif /* HAVE_CRL */ + (void)doLookup; } #endif /* HAVE_OCSP || HAVE_CRL */ #ifdef KEEP_PEER_CERT - { + if (fatal == 0) { /* set X509 format for peer cert even if fatal */ int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert); if (copyRet == MEMORY_E) @@ -4801,6 +4816,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) case WOLFSSL_CSR_OCSP: { + OcspRequest* request = TLSX_CSR_GetRequest(ssl->extensions); #ifdef WOLFSSL_SMALL_STACK CertStatus* status; 
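Review bot: In the new `case WOLFSSL_CSR_OCSP` block of DoCertificate, `fatal = InitOcspRequest(request, dCert, 0, NULL, 0);` stores a negative error code in what the surrounding lines use as a flag, and it leaves `ret` untouched. `request` comes from `TLSX_CSR_GetRequest()`, which returns NULL when no status_request extension is stored, so InitOcspRequest can return BAD_FUNC_ARG or MEMORY_E here. How `fatal` and `ret` are reported afterwards is outside the hunk; if `ret` is what the caller sees, something like `ret = InitOcspRequest(request, dCert, 0, NULL, 0); if (ret != 0) fatal = 1;` keeps the real error code. `doLookup = 0` also skips both the OCSP and the CRL lookup on the assumption that a CertificateStatus message will arrive and be verified later. Nothing visible here enforces that, so a comment naming where a missing status message is rejected would help.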
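Review bot: The comment `/* set X509 format for peer cert even if fatal */` in the KEEP_PEER_CERT block now contradicts the new guard `if (fatal == 0)` added in the @@ -4469 hunk. If skipping the copy on failure is intended, reword it, for example `/* set X509 format for peer cert only when no fatal error occurred */`. If callers such as a verify callback still expect `ssl->peerCert` to be populated for a rejected certificate, the guard changes that and should be called out in the commit message. The block continues outside the hunk.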
@@ -4817,12 +4833,6 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; } #endif - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - ssl->status_request_v2 = 0; - break; - } - #endif return BUFFER_ERROR; } while(0); @@ -4844,12 +4854,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, if ((ret = OcspResponseDecode(response)) == 0) { if (response->responseStatus != OCSP_SUCCESSFUL) - ret = FATAL_ERROR; - /* TODO CSR */ - /*else if (CompareOcspReqResp(request, response) != 0) - ret = FATAL_ERROR; */ + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (CompareOcspReqResp(request, response) != 0) + ret = BAD_CERTIFICATE_STATUS_ERROR; else if (response->status->status != CERT_GOOD) - ret = FATAL_ERROR; + ret = BAD_CERTIFICATE_STATUS_ERROR; } *inOutIdx += status_length; @@ -8730,6 +8739,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case UNKNOWN_ALPN_PROTOCOL_NAME_E: return "Unrecognized protocol name Error"; + case BAD_CERTIFICATE_STATUS_ERROR: + return "Bad Certificate Status Message Error"; + case HANDSHAKE_SIZE_ERROR: return "Handshake message too large Error"; diff --git a/src/ocsp.c b/src/ocsp.c index 2b355d988..ae8cb8978 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -227,13 +227,15 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) } #endif - InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, + result = InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, ocspReqBuf, ocspReqSz); - ocspReqSz = EncodeOcspRequest(ocspRequest); - - if (ocsp->cm->ocspIOCb) - result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, + if (result == 0) { + ocspReqSz = EncodeOcspRequest(ocspRequest); + + if (ocsp->cm->ocspIOCb) + result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, ocspReqBuf, ocspReqSz, &ocspRespBuf); + } if (result >= 0 && ocspRespBuf) { XMEMSET(newStatus, 0, sizeof(CertStatus)); 
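Review bot: In the @@ -4844 hunk, `request` reaches `CompareOcspReqResp(request, response)` without a NULL check in the visible lines. It is taken from `TLSX_CSR_GetRequest(ssl->extensions)` in the @@ -4801 hunk, which returns NULL when the extension is not stored. Unless CompareOcspReqResp rejects a NULL request itself (its body is not shown), make the failure explicit with `else if (request == NULL || CompareOcspReqResp(request, response) != 0)`. The comparison is only meaningful if DoCertificate has already filled the request from the leaf certificate, so a one-line comment stating that ordering requirement would help. DoCertificateStatus starts and ends outside the hunk.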
@@ -275,6 +277,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) else result = OCSP_LOOKUP_FAIL; + FreeOcspRequest(ocspRequest); XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); #ifdef WOLFSSL_SMALL_STACK diff --git a/src/ssl.c b/src/ssl.c index 8b5a2efb8..fedee84f3 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -804,15 +804,6 @@ int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type) return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type); } - -int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type) -{ - if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) - return BAD_FUNC_ARG; - - return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type); -} - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ /* Elliptic Curves */ diff --git a/src/tls.c b/src/tls.c index 668951b3a..1b20f96e9 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1900,7 +1900,7 @@ static void TLSX_CSR_Free(CertificateStatusRequest* csr) { switch (csr->status_type) { case WOLFSSL_CSR_OCSP: - /* nothing to release for now... */ + FreeOcspRequest(&csr->data.ocspRequest); break; } 
@@ -1963,14 +1963,38 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, (void) ssl; (void) input; if (!isRequest) { - ssl->status_request = 1; +#ifndef NO_WOLFSSL_CLIENT + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (csr == NULL) + return BUFFER_ERROR; /* unexpected extension */ + + ssl->status_request = csr->status_type; return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ +#endif } return 0; } +void* TLSX_CSR_GetRequest(TLSX* extensions) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (csr) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + return &csr->data.ocspRequest; + break; + } + } + + return NULL; +} + int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type) { CertificateStatusRequest* csr = NULL; @@ -1988,7 +2012,7 @@ int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type) switch (status_type) { case WOLFSSL_CSR_OCSP: - /* nothing to handle for now... */ + ForceZero(&csr->data.ocspRequest, sizeof(OcspRequest)); break; default: diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 0ac8a3b67..7a981d8f2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8848,7 +8848,7 @@ int EncodeOcspRequest(OcspRequest* req) byte issuerKeyArray[MAX_ENCODED_DIG_SZ]; byte snArray[MAX_SN_SZ]; byte extArray[MAX_OCSP_EXT_SZ]; - byte* output = req->dest; + byte* output = req->request; word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; int i; 
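Review bot: In TLSX_CSR_Parse, `ssl->status_request = csr->status_type;` runs before the empty-body check, so a response with non-empty extension_data returns BUFFER_ERROR but leaves the session marked as having negotiated status_request. Validating first, `if (length) return BUFFER_ERROR;`, and assigning afterwards keeps the state unchanged on malformed input. In the new TLSX_CSR_GetRequest, the `break;` after `return &csr->data.ocspRequest;` is unreachable. Returning `void*` also removes type checking at both call sites in src/internal.c, so a comment on the function and on its prototype in wolfssl/internal.h saying that the pointee type depends on `status_type` would document why.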
@@ -8915,21 +8915,41 @@ int EncodeOcspRequest(OcspRequest* req) } -void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, +int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, byte* dest, word32 destSz) { WOLFSSL_ENTER("InitOcspRequest"); + if (req == NULL) + return BAD_FUNC_ARG; + ForceZero(req, sizeof(OcspRequest)); - req->cert = cert; - req->useNonce = useNonce; - req->issuerHash = cert->issuerHash; - req->issuerKeyHash = cert->issuerKeyHash; - req->serial = cert->serial; - req->serialSz = cert->serialSz; - req->dest = dest; - req->destSz = destSz; + if (cert) { + XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE); + XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE); + + req->serial = (byte*)XMALLOC(cert->serialSz, NULL, DYNAMIC_TYPE_OCSP); + if (req->serial == NULL) + return MEMORY_E; + + XMEMCPY(req->serial, cert->serial, cert->serialSz); + req->serialSz = cert->serialSz; + } + + req->useNonce = useNonce; + req->request = dest; + req->requestSz = destSz; + + return 0; +} + +void FreeOcspRequest(OcspRequest* req) +{ + WOLFSSL_ENTER("FreeOcspRequest"); + + if (req && req->serial) + XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP); } diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index f07796079..37952a318 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h 
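Review bot: `ForceZero(req, sizeof(OcspRequest));` in InitOcspRequest overwrites any `serial` buffer a previous InitOcspRequest allocated on the same object, and FreeOcspRequest leaves `req->serial` pointing at freed memory. The per-session request stored in the TLS extension is initialised from DoCertificate and released from TLSX_CSR_Free. If DoCertificate can run more than once on a session (not visible in this patch), the earlier buffer leaks, and any second FreeOcspRequest on the same object frees it twice. Clearing the pointer on release, `XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP); req->serial = NULL;`, makes FreeOcspRequest idempotent. Calling FreeOcspRequest on the extension's request before re-initialising it in DoCertificate would close the leak.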
@@ -30,121 +30,122 @@ #endif enum wolfSSL_ErrorCodes { - INPUT_CASE_ERROR = -301, /* process input state error */ - PREFIX_ERROR = -302, /* bad index to key rounds */ - MEMORY_ERROR = -303, /* out of memory */ - VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */ - VERIFY_MAC_ERROR = -305, /* verify mac problem */ - PARSE_ERROR = -306, /* parse error on header */ - UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */ - SOCKET_ERROR_E = -308, /* error state on socket */ - SOCKET_NODATA = -309, /* expected data, not there */ - INCOMPLETE_DATA = -310, /* don't have enough data to + INPUT_CASE_ERROR = -301, /* process input state error */ + PREFIX_ERROR = -302, /* bad index to key rounds */ + MEMORY_ERROR = -303, /* out of memory */ + VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */ + VERIFY_MAC_ERROR = -305, /* verify mac problem */ + PARSE_ERROR = -306, /* parse error on header */ + UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */ + SOCKET_ERROR_E = -308, /* error state on socket */ + SOCKET_NODATA = -309, /* expected data, not there */ + INCOMPLETE_DATA = -310, /* don't have enough data to complete task */ - UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */ - DECRYPT_ERROR = -312, /* error during decryption */ - FATAL_ERROR = -313, /* recvd alert fatal error */ - ENCRYPT_ERROR = -314, /* error during encryption */ - FREAD_ERROR = -315, /* fread problem */ - NO_PEER_KEY = -316, /* need peer's key */ - NO_PRIVATE_KEY = -317, /* need the private key */ - RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */ - NO_DH_PARAMS = -319, /* server missing DH params */ - BUILD_MSG_ERROR = -320, /* build message failure */ + UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */ + DECRYPT_ERROR = -312, /* error during decryption */ + FATAL_ERROR = -313, /* recvd alert fatal error */ + ENCRYPT_ERROR = -314, /* error during encryption */ + FREAD_ERROR = -315, /* fread problem */ + NO_PEER_KEY = -316, /* need peer's key */ 
+ NO_PRIVATE_KEY = -317, /* need the private key */ + RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */ + NO_DH_PARAMS = -319, /* server missing DH params */ + BUILD_MSG_ERROR = -320, /* build message failure */ - BAD_HELLO = -321, /* client hello malformed */ - DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ - WANT_READ = -323, /* want read, call again */ - NOT_READY_ERROR = -324, /* handshake layer not ready */ - PMS_VERSION_ERROR = -325, /* pre m secret version error */ - VERSION_ERROR = -326, /* record layer version error */ - WANT_WRITE = -327, /* want write, call again */ - BUFFER_ERROR = -328, /* malformed buffer input */ - VERIFY_CERT_ERROR = -329, /* verify cert error */ - VERIFY_SIGN_ERROR = -330, /* verify sign error */ - CLIENT_ID_ERROR = -331, /* psk client identity error */ - SERVER_HINT_ERROR = -332, /* psk server hint error */ - PSK_KEY_ERROR = -333, /* psk key error */ - ZLIB_INIT_ERROR = -334, /* zlib init error */ - ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */ - ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */ + BAD_HELLO = -321, /* client hello malformed */ + DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ + WANT_READ = -323, /* want read, call again */ + NOT_READY_ERROR = -324, /* handshake layer not ready */ + PMS_VERSION_ERROR = -325, /* pre m secret version error */ + VERSION_ERROR = -326, /* record layer version error */ + WANT_WRITE = -327, /* want write, call again */ + BUFFER_ERROR = -328, /* malformed buffer input */ + VERIFY_CERT_ERROR = -329, /* verify cert error */ + VERIFY_SIGN_ERROR = -330, /* verify sign error */ + CLIENT_ID_ERROR = -331, /* psk client identity error */ + SERVER_HINT_ERROR = -332, /* psk server hint error */ + PSK_KEY_ERROR = -333, /* psk key error */ + ZLIB_INIT_ERROR = -334, /* zlib init error */ + ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */ + ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */ - GETTIME_ERROR = -337, /* 
gettimeofday failed ??? */ - GETITIMER_ERROR = -338, /* getitimer failed ??? */ - SIGACT_ERROR = -339, /* sigaction failed ??? */ - SETITIMER_ERROR = -340, /* setitimer failed ??? */ - LENGTH_ERROR = -341, /* record layer length error */ - PEER_KEY_ERROR = -342, /* can't decode peer key */ - ZERO_RETURN = -343, /* peer sent close notify */ - SIDE_ERROR = -344, /* wrong client/server type */ - NO_PEER_CERT = -345, /* peer didn't send key */ - NTRU_KEY_ERROR = -346, /* NTRU key error */ - NTRU_DRBG_ERROR = -347, /* NTRU drbg error */ - NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */ - NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */ - ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */ - ECC_CURVE_ERROR = -351, /* Bad ECC Curve */ - ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */ - ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */ - ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */ - ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */ - NOT_CA_ERROR = -357, /* Not a CA cert error */ - BAD_PATH_ERROR = -358, /* Bad path for opendir */ - BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */ - OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ - CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ - CRL_MISSING = -362, /* CRL Not loaded */ - MONITOR_RUNNING_E = -363, /* CRL Monitor already running */ - THREAD_CREATE_E = -364, /* Thread Create Error */ - OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */ - OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */ - OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */ - MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */ - COOKIE_ERROR = -369, /* dtls cookie error */ - SEQUENCE_ERROR = -370, /* dtls sequence error */ - SUITES_ERROR = -371, /* suites pointer error */ - SSL_NO_PEM_HEADER = -372, /* no PEM header found */ - OUT_OF_ORDER_E = -373, /* out of order message */ - BAD_KEA_TYPE_E = -374, /* bad KEA type found */ - SANITY_CIPHER_E = -375, /* sanity check on cipher error */ - 
RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */ - GEN_COOKIE_E = -377, /* Generate Cookie Error */ - NO_PEER_VERIFY = -378, /* Need peer cert verify Error */ - FWRITE_ERROR = -379, /* fwrite problem */ - CACHE_MATCH_ERROR = -380, /* chache hdr match error */ - UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */ - UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */ - KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */ - KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */ - EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */ - SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */ - SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */ - SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */ - SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */ - SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */ - SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */ - NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */ - SANITY_MSG_E = -394, /* Sanity check on msg order error */ - DUPLICATE_MSG_E = -395, /* Duplicate message error */ - SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */ - SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */ + GETTIME_ERROR = -337, /* gettimeofday failed ??? */ + GETITIMER_ERROR = -338, /* getitimer failed ??? */ + SIGACT_ERROR = -339, /* sigaction failed ??? */ + SETITIMER_ERROR = -340, /* setitimer failed ??? 
*/ + LENGTH_ERROR = -341, /* record layer length error */ + PEER_KEY_ERROR = -342, /* can't decode peer key */ + ZERO_RETURN = -343, /* peer sent close notify */ + SIDE_ERROR = -344, /* wrong client/server type */ + NO_PEER_CERT = -345, /* peer didn't send key */ + NTRU_KEY_ERROR = -346, /* NTRU key error */ + NTRU_DRBG_ERROR = -347, /* NTRU drbg error */ + NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */ + NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */ + ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */ + ECC_CURVE_ERROR = -351, /* Bad ECC Curve */ + ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */ + ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */ + ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */ + ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */ + NOT_CA_ERROR = -357, /* Not a CA cert error */ + BAD_PATH_ERROR = -358, /* Bad path for opendir */ + BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */ + OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ + CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ + CRL_MISSING = -362, /* CRL Not loaded */ + MONITOR_RUNNING_E = -363, /* CRL Monitor already running */ + THREAD_CREATE_E = -364, /* Thread Create Error */ + OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */ + OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */ + OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */ + MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */ + COOKIE_ERROR = -369, /* dtls cookie error */ + SEQUENCE_ERROR = -370, /* dtls sequence error */ + SUITES_ERROR = -371, /* suites pointer error */ + SSL_NO_PEM_HEADER = -372, /* no PEM header found */ + OUT_OF_ORDER_E = -373, /* out of order message */ + BAD_KEA_TYPE_E = -374, /* bad KEA type found */ + SANITY_CIPHER_E = -375, /* sanity check on cipher error */ + RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */ + GEN_COOKIE_E = -377, /* Generate Cookie Error */ + NO_PEER_VERIFY = -378, /* Need peer cert verify Error */ + FWRITE_ERROR = 
-379, /* fwrite problem */ + CACHE_MATCH_ERROR = -380, /* chache hdr match error */ + UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */ + UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */ + KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */ + KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */ + EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */ + SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */ + SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */ + SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */ + SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */ + SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */ + SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */ + NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */ + SANITY_MSG_E = -394, /* Sanity check on msg order error */ + DUPLICATE_MSG_E = -395, /* Duplicate message error */ + SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */ + SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */ - BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */ - BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */ - BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */ + BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */ + BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */ + BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */ - DH_KEY_SIZE_E = -401, /* DH Key too small */ - SNI_ABSENT_ERROR = -402, /* No SNI request. */ - RSA_SIGN_FAULT = -403, /* RSA Sign fault */ - HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */ + DH_KEY_SIZE_E = -401, /* DH Key too small */ + SNI_ABSENT_ERROR = -402, /* No SNI request. 
*/ + RSA_SIGN_FAULT = -403, /* RSA Sign fault */ + HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */ UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/ + BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */ /* add strings to SetErrorString !!!!! */ /* begin negotiation parameter errors */ - UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */ - MATCH_SUITE_ERROR = -501 /* can't match cipher suite */ + UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */ + MATCH_SUITE_ERROR = -501 /* can't match cipher suite */ /* end negotiation parameter errors only 10 for now */ /* add strings to SetErrorString !!!!! */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 63d4d177b..dce8acbbd 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1576,10 +1576,15 @@ WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); typedef struct { byte status_type; + union { + OcspRequest ocspRequest; + } data; } CertificateStatusRequest; WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type); +WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); + #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index b507df897..24bbfb0f3 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1419,9 +1419,6 @@ enum { WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, unsigned char status_type); -WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, - unsigned char status_type); - #endif #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 48e0412c2..290d312f3 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
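Review bot: In wolfssl/internal.h, `CertificateStatusRequest` now embeds `OcspRequest ocspRequest` by value, so the full `struct OcspRequest` definition must be visible whenever HAVE_CERTIFICATE_STATUS_REQUEST is defined. Whether wolfssl/wolfcrypt/asn.h exposes that struct without HAVE_OCSP cannot be seen in this patch. If it is guarded, a build that enables the extension without OCSP would fail to compile, and an explicit `#error` next to the typedef or a configure-time check would state the dependency. The surrounding `#ifdef` opens outside the hunk.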
@@ -707,27 +707,26 @@ struct OcspResponse { struct OcspRequest { - DecodedCert* cert; + byte issuerHash[KEYID_SIZE]; + byte issuerKeyHash[KEYID_SIZE]; + byte* serial; /* copy of the serial number in source cert; OWNED */ + int serialSz; - byte useNonce; byte nonce[MAX_OCSP_NONCE_SZ]; int nonceSz; + byte useNonce; - byte* issuerHash; /* pointer to issuerHash in source cert */ - byte* issuerKeyHash; /* pointer to issuerKeyHash in source cert */ - byte* serial; /* pointer to serial number in source cert */ - int serialSz; /* length of the serial number */ - - byte* dest; /* pointer to the destination ASN.1 buffer */ - word32 destSz; /* length of the destination buffer */ + byte* request; /* pointer to the destination ASN.1 buffer; NOT OWNED */ + word32 requestSz; /* length of the destination buffer */ }; WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*); -WOLFSSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*, +WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, byte*, word32); +WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*); WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*);