forked from wolfSSL/wolfssl
adds comparison of OcspRequest and OcspResponse;
removes TLS Extension Status Request at context level as specific data is always needed for each session;
This commit is contained in:
Moisés Guimarães
@@ -946,12 +946,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
|
||||
if (wolfSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS)
|
||||
err_sys("UseTruncatedHMAC failed");
|
||||
#endif
|
||||
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
|
||||
if (statusRequest)
|
||||
if (wolfSSL_CTX_UseCertificateStatusRequest(ctx, WOLFSSL_CSR_OCSP)
|
||||
!= SSL_SUCCESS)
|
||||
err_sys("UseCertificateStatusRequest failed");
|
||||
#endif
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (wolfSSL_CTX_UseSessionTicket(ctx) != SSL_SUCCESS)
|
||||
err_sys("UseSessionTicket failed");
|
||||
@@ -988,6 +982,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
|
||||
wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
|
||||
}
|
||||
#endif
|
||||
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
|
||||
if (statusRequest)
|
||||
if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP)
|
||||
!= SSL_SUCCESS)
|
||||
err_sys("UseCertificateStatusRequest failed");
|
||||
#endif
|
||||
|
||||
tcp_connect(&sockfd, host, port, doDTLS, ssl);
|
||||
|
||||
|
||||
@@ -4447,12 +4447,28 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
|
||||
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
|
||||
if (fatal == 0) {
|
||||
int doCrlLookup = 1;
|
||||
int doLookup = 1;
|
||||
|
||||
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
|
||||
if (ssl->options.side == WOLFSSL_CLIENT_END) {
|
||||
switch (ssl->status_request) {
|
||||
case WOLFSSL_CSR_OCSP: {
|
||||
OcspRequest* request =
|
||||
TLSX_CSR_GetRequest(ssl->extensions);
|
||||
|
||||
fatal = InitOcspRequest(request, dCert, 0, NULL, 0);
|
||||
doLookup = 0;
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OCSP
|
||||
if (ssl->ctx->cm->ocspEnabled) {
|
||||
if (doLookup && ssl->ctx->cm->ocspEnabled) {
|
||||
WOLFSSL_MSG("Doing Leaf OCSP check");
|
||||
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
|
||||
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||
doLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
||||
fatal = 0;
|
||||
@@ -4461,7 +4477,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
#endif /* HAVE_OCSP */
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
if (doCrlLookup && ssl->ctx->cm->crlEnabled) {
|
||||
if (doLookup && ssl->ctx->cm->crlEnabled) {
|
||||
WOLFSSL_MSG("Doing Leaf CRL check");
|
||||
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
|
||||
if (ret != 0) {
|
||||
@@ -4469,14 +4485,13 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
fatal = 0;
|
||||
}
|
||||
}
|
||||
#else
|
||||
(void)doCrlLookup;
|
||||
#endif /* HAVE_CRL */
|
||||
(void)doLookup;
|
||||
}
|
||||
#endif /* HAVE_OCSP || HAVE_CRL */
|
||||
|
||||
#ifdef KEEP_PEER_CERT
|
||||
{
|
||||
if (fatal == 0) {
|
||||
/* set X509 format for peer cert even if fatal */
|
||||
int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert);
|
||||
if (copyRet == MEMORY_E)
|
||||
@@ -4801,6 +4816,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST)
|
||||
|
||||
case WOLFSSL_CSR_OCSP: {
|
||||
OcspRequest* request = TLSX_CSR_GetRequest(ssl->extensions);
|
||||
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
CertStatus* status;
|
||||
@@ -4817,12 +4833,6 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
|
||||
if (ssl->status_request_v2) {
|
||||
ssl->status_request_v2 = 0;
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
return BUFFER_ERROR;
|
||||
} while(0);
|
||||
|
||||
@@ -4844,12 +4854,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
|
||||
if ((ret = OcspResponseDecode(response)) == 0) {
|
||||
if (response->responseStatus != OCSP_SUCCESSFUL)
|
||||
ret = FATAL_ERROR;
|
||||
/* TODO CSR */
|
||||
/*else if (CompareOcspReqResp(request, response) != 0)
|
||||
ret = FATAL_ERROR; */
|
||||
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
||||
else if (CompareOcspReqResp(request, response) != 0)
|
||||
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
||||
else if (response->status->status != CERT_GOOD)
|
||||
ret = FATAL_ERROR;
|
||||
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
||||
}
|
||||
|
||||
*inOutIdx += status_length;
|
||||
@@ -8730,6 +8739,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
|
||||
case UNKNOWN_ALPN_PROTOCOL_NAME_E:
|
||||
return "Unrecognized protocol name Error";
|
||||
|
||||
case BAD_CERTIFICATE_STATUS_ERROR:
|
||||
return "Bad Certificate Status Message Error";
|
||||
|
||||
case HANDSHAKE_SIZE_ERROR:
|
||||
return "Handshake message too large Error";
|
||||
|
||||
|
||||
@@ -227,13 +227,15 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert)
|
||||
}
|
||||
#endif
|
||||
|
||||
InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce,
|
||||
result = InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce,
|
||||
ocspReqBuf, ocspReqSz);
|
||||
if (result == 0) {
|
||||
ocspReqSz = EncodeOcspRequest(ocspRequest);
|
||||
|
||||
if (ocsp->cm->ocspIOCb)
|
||||
result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
|
||||
ocspReqBuf, ocspReqSz, &ocspRespBuf);
|
||||
}
|
||||
|
||||
if (result >= 0 && ocspRespBuf) {
|
||||
XMEMSET(newStatus, 0, sizeof(CertStatus));
|
||||
@@ -275,6 +277,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert)
|
||||
else
|
||||
result = OCSP_LOOKUP_FAIL;
|
||||
|
||||
FreeOcspRequest(ocspRequest);
|
||||
XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER);
|
||||
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
|
||||
@@ -804,15 +804,6 @@ int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type)
|
||||
return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type);
|
||||
}
|
||||
|
||||
|
||||
int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type)
|
||||
{
|
||||
if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type);
|
||||
}
|
||||
|
||||
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
|
||||
|
||||
/* Elliptic Curves */
|
||||
|
||||
30
src/tls.c
30
src/tls.c
@@ -1900,7 +1900,7 @@ static void TLSX_CSR_Free(CertificateStatusRequest* csr)
|
||||
{
|
||||
switch (csr->status_type) {
|
||||
case WOLFSSL_CSR_OCSP:
|
||||
/* nothing to release for now... */
|
||||
FreeOcspRequest(&csr->data.ocspRequest);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -1963,14 +1963,38 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
|
||||
(void) ssl; (void) input;
|
||||
|
||||
if (!isRequest) {
|
||||
ssl->status_request = 1;
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
|
||||
CertificateStatusRequest* csr = extension ? extension->data : NULL;
|
||||
|
||||
if (csr == NULL)
|
||||
return BUFFER_ERROR; /* unexpected extension */
|
||||
|
||||
ssl->status_request = csr->status_type;
|
||||
|
||||
return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */
|
||||
#endif
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void* TLSX_CSR_GetRequest(TLSX* extensions)
|
||||
{
|
||||
TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
|
||||
CertificateStatusRequest* csr = extension ? extension->data : NULL;
|
||||
|
||||
if (csr) {
|
||||
switch (csr->status_type) {
|
||||
case WOLFSSL_CSR_OCSP:
|
||||
return &csr->data.ocspRequest;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type)
|
||||
{
|
||||
CertificateStatusRequest* csr = NULL;
|
||||
@@ -1988,7 +2012,7 @@ int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type)
|
||||
|
||||
switch (status_type) {
|
||||
case WOLFSSL_CSR_OCSP:
|
||||
/* nothing to handle for now... */
|
||||
ForceZero(&csr->data.ocspRequest, sizeof(OcspRequest));
|
||||
break;
|
||||
|
||||
default:
|
||||
|
||||
@@ -8848,7 +8848,7 @@ int EncodeOcspRequest(OcspRequest* req)
|
||||
byte issuerKeyArray[MAX_ENCODED_DIG_SZ];
|
||||
byte snArray[MAX_SN_SZ];
|
||||
byte extArray[MAX_OCSP_EXT_SZ];
|
||||
byte* output = req->dest;
|
||||
byte* output = req->request;
|
||||
word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz;
|
||||
int i;
|
||||
|
||||
@@ -8915,21 +8915,41 @@ int EncodeOcspRequest(OcspRequest* req)
|
||||
}
|
||||
|
||||
|
||||
void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
|
||||
int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
|
||||
byte* dest, word32 destSz)
|
||||
{
|
||||
WOLFSSL_ENTER("InitOcspRequest");
|
||||
|
||||
if (req == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
ForceZero(req, sizeof(OcspRequest));
|
||||
|
||||
req->cert = cert;
|
||||
req->useNonce = useNonce;
|
||||
req->issuerHash = cert->issuerHash;
|
||||
req->issuerKeyHash = cert->issuerKeyHash;
|
||||
req->serial = cert->serial;
|
||||
if (cert) {
|
||||
XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE);
|
||||
XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE);
|
||||
|
||||
req->serial = (byte*)XMALLOC(cert->serialSz, NULL, DYNAMIC_TYPE_OCSP);
|
||||
if (req->serial == NULL)
|
||||
return MEMORY_E;
|
||||
|
||||
XMEMCPY(req->serial, cert->serial, cert->serialSz);
|
||||
req->serialSz = cert->serialSz;
|
||||
req->dest = dest;
|
||||
req->destSz = destSz;
|
||||
}
|
||||
|
||||
req->useNonce = useNonce;
|
||||
req->request = dest;
|
||||
req->requestSz = destSz;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void FreeOcspRequest(OcspRequest* req)
|
||||
{
|
||||
WOLFSSL_ENTER("FreeOcspRequest");
|
||||
|
||||
if (req && req->serial)
|
||||
XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP);
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -139,6 +139,7 @@ enum wolfSSL_ErrorCodes {
|
||||
HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */
|
||||
|
||||
UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/
|
||||
BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */
|
||||
|
||||
/* add strings to SetErrorString !!!!! */
|
||||
|
||||
|
||||
@@ -1576,10 +1576,15 @@ WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions);
|
||||
|
||||
typedef struct {
|
||||
byte status_type;
|
||||
union {
|
||||
OcspRequest ocspRequest;
|
||||
} data;
|
||||
} CertificateStatusRequest;
|
||||
|
||||
WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions,
|
||||
byte status_type);
|
||||
WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions);
|
||||
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
@@ -1419,9 +1419,6 @@ enum {
|
||||
WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl,
|
||||
unsigned char status_type);
|
||||
|
||||
WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx,
|
||||
unsigned char status_type);
|
||||
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
||||
@@ -707,27 +707,26 @@ struct OcspResponse {
|
||||
|
||||
|
||||
struct OcspRequest {
|
||||
DecodedCert* cert;
|
||||
byte issuerHash[KEYID_SIZE];
|
||||
byte issuerKeyHash[KEYID_SIZE];
|
||||
byte* serial; /* copy of the serial number in source cert; OWNED */
|
||||
int serialSz;
|
||||
|
||||
byte useNonce;
|
||||
byte nonce[MAX_OCSP_NONCE_SZ];
|
||||
int nonceSz;
|
||||
byte useNonce;
|
||||
|
||||
byte* issuerHash; /* pointer to issuerHash in source cert */
|
||||
byte* issuerKeyHash; /* pointer to issuerKeyHash in source cert */
|
||||
byte* serial; /* pointer to serial number in source cert */
|
||||
int serialSz; /* length of the serial number */
|
||||
|
||||
byte* dest; /* pointer to the destination ASN.1 buffer */
|
||||
word32 destSz; /* length of the destination buffer */
|
||||
byte* request; /* pointer to the destination ASN.1 buffer; NOT OWNED */
|
||||
word32 requestSz; /* length of the destination buffer */
|
||||
};
|
||||
|
||||
|
||||
WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
|
||||
WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*);
|
||||
|
||||
WOLFSSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*,
|
||||
WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*,
|
||||
byte, byte*, word32);
|
||||
WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);
|
||||
WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*);
|
||||
|
||||
WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*);
|
||||
|
||||
Reference in New Issue
Block a user