reuse OcspRequest data in ocsp stapling;
@@ -542,6 +542,13 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
|
|||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_TLS_EXTENSIONS
|
#ifdef HAVE_TLS_EXTENSIONS
|
||||||
TLSX_FreeAll(ctx->extensions);
|
TLSX_FreeAll(ctx->extensions);
|
||||||
|
|
||||||
|
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
|
||||||
|
if (ctx->certOcspRequest) {
|
||||||
|
FreeOcspRequest(ctx->certOcspRequest);
|
||||||
|
XFREE(ctx->certOcspRequest, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -8231,35 +8238,69 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
switch (status_type) {
|
switch (status_type) {
|
||||||
#if defined HAVE_CERTIFICATE_STATUS_REQUEST
|
#if defined HAVE_CERTIFICATE_STATUS_REQUEST
|
||||||
case WOLFSSL_CSR_OCSP: {
|
case WOLFSSL_CSR_OCSP: {
|
||||||
|
OcspRequest* request = ssl->ctx->certOcspRequest;
|
||||||
buffer response = {NULL, 0};
|
buffer response = {NULL, 0};
|
||||||
buffer der = ssl->buffers.certificate;
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
|
||||||
DecodedCert* cert = NULL;
|
|
||||||
#else
|
|
||||||
DecodedCert cert[1];
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* unable to fetch status. skip. */
|
/* unable to fetch status. skip. */
|
||||||
if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0)
|
if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0)
|
||||||
return 0;
|
return 0;
|
||||||
if (der.buffer == NULL || der.length == 0)
|
|
||||||
return 0;
|
if (!request || ssl->buffers.weOwnCert) {
|
||||||
|
buffer der = ssl->buffers.certificate;
|
||||||
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
|
DecodedCert* cert = NULL;
|
||||||
|
#else
|
||||||
|
DecodedCert cert[1];
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* unable to fetch status. skip. */
|
||||||
|
if (der.buffer == NULL || der.length == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
|
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
if (cert == NULL)
|
if (cert == NULL)
|
||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
InitDecodedCert(cert, der.buffer, der.length, NULL);
|
InitDecodedCert(cert, der.buffer, der.length, NULL);
|
||||||
|
|
||||||
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
|
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
|
||||||
ssl->ctx->cm)) != 0) {
|
ssl->ctx->cm)) != 0) {
|
||||||
WOLFSSL_MSG("ParseCert failed");
|
WOLFSSL_MSG("ParseCert failed");
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
|
||||||
|
DYNAMIC_TYPE_OCSP_REQUEST);
|
||||||
|
if (request == NULL) {
|
||||||
|
FreeDecodedCert(cert);
|
||||||
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
|
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
|
#endif
|
||||||
|
return MEMORY_E;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = InitOcspRequest(request, cert, 0);
|
||||||
|
if (ret != 0) {
|
||||||
|
XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
|
||||||
|
}
|
||||||
|
else if (!ssl->buffers.weOwnCert && 0 == LockMutex(
|
||||||
|
&ssl->ctx->cm->ocsp_stapling->ocspLock)) {
|
||||||
|
if (!ssl->ctx->certOcspRequest)
|
||||||
|
ssl->ctx->certOcspRequest = request;
|
||||||
|
UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
FreeDecodedCert(cert);
|
||||||
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
|
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
ret = CheckCertOCSP(ssl->ctx->cm->ocsp_stapling, cert,
|
if (ret == 0) {
|
||||||
|
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
|
||||||
&response);
|
&response);
|
||||||
|
|
||||||
/* Suppressing, not critical */
|
/* Suppressing, not critical */
|
||||||
@@ -8274,12 +8315,11 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
|
|
||||||
XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
FreeDecodedCert(cert);
|
if (request != ssl->ctx->certOcspRequest)
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
|
||||||
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
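Review bot: The `if (ret != 0) { XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); }` branch after InitOcspRequest leaves `request` dangling, and the new tail in the following hunk, `if (request != ssl->ctx->certOcspRequest) XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);`, then frees the same pointer a second time (XFREE does not appear to null its argument). Add `request = NULL;` after that first XFREE and make the tail `if (request != NULL && request != ssl->ctx->certOcspRequest)`. That tail also omits the FreeOcspRequest call that the SSL_CtxResourceFree hunk pairs with XFREE, so whatever InitOcspRequest allocates inside a per-handshake request (the weOwnCert case, or a request that lost the race to be stored in the ctx) is leaked; call `FreeOcspRequest(request);` before the XFREE there. Separately, the new free block in SSL_CtxResourceFree is guarded by `#ifdef HAVE_CERTIFICATE_STATUS_REQUEST` alone while the certOcspRequest field added in the header is guarded by `#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)`, so a client-only build with status requests enabled would reference a field that does not exist. SendCertificateStatus begins and ends outside these hunks, so I cannot see where `ret` is initialized before the new `if (ret == 0)` check that gates CheckOcspRequest.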
@@ -1769,6 +1769,9 @@ struct WOLFSSL_CTX {
|
|||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_TLS_EXTENSIONS
|
#ifdef HAVE_TLS_EXTENSIONS
|
||||||
TLSX* extensions; /* RFC 6066 TLS Extensions data */
|
TLSX* extensions; /* RFC 6066 TLS Extensions data */
|
||||||
|
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
|
||||||
|
OcspRequest* certOcspRequest;
|
||||||
|
#endif
|
||||||
#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SEVER)
|
#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SEVER)
|
||||||
SessionTicketEncCb ticketEncCb; /* enc/dec session ticket Cb */
|
SessionTicketEncCb ticketEncCb; /* enc/dec session ticket Cb */
|
||||||
void* ticketEncCtx; /* session encrypt context */
|
void* ticketEncCtx; /* session encrypt context */
|
||||||
|