feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #7044 from julek-wolfssl/zd/17137

Browse Source 
ocsp: don't error out if we can't verify our certificate
This commit is contained in:
Sean Parkinson
2023-12-13 07:23:46 +10:00
committed by GitHub
parent 1aed438a21 51ba745214
commit 6e953e4d53
4 changed files with 135 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
scripts/ocsp-stapling.test
View File

@@ -243,16 +243,18 @@ else
OPENSSL_RESULT=$? OPENSSL_RESULT=$?
echo "$OPENSSL_OUTPUT" echo "$OPENSSL_OUTPUT"
fgrep -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT" fgrep -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT"
FGREP_RESULT=$? FGREP1_RESULT=$?
if [ $OPENSSL_RESULT -eq 0 -a $FGREP_RESULT -ne 0 ]; then fgrep -q 'self-signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT"
FGREP2_RESULT=$?
if [ $OPENSSL_RESULT -eq 0 -a $FGREP1_RESULT -ne 0 -a $FGREP2_RESULT -ne 0 ]; then
printf '%s\n' "Expected verification error from s_client is missing." printf '%s\n' "Expected verification error from s_client is missing."
remove_single_rF "$ready_file" remove_single_rF "$ready_file"
exit 1 exit 1
fi fi
remove_single_rF "$ready_file" remove_single_rF "$ready_file"
wait $wolf_pid wait $wolf_pid
if [ $? -ne 1 ]; then if [ $? -ne 0 ]; then
printf '%s\n' "wolfSSL server unexpected fail value" printf '%s\n' "wolfSSL server unexpected fail"
exit 1 exit 1
fi fi
fi fi

37
src/internal.c
View File

@@ -15972,27 +15972,28 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
return OUT_OF_ORDER_E; return OUT_OF_ORDER_E;
} }
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (ssl->msgsReceived.got_certificate_status == 0) { if (ssl->msgsReceived.got_certificate_status == 0) {
int csrRet = 0;
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
if (ssl->status_request) { if (csrRet == 0 && ssl->status_request) {
int ret;
WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange");
if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0) csrRet = TLSX_CSR_ForceRequest(ssl);
return ret;
} }
#endif #endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
if (ssl->status_request_v2) { if (csrRet == 0 && ssl->status_request_v2) {
int ret;
WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange");
if ((ret = TLSX_CSR2_ForceRequest(ssl)) != 0) csrRet = TLSX_CSR2_ForceRequest(ssl);
return ret;
} }
#endif #endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ if (csrRet != 0) {
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) /* Error out if OCSP lookups are enabled and failed or if
* the user requires stapling. */
if (SSL_CM(ssl)->ocspEnabled || SSL_CM(ssl)->ocspMustStaple)
return csrRet;
}
/* Check that a status request extension was seen as the /* Check that a status request extension was seen as the
* CertificateStatus wasn't when an OCSP staple is required. * CertificateStatus wasn't when an OCSP staple is required.
*/ */
@@ -16007,8 +16008,8 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
WOLFSSL_ERROR_VERBOSE(OCSP_CERT_UNKNOWN); WOLFSSL_ERROR_VERBOSE(OCSP_CERT_UNKNOWN);
return OCSP_CERT_UNKNOWN; return OCSP_CERT_UNKNOWN;
} }
#endif
} }
#endif
break; break;
#endif #endif
@@ -23298,8 +23299,12 @@ int SendCertificateStatus(WOLFSSL* ssl)
if (ret == 0 && response.buffer) { if (ret == 0 && response.buffer) {
ret = BuildCertificateStatus(ssl, status_type, &response, 1); ret = BuildCertificateStatus(ssl, status_type, &response, 1);
} }
/* Let's not error out the connection if we can't verify our cert */
if (ret == ASN_SELF_SIGNED_E || ret == ASN_NO_SIGNER_E)
ret = 0;
if (response.buffer) { if (response.buffer) {
XFREE(response.buffer, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); XFREE(response.buffer, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
response.buffer = NULL; response.buffer = NULL;
@@ -23428,6 +23433,10 @@ int SendCertificateStatus(WOLFSSL* ssl)
} }
} }
/* Let's not error out the connection if we can't verify our cert */
if (ret == ASN_SELF_SIGNED_E || ret == ASN_NO_SIGNER_E)
ret = 0;
break; break;
} }
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */

4
src/tls.c
View File

@@ -3310,6 +3310,10 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length,
if (ret != 0) { if (ret != 0) {
FreeDecodedCert(cert); FreeDecodedCert(cert);
XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
/* Let's not error out the connection if we can't verify our
* cert */
if (ret == ASN_SELF_SIGNED_E || ret == ASN_NO_SIGNER_E)
ret = 0;
return ret; return ret;
} }
ret = TLSX_CSR_InitRequest(ssl->extensions, cert, ssl->heap); ret = TLSX_CSR_InitRequest(ssl->extensions, cert, ssl->heap);

97
tests/api.c
View File

@@ -68693,6 +68693,102 @@ static int test_dtls13_early_data(void)
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
static int test_self_signed_stapling_client_v1_ctx_ready(WOLFSSL_CTX* ctx)
{
EXPECT_DECLS;
ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), 1);
ExpectIntEQ(wolfSSL_CTX_UseOCSPStapling(ctx, WOLFSSL_CSR_OCSP,
WOLFSSL_CSR_OCSP_USE_NONCE), 1);
return EXPECT_RESULT();
}
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
static int test_self_signed_stapling_client_v2_ctx_ready(WOLFSSL_CTX* ctx)
{
EXPECT_DECLS;
ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), 1);
ExpectIntEQ(wolfSSL_CTX_UseOCSPStaplingV2(ctx, WOLFSSL_CSR2_OCSP,
WOLFSSL_CSR2_OCSP_USE_NONCE), 1);
return EXPECT_RESULT();
}
static int test_self_signed_stapling_client_v2_multi_ctx_ready(WOLFSSL_CTX* ctx)
{
EXPECT_DECLS;
ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), 1);
ExpectIntEQ(wolfSSL_CTX_UseOCSPStaplingV2(ctx, WOLFSSL_CSR2_OCSP_MULTI,
0), 1);
return EXPECT_RESULT();
}
#endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
static int test_self_signed_stapling_server_ctx_ready(WOLFSSL_CTX* ctx)
{
EXPECT_DECLS;
ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), 1);
return EXPECT_RESULT();
}
#endif
static int test_self_signed_stapling(void)
{
EXPECT_DECLS;
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
test_ssl_cbf client_cbf;
test_ssl_cbf server_cbf;
size_t i;
struct {
method_provider client_meth;
method_provider server_meth;
ctx_cb client_ctx;
const char* tls_version;
} params[] = {
#if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST)
{ wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
test_self_signed_stapling_client_v1_ctx_ready, "TLSv1_3 v1" },
#endif
#ifndef WOLFSSL_NO_TLS12
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
{ wolfTLSv1_2_client_method, wolfTLSv1_2_server_method,
test_self_signed_stapling_client_v1_ctx_ready, "TLSv1_2 v1" },
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
{ wolfTLSv1_2_client_method, wolfTLSv1_2_server_method,
test_self_signed_stapling_client_v2_ctx_ready, "TLSv1_2 v2" },
{ wolfTLSv1_2_client_method, wolfTLSv1_2_server_method,
test_self_signed_stapling_client_v2_multi_ctx_ready,
"TLSv1_2 v2 multi" },
#endif
#endif
};
for (i = 0; i < sizeof(params)/sizeof(*params) && !EXPECT_FAIL(); i++) {
XMEMSET(&client_cbf, 0, sizeof(client_cbf));
XMEMSET(&server_cbf, 0, sizeof(server_cbf));
printf("\nTesting self-signed cert with status request: %s\n",
params[i].tls_version);
client_cbf.method = params[i].client_meth;
client_cbf.ctx_ready = params[i].client_ctx;
server_cbf.method = params[i].server_meth;
server_cbf.certPemFile = "certs/ca-cert.pem";
server_cbf.keyPemFile = "certs/ca-key.pem";
server_cbf.ctx_ready = test_self_signed_stapling_server_ctx_ready;
ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
&server_cbf, NULL), TEST_SUCCESS);
}
#endif
return EXPECT_RESULT();
}
/*----------------------------------------------------------------------------* /*----------------------------------------------------------------------------*
| Main | Main
*----------------------------------------------------------------------------*/ *----------------------------------------------------------------------------*/
@@ -69886,6 +69982,7 @@ TEST_CASE testCases[] = {
/* OCSP Stapling */ /* OCSP Stapling */
TEST_DECL(test_wolfSSL_UseOCSPStapling), TEST_DECL(test_wolfSSL_UseOCSPStapling),
TEST_DECL(test_wolfSSL_UseOCSPStaplingV2), TEST_DECL(test_wolfSSL_UseOCSPStaplingV2),
TEST_DECL(test_self_signed_stapling),
/* Multicast */ /* Multicast */
TEST_DECL(test_wolfSSL_mcast), TEST_DECL(test_wolfSSL_mcast),