From d46c68ba1004d8ef79668437a999c129b100530f Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 27 Dec 2013 12:11:47 -0800 Subject: [PATCH] Moved OCSP into the CertManager like the CRL. --- cyassl/ctaocrypt/types.h | 3 +- cyassl/internal.h | 28 ++-- cyassl/ocsp.h | 8 +- cyassl/ssl.h | 43 ++++--- examples/client/client.c | 9 +- examples/server/server.c | 9 +- src/internal.c | 12 +- src/io.c | 21 --- src/ocsp.c | 90 +++++-------- src/ssl.c | 268 +++++++++++++++++++++++++++++++++------ 10 files changed, 318 insertions(+), 173 deletions(-) diff --git a/cyassl/ctaocrypt/types.h b/cyassl/ctaocrypt/types.h index c5075c51c..ea9cf8c11 100644 --- a/cyassl/ctaocrypt/types.h +++ b/cyassl/ctaocrypt/types.h @@ -270,7 +270,8 @@ enum { DYNAMIC_TYPE_CAVIUM_TMP = 40, DYNAMIC_TYPE_CAVIUM_RSA = 41, DYNAMIC_TYPE_X509 = 42, - DYNAMIC_TYPE_TLSX = 43 + DYNAMIC_TYPE_TLSX = 43, + DYNAMIC_TYPE_OCSP = 44 }; /* max error buffer string size */ diff --git a/cyassl/internal.h b/cyassl/internal.h index d961fcd09..4adbfd1ed 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -982,24 +982,22 @@ typedef struct OCSP_Entry OCSP_Entry; #endif struct OCSP_Entry { - OCSP_Entry* next; /* next entry */ + OCSP_Entry* next; /* next entry */ byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ - CertStatus* status; /* OCSP response list */ - int totalStatus; /* number on list */ + CertStatus* status; /* OCSP response list */ + int totalStatus; /* number on list */ }; +#ifndef HAVE_OCSP + typedef struct CYASSL_OCSP CYASSL_OCSP; +#endif + /* CyaSSL OCSP controller */ struct CYASSL_OCSP { - byte enabled; - byte useOverrideUrl; - byte useNonce; - char overrideUrl[80]; - OCSP_Entry* ocspList; - void* IOCB_OcspCtx; - CallbackIOOcsp CBIOOcsp; - CallbackIOOcspRespFree CBIOOcspRespFree; + CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */ + OCSP_Entry* ocspList; /* OCSP response list */ }; #ifndef MAX_DATE_SIZE @@ -1077,6 +1075,14 @@ struct CYASSL_CERT_MANAGER { byte crlEnabled; /* is CRL on ? */ byte crlCheckAll; /* always leaf, but all ? */ CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ + CYASSL_OCSP* ocsp; /* OCSP checker */ + byte ocspEnabled; /* is OCSP on ? */ + byte ocspSendNonce; /* send the OCSP nonce ? */ + byte ocspUseOverrideURL; /* ignore cert's responder, override */ + char* ocspOverrideURL; /* use this responder */ + void* ocspIOCtx; /* I/O callback CTX */ + CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ + CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ }; CYASSL_LOCAL int CM_SaveCertCache(CYASSL_CERT_MANAGER*, const char*); diff --git a/cyassl/ocsp.h b/cyassl/ocsp.h index f47f671b1..f6931bd98 100644 --- a/cyassl/ocsp.h +++ b/cyassl/ocsp.h @@ -36,12 +36,10 @@ typedef struct CYASSL_OCSP CYASSL_OCSP; -CYASSL_LOCAL int CyaSSL_OCSP_Init(CYASSL_OCSP*); -CYASSL_LOCAL void CyaSSL_OCSP_Cleanup(CYASSL_OCSP*); - -CYASSL_LOCAL int CyaSSL_OCSP_set_override_url(CYASSL_OCSP*, const char*); -CYASSL_LOCAL int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP*, DecodedCert*); +CYASSL_LOCAL int InitOCSP(CYASSL_OCSP*, CYASSL_CERT_MANAGER*); +CYASSL_LOCAL void FreeOCSP(CYASSL_OCSP*, int dynamic); +CYASSL_LOCAL int CheckCertOCSP(CYASSL_OCSP*, DecodedCert*); #ifdef __cplusplus } /* extern "C" */ diff --git a/cyassl/ssl.h b/cyassl/ssl.h index fc118b419..19db2aba1 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -543,6 +543,9 @@ enum { OCSP_RESPONSE = 8, OCSP_BASICRESP = 16, + CYASSL_OCSP_URL_OVERRIDE = 1, + CYASSL_OCSP_NO_NONCE = 2, + CYASSL_CRL_CHECKALL = 1, ASN1_GENERALIZEDTIME = 4, @@ -943,15 +946,6 @@ CYASSL_API void CyaSSL_CTX_SetGenCookie(CYASSL_CTX*, CallbackGenCookie); CYASSL_API void CyaSSL_SetCookieCtx(CYASSL* ssl, void *ctx); CYASSL_API void* CyaSSL_GetCookieCtx(CYASSL* ssl); -typedef int (*CallbackIOOcsp)(void*, const char*, int, - unsigned char*, int, unsigned char**); -typedef void (*CallbackIOOcspRespFree)(void*,unsigned char*); -#ifdef HAVE_OCSP -CYASSL_API void CyaSSL_SetIOOcsp(CYASSL_CTX *ocsp, CallbackIOOcsp cb); -CYASSL_API void CyaSSL_SetIOOcspRespFree(CYASSL_CTX *ocsp, - CallbackIOOcspRespFree cb); -CYASSL_API void CyaSSL_SetIOOcspCtx(CYASSL_CTX *ocsp, void *octx); -#endif /* I/O Callback default errors */ enum IOerrors { @@ -982,6 +976,9 @@ CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*, typedef void (*CallbackCACache)(unsigned char* der, int sz, int type); typedef void (*CbMissingCRL)(const char* url); +typedef int (*CbOCSPIO)(void*, const char*, int, + unsigned char*, int, unsigned char**); +typedef void (*CbOCSPRespFree)(void*,unsigned char*); /* User Atomic Record Layer CallBacks */ typedef int (*CallbackMacEncrypt)(CYASSL* ssl, unsigned char* macOut, @@ -1127,16 +1124,34 @@ CYASSL_API void* CyaSSL_GetRsaDecCtx(CYASSL* ssl); int, int); CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, CbMissingCRL); + CYASSL_API int CyaSSL_CertManagerCheckOCSP(CYASSL_CERT_MANAGER*, + unsigned char*, int sz); + CYASSL_API int CyaSSL_CertManagerEnableOCSP(CYASSL_CERT_MANAGER*, + int options); + CYASSL_API int CyaSSL_CertManagerDisableOCSP(CYASSL_CERT_MANAGER*); + CYASSL_API int CyaSSL_CertManagerSetOCSPOverrideURL(CYASSL_CERT_MANAGER*, + const char*); + CYASSL_API int CyaSSL_CertManagerSetOCSP_Cb(CYASSL_CERT_MANAGER*, + CbOCSPIO, CbOCSPRespFree, void*); CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options); CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl); CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int); CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL); + CYASSL_API int CyaSSL_EnableOCSP(CYASSL*, int options); + CYASSL_API int CyaSSL_DisableOCSP(CYASSL*); + CYASSL_API int CyaSSL_SetOCSP_OverrideURL(CYASSL*, const char*); + CYASSL_API int CyaSSL_SetOCSP_Cb(CYASSL*, CbOCSPIO, CbOCSPRespFree, void*); CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options); CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx); CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int); CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL); + CYASSL_API int CyaSSL_CTX_EnableOCSP(CYASSL_CTX*, int options); + CYASSL_API int CyaSSL_CTX_DisableOCSP(CYASSL_CTX*); + CYASSL_API int CyaSSL_CTX_SetOCSP_OverrideURL(CYASSL_CTX*, const char*); + CYASSL_API int CyaSSL_CTX_SetOCSP_Cb(CYASSL_CTX*, + CbOCSPIO, CbOCSPRespFree, void*); #endif /* !NO_CERTS */ /* end of handshake frees temporary arrays, if user needs for get_keys or @@ -1245,16 +1260,6 @@ CYASSL_API int CyaSSL_accept_ex(CYASSL*, HandShakeCallBack, TimeoutCallBack, #endif /* CYASSL_CALLBACKS */ -CYASSL_API int CyaSSL_CTX_OCSP_set_options(CYASSL_CTX*, int); -CYASSL_API int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX*, const char*); - -/* OCSP Options */ -#define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */ -#define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL - * in certificate */ -#define CYASSL_OCSP_NO_NONCE 0x0004 /* Disables the request nonce. */ - - #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/examples/client/client.c b/examples/client/client.c index 4a1ea40ac..ff0e9848f 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -506,13 +506,12 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) #ifdef HAVE_OCSP if (useOcsp) { if (ocspUrl != NULL) { - CyaSSL_CTX_OCSP_set_override_url(ctx, ocspUrl); - CyaSSL_CTX_OCSP_set_options(ctx, CYASSL_OCSP_ENABLE | - CYASSL_OCSP_URL_OVERRIDE | CYASSL_OCSP_NO_NONCE); + CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl); + CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE + | CYASSL_OCSP_URL_OVERRIDE); } else - CyaSSL_CTX_OCSP_set_options(ctx, CYASSL_OCSP_ENABLE | - CYASSL_OCSP_NO_NONCE); + CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE); } #endif diff --git a/examples/server/server.c b/examples/server/server.c index a6aaeb4ba..365418d5d 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -460,13 +460,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef HAVE_OCSP if (useOcsp) { if (ocspUrl != NULL) { - CyaSSL_CTX_OCSP_set_override_url(ctx, ocspUrl); - CyaSSL_CTX_OCSP_set_options(ctx, CYASSL_OCSP_ENABLE | - CYASSL_OCSP_URL_OVERRIDE | CYASSL_OCSP_NO_NONCE); + CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl); + CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE + | CYASSL_OCSP_URL_OVERRIDE); } else - CyaSSL_CTX_OCSP_set_options(ctx, CYASSL_OCSP_ENABLE | - CYASSL_OCSP_NO_NONCE); + CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE); } #endif #ifdef HAVE_PK_CALLBACKS diff --git a/src/internal.c b/src/internal.c index 4c24d67e8..3aecbfe32 100644 --- a/src/internal.c +++ b/src/internal.c @@ -426,9 +426,6 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) ctx->sendVerify = 0; ctx->quietShutdown = 0; ctx->groupMessages = 0; -#ifdef HAVE_OCSP - CyaSSL_OCSP_Init(&ctx->ocsp); -#endif #ifdef HAVE_CAVIUM ctx->devId = NO_CAVIUM_DEVICE; #endif @@ -479,9 +476,6 @@ void SSL_CtxResourceFree(CYASSL_CTX* ctx) XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT); CyaSSL_CertManagerFree(ctx->cm); #endif -#ifdef HAVE_OCSP - CyaSSL_OCSP_Cleanup(&ctx->ocsp); -#endif #ifdef HAVE_TLS_EXTENSIONS TLSX_FreeAll(ctx->extensions); #endif @@ -3393,8 +3387,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) } #ifdef HAVE_OCSP - if (fatal == 0) { - ret = CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert); + if (fatal == 0 && ssl->ctx->cm->ocspEnabled) { + ret = CheckCertOCSP(ssl->ctx->cm->ocsp, &dCert); if (ret != 0) { CYASSL_MSG("\tOCSP Lookup not ok"); fatal = 0; @@ -3407,7 +3401,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) int doCrlLookup = 1; #ifdef HAVE_OCSP - if (ssl->ctx->ocsp.enabled) { + if (ssl->ctx->cm->ocspEnabled) { doCrlLookup = (ret == OCSP_CERT_UNKNOWN); } #endif /* HAVE_OCSP */ diff --git a/src/io.c b/src/io.c index e216d4713..c023d00d7 100644 --- a/src/io.c +++ b/src/io.c @@ -950,27 +950,6 @@ CYASSL_API void* CyaSSL_GetCookieCtx(CYASSL* ssl) #endif /* CYASSL_DTLS */ -#ifdef HAVE_OCSP - -CYASSL_API void CyaSSL_SetIOOcsp(CYASSL_CTX* ctx, CallbackIOOcsp cb) -{ - ctx->ocsp.CBIOOcsp = cb; -} - -CYASSL_API void CyaSSL_SetIOOcspRespFree(CYASSL_CTX* ctx, - CallbackIOOcspRespFree cb) -{ - ctx->ocsp.CBIOOcspRespFree = cb; -} - -CYASSL_API void CyaSSL_SetIOOcspCtx(CYASSL_CTX* ctx, void *octx) -{ - ctx->ocsp.IOCB_OcspCtx = octx; -} - -#endif - - #ifdef HAVE_NETX /* The NetX receive callback diff --git a/src/ocsp.c b/src/ocsp.c index f36233a45..f24fc48b5 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -32,19 +32,27 @@ #include -int CyaSSL_OCSP_Init(CYASSL_OCSP* ocsp) +int InitOCSP(CYASSL_OCSP* ocsp, CYASSL_CERT_MANAGER* cm) { - if (ocsp != NULL) { - XMEMSET(ocsp, 0, sizeof(*ocsp)); - ocsp->useNonce = 1; - #ifndef CYASSL_USER_IO - ocsp->CBIOOcsp = EmbedOcspLookup; - ocsp->CBIOOcspRespFree = EmbedOcspRespFree; - #endif - return 0; - } + CYASSL_ENTER("InitOCSP"); + XMEMSET(ocsp, 0, sizeof(*ocsp)); + ocsp->cm = cm; - return -1; + return 0; +} + + +static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert) +{ + CYASSL_ENTER("InitOCSP_Entry"); + + ocspe->next = NULL; + XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE); + XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE); + ocspe->status = NULL; + ocspe->totalStatus = 0; + + return 0; } @@ -62,45 +70,21 @@ static void FreeOCSP_Entry(OCSP_Entry* ocspe) } -void CyaSSL_OCSP_Cleanup(CYASSL_OCSP* ocsp) +void FreeOCSP(CYASSL_OCSP* ocsp, int dynamic) { OCSP_Entry* tmp = ocsp->ocspList; - ocsp->enabled = 0; + CYASSL_ENTER("FreeOCSP"); + while (tmp) { OCSP_Entry* next = tmp->next; FreeOCSP_Entry(tmp); XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_ENTRY); tmp = next; } -} - -int CyaSSL_OCSP_set_override_url(CYASSL_OCSP* ocsp, const char* url) -{ - if (ocsp != NULL) { - int urlSz = (int)XSTRLEN(url); - if (urlSz < (int)sizeof(ocsp->overrideUrl)) { - XSTRNCPY(ocsp->overrideUrl, url, urlSz); - return 1; - } - } - - return 0; -} - - -static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert) -{ - CYASSL_ENTER("InitOCSP_Entry"); - - ocspe->next = NULL; - XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE); - XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE); - ocspe->status = NULL; - ocspe->totalStatus = 0; - - return 0; + if (dynamic) + XFREE(ocsp, NULL, DYNAMIC_TYPE_OCSP); } @@ -193,7 +177,7 @@ static int xstat2err(int stat) } -int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) +int CheckCertOCSP(CYASSL_OCSP* ocsp, DecodedCert* cert) { byte* ocspReqBuf = NULL; int ocspReqSz = 2048; @@ -206,11 +190,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) const char *url; int urlSz; - /* If OCSP lookups are disabled, return success. */ - if (!ocsp->enabled) { - CYASSL_MSG("OCSP lookup disabled, assuming CERT_GOOD"); - return 0; - } + CYASSL_ENTER("CheckCertOCSP"); ocspe = find_ocsp_entry(ocsp, cert); if (ocspe == NULL) { @@ -244,11 +224,10 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) } } - if (ocsp->useOverrideUrl) { - if (ocsp->overrideUrl[0] != '\0') { - url = ocsp->overrideUrl; + if (ocsp->cm->ocspUseOverrideURL) { + url = ocsp->cm->ocspOverrideURL; + if (url != NULL && url[0] != '\0') urlSz = (int)XSTRLEN(url); - } else return OCSP_NEED_URL; } @@ -266,11 +245,12 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) CYASSL_MSG("\talloc OCSP request buffer failed"); return MEMORY_ERROR; } - InitOcspRequest(&ocspRequest, cert, ocsp->useNonce, ocspReqBuf, ocspReqSz); + InitOcspRequest(&ocspRequest, cert, ocsp->cm->ocspSendNonce, + ocspReqBuf, ocspReqSz); ocspReqSz = EncodeOcspRequest(&ocspRequest); - if (ocsp->CBIOOcsp) { - result = ocsp->CBIOOcsp(ocsp->IOCB_OcspCtx, url, urlSz, + if (ocsp->cm->ocspIOCb) { + result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, ocspReqBuf, ocspReqSz, &ocspRespBuf); } @@ -300,8 +280,8 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) if (ocspReqBuf != NULL) { XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); } - if (ocspRespBuf != NULL && ocsp->CBIOOcspRespFree) { - ocsp->CBIOOcspRespFree(ocsp->IOCB_OcspCtx, ocspRespBuf); + if (ocspRespBuf != NULL && ocsp->cm->ocspRespFreeCb) { + ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, ocspRespBuf); } return result; diff --git a/src/ssl.c b/src/ssl.c index c7f5b255f..37c9313a6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1005,16 +1005,7 @@ CYASSL_CERT_MANAGER* CyaSSL_CertManagerNew(void) cm = (CYASSL_CERT_MANAGER*) XMALLOC(sizeof(CYASSL_CERT_MANAGER), 0, DYNAMIC_TYPE_CERT_MANAGER); if (cm) { - int i; - - for (i = 0; i < CA_TABLE_SIZE; i++) - cm->caTable[i] = NULL; - cm->heap = NULL; - cm->caCacheCallback = NULL; - cm->crl = NULL; - cm->crlEnabled = 0; - cm->crlCheckAll = 0; - cm->cbMissingCRL = NULL; + XMEMSET(cm, 0, sizeof(CYASSL_CERT_MANAGER)); if (InitMutex(&cm->caLock) != 0) { CYASSL_MSG("Bad mutex init"); @@ -1036,6 +1027,10 @@ void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER* cm) if (cm->crl) FreeCRL(cm->crl, 1); #endif + #ifdef HAVE_OCSP + if (cm->ocsp) + FreeOCSP(cm->ocsp, 1); + #endif FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL); FreeMutex(&cm->caLock); XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER); @@ -2504,6 +2499,62 @@ int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER* cm) } +/* turn on OCSP if off and compiled in, set options */ +int CyaSSL_CertManagerEnableOCSP(CYASSL_CERT_MANAGER* cm, int options) +{ + int ret = SSL_SUCCESS; + + (void)options; + + CYASSL_ENTER("CyaSSL_CertManagerEnableOCSP"); + if (cm == NULL) + return BAD_FUNC_ARG; + + #ifdef HAVE_OCSP + if (cm->ocsp == NULL) { + cm->ocsp = (CYASSL_OCSP*)XMALLOC(sizeof(CYASSL_OCSP), cm->heap, + DYNAMIC_TYPE_OCSP); + if (cm->ocsp == NULL) + return MEMORY_E; + + if (InitOCSP(cm->ocsp, cm) != 0) { + CYASSL_MSG("Init OCSP failed"); + FreeOCSP(cm->ocsp, 1); + cm->ocsp = NULL; + return SSL_FAILURE; + } + } + cm->ocspEnabled = 1; + if (options & CYASSL_OCSP_URL_OVERRIDE) + cm->ocspUseOverrideURL = 1; + if (options & CYASSL_OCSP_NO_NONCE) + cm->ocspSendNonce = 0; + else + cm->ocspSendNonce = 1; + #ifndef CYASSL_USER_IO + cm->ocspIOCb = EmbedOcspLookup; + cm->ocspRespFreeCb = EmbedOcspRespFree; + #endif /* CYASSL_USER_IO */ + #else + ret = NOT_COMPILED_IN; + #endif + + return ret; +} + + +int CyaSSL_CertManagerDisableOCSP(CYASSL_CERT_MANAGER* cm) +{ + CYASSL_ENTER("CyaSSL_CertManagerDisableOCSP"); + if (cm == NULL) + return BAD_FUNC_ARG; + + cm->ocspEnabled = 0; + + return SSL_SUCCESS; +} + + int CyaSSL_CTX_check_private_key(CYASSL_CTX* ctx) { /* TODO: check private against public for RSA match */ @@ -2666,6 +2717,171 @@ int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX* ctx, CbMissingCRL cb) #endif /* HAVE_CRL */ +#ifdef HAVE_OCSP + + +/* check CRL if enabled, SSL_SUCCESS */ +int CyaSSL_CertManagerCheckOCSP(CYASSL_CERT_MANAGER* cm, byte* der, int sz) +{ + int ret; + DecodedCert cert; + + CYASSL_ENTER("CyaSSL_CertManagerCheckOCSP"); + + if (cm == NULL) + return BAD_FUNC_ARG; + + if (cm->ocspEnabled == 0) + return SSL_SUCCESS; + + InitDecodedCert(&cert, der, sz, NULL); + + ret = ParseCertRelative(&cert, CERT_TYPE, NO_VERIFY, cm); + if (ret != 0) { + CYASSL_MSG("ParseCert failed"); + return ret; + } + else { + ret = CheckCertOCSP(cm->ocsp, &cert); + if (ret != 0) { + CYASSL_MSG("CheckCertOCSP failed"); + } + } + + FreeDecodedCert(&cert); + + if (ret == 0) + return SSL_SUCCESS; /* convert */ + + return ret; +} + + +int CyaSSL_CertManagerSetOCSPOverrideURL(CYASSL_CERT_MANAGER* cm, + const char* url) +{ + CYASSL_ENTER("CyaSSL_CertManagerSetOCSPOverrideURL"); + if (cm == NULL) + return BAD_FUNC_ARG; + + XFREE(cm->ocspOverrideURL, cm->heap, 0); + if (url != NULL) { + int urlSz = (int)XSTRLEN(url) + 1; + cm->ocspOverrideURL = (char*)XMALLOC(urlSz, cm->heap, 0); + if (cm->ocspOverrideURL != NULL) { + XMEMCPY(cm->ocspOverrideURL, url, urlSz); + } + else + return MEMORY_E; + } + else + cm->ocspOverrideURL = NULL; + + return SSL_SUCCESS; +} + + +int CyaSSL_CertManagerSetOCSP_Cb(CYASSL_CERT_MANAGER* cm, + CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx) +{ + CYASSL_ENTER("CyaSSL_CertManagerSetOCSP_Cb"); + if (cm == NULL) + return BAD_FUNC_ARG; + + cm->ocspIOCb = ioCb; + cm->ocspRespFreeCb = respFreeCb; + cm->ocspIOCtx = ioCbCtx; + + return SSL_SUCCESS; +} + + +int CyaSSL_EnableOCSP(CYASSL* ssl, int options) +{ + CYASSL_ENTER("CyaSSL_EnableOCSP"); + if (ssl) + return CyaSSL_CertManagerEnableOCSP(ssl->ctx->cm, options); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_DisableOCSP(CYASSL* ssl) +{ + CYASSL_ENTER("CyaSSL_DisableOCSP"); + if (ssl) + return CyaSSL_CertManagerDisableOCSP(ssl->ctx->cm); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_SetOCSP_OverrideURL(CYASSL* ssl, const char* url) +{ + CYASSL_ENTER("CyaSSL_SetOCSP_OverrideURL"); + if (ssl) + return CyaSSL_CertManagerSetOCSPOverrideURL(ssl->ctx->cm, url); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_SetOCSP_Cb(CYASSL* ssl, + CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx) +{ + CYASSL_ENTER("CyaSSL_SetOCSP_Cb"); + if (ssl) + return CyaSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm, + ioCb, respFreeCb, ioCbCtx); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_CTX_EnableOCSP(CYASSL_CTX* ctx, int options) +{ + CYASSL_ENTER("CyaSSL_CTX_EnableOCSP"); + if (ctx) + return CyaSSL_CertManagerEnableOCSP(ctx->cm, options); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_CTX_DisableOCSP(CYASSL_CTX* ctx) +{ + CYASSL_ENTER("CyaSSL_CTX_DisableOCSP"); + if (ctx) + return CyaSSL_CertManagerDisableOCSP(ctx->cm); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_CTX_SetOCSP_OverrideURL(CYASSL_CTX* ctx, const char* url) +{ + CYASSL_ENTER("CyaSSL_SetOCSP_OverrideURL"); + if (ctx) + return CyaSSL_CertManagerSetOCSPOverrideURL(ctx->cm, url); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_CTX_SetOCSP_Cb(CYASSL_CTX* ctx, + CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx) +{ + CYASSL_ENTER("CyaSSL_CTX_SetOCSP_Cb"); + if (ctx) + return CyaSSL_CertManagerSetOCSP_Cb(ctx->cm, ioCb, respFreeCb, ioCbCtx); + else + return BAD_FUNC_ARG; +} + + +#endif /* HAVE_OCSP */ + + #ifdef CYASSL_DER_LOAD /* Add format parameter to allow DER load of CA files */ @@ -10921,38 +11137,6 @@ const byte* CyaSSL_get_sessionID(const CYASSL_SESSION* session) #endif /* SESSION_CERTS */ -int CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, int options) -{ - CYASSL_ENTER("CyaSSL_CTX_OCSP_set_options"); -#ifdef HAVE_OCSP - if (ctx != NULL) { - ctx->ocsp.enabled = (options & CYASSL_OCSP_ENABLE) != 0; - ctx->ocsp.useOverrideUrl = (options & CYASSL_OCSP_URL_OVERRIDE) != 0; - ctx->ocsp.useNonce = (options & CYASSL_OCSP_NO_NONCE) == 0; - return SSL_SUCCESS; - } - return SSL_FAILURE; -#else - (void)ctx; - (void)options; - return NOT_COMPILED_IN; -#endif -} - - -int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX* ctx, const char* url) -{ - CYASSL_ENTER("CyaSSL_CTX_OCSP_set_override_url"); -#ifdef HAVE_OCSP - return CyaSSL_OCSP_set_override_url(&ctx->ocsp, url); -#else - (void)ctx; - (void)url; - return NOT_COMPILED_IN; -#endif -} - - #ifndef NO_CERTS #ifdef HAVE_PK_CALLBACKS