feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Moved OCSP into the CertManager like the CRL.

Browse Source
This commit is contained in:
John Safranek
2013-12-27 12:11:47 -08:00
parent 4ce2e59adf
commit d46c68ba10
10 changed files with 318 additions and 173 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cyassl/ctaocrypt/types.h
View File

@ -270,7 +270,8 @@ enum {
DYNAMIC_TYPE_CAVIUM_TMP = 40, DYNAMIC_TYPE_CAVIUM_TMP = 40,
DYNAMIC_TYPE_CAVIUM_RSA = 41, DYNAMIC_TYPE_CAVIUM_RSA = 41,
DYNAMIC_TYPE_X509 = 42, DYNAMIC_TYPE_X509 = 42,
DYNAMIC_TYPE_TLSX = 43 DYNAMIC_TYPE_TLSX = 43,
DYNAMIC_TYPE_OCSP = 44
}; };
/* max error buffer string size */ /* max error buffer string size */

28
cyassl/internal.h
View File

@ -982,24 +982,22 @@ typedef struct OCSP_Entry OCSP_Entry;
#endif #endif
struct OCSP_Entry { struct OCSP_Entry {
OCSP_Entry* next; /* next entry */ OCSP_Entry* next; /* next entry */
byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
CertStatus* status; /* OCSP response list */ CertStatus* status; /* OCSP response list */
int totalStatus; /* number on list */ int totalStatus; /* number on list */
}; };
#ifndef HAVE_OCSP
typedef struct CYASSL_OCSP CYASSL_OCSP;
#endif
/* CyaSSL OCSP controller */ /* CyaSSL OCSP controller */
struct CYASSL_OCSP { struct CYASSL_OCSP {
byte enabled; CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */
byte useOverrideUrl; OCSP_Entry* ocspList; /* OCSP response list */
byte useNonce;
char overrideUrl[80];
OCSP_Entry* ocspList;
void* IOCB_OcspCtx;
CallbackIOOcsp CBIOOcsp;
CallbackIOOcspRespFree CBIOOcspRespFree;
}; };
#ifndef MAX_DATE_SIZE #ifndef MAX_DATE_SIZE
@ -1077,6 +1075,14 @@ struct CYASSL_CERT_MANAGER {
byte crlEnabled; /* is CRL on ? */ byte crlEnabled; /* is CRL on ? */
byte crlCheckAll; /* always leaf, but all ? */ byte crlCheckAll; /* always leaf, but all ? */
CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */
CYASSL_OCSP* ocsp; /* OCSP checker */
byte ocspEnabled; /* is OCSP on ? */
byte ocspSendNonce; /* send the OCSP nonce ? */
byte ocspUseOverrideURL; /* ignore cert's responder, override */
char* ocspOverrideURL; /* use this responder */
void* ocspIOCtx; /* I/O callback CTX */
CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */
CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */
}; };
CYASSL_LOCAL int CM_SaveCertCache(CYASSL_CERT_MANAGER*, const char*); CYASSL_LOCAL int CM_SaveCertCache(CYASSL_CERT_MANAGER*, const char*);

8
cyassl/ocsp.h
View File

@ -36,12 +36,10 @@
typedef struct CYASSL_OCSP CYASSL_OCSP; typedef struct CYASSL_OCSP CYASSL_OCSP;
CYASSL_LOCAL int CyaSSL_OCSP_Init(CYASSL_OCSP*); CYASSL_LOCAL int InitOCSP(CYASSL_OCSP*, CYASSL_CERT_MANAGER*);
CYASSL_LOCAL void CyaSSL_OCSP_Cleanup(CYASSL_OCSP*); CYASSL_LOCAL void FreeOCSP(CYASSL_OCSP*, int dynamic);
CYASSL_LOCAL int CyaSSL_OCSP_set_override_url(CYASSL_OCSP*, const char*);
CYASSL_LOCAL int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP*, DecodedCert*);
CYASSL_LOCAL int CheckCertOCSP(CYASSL_OCSP*, DecodedCert*);
#ifdef __cplusplus #ifdef __cplusplus
} /* extern "C" */ } /* extern "C" */

43
cyassl/ssl.h
View File

@ -543,6 +543,9 @@ enum {
OCSP_RESPONSE = 8, OCSP_RESPONSE = 8,
OCSP_BASICRESP = 16, OCSP_BASICRESP = 16,
CYASSL_OCSP_URL_OVERRIDE = 1,
CYASSL_OCSP_NO_NONCE = 2,
CYASSL_CRL_CHECKALL = 1, CYASSL_CRL_CHECKALL = 1,
ASN1_GENERALIZEDTIME = 4, ASN1_GENERALIZEDTIME = 4,
@ -943,15 +946,6 @@ CYASSL_API void CyaSSL_CTX_SetGenCookie(CYASSL_CTX*, CallbackGenCookie);
CYASSL_API void CyaSSL_SetCookieCtx(CYASSL* ssl, void *ctx); CYASSL_API void CyaSSL_SetCookieCtx(CYASSL* ssl, void *ctx);
CYASSL_API void* CyaSSL_GetCookieCtx(CYASSL* ssl); CYASSL_API void* CyaSSL_GetCookieCtx(CYASSL* ssl);
typedef int (*CallbackIOOcsp)(void*, const char*, int,
unsigned char*, int, unsigned char**);
typedef void (*CallbackIOOcspRespFree)(void*,unsigned char*);
#ifdef HAVE_OCSP
CYASSL_API void CyaSSL_SetIOOcsp(CYASSL_CTX *ocsp, CallbackIOOcsp cb);
CYASSL_API void CyaSSL_SetIOOcspRespFree(CYASSL_CTX *ocsp,
CallbackIOOcspRespFree cb);
CYASSL_API void CyaSSL_SetIOOcspCtx(CYASSL_CTX *ocsp, void *octx);
#endif
/* I/O Callback default errors */ /* I/O Callback default errors */
enum IOerrors { enum IOerrors {
@ -982,6 +976,9 @@ CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
typedef void (*CallbackCACache)(unsigned char* der, int sz, int type); typedef void (*CallbackCACache)(unsigned char* der, int sz, int type);
typedef void (*CbMissingCRL)(const char* url); typedef void (*CbMissingCRL)(const char* url);
typedef int (*CbOCSPIO)(void*, const char*, int,
unsigned char*, int, unsigned char**);
typedef void (*CbOCSPRespFree)(void*,unsigned char*);
/* User Atomic Record Layer CallBacks */ /* User Atomic Record Layer CallBacks */
typedef int (*CallbackMacEncrypt)(CYASSL* ssl, unsigned char* macOut, typedef int (*CallbackMacEncrypt)(CYASSL* ssl, unsigned char* macOut,
@ -1127,16 +1124,34 @@ CYASSL_API void* CyaSSL_GetRsaDecCtx(CYASSL* ssl);
int, int); int, int);
CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*,
CbMissingCRL); CbMissingCRL);
CYASSL_API int CyaSSL_CertManagerCheckOCSP(CYASSL_CERT_MANAGER*,
unsigned char*, int sz);
CYASSL_API int CyaSSL_CertManagerEnableOCSP(CYASSL_CERT_MANAGER*,
int options);
CYASSL_API int CyaSSL_CertManagerDisableOCSP(CYASSL_CERT_MANAGER*);
CYASSL_API int CyaSSL_CertManagerSetOCSPOverrideURL(CYASSL_CERT_MANAGER*,
const char*);
CYASSL_API int CyaSSL_CertManagerSetOCSP_Cb(CYASSL_CERT_MANAGER*,
CbOCSPIO, CbOCSPRespFree, void*);
CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options); CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options);
CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl); CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl);
CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int); CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int);
CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL); CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL);
CYASSL_API int CyaSSL_EnableOCSP(CYASSL*, int options);
CYASSL_API int CyaSSL_DisableOCSP(CYASSL*);
CYASSL_API int CyaSSL_SetOCSP_OverrideURL(CYASSL*, const char*);
CYASSL_API int CyaSSL_SetOCSP_Cb(CYASSL*, CbOCSPIO, CbOCSPRespFree, void*);
CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options); CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options);
CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx); CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx);
CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int); CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int);
CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL); CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL);
CYASSL_API int CyaSSL_CTX_EnableOCSP(CYASSL_CTX*, int options);
CYASSL_API int CyaSSL_CTX_DisableOCSP(CYASSL_CTX*);
CYASSL_API int CyaSSL_CTX_SetOCSP_OverrideURL(CYASSL_CTX*, const char*);
CYASSL_API int CyaSSL_CTX_SetOCSP_Cb(CYASSL_CTX*,
CbOCSPIO, CbOCSPRespFree, void*);
#endif /* !NO_CERTS */ #endif /* !NO_CERTS */
/* end of handshake frees temporary arrays, if user needs for get_keys or /* end of handshake frees temporary arrays, if user needs for get_keys or
@ -1245,16 +1260,6 @@ CYASSL_API int CyaSSL_accept_ex(CYASSL*, HandShakeCallBack, TimeoutCallBack,
#endif /* CYASSL_CALLBACKS */ #endif /* CYASSL_CALLBACKS */
CYASSL_API int CyaSSL_CTX_OCSP_set_options(CYASSL_CTX*, int);
CYASSL_API int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX*, const char*);
/* OCSP Options */
#define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */
#define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL
* in certificate */
#define CYASSL_OCSP_NO_NONCE 0x0004 /* Disables the request nonce. */
#ifdef __cplusplus #ifdef __cplusplus
} /* extern "C" */ } /* extern "C" */
#endif #endif

9
examples/client/client.c
View File

@ -506,13 +506,12 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args)
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (useOcsp) { if (useOcsp) {
if (ocspUrl != NULL) { if (ocspUrl != NULL) {
CyaSSL_CTX_OCSP_set_override_url(ctx, ocspUrl); CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_OCSP_set_options(ctx, CYASSL_OCSP_ENABLE | CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
CYASSL_OCSP_URL_OVERRIDE | CYASSL_OCSP_NO_NONCE); | CYASSL_OCSP_URL_OVERRIDE);
} }
else else
CyaSSL_CTX_OCSP_set_options(ctx, CYASSL_OCSP_ENABLE | CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
CYASSL_OCSP_NO_NONCE);
} }
#endif #endif

9
examples/server/server.c
View File

@ -460,13 +460,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (useOcsp) { if (useOcsp) {
if (ocspUrl != NULL) { if (ocspUrl != NULL) {
CyaSSL_CTX_OCSP_set_override_url(ctx, ocspUrl); CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_OCSP_set_options(ctx, CYASSL_OCSP_ENABLE | CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
CYASSL_OCSP_URL_OVERRIDE | CYASSL_OCSP_NO_NONCE); | CYASSL_OCSP_URL_OVERRIDE);
} }
else else
CyaSSL_CTX_OCSP_set_options(ctx, CYASSL_OCSP_ENABLE | CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
CYASSL_OCSP_NO_NONCE);
} }
#endif #endif
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS

12
src/internal.c
View File

@ -426,9 +426,6 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method)
ctx->sendVerify = 0; ctx->sendVerify = 0;
ctx->quietShutdown = 0; ctx->quietShutdown = 0;
ctx->groupMessages = 0; ctx->groupMessages = 0;
#ifdef HAVE_OCSP
CyaSSL_OCSP_Init(&ctx->ocsp);
#endif
#ifdef HAVE_CAVIUM #ifdef HAVE_CAVIUM
ctx->devId = NO_CAVIUM_DEVICE; ctx->devId = NO_CAVIUM_DEVICE;
#endif #endif
@ -479,9 +476,6 @@ void SSL_CtxResourceFree(CYASSL_CTX* ctx)
XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT); XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
CyaSSL_CertManagerFree(ctx->cm); CyaSSL_CertManagerFree(ctx->cm);
#endif #endif
#ifdef HAVE_OCSP
CyaSSL_OCSP_Cleanup(&ctx->ocsp);
#endif
#ifdef HAVE_TLS_EXTENSIONS #ifdef HAVE_TLS_EXTENSIONS
TLSX_FreeAll(ctx->extensions); TLSX_FreeAll(ctx->extensions);
#endif #endif
@ -3393,8 +3387,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
} }
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (fatal == 0) { if (fatal == 0 && ssl->ctx->cm->ocspEnabled) {
ret = CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert); ret = CheckCertOCSP(ssl->ctx->cm->ocsp, &dCert);
if (ret != 0) { if (ret != 0) {
CYASSL_MSG("\tOCSP Lookup not ok"); CYASSL_MSG("\tOCSP Lookup not ok");
fatal = 0; fatal = 0;
@ -3407,7 +3401,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
int doCrlLookup = 1; int doCrlLookup = 1;
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (ssl->ctx->ocsp.enabled) { if (ssl->ctx->cm->ocspEnabled) {
doCrlLookup = (ret == OCSP_CERT_UNKNOWN); doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
} }
#endif /* HAVE_OCSP */ #endif /* HAVE_OCSP */

21
src/io.c
View File

@ -950,27 +950,6 @@ CYASSL_API void* CyaSSL_GetCookieCtx(CYASSL* ssl)
#endif /* CYASSL_DTLS */ #endif /* CYASSL_DTLS */
#ifdef HAVE_OCSP
CYASSL_API void CyaSSL_SetIOOcsp(CYASSL_CTX* ctx, CallbackIOOcsp cb)
{
ctx->ocsp.CBIOOcsp = cb;
}
CYASSL_API void CyaSSL_SetIOOcspRespFree(CYASSL_CTX* ctx,
CallbackIOOcspRespFree cb)
{
ctx->ocsp.CBIOOcspRespFree = cb;
}
CYASSL_API void CyaSSL_SetIOOcspCtx(CYASSL_CTX* ctx, void *octx)
{
ctx->ocsp.IOCB_OcspCtx = octx;
}
#endif
#ifdef HAVE_NETX #ifdef HAVE_NETX
/* The NetX receive callback /* The NetX receive callback

90
src/ocsp.c
View File

@ -32,19 +32,27 @@
#include <cyassl/internal.h> #include <cyassl/internal.h>
int CyaSSL_OCSP_Init(CYASSL_OCSP* ocsp) int InitOCSP(CYASSL_OCSP* ocsp, CYASSL_CERT_MANAGER* cm)
{ {
if (ocsp != NULL) { CYASSL_ENTER("InitOCSP");
XMEMSET(ocsp, 0, sizeof(*ocsp)); XMEMSET(ocsp, 0, sizeof(*ocsp));
ocsp->useNonce = 1; ocsp->cm = cm;
#ifndef CYASSL_USER_IO
ocsp->CBIOOcsp = EmbedOcspLookup;
ocsp->CBIOOcspRespFree = EmbedOcspRespFree;
#endif
return 0;
}
return -1; return 0;
}
static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert)
{
CYASSL_ENTER("InitOCSP_Entry");
ocspe->next = NULL;
XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE);
XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE);
ocspe->status = NULL;
ocspe->totalStatus = 0;
return 0;
} }
@ -62,45 +70,21 @@ static void FreeOCSP_Entry(OCSP_Entry* ocspe)
} }
void CyaSSL_OCSP_Cleanup(CYASSL_OCSP* ocsp) void FreeOCSP(CYASSL_OCSP* ocsp, int dynamic)
{ {
OCSP_Entry* tmp = ocsp->ocspList; OCSP_Entry* tmp = ocsp->ocspList;
ocsp->enabled = 0; CYASSL_ENTER("FreeOCSP");
while (tmp) { while (tmp) {
OCSP_Entry* next = tmp->next; OCSP_Entry* next = tmp->next;
FreeOCSP_Entry(tmp); FreeOCSP_Entry(tmp);
XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_ENTRY); XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
tmp = next; tmp = next;
} }
}
if (dynamic)
int CyaSSL_OCSP_set_override_url(CYASSL_OCSP* ocsp, const char* url) XFREE(ocsp, NULL, DYNAMIC_TYPE_OCSP);
{
if (ocsp != NULL) {
int urlSz = (int)XSTRLEN(url);
if (urlSz < (int)sizeof(ocsp->overrideUrl)) {
XSTRNCPY(ocsp->overrideUrl, url, urlSz);
return 1;
}
}
return 0;
}
static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert)
{
CYASSL_ENTER("InitOCSP_Entry");
ocspe->next = NULL;
XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE);
XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE);
ocspe->status = NULL;
ocspe->totalStatus = 0;
return 0;
} }
@ -193,7 +177,7 @@ static int xstat2err(int stat)
} }
int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) int CheckCertOCSP(CYASSL_OCSP* ocsp, DecodedCert* cert)
{ {
byte* ocspReqBuf = NULL; byte* ocspReqBuf = NULL;
int ocspReqSz = 2048; int ocspReqSz = 2048;
@ -206,11 +190,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
const char *url; const char *url;
int urlSz; int urlSz;
/* If OCSP lookups are disabled, return success. */ CYASSL_ENTER("CheckCertOCSP");
if (!ocsp->enabled) {
CYASSL_MSG("OCSP lookup disabled, assuming CERT_GOOD");
return 0;
}
ocspe = find_ocsp_entry(ocsp, cert); ocspe = find_ocsp_entry(ocsp, cert);
if (ocspe == NULL) { if (ocspe == NULL) {
@ -244,11 +224,10 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
} }
} }
if (ocsp->useOverrideUrl) { if (ocsp->cm->ocspUseOverrideURL) {
if (ocsp->overrideUrl[0] != '\0') { url = ocsp->cm->ocspOverrideURL;
url = ocsp->overrideUrl; if (url != NULL && url[0] != '\0')
urlSz = (int)XSTRLEN(url); urlSz = (int)XSTRLEN(url);
}
else else
return OCSP_NEED_URL; return OCSP_NEED_URL;
} }
@ -266,11 +245,12 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
CYASSL_MSG("\talloc OCSP request buffer failed"); CYASSL_MSG("\talloc OCSP request buffer failed");
return MEMORY_ERROR; return MEMORY_ERROR;
} }
InitOcspRequest(&ocspRequest, cert, ocsp->useNonce, ocspReqBuf, ocspReqSz); InitOcspRequest(&ocspRequest, cert, ocsp->cm->ocspSendNonce,
ocspReqBuf, ocspReqSz);
ocspReqSz = EncodeOcspRequest(&ocspRequest); ocspReqSz = EncodeOcspRequest(&ocspRequest);
if (ocsp->CBIOOcsp) { if (ocsp->cm->ocspIOCb) {
result = ocsp->CBIOOcsp(ocsp->IOCB_OcspCtx, url, urlSz, result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
ocspReqBuf, ocspReqSz, &ocspRespBuf); ocspReqBuf, ocspReqSz, &ocspRespBuf);
} }
@ -300,8 +280,8 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
if (ocspReqBuf != NULL) { if (ocspReqBuf != NULL) {
XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER);
} }
if (ocspRespBuf != NULL && ocsp->CBIOOcspRespFree) { if (ocspRespBuf != NULL && ocsp->cm->ocspRespFreeCb) {
ocsp->CBIOOcspRespFree(ocsp->IOCB_OcspCtx, ocspRespBuf); ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, ocspRespBuf);
} }
return result; return result;

268
src/ssl.c
View File

@ -1005,16 +1005,7 @@ CYASSL_CERT_MANAGER* CyaSSL_CertManagerNew(void)
cm = (CYASSL_CERT_MANAGER*) XMALLOC(sizeof(CYASSL_CERT_MANAGER), 0, cm = (CYASSL_CERT_MANAGER*) XMALLOC(sizeof(CYASSL_CERT_MANAGER), 0,
DYNAMIC_TYPE_CERT_MANAGER); DYNAMIC_TYPE_CERT_MANAGER);
if (cm) { if (cm) {
int i; XMEMSET(cm, 0, sizeof(CYASSL_CERT_MANAGER));
for (i = 0; i < CA_TABLE_SIZE; i++)
cm->caTable[i] = NULL;
cm->heap = NULL;
cm->caCacheCallback = NULL;
cm->crl = NULL;
cm->crlEnabled = 0;
cm->crlCheckAll = 0;
cm->cbMissingCRL = NULL;
if (InitMutex(&cm->caLock) != 0) { if (InitMutex(&cm->caLock) != 0) {
CYASSL_MSG("Bad mutex init"); CYASSL_MSG("Bad mutex init");
@ -1036,6 +1027,10 @@ void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER* cm)
if (cm->crl) if (cm->crl)
FreeCRL(cm->crl, 1); FreeCRL(cm->crl, 1);
#endif #endif
#ifdef HAVE_OCSP
if (cm->ocsp)
FreeOCSP(cm->ocsp, 1);
#endif
FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL); FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL);
FreeMutex(&cm->caLock); FreeMutex(&cm->caLock);
XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER); XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER);
@ -2504,6 +2499,62 @@ int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER* cm)
} }
/* turn on OCSP if off and compiled in, set options */
int CyaSSL_CertManagerEnableOCSP(CYASSL_CERT_MANAGER* cm, int options)
{
int ret = SSL_SUCCESS;
(void)options;
CYASSL_ENTER("CyaSSL_CertManagerEnableOCSP");
if (cm == NULL)
return BAD_FUNC_ARG;
#ifdef HAVE_OCSP
if (cm->ocsp == NULL) {
cm->ocsp = (CYASSL_OCSP*)XMALLOC(sizeof(CYASSL_OCSP), cm->heap,
DYNAMIC_TYPE_OCSP);
if (cm->ocsp == NULL)
return MEMORY_E;
if (InitOCSP(cm->ocsp, cm) != 0) {
CYASSL_MSG("Init OCSP failed");
FreeOCSP(cm->ocsp, 1);
cm->ocsp = NULL;
return SSL_FAILURE;
}
}
cm->ocspEnabled = 1;
if (options & CYASSL_OCSP_URL_OVERRIDE)
cm->ocspUseOverrideURL = 1;
if (options & CYASSL_OCSP_NO_NONCE)
cm->ocspSendNonce = 0;
else
cm->ocspSendNonce = 1;
#ifndef CYASSL_USER_IO
cm->ocspIOCb = EmbedOcspLookup;
cm->ocspRespFreeCb = EmbedOcspRespFree;
#endif /* CYASSL_USER_IO */
#else
ret = NOT_COMPILED_IN;
#endif
return ret;
}
int CyaSSL_CertManagerDisableOCSP(CYASSL_CERT_MANAGER* cm)
{
CYASSL_ENTER("CyaSSL_CertManagerDisableOCSP");
if (cm == NULL)
return BAD_FUNC_ARG;
cm->ocspEnabled = 0;
return SSL_SUCCESS;
}
int CyaSSL_CTX_check_private_key(CYASSL_CTX* ctx) int CyaSSL_CTX_check_private_key(CYASSL_CTX* ctx)
{ {
/* TODO: check private against public for RSA match */ /* TODO: check private against public for RSA match */
@ -2666,6 +2717,171 @@ int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX* ctx, CbMissingCRL cb)
#endif /* HAVE_CRL */ #endif /* HAVE_CRL */
#ifdef HAVE_OCSP
/* check CRL if enabled, SSL_SUCCESS */
int CyaSSL_CertManagerCheckOCSP(CYASSL_CERT_MANAGER* cm, byte* der, int sz)
{
int ret;
DecodedCert cert;
CYASSL_ENTER("CyaSSL_CertManagerCheckOCSP");
if (cm == NULL)
return BAD_FUNC_ARG;
if (cm->ocspEnabled == 0)
return SSL_SUCCESS;
InitDecodedCert(&cert, der, sz, NULL);
ret = ParseCertRelative(&cert, CERT_TYPE, NO_VERIFY, cm);
if (ret != 0) {
CYASSL_MSG("ParseCert failed");
return ret;
}
else {
ret = CheckCertOCSP(cm->ocsp, &cert);
if (ret != 0) {
CYASSL_MSG("CheckCertOCSP failed");
}
}
FreeDecodedCert(&cert);
if (ret == 0)
return SSL_SUCCESS; /* convert */
return ret;
}
int CyaSSL_CertManagerSetOCSPOverrideURL(CYASSL_CERT_MANAGER* cm,
const char* url)
{
CYASSL_ENTER("CyaSSL_CertManagerSetOCSPOverrideURL");
if (cm == NULL)
return BAD_FUNC_ARG;
XFREE(cm->ocspOverrideURL, cm->heap, 0);
if (url != NULL) {
int urlSz = (int)XSTRLEN(url) + 1;
cm->ocspOverrideURL = (char*)XMALLOC(urlSz, cm->heap, 0);
if (cm->ocspOverrideURL != NULL) {
XMEMCPY(cm->ocspOverrideURL, url, urlSz);
}
else
return MEMORY_E;
}
else
cm->ocspOverrideURL = NULL;
return SSL_SUCCESS;
}
int CyaSSL_CertManagerSetOCSP_Cb(CYASSL_CERT_MANAGER* cm,
CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx)
{
CYASSL_ENTER("CyaSSL_CertManagerSetOCSP_Cb");
if (cm == NULL)
return BAD_FUNC_ARG;
cm->ocspIOCb = ioCb;
cm->ocspRespFreeCb = respFreeCb;
cm->ocspIOCtx = ioCbCtx;
return SSL_SUCCESS;
}
int CyaSSL_EnableOCSP(CYASSL* ssl, int options)
{
CYASSL_ENTER("CyaSSL_EnableOCSP");
if (ssl)
return CyaSSL_CertManagerEnableOCSP(ssl->ctx->cm, options);
else
return BAD_FUNC_ARG;
}
int CyaSSL_DisableOCSP(CYASSL* ssl)
{
CYASSL_ENTER("CyaSSL_DisableOCSP");
if (ssl)
return CyaSSL_CertManagerDisableOCSP(ssl->ctx->cm);
else
return BAD_FUNC_ARG;
}
int CyaSSL_SetOCSP_OverrideURL(CYASSL* ssl, const char* url)
{
CYASSL_ENTER("CyaSSL_SetOCSP_OverrideURL");
if (ssl)
return CyaSSL_CertManagerSetOCSPOverrideURL(ssl->ctx->cm, url);
else
return BAD_FUNC_ARG;
}
int CyaSSL_SetOCSP_Cb(CYASSL* ssl,
CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx)
{
CYASSL_ENTER("CyaSSL_SetOCSP_Cb");
if (ssl)
return CyaSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm,
ioCb, respFreeCb, ioCbCtx);
else
return BAD_FUNC_ARG;
}
int CyaSSL_CTX_EnableOCSP(CYASSL_CTX* ctx, int options)
{
CYASSL_ENTER("CyaSSL_CTX_EnableOCSP");
if (ctx)
return CyaSSL_CertManagerEnableOCSP(ctx->cm, options);
else
return BAD_FUNC_ARG;
}
int CyaSSL_CTX_DisableOCSP(CYASSL_CTX* ctx)
{
CYASSL_ENTER("CyaSSL_CTX_DisableOCSP");
if (ctx)
return CyaSSL_CertManagerDisableOCSP(ctx->cm);
else
return BAD_FUNC_ARG;
}
int CyaSSL_CTX_SetOCSP_OverrideURL(CYASSL_CTX* ctx, const char* url)
{
CYASSL_ENTER("CyaSSL_SetOCSP_OverrideURL");
if (ctx)
return CyaSSL_CertManagerSetOCSPOverrideURL(ctx->cm, url);
else
return BAD_FUNC_ARG;
}
int CyaSSL_CTX_SetOCSP_Cb(CYASSL_CTX* ctx,
CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx)
{
CYASSL_ENTER("CyaSSL_CTX_SetOCSP_Cb");
if (ctx)
return CyaSSL_CertManagerSetOCSP_Cb(ctx->cm, ioCb, respFreeCb, ioCbCtx);
else
return BAD_FUNC_ARG;
}
#endif /* HAVE_OCSP */
#ifdef CYASSL_DER_LOAD #ifdef CYASSL_DER_LOAD
/* Add format parameter to allow DER load of CA files */ /* Add format parameter to allow DER load of CA files */
@ -10921,38 +11137,6 @@ const byte* CyaSSL_get_sessionID(const CYASSL_SESSION* session)
#endif /* SESSION_CERTS */ #endif /* SESSION_CERTS */
int CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, int options)
{
CYASSL_ENTER("CyaSSL_CTX_OCSP_set_options");
#ifdef HAVE_OCSP
if (ctx != NULL) {
ctx->ocsp.enabled = (options & CYASSL_OCSP_ENABLE) != 0;
ctx->ocsp.useOverrideUrl = (options & CYASSL_OCSP_URL_OVERRIDE) != 0;
ctx->ocsp.useNonce = (options & CYASSL_OCSP_NO_NONCE) == 0;
return SSL_SUCCESS;
}
return SSL_FAILURE;
#else
(void)ctx;
(void)options;
return NOT_COMPILED_IN;
#endif
}
int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX* ctx, const char* url)
{
CYASSL_ENTER("CyaSSL_CTX_OCSP_set_override_url");
#ifdef HAVE_OCSP
return CyaSSL_OCSP_set_override_url(&ctx->ocsp, url);
#else
(void)ctx;
(void)url;
return NOT_COMPILED_IN;
#endif
}
#ifndef NO_CERTS #ifndef NO_CERTS
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS