feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

OCSP

Browse Source 
1. Modify the other OCSP Stapling scripts to better manage the OCSP responder.
2. Modify the client's W option to take:
 - 1 for Stapling v1
 - 2 for Stapling v2
 - 3 for Stapling v2 MULTI
3. Modify the client to disallow stapling v2 with TLSv1.3.
This commit is contained in:
John Safranek
2018-08-02 16:25:38 -07:00
parent 5ae45436f4
commit f45dbed8f9
3 changed files with 50 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
examples/client/client.c
View File

@ -50,6 +50,11 @@
#define DEFAULT_TIMEOUT_SEC 2
#define OCSP_STAPLING 1
#define OCSP_STAPLINGV2 2
#define OCSP_STAPLINGV2_MULTI 3
#define OCSP_STAPLING_OPT_MAX OCSP_STAPLINGV2_MULTI
/* Note on using port 0: the client standalone example doesn't utilize the
* port 0 port sharing; that is used by (1) the server in external control
* test mode and (2) the testsuite which uses this code and sets up the correct
@ -787,7 +792,7 @@ static void Usage(void)
#endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
printf("-W Use OCSP Stapling\n");
printf("-W <num> Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n");
#endif
#ifdef ATOMIC_USER
printf("-U Atomic User Record Layer Callbacks\n");
@ -1249,6 +1254,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
statusRequest = atoi(myoptarg);
if (statusRequest > OCSP_STAPLING_OPT_MAX) {
Usage();
XEXIT_T(MY_EX_USAGE);
}
#endif
break;
@ -1986,33 +1995,32 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
}
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (statusRequest) {
if (version == 4 &&
(statusRequest == OCSP_STAPLINGV2 || \
statusRequest == OCSP_STAPLINGV2_MULTI)) {
err_sys("Cannot use OCSP Stapling V2 with TLSv1.3");
}
if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS)
err_sys("can't enable OCSP Stapling Certificate Manager");
switch (statusRequest) {
case WOLFSSL_CSR_OCSP:
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
case OCSP_STAPLING:
if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) {
wolfSSL_free(ssl); ssl = NULL;
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("UseCertificateStatusRequest failed");
}
break;
}
wolfSSL_CTX_EnableOCSP(ctx, 0);
}
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
if (statusRequest) {
if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS)
err_sys("can't enable OCSP Stapling Certificate Manager");
switch (statusRequest) {
case WOLFSSL_CSR2_OCSP:
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
case OCSP_STAPLINGV2:
if (wolfSSL_UseOCSPStaplingV2(ssl,
WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE)
!= WOLFSSL_SUCCESS) {
@ -2021,7 +2029,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("UseCertificateStatusRequest failed");
}
break;
case WOLFSSL_CSR2_OCSP_MULTI:
case OCSP_STAPLINGV2_MULTI:
if (wolfSSL_UseOCSPStaplingV2(ssl,
WOLFSSL_CSR2_OCSP_MULTI, 0)
!= WOLFSSL_SUCCESS) {
@ -2030,7 +2038,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("UseCertificateStatusRequest failed");
}
break;
#endif
default:
err_sys("Invalid OCSP Stapling option");
}
wolfSSL_CTX_EnableOCSP(ctx, 0);

18
scripts/ocsp-stapling-with-ca-as-responder.test
View File

@ -1,15 +1,14 @@
#!/bin/bash
#set an invalid default PID so we don't cleanup a process unexpectedly
OSSL_INT1_PID="INVALID"
# ocsp-stapling.test
cleanup(){
# "jobs" is not portable for posix. Must use bash interpreter!
for i in `jobs -p`; do pkill -TERM -P $i; done
kill $OSSL_INT1_PID
cleanup()
{
for i in $(jobs -pr)
do
kill -s HUP "$i"
done
}
trap cleanup INT TERM EXIT
trap cleanup EXIT INT TERM HUP
server=login.live.com
ca=certs/external/baltimore-cybertrust-root.pem
@ -37,7 +36,6 @@ openssl ocsp -port 22221 -nmin 1 \
-CA certs/ocsp/intermediate1-ca-cert.pem \
$@ \
&
OSSL_INT1_PID=$!
sleep 1
# "jobs" is not portable for posix. Must use bash interpreter!

36
scripts/ocsp-stapling2.test
View File

@ -1,19 +1,14 @@
#!/bin/bash
#set some invalid default PID(s) so we don't cleanup a process unexpectedly
OSSL_ROOT_PID="INVALID"
OSSL_INT2_PID="INVALID"
OSSL_INT3_PID="INVALID"
# ocsp-stapling.test
cleanup(){
# "jobs" is not portable for posix. Must use bash interpreter!
for i in `jobs -p`; do pkill -TERM -P $i; done
kill $OSSL_ROOT_PID
kill $OSSL_INT2_PID
kill $OSSL_INT3_PID
cleanup()
{
for i in $(jobs -pr)
do
kill -s HUP "$i"
done
}
trap cleanup INT TERM EXIT
trap cleanup EXIT INT TERM HUP
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
@ -28,7 +23,6 @@ openssl ocsp -port 22220 -nmin 1 \
-CA certs/ocsp/root-ca-cert.pem \
$@ \
&
OSSL_ROOT_PID=$!
# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
@ -40,7 +34,6 @@ openssl ocsp -port 22222 -nmin 1 \
-CA certs/ocsp/intermediate2-ca-cert.pem \
$@ \
&
OSSL_INT2_PID=$!
# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
@ -52,7 +45,6 @@ openssl ocsp -port 22223 -nmin 1 \
-CA certs/ocsp/intermediate3-ca-cert.pem \
$@ \
&
OSSL_INT3_PID=$!
sleep 1
# "jobs" is not portable for posix. Must use bash interpreter!
@ -61,39 +53,39 @@ sleep 1
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# client test against our own server - REVOKED SERVER CERT
./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
RESULT=$?
[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
RESULT=$?
[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
# client test against our own server - REVOKED INTERMEDIATE CERT
./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
RESULT=$?
[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1