diff --git a/examples/client/client.c b/examples/client/client.c
index c1af7dd8f..a76379622 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -50,6 +50,11 @@
 #define DEFAULT_TIMEOUT_SEC 2
+#define OCSP_STAPLING 1
+#define OCSP_STAPLINGV2 2
+#define OCSP_STAPLINGV2_MULTI 3
+#define OCSP_STAPLING_OPT_MAX OCSP_STAPLINGV2_MULTI
+
 /* Note on using port 0: the client standalone example doesn't utilize the
 * port 0 port sharing; that is used by (1) the server in external control
 * test mode and (2) the testsuite which uses this code and sets up the correct
@@ -787,7 +792,7 @@ static void Usage(void)
 #endif
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- printf("-W Use OCSP Stapling\n");
+ printf("-W Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n");
 #endif
 #ifdef ATOMIC_USER
 printf("-U Atomic User Record Layer Callbacks\n");
@@ -1249,6 +1254,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
 statusRequest = atoi(myoptarg);
+ if (statusRequest > OCSP_STAPLING_OPT_MAX) {
+ Usage();
+ XEXIT_T(MY_EX_USAGE);
+ }
 #endif
 break; 
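Review bot: The new range check on `statusRequest` only bounds the top: `atoi(myoptarg)` returns 0 for non-numeric text and passes negative values through unchanged, so `-W abc` is silently accepted as "no stapling" and `-W -1` is not rejected here but only later, by the `default:` branch of the stapling switch via `err_sys`. If `-W 0` is not an intended way to turn stapling off, tighten the guard to `if (statusRequest < OCSP_STAPLING || statusRequest > OCSP_STAPLING_OPT_MAX) {`; either way, parsing with `strtol` and rejecting a non-empty tail would catch the garbage-input case at the command line. The enclosing `client_test` option loop starts and ends outside this hunk.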
@@ -1986,33 +1995,32 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
 }
 #endif
-#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
+ defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
 if (statusRequest) {
+ if (version == 4 &&
+ (statusRequest == OCSP_STAPLINGV2 || \
+ statusRequest == OCSP_STAPLINGV2_MULTI)) {
+ err_sys("Cannot use OCSP Stapling V2 with TLSv1.3");
+ }
+
 if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS)
 err_sys("can't enable OCSP Stapling Certificate Manager");
 switch (statusRequest) {
- case WOLFSSL_CSR_OCSP:
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+ case OCSP_STAPLING:
 if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
 WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) {
 wolfSSL_free(ssl); ssl = NULL;
 wolfSSL_CTX_free(ctx); ctx = NULL;
 err_sys("UseCertificateStatusRequest failed");
 }
- break;
- }
-
- wolfSSL_CTX_EnableOCSP(ctx, 0);
- }
-#endif
-#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
- if (statusRequest) {
- if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS)
- err_sys("can't enable OCSP Stapling Certificate Manager");
-
- switch (statusRequest) {
- case WOLFSSL_CSR2_OCSP:
+ #endif
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ case OCSP_STAPLINGV2:
 if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP,
 WOLFSSL_CSR2_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) {
@@ -2021,7 +2029,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 err_sys("UseCertificateStatusRequest failed");
 }
 break;
- case WOLFSSL_CSR2_OCSP_MULTI:
+ case OCSP_STAPLINGV2_MULTI:
 if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP_MULTI,
 0) != WOLFSSL_SUCCESS) {
@@ -2030,7 +2038,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 err_sys("UseCertificateStatusRequest failed");
 }
 break;
-
+ #endif
+ default:
+ err_sys("Invalid OCSP Stapling option");
 }
 wolfSSL_CTX_EnableOCSP(ctx, 0); 
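Review bot: The new TLSv1.3 guard carries a line-continuation backslash inside ordinary C code, `(statusRequest == OCSP_STAPLINGV2 || \`; outside a macro the backslash-newline is simply spliced away by the preprocessor, so it does nothing except read like a copy of the `#if` above — drop it and write `(statusRequest == OCSP_STAPLINGV2 ||` / `statusRequest == OCSP_STAPLINGV2_MULTI)) {`. The guard also compares against the bare literal `version == 4`; if client.c names its TLSv1.3 selector, compare against that, otherwise a comment such as `/* 4 selects TLSv1.3 */` keeps the check readable. Note that this early `err_sys` runs before `ssl`/`ctx` are released, whereas the `case` bodies below free both before calling `err_sys`; if `err_sys` does not terminate the process that is a leak, and either way the two paths are worth aligning. `client_test` starts and ends outside this hunk.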
diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test
index dc020dee0..303dd713f 100755
--- a/scripts/ocsp-stapling-with-ca-as-responder.test
+++ b/scripts/ocsp-stapling-with-ca-as-responder.test
@@ -1,15 +1,14 @@
 #!/bin/bash
-
-#set an invalid default PID so we don't cleanup a process unexpectedly
-OSSL_INT1_PID="INVALID"
-
 # ocsp-stapling.test
-cleanup(){
- # "jobs" is not portable for posix. Must use bash interpreter!
- for i in `jobs -p`; do pkill -TERM -P $i; done
- kill $OSSL_INT1_PID
+
+cleanup()
+{
+ for i in $(jobs -pr)
+ do
+ kill -s HUP "$i"
+ done
 }
-trap cleanup INT TERM EXIT
+trap cleanup EXIT INT TERM HUP
 server=login.live.com
 ca=certs/external/baltimore-cybertrust-root.pem
@@ -37,7 +36,6 @@ openssl ocsp -port 22221 -nmin 1 \
 -CA certs/ocsp/intermediate1-ca-cert.pem \
 $@ \
 &
-OSSL_INT1_PID=$!
 sleep 1
 # "jobs" is not portable for posix. Must use bash interpreter!
diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test
index a784733df..028f01f8a 100755
--- a/scripts/ocsp-stapling2.test
+++ b/scripts/ocsp-stapling2.test
@@ -1,19 +1,14 @@
 #!/bin/bash
-
-#set some invalid default PID(s) so we don't cleanup a process unexpectedly
-OSSL_ROOT_PID="INVALID"
-OSSL_INT2_PID="INVALID"
-OSSL_INT3_PID="INVALID"
-
 # ocsp-stapling.test
-cleanup(){
- # "jobs" is not portable for posix. Must use bash interpreter!
- for i in `jobs -p`; do pkill -TERM -P $i; done
- kill $OSSL_ROOT_PID
- kill $OSSL_INT2_PID
- kill $OSSL_INT3_PID
+
+cleanup()
+{
+ for i in $(jobs -pr)
+ do
+ kill -s HUP "$i"
+ done
 }
-trap cleanup INT TERM EXIT
+trap cleanup EXIT INT TERM HUP
 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
@@ -28,7 +23,6 @@ openssl ocsp -port 22220 -nmin 1 \
 -CA certs/ocsp/root-ca-cert.pem \
 $@ \
 &
-OSSL_ROOT_PID=$!
 # OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
 # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup 
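Review bot: The rewritten `cleanup` is attached to EXIT as well as INT, TERM and HUP, so after a caught signal it runs once from the trap and again at exit; `jobs -pr` lists only still-running jobs, so the second pass is harmless, but a job that exits between the listing and the signal makes `kill` print an error to stderr — `kill -s HUP "$i" 2>/dev/null` keeps the test output clean. The old handler also swept each job's children with `pkill -TERM -P`, while the new one signals only the job leader; that is sufficient for the `openssl ocsp ... &` jobs this script now starts directly (hence the dropped `OSSL_INT1_PID=$!`), but would leave grandchildren behind if any background job is ever a wrapper script. scripts/ocsp-stapling2.test receives the same cleanup body in this commit, so both points apply there as well.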
@@ -40,7 +34,6 @@ openssl ocsp -port 22222 -nmin 1 \
 -CA certs/ocsp/intermediate2-ca-cert.pem \
 $@ \
 &
-OSSL_INT2_PID=$!
 # OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
 # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
@@ -52,7 +45,6 @@ openssl ocsp -port 22223 -nmin 1 \
 -CA certs/ocsp/intermediate3-ca-cert.pem \
 $@ \
 &
-OSSL_INT3_PID=$!
 sleep 1
 # "jobs" is not portable for posix. Must use bash interpreter! 
@@ -61,39 +53,39 @@ sleep 1
 # client test against our own server - GOOD CERTS
 ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
 ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
 # client test against our own server - REVOKED SERVER CERT
 ./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
 RESULT=$?
 [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
 ./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
 RESULT=$?
 [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
 # client test against our own server - REVOKED INTERMEDIATE CERT
 ./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
 RESULT=$? 
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
 ./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
 RESULT=$?
 [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
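Review bot: Every client invocation in this hunk now passes `-v 3` alongside the renumbered `-W 2`/`-W 3` values without saying why; a one-line comment above the first call would spare the next reader a trip into client.c, e.g. `# -v 3 pins TLSv1.2: the client refuses OCSP Stapling V2 under TLSv1.3`. Presumably the pin follows the TLSv1.3 guard added to client.c in this same commit. Note also that after the renumbering this script no longer exercises `-W 1` (v1 stapling) at all — fine if another script covers it, otherwise a v1 case has been dropped here.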