wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5708 from JacobBarthelmeh/OCSP

Browse Source
This commit is contained in:
Hayden Roche
2022-10-26 15:43:15 -07:00
committed by GitHub
parent 8f2d35bb84 d08c204466
commit 294a26ba0c
6 changed files with 82 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
certs/ocsp/include.am
View File

@ -35,4 +35,5 @@ EXTRA_DIST += \
certs/ocsp/root-ca-cert.pem \ certs/ocsp/root-ca-cert.pem \
certs/ocsp/test-response.der \ certs/ocsp/test-response.der \
certs/ocsp/test-response-rsapss.der \ certs/ocsp/test-response-rsapss.der \
certs/ocsp/test-response-nointern.der certs/ocsp/test-response-nointern.der \
certs/ocsp/test-multi-response.der

1
certs/ocsp/renewcerts.sh
View File

@ -87,6 +87,7 @@ PID=$!
openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify
openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify
openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -cert ./intermediate2-ca-cert.pem -url http://localhost:22221/ -respout test-multi-response.der -noverify
kill $PID kill $PID
wait $PID wait $PID

BIN
certs/ocsp/test-multi-response.der Normal file
View File

Binary file not shown.

7
src/ocsp.c
View File

@ -327,6 +327,8 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
goto end; goto end;
} }
if (ocspRequest != NULL) { if (ocspRequest != NULL) {
/* Has the chance to bubble up response changing ocspResponse->single to
no longer be pointing at newSingle */
ret = CompareOcspReqResp(ocspRequest, ocspResponse); ret = CompareOcspReqResp(ocspRequest, ocspResponse);
if (ret != 0) { if (ret != 0) {
goto end; goto end;
@ -361,14 +363,14 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
/* Replace existing certificate entry with updated */ /* Replace existing certificate entry with updated */
newSingle->status->next = status->next; newSingle->status->next = status->next;
XMEMCPY(status, newSingle->status, sizeof(CertStatus)); XMEMCPY(status, ocspResponse->single->status, sizeof(CertStatus));
} }
else { else {
/* Save new certificate entry */ /* Save new certificate entry */
status = (CertStatus*)XMALLOC(sizeof(CertStatus), status = (CertStatus*)XMALLOC(sizeof(CertStatus),
ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS); ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS);
if (status != NULL) { if (status != NULL) {
XMEMCPY(status, newSingle->status, sizeof(CertStatus)); XMEMCPY(status, ocspResponse->single->status, sizeof(CertStatus));
status->next = entry->status; status->next = entry->status;
entry->status = status; entry->status = status;
entry->ownStatus = 1; entry->ownStatus = 1;
@ -397,6 +399,7 @@ end:
ret = OCSP_LOOKUP_FAIL; ret = OCSP_LOOKUP_FAIL;
} }
FreeOcspResponse(ocspResponse);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(newStatus, NULL, DYNAMIC_TYPE_OCSP_STATUS); XFREE(newStatus, NULL, DYNAMIC_TYPE_OCSP_STATUS);
XFREE(newSingle, NULL, DYNAMIC_TYPE_OCSP_ENTRY); XFREE(newSingle, NULL, DYNAMIC_TYPE_OCSP_ENTRY);

65
tests/api.c
View File

@ -1672,6 +1672,7 @@ static int test_wolfSSL_CheckOCSPResponse(void)
{ {
#if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL)
const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseFile = "./certs/ocsp/test-response.der";
const char* responseMultiFile = "./certs/ocsp/test-multi-response.der";
const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der";
const char* caFile = "./certs/ocsp/root-ca-cert.pem"; const char* caFile = "./certs/ocsp/root-ca-cert.pem";
OcspResponse* res = NULL; OcspResponse* res = NULL;
@ -1720,6 +1721,70 @@ static int test_wolfSSL_CheckOCSPResponse(void)
AssertNotNull(res); AssertNotNull(res);
wolfSSL_OCSP_RESPONSE_free(res); wolfSSL_OCSP_RESPONSE_free(res);
/* check loading a response with multiple certs */
{
WOLFSSL_CERT_MANAGER* cm = NULL;
OcspEntry *entry;
CertStatus status[1];
OcspRequest* request;
byte serial[] = {0x02};
byte issuerHash[] = {
0x44, 0xA8, 0xDB, 0xD1, 0xBC, 0x97, 0x0A, 0x83,
0x3B, 0x5B, 0x31, 0x9A, 0x4C, 0xB8, 0xD2, 0x52,
0x37, 0x15, 0x8A, 0x88
};
byte issuerKeyHash[] = {
0x73, 0xB0, 0x1C, 0xA4, 0x2F, 0x82, 0xCB, 0xCF,
0x47, 0xA5, 0x38, 0xD7, 0xB0, 0x04, 0x82, 0x3A,
0x7E, 0x72, 0x15, 0x21
};
entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL,
DYNAMIC_TYPE_OPENSSL);
AssertNotNull(entry);
XMEMSET(entry, 0, sizeof(OcspEntry));
XMEMSET(status, 0, sizeof(CertStatus));
AssertNotNull(request = wolfSSL_OCSP_REQUEST_new());
request->serial = (byte*)XMALLOC(sizeof(serial), NULL,
DYNAMIC_TYPE_OCSP_REQUEST);
AssertNotNull(request->serial);
request->serialSz = sizeof(serial);
XMEMCPY(request->serial, serial, sizeof(serial));
XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash));
XMEMCPY(request->issuerKeyHash, issuerKeyHash, sizeof(issuerKeyHash));
AssertNotNull(cm = wolfSSL_CertManagerNew_ex(NULL));
AssertIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CertManagerLoadCA(cm, caFile, NULL),
WOLFSSL_SUCCESS);
f = XFOPEN(responseMultiFile, "rb");
AssertTrue(f != XBADFILE);
dataSz = (word32)XFREAD(data, 1, sizeof(data), f);
AssertIntGT(dataSz, 0);
XFCLOSE(f);
AssertIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data,
dataSz, NULL, status, entry, request), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data,
dataSz, NULL, entry->status, entry, request), WOLFSSL_SUCCESS);
/* compare the status found */
AssertNotNull(entry->status);
AssertIntEQ(status->serialSz, entry->status->serialSz);
AssertIntEQ(XMEMCMP(status->serial, entry->status->serial,
status->serialSz), 0);
wolfSSL_OCSP_CERTID_free(entry);
wolfSSL_OCSP_REQUEST_free(request);
wolfSSL_CertManagerFree(cm);
}
#if defined(WC_RSA_PSS) #if defined(WC_RSA_PSS)
{ {
const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der";

15
wolfcrypt/src/asn.c
View File

@ -34226,7 +34226,7 @@ static int DecodeResponseData(byte* source, word32* ioIndex,
XMEMSET(single->next->status, 0, sizeof(CertStatus)); XMEMSET(single->next->status, 0, sizeof(CertStatus));
/* Entry to be freed. */ /* Entry to be freed. */
single->isDynamic = 1; single->next->isDynamic = 1;
/* used will be 0 (false) */ /* used will be 0 (false) */
single = single->next; single = single->next;
@ -34675,11 +34675,14 @@ void InitOcspResponse(OcspResponse* resp, OcspEntry* single, CertStatus* status,
void FreeOcspResponse(OcspResponse* resp) void FreeOcspResponse(OcspResponse* resp)
{ {
OcspEntry *single, *next; OcspEntry *single, *next;
for (single = resp->single; single; single = next) {
next = single->next; if (resp != NULL) {
if (single->isDynamic) { for (single = resp->single; single; single = next) {
XFREE(single->status, resp->heap, DYNAMIC_TYPE_OCSP_STATUS); next = single->next;
XFREE(single, resp->heap, DYNAMIC_TYPE_OCSP_ENTRY); if (single->isDynamic) {
XFREE(single->status, resp->heap, DYNAMIC_TYPE_OCSP_STATUS);
XFREE(single, resp->heap, DYNAMIC_TYPE_OCSP_ENTRY);
}
} }
} }
} }