Merge pull request #1737 from ejohnstown/ocsp-free

OCSP Free
2025-08-01 03:34:39 +02:00 · 2018-08-06 09:08:01 -07:00
parent 738a121d61 f45dbed8f9
commit 30d6c0c1fc
16 changed files with 139 additions and 85 deletions
--- a/certs/ocsp/include.am
+++ b/certs/ocsp/include.am
@@ -4,9 +4,13 @@

 EXTRA_DIST += \
        certs/ocsp/index-ca-and-intermediate-cas.txt \
+        certs/ocsp/index-ca-and-intermediate-cas.txt.attr \
        certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+        certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr \
+        certs/ocsp/index-intermediate2-ca-issued-certs.txt \
+        certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr \
        certs/ocsp/index-intermediate3-ca-issued-certs.txt \
-        certs/ocsp/index-intermediate3-ca-issued-certs.txt \
+        certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr \
        certs/ocsp/openssl.cnf \
        certs/ocsp/intermediate1-ca-key.pem \
        certs/ocsp/intermediate1-ca-cert.pem \
--- a/certs/ocsp/index-ca-and-intermediate-cas.txt.attr
+++ b/certs/ocsp/index-ca-and-intermediate-cas.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
--- a/certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr
+++ b/certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
--- a/certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr
+++ b/certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
--- a/certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr
+++ b/certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
--- a/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh
+++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22221 -nmin 1                                \
-    -index   certs/ocsp/index-intermediate1-ca-issued-certs.txt \
-    -rsigner certs/ocsp/intermediate1-ca-cert.pem               \
-    -rkey    certs/ocsp/intermediate1-ca-key.pem                \
-    -CA      certs/ocsp/intermediate1-ca-cert.pem               \
-    $@
--- a/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh
+++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22221 -nmin 1                                \
-    -index   certs/ocsp/index-intermediate1-ca-issued-certs.txt \
-    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
-    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
-    -CA      certs/ocsp/intermediate1-ca-cert.pem               \
-    $@
--- a/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh
+++ b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22222 -nmin 1                                \
-    -index   certs/ocsp/index-intermediate2-ca-issued-certs.txt \
-    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
-    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
-    -CA      certs/ocsp/intermediate2-ca-cert.pem               \
-    $@
--- a/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh
+++ b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22223 -nmin 1                                \
-    -index   certs/ocsp/index-intermediate3-ca-issued-certs.txt \
-    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
-    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
-    -CA      certs/ocsp/intermediate3-ca-cert.pem               \
-    $@
--- a/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh
+++ b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22220 -nmin 1                          \
-    -index   certs/ocsp/index-ca-and-intermediate-cas.txt \
-    -rsigner certs/ocsp/ocsp-responder-cert.pem           \
-    -rkey    certs/ocsp/ocsp-responder-key.pem            \
-    -CA      certs/ocsp/root-ca-cert.pem                  \
-    $@
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -50,6 +50,11 @@

 #define DEFAULT_TIMEOUT_SEC 2

+#define OCSP_STAPLING 1
+#define OCSP_STAPLINGV2 2
+#define OCSP_STAPLINGV2_MULTI 3
+#define OCSP_STAPLING_OPT_MAX OCSP_STAPLINGV2_MULTI
+
 /* Note on using port 0: the client standalone example doesn't utilize the
 * port 0 port sharing; that is used by (1) the server in external control
 * test mode and (2) the testsuite which uses this code and sets up the correct
@@ -787,7 +792,7 @@ static void Usage(void)
 #endif
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
-    printf("-W          Use OCSP Stapling\n");
+    printf("-W <num>    Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n");
 #endif
 #ifdef ATOMIC_USER
    printf("-U          Atomic User Record Layer Callbacks\n");
@@ -1249,6 +1254,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
                 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
                    statusRequest = atoi(myoptarg);
+                    if (statusRequest > OCSP_STAPLING_OPT_MAX) {
+                        Usage();
+                        XEXIT_T(MY_EX_USAGE);
+                    }
                #endif
                break;

@@ -1454,7 +1463,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
        #endif

        if (done) {
-            printf("external test can't be run in this mode");
+            printf("external test can't be run in this mode\n");

            ((func_args*)args)->return_code = 0;
            XEXIT_T(EXIT_SUCCESS);
@@ -1986,33 +1995,32 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
       wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
    }
 #endif
-#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
+    defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
    if (statusRequest) {
+        if (version == 4 &&
+            (statusRequest == OCSP_STAPLINGV2 || \
+             statusRequest == OCSP_STAPLINGV2_MULTI)) {
+            err_sys("Cannot use OCSP Stapling V2 with TLSv1.3");
+        }
+
        if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS)
            err_sys("can't enable OCSP Stapling Certificate Manager");

        switch (statusRequest) {
-            case WOLFSSL_CSR_OCSP:
+        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+            case OCSP_STAPLING:
                if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
                               WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) {
                    wolfSSL_free(ssl); ssl = NULL;
                    wolfSSL_CTX_free(ctx); ctx = NULL;
                    err_sys("UseCertificateStatusRequest failed");
                }
-
            break;
-        }
-
-        wolfSSL_CTX_EnableOCSP(ctx, 0);
-    }
-#endif
-#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
-    if (statusRequest) {
-        if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS)
-            err_sys("can't enable OCSP Stapling Certificate Manager");
-
-        switch (statusRequest) {
-            case WOLFSSL_CSR2_OCSP:
+        #endif
+        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+            case OCSP_STAPLINGV2:
                if (wolfSSL_UseOCSPStaplingV2(ssl,
                    WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE)
                                                           != WOLFSSL_SUCCESS) {
@@ -2021,7 +2029,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                    err_sys("UseCertificateStatusRequest failed");
                }
            break;
-            case WOLFSSL_CSR2_OCSP_MULTI:
+            case OCSP_STAPLINGV2_MULTI:
                if (wolfSSL_UseOCSPStaplingV2(ssl,
                    WOLFSSL_CSR2_OCSP_MULTI, 0)
                                                           != WOLFSSL_SUCCESS) {
@@ -2030,7 +2038,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                    err_sys("UseCertificateStatusRequest failed");
                }
            break;
-
+        #endif
+            default:
+                err_sys("Invalid OCSP Stapling option");
        }

        wolfSSL_CTX_EnableOCSP(ctx, 0);
--- a/scripts/ocsp-stapling-with-ca-as-responder.test
+++ b/scripts/ocsp-stapling-with-ca-as-responder.test
@@ -1,8 +1,14 @@
-#!/bin/sh
-
+#!/bin/bash
 # ocsp-stapling.test

-trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT
+cleanup()
+{
+    for i in $(jobs -pr)
+    do
+        kill -s HUP "$i"
+    done
+}
+trap cleanup EXIT INT TERM HUP

 server=login.live.com
 ca=certs/external/baltimore-cybertrust-root.pem
@@ -13,13 +19,26 @@ ca=certs/external/baltimore-cybertrust-root.pem
 #./scripts/ping.test $server 2

 # client test against the server
-./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
-RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+# external test case was never running, disable for now but retain case in event
+# we wish to re-activate in the future.
+#./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
+#RESULT=$?
+#[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1

 # setup ocsp responder
-./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
+# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
+# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
+# purposes!
+openssl ocsp -port 22221 -nmin 1                                \
+    -index   certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+    -rsigner certs/ocsp/intermediate1-ca-cert.pem               \
+    -rkey    certs/ocsp/intermediate1-ca-key.pem                \
+    -CA      certs/ocsp/intermediate1-ca-cert.pem               \
+    $@                                                          \
+    &
+
 sleep 1
+# "jobs" is not portable for posix. Must use bash interpreter!
 [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0

 # client test against our own server - GOOD CERT
--- a/scripts/ocsp-stapling.test
+++ b/scripts/ocsp-stapling.test
@@ -1,8 +1,15 @@
-#!/bin/sh
+#!/bin/bash

 # ocsp-stapling.test

-trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT
+cleanup()
+{
+    for i in $(jobs -pr)
+    do
+        kill -s HUP "$i"
+    done
+}
+trap cleanup EXIT INT TERM HUP

 server=login.live.com
 ca=certs/external/baltimore-cybertrust-root.pem
@@ -17,7 +24,7 @@ fi
 #./scripts/ping.test $server 2

 # client test against the server
-./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
+./examples/client/client -C -h $server -p 443 -A $ca -g -W 1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1

@@ -30,8 +37,18 @@ if [ $? -eq 0 ]; then
 fi

 # setup ocsp responder
-./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
+# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
+# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
+# purposes!
+openssl ocsp -port 22221 -nmin 1                                \
+    -index   certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
+    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
+    -CA      certs/ocsp/intermediate1-ca-cert.pem               \
+    "$@" &
+
 sleep 1
+# "jobs" is not portable for posix. Must use bash interpreter!
 [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0

 # client test against our own server - GOOD CERT
--- a/scripts/ocsp-stapling2.test
+++ b/scripts/ocsp-stapling2.test
@@ -1,54 +1,91 @@
-#!/bin/sh
-
+#!/bin/bash
 # ocsp-stapling.test

-trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT
+cleanup()
+{
+    for i in $(jobs -pr)
+    do
+        kill -s HUP "$i"
+    done
+}
+trap cleanup EXIT INT TERM HUP

 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1

 # setup ocsp responders
-./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
-./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
-./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
+# OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
+# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
+# purposes!
+openssl ocsp -port 22220 -nmin 1                          \
+    -index   certs/ocsp/index-ca-and-intermediate-cas.txt \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem           \
+    -rkey    certs/ocsp/ocsp-responder-key.pem            \
+    -CA      certs/ocsp/root-ca-cert.pem                  \
+    $@                                                    \
+    &
+
+# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
+# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
+# purposes!
+openssl ocsp -port 22222 -nmin 1                                \
+    -index   certs/ocsp/index-intermediate2-ca-issued-certs.txt \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
+    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
+    -CA      certs/ocsp/intermediate2-ca-cert.pem               \
+    $@                                                          \
+    &
+
+# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
+# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
+# purposes!
+openssl ocsp -port 22223 -nmin 1                                \
+    -index   certs/ocsp/index-intermediate3-ca-issued-certs.txt \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
+    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
+    -CA      certs/ocsp/intermediate3-ca-cert.pem               \
+    $@                                                          \
+    &
+
 sleep 1
+# "jobs" is not portable for posix. Must use bash interpreter!
 [ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0

 # client test against our own server - GOOD CERTS
 ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1

 ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1

 # client test against our own server - REVOKED SERVER CERT
 ./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
 RESULT=$?
 [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1

 ./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
 RESULT=$?
 [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1

 # client test against our own server - REVOKED INTERMEDIATE CERT
 ./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1

 ./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
 sleep 1
-./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
 RESULT=$?
 [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1

--- a/src/internal.c
+++ b/src/internal.c
@@ -14050,8 +14050,10 @@ int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest,
                                                                   der->length);
        }

-        if (request != NULL)
+        if (request != NULL && ret != 0) {
            XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
+            request = NULL;
+        }
    #ifdef WOLFSSL_SMALL_STACK
        XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
    #endif
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -13351,7 +13351,7 @@ int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
        req->serialSz = cert->serialSz;

        if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) {
-            req->url = (byte*)XMALLOC(cert->extAuthInfoSz, req->heap,
+            req->url = (byte*)XMALLOC(cert->extAuthInfoSz + 1, req->heap,
                                                     DYNAMIC_TYPE_OCSP_REQUEST);
            if (req->url == NULL) {
                XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP);
@@ -13360,6 +13360,7 @@ int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,

            XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz);
            req->urlSz = cert->extAuthInfoSz;
+            req->url[req->urlSz] = 0;
        }
    }