From c87d6b27e25a2404caa625c4cb90510066203bad Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 1 Aug 2018 15:26:31 -0700 Subject: [PATCH 1/6] OCSP Free Free the OCSP request when creating the response only if there is an error making the request. --- src/internal.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 0ffaae6c4..4590e596d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14048,8 +14048,10 @@ int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest, der->length); } - if (request != NULL) + if (request != NULL && ret != 0) { XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); + request = NULL; + } #ifdef WOLFSSL_SMALL_STACK XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); #endif From a178764a8b0a090366ff66dc1b9d6c0f5644f4eb Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Wed, 1 Aug 2018 16:43:57 -0600 Subject: [PATCH 2/6] Portability and self-cleanup changes to ocsp test scripts --- ...e1-ca-issued-certs-with-ca-as-responder.sh | 8 --- .../ocspd-intermediate1-ca-issued-certs.sh | 8 --- .../ocspd-intermediate2-ca-issued-certs.sh | 8 --- .../ocspd-intermediate3-ca-issued-certs.sh | 8 --- .../ocspd-root-ca-and-intermediate-cas.sh | 8 --- .../ocsp-stapling-with-ca-as-responder.test | 27 +++++++-- scripts/ocsp-stapling.test | 27 ++++++++- scripts/ocsp-stapling2.test | 57 +++++++++++++++++-- 8 files changed, 98 insertions(+), 53 deletions(-) delete mode 100755 certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh delete mode 100755 certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh delete mode 100755 certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh delete mode 100755 certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh delete mode 100755 certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh 
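Review bot: With the guard now `request != NULL && ret != 0`, the success path keeps `request` alive, but nothing in the hunk shows where it is stored, so whether it is handed to the caller through the `*ocspRequest` out-parameter or simply leaks cannot be confirmed from these lines; CreateOcspResponse begins and ends outside the hunk, so please verify against the rest of its body. A comment on the condition would make the ownership rule explicit, e.g. `/* On success the request is owned by the caller via *ocspRequest; free it only when building the response failed. */`. The added `request = NULL;` is only meaningful if `request` is read again before the function returns; otherwise it is a dead store that compilers will flag.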
diff --git a/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh deleted file mode 100755 index eecd81b58..000000000 --- a/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22221 -nmin 1 \ - -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ - -rsigner certs/ocsp/intermediate1-ca-cert.pem \ - -rkey certs/ocsp/intermediate1-ca-key.pem \ - -CA certs/ocsp/intermediate1-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh deleted file mode 100755 index debfd63bb..000000000 --- a/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22221 -nmin 1 \ - -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate1-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh deleted file mode 100755 index 0d06c5be1..000000000 --- a/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22222 -nmin 1 \ - -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate2-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh deleted file mode 100755 index 5e6a5173c..000000000 --- a/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22223 -nmin 1 \ - -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate3-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh deleted file mode 100755 index d3c3bc1ad..000000000 --- a/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22220 -nmin 1 \ - -index certs/ocsp/index-ca-and-intermediate-cas.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/root-ca-cert.pem \ - $@ diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test index 3b538c9d1..5c61e2ec1 100755 --- a/scripts/ocsp-stapling-with-ca-as-responder.test +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -1,8 +1,15 @@ -#!/bin/sh +#!/bin/bash + +#set an invalid default PID so we don't cleanup a process unexpectedly +OSSL_INT1_PID="INVALID" # ocsp-stapling.test - -trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT +cleanup(){ + # "jobs" is not portable for posix. Must use bash interpreter! + for i in `jobs -p`; do pkill -TERM -P $i; done + kill $OSSL_INT1_PID +} +trap cleanup INT TERM EXIT server=login.live.com ca=certs/external/baltimore-cybertrust-root.pem 
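Review bot: `kill $OSSL_INT1_PID` in `cleanup` runs with the literal default `INVALID` on every early exit (the client-missing and client-connection-failed paths exit before the responder is started), so each such run ends with a `kill: INVALID` error on stderr; guard it, `[ "$OSSL_INT1_PID" != "INVALID" ] && kill "$OSSL_INT1_PID"`. Because EXIT is trapped together with INT and TERM, a signal runs `cleanup` twice (once for the signal, once at exit); harmless here, but worth either a comment or a `trap - EXIT` inside the handler. The same two points apply to the ocsp-stapling.test hunk at `@@ -1,8 +1,16 @@` and to the ocsp-stapling2.test hunk at `@@ -1,16 +1,61 @@`, which kills three such variables.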
@@ -18,8 +25,20 @@ RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # setup ocsp responder -./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh & +# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22221 -nmin 1 \ + -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ + -rsigner certs/ocsp/intermediate1-ca-cert.pem \ + -rkey certs/ocsp/intermediate1-ca-key.pem \ + -CA certs/ocsp/intermediate1-ca-cert.pem \ + $@ \ + & +OSSL_INT1_PID=$! + sleep 1 +# "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 # client test against our own server - GOOD CERT diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index 511ae3b00..d39494c4e 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -1,8 +1,16 @@ -#!/bin/sh +#!/bin/bash + +#set an invalid default PID so we don't cleanup a process unexpectedly +OSSL_INT1_PID="INVALID" # ocsp-stapling.test +cleanup(){ + # "jobs" is not portable for posix. Must use bash interpreter! + for i in `jobs -p`; do pkill -TERM -P $i; done + kill $OSSL_INT1_PID +} +trap cleanup INT TERM EXIT -trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT server=login.live.com ca=certs/external/baltimore-cybertrust-root.pem 
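Review bot: `$@` on the openssl invocation is unquoted, so any script argument containing whitespace or glob characters is re-split before it reaches `openssl ocsp`; write it as `"$@" \` (the ocsp-stapling.test hunk at `@@ -30,8 +38,21 @@` and the three invocations in the ocsp-stapling2.test hunk have the same form). The `# OLD:` line keeps the replaced command as commented-out code; git history already holds the deleted helper, so a one-line comment such as `# responder is started inline so cleanup can signal it directly` says why without the dead command. The `jobs -r | wc -l` check treats a responder that fails to start as a skip (`exit 0`), so a broken index file makes the suite pass silently rather than fail; that predates this change, but is worth a second look now that the invocation is inline.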
@@ -30,8 +38,21 @@ if [ $? -eq 0 ]; then fi # setup ocsp responder -./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh & +# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22221 -nmin 1 \ + -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate1-ca-cert.pem \ + $@ \ + & + +OSSL_INT1_PID=$! + sleep 1 +# "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 # client test against our own server - GOOD CERT diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index 7a5bed878..a784733df 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test 
@@ -1,16 +1,61 @@ -#!/bin/sh +#!/bin/bash + +#set some invalid default PID(s) so we don't cleanup a process unexpectedly +OSSL_ROOT_PID="INVALID" +OSSL_INT2_PID="INVALID" +OSSL_INT3_PID="INVALID" # ocsp-stapling.test - -trap 'for i in `jobs -p`; do pkill -TERM -P $i; done' EXIT +cleanup(){ + # "jobs" is not portable for posix. Must use bash interpreter! + for i in `jobs -p`; do pkill -TERM -P $i; done + kill $OSSL_ROOT_PID + kill $OSSL_INT2_PID + kill $OSSL_INT3_PID +} +trap cleanup INT TERM EXIT [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 # setup ocsp responders -./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & -./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & -./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & +# OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22220 -nmin 1 \ + -index certs/ocsp/index-ca-and-intermediate-cas.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/root-ca-cert.pem \ + $@ \ + & +OSSL_ROOT_PID=$! + +# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! +openssl ocsp -port 22222 -nmin 1 \ + -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate2-ca-cert.pem \ + $@ \ + & +OSSL_INT2_PID=$! + +# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & +# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup +# purposes! 
+openssl ocsp -port 22223 -nmin 1 \ + -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate3-ca-cert.pem \ + $@ \ + & +OSSL_INT3_PID=$! + sleep 1 +# "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 # client test against our own server - GOOD CERTS From ddec8781522141c7266aaf317237412f19a08bb1 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Thu, 2 Aug 2018 10:03:47 -0600 Subject: [PATCH 3/6] Disable external tests for OCSP scripts --- scripts/ocsp-stapling-with-ca-as-responder.test | 8 +++++--- scripts/ocsp-stapling.test | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test index 5c61e2ec1..dc020dee0 100755 --- a/scripts/ocsp-stapling-with-ca-as-responder.test +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -20,9 +20,11 @@ ca=certs/external/baltimore-cybertrust-root.pem #./scripts/ping.test $server 2 # client test against the server -./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 -RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +# external test case was never running, disable for now but retain case in event +# we wish to re-activate in the future. +#./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 +#RESULT=$? +#[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # setup ocsp responder # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh & diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index d39494c4e..16c007d22 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test 
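Review bot: Commenting out the external client test leaves `server` and `ca` defined but unused in the script and keeps dead command lines in place; a guard on an opt-in environment variable (name of your choosing) around the three lines would keep the case runnable without a commented-out block. The ocsp-stapling.test hunk at `@@ -25,9 +25,11 @@` makes the identical change and would take the same treatment.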
@@ -25,9 +25,11 @@ fi #./scripts/ping.test $server 2 # client test against the server -./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 -RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +# external test case was never running, disable for now but retain case in event +# we wish to re-activate in the future. +#./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 +#RESULT=$? +#[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # Test with example server From c71f730d674a6e18a0de7f78b40f2da1c624bb8e Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 2 Aug 2018 11:32:36 -0700 Subject: [PATCH 4/6] OSCP 1. Made killing the OCSP server process more reliable. 2. Added attr files for the OSCP status files. Bare minimum attr. 3. Added a NL to the error string from the client regarding external tests. --- ...dex-intermediate1-ca-issued-certs.txt.attr | 1 + ...dex-intermediate2-ca-issued-certs.txt.attr | 1 + ...dex-intermediate3-ca-issued-certs.txt.attr | 1 + examples/client/client.c | 2 +- scripts/ocsp-stapling.test | 30 ++++++++----------- 5 files changed, 16 insertions(+), 19 deletions(-) create mode 100644 certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr create mode 100644 certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr create mode 100644 certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr diff --git a/certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr b/certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr new file mode 100644 index 000000000..3a7e39e6e --- /dev/null +++ b/certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr @@ -0,0 +1 @@ +unique_subject = no diff --git a/certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr b/certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr new file mode 100644 index 000000000..3a7e39e6e --- /dev/null +++ b/certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr @@ -0,0 +1 @@ +unique_subject = no 
diff --git a/certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr b/certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr new file mode 100644 index 000000000..3a7e39e6e --- /dev/null +++ b/certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr @@ -0,0 +1 @@ +unique_subject = no diff --git a/examples/client/client.c b/examples/client/client.c index f34369ce7..c1af7dd8f 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1454,7 +1454,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif if (done) { - printf("external test can't be run in this mode"); + printf("external test can't be run in this mode\n"); ((func_args*)args)->return_code = 0; XEXIT_T(EXIT_SUCCESS); diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index 16c007d22..01173f5f8 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -1,16 +1,15 @@ #!/bin/bash -#set an invalid default PID so we don't cleanup a process unexpectedly -OSSL_INT1_PID="INVALID" - # ocsp-stapling.test -cleanup(){ - # "jobs" is not portable for posix. Must use bash interpreter! - for i in `jobs -p`; do pkill -TERM -P $i; done - kill $OSSL_INT1_PID -} -trap cleanup INT TERM EXIT +cleanup() +{ + for i in $(jobs -pr) + do + kill -s HUP "$i" + done +} +trap cleanup EXIT INT TERM HUP server=login.live.com ca=certs/external/baltimore-cybertrust-root.pem @@ -25,11 +24,9 @@ fi #./scripts/ping.test $server 2 # client test against the server -# external test case was never running, disable for now but retain case in event -# we wish to re-activate in the future. -#./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 -#RESULT=$? -#[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +./examples/client/client -C -h $server -p 443 -A $ca -g -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # Test with example server 
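Review bot: Re-enabling the connection to `login.live.com` with a hard `exit 1` makes this script fail on any host without outbound network, while the ocsp-stapling-with-ca-as-responder.test and ocsp-stapling2.test copies of the same case stay disabled, so the three scripts now disagree on whether the external test is required. If dropping `-X` is what makes the case run (the client.c hunk above shows the client printing "external test can't be run in this mode" and exiting 0 in some mode, but what `-X` selects is not visible here), consider making the external step a skip rather than a failure, e.g. `[ $RESULT -ne 0 ] && echo -e "\n\nExternal client connection failed, skipping" && exit 0`, or gate it the way the other two scripts do. In the cleanup hunk, `kill -s HUP "$i"` over `jobs -pr` reaches only direct jobs of this shell; that is correct now that `openssl ocsp` is started inline, and a comment saying so would stop someone reintroducing the wrapper scripts.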
@@ -48,10 +45,7 @@ openssl ocsp -port 22221 -nmin 1 \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ -CA certs/ocsp/intermediate1-ca-cert.pem \ - $@ \ - & - -OSSL_INT1_PID=$! + "$@" & sleep 1 # "jobs" is not portable for posix. Must use bash interpreter! From 5ae45436f49376c63e8d38c8e147c5bec0276cb0 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 2 Aug 2018 14:50:59 -0700 Subject: [PATCH 5/6] OSCP 1. Added a missed attr files for the OSCP status files. Bare minimum attr. 2. Added the attr files to the automake include. 3. Fix out of bounds read with the OCSP URL. --- certs/ocsp/include.am | 6 +++++- certs/ocsp/index-ca-and-intermediate-cas.txt.attr | 1 + wolfcrypt/src/asn.c | 3 ++- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 certs/ocsp/index-ca-and-intermediate-cas.txt.attr diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index f3ba21121..784c3bed4 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -4,9 +4,13 @@ EXTRA_DIST += \ certs/ocsp/index-ca-and-intermediate-cas.txt \ + certs/ocsp/index-ca-and-intermediate-cas.txt.attr \ certs/ocsp/index-intermediate1-ca-issued-certs.txt \ + certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr \ + certs/ocsp/index-intermediate2-ca-issued-certs.txt \ + certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr \ certs/ocsp/index-intermediate3-ca-issued-certs.txt \ - certs/ocsp/index-intermediate3-ca-issued-certs.txt \ + certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr \ certs/ocsp/openssl.cnf \ certs/ocsp/intermediate1-ca-key.pem \ certs/ocsp/intermediate1-ca-cert.pem \ diff --git a/certs/ocsp/index-ca-and-intermediate-cas.txt.attr b/certs/ocsp/index-ca-and-intermediate-cas.txt.attr new file mode 100644 index 000000000..3a7e39e6e --- /dev/null +++ b/certs/ocsp/index-ca-and-intermediate-cas.txt.attr @@ -0,0 +1 @@ +unique_subject = no diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a06492227..700e72ccb 100644 
--- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -13351,7 +13351,7 @@ int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, req->serialSz = cert->serialSz; if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { - req->url = (byte*)XMALLOC(cert->extAuthInfoSz, req->heap, + req->url = (byte*)XMALLOC(cert->extAuthInfoSz + 1, req->heap, DYNAMIC_TYPE_OCSP_REQUEST); if (req->url == NULL) { XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP); @@ -13360,6 +13360,7 @@ int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz); req->urlSz = cert->extAuthInfoSz; + req->url[req->urlSz] = 0; } } From f45dbed8f96da91f5d8dec9b80463f6d31fe8352 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 2 Aug 2018 16:25:38 -0700 Subject: [PATCH 6/6] OCSP 1. Modify the other OCSP Stapling scripts to better manage the OCSP responder. 2. Modify the client's W option to take: - 1 for Stapling v1 - 2 for Stapling v2 - 3 for Stapling v2 MULTI 3. Modify the client to disallow stapling v2 with TLSv1.3. --- examples/client/client.c | 46 +++++++++++-------- .../ocsp-stapling-with-ca-as-responder.test | 18 ++++---- scripts/ocsp-stapling2.test | 36 ++++++--------- 3 files changed, 50 insertions(+), 50 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index c1af7dd8f..a76379622 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -50,6 +50,11 @@ #define DEFAULT_TIMEOUT_SEC 2 +#define OCSP_STAPLING 1 +#define OCSP_STAPLINGV2 2 +#define OCSP_STAPLINGV2_MULTI 3 +#define OCSP_STAPLING_OPT_MAX OCSP_STAPLINGV2_MULTI + /* Note on using port 0: the client standalone example doesn't utilize the * port 0 port sharing; that is used by (1) the server in external control * test mode and (2) the testsuite which uses this code and sets up the correct 
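Review bot: The `+ 1` in the XMALLOC and the `req->url[req->urlSz] = 0` in the second hunk only make sense together, and nothing records that `urlSz` excludes the terminator; a comment at the terminator line, e.g. `/* url is NUL-terminated for callers that treat it as a C string; urlSz does not count the terminator */`, keeps a later edit from dropping either half. Since `extAuthInfo` comes from the certificate's AIA extension, a value with an embedded NUL byte would still be cut short by any string-based consumer, so readers of `req->url` should keep bounding by `urlSz` rather than relying on the terminator alone; whether the DER parser already rejects such values is not visible here. The enclosing InitOcspRequest extends beyond both hunks.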
@@ -787,7 +792,7 @@ static void Usage(void) #endif #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - printf("-W Use OCSP Stapling\n"); + printf("-W Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n"); #endif #ifdef ATOMIC_USER printf("-U Atomic User Record Layer Callbacks\n"); @@ -1249,6 +1254,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) statusRequest = atoi(myoptarg); + if (statusRequest > OCSP_STAPLING_OPT_MAX) { + Usage(); + XEXIT_T(MY_EX_USAGE); + } #endif break; 
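Review bot: The new range check only bounds `statusRequest` from above, so a negative `-W` value passes here and is reported only later, at connection time, by the switch's `default` branch; check both ends at parse time, `if (statusRequest < 0 || statusRequest > OCSP_STAPLING_OPT_MAX) {` (0 stays valid as "no stapling", since the later code is guarded by `if (statusRequest)`). `atoi` also yields 0 for a non-numeric argument, which silently disables stapling instead of rejecting the option; `strtol` with an end-pointer check would surface that if the file's other option parsing is changed the same way. client_test begins and ends outside the hunk.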
@@ -1986,33 +1995,32 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt); } #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ + defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (statusRequest) { + if (version == 4 && + (statusRequest == OCSP_STAPLINGV2 || \ + statusRequest == OCSP_STAPLINGV2_MULTI)) { + err_sys("Cannot use OCSP Stapling V2 with TLSv1.3"); + } + if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS) err_sys("can't enable OCSP Stapling Certificate Manager"); switch (statusRequest) { - case WOLFSSL_CSR_OCSP: + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + case OCSP_STAPLING: if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP, WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) { wolfSSL_free(ssl); ssl = NULL; wolfSSL_CTX_free(ctx); ctx = NULL; err_sys("UseCertificateStatusRequest failed"); } - break; - } - - wolfSSL_CTX_EnableOCSP(ctx, 0); - } -#endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (statusRequest) { - if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS) - err_sys("can't enable OCSP Stapling Certificate Manager"); - - switch (statusRequest) { - case WOLFSSL_CSR2_OCSP: + #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + case OCSP_STAPLINGV2: if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) { @@ -2021,7 +2029,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err_sys("UseCertificateStatusRequest failed"); } break; - case WOLFSSL_CSR2_OCSP_MULTI: + case OCSP_STAPLINGV2_MULTI: if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP_MULTI, 0) != WOLFSSL_SUCCESS) { @@ -2030,7 +2038,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err_sys("UseCertificateStatusRequest failed"); } break; - + #endif + default: + err_sys("Invalid OCSP Stapling option"); } wolfSSL_CTX_EnableOCSP(ctx, 0); 
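Review bot: The `break;` that closed the `case OCSP_STAPLING:` arm was removed with the old switch and never restored, so after the `}` of the `wolfSSL_UseOCSPStapling` check control falls straight through the `#endif`: with both HAVE_CERTIFICATE_STATUS_REQUEST and the V2 define set, `-W 1` now also executes the `case OCSP_STAPLINGV2:` body and requests V2 stapling, and with only the v1 define set it lands in `default:` and `err_sys("Invalid OCSP Stapling option")` rejects every `-W 1` run. Add `break;` immediately before the first `#endif`. The backslash ending `(statusRequest == OCSP_STAPLINGV2 || \` is a line continuation in ordinary code rather than a macro; it is harmless but misleading and should be dropped. The `version == 4` test encodes TLSv1.3 as a magic number; if the file already has a named value for it, use that instead.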
diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test index dc020dee0..303dd713f 100755 --- a/scripts/ocsp-stapling-with-ca-as-responder.test +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -1,15 +1,14 @@ #!/bin/bash - -#set an invalid default PID so we don't cleanup a process unexpectedly -OSSL_INT1_PID="INVALID" - # ocsp-stapling.test -cleanup(){ - # "jobs" is not portable for posix. Must use bash interpreter! - for i in `jobs -p`; do pkill -TERM -P $i; done - kill $OSSL_INT1_PID + +cleanup() +{ + for i in $(jobs -pr) + do + kill -s HUP "$i" + done } -trap cleanup INT TERM EXIT +trap cleanup EXIT INT TERM HUP server=login.live.com ca=certs/external/baltimore-cybertrust-root.pem @@ -37,7 +36,6 @@ openssl ocsp -port 22221 -nmin 1 \ -CA certs/ocsp/intermediate1-ca-cert.pem \ $@ \ & -OSSL_INT1_PID=$! sleep 1 # "jobs" is not portable for posix. Must use bash interpreter! diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index a784733df..028f01f8a 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -1,19 +1,14 @@ #!/bin/bash - -#set some invalid default PID(s) so we don't cleanup a process unexpectedly -OSSL_ROOT_PID="INVALID" -OSSL_INT2_PID="INVALID" -OSSL_INT3_PID="INVALID" - # ocsp-stapling.test -cleanup(){ - # "jobs" is not portable for posix. Must use bash interpreter! - for i in `jobs -p`; do pkill -TERM -P $i; done - kill $OSSL_ROOT_PID - kill $OSSL_INT2_PID - kill $OSSL_INT3_PID + +cleanup() +{ + for i in $(jobs -pr) + do + kill -s HUP "$i" + done } -trap cleanup INT TERM EXIT +trap cleanup EXIT INT TERM HUP [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 @@ -28,7 +23,6 @@ openssl ocsp -port 22220 -nmin 1 \ -CA certs/ocsp/root-ca-cert.pem \ $@ \ & -OSSL_ROOT_PID=$! # OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup 
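Review bot: `$@ \` followed by `&` on the openssl invocation stays unquoted in ocsp-stapling-with-ca-as-responder.test (`@@ -37,7 +36,6 @@`) and in all three ocsp-stapling2.test responders (`@@ -28,7 +23,6 @@`, `@@ -40,7 +34,6 @@`, `@@ -52,7 +45,6 @@`), while the earlier commit in this series switched ocsp-stapling.test to `"$@" &`; make the three scripts consistent, `"$@" &`. With the PID variables gone, `cleanup` relies entirely on `jobs -pr`, which only sees jobs started by this shell, so a responder launched through a wrapper script again would be missed; a comment above `cleanup()` such as `# responders must be started inline (no wrapper scripts) so jobs -pr can reach them` records that constraint.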
@@ -40,7 +34,6 @@ openssl ocsp -port 22222 -nmin 1 \ -CA certs/ocsp/intermediate2-ca-cert.pem \ $@ \ & -OSSL_INT2_PID=$! # OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup @@ -52,7 +45,6 @@ openssl ocsp -port 22223 -nmin 1 \ -CA certs/ocsp/intermediate3-ca-cert.pem \ $@ \ & -OSSL_INT3_PID=$! sleep 1 # "jobs" is not portable for posix. Must use bash interpreter! 
@@ -61,39 +53,39 @@ sleep 1 # client test against our own server - GOOD CERTS ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # client test against our own server - REVOKED SERVER CERT ./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 RESULT=$? [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 ./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 RESULT=$? [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 # client test against our own server - REVOKED INTERMEDIATE CERT ./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 RESULT=$? 
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 ./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 RESULT=$? [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1