From 085f55195a4f7d383ccb3094f1dd5b8c290174e4 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 6 Aug 2020 17:06:16 -0700 Subject: [PATCH 1/3] Fix for handling OCSP response in non-blocking mode. --- src/ocsp.c | 1 + src/wolfio.c | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/src/ocsp.c b/src/ocsp.c index b5a27197e..d4002c357 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -453,6 +453,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, } else { /* cert doesn't have extAuthInfo, assuming CERT_GOOD */ + WOLFSSL_MSG("Cert has no OCSP URL, assuming CERT_GOOD"); return 0; } diff --git a/src/wolfio.c b/src/wolfio.c index 95bb6171f..da5cfda12 100644 --- a/src/wolfio.c +++ b/src/wolfio.c @@ -1078,6 +1078,13 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList, start[len] = 0; } else { + #ifdef WOLFSSL_NONBLOCK_OCSP + result = wolfSSL_LastError(); + if (result == SOCKET_EWOULDBLOCK) { + return OCSP_WANT_READ; + } + #endif + WOLFSSL_MSG("wolfIO_HttpProcessResponse recv http from peer failed"); return -1; } From 7ee2b61a5a25676ad8738b0e350e619aa724d18d Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 24 Aug 2020 08:18:25 -0700 Subject: [PATCH 2/3] Peer review feedback to also check EAGAIN and always have supported. --- src/wolfio.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/wolfio.c b/src/wolfio.c index da5cfda12..170b23eb5 100644 --- a/src/wolfio.c +++ b/src/wolfio.c @@ -1078,12 +1078,10 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList, start[len] = 0; } else { - #ifdef WOLFSSL_NONBLOCK_OCSP result = wolfSSL_LastError(); - if (result == SOCKET_EWOULDBLOCK) { + if (result == SOCKET_EWOULDBLOCK || result == SOCKET_EAGAIN) { return OCSP_WANT_READ; } - #endif WOLFSSL_MSG("wolfIO_HttpProcessResponse recv http from peer failed"); return -1; From 6a984da53f4e5abb940cb4b329eb71d395785f9f Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 25 Aug 2020 10:55:41 -0700 Subject: [PATCH 3/3] Fixes and Improvements to OCSP scripts. Fix for OCSP test with IPV6 enabled (use `-b` bind to any on server). Fix to use random port number for the `oscp-stapling.test` script. Reduce delay times in scripts. --- scripts/ocsp-stapling.test | 15 +++++++++------ scripts/ocsp-stapling2.test | 14 ++++++++------ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index d68270f3b..bc0a4e56f 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -1,7 +1,7 @@ #!/bin/bash # ocsp-stapling.test - +# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if [ $? -eq 0 ]; then @@ -178,7 +178,8 @@ fi # test interop fail case ready_file=`pwd`/wolf_ocsp_readyF$$ printf '%s\n' "ready file: $ready_file" -./examples/server/server -o -R $ready_file & +# use random port and bind to any (allows use with IPv6) +./examples/server/server -b -p $resume_port -o -R $ready_file & wolf_pid=$! wait_for_readyFile $ready_file if [ ! -f $ready_file ]; then @@ -203,7 +204,7 @@ fi # create a port 0 port to use with openssl ocsp responder -./examples/server/server -R $ready_file -p $resume_port & +./examples/server/server -b -p $resume_port -R $ready_file & wait_for_readyFile $ready_file if [ ! -f $ready_file ]; then printf '%s\n' "Failed to create ready file: \"$ready_file\"" @@ -215,7 +216,7 @@ else ./examples/client/client -p $RPORTSELECTED create_new_cnf $RPORTSELECTED fi -sleep 1 +sleep 0.1 # is our desired server there? - login.live.com doesn't answers PING #./scripts/ping.test $server 2 @@ -248,7 +249,7 @@ openssl ocsp -port $RPORTSELECTED -nmin 1 \ -CA certs/ocsp/intermediate1-ca-cert.pem \ "$@" & -sleep 1 +sleep 0.1 # "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 1 ] && \ printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 @@ -270,7 +271,7 @@ remove_single_rF $ready_file2 ./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \ -k certs/ocsp/server2-key.pem -p $resume_port & wait_for_readyFile $ready_file2 -sleep 1 +sleep 0.1 CLI_PORT=`cat $ready_file2` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $CLI_PORT RESULT=$? @@ -312,4 +313,6 @@ if [ $? -ne 0 ]; then printf '%s\n\n' "Test successfully REVOKED!" fi +printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------" + exit 0 diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index f162365ab..58c02ce74 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -1,6 +1,7 @@ #!/bin/bash -# ocsp-stapling.test +# ocsp-stapling2.test +# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2 ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if [ $? -eq 0 ]; then @@ -9,7 +10,8 @@ if [ $? -eq 0 ]; then exit 0 fi - +# create a unique ready file ending in PID for the script instance ($$) to take +# advantage of port zero solution WORKSPACE=`pwd` CERT_DIR="certs/ocsp" @@ -233,7 +235,7 @@ else create_new_cnf $RPORTSELECTED1 $RPORTSELECTED2 $RPORTSELECTED3 \ $RPORTSELECTED4 fi -sleep 1 +sleep 0.1 # setup ocsp responders # OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & @@ -269,7 +271,7 @@ openssl ocsp -port $RPORTSELECTED3 -nmin 1 \ $@ \ & -sleep 1 +sleep 0.1 # "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 3 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 @@ -320,7 +322,7 @@ remove_single_rF $ready_file5 ./examples/server/server -c certs/ocsp/server4-cert.pem \ -k certs/ocsp/server4-key.pem -R $ready_file5 \ -p $resume_port & -sleep 1 +sleep 0.1 CLI_PORT=`cat $ready_file5` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ -p $CLI_PORT @@ -377,7 +379,7 @@ remove_single_rF $ready_file5 -k certs/ocsp/server4-key.pem -R $ready_file5 \ -p $resume_port -H loadSSL & wolf_pid=$! -sleep 1 +sleep 0.1 CLI_PORT=`cat $ready_file5` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ -p $CLI_PORT