From 28d8730948a8045d522cd4c7e93bf6f180c6bd9d Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Fri, 22 Feb 2019 05:20:54 +0900
Subject: [PATCH 1/5] exporse OcspEntry in asn.h
---
 wolfssl/internal.h | 17 -----------------
 wolfssl/wolfcrypt/asn.h | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index d4fbefaba..7ba309354 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1781,28 +1781,11 @@ struct WOLFSSL_CIPHER {
 };
-typedef struct OcspEntry OcspEntry;
-
-#ifdef NO_SHA
- #define OCSP_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
-#else
- #define OCSP_DIGEST_SIZE WC_SHA_DIGEST_SIZE
-#endif
-
 #ifdef NO_ASN /* no_asn won't have */
 typedef struct CertStatus CertStatus;
 #endif
-struct OcspEntry {
- OcspEntry* next; /* next entry */
- byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
- byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
- CertStatus* status; /* OCSP response list */
- int totalStatus; /* number on list */
-};
-
-
 #ifndef HAVE_OCSP
 typedef struct WOLFSSL_OCSP WOLFSSL_OCSP;
 #endif
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index ee5b7cc15..1648a0b25 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -1185,6 +1185,22 @@ struct OcspRequest {
 void* ssl;
 };
+typedef struct OcspEntry OcspEntry;
+
+#ifdef NO_SHA
+#define OCSP_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
+#else
+#define OCSP_DIGEST_SIZE WC_SHA_DIGEST_SIZE
+#endif
+
+struct OcspEntry
+{
+ OcspEntry *next; /* next entry */
+ byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
+ byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
+ CertStatus *status; /* OCSP response list */
+ int totalStatus; /* number on list */
+};
 WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
 WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int);
From 801ef2c62c9af60001bce6025082ba231b01939c Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Fri, 22 Feb 2019 05:39:38 +0900
Subject: [PATCH 2/5] add wolfSSL_CertManagerCheckOCSP_Staple
---
 src/ocsp.c | 18 ++++++++++++++++++
 wolfssl/internal.h | 2 ++
 wolfssl/ocsp.h | 4 +++-
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/ocsp.c b/src/ocsp.c
index 6afb8e458..c3a5bc4ec 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -383,6 +383,24 @@ end:
 return ret;
 }
+WOLFSSL_API int wolfSSL_CertManagerCheckOCSP_Staple(WOLFSSL_CERT_MANAGER *cm,
+ byte *response, int responseSz, buffer *responseBuffer,
+ CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest)
+{
+ int ret;
+
+ WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
+ if (cm == NULL)
+ return BAD_FUNC_ARG;
+ if (cm->ocspEnabled == 0)
+ return WOLFSSL_SUCCESS;
+
+ ret = CheckResponse(cm->ocsp, response, responseSz, responseBuffer, status,
+ entry, ocspRequest);
+
+ return ret == 0 ? WOLFSSL_SUCCESS : ret;
+}
+
 /* 0 on success */
 int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 buffer* responseBuffer)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 7ba309354..f3d395549 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1791,6 +1791,7 @@ struct WOLFSSL_CIPHER {
 #endif
 /* wolfSSL OCSP controller */
+#ifdef HAVE_OCSP
 struct WOLFSSL_OCSP {
 WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */
 OcspEntry* ocspList; /* OCSP response list */
@@ -1800,6 +1801,7 @@ struct WOLFSSL_OCSP {
 int(*statusCb)(WOLFSSL*, void*);
 #endif
 };
+#endif
 #ifndef MAX_DATE_SIZE
 #define MAX_DATE_SIZE 32
diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h
index f482bfc03..7bc359ec6 100644
--- a/wolfssl/ocsp.h
+++ b/wolfssl/ocsp.h
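Review bot: In the new `wolfSSL_CertManagerCheckOCSP_Staple` (src/ocsp.c hunk), `if (cm->ocspEnabled == 0) return WOLFSSL_SUCCESS;` reports success without the supplied response ever being parsed or verified, so a caller handing in a stapled response cannot tell "verified" from "skipped because OCSP is off". That follows the return convention `wolfSSL_CertManagerCheckOCSP` ends with (`return ret == 0 ? WOLFSSL_SUCCESS : ret;`, visible in a later hunk), but for a function whose only job is to validate one response it must be stated at the definition, e.g. `/* Verify a caller-supplied OCSP response (e.g. a staple) against cm's OCSP state. Returns WOLFSSL_SUCCESS if the response verifies, or unconditionally (response not examined) when OCSP is disabled on cm; negative error code otherwise. */`. `cm->ocsp` is also dereferenced with only `ocspEnabled` as its guard; if the two can be set independently (not visible here), add `cm->ocsp == NULL` to the argument check.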
@@ -54,7 +54,9 @@ WOLFSSL_LOCAL int CheckCertOCSP_ex(WOLFSSL_OCSP*, DecodedCert*,
 WOLFSSL_BUFFER_INFO* responseBuffer, WOLFSSL* ssl);
 WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 WOLFSSL_BUFFER_INFO* responseBuffer);
-
+WOLFSSL_API int wolfSSL_CertManagerCheckOCSP_Staple(WOLFSSL_CERT_MANAGER *,
+ byte *response, int responseSz, WOLFSSL_BUFFER_INFO *responseBuffer,
+ CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest);
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
From 5e0a77704b03038d9e47fe09471344a86938dd7e Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Fri, 22 Feb 2019 06:17:45 +0900
Subject: [PATCH 3/5] argument check
---
 src/ocsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ocsp.c b/src/ocsp.c
index c3a5bc4ec..22a72dbe9 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -390,7 +390,7 @@ WOLFSSL_API int wolfSSL_CertManagerCheckOCSP_Staple(WOLFSSL_CERT_MANAGER *cm,
 int ret;
 WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
- if (cm == NULL)
+ if (cm == NULL || response == NULL)
 return BAD_FUNC_ARG;
 if (cm->ocspEnabled == 0)
 return WOLFSSL_SUCCESS;
From 744c247e92eacd9840a032634b5a4ef767831a8a Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Fri, 22 Mar 2019 13:56:32 +0900
Subject: [PATCH 4/5] change CheckOCSP_staple to OCSPResponse, move to ssl.h
---
 src/ocsp.c | 28 +++++----------------------
 src/ssl.c | 17 +++++++++++++++++
 wolfssl/ocsp.h | 14 +++++++-------
 wolfssl/ssl.h | 11 ++++++++++-
 4 files changed, 39 insertions(+), 31 deletions(-)
diff --git a/src/ocsp.c b/src/ocsp.c
index 22a72dbe9..30723df45 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
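Review bot: The added check `if (cm == NULL || response == NULL)` in the patch-3 hunk still lets `responseSz` through unvalidated, so a zero or negative length (it is a plain `int`) is forwarded to `CheckResponse` from the one place this public entry point should have rejected it; change the guard to `if (cm == NULL || response == NULL || responseSz <= 0)` followed by the existing `return BAD_FUNC_ARG;`. Whether `responseBuffer`, `status` and `entry` may be NULL depends on CheckResponse's contract, which is not visible here; any of them that CheckResponse dereferences unconditionally belongs in the same guard. The function's signature appears only in the hunk header and its body continues past the hunk.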
@@ -266,9 +266,9 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
 * entry The OCSP entry for this certificate.
 * returns OCSP_LOOKUP_FAIL when the response is bad and 0 otherwise.
 */
-static int CheckResponse(WOLFSSL_OCSP* ocsp, byte* response, int responseSz,
- buffer* responseBuffer, CertStatus* status,
- OcspEntry* entry, OcspRequest* ocspRequest)
+WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
+ WOLFSSL_BUFFER_INFO *responseBuffer, CertStatus *status,
+ OcspEntry *entry, OcspRequest *ocspRequest)
 {
 #ifdef WOLFSSL_SMALL_STACK
 CertStatus* newStatus;
@@ -383,24 +383,6 @@ end:
 return ret;
 }
-WOLFSSL_API int wolfSSL_CertManagerCheckOCSP_Staple(WOLFSSL_CERT_MANAGER *cm,
- byte *response, int responseSz, buffer *responseBuffer,
- CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest)
-{
- int ret;
-
- WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
- if (cm == NULL || response == NULL)
- return BAD_FUNC_ARG;
- if (cm->ocspEnabled == 0)
- return WOLFSSL_SUCCESS;
-
- ret = CheckResponse(cm->ocsp, response, responseSz, responseBuffer, status,
- entry, ocspRequest);
-
- return ret == 0 ? WOLFSSL_SUCCESS : ret;
-}
-
 /* 0 on success */
 int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 buffer* responseBuffer)
@@ -445,7 +427,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 ret = ocsp->statusCb(ssl, ioCtx);
 if (ret == 0) {
 ret = wolfSSL_get_ocsp_response(ssl, &response);
- ret = CheckResponse(ocsp, response, ret, responseBuffer, status,
+ ret = CheckOcspResponse(ocsp, response, ret, responseBuffer, status,
 entry, NULL);
 if (response != NULL)
 XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
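Review bot: In the `@@ -445,7 +427,7 @@` hunk the return value of `wolfSSL_get_ocsp_response(ssl, &response)` is passed straight into `CheckOcspResponse` as `responseSz` with no check, whereas the other call site renamed in the following hunk is guarded by `if (responseSz >= 0 && response)`; if that getter can report failure with a negative value or leave `response` NULL (not visible here), this path hands a bad length or pointer to the parser. Not introduced by the rename, but since the line is being touched: `if (ret >= 0 && response != NULL) ret = CheckOcspResponse(ocsp, response, ret, responseBuffer, status, entry, NULL); else ret = OCSP_LOOKUP_FAIL;`, OCSP_LOOKUP_FAIL being the code the comment above `CheckOcspResponse` documents for a bad response. The enclosing `CheckOcspRequest` starts and ends outside the hunk.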
@@ -493,7 +475,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
 if (responseSz >= 0 && response) {
- ret = CheckResponse(ocsp, response, responseSz, responseBuffer, status,
+ ret = CheckOcspResponse(ocsp, response, responseSz, responseBuffer, status,
 entry, ocspRequest);
 }
diff --git a/src/ssl.c b/src/ssl.c
index fc3442a61..4d06681e7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -5656,6 +5656,23 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
 return ret == 0 ? WOLFSSL_SUCCESS : ret;
 }
+WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm,
+ byte *response, int responseSz, buffer *responseBuffer,
+ CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest)
+{
+ int ret;
+
+ WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
+ if (cm == NULL || response == NULL)
+ return BAD_FUNC_ARG;
+ if (cm->ocspEnabled == 0)
+ return WOLFSSL_SUCCESS;
+
+ ret = CheckOcspResponse(cm->ocsp, response, responseSz, responseBuffer, status,
+ entry, ocspRequest);
+
+ return ret == 0 ? WOLFSSL_SUCCESS : ret;
+}
 int wolfSSL_CertManagerSetOCSPOverrideURL(WOLFSSL_CERT_MANAGER* cm,
 const char* url)
diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h
index 7bc359ec6..33ea8f523 100644
--- a/wolfssl/ocsp.h
+++ b/wolfssl/ocsp.h
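Review bot: `wolfSSL_CertManagerCheckOCSPResponse` in the src/ssl.c hunk still traces as `WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");`, the old name, so debug logs will point at a function that no longer exists; change it to `WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSPResponse");`. The definition also spells the fourth parameter `buffer *responseBuffer` while the ssl.h prototype added in this same patch uses `WOLFSSL_BUFFER_INFO *responseBuffer`; that only compiles if `buffer` is a typedef of the same type, which I cannot confirm from here, so use one spelling in both places. As a new WOLFSSL_API entry point it carries no header comment; one sentence saying that WOLFSSL_SUCCESS is also returned, with the response left unexamined, when `cm->ocspEnabled == 0` would spare callers a surprise.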
@@ -54,16 +54,16 @@ WOLFSSL_LOCAL int CheckCertOCSP_ex(WOLFSSL_OCSP*, DecodedCert*,
 WOLFSSL_BUFFER_INFO* responseBuffer, WOLFSSL* ssl);
 WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 WOLFSSL_BUFFER_INFO* responseBuffer);
-WOLFSSL_API int wolfSSL_CertManagerCheckOCSP_Staple(WOLFSSL_CERT_MANAGER *,
- byte *response, int responseSz, WOLFSSL_BUFFER_INFO *responseBuffer,
- CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest);
+WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
+ WOLFSSL_BUFFER_INFO *responseBuffer, CertStatus *status,
+ OcspEntry *entry, OcspRequest *ocspRequest);
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
-WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
- WOLFSSL_OCSP_CERTID* id, int* status, int* reason,
- WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
- WOLFSSL_ASN1_TIME** nextupd);
+ WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
+ WOLFSSL_OCSP_CERTID *id, int *status, int *reason,
+ WOLFSSL_ASN1_TIME **revtime, WOLFSSL_ASN1_TIME **thisupd,
+ WOLFSSL_ASN1_TIME **nextupd);
 WOLFSSL_API const char *wolfSSL_OCSP_cert_status_str(long s);
 WOLFSSL_API int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd,
 WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec);
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 44bc2367b..ef0b8c426 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -100,7 +100,6 @@
 #endif
 #endif
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -414,6 +413,11 @@ enum AlertLevel {
 alert_fatal = 2
 };
+#if defined(HAVE_OCSP)
+#include "wolfssl/ocsp.h"
+#include "wolfssl/wolfcrypt/asn.h"
+#endif
+
 /* Maximum master key length (SECRET_LEN) */
 #define WOLFSSL_MAX_MASTER_KEY_LENGTH 48
 /* Maximum number of groups that can be set */
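Review bot: The `wolfSSL_OCSP_resp_find_status` prototype in the wolfssl/ocsp.h hunk is rewritten only to indent it and move each `*` against the parameter name, which has nothing to do with introducing `CheckOcspResponse` and leaves that one declaration indented differently from `wolfSSL_OCSP_cert_status_str` and `wolfSSL_OCSP_check_validity` immediately below it. Drop those four `-`/`+` pairs so the hunk carries only the `CheckOcspResponse` change; if pointer spacing is to be normalised, do it for the whole header in a commit of its own.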
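Review bot: Including `wolfssl/ocsp.h` and `wolfssl/wolfcrypt/asn.h` from the public ssl.h whenever HAVE_OCSP is set pulls internal declarations such as the `WOLFSSL_LOCAL int CheckOcspResponse(...)` prototype from the ocsp.h hunk into every application translation unit, and, as the next patch's title confirms, creates an include-order dependency between ssl.h and ocsp.h. The prototype that motivates these includes only takes pointers, so forward declarations suffice: `struct CertStatus; struct OcspEntry; struct OcspRequest;` at file scope, with the parameters written as `struct CertStatus *status, struct OcspEntry *entry, struct OcspRequest *ocspRequest`, and no include at all. If the typedef names must appear in the public prototype, guard the typedefs the way internal.h already does for `CertStatus` under NO_ASN rather than importing two whole headers.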
@@ -2113,6 +2117,11 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
 #ifdef HAVE_CRL_IO
 WOLFSSL_API int wolfSSL_CertManagerSetCRL_IOCb(WOLFSSL_CERT_MANAGER*, CbCrlIO);
+#endif
+#if defined(HAVE_OCSP)
+ WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *,
+ byte *response, int responseSz, WOLFSSL_BUFFER_INFO *responseBuffer,
+ CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest);
 #endif
 WOLFSSL_API int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER*,
 unsigned char*, int sz);
From 6c9e64129d8c72a68b1c32abc2946fc72e9bf1c0 Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Sat, 23 Mar 2019 08:03:45 +0900
Subject: [PATCH 5/5] move #include "ocsp.h" after #define WOLF_STACK_OF(x)
---
 wolfssl/ssl.h | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index ef0b8c426..54ec7f078 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -413,11 +413,6 @@ enum AlertLevel {
 alert_fatal = 2
 };
-#if defined(HAVE_OCSP)
-#include "wolfssl/ocsp.h"
-#include "wolfssl/wolfcrypt/asn.h"
-#endif
-
 /* Maximum master key length (SECRET_LEN) */
 #define WOLFSSL_MAX_MASTER_KEY_LENGTH 48
 /* Maximum number of groups that can be set */
@@ -775,6 +770,11 @@ WOLFSSL_API const char* wolfSSL_ERR_reason_error_string(unsigned long);
 #define DECLARE_STACK_OF(x) WOLF_STACK_OF(x);
 #endif
+#if defined(HAVE_OCSP)
+#include "wolfssl/ocsp.h"
+#include "wolfssl/wolfcrypt/asn.h"
+#endif
+
 WOLFSSL_API int wolfSSL_sk_X509_push(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk,
 WOLFSSL_X509* x509);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk);
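Review bot: The new `wolfSSL_CertManagerCheckOCSPResponse` prototype is wrapped in `#if defined(HAVE_OCSP)`, but the definition added to src/ssl.c in this same patch shows no such guard within its hunk; if that region of ssl.c is not already inside a HAVE_OCSP block (cannot tell from here), a build without OCSP fails on `CertStatus`/`OcspEntry`/`OcspRequest`, so confirm the definition is guarded the same way. The declaration has no documentation; a comment of the form `/* Verify a caller-supplied OCSP response (e.g. a stapled one) using cm's OCSP configuration. Returns WOLFSSL_SUCCESS on a good response or when OCSP is disabled on cm (response not examined), a negative error code otherwise. */` is what a header reader needs. The three new lines also appear indented one level deeper than `wolfSSL_CertManagerCheckOCSP` directly below them; align them with their neighbours.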
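Review bot: The include block moved in the `@@ -775,6 +770,11 @@` hunk has a hidden ordering requirement, which the commit title states (it must follow `#define WOLF_STACK_OF(x)`), but nothing at the include site records it, so the next tidy-up can move it back to the top of ssl.h and break the HAVE_OCSP build. Put the reason on the guard line: `#if defined(HAVE_OCSP) /* ocsp.h uses WOLF_STACK_OF(), defined above; keep this include after it */`.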