diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test
index 0d93dda92..db05460d1 100755
--- a/scripts/ocsp-stapling.test
+++ b/scripts/ocsp-stapling.test
@@ -311,7 +311,7 @@ wolf_pid3=$!
 wait_for_readyFile $ready_file2 $wolf_pid3 $port3
 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
 RESULT=$?
-[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
 printf '%s\n\n' "Test PASSED!"
 printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
@@ -324,7 +324,7 @@ wait_for_readyFile $ready_file2 $wolf_pid3 $port3
 sleep 0.1
 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
 RESULT=$?
-[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" \
+[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 2 succeeded $RESULT" \
 && exit 1
 printf '%s\n\n' "Test successfully REVOKED!"
@@ -345,7 +345,21 @@ if [ $? -ne 0 ]; then
 [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1
 printf '%s\n\n' "Test PASSED!"
- printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ------------------"
+ printf '%s\n\n' "------------- TEST CASE 4 SHOULD PASS --------------------"
+ # client test against our own server, must staple - GOOD CERT
+ remove_single_rF $ready_file2
+ ./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file2 \
+ -k certs/ocsp/server1-key.pem -v 4 \
+ -p $port3 &
+ wolf_pid3=$!
+ wait_for_readyFile $ready_file2 $wolf_pid3 $port3
+ ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1m -v 4 -F 1 \
+ -p $port3
+ RESULT=$?
+ [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 4 failed" && exit 1
+ printf '%s\n\n' "Test PASSED!"
+
+ printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ------------------"
 # client test against our own server - REVOKED CERT
 remove_single_rF $ready_file2
 ./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \
@@ -357,7 +371,7 @@ if [ $? -ne 0 ]; then
 -p $port3
 RESULT=$?
 [ $RESULT -ne 1 ] && \
- printf '\n\n%s\n' "Client connection succeeded $RESULT" \
+ printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \
 && exit 1
 printf '%s\n\n' "Test successfully REVOKED!"
 fi
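Review bot: The new TEST CASE 4 starts the server and the client with `-v 4` (TLS 1.3) unconditionally, whereas the TLS 1.3 cases later in the script are meant to be gated on a capability probe (`wolfssl_not_tls13`), so a build without TLS 1.3 would fail this case with 'Bad SSL version' instead of skipping it — unless the enclosing `if [ $? -ne 0 ]` block, whose condition lies outside the hunk, already guarantees TLS 1.3 support. Either move the case under that guard or run the probe before it. Note that the guard as it appears in the hunk at -395 compares the literal string `"wolfssl_not_tls13"` rather than `"$wolfssl_not_tls13"` (missing `$`), so as written it is always true and would need that one-character fix before it gates anything.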
@@ -373,20 +387,20 @@ openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.
 openssl_pid=$!
 sleep 0.1
-printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ----------------------"
+printf '%s\n\n' "------------- TEST CASE 6 SHOULD PASS ----------------------"
 # client asks for OCSP staple but doesn't fail when none returned
 ./examples/client/client -p $port -g -v 3 -W 1
 RESULT=$?
-[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 6 failed" && exit 1
 printf '%s\n\n' "Test PASSED!"
-printf '%s\n\n' "------------- TEST CASE 6 SHOULD UNKNOWN -------------------"
+printf '%s\n\n' "------------- TEST CASE 7 SHOULD UNKNOWN -------------------"
 # client asks for OCSP staple but doesn't fail when none returned
 ./examples/client/client -p $port -g -v 3 -W 1m
 RESULT=$?
-[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 6 succeeded $RESULT" \
+[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 7 succeeded $RESULT" \
 && exit 1
 printf '%s\n\n' "Test PASSED!"
@@ -395,21 +409,21 @@ openssl_tls13=$?
 ./examples/client/client -v 4 2>&1 | grep -- 'Bad SSL version'
 wolfssl_not_tls13=$?
 if [ "$openssl_tls13" = "0" -a "wolfssl_not_tls13" != "0" ]; then
- printf '%s\n\n' "------------- TEST CASE 7 SHOULD PASS --------------------"
+ printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------"
 # client asks for OCSP staple but doesn't fail when none returned
 ./examples/client/client -p $port -g -v 4 -W 1
 RESULT=$?
- [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 7 failed" && exit 1
+ [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 8 failed" && exit 1
 printf '%s\n\n' "Test PASSED!"
- printf '%s\n\n' "------------- TEST CASE 8 SHOULD UNKNOWN -----------------"
+ printf '%s\n\n' "------------- TEST CASE 9 SHOULD UNKNOWN -----------------"
 # client asks for OCSP staple but doesn't fail when none returned
 ./examples/client/client -p $port -g -v 4 -W 1m
 RESULT=$?
 [ $RESULT -ne 1 ] \
- && printf '\n\n%s\n' "Client connection 8 succeeded $RESULT" \
+ && printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \
 && exit 1
 printf '%s\n\n' "Test PASSED!"
 fi
diff --git a/src/tls.c b/src/tls.c
index e0b1df0f1..3036ef4e4 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -2976,15 +2976,37 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
 byte isRequest)
 {
 int ret;
+#if !defined(NO_WOLFSSL_SERVER)
+ byte status_type;
+ word16 size = 0;
+#if defined(WOLFSSL_TLS13)
+ DecodedCert* cert;
+#endif
+#endif
+
+#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) \
+ && defined(WOLFSSL_TLS13)
+ OcspRequest* request;
+ TLSX* extension;
+ CertificateStatusRequest* csr;
+#endif
+
+#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13) \
+ || !defined(NO_WOLFSSL_SERVER)
+ word32 offset = 0;
+#endif
+
+#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13)
+ word32 resp_length;
+#endif
 /* shut up compiler warnings */
 (void) ssl; (void) input;
 if (!isRequest) {
 #ifndef NO_WOLFSSL_CLIENT
- TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
- CertificateStatusRequest* csr = extension ?
- (CertificateStatusRequest*)extension->data : NULL;
+ extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
+ csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
 if (!csr) {
 /* look at context level */
@@ -3005,8 +3027,8 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
 case WOLFSSL_CSR_OCSP:
 /* propagate nonce */
 if (csr->request.ocsp.nonceSz) {
- OcspRequest* request =
- (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);
+ request =
+ (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);
 if (request) {
 XMEMCPY(request->nonce, csr->request.ocsp.nonce,
@@ -3022,9 +3044,6 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
 #ifdef WOLFSSL_TLS13
 if (ssl->options.tls1_3) {
- word32 resp_length;
- word32 offset = 0;
-
 /* Get the new extension potentially created above. */
 extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
 csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
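Review bot: The two combined `#if` guards in the hoisted declaration block mix `&&` and `||` with no parentheses; because `&&` binds tighter, `!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13)` does evaluate as the uses require (client always, server only with TLS 1.3), but the line-continuation layout suggests the opposite grouping and every reader has to re-derive it. Write them as `#if !defined(NO_WOLFSSL_CLIENT) || (!defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13))` and `#if (!defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13)) || !defined(NO_WOLFSSL_SERVER)`. Separately, the shared `word32 offset` replaces the server branch's former `word16 offset` (dropped in the hunk at -3061), so comparisons of offset against the `word16 length` parameter or calls passing it to helpers expecting `word16` in the server body — which lies outside this hunk — now involve a width change and deserve a pass with conversion warnings enabled. TLSX_CSR_Parse's body continues beyond the hunk.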
@@ -3061,10 +3080,6 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
 }
 else {
 #ifndef NO_WOLFSSL_SERVER
- byte status_type;
- word16 offset = 0;
- word16 size = 0;
-
 if (length == 0)
 return 0;
@@ -3113,11 +3128,29 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
 if (ret != WOLFSSL_SUCCESS)
 return ret; /* throw error */
- #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
+ #if defined(WOLFSSL_TLS13)
 if (ssl->options.tls1_3) {
- OcspRequest* request;
- TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
- CertificateStatusRequest* csr = extension ?
+ cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
+ DYNAMIC_TYPE_DCERT);
+ if (cert == NULL) {
+ return MEMORY_E;
+ }
+ InitDecodedCert(cert, ssl->buffers.certificate->buffer,
+ ssl->buffers.certificate->length, ssl->heap);
+ ret = ParseCert(cert, CERT_TYPE, 1, ssl->ctx->cm);
+ if (ret != 0 ) {
+ XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
+ return ret;
+ }
+ ret = TLSX_CSR_InitRequest(ssl->extensions, cert, ssl->heap);
+ if (ret != 0 ) {
+ XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
+ return ret;
+ }
+ XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
+
+ extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
+ csr = extension ?
 (CertificateStatusRequest*)extension->data : NULL;
 if (csr == NULL)
 return MEMORY_ERROR;
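Review bot: The DecodedCert set up with InitDecodedCert is released with a bare XFREE on all three exit paths of the new TLS 1.3 server block, without a matching FreeDecodedCert, so anything ParseCert allocated inside the structure leaks on every ClientHello that carries status_request; in addition, `ssl->buffers.certificate->buffer` is dereferenced unchecked, which would fault on a server that has no certificate loaded if such a configuration can reach this parse (the extension is supplied by the peer). The rewrite below adds the guard, funnels the ParseCert and TLSX_CSR_InitRequest failures through one cleanup that calls FreeDecodedCert before XFREE, and returns BAD_FUNC_ARG for the missing-certificate case — substitute whichever error code the surrounding server path already uses for that condition. It is also worth noting that the full certificate is re-parsed each time this extension arrives, which is work a peer can trigger cheaply; caching the result is outside this hunk but worth a follow-up. TLSX_CSR_Parse's body continues beyond the hunk.
```c
        if (ssl->options.tls1_3) {
            /* A server without a loaded certificate has nothing to staple;
             * use whatever error the surrounding server path reports here. */
            if (ssl->buffers.certificate == NULL ||
                ssl->buffers.certificate->buffer == NULL) {
                return BAD_FUNC_ARG;
            }
            cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
                                         DYNAMIC_TYPE_DCERT);
            if (cert == NULL) {
                return MEMORY_E;
            }
            InitDecodedCert(cert, ssl->buffers.certificate->buffer,
                            ssl->buffers.certificate->length, ssl->heap);
            ret = ParseCert(cert, CERT_TYPE, 1, ssl->ctx->cm);
            if (ret == 0) {
                ret = TLSX_CSR_InitRequest(ssl->extensions, cert, ssl->heap);
            }
            /* Release what ParseCert allocated inside the struct before the
             * struct itself, on success and failure alike. */
            FreeDecodedCert(cert);
            XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
            if (ret != 0) {
                return ret;
            }

            /* … unchanged: extension / csr lookup and the rest of the TLS 1.3 path … */
```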