From 3e6246af590b27dfca981b5d4c841e67d99c482d Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Mon, 8 Jul 2019 13:50:05 -0600
Subject: [PATCH 1/2] Honor the status from peer and do not do internal OCSP lookup regardless

Item 2) Suggestion from Sean implemented: "Limit the message types"
Item 3) Removed a hard tab
---
 src/tls.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/tls.c b/src/tls.c
index 918ea3801..651f54280 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -10360,10 +10360,14 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
 case TLSX_STATUS_REQUEST:
 WOLFSSL_MSG("Certificate Status Request extension received");
-#ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version))
- break;
-#endif
+ #ifdef WOLFSSL_TLS13
+ if (IsAtLeastTLSv1_3(ssl->version) &&
+ msgType != client_hello &&
+ msgType != certificate_request &&
+ msgType != certificate) {
+ break;
+ }
+ #endif
 ret = CSR_PARSE(ssl, input + offset, size, isRequest);
 break;

From 9af9941b9040b03f0021e3ae20fb795c67759cbd Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Tue, 16 Jul 2019 12:10:58 +1000
Subject: [PATCH 2/2] Fixes for TLS 1.3 and OCSP Stapling

Create the OCSP Response for Stapling and TLS 1.3 when parsing.
When parsing OCSP stapling extension with TLS 1.3, use a new extension object if it was created.
Set the extension size to 0 before writing extensions when sending a TLS 1.3 Certificate message.
---
 src/tls.c | 36 +++++++++++++++++++++++++++---------
 src/tls13.c | 1 +
 2 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/src/tls.c b/src/tls.c
index 651f54280..e0cd9e5b1 100644
--- a/src/tls.c
+++ b/src/tls.c
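Review bot: The added `break` at the end of the `msgType` allow-list silently drops a TLS 1.3 status_request carried in any other handshake message, while RFC 8446 §4.2 requires an extension appearing in a message where it is not specified to abort the handshake with illegal_parameter; if TLSX_Parse's outer loop (outside this hunk) does not already enforce per-message validity, this should return an error rather than break. The allow-list itself should carry a comment stating its source, e.g. `/* TLS 1.3: status_request is only defined for ClientHello, CertificateRequest and Certificate (RFC 8446 4.4.2.1); anything else is out of place. */`. The predicate also uses `IsAtLeastTLSv1_3(ssl->version)` whereas the TLSX_CSR_Parse hunks in the second patch test `ssl->options.tls1_3`; if those two can disagree while a ClientHello is being parsed, a single predicate would be safer. The enclosing switch and function continue outside the hunk.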
@@ -2835,15 +2835,8 @@ static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest)
 }
 #endif
 #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
- if (!isRequest && csr->ssl->options.tls1_3) {
- if (csr->response.buffer == NULL) {
- OcspRequest* request = &csr->request.ocsp;
- int ret = CreateOcspResponse(csr->ssl, &request, &csr->response);
- if (ret < 0)
- return ret;
- }
+ if (!isRequest && csr->ssl->options.tls1_3)
 return OPAQUE8_LEN + OPAQUE24_LEN + csr->response.length;
- }
 #endif
 return size;
@@ -2952,6 +2945,13 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
 if (ssl->options.tls1_3) {
 word32 resp_length;
 word32 offset = 0;
+
+ /* Get the new extension potentially created above. */
+ extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
+ csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
+ if (csr == NULL)
+ return MEMORY_ERROR;
+
 ret = 0;
 if (OPAQUE8_LEN + OPAQUE24_LEN > length)
 ret = BUFFER_ERROR;
@@ -3032,7 +3032,25 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
 if (ret != WOLFSSL_SUCCESS)
 return ret; /* throw error */
- TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
+ #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
+ if (ssl->options.tls1_3) {
+ OcspRequest* request;
+ TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
+ CertificateStatusRequest* csr = extension ?
+ (CertificateStatusRequest*)extension->data : NULL;
+ if (csr == NULL)
+ return MEMORY_ERROR;
+
+ request = &csr->request.ocsp;
+ ret = CreateOcspResponse(ssl, &request, &csr->response);
+ if (ret != 0)
+ return ret;
+ if (csr->response.buffer)
+ TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
+ }
+ else
+ #endif
+ TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
 ssl->status_request = status_type;
 #endif
 }
diff --git a/src/tls13.c b/src/tls13.c
index a0b778a53..0a098fa52 100644
--- a/src/tls13.c
+++ b/src/tls13.c
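Review bot: `return OPAQUE8_LEN + OPAQUE24_LEN + csr->response.length;` now executes whether or not a response was created, and the sum is narrowed to the function's word16 return type; TLSX_CSR_Parse reads the response length from a 24-bit field, so a response above 64 KiB would report a truncated size to the extension writer while presumably the full `csr->response.length` bytes are copied later, and that size/write mismatch should be ruled out with a bound. Since the response is now built in TLSX_CSR_Parse, rejecting oversize responses there, before they reach this function, is the cleaner fix; this function should at least document the dependency, e.g. `/* csr->response is filled in by TLSX_CSR_Parse(); length 0 here means no stapled response was produced. */`, where the second clause is an assumption to confirm against the write path. The function body starts before the hunk.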
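Review bot: The comment `/* Get the new extension potentially created above. */` does not say why the earlier `csr` can no longer be trusted, which is the only reason for a second `TLSX_Find`; a reader editing this later needs something like `/* The call above may have replaced the extension, so the csr looked up earlier may not be the live object; refresh both before use. */`, naming the creating call, which lies outside this hunk. Reporting a failed lookup as MEMORY_ERROR is also a somewhat misleading code, though it matches the later block in this function; if the project has a generic extension-missing code it would read better here.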
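Review bot: `TLSX* extension` and `CertificateStatusRequest* csr` are declared inside the `if (ssl->options.tls1_3)` body while the earlier hunk in this function assigns outer locals of the same names, so these shadow them (-Wshadow) and a later edit can easily touch the wrong one; renaming the inner pair, e.g. `TLSX* ext13 = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);` and `CertificateStatusRequest* csr13 = ext13 ? (CertificateStatusRequest*)ext13->data : NULL;`, removes the ambiguity. The `else` that straddles `#endif` is fragile as well: with the guard off the trailing `TLSX_SetResponse` runs unconditionally and with it on it becomes the else-arm, which is easy to misread, so a one-line comment before the trailing call saying it is the path taken when TLS 1.3 server stapling is not in play would help. When CreateOcspResponse returns 0 without producing `csr->response.buffer` the extension is left with no response yet `ssl->status_request = status_type;` is still recorded; if that is intended, state it in a comment.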
@@ -5071,6 +5071,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)
 if (ret < 0)
 return ret;
+ extSz = 0;
 ret = TLSX_WriteResponse(ssl, ssl->buffers.certExts->buffer, certificate, &extSz);
 if (ret < 0)
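Review bot: `extSz = 0;` fixes a value but says nothing about why the reset is needed; a reader cannot see from this hunk that TLSX_WriteResponse accumulates into `*extSz`, which is what the commit message implies. A comment on the line would make the invariant explicit, e.g. `/* TLSX_WriteResponse() adds to extSz; start from 0 for this Certificate message. */`, to be confirmed against TLSX_WriteResponse since its body is not in this diff. SendTls13Certificate begins and ends outside the hunk.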