wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 19:54:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2336 from kaleb-himes/ZD-5388-OCSP-STATUS-UNHONORED

Browse Source 
Honor the status from peer and do not do internal OCSP lookup regardless
This commit is contained in:
toddouska
2019-07-16 11:32:34 -07:00
committed by GitHub
parent 99d3ea9e56 9af9941b90
commit 8b8ff2ac34
2 changed files with 36 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
src/tls.c
View File

@@ -2835,15 +2835,8 @@ static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest)
} }
#endif #endif
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
if (!isRequest && csr->ssl->options.tls1_3) { if (!isRequest && csr->ssl->options.tls1_3)
if (csr->response.buffer == NULL) {
OcspRequest* request = &csr->request.ocsp;
int ret = CreateOcspResponse(csr->ssl, &request, &csr->response);
if (ret < 0)
return ret;
}
return OPAQUE8_LEN + OPAQUE24_LEN + csr->response.length; return OPAQUE8_LEN + OPAQUE24_LEN + csr->response.length;
}
#endif #endif
return size; return size;
@@ -2952,6 +2945,13 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (ssl->options.tls1_3) { if (ssl->options.tls1_3) {
word32 resp_length; word32 resp_length;
word32 offset = 0; word32 offset = 0;
/* Get the new extension potentially created above. */
extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
if (csr == NULL)
return MEMORY_ERROR;
ret = 0; ret = 0;
if (OPAQUE8_LEN + OPAQUE24_LEN > length) if (OPAQUE8_LEN + OPAQUE24_LEN > length)
ret = BUFFER_ERROR; ret = BUFFER_ERROR;
@@ -3032,7 +3032,25 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (ret != WOLFSSL_SUCCESS) if (ret != WOLFSSL_SUCCESS)
return ret; /* throw error */ return ret; /* throw error */
TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST); #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
if (ssl->options.tls1_3) {
OcspRequest* request;
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
CertificateStatusRequest* csr = extension ?
(CertificateStatusRequest*)extension->data : NULL;
if (csr == NULL)
return MEMORY_ERROR;
request = &csr->request.ocsp;
ret = CreateOcspResponse(ssl, &request, &csr->response);
if (ret != 0)
return ret;
if (csr->response.buffer)
TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
}
else
#endif
TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
ssl->status_request = status_type; ssl->status_request = status_type;
#endif #endif
} }
@@ -10419,10 +10437,14 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size); WOLFSSL_BUFFER(input + offset, size);
#endif #endif
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) if (IsAtLeastTLSv1_3(ssl->version) &&
break; msgType != client_hello &&
#endif msgType != certificate_request &&
msgType != certificate) {
break;
}
#endif
ret = CSR_PARSE(ssl, input + offset, size, isRequest); ret = CSR_PARSE(ssl, input + offset, size, isRequest);
break; break;

1
src/tls13.c
View File

@@ -5127,6 +5127,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)
if (ret < 0) if (ret < 0)
return ret; return ret;
extSz = 0;
ret = TLSX_WriteResponse(ssl, ssl->buffers.certExts->buffer, ret = TLSX_WriteResponse(ssl, ssl->buffers.certExts->buffer,
certificate, &extSz); certificate, &extSz);
if (ret < 0) if (ret < 0)