wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 03:34:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7779 from rizlik/ocsp-dfree-fix

Browse Source 
ocsp: don't free ocsp request if saved in ssl->ctx->certOcspRequest
This commit is contained in:
Sean Parkinson
2024-07-31 09:31:42 +10:00
committed by GitHub
parent ad76038b86 31380aca13
commit dbf88e4c73
2 changed files with 73 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/internal.c
View File

@@ -23313,13 +23313,17 @@ int SendFinished(WOLFSSL* ssl)
* Returns 0 on success * Returns 0 on success
*/ */
static int CreateOcspRequest(WOLFSSL* ssl, OcspRequest* request, static int CreateOcspRequest(WOLFSSL* ssl, OcspRequest* request,
DecodedCert* cert, byte* certData, word32 length) DecodedCert* cert, byte* certData, word32 length,
byte *ctxOwnsRequest)
{ {
int ret; int ret;
if (request != NULL) if (request != NULL)
XMEMSET(request, 0, sizeof(OcspRequest)); XMEMSET(request, 0, sizeof(OcspRequest));
if (ctxOwnsRequest!= NULL)
*ctxOwnsRequest = 0;
InitDecodedCert(cert, certData, length, ssl->heap); InitDecodedCert(cert, certData, length, ssl->heap);
/* TODO: Setup async support here */ /* TODO: Setup async support here */
ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, SSL_CM(ssl), NULL); ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, SSL_CM(ssl), NULL);
@@ -23333,8 +23337,11 @@ static int CreateOcspRequest(WOLFSSL* ssl, OcspRequest* request,
if (!ssl->buffers.weOwnCert) { if (!ssl->buffers.weOwnCert) {
wolfSSL_Mutex* ocspLock = &SSL_CM(ssl)->ocsp_stapling->ocspLock; wolfSSL_Mutex* ocspLock = &SSL_CM(ssl)->ocsp_stapling->ocspLock;
if (wc_LockMutex(ocspLock) == 0) { if (wc_LockMutex(ocspLock) == 0) {
if (ssl->ctx->certOcspRequest == NULL) if (ssl->ctx->certOcspRequest == NULL) {
ssl->ctx->certOcspRequest = request; ssl->ctx->certOcspRequest = request;
if (ctxOwnsRequest!= NULL)
*ctxOwnsRequest = 1;
}
wc_UnLockMutex(ocspLock); wc_UnLockMutex(ocspLock);
} }
} }
@@ -23363,6 +23370,7 @@ int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest,
int ret = 0; int ret = 0;
OcspRequest* request = NULL; OcspRequest* request = NULL;
byte createdRequest = 0; byte createdRequest = 0;
byte ctxOwnsRequest = 0;
if (ssl == NULL || ocspRequest == NULL || response == NULL) if (ssl == NULL || ocspRequest == NULL || response == NULL)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
@@ -23400,7 +23408,7 @@ int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest,
createdRequest = 1; createdRequest = 1;
if (ret == 0) { if (ret == 0) {
ret = CreateOcspRequest(ssl, request, cert, der->buffer, ret = CreateOcspRequest(ssl, request, cert, der->buffer,
der->length); der->length, &ctxOwnsRequest);
} }
if (ret != 0) { if (ret != 0) {
@@ -23427,7 +23435,7 @@ int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest,
} }
/* free request up if error case found otherwise return it */ /* free request up if error case found otherwise return it */
if (ret != 0 && createdRequest) { if (ret != 0 && createdRequest && !ctxOwnsRequest) {
FreeOcspRequest(request); FreeOcspRequest(request);
XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
} }
@@ -24122,6 +24130,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
{ {
OcspRequest* request = ssl->ctx->certOcspRequest; OcspRequest* request = ssl->ctx->certOcspRequest;
buffer responses[1 + MAX_CHAIN_DEPTH]; buffer responses[1 + MAX_CHAIN_DEPTH];
byte ctxOwnsRequest = 0;
int i = 0; int i = 0;
XMEMSET(responses, 0, sizeof(responses)); XMEMSET(responses, 0, sizeof(responses));
@@ -24180,7 +24189,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
break; break;
ret = CreateOcspRequest(ssl, request, cert, der.buffer, ret = CreateOcspRequest(ssl, request, cert, der.buffer,
der.length); der.length, &ctxOwnsRequest);
if (ret == 0) { if (ret == 0) {
request->ssl = ssl; request->ssl = ssl;
ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling, ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling,
@@ -24195,12 +24204,13 @@ int SendCertificateStatus(WOLFSSL* ssl)
i++; i++;
FreeOcspRequest(request); if (!ctxOwnsRequest)
FreeOcspRequest(request);
} }
} }
} }
if (!ctxOwnsRequest)
XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
#endif #endif

55
tests/api.c
View File

@@ -84316,6 +84316,60 @@ static int test_wolfSSL_SendUserCanceled(void)
#endif #endif
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
defined(HAVE_OCSP) && \
defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
!defined(WOLFSSL_NO_TLS12)
static int test_ocsp_callback_fails_cb(void* ctx, const char* url, int urlSz,
byte* ocspReqBuf, int ocspReqSz, byte** ocspRespBuf)
{
(void)ctx;
(void)url;
(void)urlSz;
(void)ocspReqBuf;
(void)ocspReqSz;
(void)ocspRespBuf;
return -1;
}
static int test_ocsp_callback_fails(void)
{
WOLFSSL_CTX *ctx_c = NULL;
WOLFSSL_CTX *ctx_s = NULL;
WOLFSSL *ssl_c = NULL;
WOLFSSL *ssl_s = NULL;
struct test_memio_ctx test_ctx;
EXPECT_DECLS;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx_c), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx_s), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_UseOCSPStapling(ssl_c, WOLFSSL_CSR_OCSP,0), WOLFSSL_SUCCESS);
/* override URL to avoid exing from SendCertificateStatus because of no AuthInfo on the certificate */
ExpectIntEQ(wolfSSL_CTX_SetOCSP_OverrideURL(ctx_s, "http://dummy.test"), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx_s, WOLFSSL_OCSP_NO_NONCE | WOLFSSL_OCSP_URL_OVERRIDE), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_s, caCertFile, 0), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_SetOCSP_Cb(ssl_s, test_ocsp_callback_fails_cb, NULL, NULL), WOLFSSL_SUCCESS);
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), -1);
ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), OCSP_INVALID_STATUS);
wolfSSL_free(ssl_c);
wolfSSL_free(ssl_s);
wolfSSL_CTX_free(ctx_c);
wolfSSL_CTX_free(ctx_s);
return EXPECT_RESULT();
}
#else
static int test_ocsp_callback_fails(void)
{
return TEST_SKIPPED;
}
#endif /* defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
defined(HAVE_OCSP) && \
defined(HAVE_CERTIFICATE_STATUS_REQUEST) */
/*----------------------------------------------------------------------------* /*----------------------------------------------------------------------------*
| Main | Main
@@ -85556,6 +85610,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_UseOCSPStapling), TEST_DECL(test_wolfSSL_UseOCSPStapling),
TEST_DECL(test_wolfSSL_UseOCSPStaplingV2), TEST_DECL(test_wolfSSL_UseOCSPStaplingV2),
TEST_DECL(test_self_signed_stapling), TEST_DECL(test_self_signed_stapling),
TEST_DECL(test_ocsp_callback_fails),
/* Multicast */ /* Multicast */
TEST_DECL(test_wolfSSL_mcast), TEST_DECL(test_wolfSSL_mcast),