wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3495 from haydenroche5/httpd

Browse Source 
Add OpenSSL compatibility functions for latest version of Apache httpd
This commit is contained in:
toddouska
2020-12-09 09:55:13 -08:00
committed by GitHub
parent b7aa0ebf57 03c7e52f5f
commit f31b41fcca
7 changed files with 532 additions and 206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/internal.c
View File

@@ -9823,9 +9823,11 @@ static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
CertStatus* status; CertStatus* status;
OcspEntry* single;
OcspResponse* response; OcspResponse* response;
#else #else
CertStatus status[1]; CertStatus status[1];
OcspEntry single[1];
OcspResponse response[1]; OcspResponse response[1];
#endif #endif
@@ -9856,20 +9858,24 @@ static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap, status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap,
DYNAMIC_TYPE_OCSP_STATUS); DYNAMIC_TYPE_OCSP_STATUS);
single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ssl->heap,
DYNAMIC_TYPE_OCSP_ENTRY);
response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap, response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap,
DYNAMIC_TYPE_OCSP_REQUEST); DYNAMIC_TYPE_OCSP_REQUEST);
if (status == NULL || response == NULL) { if (status == NULL || single == NULL || response == NULL) {
if (status) if (status)
XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
if (single)
XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
if (response) if (response)
XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST); XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
return MEMORY_ERROR; return MEMORY_ERROR;
} }
#endif #endif
InitOcspResponse(response, status, input +*inOutIdx, status_length, ssl->heap); InitOcspResponse(response, single, status, input +*inOutIdx, status_length, ssl->heap);
if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, 0) != 0) if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, 0) != 0)
ret = BAD_CERTIFICATE_STATUS_ERROR; ret = BAD_CERTIFICATE_STATUS_ERROR;
@@ -9877,9 +9883,9 @@ static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = BAD_CERTIFICATE_STATUS_ERROR; ret = BAD_CERTIFICATE_STATUS_ERROR;
else if (response->responseStatus != OCSP_SUCCESSFUL) else if (response->responseStatus != OCSP_SUCCESSFUL)
ret = BAD_CERTIFICATE_STATUS_ERROR; ret = BAD_CERTIFICATE_STATUS_ERROR;
else if (response->status->status == CERT_REVOKED) else if (response->single->status->status == CERT_REVOKED)
ret = OCSP_CERT_REVOKED; ret = OCSP_CERT_REVOKED;
else if (response->status->status != CERT_GOOD) else if (response->single->status->status != CERT_GOOD)
ret = BAD_CERTIFICATE_STATUS_ERROR; ret = BAD_CERTIFICATE_STATUS_ERROR;
else { else {
@@ -9889,9 +9895,9 @@ static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
*inOutIdx += status_length; *inOutIdx += status_length;
FreeOcspResponse(response);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS); XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
#endif #endif
@@ -11854,9 +11860,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
CertStatus* status; CertStatus* status;
OcspEntry* single;
OcspResponse* response; OcspResponse* response;
#else #else
CertStatus status[1]; CertStatus status[1];
OcspEntry single[1];
OcspResponse response[1]; OcspResponse response[1];
#endif #endif
@@ -11872,12 +11880,16 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap, status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap,
DYNAMIC_TYPE_OCSP_STATUS); DYNAMIC_TYPE_OCSP_STATUS);
single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ssl->heap,
DYNAMIC_TYPE_OCSP_ENTRY);
response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap, response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap,
DYNAMIC_TYPE_OCSP_REQUEST); DYNAMIC_TYPE_OCSP_REQUEST);
if (status == NULL || response == NULL) { if (status == NULL || single == NULL || response == NULL) {
if (status) if (status)
XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS); XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
if (single)
XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
if (response) if (response)
XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
@@ -11901,13 +11913,13 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} }
if (status_length) { if (status_length) {
InitOcspResponse(response, status, input +*inOutIdx, InitOcspResponse(response, single, status, input +*inOutIdx,
status_length, ssl->heap); status_length, ssl->heap);
if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap,
0) != 0) 0) != 0)
|| (response->responseStatus != OCSP_SUCCESSFUL) || (response->responseStatus != OCSP_SUCCESSFUL)
|| (response->status->status != CERT_GOOD)) || (response->single->status != CERT_GOOD))
ret = BAD_CERTIFICATE_STATUS_ERROR; ret = BAD_CERTIFICATE_STATUS_ERROR;
while (ret == 0) { while (ret == 0) {
@@ -11934,6 +11946,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS);
XFREE(single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST); XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
#endif #endif

272
src/ocsp.c
View File

@@ -75,6 +75,9 @@ static void FreeOcspEntry(OcspEntry* entry, void* heap)
{ {
CertStatus *status, *next; CertStatus *status, *next;
if (entry == NULL)
return;
WOLFSSL_ENTER("FreeOcspEntry"); WOLFSSL_ENTER("FreeOcspEntry");
for (status = entry->status; status; status = next) { for (status = entry->status; status; status = next) {
@@ -83,6 +86,16 @@ static void FreeOcspEntry(OcspEntry* entry, void* heap)
if (status->rawOcspResponse) if (status->rawOcspResponse)
XFREE(status->rawOcspResponse, heap, DYNAMIC_TYPE_OCSP_STATUS); XFREE(status->rawOcspResponse, heap, DYNAMIC_TYPE_OCSP_STATUS);
#ifdef OPENSSL_EXTRA
if (status->serialInt) {
if (status->serialInt->isDynamic) {
XFREE(status->serialInt->data, NULL, DYNAMIC_TYPE_OPENSSL);
}
XFREE(status->serialInt, NULL, DYNAMIC_TYPE_OPENSSL);
}
status->serialInt = NULL;
#endif
XFREE(status, heap, DYNAMIC_TYPE_OCSP_STATUS); XFREE(status, heap, DYNAMIC_TYPE_OCSP_STATUS);
} }
@@ -272,9 +285,11 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp
{ {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
CertStatus* newStatus; CertStatus* newStatus;
OcspEntry* newSingle;
OcspResponse* ocspResponse; OcspResponse* ocspResponse;
#else #else
CertStatus newStatus[1]; CertStatus newStatus[1];
OcspEntry newSingle[1];
OcspResponse ocspResponse[1]; OcspResponse ocspResponse[1];
#endif #endif
int ret; int ret;
@@ -282,21 +297,24 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER); DYNAMIC_TYPE_OCSP_STATUS);
newSingle = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL,
DYNAMIC_TYPE_OCSP_ENTRY);
ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_TMP_BUFFER); DYNAMIC_TYPE_OCSP_REQUEST);
if (newStatus == NULL || ocspResponse == NULL) { if (newStatus == NULL || newSingle == NULL || ocspResponse == NULL) {
if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_OCSP_STATUS);
if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (newSingle) XFREE(newSingle, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_E; return MEMORY_E;
} }
#endif #endif
XMEMSET(newStatus, 0, sizeof(CertStatus)); InitOcspResponse(ocspResponse, newSingle, newStatus, response, responseSz,
ocsp->cm->heap);
InitOcspResponse(ocspResponse, newStatus, response, responseSz, ocsp->cm->heap);
ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0); ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0);
if (ret != 0) { if (ret != 0) {
ocsp->error = ret; ocsp->error = ret;
@@ -325,7 +343,7 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp
} }
} }
ret = xstat2err(ocspResponse->status->status); ret = xstat2err(ocspResponse->single->status->status);
if (ret == 0) { if (ret == 0) {
validated = 1; validated = 1;
} }
@@ -342,15 +360,15 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp
} }
/* Replace existing certificate entry with updated */ /* Replace existing certificate entry with updated */
newStatus->next = status->next; newSingle->status->next = status->next;
XMEMCPY(status, newStatus, sizeof(CertStatus)); XMEMCPY(status, newSingle->status, sizeof(CertStatus));
} }
else { else {
/* Save new certificate entry */ /* Save new certificate entry */
status = (CertStatus*)XMALLOC(sizeof(CertStatus), status = (CertStatus*)XMALLOC(sizeof(CertStatus),
ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS); ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS);
if (status != NULL) { if (status != NULL) {
XMEMCPY(status, newStatus, sizeof(CertStatus)); XMEMCPY(status, newSingle->status, sizeof(CertStatus));
status->next = entry->status; status->next = entry->status;
entry->status = status; entry->status = status;
entry->totalStatus++; entry->totalStatus++;
@@ -378,10 +396,10 @@ end:
ret = OCSP_LOOKUP_FAIL; ret = OCSP_LOOKUP_FAIL;
} }
FreeOcspResponse(ocspResponse);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(newStatus, NULL, DYNAMIC_TYPE_OCSP_STATUS);
XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(newSingle, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
XFREE(ocspResponse, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
#endif #endif
return ret; return ret;
} }
@@ -501,21 +519,32 @@ int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd, WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
WOLFSSL_ASN1_TIME** nextupd) WOLFSSL_ASN1_TIME** nextupd)
{ {
WOLFSSL_OCSP_SINGLERESP* single;
if (bs == NULL || id == NULL) if (bs == NULL || id == NULL)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
/* Only supporting one certificate status in asn.c. */ single = bs->single;
if (CompareOcspReqResp(id, bs) != 0) while (single != NULL) {
if ((XMEMCMP(single->status->serial, id->status->serial, single->status->serialSz) == 0)
&& (XMEMCMP(single->issuerHash, id->issuerHash, OCSP_DIGEST_SIZE) == 0)
&& (XMEMCMP(single->issuerKeyHash, id->issuerKeyHash, OCSP_DIGEST_SIZE) == 0)) {
break;
}
single = single->next;
}
if (single == NULL)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
if (status != NULL) if (status != NULL)
*status = bs->status->status; *status = single->status->status;
if (thisupd != NULL) if (thisupd != NULL)
*thisupd = &bs->status->thisDateParsed; *thisupd = &single->status->thisDateParsed;
if (nextupd != NULL) if (nextupd != NULL)
*nextupd = &bs->status->nextDateParsed; *nextupd = &single->status->nextDateParsed;
/* TODO: Not needed for Nginx. */ /* TODO: Not needed for Nginx or httpd */
if (reason != NULL) if (reason != NULL)
*reason = 0; *reason = 0;
if (revtime != NULL) if (revtime != NULL)
@@ -551,7 +580,7 @@ int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd,
void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId) void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId)
{ {
FreeOcspRequest(certId); FreeOcspEntry(certId, NULL);
XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
} }
@@ -560,6 +589,7 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
const WOLFSSL_X509 *issuer) const WOLFSSL_X509 *issuer)
{ {
WOLFSSL_OCSP_CERTID* certId; WOLFSSL_OCSP_CERTID* certId;
CertStatus* certStatus;
DecodedCert cert; DecodedCert cert;
WOLFSSL_CERT_MANAGER* cm; WOLFSSL_CERT_MANAGER* cm;
int ret; int ret;
@@ -582,7 +612,23 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL, certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL,
DYNAMIC_TYPE_OPENSSL); DYNAMIC_TYPE_OPENSSL);
if (certId != NULL) { certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_OPENSSL);
if (certId == NULL || certStatus == NULL) {
if (certId)
XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
if (certStatus)
XFREE(certStatus, NULL, DYNAMIC_TYPE_OPENSSL);
return NULL;
}
XMEMSET(certId, 0, sizeof(WOLFSSL_OCSP_CERTID));
XMEMSET(certStatus, 0, sizeof(CertStatus));
certId->status = certStatus;
InitDecodedCert(&cert, subject->derCert->buffer, InitDecodedCert(&cert, subject->derCert->buffer,
subject->derCert->length, NULL); subject->derCert->length, NULL);
if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) { if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) {
@@ -590,14 +636,12 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
certId = NULL; certId = NULL;
} }
else { else {
ret = InitOcspRequest(certId, &cert, 0, NULL); XMEMCPY(certId->issuerHash, cert.issuerHash, OCSP_DIGEST_SIZE);
if (ret != 0) { XMEMCPY(certId->issuerKeyHash, cert.issuerKeyHash, OCSP_DIGEST_SIZE);
XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); XMEMCPY(certId->status->serial, cert.serial, cert.serialSz);
certId = NULL; certId->status->serialSz = cert.serialSz;
}
} }
FreeDecodedCert(&cert); FreeDecodedCert(&cert);
}
wolfSSL_CertManagerFree(cm); wolfSSL_CertManagerFree(cm);
@@ -637,11 +681,18 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs,
void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response) void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response)
{ {
if (response->status != NULL) if (response == NULL)
XFREE(response->status, NULL, DYNAMIC_TYPE_TMP_BUFFER); return;
if (response->single != NULL) {
FreeOcspEntry(response->single, NULL);
XFREE(response->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
}
if (response->source != NULL) if (response->source != NULL)
XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
} }
#ifndef NO_BIO #ifndef NO_BIO
@@ -725,7 +776,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
resp = *response; resp = *response;
if (resp == NULL) { if (resp == NULL) {
resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_OPENSSL); DYNAMIC_TYPE_OCSP_REQUEST);
if (resp == NULL) if (resp == NULL)
return NULL; return NULL;
XMEMSET(resp, 0, sizeof(OcspResponse)); XMEMSET(resp, 0, sizeof(OcspResponse));
@@ -733,16 +784,26 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER); resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (resp->source == NULL) { if (resp->source == NULL) {
XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL); XFREE(resp, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
return NULL; return NULL;
} }
resp->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, resp->single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL,
DYNAMIC_TYPE_TMP_BUFFER); DYNAMIC_TYPE_OCSP_ENTRY);
if (resp->status == NULL) { if (resp->single == NULL) {
XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL); XFREE(resp, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
return NULL; return NULL;
} }
XMEMSET(resp->single, 0, sizeof(OcspEntry));
resp->single->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_OCSP_STATUS);
if (resp->single->status == NULL) {
XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(resp, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
XFREE(resp->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
return NULL;
}
XMEMSET(resp->single->status, 0, sizeof(CertStatus));
XMEMCPY(resp->source, *data, len); XMEMCPY(resp->source, *data, len);
resp->maxIdx = len; resp->maxIdx = len;
@@ -798,22 +859,22 @@ WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response)
WOLFSSL_OCSP_BASICRESP* bs; WOLFSSL_OCSP_BASICRESP* bs;
bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL, bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL,
DYNAMIC_TYPE_OPENSSL); DYNAMIC_TYPE_OCSP_REQUEST);
if (bs == NULL) if (bs == NULL)
return NULL; return NULL;
XMEMCPY(bs, response, sizeof(OcspResponse)); XMEMCPY(bs, response, sizeof(OcspResponse));
bs->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, bs->single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL,
DYNAMIC_TYPE_TMP_BUFFER); DYNAMIC_TYPE_OCSP_ENTRY);
bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER); bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (bs->status == NULL || bs->source == NULL) { if (bs->single == NULL || bs->source == NULL) {
if (bs->status) XFREE(bs->status, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (bs->single) XFREE(bs->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
if (bs->source) XFREE(bs->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (bs->source) XFREE(bs->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL_OCSP_RESPONSE_free(bs); wolfSSL_OCSP_RESPONSE_free(bs);
bs = NULL; bs = NULL;
} }
else { else {
XMEMCPY(bs->status, response->status, sizeof(CertStatus)); XMEMCPY(bs->single, response->single, sizeof(OcspEntry));
XMEMCPY(bs->source, response->source, response->maxIdx); XMEMCPY(bs->source, response->source, response->maxIdx);
} }
return bs; return bs;
@@ -854,23 +915,10 @@ WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req,
if (req == NULL || cid == NULL) if (req == NULL || cid == NULL)
return NULL; return NULL;
FreeOcspRequest(req); XMEMCPY(req->issuerHash, cid->issuerHash, KEYID_SIZE);
XMEMCPY(req, cid, sizeof(OcspRequest)); XMEMCPY(req->issuerKeyHash, cid->issuerKeyHash, KEYID_SIZE);
XMEMCPY(req->serial, cid->status->serial, cid->status->serialSz);
if (cid->serial != NULL) { req->serialSz = cid->status->serialSz;
req->serial = (byte*)XMALLOC(cid->serialSz, NULL,
DYNAMIC_TYPE_OCSP_REQUEST);
req->url = (byte*)XMALLOC(cid->urlSz, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
if (req->serial == NULL || req->url == NULL) {
FreeOcspRequest(req);
return NULL;
}
XMEMCPY(req->serial, cid->serial, cid->serialSz);
XMEMCPY(req->url, cid->url, cid->urlSz);
}
wolfSSL_OCSP_REQUEST_free(cid);
return req; return req;
} }
@@ -879,12 +927,11 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_CERTID_dup(WOLFSSL_OCSP_CERTID* id)
{ {
WOLFSSL_OCSP_CERTID* certId; WOLFSSL_OCSP_CERTID* certId;
if (id == NULL) { if (id == NULL)
return NULL; return NULL;
}
certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID),
id->heap, DYNAMIC_TYPE_OPENSSL); NULL, DYNAMIC_TYPE_OPENSSL);
if (certId) { if (certId) {
XMEMCPY(certId, id, sizeof(WOLFSSL_OCSP_CERTID)); XMEMCPY(certId, id, sizeof(WOLFSSL_OCSP_CERTID));
} }
@@ -928,6 +975,87 @@ int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out,
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
#endif /* !NO_BIO */ #endif /* !NO_BIO */
int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data)
{
if (id == NULL || data == NULL)
return WOLFSSL_FAILURE;
if (*data != NULL) {
XMEMCPY(*data, id->rawCertId, id->rawCertIdSize);
*data = *data + id->rawCertIdSize;
}
else {
*data = (unsigned char*)XMALLOC(id->rawCertIdSize, NULL, DYNAMIC_TYPE_OPENSSL);
XMEMCPY(*data, id->rawCertId, id->rawCertIdSize);
}
return id->rawCertIdSize;
}
const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single)
{
return single;
}
int wolfSSL_OCSP_single_get0_status(WOLFSSL_OCSP_SINGLERESP *single,
int *reason,
WOLFSSL_ASN1_TIME **revtime,
WOLFSSL_ASN1_TIME **thisupd,
WOLFSSL_ASN1_TIME **nextupd)
{
if (single == NULL)
return WOLFSSL_FAILURE;
if (thisupd != NULL)
*thisupd = &single->status->thisDateParsed;
if (nextupd != NULL)
*nextupd = &single->status->nextDateParsed;
if (reason != NULL)
*reason = 0;
if (revtime != NULL)
*revtime = NULL;
return single->status->status;
}
int wolfSSL_OCSP_resp_count(WOLFSSL_OCSP_BASICRESP *bs)
{
WOLFSSL_OCSP_SINGLERESP* single;
int count = 0;
if (bs == NULL)
return WOLFSSL_FAILURE;
single = bs->single;
while(single != NULL)
{
++count;
single = single->next;
}
return count;
}
WOLFSSL_OCSP_SINGLERESP* wolfSSL_OCSP_resp_get0(WOLFSSL_OCSP_BASICRESP *bs, int idx)
{
WOLFSSL_OCSP_SINGLERESP* single;
int currIdx = 0;
if (bs == NULL)
return NULL;
single = bs->single;
while(single != NULL && currIdx != idx)
{
single = single->next;
++currIdx;
}
return single;
}
#endif /* OPENSSL_ALL || APACHE_HTTPD */ #endif /* OPENSSL_ALL || APACHE_HTTPD */
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
@@ -985,15 +1113,15 @@ int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name,
if (ser == NULL) if (ser == NULL)
return 0; return 0;
if (cid->serialSz > (WOLFSSL_ASN1_INTEGER_MAX - 2)) { if (cid->status->serialSz > (WOLFSSL_ASN1_INTEGER_MAX - 2)) {
/* allocate data buffer, +2 for type and length */ /* allocate data buffer, +2 for type and length */
ser->data = (unsigned char*)XMALLOC(cid->serialSz + 2, NULL, ser->data = (unsigned char*)XMALLOC(cid->status->serialSz + 2, NULL,
DYNAMIC_TYPE_OPENSSL); DYNAMIC_TYPE_OPENSSL);
if (ser->data == NULL) { if (ser->data == NULL) {
wolfSSL_ASN1_INTEGER_free(ser); wolfSSL_ASN1_INTEGER_free(ser);
return 0; return 0;
} }
ser->dataMax = cid->serialSz + 2; ser->dataMax = cid->status->serialSz + 2;
ser->isDynamic = 1; ser->isDynamic = 1;
} else { } else {
/* Use array instead of dynamic memory */ /* Use array instead of dynamic memory */
@@ -1003,16 +1131,16 @@ int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name,
#ifdef WOLFSSL_QT #ifdef WOLFSSL_QT
/* Serial number starts at 0 index of ser->data */ /* Serial number starts at 0 index of ser->data */
XMEMCPY(&ser->data[i], cid->serial, cid->serialSz); XMEMCPY(&ser->data[i], cid->status->serial, cid->status->serialSz);
ser->length = cid->serialSz; ser->length = cid->status->serialSz;
#else #else
ser->data[i++] = ASN_INTEGER; ser->data[i++] = ASN_INTEGER;
i += SetLength(cid->serialSz, ser->data + i); i += SetLength(cid->status->serialSz, ser->data + i);
XMEMCPY(&ser->data[i], cid->serial, cid->serialSz); XMEMCPY(&ser->data[i], cid->status->serial, cid->status->serialSz);
#endif #endif
cid->serialInt = ser; cid->status->serialInt = ser;
*serial = cid->serialInt; *serial = ser;
} }
/* Not needed for Apache, return error if user is requesting */ /* Not needed for Apache, return error if user is requesting */

170
tests/api.c
View File

@@ -35091,7 +35091,7 @@ static void test_wolfSSL_i2d_PrivateKey()
#endif #endif
} }
static void test_wolfSSL_OCSP_get0_info() static void test_wolfSSL_OCSP_id_get0_info()
{ {
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && !defined(NO_FILESYSTEM) #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && !defined(NO_FILESYSTEM)
X509* cert; X509* cert;
@@ -35104,7 +35104,7 @@ static void test_wolfSSL_OCSP_get0_info()
ASN1_INTEGER* serial = NULL; ASN1_INTEGER* serial = NULL;
ASN1_INTEGER* x509Int; ASN1_INTEGER* x509Int;
printf(testingFmt, "wolfSSL_OCSP_get0_info()"); printf(testingFmt, "wolfSSL_OCSP_id_get0_info()");
AssertNotNull(cert = AssertNotNull(cert =
wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM)); wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM));
@@ -35136,7 +35136,164 @@ static void test_wolfSSL_OCSP_get0_info()
X509_free(issuer); X509_free(issuer);
printf(resultFmt, "passed"); printf(resultFmt, "passed");
#endif /* OPENSSL_EXTRA & HAVE_OCSP */ #endif
}
static void test_wolfSSL_i2d_OCSP_CERTID()
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
WOLFSSL_OCSP_CERTID certId;
byte* targetBuffer;
byte* beginTargetBuffer;
/* OCSP CertID bytes taken from PCAP */
byte rawCertId[] = {
0x30, 0x49, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
0x00, 0x04, 0x14, 0x80, 0x51, 0x06, 0x01, 0x32, 0xad, 0x9a, 0xc2, 0x7d,
0x51, 0x87, 0xa0, 0xe8, 0x87, 0xfb, 0x01, 0x62, 0x01, 0x55, 0xee, 0x04,
0x14, 0x03, 0xde, 0x50, 0x35, 0x56, 0xd1, 0x4c, 0xbb, 0x66, 0xf0, 0xa3,
0xe2, 0x1b, 0x1b, 0xc3, 0x97, 0xb2, 0x3d, 0xd1, 0x55, 0x02, 0x10, 0x01,
0xfd, 0xa3, 0xeb, 0x6e, 0xca, 0x75, 0xc8, 0x88, 0x43, 0x8b, 0x72, 0x4b,
0xcf, 0xbc, 0x91
};
int ret, i;
printf(testingFmt, "wolfSSL_i2d_OCSP_CERTID()");
XMEMSET(&certId, 0, sizeof(WOLFSSL_OCSP_CERTID));
certId.rawCertId = rawCertId;
certId.rawCertIdSize = sizeof(rawCertId);
targetBuffer = (byte*)XMALLOC(sizeof(rawCertId), NULL, DYNAMIC_TYPE_TMP_BUFFER);
beginTargetBuffer = targetBuffer;
ret = wolfSSL_i2d_OCSP_CERTID(&certId, &targetBuffer);
/* If target buffer is not null, function increments targetBuffer to point
just past the end of the encoded data. */
AssertPtrEq(targetBuffer, (beginTargetBuffer + sizeof(rawCertId)));
/* Function returns the size of the encoded data. */
AssertIntEQ(ret, sizeof(rawCertId));
for (i = 0; i < ret; ++i)
{
AssertIntEQ(beginTargetBuffer[i], rawCertId[i]);
}
XFREE(beginTargetBuffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
targetBuffer = NULL;
ret = wolfSSL_i2d_OCSP_CERTID(&certId, &targetBuffer);
/* If target buffer is null, function allocates memory for a buffer and
copies the encoded data into it. targetBuffer then points to the start of
this newly allocate buffer. */
AssertIntEQ(ret, sizeof(rawCertId));
for (i = 0; i < ret; ++i)
{
AssertIntEQ(targetBuffer[i], rawCertId[i]);
}
XFREE(targetBuffer, NULL, DYNAMIC_TYPE_OPENSSL);
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_OCSP_SINGLERESP_get0_id()
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
WOLFSSL_OCSP_SINGLERESP single;
const WOLFSSL_OCSP_CERTID* certId = wolfSSL_OCSP_SINGLERESP_get0_id(&single);
printf(testingFmt, "wolfSSL_OCSP_SINGLERESP_get0_id()");
AssertPtrEq(&single, certId);
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_OCSP_single_get0_status()
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
WOLFSSL_OCSP_SINGLERESP single;
CertStatus certStatus;
WOLFSSL_ASN1_TIME* thisDate;
WOLFSSL_ASN1_TIME* nextDate;
int ret, i;
printf(testingFmt, "wolfSSL_OCSP_single_get0_status()");
XMEMSET(&single, 0, sizeof(WOLFSSL_OCSP_SINGLERESP));
XMEMSET(&certStatus, 0, sizeof(CertStatus));
/* Fill the date fields with some dummy data. */
for (i = 0; i < CTC_DATE_SIZE; ++i) {
certStatus.thisDateParsed.data[i] = i;
certStatus.nextDateParsed.data[i] = i;
}
certStatus.status = CERT_GOOD;
single.status = &certStatus;
ret = wolfSSL_OCSP_single_get0_status(&single, NULL, NULL, &thisDate,
&nextDate);
AssertIntEQ(ret, CERT_GOOD);
AssertPtrEq(thisDate, &certStatus.thisDateParsed);
AssertPtrEq(nextDate, &certStatus.nextDateParsed);
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_OCSP_resp_count()
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
WOLFSSL_OCSP_BASICRESP basicResp;
WOLFSSL_OCSP_SINGLERESP singleRespOne;
WOLFSSL_OCSP_SINGLERESP singleRespTwo;
int count = 1;
printf(testingFmt, "wolfSSL_OCSP_resp_count()");
XMEMSET(&basicResp, 0, sizeof(WOLFSSL_OCSP_BASICRESP));
XMEMSET(&singleRespOne, 0, sizeof(WOLFSSL_OCSP_SINGLERESP));
XMEMSET(&singleRespTwo, 0, sizeof(WOLFSSL_OCSP_SINGLERESP));
count = wolfSSL_OCSP_resp_count(&basicResp);
AssertIntEQ(count, 0);
basicResp.single = &singleRespOne;
count = wolfSSL_OCSP_resp_count(&basicResp);
AssertIntEQ(count, 1);
singleRespOne.next = &singleRespTwo;
count = wolfSSL_OCSP_resp_count(&basicResp);
AssertIntEQ(count, 2);
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_OCSP_resp_get0()
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
WOLFSSL_OCSP_BASICRESP basicResp;
WOLFSSL_OCSP_SINGLERESP singleRespOne;
WOLFSSL_OCSP_SINGLERESP singleRespTwo;
WOLFSSL_OCSP_SINGLERESP* ret;
printf(testingFmt, "wolfSSL_OCSP_resp_get0()");
XMEMSET(&basicResp, 0, sizeof(WOLFSSL_OCSP_BASICRESP));
XMEMSET(&singleRespOne, 0, sizeof(WOLFSSL_OCSP_SINGLERESP));
XMEMSET(&singleRespTwo, 0, sizeof(WOLFSSL_OCSP_SINGLERESP));
basicResp.single = &singleRespOne;
singleRespOne.next = &singleRespTwo;
ret = wolfSSL_OCSP_resp_get0(&basicResp, 0);
AssertPtrEq(ret, &singleRespOne);
ret = wolfSSL_OCSP_resp_get0(&basicResp, 1);
AssertPtrEq(ret, &singleRespTwo);
printf(resultFmt, passed);
#endif
} }
static void test_wolfSSL_EVP_PKEY_derive(void) static void test_wolfSSL_EVP_PKEY_derive(void)
@@ -39227,7 +39384,12 @@ void ApiTest(void)
test_wolfssl_EVP_aes_gcm(); test_wolfssl_EVP_aes_gcm();
test_wolfSSL_PKEY_up_ref(); test_wolfSSL_PKEY_up_ref();
test_wolfSSL_i2d_PrivateKey(); test_wolfSSL_i2d_PrivateKey();
test_wolfSSL_OCSP_get0_info(); test_wolfSSL_OCSP_id_get0_info();
test_wolfSSL_i2d_OCSP_CERTID();
test_wolfSSL_OCSP_SINGLERESP_get0_id();
test_wolfSSL_OCSP_single_get0_status();
test_wolfSSL_OCSP_resp_count();
test_wolfSSL_OCSP_resp_get0();
test_wolfSSL_EVP_PKEY_derive(); test_wolfSSL_EVP_PKEY_derive();
test_wolfSSL_RSA_padding_add_PKCS1_PSS(); test_wolfSSL_RSA_padding_add_PKCS1_PSS();

155
wolfcrypt/src/asn.c
View File

@@ -16709,11 +16709,10 @@ static int GetEnumerated(const byte* input, word32* inOutIdx, int *value,
} }
static int DecodeSingleResponse(byte* source, static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
word32* ioIndex, OcspResponse* resp, word32 size, int wrapperSz, int wrapperSz, OcspEntry* single)
CertStatus* cs)
{ {
word32 idx = *ioIndex, prevIndex, oid, localIdx; word32 idx = *ioIndex, prevIndex, oid, localIdx, certIdIdx;
int length; int length;
int ret; int ret;
byte tag; byte tag;
@@ -16727,46 +16726,51 @@ static int DecodeSingleResponse(byte* source,
return ASN_PARSE_E; return ASN_PARSE_E;
/* Wrapper around the CertID */ /* Wrapper around the CertID */
certIdIdx = idx;
if (GetSequence(source, &idx, &length, size) < 0) if (GetSequence(source, &idx, &length, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
/* Skip the hash algorithm */ single->rawCertId = source + certIdIdx;
if (GetAlgoId(source, &idx, &oid, oidIgnoreType, size) < 0) /* Hash algorithm */
return ASN_PARSE_E; ret = GetAlgoId(source, &idx, &oid, oidIgnoreType, size);
if (ret < 0)
return ret;
single->hashAlgoOID = oid;
/* Save reference to the hash of CN */ /* Save reference to the hash of CN */
ret = GetOctetString(source, &idx, &length, size); ret = GetOctetString(source, &idx, &length, size);
if (ret < 0) if (ret < 0)
return ret; return ret;
resp->issuerHash = source + idx; XMEMCPY(single->issuerHash, source + idx, length);
idx += length; idx += length;
/* Save reference to the hash of the issuer public key */ /* Save reference to the hash of the issuer public key */
ret = GetOctetString(source, &idx, &length, size); ret = GetOctetString(source, &idx, &length, size);
if (ret < 0) if (ret < 0)
return ret; return ret;
resp->issuerKeyHash = source + idx; XMEMCPY(single->issuerKeyHash, source + idx, length);
idx += length; idx += length;
/* Get serial number */ /* Get serial number */
if (GetSerialNumber(source, &idx, cs->serial, &cs->serialSz, size) < 0) if (GetSerialNumber(source, &idx, single->status->serial, &single->status->serialSz, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
single->rawCertIdSize = idx - certIdIdx;
if ( idx >= size ) if (idx >= size)
return BUFFER_E; return BUFFER_E;
/* CertStatus */ /* CertStatus */
switch (source[idx++]) switch (source[idx++])
{ {
case (ASN_CONTEXT_SPECIFIC | CERT_GOOD): case (ASN_CONTEXT_SPECIFIC | CERT_GOOD):
cs->status = CERT_GOOD; single->status->status = CERT_GOOD;
idx++; idx++;
break; break;
case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED): case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED):
cs->status = CERT_REVOKED; single->status->status = CERT_REVOKED;
if (GetLength(source, &idx, &length, size) < 0) if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
idx += length; idx += length;
break; break;
case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN): case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN):
cs->status = CERT_UNKNOWN; single->status->status = CERT_UNKNOWN;
idx++; idx++;
break; break;
default: default:
@@ -16774,23 +16778,23 @@ static int DecodeSingleResponse(byte* source,
} }
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
cs->thisDateAsn = source + idx; single->status->thisDateAsn = source + idx;
localIdx = 0; localIdx = 0;
if (GetDateInfo(cs->thisDateAsn, &localIdx, NULL, if (GetDateInfo(single->status->thisDateAsn, &localIdx, NULL,
(byte*)&cs->thisDateParsed.type, (byte*)&single->status->thisDateParsed.type,
&cs->thisDateParsed.length, size) < 0) &single->status->thisDateParsed.length, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
XMEMCPY(cs->thisDateParsed.data, XMEMCPY(single->status->thisDateParsed.data,
cs->thisDateAsn + localIdx - cs->thisDateParsed.length, single->status->thisDateAsn + localIdx - single->status->thisDateParsed.length,
cs->thisDateParsed.length); single->status->thisDateParsed.length);
#endif #endif
if (GetBasicDate(source, &idx, cs->thisDate, if (GetBasicDate(source, &idx, single->status->thisDate,
&cs->thisDateFormat, size) < 0) &single->status->thisDateFormat, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
#ifndef NO_ASN_TIME #ifndef NO_ASN_TIME
#ifndef WOLFSSL_NO_OCSP_DATE_CHECK #ifndef WOLFSSL_NO_OCSP_DATE_CHECK
if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE)) if (!XVALIDATE_DATE(single->status->thisDate, single->status->thisDateFormat, BEFORE))
return ASN_BEFORE_DATE_E; return ASN_BEFORE_DATE_E;
#endif #endif
#endif #endif
@@ -16806,23 +16810,23 @@ static int DecodeSingleResponse(byte* source,
if (GetLength(source, &idx, &length, size) < 0) if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
cs->nextDateAsn = source + idx; single->status->nextDateAsn = source + idx;
localIdx = 0; localIdx = 0;
if (GetDateInfo(cs->nextDateAsn, &localIdx, NULL, if (GetDateInfo(single->status->nextDateAsn, &localIdx, NULL,
(byte*)&cs->nextDateParsed.type, (byte*)&single->status->nextDateParsed.type,
&cs->nextDateParsed.length, size) < 0) &single->status->nextDateParsed.length, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
XMEMCPY(cs->nextDateParsed.data, XMEMCPY(single->status->nextDateParsed.data,
cs->nextDateAsn + localIdx - cs->nextDateParsed.length, single->status->nextDateAsn + localIdx - single->status->nextDateParsed.length,
cs->nextDateParsed.length); single->status->nextDateParsed.length);
#endif #endif
if (GetBasicDate(source, &idx, cs->nextDate, if (GetBasicDate(source, &idx, single->status->nextDate,
&cs->nextDateFormat, size) < 0) &single->status->nextDateFormat, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
#ifndef NO_ASN_TIME #ifndef NO_ASN_TIME
#ifndef WOLFSSL_NO_OCSP_DATE_CHECK #ifndef WOLFSSL_NO_OCSP_DATE_CHECK
if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER)) if (!XVALIDATE_DATE(single->status->nextDate, single->status->nextDateFormat, AFTER))
return ASN_AFTER_DATE_E; return ASN_AFTER_DATE_E;
#endif #endif
#endif #endif
@@ -16933,7 +16937,7 @@ static int DecodeResponseData(byte* source,
int ret; int ret;
byte tag; byte tag;
int wrapperSz; int wrapperSz;
CertStatus* cs; OcspEntry* single;
WOLFSSL_ENTER("DecodeResponseData"); WOLFSSL_ENTER("DecodeResponseData");
@@ -16980,20 +16984,21 @@ static int DecodeResponseData(byte* source,
return ASN_PARSE_E; return ASN_PARSE_E;
localIdx = idx; localIdx = idx;
cs = resp->status; single = resp->single;
while (idx - localIdx < (word32)wrapperSz) { while (idx - localIdx < (word32)wrapperSz) {
ret = DecodeSingleResponse(source, &idx, resp, size, wrapperSz, cs); ret = DecodeSingleResponse(source, &idx, size, wrapperSz, single);
if (ret < 0) if (ret < 0)
return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */
if (idx - localIdx < (word32)wrapperSz) { if (idx - localIdx < (word32)wrapperSz) {
cs->next = (CertStatus*)XMALLOC(sizeof(CertStatus), resp->heap, single->next = (OcspEntry*)XMALLOC(sizeof(OcspEntry), resp->heap,
DYNAMIC_TYPE_OCSP_STATUS); DYNAMIC_TYPE_OCSP_ENTRY);
if (cs->next == NULL) { if (single->next == NULL) {
return MEMORY_E; return MEMORY_E;
} }
cs = cs->next; single = single->next;
XMEMSET(cs, 0, sizeof(CertStatus)); XMEMSET(single, 0, sizeof(OcspEntry));
cs->isDynamic = 1; single->isDynamic = 1;
} }
} }
@@ -17105,7 +17110,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) { if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert.subjectHash, if (XMEMCMP(cert.subjectHash,
resp->issuerHash, KEYID_SIZE) == 0) { resp->single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer"); WOLFSSL_MSG("\tOCSP Response signed by issuer");
} }
else { else {
@@ -17140,9 +17145,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
int sigValid = -1; int sigValid = -1;
#ifndef NO_SKID #ifndef NO_SKID
ca = GetCA(cm, resp->issuerKeyHash); ca = GetCA(cm, resp->single->issuerKeyHash);
#else #else
ca = GetCA(cm, resp->issuerHash); ca = GetCA(cm, resp->single->issuerHash);
#endif #endif
if (ca) { if (ca) {
@@ -17167,16 +17172,18 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
} }
void InitOcspResponse(OcspResponse* resp, CertStatus* status, void InitOcspResponse(OcspResponse* resp, OcspEntry* single, CertStatus* status,
byte* source, word32 inSz, void* heap) byte* source, word32 inSz, void* heap)
{ {
WOLFSSL_ENTER("InitOcspResponse"); WOLFSSL_ENTER("InitOcspResponse");
XMEMSET(status, 0, sizeof(CertStatus)); XMEMSET(status, 0, sizeof(CertStatus));
XMEMSET(single, 0, sizeof(OcspEntry));
XMEMSET(resp, 0, sizeof(OcspResponse)); XMEMSET(resp, 0, sizeof(OcspResponse));
single->status = status;
resp->responseStatus = -1; resp->responseStatus = -1;
resp->status = status; resp->single = single;
resp->source = source; resp->source = source;
resp->maxIdx = inSz; resp->maxIdx = inSz;
resp->heap = heap; resp->heap = heap;
@@ -17184,11 +17191,11 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
void FreeOcspResponse(OcspResponse* resp) void FreeOcspResponse(OcspResponse* resp)
{ {
CertStatus *status, *next; OcspEntry *single, *next;
for (status = resp->status; status; status = next) { for (single = resp->single; single; single = next) {
next = status->next; next = single->next;
if (status->isDynamic) if (single->isDynamic)
XFREE(status, resp->heap, DYNAMIC_TYPE_OCSP_STATUS); XFREE(single, resp->heap, DYNAMIC_TYPE_OCSP_ENTRY);
} }
} }
@@ -17464,7 +17471,7 @@ void FreeOcspRequest(OcspRequest* req)
int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
{ {
int cmp; int cmp;
CertStatus *status, *next, *prev = NULL, *top; OcspEntry *single, *next, *prev = NULL, *top;
WOLFSSL_ENTER("CompareOcspReqResp"); WOLFSSL_ENTER("CompareOcspReqResp");
@@ -17472,8 +17479,7 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
WOLFSSL_MSG("\tReq missing"); WOLFSSL_MSG("\tReq missing");
return -1; return -1;
} }
if (resp == NULL || resp->issuerHash == NULL || if (resp == NULL || resp->single == NULL) {
resp->issuerKeyHash == NULL || resp->status == NULL) {
WOLFSSL_MSG("\tResp missing"); WOLFSSL_MSG("\tResp missing");
return 1; return 1;
} }
@@ -17498,41 +17504,30 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
} }
} }
cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE);
if (cmp != 0) {
WOLFSSL_MSG("\tissuerHash mismatch");
return cmp;
}
cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE);
if (cmp != 0) {
WOLFSSL_MSG("\tissuerKeyHash mismatch");
return cmp;
}
/* match based on found status and return */ /* match based on found status and return */
for (status = resp->status; status; status = next) { for (single = resp->single; single; single = next) {
cmp = req->serialSz - status->serialSz; cmp = req->serialSz - single->status->serialSz;
if (cmp == 0) {
cmp = XMEMCMP(req->serial, status->serial, req->serialSz);
if (cmp == 0) { if (cmp == 0) {
if ((XMEMCMP(req->serial, single->status->serial, req->serialSz) == 0)
&& (XMEMCMP(req->issuerHash, single->issuerHash, OCSP_DIGEST_SIZE) == 0)
&& (XMEMCMP(req->issuerKeyHash, single->issuerKeyHash, OCSP_DIGEST_SIZE) == 0)) {
/* match found */ /* match found */
if (resp->status != status && prev) { if (resp->single != single && prev) {
/* move to top of list */ /* move to top of list */
top = resp->status; top = resp->single;
resp->status = status; resp->single = single;
prev->next = status->next; prev->next = single->next;
status->next = top; single->next = top;
} }
break; break;
} }
} }
next = status->next; next = single->next;
prev = status; prev = single;
} }
if (cmp != 0) { if (cmp != 0) {
WOLFSSL_MSG("\tserial mismatch"); WOLFSSL_MSG("\trequest and response mismatch");
return cmp; return cmp;
} }

14
wolfssl/ocsp.h
View File

@@ -41,7 +41,9 @@ typedef struct WOLFSSL_OCSP WOLFSSL_OCSP;
defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)
typedef struct OcspResponse WOLFSSL_OCSP_BASICRESP; typedef struct OcspResponse WOLFSSL_OCSP_BASICRESP;
typedef struct OcspRequest WOLFSSL_OCSP_CERTID; typedef struct OcspEntry WOLFSSL_OCSP_CERTID;
typedef struct OcspEntry WOLFSSL_OCSP_SINGLERESP;
typedef struct OcspRequest WOLFSSL_OCSP_ONEREQ; typedef struct OcspRequest WOLFSSL_OCSP_ONEREQ;
@@ -107,6 +109,16 @@ WOLFSSL_API int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out,
WOLFSSL_OCSP_REQUEST *req); WOLFSSL_OCSP_REQUEST *req);
#endif #endif
WOLFSSL_API int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID *, unsigned char **);
WOLFSSL_API const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single);
WOLFSSL_API int wolfSSL_OCSP_single_get0_status(WOLFSSL_OCSP_SINGLERESP *single,
int *reason,
WOLFSSL_ASN1_TIME **revtime,
WOLFSSL_ASN1_TIME **thisupd,
WOLFSSL_ASN1_TIME **nextupd);
WOLFSSL_API int wolfSSL_OCSP_resp_count(WOLFSSL_OCSP_BASICRESP *bs);
WOLFSSL_API WOLFSSL_OCSP_SINGLERESP* wolfSSL_OCSP_resp_get0(WOLFSSL_OCSP_BASICRESP *bs, int idx);
#endif #endif
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
WOLFSSL_API int wolfSSL_OCSP_REQUEST_add_ext(OcspRequest* req, WOLFSSL_API int wolfSSL_OCSP_REQUEST_add_ext(OcspRequest* req,

7
wolfssl/openssl/ocsp.h
View File

@@ -30,6 +30,7 @@
#define OCSP_REQUEST OcspRequest #define OCSP_REQUEST OcspRequest
#define OCSP_RESPONSE OcspResponse #define OCSP_RESPONSE OcspResponse
#define OCSP_BASICRESP WOLFSSL_OCSP_BASICRESP #define OCSP_BASICRESP WOLFSSL_OCSP_BASICRESP
#define OCSP_SINGLERESP WOLFSSL_OCSP_SINGLERESP
#define OCSP_CERTID WOLFSSL_OCSP_CERTID #define OCSP_CERTID WOLFSSL_OCSP_CERTID
#define OCSP_ONEREQ WOLFSSL_OCSP_ONEREQ #define OCSP_ONEREQ WOLFSSL_OCSP_ONEREQ
@@ -76,6 +77,12 @@
#define i2d_OCSP_REQUEST_bio wolfSSL_i2d_OCSP_REQUEST_bio #define i2d_OCSP_REQUEST_bio wolfSSL_i2d_OCSP_REQUEST_bio
#define i2d_OCSP_CERTID wolfSSL_i2d_OCSP_CERTID
#define OCSP_SINGLERESP_get0_id wolfSSL_OCSP_SINGLERESP_get0_id
#define OCSP_single_get0_status wolfSSL_OCSP_single_get0_status
#define OCSP_resp_count wolfSSL_OCSP_resp_count
#define OCSP_resp_get0 wolfSSL_OCSP_resp_get0
#endif /* HAVE_OCSP */ #endif /* HAVE_OCSP */
#endif /* WOLFSSL_OCSP_H_ */ #endif /* WOLFSSL_OCSP_H_ */

57
wolfssl/wolfcrypt/asn.h
View File

@@ -1258,6 +1258,9 @@ struct CertStatus {
byte serial[EXTERNAL_SERIAL_SIZE]; byte serial[EXTERNAL_SERIAL_SIZE];
int serialSz; int serialSz;
#ifdef OPENSSL_EXTRA
WOLFSSL_ASN1_INTEGER* serialInt;
#endif
int status; int status;
@@ -1274,11 +1277,36 @@ struct CertStatus {
byte* rawOcspResponse; byte* rawOcspResponse;
word32 rawOcspResponseSz; word32 rawOcspResponseSz;
/* option bits - using 32-bit for alignment */
word32 isDynamic:1; /* was allocated cert status */
}; };
typedef struct OcspEntry OcspEntry;
#ifdef NO_SHA
#define OCSP_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
#else
#define OCSP_DIGEST_SIZE WC_SHA_DIGEST_SIZE
#endif
struct OcspEntry
{
OcspEntry *next; /* next entry */
word32 hashAlgoOID; /* hash algo ID */
byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
CertStatus *status; /* OCSP response list */
int totalStatus; /* number on list */
byte* rawCertId; /* raw bytes of the CertID */
int rawCertIdSize; /* num bytes in raw CertID */
/* option bits - using 32-bit for alignment */
word32 isDynamic:1; /* was dynamically allocated */
};
/* TODO: Long-term, it would be helpful if we made this struct and other OCSP
structs conform to the ASN spec as described in RFC 6960. It will help
with readability and with implementing OpenSSL compatibility API
functions, because OpenSSL's OCSP data structures conform to the
RFC. */
struct OcspResponse { struct OcspResponse {
int responseStatus; /* return code from Responder */ int responseStatus; /* return code from Responder */
@@ -1288,8 +1316,6 @@ struct OcspResponse {
byte producedDate[MAX_DATE_SIZE]; byte producedDate[MAX_DATE_SIZE];
/* Date at which this response was signed */ /* Date at which this response was signed */
byte producedDateFormat; /* format of the producedDate */ byte producedDateFormat; /* format of the producedDate */
byte* issuerHash;
byte* issuerKeyHash;
byte* cert; byte* cert;
word32 certSz; word32 certSz;
@@ -1298,7 +1324,7 @@ struct OcspResponse {
word32 sigSz; /* Length in octets for the sig */ word32 sigSz; /* Length in octets for the sig */
word32 sigOID; /* OID for hash used for sig */ word32 sigOID; /* OID for hash used for sig */
CertStatus* status; /* certificate status to fill out */ OcspEntry* single; /* chain of OCSP single responses */
byte* nonce; /* pointer to nonce inside ASN.1 response */ byte* nonce; /* pointer to nonce inside ASN.1 response */
int nonceSz; /* length of the nonce string */ int nonceSz; /* length of the nonce string */
@@ -1330,24 +1356,7 @@ struct OcspRequest {
void* ssl; void* ssl;
}; };
typedef struct OcspEntry OcspEntry; WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, OcspEntry*, CertStatus*, byte*, word32, void*);
#ifdef NO_SHA
#define OCSP_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
#else
#define OCSP_DIGEST_SIZE WC_SHA_DIGEST_SIZE
#endif
struct OcspEntry
{
OcspEntry *next; /* next entry */
byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
CertStatus *status; /* OCSP response list */
int totalStatus; /* number on list */
};
WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32, void*);
WOLFSSL_LOCAL void FreeOcspResponse(OcspResponse*); WOLFSSL_LOCAL void FreeOcspResponse(OcspResponse*);
WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int); WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int);