WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

fix ocsp response when using DTLS

pull/7671/head
Hideki Miyazaki 2024-06-21 08:29:42 +09:00
parent 385a097646
commit 30eb558d58
4 changed files with 90 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
examples/client/client.c
View File

@ -1162,6 +1162,7 @@ static const char* client_usage_msg[][78] = {
"-D Override Date Errors example\n", /* 18 */
"-e List Every cipher suite available, \n", /* 19 */
"-g Send server HTTP GET\n", /* 20 */
#ifdef WOLFSSL_DTLS
#ifndef WOLFSSL_DTLS13
"-u Use UDP DTLS, add -v 2 for DTLSv1, -v 3 for DTLSv1.2"
" (default)\n", /* 21 */
@ -1169,6 +1170,7 @@ static const char* client_usage_msg[][78] = {
"-u Use UDP DTLS, add -v 2 for DTLSv1, -v 3 for DTLSv1.2"
" (default), -v 4 for DTLSv1.3\n", /* 21 */
#endif /* !WOLFSSL_DTLS13 */
#endif
#ifdef WOLFSSL_SCTP
"-G Use SCTP DTLS,"
" add -v 2 for DTLSv1, -v 3 for DTLSv1.2 (default)\n", /* 22 */
@ -1387,6 +1389,7 @@ static const char* client_usage_msg[][78] = {
"-D 日付エラー用コールバック例の上書きを行う\n", /* 18 */
"-e 利用可能な全ての暗号スイートをリスト, \n", /* 19 */
"-g サーバーへ HTTP GET を送信\n", /* 20 */
#ifdef WOLFSSL_DTLS
"-u UDP DTLSを使用する。\n"
#ifndef WOLFSSL_DTLS13
" -v 2 を追加指定するとDTLSv1, "
@ -1396,6 +1399,7 @@ static const char* client_usage_msg[][78] = {
"-v 3 を追加指定すると DTLSv1.2 (既定値),\n"
" -v 4 を追加指定すると DTLSv1.3\n", /* 21 */
#endif /* !WOLFSSL_DTLS13 */
#endif /* WOLFSSL_DTLS */
#ifdef WOLFSSL_SCTP
"-G SCTP DTLSを使用する。-v 2 を追加指定すると"
" DTLSv1, -v 3 を追加指定すると DTLSv1.2 (既定値)\n", /* 22 */

43
scripts/ocsp-stapling.test
View File

@ -388,6 +388,49 @@ else
echo 'skipping TLS1.3 stapling tests.' 1>&2
fi
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
-k certs/ocsp/server1-key.pem -p $port3 &
wolf_pid3=$!
wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
# DTLS 1.2 and 1.3 cases
if ./examples/client/client -? 2>&1 | grep -q 'DTLS'; then
printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------"
# client test against our own server, must staple - GOOD CERT
echo $ready_file2
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
-k certs/ocsp/server1-key.pem -u -v 3 \
-p $port3 &
wolf_pid3=$!
sleep 0.2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 3 \
-W 1 -p $port3
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD PASS -------------------"
# client test against our own server, must staple - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
-k certs/ocsp/server1-key.pem -u -v 4 \
-p $port3 &
wolf_pid3=$!
sleep 0.2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 4 \
-W 1 -p $port3
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
fi
# need a unique port since may run the same time as testsuite
generate_port() {
#-------------------------------------------------------------------------#

16
scripts/ocsp-stapling2.test
View File

@ -499,6 +499,22 @@ RESULT=$?
&& exit 1
printf '%s\n\n' "Test PASSED!"
if ./examples/client/client -? 2>&1 | grep -q 'DTLS'; then
printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------"
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $port5 -u -v 3 &
server_pid5=$!
sleep 0.2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -u -v 3 \
-p $port5
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
fi
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
exit 0

99
src/internal.c
View File

@ -23860,6 +23860,7 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status,
byte* output = NULL;
word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
word32 length = ENUM_LEN;
word32 headerSz= idx;
int sendSz = 0;
int ret = 0;
int i = 0;
@ -23879,89 +23880,43 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status,
default:
return 0;
}
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls) {
headerSz = idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
sendSz = idx + length;
} else
#endif
sendSz = (int)(idx + length);
if (ssl->keys.encryptionOn)
sendSz += MAX_MSG_EXTRA;
/* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
* is not advanced yet */
ssl->options.buildingMsg = 1;
output =(byte*)XMALLOC(sendSz, ssl->heap, DYNAMIC_TYPE_OCSP);
if (output == NULL)
return MEMORY_E;
if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) {
output = GetOutputBuffer(ssl);
AddHeaders(output, length, certificate_status, ssl);
AddHeaders(output, length, certificate_status, ssl);
output[idx++] = type;
output[idx++] = type;
if (type == WOLFSSL_CSR2_OCSP_MULTI) {
c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx);
idx += OPAQUE24_LEN;
}
for (i = 0; i < count; i++) {
c32to24(status[i].length, output + idx);
idx += OPAQUE24_LEN;
XMEMCPY(output + idx, status[i].buffer, status[i].length);
idx += status[i].length;
}
if (IsEncryptionOn(ssl, 1)) {
byte* input;
int inputSz = (int)idx; /* build msg adds rec hdr */
int recordHeaderSz = RECORD_HEADER_SZ;
if (ssl->options.dtls)
recordHeaderSz += DTLS_RECORD_EXTRA;
inputSz -= recordHeaderSz;
input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
if (input == NULL)
return MEMORY_E;
XMEMCPY(input, output + recordHeaderSz, inputSz);
#ifdef WOLFSSL_DTLS
ret = DtlsMsgPoolSave(ssl, input, (word32)inputSz, certificate_status);
#endif
if (ret == 0)
sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
handshake, 1, 0, 0, CUR_ORDER);
XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
if (sendSz < 0)
ret = sendSz;
}
else {
#ifdef WOLFSSL_DTLS
if (ret == 0 && IsDtlsNotSctpMode(ssl))
ret = DtlsMsgPoolSave(ssl, output, (word32)sendSz, certificate_status);
if (ret == 0 && ssl->options.dtls)
DtlsSEQIncrement(ssl, CUR_ORDER);
#endif
ret = HashOutput(ssl, output, sendSz, 0);
}
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
if (ret == 0 && ssl->hsInfoOn)
AddPacketName(ssl, "CertificateStatus");
if (ret == 0 && ssl->toInfoOn) {
ret = AddPacketInfo(ssl, "CertificateStatus", handshake, output,
sendSz, WRITE_PROTO, 0, ssl->heap);
if (ret != 0)
return ret;
}
#endif
if (ret == 0) {
ssl->options.buildingMsg = 0;
ssl->buffers.outputBuffer.length += sendSz;
if (!ssl->options.groupMessages)
ret = SendBuffered(ssl);
}
if (type == WOLFSSL_CSR2_OCSP_MULTI) {
c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx);
idx += OPAQUE24_LEN;
}
for (i = 0; i < count; i++) {
c32to24(status[i].length, output + idx);
idx += OPAQUE24_LEN;
XMEMCPY(output + idx, status[i].buffer, status[i].length);
idx += status[i].length;
}
/* Send Message. Handled message fragmentation in the function if needed */
ret = SendHandshakeMsg(ssl, output, (sendSz - headerSz), certificate_status,
"Certificate Status");
XFREE(output, ssl->heap, DYNAMIC_TYPE_OCSP);
WOLFSSL_LEAVE("BuildCertificateStatus", ret);
return ret;
}