WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #3544 from haydenroche5/ocsp_stapling_bug 

Fix bug where OCSP stapling wasn't happening even when requested by client
pull/3603/head
John Safranek 2020-12-29 14:23:10 -08:00 committed by GitHub
parent da007ecd7b c47b98bca1
commit c482d16029
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 81 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
scripts/ocsp-stapling.test
View File

@ -311,7 +311,7 @@ wolf_pid3=$!
wait_for_readyFile $ready_file2 $wolf_pid3 $port3
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
@ -324,7 +324,7 @@ wait_for_readyFile $ready_file2 $wolf_pid3 $port3
sleep 0.1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" \
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 2 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test successfully REVOKED!"
@ -345,7 +345,21 @@ if [ $? -ne 0 ]; then
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ------------------"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD PASS --------------------"
# client test against our own server, must staple - GOOD CERT
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file2 \
-k certs/ocsp/server1-key.pem -v 4 \
-p $port3 &
wolf_pid3=$!
wait_for_readyFile $ready_file2 $wolf_pid3 $port3
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1m -v 4 -F 1 \
-p $port3
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 4 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ------------------"
# client test against our own server - REVOKED CERT
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \
@ -357,7 +371,7 @@ if [ $? -ne 0 ]; then
-p $port3
RESULT=$?
[ $RESULT -ne 1 ] && \
printf '\n\n%s\n' "Client connection succeeded $RESULT" \
printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test successfully REVOKED!"
fi
@ -373,20 +387,20 @@ openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.
openssl_pid=$!
sleep 0.1
printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ----------------------"
printf '%s\n\n' "------------- TEST CASE 6 SHOULD PASS ----------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 3 -W 1
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 6 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 6 SHOULD UNKNOWN -------------------"
printf '%s\n\n' "------------- TEST CASE 7 SHOULD UNKNOWN -------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 3 -W 1m
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 6 succeeded $RESULT" \
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 7 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test PASSED!"
@ -395,21 +409,21 @@ openssl_tls13=$?
./examples/client/client -v 4 2>&1 | grep -- 'Bad SSL version'
wolfssl_not_tls13=$?
if [ "$openssl_tls13" = "0" -a "wolfssl_not_tls13" != "0" ]; then
printf '%s\n\n' "------------- TEST CASE 7 SHOULD PASS --------------------"
printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 4 -W 1
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 7 failed" && exit 1
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 8 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 8 SHOULD UNKNOWN -----------------"
printf '%s\n\n' "------------- TEST CASE 9 SHOULD UNKNOWN -----------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 4 -W 1m
RESULT=$?
[ $RESULT -ne 1 ] \
&& printf '\n\n%s\n' "Client connection 8 succeeded $RESULT" \
&& printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test PASSED!"
fi

4
src/internal.c
View File

@ -9918,6 +9918,7 @@ static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
{
int ret = 0;
OcspRequest* request;
WOLFSSL_ENTER("ProcessCSR");
#ifdef WOLFSSL_SMALL_STACK
CertStatus* status;
@ -9999,6 +10000,7 @@ static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
#endif
WOLFSSL_LEAVE("ProcessCSR", ret);
return ret;
}
#endif
@ -11289,7 +11291,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
args->fatal = TLSX_CSR_InitRequest(ssl->extensions,
args->dCert, ssl->heap);
doLookup = 0;
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT)
#if defined(WOLFSSL_TLS13)
if (ssl->options.tls1_3) {
TLSX* ext = TLSX_Find(ssl->extensions,
TLSX_STATUS_REQUEST);

67
src/tls.c
View File

@ -2980,15 +2980,37 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
byte isRequest)
{
int ret;
#if !defined(NO_WOLFSSL_SERVER)
byte status_type;
word16 size = 0;
#if defined(WOLFSSL_TLS13)
DecodedCert* cert;
#endif
#endif
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) \
&& defined(WOLFSSL_TLS13)
OcspRequest* request;
TLSX* extension;
CertificateStatusRequest* csr;
#endif
#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13) \
|| !defined(NO_WOLFSSL_SERVER)
word32 offset = 0;
#endif
#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13)
word32 resp_length;
#endif
/* shut up compiler warnings */
(void) ssl; (void) input;
if (!isRequest) {
#ifndef NO_WOLFSSL_CLIENT
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
CertificateStatusRequest* csr = extension ?
(CertificateStatusRequest*)extension->data : NULL;
extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
if (!csr) {
/* look at context level */
@ -3009,8 +3031,8 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
case WOLFSSL_CSR_OCSP:
/* propagate nonce */
if (csr->request.ocsp.nonceSz) {
OcspRequest* request =
(OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);
request =
(OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);
if (request) {
XMEMCPY(request->nonce, csr->request.ocsp.nonce,
@ -3026,9 +3048,6 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
#ifdef WOLFSSL_TLS13
if (ssl->options.tls1_3) {
word32 resp_length;
word32 offset = 0;
/* Get the new extension potentially created above. */
extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
@ -3046,12 +3065,10 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (offset + resp_length != length)
ret = BUFFER_ERROR;
}
#if !defined(NO_WOLFSSL_SERVER)
if (ret == 0) {
csr->response.buffer = input + offset;
csr->response.length = resp_length;
}
#endif
return ret;
}
@ -3065,10 +3082,6 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
}
else {
#ifndef NO_WOLFSSL_SERVER
byte status_type;
word16 offset = 0;
word16 size = 0;
if (length == 0)
return 0;
@ -3117,11 +3130,29 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (ret != WOLFSSL_SUCCESS)
return ret; /* throw error */
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
#if defined(WOLFSSL_TLS13)
if (ssl->options.tls1_3) {
OcspRequest* request;
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
CertificateStatusRequest* csr = extension ?
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
DYNAMIC_TYPE_DCERT);
if (cert == NULL) {
return MEMORY_E;
}
InitDecodedCert(cert, ssl->buffers.certificate->buffer,
ssl->buffers.certificate->length, ssl->heap);
ret = ParseCert(cert, CERT_TYPE, 1, ssl->ctx->cm);
if (ret != 0 ) {
XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
return ret;
}
ret = TLSX_CSR_InitRequest(ssl->extensions, cert, ssl->heap);
if (ret != 0 ) {
XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
return ret;
}
XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
csr = extension ?
(CertificateStatusRequest*)extension->data : NULL;
if (csr == NULL)
return MEMORY_ERROR;

6
wolfssl/internal.h
View File

@ -2020,8 +2020,8 @@ struct WOLFSSL_CERT_MANAGER {
byte ocspSendNonce:1; /* send the OCSP nonce ? */
byte ocspUseOverrideURL:1; /* ignore cert responder, override */
byte ocspStaplingEnabled:1; /* is OCSP Stapling on ? */
#if !defined(NO_WOLFSSL_CLIENT) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2))
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
byte ocspMustStaple:1; /* server must respond with staple */
#endif
@ -2356,7 +2356,7 @@ typedef struct {
union {
OcspRequest ocsp;
} request;
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
#if defined(WOLFSSL_TLS13)
buffer response;
#endif
} CertificateStatusRequest;