Skip to content

Commit

Permalink
Merge pull request #6329 from tmael/crl_off
Browse files Browse the repository at this point in the history 
Add support for enabling and disabling CRLs.
  • Loading branch information
@dgarske
dgarske authored Jun 28, 2023
2 parents d029ba4 + 26e6fd9 commit 048083c
Show file tree
Hide file tree
Showing 9 changed files with 163 additions and 60 deletions.
5 changes: 3 additions & 2 deletions scripts/crl-revoked.test
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ cp -rp . $RUNNING_DIR/.
cd $RUNNING_DIR

revocation_code="-361"
revocation_code_openssl="23"
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
Expand Down Expand Up @@ -112,7 +113,7 @@ run_test() {
server_result=$?

case "$capture_out" in
*$revocation_code*)
*"$revocation_code"*|*"$revocation_code_openssl"*)
# only exit with zero on detection of the expected error code
echo ""
echo "Successful Revocation!!!!"
Expand Down Expand Up @@ -178,7 +179,7 @@ run_hashdir_test() {
server_result=$?

case "$capture_out" in
*$revocation_code*)
*"$revocation_code"*|*"$revocation_code_openssl"*)
# only exit with zero on detection of the expected error code
echo ""
echo "Successful Revocation!!!! with hash dir"
Expand Down
32 changes: 28 additions & 4 deletions src/internal.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -185,8 +185,13 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS

#endif /* !WOLFSSL_NO_TLS12 */

#ifndef NO_WOLFSSL_SERVER
#if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET)
#if defined(WOLFSSL_HAPROXY)
#define SSL_TICKET_CTX(ssl) ssl->initial_ctx->ticketEncCtx
#else
#define SSL_TICKET_CTX(ssl) ssl->ctx->ticketEncCtx
#endif
#if !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx,
TicketEncCbCtx* keyCtx);
static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx);
Expand Down Expand Up @@ -6213,6 +6218,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
if (!newSSL) {
WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx.");
wolfSSL_CTX_free(ssl->ctx);
#if defined(WOLFSSL_HAPROXY)
wolfSSL_CTX_free(ssl->initial_ctx);
#endif
}

/* increment CTX reference count */
Expand All @@ -6229,6 +6237,20 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->ctx = ctx; /* only for passing to calls, options could change */
/* Don't change version on a SSL object that has already started a
* handshake */
#if defined(WOLFSSL_HAPROXY)
ret = wolfSSL_CTX_up_ref(ctx);
if (ret == WOLFSSL_SUCCESS) {
ssl->initial_ctx = ctx; /* Save access to session key materials */
}
else {
#ifdef WOLFSSL_REFCNT_ERROR_RETURN
return ret;
#else
(void)ret;
#endif
}

#endif
if (!ssl->msgsReceived.got_client_hello &&
!ssl->msgsReceived.got_server_hello)
ssl->version = ctx->method->version;
Expand Down Expand Up @@ -23135,6 +23157,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
#ifdef OPENSSL_EXTRA
case 0 :
return "ok";
case -WOLFSSL_X509_V_ERR_CERT_REVOKED :
return "certificate revoked";
#endif

case UNSUPPORTED_SUITE :
Expand Down Expand Up @@ -34639,7 +34663,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (error == 0) {
ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac,
1, et->enc_ticket, sizeof(InternalTicket), &encLen,
ssl->ctx->ticketEncCtx);
SSL_TICKET_CTX(ssl));
}
else {
ret = WOLFSSL_TICKET_RET_FATAL;
Expand Down Expand Up @@ -34764,7 +34788,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ret = ssl->ctx->ticketEncCb((WOLFSSL*)ssl, et->key_name, et->iv,
et->enc_ticket + inLen, 0,
et->enc_ticket, inLen, &outLen,
ssl->ctx->ticketEncCtx);
SSL_TICKET_CTX(ssl));
}
if (ret != WOLFSSL_TICKET_RET_OK) {
#ifdef WOLFSSL_ASYNC_CRYPT
Expand Down
74 changes: 56 additions & 18 deletions src/ssl.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4509,7 +4509,11 @@ int wolfSSL_get_error(WOLFSSL* ssl, int ret)
return WOLFSSL_ERROR_WANT_WRITE; /* convert to OpenSSL type */
else if (ssl->error == ZERO_RETURN || ssl->options.shutdownDone)
return WOLFSSL_ERROR_ZERO_RETURN; /* convert to OpenSSL type */
return ssl->error;
#if defined(WOLFSSL_HAPROXY)
return GetX509Error(ssl->error);
#else
return (ssl->error);
#endif
}


Expand Down Expand Up @@ -8152,7 +8156,8 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
return BAD_FUNC_ARG;

if (cm->crl == NULL) {
if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK) !=
WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Enable CRL failed");
return WOLFSSL_FATAL_ERROR;
}
Expand Down Expand Up @@ -8204,11 +8209,21 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options)
{
int ret = WOLFSSL_SUCCESS;

(void)options;

WOLFSSL_ENTER("wolfSSL_CertManagerEnableCRL");
if (cm == NULL)
return BAD_FUNC_ARG;
#if defined(OPENSSL_COMPATIBLE_DEFAULTS)
if (options == 0) {

/* Turn off doing Leaf CRL check */
cm->crlEnabled = 0;
/* Turn off all checks */
cm->crlCheckAll = 0;
return ret;
}
#else
(void)options;
#endif

#ifdef HAVE_CRL
if (cm->crl == NULL) {
Expand All @@ -8228,10 +8243,15 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options)
cm->crl->crlIOCb = EmbedCrlLookup;
#endif
}

cm->crlEnabled = 1;
if (options & WOLFSSL_CRL_CHECKALL)
cm->crlCheckAll = 1;
#if defined(OPENSSL_COMPATIBLE_DEFAULTS)
if ((options & WOLFSSL_CRL_CHECKALL) ||
(options & WOLFSSL_CRL_CHECK))
#endif
{
cm->crlEnabled = 1;
if (options & WOLFSSL_CRL_CHECKALL)
cm->crlCheckAll = 1;
}
#else
ret = NOT_COMPILED_IN;
#endif
Expand Down Expand Up @@ -9431,7 +9451,8 @@ int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path,
return BAD_FUNC_ARG;

if (cm->crl == NULL) {
if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
!= WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Enable CRL failed");
return WOLFSSL_FATAL_ERROR;
}
Expand All @@ -9448,7 +9469,8 @@ int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm, const char* file,
return BAD_FUNC_ARG;

if (cm->crl == NULL) {
if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
!= WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Enable CRL failed");
return WOLFSSL_FATAL_ERROR;
}
Expand Down Expand Up @@ -14494,12 +14516,17 @@ void SetupSession(WOLFSSL* ssl)

WOLFSSL_ENTER("SetupSession");

if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL &&
!session->haveAltSessionID) {
if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) {
/* Make sure the session ID is available when the user calls any
* get_session API */
XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN);
session->sessionIDSz = ssl->arrays->sessionIDSz;
if (!session->haveAltSessionID) {
XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN);
session->sessionIDSz = ssl->arrays->sessionIDSz;
}
else {
XMEMCPY(session->sessionID, session->altSessionID, ID_LEN);
session->sessionIDSz = ID_LEN;
}
}
session->side = (byte)ssl->options.side;
if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
Expand Down Expand Up @@ -14904,7 +14931,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
if (SslSessionCacheOff(ssl, ssl->session))
return WOLFSSL_FAILURE;

if (ssl->options.haveSessionId == 0)
if (ssl->options.haveSessionId == 0 && !ssl->session->haveAltSessionID)
return WOLFSSL_FAILURE;

#ifdef HAVE_SESSION_TICKET
Expand All @@ -14913,7 +14940,8 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
#endif

XMEMSET(bogusID, 0, sizeof(bogusID));
if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL
&& !ssl->session->haveAltSessionID)
id = ssl->arrays->sessionID;
else if (ssl->session->haveAltSessionID) {
id = ssl->session->altSessionID;
Expand Down Expand Up @@ -23116,8 +23144,9 @@ int wolfSSL_ERR_GET_REASON(unsigned long err)
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
/* Nginx looks for this error to know to stop parsing certificates.
* Same for HAProxy. */
if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE)
|| (err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER)
if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE) ||
((err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER) ||
((err & 0xFFFL) == PEM_R_NO_START_LINE ))
return PEM_R_NO_START_LINE;
if (err == ((ERR_LIB_SSL << 24) | -SSL_R_HTTP_REQUEST))
return SSL_R_HTTP_REQUEST;
Expand Down Expand Up @@ -31248,6 +31277,9 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
#endif
if (ssl->ctx) {
wolfSSL_CTX_free(ssl->ctx);
#if defined(WOLFSSL_HAPROXY)
wolfSSL_CTX_free(ssl->initial_ctx);
#endif
}
ssl->ctx = ctx;

Expand Down Expand Up @@ -31450,6 +31482,12 @@ const byte* wolfSSL_SESSION_get_id(const WOLFSSL_SESSION* sess,
WOLFSSL_MSG("Bad func args. Please provide idLen");
return NULL;
}
#ifdef HAVE_SESSION_TICKET
if (sess->haveAltSessionID) {
*idLen = ID_LEN;
return sess->altSessionID;
}
#endif
*idLen = sess->sessionIDSz;
return sess->sessionID;
}
Expand Down
5 changes: 3 additions & 2 deletions src/x509.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7028,7 +7028,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
WOLFSSL_CERT_MANAGER* cm = lookup->store->cm;

if (cm->crl == NULL) {
if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
!= WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Enable CRL failed");
goto end;
}
Expand Down Expand Up @@ -12440,7 +12441,7 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list(

for (i = 0; i < num; i++) {
name = wolfSSL_X509_NAME_dup(wolfSSL_sk_X509_NAME_value(sk, i));
if (name == NULL || 0 != wolfSSL_sk_X509_NAME_push(copy, name)) {
if (name == NULL || WOLFSSL_SUCCESS != wolfSSL_sk_X509_NAME_push(copy, name)) {
WOLFSSL_MSG("Memory error");
wolfSSL_sk_X509_NAME_pop_free(copy, wolfSSL_X509_NAME_free);
return NULL;
Expand Down
13 changes: 10 additions & 3 deletions src/x509_str.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,7 @@ int GetX509Error(int e)
case ASN_BEFORE_DATE_E:
return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
case ASN_AFTER_DATE_E:
return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
return WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED;
case ASN_NO_SIGNER_E: /* get issuer error if no CA found locally */
return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
case ASN_SELF_SIGNED_E:
Expand All @@ -183,6 +183,8 @@ int GetX509Error(int e)
case ASN_SIG_HASH_E:
case ASN_SIG_KEY_E:
return WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE;
case CRL_CERT_REVOKED:
return WOLFSSL_X509_V_ERR_CERT_REVOKED;
default:
#ifdef HAVE_WOLFSSL_MSG_EX
WOLFSSL_MSG_EX("Error not configured or implemented yet: %d", e);
Expand Down Expand Up @@ -980,7 +982,11 @@ int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag)
if ((flag & WOLFSSL_CRL_CHECKALL) || (flag & WOLFSSL_CRL_CHECK)) {
ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag);
}

#if defined(OPENSSL_COMPATIBLE_DEFAULTS)
else if (flag == 0) {
ret = wolfSSL_CertManagerDisableCRL(store->cm);
}
#endif
return ret;
}

Expand Down Expand Up @@ -1023,7 +1029,8 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,

#ifdef HAVE_CRL
if (str->cm->crl == NULL) {
if (wolfSSL_CertManagerEnableCRL(str->cm, 0) != WOLFSSL_SUCCESS) {
if (wolfSSL_CertManagerEnableCRL(str->cm, WOLFSSL_CRL_CHECK)
!= WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Enable CRL failed");
wolfSSL_CTX_free(ctx);
return WOLFSSL_FAILURE;
Expand Down
Loading

0 comments on commit 048083c

Please sign in to comment.