Merge pull request #7671 from miyazakh/dtls_ocsp

Fix ocsp response message build for DTLS

examples/client/client.c

@@ -1162,13 +1162,15 @@ static const char* client_usage_msg[][78] = {
  "-D Override Date Errors example\n", /* 18 */
  "-e List Every cipher suite available, \n", /* 19 */
  "-g Send server HTTP GET\n", /* 20 */
+#ifdef WOLFSSL_DTLS
 #ifndef WOLFSSL_DTLS13
  "-u Use UDP DTLS, add -v 2 for DTLSv1, -v 3 for DTLSv1.2"
  " (default)\n", /* 21 */
 #else
  "-u Use UDP DTLS, add -v 2 for DTLSv1, -v 3 for DTLSv1.2"
  " (default), -v 4 for DTLSv1.3\n", /* 21 */
 #endif /* !WOLFSSL_DTLS13 */
+#endif
 #ifdef WOLFSSL_SCTP
  "-G Use SCTP DTLS,"
  " add -v 2 for DTLSv1, -v 3 for DTLSv1.2 (default)\n", /* 22 */
@@ -1387,6 +1389,7 @@ static const char* client_usage_msg[][78] = {
  "-D 日付エラー用コールバック例の上書きを行う\n", /* 18 */
  "-e 利用可能な全ての暗号スイートをリスト, \n", /* 19 */
  "-g サーバーへ HTTP GET を送信\n", /* 20 */
+#ifdef WOLFSSL_DTLS
  "-u UDP DTLSを使用する。\n"
 #ifndef WOLFSSL_DTLS13
  " -v 2 を追加指定するとDTLSv1, "
@@ -1396,6 +1399,7 @@ static const char* client_usage_msg[][78] = {
  "-v 3 を追加指定すると DTLSv1.2 (既定値),\n"
  " -v 4 を追加指定すると DTLSv1.3\n", /* 21 */
 #endif /* !WOLFSSL_DTLS13 */
+#endif /* WOLFSSL_DTLS */
 #ifdef WOLFSSL_SCTP
  "-G SCTP DTLSを使用する。-v 2 を追加指定すると"
  " DTLSv1, -v 3 を追加指定すると DTLSv1.2 (既定値)\n", /* 22 */

scripts/ocsp-stapling.test

@@ -388,6 +388,40 @@ else
  echo 'skipping TLS1.3 stapling tests.' 1>&2
 fi
 
+# DTLS 1.2 and 1.3 cases
+if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.2'; then
+ printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------"
+ # client test against our own server, must staple - GOOD CERT
+ echo $ready_file2
+ ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
+ -k certs/ocsp/server1-key.pem -u -v 3 \
+ -p $port3 &
+ wolf_pid3=$!
+
+ sleep 0.2
+ ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 3 \
+ -W 1 -p $port3
+ RESULT=$?
+ [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
+ printf '%s\n\n' "Test PASSED!"
+fi
+
+if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
+ printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD PASS -------------------"
+ # client test against our own server, must staple - GOOD CERT
+ ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
+ -k certs/ocsp/server1-key.pem -u -v 4 \
+ -p $port3 &
+ wolf_pid3=$!
+ sleep 0.2
+ ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 4 \
+ -W 1 -p $port3
+ RESULT=$?
+ [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
+ printf '%s\n\n' "Test PASSED!"
+
+fi
+
 # need a unique port since may run the same time as testsuite
 generate_port() {
  #-------------------------------------------------------------------------#

scripts/ocsp-stapling2.test

@@ -499,6 +499,22 @@ RESULT=$?
  && exit 1
 printf '%s\n\n' "Test PASSED!"
 
+
+if ./examples/client/client -? 2>&1 | grep -q 'DTLS'; then
+printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------"
+# client test against our own server - GOOD CERTS
+./examples/server/server -c certs/ocsp/server3-cert.pem \
+ -k certs/ocsp/server3-key.pem -R $ready_file5 \
+ -p $port5 -u -v 3 &
+server_pid5=$!
+sleep 0.2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -u -v 3 \
+ -p $port5
+RESULT=$?
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
+printf '%s\n\n' "Test PASSED!"
+fi
+
 printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
 
 exit 0

src/internal.c

@@ -23844,6 +23844,7 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status,
  byte* output = NULL;
  word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
  word32 length = ENUM_LEN;
+ word32 headerSz= idx;
  int sendSz = 0;
  int ret = 0;
  int i = 0;
@@ -23863,88 +23864,42 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status,
  default:
  return 0;
  }
+#ifdef WOLFSSL_DTLS
+ if (ssl->options.dtls) {
+ headerSz = idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
+ sendSz = idx + length;
 
+ } else
+#endif
  sendSz = (int)(idx + length);
 
  if (ssl->keys.encryptionOn)
  sendSz += MAX_MSG_EXTRA;
 
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
-
- if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) {
- output = GetOutputBuffer(ssl);
-
- AddHeaders(output, length, certificate_status, ssl);
-
- output[idx++] = type;
-
- if (type == WOLFSSL_CSR2_OCSP_MULTI) {
- c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx);
- idx += OPAQUE24_LEN;
- }
-
- for (i = 0; i < count; i++) {
- c32to24(status[i].length, output + idx);
- idx += OPAQUE24_LEN;
-
- XMEMCPY(output + idx, status[i].buffer, status[i].length);
- idx += status[i].length;
- }
-
- if (IsEncryptionOn(ssl, 1)) {
- byte* input;
- int inputSz = (int)idx; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
+ output =(byte*)XMALLOC(sendSz, ssl->heap, DYNAMIC_TYPE_OCSP);
+ if (output == NULL)
+ return MEMORY_E;
 
- if (ssl->options.dtls)
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz -= recordHeaderSz;
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
+ AddHeaders(output, length, certificate_status, ssl);
 
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- #ifdef WOLFSSL_DTLS
- ret = DtlsMsgPoolSave(ssl, input, (word32)inputSz, certificate_status);
- #endif
- if (ret == 0)
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
+ output[idx++] = type;
 
- if (sendSz < 0)
- ret = sendSz;
- }
- else {
- #ifdef WOLFSSL_DTLS
- if (ret == 0 && IsDtlsNotSctpMode(ssl))
- ret = DtlsMsgPoolSave(ssl, output, (word32)sendSz, certificate_status);
- if (ret == 0 && ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
- ret = HashOutput(ssl, output, sendSz, 0);
- }
+ if (type == WOLFSSL_CSR2_OCSP_MULTI) {
+ c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx);
+ idx += OPAQUE24_LEN;
+ }
 
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ret == 0 && ssl->hsInfoOn)
- AddPacketName(ssl, "CertificateStatus");
- if (ret == 0 && ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "CertificateStatus", handshake, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
+ for (i = 0; i < count; i++) {
+ c32to24(status[i].length, output + idx);
+ idx += OPAQUE24_LEN;
 
- if (ret == 0) {
- ssl->options.buildingMsg = 0;
- ssl->buffers.outputBuffer.length += sendSz;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- }
+ XMEMCPY(output + idx, status[i].buffer, status[i].length);
+ idx += status[i].length;
  }
+ /* Send Message. Handled message fragmentation in the function if needed */
+ ret = SendHandshakeMsg(ssl, output, (sendSz - headerSz), certificate_status,
+ "Certificate Status");
+ XFREE(output, ssl->heap, DYNAMIC_TYPE_OCSP);
 
  WOLFSSL_LEAVE("BuildCertificateStatus", ret);
  return ret;