works OCSP Stapling with TLS1.3 like OCSPv2Multi

wolfSSL · Aug 21, 2024 · 960f273 · 960f273
1 parent 2505a59
commit 960f273
Show file tree

Hide file tree

Showing 13 changed files with 1,104 additions and 166 deletions.
diff --git a/SCRIPTS-LIST b/SCRIPTS-LIST
@@ -35,6 +35,7 @@ scripts/
  google.test - example client test against google, part of tests
  resume.test - example sessoin resume test, part of tests
  ocsp-stapling.test - example client test against globalsign, part of tests
+ ocsp-stapling1_tls13.text - example client test against example server, part of tests
  ocsp-stapling2.test - example client test against example server, part of tests
  sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
  in sniffer mode

diff --git a/configure.ac b/configure.ac
@@ -5968,10 +5968,27 @@ fi
 
 # Certificate Status Request : a.k.a. OCSP Stapling
 AC_ARG_ENABLE([ocspstapling],
- [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (default: disabled)])],
+ [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling ((options: yes, no-multi, no, disabled default: disabled)])],
  [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ],
  [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ]
  )
+AS_CASE([$ENABLED_CERTIFICATE_STATUS_REQUEST],
+ [no],[
+ ENABLED_CERTIFICATE_STATUS_REQUEST="no"
+ ENABLED_TLS_OCSP_MULTI="no"
+ ],
+ [disabled],[
+ ENABLED_CERTIFICATE_STATUS_REQUEST="no"
+ ENABLED_TLS_OCSP_MULTI="no"
+ ],
+ [yes],[
+ ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
+ ENABLED_TLS_OCSP_MULTI="yes"
+ ],
+ [no-multi],[
+ ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
+ ENABLED_TLS_OCSP_MULTI="no"
+ ])
 
 if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || \
  test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || \
@@ -9547,7 +9564,17 @@ if test "$ENABLED_DH" != "no" && test "$ENABLED_DH" != "const"; then
  LT_LIB_M
 fi
 
-
+# mulitple OCSP stapling for TLS 1.3 Certificate extension
+if test "$ENABLED_CERTIFICATE_STATUS_REQUEST" = "yes"
+then
+ if test "$ENABLED_TLS13" = "yes"
+ then
+ if test "$ENABLED_TLS_OCSP_MULTI" = "yes"
+ then
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_OCSP_MULTI"
+ fi
+ fi
+fi
 ################################################################################
 
 # USER SETTINGS
@@ -9798,6 +9825,7 @@ AM_CONDITIONAL([BUILD_SM4],[test "x$ENABLED_SM4" != "xno" || test "x$ENABLED_USE
 AM_CONDITIONAL([BUILD_INLINE],[test "x$ENABLED_INLINE" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP],[test "x$ENABLED_OCSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP_STAPLING],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
+AM_CONDITIONAL([BUILD_OCSP_STAPLING_MULTI],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" && test "x$ENABLED_TLS13" = "xyes" && test "x$ENABLED_TLS_OCSP_MULTI" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
 AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])

diff --git a/examples/client/client.c b/examples/client/client.c
@@ -1221,66 +1221,70 @@ static const char* client_usage_msg[][78] = {
  || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
  "-W <num> Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
  " With 'm' at end indicates MUST staple\n", /* 42 */
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS_OCSP_MULTI)
+ " -W 1 -v 4, Perform multi OCSP stapling for TLS13\n",
+ /* 43 */
+#endif
 #endif
 #if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY)
- "-U Atomic User Record Layer Callbacks\n", /* 43 */
+ "-U Atomic User Record Layer Callbacks\n", /* 45 */
 #endif
 #ifdef HAVE_PK_CALLBACKS
- "-P Public Key Callbacks\n", /* 44 */
+ "-P Public Key Callbacks\n", /* 45 */
 #endif
 #ifdef HAVE_ANON
- "-a Anonymous client\n", /* 45 */
+ "-a Anonymous client\n", /* 46 */
 #endif
 #ifdef HAVE_CRL
- "-C Disable CRL\n", /* 46 */
+ "-C Disable CRL\n", /* 47 */
 #endif
 #ifdef WOLFSSL_TRUST_PEER_CERT
- "-E <file> Path to load trusted peer cert\n", /* 47 */
+ "-E <file> Path to load trusted peer cert\n", /* 48 */
 #endif
 #ifdef HAVE_WNR
- "-q <file> Whitewood config file, defaults\n", /* 48 */
+ "-q <file> Whitewood config file, defaults\n", /* 49 */
 #endif
  "-H <arg> Internal tests"
- " [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 49 */
- " loadSSL, disallowETM]\n", /* 50 */
+ " [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 50 */
+ " loadSSL, disallowETM]\n", /* 51 */
 #ifdef WOLFSSL_TLS13
- "-J Use HelloRetryRequest to choose group for KE\n", /* 51 */
- "-K Key Exchange for PSK not using (EC)DHE\n", /* 52 */
- "-I Update keys and IVs before sending data\n", /* 53 */
+ "-J Use HelloRetryRequest to choose group for KE\n", /* 52 */
+ "-K Key Exchange for PSK not using (EC)DHE\n", /* 53 */
+ "-I Update keys and IVs before sending data\n", /* 54 */
 #ifndef NO_DH
- "-y Key Share with FFDHE named groups only\n", /* 54 */
+ "-y Key Share with FFDHE named groups only\n", /* 55 */
 #endif
 #ifdef HAVE_ECC
- "-Y Key Share with ECC named groups only\n", /* 55 */
+ "-Y Key Share with ECC named groups only\n", /* 56 */
 #endif
 #endif /* WOLFSSL_TLS13 */
 #ifdef HAVE_CURVE25519
- "-t Use X25519 for key exchange\n", /* 56 */
+ "-t Use X25519 for key exchange\n", /* 57 */
 #endif
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- "-Q Support requesting certificate post-handshake\n", /* 57 */
+ "-Q Support requesting certificate post-handshake\n", /* 58 */
 #endif
 #ifdef WOLFSSL_EARLY_DATA
- "-0 Early data sent to server (0-RTT handshake)\n", /* 58 */
+ "-0 Early data sent to server (0-RTT handshake)\n", /* 59 */
 #endif
 #ifdef WOLFSSL_MULTICAST
- "-3 <grpid> Multicast, grpid < 256\n", /* 59 */
+ "-3 <grpid> Multicast, grpid < 256\n", /* 60 */
 #endif
  "-1 <num> Display a result by specified language.\n"
- " 0: English, 1: Japanese\n", /* 60 */
+ " 0: English, 1: Japanese\n", /* 61 */
 #if !defined(NO_DH) && !defined(HAVE_FIPS) && \
  !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
- "-2 Disable DH Prime check\n", /* 61 */
+ "-2 Disable DH Prime check\n", /* 62 */
 #endif
 #ifdef HAVE_SECURE_RENEGOTIATION
- "-4 Use resumption for renegotiation\n", /* 62 */
+ "-4 Use resumption for renegotiation\n", /* 63 */
 #endif
 #ifdef HAVE_TRUSTED_CA
- "-5 Use Trusted CA Key Indication\n", /* 63 */
+ "-5 Use Trusted CA Key Indication\n", /* 64 */
 #endif
  "-6 Simulate WANT_WRITE errors on every other IO send\n",
 #ifdef HAVE_CURVE448
- "-8 Use X448 for key exchange\n", /* 66 */
+ "-8 Use X448 for key exchange\n", /* 65 */
 #endif
 #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
  (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
@@ -1448,69 +1452,73 @@ static const char* client_usage_msg[][78] = {
  || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
  "-W <num> OCSP Staplingを使用する"
  " (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
- " 'm' を最後に指定すると必ず staple を使用する\n" /* 42 */
+ " 'm' を最後に指定すると必ず staple を使用する\n" /* 42 */
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS_OCSP_MULTI)
+ " -W 1 -v 4, "
+ "TLS13 使用時に複数(Multi)の OCSP を実施します\n" /* 43 */
+#endif
 #endif
 #if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY)
  "-U アトミック・ユーザー記録の"
- "コールバックを利用する\n", /* 43 */
+ "コールバックを利用する\n", /* 44 */
 #endif
 #ifdef HAVE_PK_CALLBACKS
- "-P 公開鍵コールバック\n", /* 44 */
+ "-P 公開鍵コールバック\n", /* 45 */
 #endif
 #ifdef HAVE_ANON
- "-a 匿名クライアント\n", /* 45 */
+ "-a 匿名クライアント\n", /* 46 */
 #endif
 #ifdef HAVE_CRL
- "-C CRLを無効\n", /* 46 */
+ "-C CRLを無効\n", /* 47 */
 #endif
 #ifdef WOLFSSL_TRUST_PEER_CERT
- "-E <file> 信頼出来るピアの証明書ロードの為のパス\n", /* 47 */
+ "-E <file> 信頼出来るピアの証明書ロードの為のパス\n", /* 48 */
 #endif
 #ifdef HAVE_WNR
- "-q <file> Whitewood コンフィグファイル, 既定値\n", /* 48 */
+ "-q <file> Whitewood コンフィグファイル, 既定値\n", /* 49 */
 #endif
  "-H <arg> 内部テスト"
- " [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 49 */
- " loadSSL, disallowETM]\n", /* 50 */
+ " [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 50 */
+ " loadSSL, disallowETM]\n", /* 51 */
 #ifdef WOLFSSL_TLS13
- "-J HelloRetryRequestをKEのグループ選択に使用する\n", /* 51 */
- "-K 鍵交換にPSKを使用、(EC)DHEは使用しない\n", /* 52 */
- "-I データ送信前に、鍵とIVを更新する\n", /* 53 */
+ "-J HelloRetryRequestをKEのグループ選択に使用する\n", /* 52 */
+ "-K 鍵交換にPSKを使用、(EC)DHEは使用しない\n", /* 53 */
+ "-I データ送信前に、鍵とIVを更新する\n", /* 54 */
 #ifndef NO_DH
- "-y FFDHE名前付きグループとの鍵共有のみ\n", /* 54 */
+ "-y FFDHE名前付きグループとの鍵共有のみ\n", /* 55 */
 #endif
 #ifdef HAVE_ECC
- "-Y ECC名前付きグループとの鍵共有のみ\n", /* 55 */
+ "-Y ECC名前付きグループとの鍵共有のみ\n", /* 56 */
 #endif
 #endif /* WOLFSSL_TLS13 */
 #ifdef HAVE_CURVE25519
- "-t X25519を鍵交換に使用する\n", /* 56 */
+ "-t X25519を鍵交換に使用する\n", /* 57 */
 #endif
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- "-Q ポストハンドシェークの証明要求をサポートする\n", /* 57 */
+ "-Q ポストハンドシェークの証明要求をサポートする\n", /* 58 */
 #endif
 #ifdef WOLFSSL_EARLY_DATA
  "-0 Early data をサーバーへ送信する"
- "（0-RTTハンドシェイク）\n", /* 58 */
+ "（0-RTTハンドシェイク）\n", /* 59 */
 #endif
 #ifdef WOLFSSL_MULTICAST
- "-3 <grpid> マルチキャスト, grpid < 256\n", /* 59 */
+ "-3 <grpid> マルチキャスト, grpid < 256\n", /* 60 */
 #endif
  "-1 <num> 指定された言語で結果を表示します。\n"
- " 0: 英語、 1: 日本語\n", /* 60 */
+ " 0: 英語、 1: 日本語\n", /* 61 */
 #if !defined(NO_DH) && !defined(HAVE_FIPS) && \
  !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
- "-2 DHプライム番号チェックを無効にする\n", /* 61 */
+ "-2 DHプライム番号チェックを無効にする\n", /* 62 */
 #endif
 #ifdef HAVE_SECURE_RENEGOTIATION
- "-4 再交渉に再開を使用\n", /* 62 */
+ "-4 再交渉に再開を使用\n", /* 63 */
 #endif
 #ifdef HAVE_TRUSTED_CA
- "-5 信頼できる認証局の鍵表示を使用する\n", /* 63 */
+ "-5 信頼できる認証局の鍵表示を使用する\n", /* 64 */
 #endif
  "-6 WANT_WRITE エラーを全てのIO 送信でシミュレートします\n",
 #ifdef HAVE_CURVE448
- "-8 鍵交換に X448 を使用する\n", /* 66 */
+ "-8 鍵交換に X448 を使用する\n", /* 65 */
 #endif
 #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
  (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \

diff --git a/scripts/include.am b/scripts/include.am
@@ -27,13 +27,19 @@ endif
 
 if BUILD_OCSP_STAPLING
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
+if BUILD_OCSP_STAPLING_MULTI
+dist_noinst_SCRIPTS+= scripts/ocsp-stapling_tls13multi.test
+endif
 if !BUILD_OCSP_STAPLING_V2
 testsuite/testsuite.log: scripts/ocsp-stapling.log scripts/ocsp-stapling-with-ca-as-responder.log
 endif
 scripts/ocsp-stapling.log: scripts/ocsp.log
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
 scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp.log
 scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
+if BUILD_OCSP_STAPLING_MULTI
+scripts/ocsp-stapling_tls13multi.log: scripts/ocsp-stapling-with-ca-as-responder.log
+endif
 endif
 
 if BUILD_OCSP_STAPLING_V2

diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test
@@ -21,6 +21,20 @@ if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then
  exit 77
 fi
 
+if ./examples/client/client -V | grep -q 4; then
+ tls13=yes
+fi
+if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
+ dtls13=yes
+fi
+./examples/client/client '-?' 2>&1 | grep -- 'Perform multi OCSP stapling for TLS13'
+if [ $? -eq 0 ]; then
+ tls13multi=yes
+else
+ tls13multi=no
+fi
+
+
 if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
  IPV6_SUPPORTED=yes
 else
@@ -340,7 +354,7 @@ RESULT=$?
 printf '%s\n\n' "Test successfully REVOKED!"
 
 
-if ./examples/client/client -V | grep -q 4; then
+ if [[ ("$tls13" == "yes") && ("$tls13multi" == "no") ]]; then
  printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
  # client test against our own server - GOOD CERT
  remove_single_rF "$ready_file2"
@@ -406,7 +420,7 @@ if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.2'; then
  printf '%s\n\n' "Test PASSED!"
 fi
 
-if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
+ if [[ ("$dtls13" == "yes") && ("$tls13multi" == "no") ]]; then
  printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD PASS -------------------"
  # client test against our own server, must staple - GOOD CERT
  ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \

diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test
@@ -43,7 +43,7 @@ fi
 if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
  if [[ "$IPV6_SUPPORTED" == "no" ]]; then
  echo 'Skipping IPV6 test in environment lacking IPV6 support.'
- exit 0
+ exit 77
  fi
  LOCALHOST='[::1]'
  LOCALHOST_FOR_NC='-6 ::1'