Add OCSP response for intermediate cert into Certificate extension on TLS1.3 #7766
Conversation
wolfssl/wolfcrypt/asn.h
Outdated
| @@ -2630,6 +2632,8 @@ WOLFSSL_LOCAL int InitOcspRequest(OcspRequest* req, DecodedCert* cert, | |||
| WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest* req); | |||
| WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest* req, byte* output, | |||
| word32 size); | |||
| WOLFSSL_LOCAL int CreateOcspRequest(struct WOLFSSL* ssl, OcspRequest* request, | |||
There was a problem hiding this comment.
This function declaration should not be in wolfCrypt... please move to internal.h and delete struct WOLFSSL;
SparkiDev
changed the title
|
retest this please |
1 similar comment
|
retest this please |
miyazakh
force-pushed
the
zd18141_tls13_ocsp
branch
from
3e5553d
to
2119f15
Compare
|
retest this please |
miyazakh
force-pushed
the
zd18141_tls13_ocsp
branch
from
9938dbe
to
4bf9895
Compare
|
Retest this please |
miyazakh
force-pushed
the
zd18141_tls13_ocsp
branch
2 times, most recently
from
5ee488b
to
ad44b12
Compare
There was a problem hiding this comment.
[check-source-text] [2 of 7] [wolfssl]
overlong lines added:
/src/internal.c:14898 #if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST)
/src/tls.c:3205 ret = (int)EncodeOcspRequestExtensions(&csr->request.ocsp[0],
/src/tls.c:3393 csr->request.ocsp[0].nonceSz);
/src/tls.c:3657 &csr->request.ocsp[0], NULL, NULL);
/src/tls13.c:8750 word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer,
check-source-text OK
[check-shell-scripts] [3 of 7] [wolfssl]
bash -n... done.
shellcheck scripts...
In ./scripts/ocsp-stapling_tls13multi.test line 48:
if [[ ("$tls13" == "no") && ("$dtsl13" == "no") ]]; then
^-----^ SC2154 (warning): dtsl13 is referenced but not assigned.
For more information:
https://www.shellcheck.net/wiki/SC2154 -- dtsl13 is referenced but not assi...
real 0m8.639s user 0m5.715s sys 0m0.056s
check-shell-scripts fail_analysis
wolfssl/wolfcrypt/asn.h
Outdated
| @@ -2630,6 +2630,8 @@ struct OcspRequest { | |||
| void* ssl; | |||
| }; | |||
|
|
|||
| struct WOLFSSL; | |||
There was a problem hiding this comment.
Please remove this artifact. Thanks.
examples/client/client.c
Outdated
| @@ -1221,66 +1221,70 @@ static const char* client_usage_msg[][78] = { | |||
| || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) | |||
| "-W <num> Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */ | |||
| " With 'm' at end indicates MUST staple\n", /* 42 */ | |||
| #if defined(WOLFSSL_TLS13) && defined(HAVE_CSR_TLS13MULTI) | |||
There was a problem hiding this comment.
Does this support need gated? Should it be on by default for TLS v1.3 with OCSP?
Perhaps the name could be improved like WOLFSSL_TLS_OCSP_MULTI?
If the macro is kept can you make sure it is available as an option in configure.ac and also documented?
There was a problem hiding this comment.
Agree. Default is multi OCSP stapling on TLS13. It is able to disable it by --enable-ocspstapling=no-multi
SCRIPTS-LIST
Outdated
| @@ -35,6 +35,7 @@ scripts/ | |||
| google.test - example client test against google, part of tests | |||
| resume.test - example sessoin resume test, part of tests | |||
| ocsp-stapling.test - example client test against globalsign, part of tests | |||
| ocsp-stapling1_tls13.text - example client test against example server, part of tests | |||
There was a problem hiding this comment.
Should this be ./scripts/ocsp-stapling_tls13multi.test?
There was a problem hiding this comment.
Yes, that is true.
miyazakh
force-pushed
the
zd18141_tls13_ocsp
branch
from
d56469b
to
fca6a40
Compare
|
retest this please |
src/tls13.c
Outdated
| @@ -8459,8 +8529,10 @@ static int SendTls13Certificate(WOLFSSL* ssl) | |||
| { | |||
| int ret = 0; | |||
| word32 certSz, certChainSz, headerSz, listSz, payloadSz; | |||
| word16 extSz = 0; | |||
| word16 extSz[1 + MAX_CERT_EXTENSIONS]; | |||
There was a problem hiding this comment.
Does this actually need to be MAX_CERT_EXTENSIONS + 1? Isn't the +1 already handled by the macro? I reviewed code below and don't see reason. I do see that it needs to be at least 1.
There was a problem hiding this comment.
I thin we don't need + 1 by disabling index increment when not using multi.
if (MAX_CERT_EXTENSIONS > extIdx)
extIdx++;
src/tls13.c
Outdated
| @@ -8404,6 +8404,75 @@ static word32 NextCert(byte* data, word32 length, word32* idx) | |||
| return len; | |||
| } | |||
|
|
|||
| #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) | |||
There was a problem hiding this comment.
Fairly certain you can wrap this in !defined(NO_WOLFSSL_SERVER) to reduce code size for client only.
| /* We only send CSR on the server side. On client side, the CSR data | ||
| * is populated with the server response. We would be sending the server | ||
| * its own stapling data. */ | ||
| if (ssl->options.side == WOLFSSL_SERVER_END) { |
There was a problem hiding this comment.
Please wrap with !defined(NO_WOLFSSL_SERVER) for reduced code size with client only.
| @@ -3235,10 +3244,11 @@ typedef struct { | |||
| byte options; | |||
| WOLFSSL* ssl; | |||
| union { | |||
| OcspRequest ocsp; | |||
| OcspRequest ocsp[MAX_CERT_EXTENSIONS]; | |||
There was a problem hiding this comment.
Building HAVE_CERTIFICATE_STATUS_REQUEST without HAVE_OCSP causes these errors:
Guessing configure.ac has protections for this, but I was building with user_settings.h.
../Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/wolfssl/internal.h:3250:9: error: unknown type name 'OcspRequest'
3250 | OcspRequest ocsp[MAX_CERT_EXTENSIONS];
| ^~~~~~~~~~~
arm-none-eabi-gcc "../Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/wolfcrypt/src/ed448.c" -mcpu=cortex-m7 -std=gnu11 -DUSE_HAL_DRIVER -DSTM32H743xx -c -I../Core/Inc -I../Drivers/STM32H7xx_HAL_Driver/Inc -I../Drivers/STM32H7xx_HAL_Driver/Inc/Legacy -I../Drivers/CMSIS/Device/ST/STM32H7xx/Include -I../Drivers/CMSIS/Include -I../LWIP/App -I../LWIP/Target -I../Middlewares/Third_Party/LwIP/src/include -I../Middlewares/Third_Party/LwIP/system -I../Middlewares/Third_Party/FreeRTOS/Source/include -I../Middlewares/Third_Party/FreeRTOS/Source/CMSIS_RTOS_V2 -I../Middlewares/Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM4F -I../Drivers/BSP/Components/lan8742 -I../Middlewares/Third_Party/LwIP/src/include/netif/ppp -I../Middlewares/Third_Party/LwIP/src/include/lwip -I../Middlewares/Third_Party/LwIP/src/include/lwip/apps -I../Middlewares/Third_Party/LwIP/src/include/lwip/priv -I../Middlewares/Third_Party/LwIP/src/include/lwip/prot -I../Middlewares/Third_Party/LwIP/src/include/netif -I../Middlewares/Third_Party/LwIP/src/include/compat/posix -I../Middlewares/Third_Party/LwIP/src/include/compat/posix/arpa -I../Middlewares/Third_Party/LwIP/src/include/compat/posix/net -I../Middlewares/Third_Party/LwIP/src/include/compat/posix/sys -I../Middlewares/Third_Party/LwIP/system/arch -I../Middlewares/Third_Party/LwIP/src/include/compat/stdc -I../Middlewares/Third_Party/LwIP/src/apps/http -I../wolfSSL -I../wolfTPM -I../Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/ -I../Middlewares/Third_Party/wolfSSL_wolfTPM_wolfTPM/wolftpm/ -Os -ffunction-sections -fdata-sections -Wall -fstack-usage -fcyclomatic-complexity -MMD -MP -MF"Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/wolfcrypt/src/ed448.d" -MT"Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/wolfcrypt/src/ed448.o" --specs=nano.specs -mfpu=fpv5-d16 -mfloat-abi=hard -mthumb -o "Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/wolfcrypt/src/ed448.o"
../Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/wolfssl/internal.h:3278:51: error: unknown type name 'OcspRequest'
3278 | WOLFSSL_LOCAL int CreateOcspRequest(WOLFSSL* ssl, OcspRequest* request,
| ^~~~~~~~~~~
../Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/wolfssl/internal.h:3992:13: error: unknown type name 'OcspRequest'
3992 | OcspRequest* certOcspRequest;
| ^~~~~~~~~~~
../Middlewares/Third_Party/wolfSSL_wolfSSL_wolfSSL/wolfssl/wolfssl/internal.h:6376:52: error: unknown type name 'OcspRequest'
6376 | WOLFSSL_LOCAL int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest,
| ^~~~~~~~~~~
There was a problem hiding this comment.
Added to check if defined HAVE_CERTIFICATE_STATUS_REQUEST and _V2, but not defined HAVE_OCSP
miyazakh
force-pushed
the
zd18141_tls13_ocsp
branch
from
2b6ffec
to
5105082
Compare
| #endif | ||
| #if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY) | ||
| "-U Atomic User Record Layer Callbacks\n", /* 43 */ | ||
| "-U Atomic User Record Layer Callbacks\n", /* 45 */ |
| " [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 50 */ | ||
| " loadSSL, disallowETM]\n", /* 51 */ |
There was a problem hiding this comment.
these two should be one string, i.e.
" [defCipherList, exitWithRet, verifyFail, useSupCurve,\n"
" loadSSL, disallowETM]\n", /* 50 */
with adjusted numbers below.
| " [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 50 */ | ||
| " loadSSL, disallowETM]\n", /* 51 */ |
There was a problem hiding this comment.
same here -- these should be one string, /* 50 */, with the numbers below it adjusted.
| int nonceSz = csr->request.ocsp.nonceSz; | ||
|
|
||
| int req_cnt = idx == -1 ? csr->requests : idx; | ||
| int nonceSz = csr->request.ocsp[0].nonceSz; |
There was a problem hiding this comment.
why using csr->request.ocsp[0].nonceSz rather than csr->request.ocsp[req_cnt].nonceSz?
Description
Similar to OCSP Stapling v2 Multi, Request OCSP response for Intermediate cert of server certificate chain and include the results to extension of CertificateEntry in Certificate Message
This behavior is default when enabled OCSP Stapling and TLS13.
./configure --enable-ocspstaplingBy specifying
no-multito--enable-ocspstapling, it behaves the same as before../configure --enable-ocspstapling=no-multiFixes zd#18141
Testing
Run unit test that is newly added
Checklist