Skip to content

Commit

Permalink
Merge pull request #7766 from miyazakh/zd18141_tls13_ocsp
Browse files Browse the repository at this point in the history
Add OCSP response for intermediate cert into Certificate extension on TLS1.3
  • Loading branch information
douzzer authored Oct 11, 2024
2 parents 65742c4 + 5105082 commit f8da04d
Show file tree
Hide file tree
Showing 14 changed files with 1,114 additions and 169 deletions.
1 change: 1 addition & 0 deletions SCRIPTS-LIST
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ scripts/
google.test - example client test against google, part of tests
resume.test - example sessoin resume test, part of tests
ocsp-stapling.test - example client test against globalsign, part of tests
ocsp-stapling1_tls13multi.text - example client test against example server, part of tests
ocsp-stapling2.test - example client test against example server, part of tests
sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
in sniffer mode
Expand Down
32 changes: 30 additions & 2 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -6001,10 +6001,27 @@ fi
# Certificate Status Request : a.k.a. OCSP Stapling
AC_ARG_ENABLE([ocspstapling],
[AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (default: disabled)])],
[AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling ((options: yes, no-multi, no, disabled default: disabled)])],
[ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ],
[ ENABLED_CERTIFICATE_STATUS_REQUEST=no ]
)
AS_CASE([$ENABLED_CERTIFICATE_STATUS_REQUEST],
[no],[
ENABLED_CERTIFICATE_STATUS_REQUEST="no"
ENABLED_TLS_OCSP_MULTI="no"
],
[disabled],[
ENABLED_CERTIFICATE_STATUS_REQUEST="no"
ENABLED_TLS_OCSP_MULTI="no"
],
[yes],[
ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
ENABLED_TLS_OCSP_MULTI="yes"
],
[no-multi],[
ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
ENABLED_TLS_OCSP_MULTI="no"
])
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || \
test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || \
Expand Down Expand Up @@ -9586,7 +9603,17 @@ if test "$ENABLED_DH" != "no" && test "$ENABLED_DH" != "const"; then
LT_LIB_M
fi
# mulitple OCSP stapling for TLS 1.3 Certificate extension
if test "$ENABLED_CERTIFICATE_STATUS_REQUEST" = "yes"
then
if test "$ENABLED_TLS13" = "yes"
then
if test "$ENABLED_TLS_OCSP_MULTI" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_OCSP_MULTI"
fi
fi
fi
################################################################################
# USER SETTINGS
Expand Down Expand Up @@ -9841,6 +9868,7 @@ AM_CONDITIONAL([BUILD_SM4],[test "x$ENABLED_SM4" != "xno" || test "x$ENABLED_USE
AM_CONDITIONAL([BUILD_INLINE],[test "x$ENABLED_INLINE" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP],[test "x$ENABLED_OCSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING_MULTI],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" && test "x$ENABLED_TLS13" = "xyes" && test "x$ENABLED_TLS_OCSP_MULTI" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])
Expand Down
98 changes: 53 additions & 45 deletions examples/client/client.c
Original file line number Diff line number Diff line change
Expand Up @@ -1242,66 +1242,70 @@ static const char* client_usage_msg[][78] = {
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
"-W <num> Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
" With 'm' at end indicates MUST staple\n", /* 42 */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS_OCSP_MULTI)
" -W 1 -v 4, Perform multi OCSP stapling for TLS13\n",
/* 43 */
#endif
#endif
#if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY)
"-U Atomic User Record Layer Callbacks\n", /* 43 */
"-U Atomic User Record Layer Callbacks\n", /* 45 */
#endif
#ifdef HAVE_PK_CALLBACKS
"-P Public Key Callbacks\n", /* 44 */
"-P Public Key Callbacks\n", /* 45 */
#endif
#ifdef HAVE_ANON
"-a Anonymous client\n", /* 45 */
"-a Anonymous client\n", /* 46 */
#endif
#ifdef HAVE_CRL
"-C Disable CRL\n", /* 46 */
"-C Disable CRL\n", /* 47 */
#endif
#ifdef WOLFSSL_TRUST_PEER_CERT
"-E <file> Path to load trusted peer cert\n", /* 47 */
"-E <file> Path to load trusted peer cert\n", /* 48 */
#endif
#ifdef HAVE_WNR
"-q <file> Whitewood config file, defaults\n", /* 48 */
"-q <file> Whitewood config file, defaults\n", /* 49 */
#endif
"-H <arg> Internal tests"
" [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 49 */
" loadSSL, disallowETM]\n", /* 50 */
" [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 50 */
" loadSSL, disallowETM]\n", /* 51 */
#ifdef WOLFSSL_TLS13
"-J Use HelloRetryRequest to choose group for KE\n", /* 51 */
"-K Key Exchange for PSK not using (EC)DHE\n", /* 52 */
"-I Update keys and IVs before sending data\n", /* 53 */
"-J Use HelloRetryRequest to choose group for KE\n", /* 52 */
"-K Key Exchange for PSK not using (EC)DHE\n", /* 53 */
"-I Update keys and IVs before sending data\n", /* 54 */
#ifndef NO_DH
"-y Key Share with FFDHE named groups only\n", /* 54 */
"-y Key Share with FFDHE named groups only\n", /* 55 */
#endif
#ifdef HAVE_ECC
"-Y Key Share with ECC named groups only\n", /* 55 */
"-Y Key Share with ECC named groups only\n", /* 56 */
#endif
#endif /* WOLFSSL_TLS13 */
#ifdef HAVE_CURVE25519
"-t Use X25519 for key exchange\n", /* 56 */
"-t Use X25519 for key exchange\n", /* 57 */
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
"-Q Support requesting certificate post-handshake\n", /* 57 */
"-Q Support requesting certificate post-handshake\n", /* 58 */
#endif
#ifdef WOLFSSL_EARLY_DATA
"-0 Early data sent to server (0-RTT handshake)\n", /* 58 */
"-0 Early data sent to server (0-RTT handshake)\n", /* 59 */
#endif
#ifdef WOLFSSL_MULTICAST
"-3 <grpid> Multicast, grpid < 256\n", /* 59 */
"-3 <grpid> Multicast, grpid < 256\n", /* 60 */
#endif
"-1 <num> Display a result by specified language.\n"
" 0: English, 1: Japanese\n", /* 60 */
" 0: English, 1: Japanese\n", /* 61 */
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
"-2 Disable DH Prime check\n", /* 61 */
"-2 Disable DH Prime check\n", /* 62 */
#endif
#ifdef HAVE_SECURE_RENEGOTIATION
"-4 Use resumption for renegotiation\n", /* 62 */
"-4 Use resumption for renegotiation\n", /* 63 */
#endif
#ifdef HAVE_TRUSTED_CA
"-5 Use Trusted CA Key Indication\n", /* 63 */
"-5 Use Trusted CA Key Indication\n", /* 64 */
#endif
"-6 Simulate WANT_WRITE errors on every other IO send\n",
#ifdef HAVE_CURVE448
"-8 Use X448 for key exchange\n", /* 66 */
"-8 Use X448 for key exchange\n", /* 65 */
#endif
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
(defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
Expand Down Expand Up @@ -1469,69 +1473,73 @@ static const char* client_usage_msg[][78] = {
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
"-W <num> OCSP Staplingを使用する"
" (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
" 'm' を最後に指定すると必ず staple を使用する\n" /* 42 */
" 'm' を最後に指定すると必ず staple を使用する\n" /* 42 */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS_OCSP_MULTI)
" -W 1 -v 4, "
"TLS13 使用時に複数(Multi)の OCSP を実施します\n" /* 43 */
#endif
#endif
#if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY)
"-U アトミック・ユーザー記録の"
"コールバックを利用する\n", /* 43 */
"コールバックを利用する\n", /* 44 */
#endif
#ifdef HAVE_PK_CALLBACKS
"-P 公開鍵コールバック\n", /* 44 */
"-P 公開鍵コールバック\n", /* 45 */
#endif
#ifdef HAVE_ANON
"-a 匿名クライアント\n", /* 45 */
"-a 匿名クライアント\n", /* 46 */
#endif
#ifdef HAVE_CRL
"-C CRLを無効\n", /* 46 */
"-C CRLを無効\n", /* 47 */
#endif
#ifdef WOLFSSL_TRUST_PEER_CERT
"-E <file> 信頼出来るピアの証明書ロードの為のパス\n", /* 47 */
"-E <file> 信頼出来るピアの証明書ロードの為のパス\n", /* 48 */
#endif
#ifdef HAVE_WNR
"-q <file> Whitewood コンフィグファイル, 既定値\n", /* 48 */
"-q <file> Whitewood コンフィグファイル, 既定値\n", /* 49 */
#endif
"-H <arg> 内部テスト"
" [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 49 */
" loadSSL, disallowETM]\n", /* 50 */
" [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 50 */
" loadSSL, disallowETM]\n", /* 51 */
#ifdef WOLFSSL_TLS13
"-J HelloRetryRequestをKEのグループ選択に使用する\n", /* 51 */
"-K 鍵交換にPSKを使用、(EC)DHEは使用しない\n", /* 52 */
"-I データ送信前に、鍵とIVを更新する\n", /* 53 */
"-J HelloRetryRequestをKEのグループ選択に使用する\n", /* 52 */
"-K 鍵交換にPSKを使用、(EC)DHEは使用しない\n", /* 53 */
"-I データ送信前に、鍵とIVを更新する\n", /* 54 */
#ifndef NO_DH
"-y FFDHE名前付きグループとの鍵共有のみ\n", /* 54 */
"-y FFDHE名前付きグループとの鍵共有のみ\n", /* 55 */
#endif
#ifdef HAVE_ECC
"-Y ECC名前付きグループとの鍵共有のみ\n", /* 55 */
"-Y ECC名前付きグループとの鍵共有のみ\n", /* 56 */
#endif
#endif /* WOLFSSL_TLS13 */
#ifdef HAVE_CURVE25519
"-t X25519を鍵交換に使用する\n", /* 56 */
"-t X25519を鍵交換に使用する\n", /* 57 */
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
"-Q ポストハンドシェークの証明要求をサポートする\n", /* 57 */
"-Q ポストハンドシェークの証明要求をサポートする\n", /* 58 */
#endif
#ifdef WOLFSSL_EARLY_DATA
"-0 Early data をサーバーへ送信する"
"(0-RTTハンドシェイク)\n", /* 58 */
"(0-RTTハンドシェイク)\n", /* 59 */
#endif
#ifdef WOLFSSL_MULTICAST
"-3 <grpid> マルチキャスト, grpid < 256\n", /* 59 */
"-3 <grpid> マルチキャスト, grpid < 256\n", /* 60 */
#endif
"-1 <num> 指定された言語で結果を表示します。\n"
" 0: 英語、 1: 日本語\n", /* 60 */
" 0: 英語、 1: 日本語\n", /* 61 */
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
"-2 DHプライム番号チェックを無効にする\n", /* 61 */
"-2 DHプライム番号チェックを無効にする\n", /* 62 */
#endif
#ifdef HAVE_SECURE_RENEGOTIATION
"-4 再交渉に再開を使用\n", /* 62 */
"-4 再交渉に再開を使用\n", /* 63 */
#endif
#ifdef HAVE_TRUSTED_CA
"-5 信頼できる認証局の鍵表示を使用する\n", /* 63 */
"-5 信頼できる認証局の鍵表示を使用する\n", /* 64 */
#endif
"-6 WANT_WRITE エラーを全てのIO 送信でシミュレートします\n",
#ifdef HAVE_CURVE448
"-8 鍵交換に X448 を使用する\n", /* 66 */
"-8 鍵交換に X448 を使用する\n", /* 65 */
#endif
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
(defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
Expand Down
6 changes: 6 additions & 0 deletions scripts/include.am
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,19 @@ endif

if BUILD_OCSP_STAPLING
dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
if BUILD_OCSP_STAPLING_MULTI
dist_noinst_SCRIPTS+= scripts/ocsp-stapling_tls13multi.test
endif
if !BUILD_OCSP_STAPLING_V2
testsuite/testsuite.log: scripts/ocsp-stapling.log scripts/ocsp-stapling-with-ca-as-responder.log
endif
scripts/ocsp-stapling.log: scripts/ocsp.log
dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp.log
scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
if BUILD_OCSP_STAPLING_MULTI
scripts/ocsp-stapling_tls13multi.log: scripts/ocsp-stapling-with-ca-as-responder.log
endif
endif

if BUILD_OCSP_STAPLING_V2
Expand Down
18 changes: 16 additions & 2 deletions scripts/ocsp-stapling.test
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,20 @@ if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then
exit 77
fi

if ./examples/client/client -V | grep -q 4; then
tls13=yes
fi
if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
dtls13=yes
fi
./examples/client/client '-?' 2>&1 | grep -- 'Perform multi OCSP stapling for TLS13'
if [ $? -eq 0 ]; then
tls13multi=yes
else
tls13multi=no
fi


if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
IPV6_SUPPORTED=yes
else
Expand Down Expand Up @@ -346,7 +360,7 @@ RESULT=$?
printf '%s\n\n' "Test successfully REVOKED!"


if ./examples/client/client -V | grep -q 4; then
if [[ ("$tls13" == "yes") && ("$tls13multi" == "no") ]]; then
printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
# client test against our own server - GOOD CERT
remove_single_rF "$ready_file2"
Expand Down Expand Up @@ -412,7 +426,7 @@ if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.2'; then
printf '%s\n\n' "Test PASSED!"
fi

if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
if [[ ("$dtls13" == "yes") && ("$tls13multi" == "no") ]]; then
printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD PASS -------------------"
# client test against our own server, must staple - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
Expand Down
2 changes: 1 addition & 1 deletion scripts/ocsp-stapling2.test
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ fi
if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
if [[ "$IPV6_SUPPORTED" == "no" ]]; then
echo 'Skipping IPV6 test in environment lacking IPV6 support.'
exit 0
exit 77
fi
LOCALHOST='[::1]'
LOCALHOST_FOR_NC='-6 ::1'
Expand Down
Loading

0 comments on commit f8da04d

Please sign in to comment.