wolf SSL
wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
src/ocsp.c@4:1b0d80432c79, 2016-04-28 (annotated)
- Committer:
- wolfSSL
- Date:
- Thu Apr 28 00:57:21 2016 +0000
- Revision:
- 4:1b0d80432c79
wolfSSL 3.9.0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| wolfSSL | 4:1b0d80432c79 | 1 | /* ocsp.c |
| wolfSSL | 4:1b0d80432c79 | 2 | * |
| wolfSSL | 4:1b0d80432c79 | 3 | * Copyright (C) 2006-2016 wolfSSL Inc. |
| wolfSSL | 4:1b0d80432c79 | 4 | * |
| wolfSSL | 4:1b0d80432c79 | 5 | * This file is part of wolfSSL. |
| wolfSSL | 4:1b0d80432c79 | 6 | * |
| wolfSSL | 4:1b0d80432c79 | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
| wolfSSL | 4:1b0d80432c79 | 8 | * it under the terms of the GNU General Public License as published by |
| wolfSSL | 4:1b0d80432c79 | 9 | * the Free Software Foundation; either version 2 of the License, or |
| wolfSSL | 4:1b0d80432c79 | 10 | * (at your option) any later version. |
| wolfSSL | 4:1b0d80432c79 | 11 | * |
| wolfSSL | 4:1b0d80432c79 | 12 | * wolfSSL is distributed in the hope that it will be useful, |
| wolfSSL | 4:1b0d80432c79 | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| wolfSSL | 4:1b0d80432c79 | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| wolfSSL | 4:1b0d80432c79 | 15 | * GNU General Public License for more details. |
| wolfSSL | 4:1b0d80432c79 | 16 | * |
| wolfSSL | 4:1b0d80432c79 | 17 | * You should have received a copy of the GNU General Public License |
| wolfSSL | 4:1b0d80432c79 | 18 | * along with this program; if not, write to the Free Software |
| wolfSSL | 4:1b0d80432c79 | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
| wolfSSL | 4:1b0d80432c79 | 20 | */ |
| wolfSSL | 4:1b0d80432c79 | 21 | |
| wolfSSL | 4:1b0d80432c79 | 22 | |
| wolfSSL | 4:1b0d80432c79 | 23 | /* Name change compatibility layer no longer needs to be included here */ |
| wolfSSL | 4:1b0d80432c79 | 24 | |
| wolfSSL | 4:1b0d80432c79 | 25 | #ifdef HAVE_CONFIG_H |
| wolfSSL | 4:1b0d80432c79 | 26 | #include <config.h> |
| wolfSSL | 4:1b0d80432c79 | 27 | #endif |
| wolfSSL | 4:1b0d80432c79 | 28 | |
| wolfSSL | 4:1b0d80432c79 | 29 | #include <wolfssl/wolfcrypt/settings.h> |
| wolfSSL | 4:1b0d80432c79 | 30 | |
| wolfSSL | 4:1b0d80432c79 | 31 | #ifndef WOLFCRYPT_ONLY |
| wolfSSL | 4:1b0d80432c79 | 32 | #ifdef HAVE_OCSP |
| wolfSSL | 4:1b0d80432c79 | 33 | |
| wolfSSL | 4:1b0d80432c79 | 34 | #include <wolfssl/error-ssl.h> |
| wolfSSL | 4:1b0d80432c79 | 35 | #include <wolfssl/ocsp.h> |
| wolfSSL | 4:1b0d80432c79 | 36 | #include <wolfssl/internal.h> |
| wolfSSL | 4:1b0d80432c79 | 37 | |
| wolfSSL | 4:1b0d80432c79 | 38 | #ifdef NO_INLINE |
| wolfSSL | 4:1b0d80432c79 | 39 | #include <wolfssl/wolfcrypt/misc.h> |
| wolfSSL | 4:1b0d80432c79 | 40 | #else |
| wolfSSL | 4:1b0d80432c79 | 41 | #include <wolfcrypt/src/misc.c> |
| wolfSSL | 4:1b0d80432c79 | 42 | #endif |
| wolfSSL | 4:1b0d80432c79 | 43 | |
| wolfSSL | 4:1b0d80432c79 | 44 | |
| wolfSSL | 4:1b0d80432c79 | 45 | int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm) |
| wolfSSL | 4:1b0d80432c79 | 46 | { |
| wolfSSL | 4:1b0d80432c79 | 47 | WOLFSSL_ENTER("InitOCSP"); |
| wolfSSL | 4:1b0d80432c79 | 48 | |
| wolfSSL | 4:1b0d80432c79 | 49 | ForceZero(ocsp, sizeof(WOLFSSL_OCSP)); |
| wolfSSL | 4:1b0d80432c79 | 50 | |
| wolfSSL | 4:1b0d80432c79 | 51 | if (InitMutex(&ocsp->ocspLock) != 0) |
| wolfSSL | 4:1b0d80432c79 | 52 | return BAD_MUTEX_E; |
| wolfSSL | 4:1b0d80432c79 | 53 | |
| wolfSSL | 4:1b0d80432c79 | 54 | ocsp->cm = cm; |
| wolfSSL | 4:1b0d80432c79 | 55 | |
| wolfSSL | 4:1b0d80432c79 | 56 | return 0; |
| wolfSSL | 4:1b0d80432c79 | 57 | } |
| wolfSSL | 4:1b0d80432c79 | 58 | |
| wolfSSL | 4:1b0d80432c79 | 59 | |
| wolfSSL | 4:1b0d80432c79 | 60 | static int InitOcspEntry(OcspEntry* entry, OcspRequest* request) |
| wolfSSL | 4:1b0d80432c79 | 61 | { |
| wolfSSL | 4:1b0d80432c79 | 62 | WOLFSSL_ENTER("InitOcspEntry"); |
| wolfSSL | 4:1b0d80432c79 | 63 | |
| wolfSSL | 4:1b0d80432c79 | 64 | ForceZero(entry, sizeof(OcspEntry)); |
| wolfSSL | 4:1b0d80432c79 | 65 | |
| wolfSSL | 4:1b0d80432c79 | 66 | XMEMCPY(entry->issuerHash, request->issuerHash, OCSP_DIGEST_SIZE); |
| wolfSSL | 4:1b0d80432c79 | 67 | XMEMCPY(entry->issuerKeyHash, request->issuerKeyHash, OCSP_DIGEST_SIZE); |
| wolfSSL | 4:1b0d80432c79 | 68 | |
| wolfSSL | 4:1b0d80432c79 | 69 | return 0; |
| wolfSSL | 4:1b0d80432c79 | 70 | } |
| wolfSSL | 4:1b0d80432c79 | 71 | |
| wolfSSL | 4:1b0d80432c79 | 72 | |
| wolfSSL | 4:1b0d80432c79 | 73 | static void FreeOcspEntry(OcspEntry* entry) |
| wolfSSL | 4:1b0d80432c79 | 74 | { |
| wolfSSL | 4:1b0d80432c79 | 75 | CertStatus *status, *next; |
| wolfSSL | 4:1b0d80432c79 | 76 | |
| wolfSSL | 4:1b0d80432c79 | 77 | WOLFSSL_ENTER("FreeOcspEntry"); |
| wolfSSL | 4:1b0d80432c79 | 78 | |
| wolfSSL | 4:1b0d80432c79 | 79 | for (status = entry->status; status; status = next) { |
| wolfSSL | 4:1b0d80432c79 | 80 | next = status->next; |
| wolfSSL | 4:1b0d80432c79 | 81 | |
| wolfSSL | 4:1b0d80432c79 | 82 | if (status->rawOcspResponse) |
| wolfSSL | 4:1b0d80432c79 | 83 | XFREE(status->rawOcspResponse, NULL, DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 4:1b0d80432c79 | 84 | |
| wolfSSL | 4:1b0d80432c79 | 85 | XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 4:1b0d80432c79 | 86 | } |
| wolfSSL | 4:1b0d80432c79 | 87 | } |
| wolfSSL | 4:1b0d80432c79 | 88 | |
| wolfSSL | 4:1b0d80432c79 | 89 | |
| wolfSSL | 4:1b0d80432c79 | 90 | void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic) |
| wolfSSL | 4:1b0d80432c79 | 91 | { |
| wolfSSL | 4:1b0d80432c79 | 92 | OcspEntry *entry, *next; |
| wolfSSL | 4:1b0d80432c79 | 93 | |
| wolfSSL | 4:1b0d80432c79 | 94 | WOLFSSL_ENTER("FreeOCSP"); |
| wolfSSL | 4:1b0d80432c79 | 95 | |
| wolfSSL | 4:1b0d80432c79 | 96 | for (entry = ocsp->ocspList; entry; entry = next) { |
| wolfSSL | 4:1b0d80432c79 | 97 | next = entry->next; |
| wolfSSL | 4:1b0d80432c79 | 98 | FreeOcspEntry(entry); |
| wolfSSL | 4:1b0d80432c79 | 99 | XFREE(entry, NULL, DYNAMIC_TYPE_OCSP_ENTRY); |
| wolfSSL | 4:1b0d80432c79 | 100 | } |
| wolfSSL | 4:1b0d80432c79 | 101 | |
| wolfSSL | 4:1b0d80432c79 | 102 | FreeMutex(&ocsp->ocspLock); |
| wolfSSL | 4:1b0d80432c79 | 103 | |
| wolfSSL | 4:1b0d80432c79 | 104 | if (dynamic) |
| wolfSSL | 4:1b0d80432c79 | 105 | XFREE(ocsp, NULL, DYNAMIC_TYPE_OCSP); |
| wolfSSL | 4:1b0d80432c79 | 106 | } |
| wolfSSL | 4:1b0d80432c79 | 107 | |
| wolfSSL | 4:1b0d80432c79 | 108 | |
| wolfSSL | 4:1b0d80432c79 | 109 | static int xstat2err(int stat) |
| wolfSSL | 4:1b0d80432c79 | 110 | { |
| wolfSSL | 4:1b0d80432c79 | 111 | switch (stat) { |
| wolfSSL | 4:1b0d80432c79 | 112 | case CERT_GOOD: |
| wolfSSL | 4:1b0d80432c79 | 113 | return 0; |
| wolfSSL | 4:1b0d80432c79 | 114 | case CERT_REVOKED: |
| wolfSSL | 4:1b0d80432c79 | 115 | return OCSP_CERT_REVOKED; |
| wolfSSL | 4:1b0d80432c79 | 116 | default: |
| wolfSSL | 4:1b0d80432c79 | 117 | return OCSP_CERT_UNKNOWN; |
| wolfSSL | 4:1b0d80432c79 | 118 | } |
| wolfSSL | 4:1b0d80432c79 | 119 | } |
| wolfSSL | 4:1b0d80432c79 | 120 | |
| wolfSSL | 4:1b0d80432c79 | 121 | |
| wolfSSL | 4:1b0d80432c79 | 122 | int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer) |
| wolfSSL | 4:1b0d80432c79 | 123 | { |
| wolfSSL | 4:1b0d80432c79 | 124 | int ret = OCSP_LOOKUP_FAIL; |
| wolfSSL | 4:1b0d80432c79 | 125 | |
| wolfSSL | 4:1b0d80432c79 | 126 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 4:1b0d80432c79 | 127 | OcspRequest* ocspRequest; |
| wolfSSL | 4:1b0d80432c79 | 128 | #else |
| wolfSSL | 4:1b0d80432c79 | 129 | OcspRequest ocspRequest[1]; |
| wolfSSL | 4:1b0d80432c79 | 130 | #endif |
| wolfSSL | 4:1b0d80432c79 | 131 | |
| wolfSSL | 4:1b0d80432c79 | 132 | WOLFSSL_ENTER("CheckCertOCSP"); |
| wolfSSL | 4:1b0d80432c79 | 133 | |
| wolfSSL | 4:1b0d80432c79 | 134 | |
| wolfSSL | 4:1b0d80432c79 | 135 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 4:1b0d80432c79 | 136 | ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, |
| wolfSSL | 4:1b0d80432c79 | 137 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 138 | if (ocspRequest == NULL) { |
| wolfSSL | 4:1b0d80432c79 | 139 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
| wolfSSL | 4:1b0d80432c79 | 140 | return MEMORY_E; |
| wolfSSL | 4:1b0d80432c79 | 141 | } |
| wolfSSL | 4:1b0d80432c79 | 142 | #endif |
| wolfSSL | 4:1b0d80432c79 | 143 | |
| wolfSSL | 4:1b0d80432c79 | 144 | if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce) == 0) { |
| wolfSSL | 4:1b0d80432c79 | 145 | ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer); |
| wolfSSL | 4:1b0d80432c79 | 146 | |
| wolfSSL | 4:1b0d80432c79 | 147 | FreeOcspRequest(ocspRequest); |
| wolfSSL | 4:1b0d80432c79 | 148 | } |
| wolfSSL | 4:1b0d80432c79 | 149 | |
| wolfSSL | 4:1b0d80432c79 | 150 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 4:1b0d80432c79 | 151 | XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 152 | #endif |
| wolfSSL | 4:1b0d80432c79 | 153 | |
| wolfSSL | 4:1b0d80432c79 | 154 | WOLFSSL_LEAVE("CheckCertOCSP", ret); |
| wolfSSL | 4:1b0d80432c79 | 155 | return ret; |
| wolfSSL | 4:1b0d80432c79 | 156 | } |
| wolfSSL | 4:1b0d80432c79 | 157 | |
| wolfSSL | 4:1b0d80432c79 | 158 | static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request, |
| wolfSSL | 4:1b0d80432c79 | 159 | OcspEntry** entry) |
| wolfSSL | 4:1b0d80432c79 | 160 | { |
| wolfSSL | 4:1b0d80432c79 | 161 | WOLFSSL_ENTER("GetOcspEntry"); |
| wolfSSL | 4:1b0d80432c79 | 162 | |
| wolfSSL | 4:1b0d80432c79 | 163 | *entry = NULL; |
| wolfSSL | 4:1b0d80432c79 | 164 | |
| wolfSSL | 4:1b0d80432c79 | 165 | if (LockMutex(&ocsp->ocspLock) != 0) { |
| wolfSSL | 4:1b0d80432c79 | 166 | WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); |
| wolfSSL | 4:1b0d80432c79 | 167 | return BAD_MUTEX_E; |
| wolfSSL | 4:1b0d80432c79 | 168 | } |
| wolfSSL | 4:1b0d80432c79 | 169 | |
| wolfSSL | 4:1b0d80432c79 | 170 | for (*entry = ocsp->ocspList; *entry; *entry = (*entry)->next) |
| wolfSSL | 4:1b0d80432c79 | 171 | if (XMEMCMP((*entry)->issuerHash, request->issuerHash, |
| wolfSSL | 4:1b0d80432c79 | 172 | OCSP_DIGEST_SIZE) == 0 |
| wolfSSL | 4:1b0d80432c79 | 173 | && XMEMCMP((*entry)->issuerKeyHash, request->issuerKeyHash, |
| wolfSSL | 4:1b0d80432c79 | 174 | OCSP_DIGEST_SIZE) == 0) |
| wolfSSL | 4:1b0d80432c79 | 175 | break; |
| wolfSSL | 4:1b0d80432c79 | 176 | |
| wolfSSL | 4:1b0d80432c79 | 177 | if (*entry == NULL) { |
| wolfSSL | 4:1b0d80432c79 | 178 | *entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry), |
| wolfSSL | 4:1b0d80432c79 | 179 | NULL, DYNAMIC_TYPE_OCSP_ENTRY); |
| wolfSSL | 4:1b0d80432c79 | 180 | if (*entry) { |
| wolfSSL | 4:1b0d80432c79 | 181 | InitOcspEntry(*entry, request); |
| wolfSSL | 4:1b0d80432c79 | 182 | (*entry)->next = ocsp->ocspList; |
| wolfSSL | 4:1b0d80432c79 | 183 | ocsp->ocspList = *entry; |
| wolfSSL | 4:1b0d80432c79 | 184 | } |
| wolfSSL | 4:1b0d80432c79 | 185 | } |
| wolfSSL | 4:1b0d80432c79 | 186 | |
| wolfSSL | 4:1b0d80432c79 | 187 | UnLockMutex(&ocsp->ocspLock); |
| wolfSSL | 4:1b0d80432c79 | 188 | |
| wolfSSL | 4:1b0d80432c79 | 189 | return *entry ? 0 : MEMORY_ERROR; |
| wolfSSL | 4:1b0d80432c79 | 190 | } |
| wolfSSL | 4:1b0d80432c79 | 191 | |
| wolfSSL | 4:1b0d80432c79 | 192 | |
| wolfSSL | 4:1b0d80432c79 | 193 | static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, |
| wolfSSL | 4:1b0d80432c79 | 194 | OcspEntry* entry, CertStatus** status, buffer* responseBuffer) |
| wolfSSL | 4:1b0d80432c79 | 195 | { |
| wolfSSL | 4:1b0d80432c79 | 196 | int ret = OCSP_INVALID_STATUS; |
| wolfSSL | 4:1b0d80432c79 | 197 | |
| wolfSSL | 4:1b0d80432c79 | 198 | WOLFSSL_ENTER("GetOcspStatus"); |
| wolfSSL | 4:1b0d80432c79 | 199 | |
| wolfSSL | 4:1b0d80432c79 | 200 | *status = NULL; |
| wolfSSL | 4:1b0d80432c79 | 201 | |
| wolfSSL | 4:1b0d80432c79 | 202 | if (LockMutex(&ocsp->ocspLock) != 0) { |
| wolfSSL | 4:1b0d80432c79 | 203 | WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); |
| wolfSSL | 4:1b0d80432c79 | 204 | return BAD_MUTEX_E; |
| wolfSSL | 4:1b0d80432c79 | 205 | } |
| wolfSSL | 4:1b0d80432c79 | 206 | |
| wolfSSL | 4:1b0d80432c79 | 207 | for (*status = entry->status; *status; *status = (*status)->next) |
| wolfSSL | 4:1b0d80432c79 | 208 | if ((*status)->serialSz == request->serialSz |
| wolfSSL | 4:1b0d80432c79 | 209 | && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz)) |
| wolfSSL | 4:1b0d80432c79 | 210 | break; |
| wolfSSL | 4:1b0d80432c79 | 211 | |
| wolfSSL | 4:1b0d80432c79 | 212 | if (responseBuffer && *status && !(*status)->rawOcspResponse) { |
| wolfSSL | 4:1b0d80432c79 | 213 | /* force fetching again */ |
| wolfSSL | 4:1b0d80432c79 | 214 | ret = OCSP_INVALID_STATUS; |
| wolfSSL | 4:1b0d80432c79 | 215 | } |
| wolfSSL | 4:1b0d80432c79 | 216 | else if (*status) { |
| wolfSSL | 4:1b0d80432c79 | 217 | if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) |
| wolfSSL | 4:1b0d80432c79 | 218 | && ((*status)->nextDate[0] != 0) |
| wolfSSL | 4:1b0d80432c79 | 219 | && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER)) |
| wolfSSL | 4:1b0d80432c79 | 220 | { |
| wolfSSL | 4:1b0d80432c79 | 221 | ret = xstat2err((*status)->status); |
| wolfSSL | 4:1b0d80432c79 | 222 | |
| wolfSSL | 4:1b0d80432c79 | 223 | if (responseBuffer) { |
| wolfSSL | 4:1b0d80432c79 | 224 | responseBuffer->buffer = (byte*)XMALLOC( |
| wolfSSL | 4:1b0d80432c79 | 225 | (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 226 | |
| wolfSSL | 4:1b0d80432c79 | 227 | if (responseBuffer->buffer) { |
| wolfSSL | 4:1b0d80432c79 | 228 | responseBuffer->length = (*status)->rawOcspResponseSz; |
| wolfSSL | 4:1b0d80432c79 | 229 | XMEMCPY(responseBuffer->buffer, |
| wolfSSL | 4:1b0d80432c79 | 230 | (*status)->rawOcspResponse, |
| wolfSSL | 4:1b0d80432c79 | 231 | (*status)->rawOcspResponseSz); |
| wolfSSL | 4:1b0d80432c79 | 232 | } |
| wolfSSL | 4:1b0d80432c79 | 233 | } |
| wolfSSL | 4:1b0d80432c79 | 234 | } |
| wolfSSL | 4:1b0d80432c79 | 235 | } |
| wolfSSL | 4:1b0d80432c79 | 236 | |
| wolfSSL | 4:1b0d80432c79 | 237 | UnLockMutex(&ocsp->ocspLock); |
| wolfSSL | 4:1b0d80432c79 | 238 | |
| wolfSSL | 4:1b0d80432c79 | 239 | return ret; |
| wolfSSL | 4:1b0d80432c79 | 240 | } |
| wolfSSL | 4:1b0d80432c79 | 241 | |
| wolfSSL | 4:1b0d80432c79 | 242 | int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, |
| wolfSSL | 4:1b0d80432c79 | 243 | buffer* responseBuffer) |
| wolfSSL | 4:1b0d80432c79 | 244 | { |
| wolfSSL | 4:1b0d80432c79 | 245 | OcspEntry* entry = NULL; |
| wolfSSL | 4:1b0d80432c79 | 246 | CertStatus* status = NULL; |
| wolfSSL | 4:1b0d80432c79 | 247 | byte* request = NULL; |
| wolfSSL | 4:1b0d80432c79 | 248 | int requestSz = 2048; |
| wolfSSL | 4:1b0d80432c79 | 249 | byte* response = NULL; |
| wolfSSL | 4:1b0d80432c79 | 250 | const char* url = NULL; |
| wolfSSL | 4:1b0d80432c79 | 251 | int urlSz = 0; |
| wolfSSL | 4:1b0d80432c79 | 252 | int ret = -1; |
| wolfSSL | 4:1b0d80432c79 | 253 | |
| wolfSSL | 4:1b0d80432c79 | 254 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 4:1b0d80432c79 | 255 | CertStatus* newStatus; |
| wolfSSL | 4:1b0d80432c79 | 256 | OcspResponse* ocspResponse; |
| wolfSSL | 4:1b0d80432c79 | 257 | #else |
| wolfSSL | 4:1b0d80432c79 | 258 | CertStatus newStatus[1]; |
| wolfSSL | 4:1b0d80432c79 | 259 | OcspResponse ocspResponse[1]; |
| wolfSSL | 4:1b0d80432c79 | 260 | #endif |
| wolfSSL | 4:1b0d80432c79 | 261 | |
| wolfSSL | 4:1b0d80432c79 | 262 | WOLFSSL_ENTER("CheckOcspRequest"); |
| wolfSSL | 4:1b0d80432c79 | 263 | |
| wolfSSL | 4:1b0d80432c79 | 264 | if (responseBuffer) { |
| wolfSSL | 4:1b0d80432c79 | 265 | responseBuffer->buffer = NULL; |
| wolfSSL | 4:1b0d80432c79 | 266 | responseBuffer->length = 0; |
| wolfSSL | 4:1b0d80432c79 | 267 | } |
| wolfSSL | 4:1b0d80432c79 | 268 | |
| wolfSSL | 4:1b0d80432c79 | 269 | ret = GetOcspEntry(ocsp, ocspRequest, &entry); |
| wolfSSL | 4:1b0d80432c79 | 270 | if (ret != 0) |
| wolfSSL | 4:1b0d80432c79 | 271 | return ret; |
| wolfSSL | 4:1b0d80432c79 | 272 | |
| wolfSSL | 4:1b0d80432c79 | 273 | ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer); |
| wolfSSL | 4:1b0d80432c79 | 274 | if (ret != OCSP_INVALID_STATUS) |
| wolfSSL | 4:1b0d80432c79 | 275 | return ret; |
| wolfSSL | 4:1b0d80432c79 | 276 | |
| wolfSSL | 4:1b0d80432c79 | 277 | if (ocsp->cm->ocspUseOverrideURL) { |
| wolfSSL | 4:1b0d80432c79 | 278 | url = ocsp->cm->ocspOverrideURL; |
| wolfSSL | 4:1b0d80432c79 | 279 | if (url != NULL && url[0] != '\0') |
| wolfSSL | 4:1b0d80432c79 | 280 | urlSz = (int)XSTRLEN(url); |
| wolfSSL | 4:1b0d80432c79 | 281 | else |
| wolfSSL | 4:1b0d80432c79 | 282 | return OCSP_NEED_URL; |
| wolfSSL | 4:1b0d80432c79 | 283 | } |
| wolfSSL | 4:1b0d80432c79 | 284 | else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) { |
| wolfSSL | 4:1b0d80432c79 | 285 | url = (const char *)ocspRequest->url; |
| wolfSSL | 4:1b0d80432c79 | 286 | urlSz = ocspRequest->urlSz; |
| wolfSSL | 4:1b0d80432c79 | 287 | } |
| wolfSSL | 4:1b0d80432c79 | 288 | else { |
| wolfSSL | 4:1b0d80432c79 | 289 | /* cert doesn't have extAuthInfo, assuming CERT_GOOD */ |
| wolfSSL | 4:1b0d80432c79 | 290 | return 0; |
| wolfSSL | 4:1b0d80432c79 | 291 | } |
| wolfSSL | 4:1b0d80432c79 | 292 | |
| wolfSSL | 4:1b0d80432c79 | 293 | request = (byte*)XMALLOC(requestSz, NULL, DYNAMIC_TYPE_OCSP); |
| wolfSSL | 4:1b0d80432c79 | 294 | if (request == NULL) { |
| wolfSSL | 4:1b0d80432c79 | 295 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
| wolfSSL | 4:1b0d80432c79 | 296 | return MEMORY_ERROR; |
| wolfSSL | 4:1b0d80432c79 | 297 | } |
| wolfSSL | 4:1b0d80432c79 | 298 | |
| wolfSSL | 4:1b0d80432c79 | 299 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 4:1b0d80432c79 | 300 | newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, |
| wolfSSL | 4:1b0d80432c79 | 301 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 302 | ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, |
| wolfSSL | 4:1b0d80432c79 | 303 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 304 | |
| wolfSSL | 4:1b0d80432c79 | 305 | if (newStatus == NULL || ocspResponse == NULL) { |
| wolfSSL | 4:1b0d80432c79 | 306 | if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 307 | if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 308 | |
| wolfSSL | 4:1b0d80432c79 | 309 | XFREE(request, NULL, DYNAMIC_TYPE_OCSP); |
| wolfSSL | 4:1b0d80432c79 | 310 | |
| wolfSSL | 4:1b0d80432c79 | 311 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
| wolfSSL | 4:1b0d80432c79 | 312 | return MEMORY_E; |
| wolfSSL | 4:1b0d80432c79 | 313 | } |
| wolfSSL | 4:1b0d80432c79 | 314 | #endif |
| wolfSSL | 4:1b0d80432c79 | 315 | |
| wolfSSL | 4:1b0d80432c79 | 316 | requestSz = EncodeOcspRequest(ocspRequest, request, requestSz); |
| wolfSSL | 4:1b0d80432c79 | 317 | |
| wolfSSL | 4:1b0d80432c79 | 318 | if (ocsp->cm->ocspIOCb) |
| wolfSSL | 4:1b0d80432c79 | 319 | ret = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, |
| wolfSSL | 4:1b0d80432c79 | 320 | request, requestSz, &response); |
| wolfSSL | 4:1b0d80432c79 | 321 | |
| wolfSSL | 4:1b0d80432c79 | 322 | if (ret >= 0 && response) { |
| wolfSSL | 4:1b0d80432c79 | 323 | XMEMSET(newStatus, 0, sizeof(CertStatus)); |
| wolfSSL | 4:1b0d80432c79 | 324 | |
| wolfSSL | 4:1b0d80432c79 | 325 | InitOcspResponse(ocspResponse, newStatus, response, ret); |
| wolfSSL | 4:1b0d80432c79 | 326 | OcspResponseDecode(ocspResponse, ocsp->cm); |
| wolfSSL | 4:1b0d80432c79 | 327 | |
| wolfSSL | 4:1b0d80432c79 | 328 | if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) |
| wolfSSL | 4:1b0d80432c79 | 329 | ret = OCSP_LOOKUP_FAIL; |
| wolfSSL | 4:1b0d80432c79 | 330 | else { |
| wolfSSL | 4:1b0d80432c79 | 331 | if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) { |
| wolfSSL | 4:1b0d80432c79 | 332 | if (responseBuffer) { |
| wolfSSL | 4:1b0d80432c79 | 333 | responseBuffer->buffer = (byte*)XMALLOC(ret, NULL, |
| wolfSSL | 4:1b0d80432c79 | 334 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 335 | |
| wolfSSL | 4:1b0d80432c79 | 336 | if (responseBuffer->buffer) { |
| wolfSSL | 4:1b0d80432c79 | 337 | responseBuffer->length = ret; |
| wolfSSL | 4:1b0d80432c79 | 338 | XMEMCPY(responseBuffer->buffer, response, ret); |
| wolfSSL | 4:1b0d80432c79 | 339 | } |
| wolfSSL | 4:1b0d80432c79 | 340 | } |
| wolfSSL | 4:1b0d80432c79 | 341 | |
| wolfSSL | 4:1b0d80432c79 | 342 | ret = xstat2err(ocspResponse->status->status); |
| wolfSSL | 4:1b0d80432c79 | 343 | |
| wolfSSL | 4:1b0d80432c79 | 344 | if (LockMutex(&ocsp->ocspLock) != 0) |
| wolfSSL | 4:1b0d80432c79 | 345 | ret = BAD_MUTEX_E; |
| wolfSSL | 4:1b0d80432c79 | 346 | else { |
| wolfSSL | 4:1b0d80432c79 | 347 | if (status != NULL) { |
| wolfSSL | 4:1b0d80432c79 | 348 | if (status->rawOcspResponse) |
| wolfSSL | 4:1b0d80432c79 | 349 | XFREE(status->rawOcspResponse, NULL, |
| wolfSSL | 4:1b0d80432c79 | 350 | DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 4:1b0d80432c79 | 351 | |
| wolfSSL | 4:1b0d80432c79 | 352 | /* Replace existing certificate entry with updated */ |
| wolfSSL | 4:1b0d80432c79 | 353 | XMEMCPY(status, newStatus, sizeof(CertStatus)); |
| wolfSSL | 4:1b0d80432c79 | 354 | } |
| wolfSSL | 4:1b0d80432c79 | 355 | else { |
| wolfSSL | 4:1b0d80432c79 | 356 | /* Save new certificate entry */ |
| wolfSSL | 4:1b0d80432c79 | 357 | status = (CertStatus*)XMALLOC(sizeof(CertStatus), |
| wolfSSL | 4:1b0d80432c79 | 358 | NULL, DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 4:1b0d80432c79 | 359 | if (status != NULL) { |
| wolfSSL | 4:1b0d80432c79 | 360 | XMEMCPY(status, newStatus, sizeof(CertStatus)); |
| wolfSSL | 4:1b0d80432c79 | 361 | status->next = entry->status; |
| wolfSSL | 4:1b0d80432c79 | 362 | entry->status = status; |
| wolfSSL | 4:1b0d80432c79 | 363 | entry->totalStatus++; |
| wolfSSL | 4:1b0d80432c79 | 364 | } |
| wolfSSL | 4:1b0d80432c79 | 365 | } |
| wolfSSL | 4:1b0d80432c79 | 366 | |
| wolfSSL | 4:1b0d80432c79 | 367 | if (status && responseBuffer && responseBuffer->buffer) { |
| wolfSSL | 4:1b0d80432c79 | 368 | status->rawOcspResponse = (byte*)XMALLOC( |
| wolfSSL | 4:1b0d80432c79 | 369 | responseBuffer->length, NULL, |
| wolfSSL | 4:1b0d80432c79 | 370 | DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 4:1b0d80432c79 | 371 | |
| wolfSSL | 4:1b0d80432c79 | 372 | if (status->rawOcspResponse) { |
| wolfSSL | 4:1b0d80432c79 | 373 | status->rawOcspResponseSz = responseBuffer->length; |
| wolfSSL | 4:1b0d80432c79 | 374 | XMEMCPY(status->rawOcspResponse, |
| wolfSSL | 4:1b0d80432c79 | 375 | responseBuffer->buffer, |
| wolfSSL | 4:1b0d80432c79 | 376 | responseBuffer->length); |
| wolfSSL | 4:1b0d80432c79 | 377 | } |
| wolfSSL | 4:1b0d80432c79 | 378 | } |
| wolfSSL | 4:1b0d80432c79 | 379 | |
| wolfSSL | 4:1b0d80432c79 | 380 | UnLockMutex(&ocsp->ocspLock); |
| wolfSSL | 4:1b0d80432c79 | 381 | } |
| wolfSSL | 4:1b0d80432c79 | 382 | } |
| wolfSSL | 4:1b0d80432c79 | 383 | else |
| wolfSSL | 4:1b0d80432c79 | 384 | ret = OCSP_LOOKUP_FAIL; |
| wolfSSL | 4:1b0d80432c79 | 385 | } |
| wolfSSL | 4:1b0d80432c79 | 386 | } |
| wolfSSL | 4:1b0d80432c79 | 387 | else |
| wolfSSL | 4:1b0d80432c79 | 388 | ret = OCSP_LOOKUP_FAIL; |
| wolfSSL | 4:1b0d80432c79 | 389 | |
| wolfSSL | 4:1b0d80432c79 | 390 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 4:1b0d80432c79 | 391 | XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 392 | XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 4:1b0d80432c79 | 393 | #endif |
| wolfSSL | 4:1b0d80432c79 | 394 | |
| wolfSSL | 4:1b0d80432c79 | 395 | if (response != NULL && ocsp->cm->ocspRespFreeCb) |
| wolfSSL | 4:1b0d80432c79 | 396 | ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response); |
| wolfSSL | 4:1b0d80432c79 | 397 | |
| wolfSSL | 4:1b0d80432c79 | 398 | WOLFSSL_LEAVE("CheckOcspRequest", ret); |
| wolfSSL | 4:1b0d80432c79 | 399 | return ret; |
| wolfSSL | 4:1b0d80432c79 | 400 | } |
| wolfSSL | 4:1b0d80432c79 | 401 | |
| wolfSSL | 4:1b0d80432c79 | 402 | |
| wolfSSL | 4:1b0d80432c79 | 403 | #else /* HAVE_OCSP */ |
| wolfSSL | 4:1b0d80432c79 | 404 | |
| wolfSSL | 4:1b0d80432c79 | 405 | |
| wolfSSL | 4:1b0d80432c79 | 406 | #ifdef _MSC_VER |
| wolfSSL | 4:1b0d80432c79 | 407 | /* 4206 warning for blank file */ |
| wolfSSL | 4:1b0d80432c79 | 408 | #pragma warning(disable: 4206) |
| wolfSSL | 4:1b0d80432c79 | 409 | #endif |
| wolfSSL | 4:1b0d80432c79 | 410 | |
| wolfSSL | 4:1b0d80432c79 | 411 | |
| wolfSSL | 4:1b0d80432c79 | 412 | #endif /* HAVE_OCSP */ |
| wolfSSL | 4:1b0d80432c79 | 413 | #endif /* WOLFCRYPT_ONLY */ |
| wolfSSL | 4:1b0d80432c79 | 414 | |
| wolfSSL | 4:1b0d80432c79 | 415 |