Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCSP openssl compat fixes #8498

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

OCSP openssl compat fixes #8498

wants to merge 11 commits into from
+436 −137

Conversation

rizlik
Copy link
Contributor

@rizlik rizlik commented Feb 24, 2025
edited
Loading

Description

  • Fix NO_SHA builds
  • Fix i2d and d2i CERT ID functions

@rizlik
ocsp: responderID.ByKey is SHA-1 Digest len
8b80cb1 
Check that responderID.ByKey is exactly WC_SHA_DIGEST_SIZE as per RFC
6960. KEYID_SIZE can change across build configuration.
@rizlik
ocsp: use SHA-256 for responder name if no-sha
c24b7d1
@rizlik
test: ocsp: fix output file name in script
78ca784
@rizlik
test: gate ocsp test when SHA-1 is disabled
740fb6b 
tests blobs contains sha-1 hashes in certificate status
@rizlik
ocsp: populate digest type in cert_to_id
4016120 
- Added validation for digest type in `wolfSSL_OCSP_cert_to_id` function.
- Defined `OCSP_DIGEST` based on available hash types.
- Set `hashAlgoOID` in `certId` based on `OCSP_DIGEST`.
- Updated `asn.h` to define `OCSP_DIGEST` and `OCSP_DIGEST_SIZE` based on
  available hash types.
@rizlik
ocsp: support CERT_ID encoding in i2d_OCSP_CERTID
3bd4b35
@rizlik rizlik force-pushed the ocsp_fixes branch 5 times, most recently from ce26fea to 25891dd Compare February 25, 2025 19:26
@rizlik
asn: ocsp: refactor out CERT ID decoding
dfc5e61 
It will be reused in d2i_CERT_ID
@rizlik rizlik changed the title Ocsp fixes OCSP openssl compat fixes Feb 25, 2025
@rizlik rizlik marked this pull request as ready for review February 25, 2025 22:34
@douzzer
Copy link
Contributor

douzzer commented Feb 25, 2025

retest this please (org.jenkinsci.plugins.workflow.support.steps.AgentOfflineException)

@dgarske dgarske requested a review from SparkiDev February 26, 2025 00:58
douzzer
douzzer requested changes Feb 26, 2025
View reviewed changes
Copy link
Contributor

@douzzer douzzer left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fixes all the PQ tests I ran, but it breaks with --enable-sm2. I don't see the failures either without --enable-sm2, or on master, just on the combination.

FAILURES:
   750: test_wolfSSL_OCSP_id_get0_info
   759: test_wolfSSL_OCSP_REQ_CTX
   1090: test_ocsp_certid_enc_dec

Repro with --enable-all --enable-sm3 after moving SM3 sources into place from the wolfsm repo (needs wolfcrypt/src/sm2.c, wolfcrypt/src/sm2_asm.S, wolfcrypt/src/sp_sm2_x86_64.c, and wolfssl/wolfcrypt/sm2.h).

@dgarske dgarske requested a review from douzzer February 26, 2025 22:37
dgarske
dgarske requested changes Feb 26, 2025
View reviewed changes
dgarske
dgarske approved these changes Feb 26, 2025
View reviewed changes
Copy link
Contributor

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pushed fixes.

@dgarske dgarske assigned SparkiDev and unassigned SparkiDev Feb 26, 2025
@dgarske
Copy link
Contributor

dgarske commented Feb 26, 2025

Retest this please: "PRB-generic-config-parser" no console.

SparkiDev
SparkiDev requested changes Feb 27, 2025
View reviewed changes
src/ocsp.c
#ifdef WOLFSSL_SMALL_STACK
DecodedCert *cert = NULL;
#else
DecodedCert cert[1];
#endif

(void)dgst;
if (dgst == NULL) {
dgstType = WC_HASH_TYPE_SHA;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not OCSP_DIGEST?

src/ocsp.c
}

/* Encode CertID following RFC 6960 ASN.1 structure */
static int OcspEncodeCertID(WOLFSSL_OCSP_CERTID* id, byte* output, word32 size)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implementation can be combined with above.
Avoids two functions getting out of sync with each other.

src/ocsp.c
allocated = 1;
}

if (id->rawCertId != NULL) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Swap the condition check to match the code above.

src/ocsp.c
return -1;
}

if (data == NULL) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't do this here.
Return derSz when data is NULL after line 1427.
Code is similar enough that I can't see why not.

src/ocsp.c
cid = *cidOut;
FreeOcspEntry(cid, NULL);
} else {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

}
else {

@SparkiDev SparkiDev assigned rizlik and unassigned SparkiDev Feb 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SparkiDev SparkiDev SparkiDev requested changes

@dgarske dgarske dgarske approved these changes

@julek-wolfssl julek-wolfssl Awaiting requested review from julek-wolfssl

@douzzer douzzer Awaiting requested review from douzzer

Requested changes must be addressed to merge this pull request.

Assignees

@rizlik rizlik

@wolfSSL-Bot wolfSSL-Bot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@rizlik @douzzer @dgarske @SparkiDev @wolfSSL-Bot