Merge pull request #3164 from SparkiDev/tls13_ocsp2

TLS 1.3 server MUST NOT use OCSP Status V2
toddouska 2020-07-29 16:23:24 -07:00 committed by GitHub
commit 64f6dc08f7


@ -3528,14 +3528,19 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length,
return 0;
#endif
/* accept the first good status_type and return */
ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
/* TLS 1.3 servers MUST NOT act upon presence or information in
* this extension (RFC 8448 Section 4.4.2.1).
*/
if (!IsAtLeastTLSv1_3(ssl->version)) {
/* accept the first good status_type and return */
ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
status_type, 0, ssl->heap, ssl->devId);
if (ret != WOLFSSL_SUCCESS)
return ret; /* throw error */
if (ret != WOLFSSL_SUCCESS)
return ret; /* throw error */
TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2);
ssl->status_request_v2 = status_type;
TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2);
ssl->status_request_v2 = status_type;
}
return 0;
}
@ -10327,6 +10332,7 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef WOLFSSL_TLS13
#ifndef NO_CERTS
else if (msgType == certificate_request) {
/* Don't send out any extension except those that are turned off. */
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#if !defined(WOLFSSL_NO_SIGALG)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
@ -10421,6 +10427,7 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
#ifdef WOLFSSL_TLS13
#ifndef NO_CERTS
else if (msgType == certificate_request) {
/* Don't send out any extension except those that are turned off. */
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#if !defined(WOLFSSL_NO_SIGALG)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
@ -10524,6 +10531,7 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef WOLFSSL_TLS13
case encrypted_extensions:
/* Send out all extension except those that are turned on. */
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
@ -10534,6 +10542,9 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
#endif
#if defined(HAVE_SECURE_RENEGOTIATION)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_RENEGOTIATION_INFO));
#endif
@ -10553,6 +10564,7 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef WOLFSSL_TLS13
#ifndef NO_CERTS
case certificate:
/* Don't send out any extension except those that are turned off. */
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
/* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
@ -10640,6 +10652,7 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
#ifdef WOLFSSL_TLS13
case encrypted_extensions:
/* Send out all extension except those that are turned on. */
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
@ -10650,6 +10663,9 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
#endif
#if defined(HAVE_SECURE_RENEGOTIATION)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_RENEGOTIATION_INFO));
#endif
@ -10669,6 +10685,8 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
#ifdef WOLFSSL_TLS13
#ifndef NO_CERTS
case certificate:
/* Don't send out any extension except those that are turned
* off. */
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
/* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
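Review bot: The new comment in TLSX_CSR2_Parse (first hunk, the lines beginning "TLS 1.3 servers MUST NOT act upon presence or information in") cites the wrong document: RFC 8448 is the TLS 1.3 handshake-trace RFC, while the requirement that a server MUST NOT act on status_request_v2 is in RFC 8446 Section 4.4.2.1. Change the second comment line to `* this extension (RFC 8446 Section 4.4.2.1).` so the reference points at the normative text. This matters because the guard silently discards the client's status_type on TLS 1.3 and returns 0, so a maintainer checking why no error or response is produced will follow this citation. TLSX_CSR2_Parse begins outside the hunk, and this file section appears to continue past the last hunk shown.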