Use OCSP verify callback for both 1.2 and 1.3

- Modify test to use the same callbacks for both 1.2 and 1.3
- Remove 1.3 staple accessor

Author: julek-wolfssl

doc/dox_comments/header_files/ssl.h

@@ -5559,19 +5559,7 @@ int wolfSSL_set_tlsext_status_ocsp_resp_multi(WOLFSSL* ssl, unsigned char *resp,
 /*!
     \ingroup OCSP
 
-    \brief Gets the OCSP status response for a specific certificate in TLS 1.3.
-
-    \param ssl The WOLFSSL session.
-    \param idx Index of the certificate chain.
-
-    \return Pointer to WOLFSSL_BUFFER_INFO containing the response, or NULL on error.
-*/
-WOLFSSL_BUFFER_INFO* wolfSSL_GetTls13OcspStatusResp(const WOLFSSL* ssl, word32 idx);
-
-/*!
-    \ingroup OCSP
-
-    \brief Sets a callback to verify the OCSP status response for TLS 1.2.
+    \brief Sets a callback to verify the OCSP status response.
 
     This callback is only useful when SESSION_CERTS is enabled.
 
@@ -5584,10 +5572,10 @@ WOLFSSL_BUFFER_INFO* wolfSSL_GetTls13OcspStatusResp(const WOLFSSL* ssl, word32 i
     _Example_
     \code
     void my_ocsp_verify_cb(WOLFSSL* ssl, int err, byte* resp, word32 respSz, word32 idx, void* arg) { ... }
-    wolfSSL_CTX_set_tls12_ocsp_status_verify_cb(ctx, my_ocsp_verify_cb, NULL);
+    wolfSSL_CTX_set_ocsp_status_verify_cb(ctx, my_ocsp_verify_cb, NULL);
     \endcode
 */
-void wolfSSL_CTX_set_tls12_ocsp_status_verify_cb(WOLFSSL_CTX* ctx, ocspVerifyStatusCb cb, void* cbArg);
+void wolfSSL_CTX_set_ocsp_status_verify_cb(WOLFSSL_CTX* ctx, ocspVerifyStatusCb cb, void* cbArg);
 
 /*!
     \ingroup Setup

src/internal.c

@@ -15683,14 +15683,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     #endif
                     }
 
-                    if (ret == 0) {
                 #ifdef HAVE_OCSP
+                    {
+                        /* If we are processing OCSP staples then always
+                         * initialize the corresponding request. */
+                        int ocspRet = 0;
                     #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
                         addToPendingCAs = 0;
                         if (ssl->options.side == WOLFSSL_CLIENT_END &&
                             ssl->status_request_v2 &&
                             TLSX_CSR2_IsMulti(ssl->extensions)) {
-                            ret = TLSX_CSR2_InitRequests(ssl->extensions,
+                            ocspRet = TLSX_CSR2_InitRequests(ssl->extensions,
                                                     args->dCert, 0, ssl->heap);
                             addToPendingCAs = 1;
                         }
@@ -15704,12 +15707,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                              * Server. Server side will check client
                              * certificates by traditional OCSP if enabled
                              */
-                            ret = TLSX_CSR_InitRequest_ex(ssl->extensions,
+                            ocspRet = TLSX_CSR_InitRequest_ex(ssl->extensions,
                                     args->dCert, ssl->heap, args->certIdx);
                         }
                         else
                     #endif
-                        if (SSL_CM(ssl)->ocspEnabled &&
+                        if (ret == 0 && SSL_CM(ssl)->ocspEnabled &&
                                             SSL_CM(ssl)->ocspCheckAll) {
                             WOLFSSL_MSG("Doing Non Leaf OCSP check");
                             ret = CheckCertOCSP_ex(SSL_CM(ssl)->ocsp,
@@ -15725,8 +15728,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                                 WOLFSSL_MSG("\tOCSP Lookup not ok");
                             }
                         }
+                        if (ocspRet != 0) {
+                            ret = ocspRet;
+                            WOLFSSL_ERROR_VERBOSE(ret);
+                            goto exit_ppc;
+                        }
+                    }
                 #endif /* HAVE_OCSP */
 
+                    if (ret == 0) {
                 #ifdef HAVE_CRL
                         if (SSL_CM(ssl)->crlEnabled &&
                                 SSL_CM(ssl)->crlCheckAll) {
@@ -16035,6 +16045,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
                     goto exit_ppc;
             #endif
+
+                /* Do verify callback. Don't call it on error as the callback
+                 * will still be called later. */
+                if (ret != 0)
+                    ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+
                 if (ret == 0) {
                     WOLFSSL_MSG("Verified Peer's cert");
                 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
@@ -16126,28 +16142,20 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     }
                     #endif
 
-                    if (ssl->verifyCallback) {
-                        WOLFSSL_MSG(
-                            "\tCallback override available, will continue");
-                        /* check if fatal error */
-                        args->fatal = (args->verifyErr) ? (word16)(1)
-                                                        : (word16)(0);
-                        if (args->fatal)
-                            DoCertFatalAlert(ssl, ret);
-                    }
                     #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
                     /* Disregard failure to verify peer cert, as we will verify
                      * the whole chain with the native API later */
-                    else if (ssl->ctx->doAppleNativeCertValidationFlag) {
+                    if (ssl->ctx->doAppleNativeCertValidationFlag) {
                         WOLFSSL_MSG("\tApple native CA validation override"
                                     " available, will continue");
                         /* check if fatal error */
                         args->fatal = (args->verifyErr) ? 1 : 0;
                         if (args->fatal)
                             DoCertFatalAlert(ssl, ret);
                     }
+                    else
                     #endif/*defined(__APPLE__)&& defined(WOLFSSL_SYS_CA_CERTS)*/
-                    else {
+                    {
                         WOLFSSL_MSG("\tNo callback override available, fatal");
                         args->fatal = 1;
                         DoCertFatalAlert(ssl, ret);

src/ssl.c

@@ -23045,7 +23045,7 @@ int wolfSSL_set_tlsext_status_ocsp_resp_multi(WOLFSSL* ssl, unsigned char *resp,
     return WOLFSSL_SUCCESS;
 }
 
-void wolfSSL_CTX_set_tls12_ocsp_status_verify_cb(WOLFSSL_CTX* ctx,
+void wolfSSL_CTX_set_ocsp_status_verify_cb(WOLFSSL_CTX* ctx,
         ocspVerifyStatusCb cb, void* cbArg)
 {
     if (ctx != NULL) {

src/tls13.c

@@ -8745,26 +8745,6 @@ static int SetupOcspResp(WOLFSSL* ssl)
 #endif
     return ret;
 }
-
-WOLFSSL_BUFFER_INFO* wolfSSL_GetTls13OcspStatusResp(const WOLFSSL* ssl,
-        word32 idx)
-{
-    TLSX* extension = NULL;
-    CertificateStatusRequest* csr = NULL;
-
-    WOLFSSL_ENTER("wolfSSL_GetTls13OcspStatusResp");
-
-    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version) ||
-            idx >= MAX_CERT_EXTENSIONS)
-        return NULL;
-
-    extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
-    csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
-    if (csr == NULL)
-        return NULL;
-
-    return &csr->responses[idx];
-}
 #endif
 
 /* handle generation TLS v1.3 certificate (11) */

tests/api/test_ocsp.c

@@ -662,7 +662,8 @@ int test_ocsp_certid_enc_dec(void)
 #if defined(HAVE_OCSP) && defined(WOLFSSL_CERT_SETUP_CB) && \
     defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && !defined(NO_RSA) && \
     (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
-     defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2))
+     defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) && \
+    defined(SESSION_CERTS)
 
 static struct {
     size_t chainLen;
@@ -792,15 +793,9 @@ static int test_ocsp_tls_cert_cb_verify_cb(int preverify,
 #endif
             ) {
         WOLFSSL_BUFFER_INFO* bInfo = &store->certs[idx];
-#if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST)
-        WOLFSSL* ssl = (WOLFSSL*)store->userCtx;
-        WOLFSSL_BUFFER_INFO* ocspStaple =
-                wolfSSL_GetTls13OcspStatusResp(ssl, (word32)idx);
-#endif
         WOLFSSL_CERT_MANAGER* cm = NULL;
         DecodedCert cert;
         byte certInit = 0;
-        WOLFSSL_OCSP* ocsp = NULL;
 
         ret = 1;
         cm = wolfSSL_CertManagerNew();
@@ -824,24 +819,6 @@ static int test_ocsp_tls_cert_cb_verify_cb(int preverify,
         if (ret == 1 && wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm) != 0)
             ret = 0;
 
-#if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST)
-        /* In this test we only expect a staple on the leaf cert */
-        if (wolfSSL_version(ssl) == TLS1_3_VERSION ||
-                wolfSSL_version(ssl) == DTLS1_3_VERSION) {
-            /* Verify OCSP with CA */
-            if (ret == 1 && (ocspStaple == NULL || ocspStaple->buffer == NULL ||
-                    ocspStaple->length == 0))
-                ret = 0;
-            if (ret == 1 && (ocsp = wc_NewOCSP(cm)) == NULL)
-                ret = 0;
-            if (ret == 1 &&
-                wc_CheckCertOcspResponse(ocsp, &cert, ocspStaple->buffer,
-                        ocspStaple->length, NULL) != 0)
-                ret = 0;
-        }
-#endif
-
-        wc_FreeOCSP(ocsp);
         if (certInit)
             wc_FreeDecodedCert(&cert);
         wolfSSL_CertManagerFree(cm);
@@ -850,7 +827,6 @@ static int test_ocsp_tls_cert_cb_verify_cb(int preverify,
     return ret;
 }
 
-#ifdef SESSION_CERTS
 static int test_ocsp_tls_cert_cb_ocsp_verify_cb(WOLFSSL* ssl, int err,
         byte* staple, word32 stapleSz, word32 idx, void* arg)
 {
@@ -899,7 +875,6 @@ static int test_ocsp_tls_cert_cb_ocsp_verify_cb(WOLFSSL* ssl, int err,
     }
     return err;
 }
-#endif
 
 static int test_ocsp_tls_cert_cb_ctx_ready(WOLFSSL_CTX* ctx)
 {
@@ -931,7 +906,7 @@ int test_ocsp_tls_cert_cb(void)
         byte useV2multi:1;
         byte maxFail:2;
     } params[] = {
-#if !defined(WOLFSSL_NO_TLS12) && defined(SESSION_CERTS)
+#if !defined(WOLFSSL_NO_TLS12)
         { wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLSv1_2", 0, 0, 1 },
         { wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLSv1_2", 1, 0, 1 },
         { wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLSv1_2", 1, 1, 1 },
@@ -1000,13 +975,9 @@ int test_ocsp_tls_cert_cb(void)
                 /* client: request stapling */
                 wolfSSL_set_verify(test_ctx.c_ssl, WOLFSSL_VERIFY_DEFAULT,
                         test_ocsp_tls_cert_cb_verify_cb);
-    #ifdef SESSION_CERTS
-                if (wolfSSL_version(test_ctx.c_ssl) == TLS1_2_VERSION ||
-                        wolfSSL_version(test_ctx.c_ssl) == DTLS1_2_VERSION) {
-                    wolfSSL_CTX_set_tls12_ocsp_status_verify_cb(test_ctx.c_ctx,
-                            test_ocsp_tls_cert_cb_ocsp_verify_cb, NULL);
-                }
-    #endif
+                wolfSSL_CTX_set_ocsp_status_verify_cb(test_ctx.c_ctx,
+                        test_ocsp_tls_cert_cb_ocsp_verify_cb, NULL);
+
                 /* No way to get ssl from the store without OPENSSL_EXTRA */
                 wolfSSL_SetCertCbCtx(test_ctx.c_ssl, test_ctx.c_ssl);
                 ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(test_ctx.c_ctx), WOLFSSL_SUCCESS);

wolfssl/ssl.h

@@ -5657,13 +5657,10 @@ WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *ssl, unsigned char
 WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *ssl, unsigned char *resp, int len);
 WOLFSSL_API int wolfSSL_set_tlsext_status_ocsp_resp_multi(WOLFSSL* ssl, unsigned char *resp,
         int len, word32 idx);
-#ifdef WOLFSSL_TLS13
-WOLFSSL_API WOLFSSL_BUFFER_INFO* wolfSSL_GetTls13OcspStatusResp(const WOLFSSL* ssl, word32 idx);
-#endif
 typedef int(*ocspVerifyStatusCb)(WOLFSSL* ssl, int err, byte* resp, word32 respSz,
         word32 idx, void* arg);
 /* This callback is only useful when SESSION_CERTS is enabled */
-WOLFSSL_API void wolfSSL_CTX_set_tls12_ocsp_status_verify_cb(WOLFSSL_CTX* ctx,
+WOLFSSL_API void wolfSSL_CTX_set_ocsp_status_verify_cb(WOLFSSL_CTX* ctx,
         ocspVerifyStatusCb cb, void* cbArg);
 #endif