Commit Graph

5433 Commits

Author SHA1 Message Date
Andres Amaya Garcia
4775cd3827 Parse top-level OCSP ResponseData
Populate the function x509_ocsp_get_response_data() with code that
parses the following ASN.1 structure:

   ResponseData ::= SEQUENCE {
      version              [0] EXPLICIT Version DEFAULT v1,
      responderID              ResponderID,
      producedAt               GeneralizedTime,
      responses                SEQUENCE OF SingleResponse,
      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }

x509_ocsp_get_response_data() will parse the top-level SEQUENCE and the
two EXPLICIT tags. It delegates the parsing of the individual
subcomponents to x509_ocsp_get_version(), x509_ocsp_get_responder_id(),
x509_ocsp_get_generalized_time(), x509_ocsp_get_responses() and
x509_ocsp_get_extensions().
2017-11-11 12:49:19 +00:00
Andres Amaya Garcia
8f1e390a36 Parse top-level components of BasicOCSPResponse
Populate the function x509_ocsp_get_response() that parses the top
level components of the following ASN.1 structure:

   BasicOCSPResponse       ::= SEQUENCE {
      tbsResponseData      ResponseData,
      signatureAlgorithm   AlgorithmIdentifier,
      signature            BIT STRING,
      certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

The top-level components correspond to the main SEQUENCE and the
EXPLICIT tag.
2017-11-11 12:49:19 +00:00
Andres Amaya Garcia
d4c37efeac Add informational string for OCSP response type 2017-11-11 12:49:19 +00:00
Andres Amaya Garcia
f4d32f695f Parse OCSP ResponseType OID
Parse the OCSP ResponseType OID contained in the ResponseBytes.
2017-11-11 12:49:19 +00:00
Andres Amaya Garcia
cd5d0aaa59 Add missing id-pkix-ocsp-basic OID for OCSP
Add missing id-pkix-ocsp-basic OID for ResponseType from RFC 6960
Section 4.2.
2017-11-11 12:49:19 +00:00
Andres Amaya Garcia
26db5fbe9b Parse ResponseBytes top-level from OCSP response
The added code removed the SEQUENCE component from the following ASN.1
structure:

   ResponseBytes ::=       SEQUENCE {
       responseType   OBJECT IDENTIFIER,
       response       OCTET STRING }

The parsing for responseType and response is delegated to
x509_ocsp_get_response_type() and x509_ocsp_get_response() respectively.
2017-11-11 12:44:26 +00:00
Andres Amaya Garcia
5f72ea8757 Document the general idea of the code in x509_ocsp.c 2017-11-11 12:44:26 +00:00
Andres Amaya Garcia
5ebc241bd4 Add informational string for OCSP response status 2017-11-11 12:44:26 +00:00
Andres Amaya Garcia
026e95a74d Parse the OCSP response status
Populate the function x509_ocsp_get_response_status() that parses the
OCSPResponseStatus:

   OCSPResponseStatus ::= ENUMERATED {
       successful            (0),  -- Response has valid confirmations
       malformedRequest      (1),  -- Illegal confirmation request
       internalError         (2),  -- Internal error in issuer
       tryLater              (3),  -- Try again later
                                   -- (4) is not used
       sigRequired           (5),  -- Must sign the request
       unauthorized          (6)   -- Request unauthorized
   }

The function writes the value into the resp_status field of the
mbedtls_x509_ocsp_response struct.
2017-11-11 12:44:26 +00:00
Andres Amaya Garcia
8252d7a249 Add OCSP parser doxygen docs and placeholder funcs
Add OCSP parser doxygen comments to x509_ocsp.h and placeholder init
and free functions that will be populated later in the development of
the feature
2017-11-11 12:44:26 +00:00
Andres Amaya Garcia
6def89e84e Parse the OCSPResponse top level components
Add parsing for the OCSPResponse top level components:

   OCSPResponse ::= SEQUENCE {
      responseStatus         OCSPResponseStatus,
      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

The added code does the following:

    1. Parse the top level SEQUENCE
    2. Call x509_ocsp_get_response_status() which will parse the
       responseStatus in the future
    3. If there is any data left in the buffer, parse the EXPLICIT
       tag and call x509_ocsp_get_response_bytes() which will parse
       the responseBytes in the future

At this stage, the main framework for the code is being set up. The idea
is that each function will parse the top level components of the ASN1
objects and hand over the parsing of each of the individual
sub-components to other functions. Also, note that each function is
responsible for checking that:

    1. At the beginning, there is enough space in the buffer p to parse
       whatever is being processed before end.
    2. Prior to returning, the length specified in the ASN1 encoding
       matches the number of bytes consumed from the buffer p.
    3. The lengths of any intermediate sub-components (such as EXPLICIT
       tags) parsed matches the number of bytes consumed by the called
       functions x509_ocsp_get_*().
2017-11-11 12:44:26 +00:00
Andres Amaya Garcia
22b1db8a4c Add OCSP parsing files as part of the X509 module
OCSP by itself is a protocol between an OCSP responder and a client.
The protocol messages are encoded in X.509 format, so I have created
the place-holder files x509_ocsp.c and x509_ocsp.h that will contain
the X.509 parser and verification for OCSP messages.
2017-11-11 12:44:26 +00:00
Andres Amaya Garcia
4cfdb54e2c Add bounds check for OCSP nocheck parsing in X509 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
b3cb72d72e Add docs to mbedtls_oid_get_authority_info_access() 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
f7a1646213 Add X509 authInfoAccess and OCSP noCheck ext tests 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
94be1592f4 Skip parsing unknown accessLocation in authInfoAcc 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
28681c6afd Parse NULL asn1 octet string in OCSP nocheck ext 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
998013caab Improve comments for OCSP no-check X509 extension 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
2c8546f8ad Print URI up to 127 characters in x509_crt.c 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
a05c5edebc Wrap lines at 79 chars long in x509_crt.c 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
23875e3297 Remove old TODO comments from x509_crt.c 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
994a028465 Free authority info access data in x509_crt struct 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
4e075e4f5c Add support for OCSP noCheck X509 extension 2017-11-11 12:43:16 +00:00
Andres Amaya Garcia
d6700fd019 Add support for AuthorityInfoAccess X509 extension 2017-11-11 12:43:16 +00:00
Simon Butcher
6f63db7ed5 Fix changelog for ssl_server2.c usage fix 2017-10-12 23:22:17 +01:00
Gilles Peskine
085c10afdb Allow comments in test data files 2017-10-12 23:22:17 +01:00
Andres Amaya Garcia
9fb02057a5 Fix typo in asn1.h 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia
60100d09ee Improve leap year test names in x509parse.data 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia
735b37eeef Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 23:21:37 +01:00
Janos Follath
b0f148c0ab Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-12 23:21:37 +01:00
Ron Eldor
73a381772b Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-12 23:21:37 +01:00
Gilles Peskine
8ca0e8fdff Minor style fix 2017-10-12 23:21:37 +01:00
Gilles Peskine
d98e9e8577 config.pl get: be better behaved
When printing an option's value, print a newline at the end.

When the requested option is missing, fail with status 1 (the usual
convention for "not found") rather than -1 (which has a
system-dependent effect).
2017-10-12 23:21:37 +01:00
Gilles Peskine
01f57e351c config.pl get: don't rewrite config.h; detect write errors
scripts/config.pl would always rewrite config.h if it was reading it.
This commit changes it to not modify the file when only reading is
required, i.e. for the get command.

Also, die if writing config.h fails (e.g. disk full).
2017-10-12 23:21:37 +01:00
Gilles Peskine
f0f55ccb72 Fixed "config.pl get" for options with no value
Between 2.5.0 and 2.6.0, "scripts/config.pl get MBEDTLS_XXX" was fixed
for config.h lines with a comment at the end, but that broke the case
of macros with an empty expansion. Support all cases.
2017-10-12 23:21:37 +01:00
Andres Amaya Garcia
bd9d42c236 Fix typo and bracketing in macro args 2017-10-12 23:21:37 +01:00
Gilles Peskine
4552bf7558 Allow comments in test data files 2017-10-12 23:20:56 +01:00
Andres Amaya Garcia
3f50f511de Ensure failed test_suite output is sent to stdout
The change modifies the template code in tests/suites/helpers.function
and tests/suites/main.function so that error messages are printed to
stdout instead of being discarded. This makes errors visible regardless
of the --verbose flag being passed or not to the test suite programs.
2017-10-07 18:15:28 +01:00
Andres Amaya Garcia
67d8da522f Remove use of GNU sed features from ssl-opt.sh 2017-10-06 11:59:13 +01:00
Andres Amaya Garcia
3b1bdff285 Fix typos in ssl-opt.sh comments 2017-10-06 11:59:13 +01:00
Andres Amaya Garcia
b84c40b12f Add ssl-opt.sh test to check gmt_unix_time is good
Add a test to ssl-opt.sh that parses the client and server debug
output and then checks that the Unix timestamp in the ServerHello
message is within acceptable bounds.
2017-10-06 11:59:13 +01:00
Andres Amaya Garcia
93993defd1 Extend ssl-opt.h so that run_test takes function
Extend the run_test function in ssl-opt.sh so that it accepts the -f
and -F options. These parameters take an argument which is the name of
a shell function that will be called by run_test and will be given the
client input and output debug log. The idea is that these functions are
defined by each test and they can be used to do some custom check
beyond those allowed by the pattern matching capabilities of the
run_test function.
2017-10-06 11:59:13 +01:00
Andres Amaya Garcia
6bce9cb5ac Always print gmt_unix_time in TLS client
Change ssl_parse_server_hello() so that the parsed first four random
bytes from the ServerHello message are printed by the TLS client as
a Unix timestamp regardless of whether MBEDTLS_DEBUG_C is defined. The
debug message will only be printed if debug_level is 3 or higher.

Unconditionally enabling the debug print enabled testing of this value.
2017-10-06 11:59:13 +01:00
Gilles Peskine
470edd031f Restored note about using minimum functionality in makefiles 2017-10-06 11:59:13 +01:00
Gilles Peskine
11cb578fda Note in README that GNU make is required
Our README claims that we only use basic Make functionality, but in
fact GNU make is required for conditional compilation. Document this.

Addresses issue #967
2017-10-06 11:59:13 +01:00
Simon Butcher
16373a5933 Fix changelog for ssl_server2.c usage fix 2017-10-06 11:59:13 +01:00
Ron Eldor
71f68c4043 Fix ssl_server2 sample application prompt
Fix the type of server_addr parameter from %d to %s.
Issue reported by Email by Bei Jin
2017-10-06 11:59:13 +01:00
Simon Butcher
2c4f9460ea Update ChangeLog for fix to #836 2017-10-06 11:59:13 +01:00
Hanno Becker
1a9a51c7cf Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-10-06 11:58:50 +01:00
Hanno Becker
0446a39744 Enhance documentation of mbedtls_ssl_set_hostname
(1) Add missing error condition
(2) Specify allowance and effect of NULL hostname parameter
(3) Describe effect of function on failure
2017-10-06 11:58:50 +01:00