mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-06-27 15:43:42 +08:00
Fix bugs
This commit is contained in:
Zhi Guan
@@ -821,7 +821,7 @@ endif()
|
|||||||
#
|
#
|
||||||
set(CPACK_PACKAGE_NAME "GmSSL")
|
set(CPACK_PACKAGE_NAME "GmSSL")
|
||||||
set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
|
set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
|
||||||
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1104")
|
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1105")
|
||||||
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
|
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
|
||||||
set(CPACK_NSIS_MODIFY_PATH ON)
|
set(CPACK_NSIS_MODIFY_PATH ON)
|
||||||
include(CPack)
|
include(CPack)
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ extern "C" {
|
|||||||
|
|
||||||
|
|
||||||
#define GMSSL_VERSION_NUM 30200
|
#define GMSSL_VERSION_NUM 30200
|
||||||
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1104"
|
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1105"
|
||||||
|
|
||||||
int gmssl_version_num(void);
|
int gmssl_version_num(void);
|
||||||
const char *gmssl_version_str(void);
|
const char *gmssl_version_str(void);
|
||||||
|
|||||||
31
src/ocsp.c
31
src/ocsp.c
@@ -19,6 +19,35 @@
|
|||||||
#include <gmssl/http.h>
|
#include <gmssl/http.h>
|
||||||
#include <gmssl/ocsp.h>
|
#include <gmssl/ocsp.h>
|
||||||
|
|
||||||
|
/*
|
||||||
|
TLS客户端验证OCSPResponse签发证书的逻辑
|
||||||
|
|
||||||
|
假定证书链是 EE <= CA1 <= CA2 <= RootCA
|
||||||
|
|
||||||
|
* 如果 OCSPResponse 包含 BasicOCSPResponse.certs,那么优先使用这个证书
|
||||||
|
这个证书是 Responder 的证书,关系是
|
||||||
|
ResponderCert <= CA1
|
||||||
|
也就是这个证书和EE是兄弟证书
|
||||||
|
Responder 证书必须包含扩展 Extended Key Usage: id-kp-OCSPSigning
|
||||||
|
|
||||||
|
* 如果 OCSPResponse 没有包含证书,那么就用 CA1 证书
|
||||||
|
|
||||||
|
客户端在验证的时候可以根据 keyHash, IssuerHash, serial等对比确认OCSP的签名证书
|
||||||
|
|
||||||
|
|
||||||
|
对于命令行工具
|
||||||
|
|
||||||
|
* OCSPReponder 中包含了 代理Responder证书
|
||||||
|
那么命令行用网站证书链中的CA1去验证ResponderCert
|
||||||
|
并且也验证网站证书链保证这个证书链是正确的
|
||||||
|
|
||||||
|
* 如果没包含代理Responder证书,但是命令行参数中提供了一个 Responder证书,那么也是执行相同的逻辑
|
||||||
|
|
||||||
|
* 如果没有Responder证书,就用CA1证书验证
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
static const char *ocsp_cert_status_name(int status)
|
static const char *ocsp_cert_status_name(int status)
|
||||||
{
|
{
|
||||||
@@ -34,8 +63,6 @@ static const char *ocsp_cert_status_name(int status)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
int ocsp_request_item_to_der(int hash_algor,
|
int ocsp_request_item_to_der(int hash_algor,
|
||||||
const uint8_t *issuer_name_hash, size_t issuer_name_hash_len,
|
const uint8_t *issuer_name_hash, size_t issuer_name_hash_len,
|
||||||
const uint8_t *issuer_key_hash, size_t issuer_key_hash_len,
|
const uint8_t *issuer_key_hash, size_t issuer_key_hash_len,
|
||||||
|
|||||||
@@ -2558,8 +2558,7 @@ int tls_send_server_hello_done(TLS_CONNECT *conn)
|
|||||||
int tls_recv_client_certificate(TLS_CONNECT *conn)
|
int tls_recv_client_certificate(TLS_CONNECT *conn)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
const int verify_depth = 5;
|
int verify_result = 0;
|
||||||
int verify_result;
|
|
||||||
|
|
||||||
if(conn->verbose) tls_trace("recv ClientCertificate\n");
|
if(conn->verbose) tls_trace("recv ClientCertificate\n");
|
||||||
|
|
||||||
@@ -2588,7 +2587,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn)
|
|||||||
if (x509_certs_verify(conn->client_certs, conn->client_certs_len, X509_cert_chain_client,
|
if (x509_certs_verify(conn->client_certs, conn->client_certs_len, X509_cert_chain_client,
|
||||||
conn->ctx->cacerts, conn->ctx->cacertslen, NULL, 0,
|
conn->ctx->cacerts, conn->ctx->cacertslen, NULL, 0,
|
||||||
NULL, 0,
|
NULL, 0,
|
||||||
verify_depth, &verify_result) != 1) {
|
conn->ctx->verify_depth, &verify_result) != 1) {
|
||||||
error_print();
|
error_print();
|
||||||
tls_send_alert(conn, TLS_alert_bad_certificate);
|
tls_send_alert(conn, TLS_alert_bad_certificate);
|
||||||
return -1;
|
return -1;
|
||||||
|
|||||||
@@ -1949,7 +1949,7 @@ static int x509_cert_check_optional_ocsp(const uint8_t *cert, size_t certlen,
|
|||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
|
int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
|
||||||
const uint8_t *rootcerts, size_t rootcertslen,
|
const uint8_t *rootcerts, size_t rootcertslen,
|
||||||
const uint8_t *crl, size_t crl_len,
|
const uint8_t *crl, size_t crl_len,
|
||||||
@@ -2094,6 +2094,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// 只有 TLCP 的服务器证书链才是双证书,客户端证书和TLS12是一样的
|
||||||
int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type,
|
int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type,
|
||||||
const uint8_t *rootcerts, size_t rootcertslen,
|
const uint8_t *rootcerts, size_t rootcertslen,
|
||||||
const uint8_t *crl, size_t crl_len,
|
const uint8_t *crl, size_t crl_len,
|
||||||
@@ -2119,10 +2120,6 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
|
|||||||
sign_cert_type = X509_cert_server_auth;
|
sign_cert_type = X509_cert_server_auth;
|
||||||
kenc_cert_type = X509_cert_server_key_encipher;
|
kenc_cert_type = X509_cert_server_key_encipher;
|
||||||
break;
|
break;
|
||||||
case X509_cert_chain_client:
|
|
||||||
sign_cert_type = X509_cert_server_auth;
|
|
||||||
kenc_cert_type = X509_cert_server_key_encipher;
|
|
||||||
break;
|
|
||||||
default:
|
default:
|
||||||
error_print();
|
error_print();
|
||||||
return -1;
|
return -1;
|
||||||
|
|||||||
Reference in New Issue
Block a user