OCSP openssl compat fixes #8498

Open
wants to merge 10 commits into
base: master

@rizlik rizlik commented Feb 24, 2025

Description

  • Fix NO_SHA builds
  • Fix i2d and d2i CERT ID functions

Check that responderID.ByKey is exactly WC_SHA_DIGEST_SIZE as per RFC
6960. KEYID_SIZE can change across build configuration.
Test blobs contain SHA-1 hashes in certificate status
- Added validation for digest type in `wolfSSL_OCSP_cert_to_id` function.
- Defined `OCSP_DIGEST` based on available hash types.
- Set `hashAlgoOID` in `certId` based on `OCSP_DIGEST`.
- Updated `asn.h` to define `OCSP_DIGEST` and `OCSP_DIGEST_SIZE` based on
  available hash types.
@rizlik rizlik force-pushed the ocsp_fixes branch 5 times, most recently from ce26fea to 25891dd Compare February 25, 2025 19:26
It will be reused in d2i_CERT_ID
@rizlik rizlik changed the title Ocsp fixes OCSP openssl compat fixes Feb 25, 2025
@rizlik rizlik marked this pull request as ready for review February 25, 2025 22:34
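
The commit note above about `responderID.ByKey` refers to RFC 6960's `byKey [2] KeyHash`, where `KeyHash` is a SHA-1 digest and therefore always 20 bytes. The following is an added example, not wolfSSL code: `responder_id_by_key`, `der_len` and the sample buffers are hypothetical names, and the samples are constructed with zero-filled hash bytes. It shows a length check tied to the fixed digest size instead of a build-dependent constant.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_DIGEST_LEN 20 /* RFC 6960 KeyHash is a SHA-1 digest */

/* Constructed samples: [2] EXPLICIT { OCTET STRING }, hash bytes zero-filled. */
static const unsigned char SAMPLE_SHA1[24]   = { 0xA2, 0x16, 0x04, 0x14 };
static const unsigned char SAMPLE_32BYTE[36] = { 0xA2, 0x22, 0x04, 0x20 };
static const unsigned char SAMPLE_SLACK[25]  = { 0xA2, 0x17, 0x04, 0x14 };

/* Read one DER length (short form, or long form of 1-2 bytes) at buf[*idx]. */
static int der_len(const unsigned char *buf, size_t sz, size_t *idx, size_t *len)
{
    size_t n;
    if (*idx >= sz) return -1;
    *len = buf[(*idx)++];
    if (*len >= 0x80) {
        n = *len & 0x7F;
        if (n == 0 || n > 2 || sz - *idx < n) return -1;
        for (*len = 0; n > 0; n--) *len = (*len << 8) | buf[(*idx)++];
    }
    return (*len <= sz - *idx) ? 0 : -1; /* content must fit in the buffer */
}

/* Hypothetical helper: 0 if der is a byKey ResponderID with a 20-byte hash. */
int responder_id_by_key(const unsigned char *der, size_t sz, unsigned char *out)
{
    size_t idx = 0, outer, inner, end;
    if (sz == 0 || der[idx++] != 0xA2) return -1;      /* byKey is [2] */
    if (der_len(der, sz, &idx, &outer) != 0) return -1;
    end = idx + outer;
    if (idx >= end || der[idx++] != 0x04) return -1;   /* OCTET STRING */
    if (der_len(der, end, &idx, &inner) != 0) return -1;
    if (idx + inner != end) return -1;                 /* no slack in wrapper */
    if (inner != SHA1_DIGEST_LEN) return -1;           /* fixed, not build-dependent */
    if (out != NULL) memcpy(out, der + idx, inner);
    return 0;
}

int main(void)
{
    printf("sha1=%d 32byte=%d slack=%d\n",
           responder_id_by_key(SAMPLE_SHA1, sizeof SAMPLE_SHA1, NULL),
           responder_id_by_key(SAMPLE_32BYTE, sizeof SAMPLE_32BYTE, NULL),
           responder_id_by_key(SAMPLE_SLACK, sizeof SAMPLE_SLACK, NULL));
    return 0;
}
```

The 32-byte sample is what a check against a larger, configuration-dependent key ID size would accept; comparing against the fixed 20-byte digest length rejects it.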

douzzer commented Feb 25, 2025

retest this please (org.jenkinsci.plugins.workflow.support.steps.AgentOfflineException)

@douzzer douzzer left a comment

This fixes all the PQ tests I ran, but it breaks with --enable-sm3. I don't see the failures either without --enable-sm3, or on master, just on the combination.

FAILURES:
   750: test_wolfSSL_OCSP_id_get0_info
   759: test_wolfSSL_OCSP_REQ_CTX
   1090: test_ocsp_certid_enc_dec

Repro with --enable-all --enable-sm3 after moving SM3 sources into place from the wolfsm repo (needs wolfcrypt/src/sm3.c, wolfcrypt/src/sm3_asm.S, and wolfssl/wolfcrypt/sm3.h).

4 participants