I patched s_server to send a fake OCSP content (4 bytes). I suppose the server will just push that to the client and the client should fail complaining it's not a correct OCSP response. But the server crash with: ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed: s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
Command line used:
./openssl s_server -dtls1_2 -port 5684 -cipher
ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8
-CAfile ca.pem -cert server.pem -key server.key -chainCAfile bundle.pem
-status -status_verbose -mtu 1200
and
./openssl s_client -dtls1_2 -port 5684 -psk 73656372657450534b -host
localhost -cipher
ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8
-CAfile ca.pem -verify_hostname "IMEI:1234567890" -cert client.pem -key
client.key -chainCAfile bundle-client.pem -status
I attached also the test certificate and keys.
--
Julien Vermillard
On Mon, Aug 29, 2016 at 6:17 PM, Julien Vermillard <jvermill...@gmail.com>
wrote:
> It's a mix of C and Go, so it's really not minimal, but I'll try to modify
> s_server to see if I can reproduce it.
>
> --
> Julien Vermillard
>
> On Mon, Aug 29, 2016 at 6:13 PM, Matt Caswell <m...@openssl.org> wrote:
>
>>
>>
>> On 29/08/16 17:08, Julien Vermillard wrote:
>> > I have a DTLS 1.2 server based on last master (commit
>> > d196305aa0de1fc38837c27cb1ea6e60af9dd98d)
>> > I try to add ocsp stapling support (based on code in s_server.c).
>> >
>> > Basicaly in my callback I set the OCSP response by:
>> >
>> >
>> > if (SSL_set_tlsext_status_ocsp_resp(s,dataPtr,respLen) == 0) {
>> > return SSL_TLSEXT_ERR_NOACK;
>> > } else {
>> > return SSL_TLSEXT_ERR_OK;
>> > }
>> >
>> > but if my server manage to get an OCSP response it crash with this
>> message:
>> >
>> > ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed:
>> > s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
>> >
>> > Any clue?
>>
>> Do you have some minimal reproducer?
>>
>> Matt
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
>
From f5afc5b32768902ed24a476098cfd121af1d8cb0 Mon Sep 17 00:00:00 2001
From: Julien Vermillard <jvermill...@sierrawireless.com>
Date: Mon, 29 Aug 2016 18:28:25 +0200
Subject: [PATCH] simple response
---
apps/s_server.c | 113 ++++++--------------------------------------------------
1 file changed, 11 insertions(+), 102 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index 742cb83..4978fe9 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -472,111 +472,20 @@ static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 };
static int cert_status_cb(SSL *s, void *arg)
{
- tlsextstatusctx *srctx = arg;
- char *host = NULL, *port = NULL, *path = NULL;
- int use_ssl;
- unsigned char *rspder = NULL;
- int rspderlen;
- STACK_OF(OPENSSL_STRING) *aia = NULL;
- X509 *x = NULL;
- X509_STORE_CTX *inctx = NULL;
- X509_OBJECT *obj;
- OCSP_REQUEST *req = NULL;
- OCSP_RESPONSE *resp = NULL;
- OCSP_CERTID *id = NULL;
- STACK_OF(X509_EXTENSION) *exts;
- int ret = SSL_TLSEXT_ERR_NOACK;
- int i;
+ unsigned char* testBuff = OPENSSL_malloc(4);
+ testBuff[0] = 1;
+ testBuff[1] = 2;
+ testBuff[2] = 3;
+ testBuff[3] = 4;
- if (srctx->verbose)
- BIO_puts(bio_err, "cert_status: callback called\n");
- /* Build up OCSP query from server certificate */
- x = SSL_get_certificate(s);
- aia = X509_get1_ocsp(x);
- if (aia) {
- if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
- &host, &port, &path, &use_ssl)) {
- BIO_puts(bio_err, "cert_status: can't parse AIA URL\n");
- goto err;
- }
- if (srctx->verbose)
- BIO_printf(bio_err, "cert_status: AIA URL: %s\n",
- sk_OPENSSL_STRING_value(aia, 0));
- } else {
- if (!srctx->host) {
- BIO_puts(bio_err,
- "cert_status: no AIA and no default responder URL\n");
- goto done;
- }
- host = srctx->host;
- path = srctx->path;
- port = srctx->port;
- use_ssl = srctx->use_ssl;
- }
- inctx = X509_STORE_CTX_new();
- if (inctx == NULL)
- goto err;
- if (!X509_STORE_CTX_init(inctx,
- SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
- NULL, NULL))
- goto err;
- obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509,
- X509_get_issuer_name(x));
- if (obj == NULL) {
- BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
- goto done;
- }
- id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
- X509_OBJECT_free(obj);
- if (!id)
- goto err;
- req = OCSP_REQUEST_new();
- if (req == NULL)
- goto err;
- if (!OCSP_request_add0_id(req, id))
- goto err;
- id = NULL;
- /* Add any extensions to the request */
- SSL_get_tlsext_status_exts(s, &exts);
- for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
- X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
- if (!OCSP_REQUEST_add_ext(req, ext, -1))
- goto err;
- }
- resp = process_responder(req, host, path, port, use_ssl, NULL,
- srctx->timeout);
- if (!resp) {
- BIO_puts(bio_err, "cert_status: error querying responder\n");
- goto done;
- }
- rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
- if (rspderlen <= 0)
- goto err;
- SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
- if (srctx->verbose) {
- BIO_puts(bio_err, "cert_status: ocsp response sent:\n");
- OCSP_RESPONSE_print(bio_err, resp, 2);
- }
- ret = SSL_TLSEXT_ERR_OK;
- goto done;
+ if (SSL_set_tlsext_status_ocsp_resp(s, testBuff, 4) == 0) {
+ printf("noki\n");
+ } else {
+ printf("oki\n");
+ }
- err:
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- done:
- if (ret != SSL_TLSEXT_ERR_OK)
- ERR_print_errors(bio_err);
- if (aia) {
- OPENSSL_free(host);
- OPENSSL_free(path);
- OPENSSL_free(port);
- X509_email_free(aia);
- }
- OCSP_CERTID_free(id);
- OCSP_REQUEST_free(req);
- OCSP_RESPONSE_free(resp);
- X509_STORE_CTX_free(inctx);
- return ret;
+ return SSL_TLSEXT_ERR_OK;
}
#endif
--
2.7.4
bundle.pem
Description: application/x509-ca-cert
ca.pem
Description: application/x509-ca-cert
server.key
Description: application/iwork-keynote-sffkey
server.pem
Description: application/x509-ca-cert
bundle-client.pem
Description: application/x509-ca-cert
client.key
Description: application/iwork-keynote-sffkey
client.pem
Description: application/x509-ca-cert
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
