I patched s_server to send fake OCSP content (4 bytes). I supposed the server would just push that to the client, and that the client would fail, complaining that it is not a correct OCSP response. Instead, the server crashes with: ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed: s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
Command line used: ./openssl s_server -dtls1_2 -port 5684 -cipher ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8 -CAfile ca.pem -cert server.pem -key server.key -chainCAfile bundle.pem -status -status_verbose -mtu 1200 and ./openssl s_client -dtls1_2 -port 5684 -psk 73656372657450534b -host localhost -cipher ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8 -CAfile ca.pem -verify_hostname "IMEI:1234567890" -cert client.pem -key client.key -chainCAfile bundle-client.pem -status I attached also the test certificate and keys. -- Julien Vermillard On Mon, Aug 29, 2016 at 6:17 PM, Julien Vermillard <jvermill...@gmail.com> wrote: > It's a mix of C and Go, so it's really not minimal, but I'll try to modify > s_server to see if I can reproduce it. > > -- > Julien Vermillard > > On Mon, Aug 29, 2016 at 6:13 PM, Matt Caswell <m...@openssl.org> wrote: > >> >> >> On 29/08/16 17:08, Julien Vermillard wrote: >> > I have a DTLS 1.2 server based on last master (commit >> > d196305aa0de1fc38837c27cb1ea6e60af9dd98d) >> > I try to add ocsp stapling support (based on code in s_server.c). >> > >> > Basicaly in my callback I set the OCSP response by: >> > >> > >> > if (SSL_set_tlsext_status_ocsp_resp(s,dataPtr,respLen) == 0) { >> > return SSL_TLSEXT_ERR_NOACK; >> > } else { >> > return SSL_TLSEXT_ERR_OK; >> > } >> > >> > but if my server manage to get an OCSP response it crash with this >> message: >> > >> > ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed: >> > s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH >> > >> > Any clue? >> >> Do you have some minimal reproducer? >> >> Matt >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > >
From f5afc5b32768902ed24a476098cfd121af1d8cb0 Mon Sep 17 00:00:00 2001
From: Julien Vermillard <jvermill...@sierrawireless.com>
Date: Mon, 29 Aug 2016 18:28:25 +0200
Subject: [PATCH] simple response
---
apps/s_server.c | 113 ++++++--------------------------------------------------
1 file changed, 11 insertions(+), 102 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index 742cb83..4978fe9 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -472,111 +472,20 @@ static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 }; static int cert_status_cb(SSL *s, void *arg) { - tlsextstatusctx *srctx = arg; - char *host = NULL, *port = NULL, *path = NULL; - int use_ssl; - unsigned char *rspder = NULL; - int rspderlen; - STACK_OF(OPENSSL_STRING) *aia = NULL; - X509 *x = NULL; - X509_STORE_CTX *inctx = NULL; - X509_OBJECT *obj; - OCSP_REQUEST *req = NULL; - OCSP_RESPONSE *resp = NULL; - OCSP_CERTID *id = NULL; - STACK_OF(X509_EXTENSION) *exts; - int ret = SSL_TLSEXT_ERR_NOACK; - int i; + unsigned char* testBuff = OPENSSL_malloc(4); + testBuff[0] = 1; + testBuff[1] = 2; + testBuff[2] = 3; + testBuff[3] = 4; - if (srctx->verbose) - BIO_puts(bio_err, "cert_status: callback called\n"); - /* Build up OCSP query from server certificate */ - x = SSL_get_certificate(s); - aia = X509_get1_ocsp(x); - if (aia) { - if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), - &host, &port, &path, &use_ssl)) { - BIO_puts(bio_err, "cert_status: can't parse AIA URL\n"); - goto err; - } - if (srctx->verbose) - BIO_printf(bio_err, "cert_status: AIA URL: %s\n", - sk_OPENSSL_STRING_value(aia, 0)); - } else { - if (!srctx->host) { - BIO_puts(bio_err, - "cert_status: no AIA and no default responder URL\n"); - goto done; - } - host = srctx->host; - path = srctx->path; - port = srctx->port; - use_ssl = srctx->use_ssl; - } - inctx = X509_STORE_CTX_new(); - if (inctx == NULL) - goto err; - if (!X509_STORE_CTX_init(inctx, - SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), - NULL, NULL)) - goto err; - obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509, - X509_get_issuer_name(x)); - if (obj == NULL) { - BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n"); - goto done; - } - id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj)); - X509_OBJECT_free(obj); - if (!id) - goto err; - req = OCSP_REQUEST_new(); - if (req == NULL) - goto err; - if (!OCSP_request_add0_id(req, id)) - goto err; - id = NULL; - /* Add any 
extensions to the request */ - SSL_get_tlsext_status_exts(s, &exts); - for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { - X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); - if (!OCSP_REQUEST_add_ext(req, ext, -1)) - goto err; - } - resp = process_responder(req, host, path, port, use_ssl, NULL, - srctx->timeout); - if (!resp) { - BIO_puts(bio_err, "cert_status: error querying responder\n"); - goto done; - } - rspderlen = i2d_OCSP_RESPONSE(resp, &rspder); - if (rspderlen <= 0) - goto err; - SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen); - if (srctx->verbose) { - BIO_puts(bio_err, "cert_status: ocsp response sent:\n"); - OCSP_RESPONSE_print(bio_err, resp, 2); - } - ret = SSL_TLSEXT_ERR_OK; - goto done; + if (SSL_set_tlsext_status_ocsp_resp(s, testBuff, 4) == 0) { + printf("noki\n"); + } else { + printf("oki\n"); + } - err: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - done: - if (ret != SSL_TLSEXT_ERR_OK) - ERR_print_errors(bio_err); - if (aia) { - OPENSSL_free(host); - OPENSSL_free(path); - OPENSSL_free(port); - X509_email_free(aia); - } - OCSP_CERTID_free(id); - OCSP_REQUEST_free(req); - OCSP_RESPONSE_free(resp); - X509_STORE_CTX_free(inctx); - return ret; + return SSL_TLSEXT_ERR_OK; } #endif -- 2.7.4
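Review bot: The buffer from `OPENSSL_malloc(4)` is written through without a NULL check, and the callback returns `SSL_TLSEXT_ERR_OK` even on the branch where `SSL_set_tlsext_status_ocsp_resp` returned 0, so a failed allocation or a failed set is still reported to the handshake as a staple being available. I would add `if (testBuff == NULL) return SSL_TLSEXT_ERR_ALERT_FATAL;` after the allocation and make the failure branch `OPENSSL_free(testBuff); return SSL_TLSEXT_ERR_NOACK;`, matching the NOACK handling quoted earlier in the thread; on success the library is documented to take ownership of the buffer, so it must not be freed there. A comment such as `/* deliberately malformed 4-byte staple: reproducer only, not a valid OCSP response */` above the buffer would keep this from being mistaken for usable stapling code. The diagnostics also go to stdout through `printf` where the removed code used `BIO_puts(bio_err, ...)`.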
bundle.pem
Description: application/x509-ca-cert
ca.pem
Description: application/x509-ca-cert
server.key
Description: application/iwork-keynote-sffkey
server.pem
Description: application/x509-ca-cert
bundle-client.pem
Description: application/x509-ca-cert
client.key
Description: application/iwork-keynote-sffkey
client.pem
Description: application/x509-ca-cert