Bug #116795 for Net-SSLeay: OCSP broken in 1.75+ - patch included

forgot the new patch

Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 477) +++ SSLeay.xs (working copy) @@ -6011,7 +6011,7 @@ X509 *issuer; X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1); if ( (issuer = find_issuer(last,store,chain))) { - OCSP_basic_add1_cert(bsr, X509_dup(issuer)); + OCSP_basic_add1_cert(bsr, issuer); TRACE(1,"run OCSP_basic_verify with issuer for last chain element"); RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); } @@ -6058,11 +6058,8 @@ goto end; } int first = OCSP_resp_find(bsr, certid, -1); /* Find the first matching */ - if (first >= 0) - { - sir = OCSP_resp_get0(bsr,first); - break; - } + if (first >= 0) + sir = OCSP_resp_get0(bsr,first); } int status, revocationReason; @@ -6073,7 +6070,8 @@ status = OCSP_single_get0_status(sir, &revocationReason, &revocationTime, &thisupdate, &nextupdate); #else status = sir->certStatus->type; - revocationTime = sir->certStatus->value.revoked->revocationTime; + if (status == V_OCSP_CERTSTATUS_REVOKED) + revocationTime = sir->certStatus->value.revoked->revocationTime; thisupdate = sir->thisUpdate; nextupdate = sir->nextUpdate; #endif Index: t/external/ocsp.t =================================================================== --- t/external/ocsp.t (revision 477) +++ t/external/ocsp.t (working copy) @@ -16,7 +16,7 @@ # this should give us OCSP stapling host => 'www.live.com', port => 443, - fingerprint => '10c56ee9e2acaf2e77caeb7072bf6522dd7422b8', + fingerprint => '0e37dc9b320d2526e93e360a26c824b202d1f3af', ocsp_staple => 1, expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, @@ -24,7 +24,7 @@ # no OCSP stapling yet host => 'www.google.com', port => 443, - fingerprint => '007a5ab302f14446e2ea24d3a829de22ba1bf950', + fingerprint => '89380c438a076d9d5fac228a8f680ff452487f30', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { @@ -31,12 +31,13 @@ # this is revoked host => 'revoked.grc.com', port => 443, - fingerprint => '34703c40093461ad3ce087e161c7b7f42abe770c', + fingerprint => '310665f4c8e78db761c764e798dca66047341264', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_REVOKED(), }, ); -plan tests => 0+@tests; +my $release_tests = $ENV{RELEASE_TESTING} && 1; +plan tests => $release_tests + @tests; my $timeout = 10; # used to TCP connect and SSL connect @@ -50,6 +51,12 @@ TEST: +my $skipped = 0; +sub skip_unless_release { + $skipped++ if $release_tests; + goto &skip; +} + for my $test (@tests) { my $cleanup = __cleanup__->new; SKIP: { @@ -114,8 +121,9 @@ my $fp = $leaf_cert && unpack("H*",Net::SSLeay::X509_digest($leaf_cert,$sha1)); skip "could not get fingerprint",1 if !$fp; - skip "bad fingerprint $fp for $test->{host}:$test->{port}",1 - if $fp ne $test->{fingerprint}; + skip_unless_release( + "bad fingerprint $fp for $test->{host}:$test->{port} - expected $test->{fingerprint}, got $fp", + 1) if $fp ne $test->{fingerprint}; diag("fingerprint matches"); if ( $test->{ocsp_staple} && ! $stapled_response ) { @@ -225,6 +233,8 @@ } } +is($skipped,0,"skipped critical tests for release") if $release_tests; + { # cleanup stuff when going out of scope package __cleanup__;

Am Do 11. Aug 2016, 07:04:14, mikem@airspayce.com schrieb: Show quoted text
I see, the output from 'make test' does not include the reasons why tests got skipped. I've tested before with perl -Mblib and there it showed up. I've now adapted the test so that it uses diag() and it looks like this shows up in 'make test'. Apart from that it looks like that both live.com and google.com use different certificates in different parts of the world (i.e. based on target IP address) which made the test work for me but not for you :(. I've now switched to different hosts although it is hard to find a host which supports OCSP stapling. Attached is a new patch, this time for the test only. Regards, Steffen

Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 477) +++ SSLeay.xs (working copy) @@ -6011,7 +6011,7 @@ X509 *issuer; X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1); if ( (issuer = find_issuer(last,store,chain))) { - OCSP_basic_add1_cert(bsr, X509_dup(issuer)); + OCSP_basic_add1_cert(bsr, issuer); TRACE(1,"run OCSP_basic_verify with issuer for last chain element"); RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); } @@ -6058,11 +6058,8 @@ goto end; } int first = OCSP_resp_find(bsr, certid, -1); /* Find the first matching */ - if (first >= 0) - { - sir = OCSP_resp_get0(bsr,first); - break; - } + if (first >= 0) + sir = OCSP_resp_get0(bsr,first); } int status, revocationReason; @@ -6073,7 +6070,8 @@ status = OCSP_single_get0_status(sir, &revocationReason, &revocationTime, &thisupdate, &nextupdate); #else status = sir->certStatus->type; - revocationTime = sir->certStatus->value.revoked->revocationTime; + if (status == V_OCSP_CERTSTATUS_REVOKED) + revocationTime = sir->certStatus->value.revoked->revocationTime; thisupdate = sir->thisUpdate; nextupdate = sir->nextUpdate; #endif Index: t/external/ocsp.t =================================================================== --- t/external/ocsp.t (revision 477) +++ t/external/ocsp.t (working copy) @@ -14,17 +14,17 @@ my @tests = ( { # this should give us OCSP stapling - host => 'www.live.com', + host => 'www.microsoft.com', port => 443, - fingerprint => '10c56ee9e2acaf2e77caeb7072bf6522dd7422b8', + fingerprint => '5f0b37e633840ca02468552ea3b1197e5e118f7b', ocsp_staple => 1, expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { - # no OCSP stapling yet - host => 'www.google.com', + # no OCSP stapling + host => 'www.spiegel.de', port => 443, - fingerprint => '007a5ab302f14446e2ea24d3a829de22ba1bf950', + fingerprint => 'ad737048455485d8c817b7d0f7403553a7b9f65b', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { @@ -31,12 +31,13 @@ # this is revoked host => 'revoked.grc.com', port => 443, - fingerprint => '34703c40093461ad3ce087e161c7b7f42abe770c', + fingerprint => '310665f4c8e78db761c764e798dca66047341264', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_REVOKED(), }, ); -plan tests => 0+@tests; +my $release_tests = $ENV{RELEASE_TESTING} ? 1:0; +plan tests => $release_tests + @tests; my $timeout = 10; # used to TCP connect and SSL connect @@ -50,6 +51,7 @@ TEST: +my @fp_mismatch; for my $test (@tests) { my $cleanup = __cleanup__->new; SKIP: { @@ -114,8 +116,11 @@ my $fp = $leaf_cert && unpack("H*",Net::SSLeay::X509_digest($leaf_cert,$sha1)); skip "could not get fingerprint",1 if !$fp; - skip "bad fingerprint $fp for $test->{host}:$test->{port}",1 - if $fp ne $test->{fingerprint}; + if ($fp ne $test->{fingerprint}) { + push @fp_mismatch, [ $fp,$test ]; + skip("bad fingerprint for $test->{host}:$test->{port} -". + " expected $test->{fingerprint}, got $fp",1) + } diag("fingerprint matches"); if ( $test->{ocsp_staple} && ! $stapled_response ) { @@ -225,6 +230,19 @@ } } +if ($release_tests) { + if (!@fp_mismatch) { + pass("all fingerprints matched"); + } else { + for(@fp_mismatch) { + my ($fp,$test) = @$_; + diag("fingerprint mismatch for $test->{host}:$test->{port} -". + " expected $test->{fingerprint}, got $fp") + } + fail("some fingerprints did not matched - please adjust test"); + } +} + { # cleanup stuff when going out of scope package __cleanup__;

Show quoted text
I've tried with 1.0.2c, 1.1.0, 1.0.0d, 1.0.2g-fips (ubuntu) so there is at least some overlap in the versions. Since it fails in OCSP_CERTIDs with "cannot find issuer to certificate" it might be that you have different CA storage setup with the different OpenSSL versions and that some of the CA storage don't contain the necessary root certificate. This might happen if you have sometimes Mozilla::CA installed and sometimes not, in which case it will use the default store. On the other hand it has certificate validation enabled when connecting, i.e. in case of missing root-CA it should have been skipped this test because the connection failed. Very strange indeed. Show quoted text
That happened because I've inadvertently placed a variable declaration between the label and the for loop and thus the label got not associated with the loop anymore. This is fixed within the attached patch.

Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 477) +++ SSLeay.xs (working copy) @@ -5916,7 +5916,7 @@ if (X509_check_issued(cert,cert) == X509_V_OK) croak("no OCSP request for self-signed certificate"); if (!(issuer = find_issuer(cert,store,chain))) - croak("cannot find issuer to certificate"); + croak("cannot find issuer certificate"); if (!(id = OCSP_cert_to_id(EVP_sha1(),cert,issuer))) croak("out of memory for generating OCSO certid"); if (!(len = i2d_OCSP_CERTID(id,NULL))) @@ -6011,7 +6011,7 @@ X509 *issuer; X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1); if ( (issuer = find_issuer(last,store,chain))) { - OCSP_basic_add1_cert(bsr, X509_dup(issuer)); + OCSP_basic_add1_cert(bsr, issuer); TRACE(1,"run OCSP_basic_verify with issuer for last chain element"); RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); } @@ -6058,11 +6058,8 @@ goto end; } int first = OCSP_resp_find(bsr, certid, -1); /* Find the first matching */ - if (first >= 0) - { - sir = OCSP_resp_get0(bsr,first); - break; - } + if (first >= 0) + sir = OCSP_resp_get0(bsr,first); } int status, revocationReason; @@ -6073,7 +6070,8 @@ status = OCSP_single_get0_status(sir, &revocationReason, &revocationTime, &thisupdate, &nextupdate); #else status = sir->certStatus->type; - revocationTime = sir->certStatus->value.revoked->revocationTime; + if (status == V_OCSP_CERTSTATUS_REVOKED) + revocationTime = sir->certStatus->value.revoked->revocationTime; thisupdate = sir->thisUpdate; nextupdate = sir->nextUpdate; #endif Index: t/external/ocsp.t =================================================================== --- t/external/ocsp.t (revision 477) +++ t/external/ocsp.t (working copy) @@ -14,17 +14,17 @@ my @tests = ( { # this should give us OCSP stapling - host => 'www.live.com', + host => 'www.microsoft.com', port => 443, - fingerprint => '10c56ee9e2acaf2e77caeb7072bf6522dd7422b8', + fingerprint => '5f0b37e633840ca02468552ea3b1197e5e118f7b', ocsp_staple => 1, expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { - # no OCSP stapling yet - host => 'www.google.com', + # no OCSP stapling + host => 'www.spiegel.de', port => 443, - fingerprint => '007a5ab302f14446e2ea24d3a829de22ba1bf950', + fingerprint => 'ad737048455485d8c817b7d0f7403553a7b9f65b', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { @@ -31,12 +31,13 @@ # this is revoked host => 'revoked.grc.com', port => 443, - fingerprint => '34703c40093461ad3ce087e161c7b7f42abe770c', + fingerprint => '310665f4c8e78db761c764e798dca66047341264', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_REVOKED(), }, ); -plan tests => 0+@tests; +my $release_tests = $ENV{RELEASE_TESTING} ? 1:0; +plan tests => $release_tests + @tests; my $timeout = 10; # used to TCP connect and SSL connect @@ -48,8 +49,9 @@ Net::SSLeay::SSLeay_add_ssl_algorithms(); my $sha1 = Net::SSLeay::EVP_get_digestbyname('sha1'); + +my @fp_mismatch; TEST: - for my $test (@tests) { my $cleanup = __cleanup__->new; SKIP: { @@ -114,8 +116,11 @@ my $fp = $leaf_cert && unpack("H*",Net::SSLeay::X509_digest($leaf_cert,$sha1)); skip "could not get fingerprint",1 if !$fp; - skip "bad fingerprint $fp for $test->{host}:$test->{port}",1 - if $fp ne $test->{fingerprint}; + if ($fp ne $test->{fingerprint}) { + push @fp_mismatch, [ $fp,$test ]; + skip("bad fingerprint for $test->{host}:$test->{port} -". + " expected $test->{fingerprint}, got $fp",1) + } diag("fingerprint matches"); if ( $test->{ocsp_staple} && ! $stapled_response ) { @@ -225,6 +230,19 @@ } } +if ($release_tests) { + if (!@fp_mismatch) { + pass("all fingerprints matched"); + } else { + for(@fp_mismatch) { + my ($fp,$test) = @$_; + diag("fingerprint mismatch for $test->{host}:$test->{port} -". + " expected $test->{fingerprint}, got $fp") + } + fail("some fingerprints did not matched - please adjust test"); + } +} + { # cleanup stuff when going out of scope package __cleanup__;

Show quoted text
This is hopefully solved now. Inside the test I've first created the context and the SSL object and then added the features to the context I need. It looks like that some features in the SSL object are taken from the linked context while other features are copied from the context on creation of the SSL object and further changes to the context will not affect the SSL object. One of these copied features is the verification mode. Due to the order of creation of SSL object and context the SSL object ended up with a mode of VERIFY_NONE even if the context was set to VERIFY_PEER. And this caused the SSL_connect to succeed even though the certificate chain could not be verified against trusted CA. And because of the missing root CA the OCSP_CERTID failed to get the issue certificate. This is now fixed by first creating and fully setting up the context before creating the SSL object. This will probably mean that with your openssl-1.1.0 etc setups the test will be skipped because the SSL connections fail with "certificate verify failed". To fix this you might need to install Mozilla::CA in your test environment since it looks like that it cannot find the needed root CA.

Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 477) +++ SSLeay.xs (working copy) @@ -5916,7 +5916,7 @@ if (X509_check_issued(cert,cert) == X509_V_OK) croak("no OCSP request for self-signed certificate"); if (!(issuer = find_issuer(cert,store,chain))) - croak("cannot find issuer to certificate"); + croak("cannot find issuer certificate"); if (!(id = OCSP_cert_to_id(EVP_sha1(),cert,issuer))) croak("out of memory for generating OCSO certid"); if (!(len = i2d_OCSP_CERTID(id,NULL))) @@ -6011,7 +6011,7 @@ X509 *issuer; X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1); if ( (issuer = find_issuer(last,store,chain))) { - OCSP_basic_add1_cert(bsr, X509_dup(issuer)); + OCSP_basic_add1_cert(bsr, issuer); TRACE(1,"run OCSP_basic_verify with issuer for last chain element"); RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); } @@ -6058,11 +6058,8 @@ goto end; } int first = OCSP_resp_find(bsr, certid, -1); /* Find the first matching */ - if (first >= 0) - { - sir = OCSP_resp_get0(bsr,first); - break; - } + if (first >= 0) + sir = OCSP_resp_get0(bsr,first); } int status, revocationReason; @@ -6073,7 +6070,8 @@ status = OCSP_single_get0_status(sir, &revocationReason, &revocationTime, &thisupdate, &nextupdate); #else status = sir->certStatus->type; - revocationTime = sir->certStatus->value.revoked->revocationTime; + if (status == V_OCSP_CERTSTATUS_REVOKED) + revocationTime = sir->certStatus->value.revoked->revocationTime; thisupdate = sir->thisUpdate; nextupdate = sir->nextUpdate; #endif Index: t/external/ocsp.t =================================================================== --- t/external/ocsp.t (revision 477) +++ t/external/ocsp.t (working copy) @@ -14,17 +14,17 @@ my @tests = ( { # this should give us OCSP stapling - host => 'www.live.com', + host => 'www.microsoft.com', port => 443, - fingerprint => '10c56ee9e2acaf2e77caeb7072bf6522dd7422b8', + fingerprint => '5f0b37e633840ca02468552ea3b1197e5e118f7b', ocsp_staple => 1, expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { - # no OCSP stapling yet - host => 'www.google.com', + # no OCSP stapling + host => 'www.heise.de', port => 443, - fingerprint => '007a5ab302f14446e2ea24d3a829de22ba1bf950', + fingerprint => '36a7d7bfc59db65c040bccd291ae563d9ef7bafc', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), }, { @@ -31,12 +31,13 @@ # this is revoked host => 'revoked.grc.com', port => 443, - fingerprint => '34703c40093461ad3ce087e161c7b7f42abe770c', + fingerprint => '310665f4c8e78db761c764e798dca66047341264', expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_REVOKED(), }, ); -plan tests => 0+@tests; +my $release_tests = $ENV{RELEASE_TESTING} ? 1:0; +plan tests => $release_tests + @tests; my $timeout = 10; # used to TCP connect and SSL connect @@ -48,8 +49,9 @@ Net::SSLeay::SSLeay_add_ssl_algorithms(); my $sha1 = Net::SSLeay::EVP_get_digestbyname('sha1'); + +my @fp_mismatch; TEST: - for my $test (@tests) { my $cleanup = __cleanup__->new; SKIP: { @@ -66,7 +68,6 @@ diag("tcp connect to $test->{host}:$test->{port} ok"); my $ctx = Net::SSLeay::CTX_new() or die "failed to create CTX"; - my $ssl = Net::SSLeay::new($ctx) or die "failed to create SSL"; # enable verification with hopefully usable CAs Net::SSLeay::CTX_set_default_verify_paths($ctx); @@ -75,10 +76,8 @@ if eval { require Mozilla::CA }; Net::SSLeay::CTX_set_verify($ctx,Net::SSLeay::VERIFY_PEER(),undef); - # setup TLS extension and callback to catch stapled OCSP response + # setup TLS extension callback to catch stapled OCSP response my $stapled_response; - Net::SSLeay::set_tlsext_status_type($ssl, - Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); Net::SSLeay::CTX_set_tlsext_status_cb($ctx,sub { my ($ssl,$resp) = @_; diag("got ".($resp ? '':'no ')."stapled OCSP response"); @@ -87,11 +86,21 @@ return 1; }); + # create SSL object only after we have the context fully done since + # some parts of the context (like verification mode) will be copied + # to the SSL object and thus later changes to the CTX don't affect + # the SSL object + my $ssl = Net::SSLeay::new($ctx) or die "failed to create SSL"; + + # setup TLS extension to request stapled OCSP response + Net::SSLeay::set_tlsext_status_type($ssl, + Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); + # non-blocking SSL_connect with timeout $cl->blocking(0); Net::SSLeay::set_fd($ssl,fileno($cl)); my $end = time() + $timeout; - my $rv; + my ($rv,@err); while (($rv = Net::SSLeay::connect($ssl)) < 0) { my $to = $end-time(); $to<=0 and last; @@ -101,10 +110,14 @@ select($vec,undef,undef,$to); } elsif ( $err == Net::SSLeay::ERROR_WANT_WRITE()) { select(undef,$vec,undef,$to); + } else { + while ( my $err = Net::SSLeay::ERR_get_error()) { + push @err, Net::SSLeay::ERR_error_string($err); + } + last } } - skip "SSL_connect with $test->{host}:$test->{port} failed: ". - Net::SSLeay::print_errs(''),1 + skip "SSL_connect with $test->{host}:$test->{port} failed: @err",1 if $rv<=0; diag("SSL_connect ok"); @@ -114,8 +127,11 @@ my $fp = $leaf_cert && unpack("H*",Net::SSLeay::X509_digest($leaf_cert,$sha1)); skip "could not get fingerprint",1 if !$fp; - skip "bad fingerprint $fp for $test->{host}:$test->{port}",1 - if $fp ne $test->{fingerprint}; + if ($fp ne $test->{fingerprint}) { + push @fp_mismatch, [ $fp,$test ]; + skip("bad fingerprint for $test->{host}:$test->{port} -". + " expected $test->{fingerprint}, got $fp",1) + } diag("fingerprint matches"); if ( $test->{ocsp_staple} && ! $stapled_response ) { @@ -225,6 +241,19 @@ } } +if ($release_tests) { + if (!@fp_mismatch) { + pass("all fingerprints matched"); + } else { + for(@fp_mismatch) { + my ($fp,$test) = @$_; + diag("fingerprint mismatch for $test->{host}:$test->{port} -". + " expected $test->{fingerprint}, got $fp") + } + fail("some fingerprints did not matched - please adjust test"); + } +} + { # cleanup stuff when going out of scope package __cleanup__;