From b3a85bc2c711bb1d8e85f1be7a0cedc475c310f1 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 2 Jun 2017 09:36:35 -0700
Subject: [PATCH 1/2] Fixes for OCSP and CRL with non-blocking sockets. Fix for OCSP and CRL file descriptor check to allow 0.
---
src/crl.c | 5 ++++-
src/internal.c | 25 +++++++++++++++++++++++--
src/io.c | 4 ++--
src/ocsp.c | 3 +++
4 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/src/crl.c b/src/crl.c
index 532282a2f..7743a1797 100755
--- a/src/crl.c
+++ b/src/crl.c
@@ -349,7 +349,10 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
if (crl->crlIOCb) {
ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo,
cert->extCrlInfoSz);
- if (ret >= 0) {
+ if (ret == WOLFSSL_CBIO_ERR_WANT_READ) {
+ ret = WC_PENDING_E;
+ }
+ else if (ret >= 0) {
/* try again */
ret = CheckCertCRLList(crl, cert, &foundEntry);
}
diff --git a/src/internal.c b/src/internal.c
index a634f9210..946d58f17 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -7692,6 +7692,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
WOLFSSL_MSG("Doing Non Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
NULL);
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ /* Handle WC_PENDING_E */
+ if (ret == WC_PENDING_E) {
+ goto exit_ppc;
+ }
+ #endif
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) {
doCrlLookup = 0;
@@ -7706,6 +7712,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
ssl->ctx->cm->crlCheckAll) {
WOLFSSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_PENDING_E) {
+ goto exit_ppc;
+ }
+ #endif
if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok");
}
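Review bot: In the new branch only WOLFSSL_CBIO_ERR_WANT_READ is translated; any other negative value from crlIOCb (the remaining WOLFSSL_CBIO_ERR_* codes) satisfies neither condition and leaves CheckCertCRL carrying a raw I/O-layer code mixed into the CRL-layer result space. The check still fails closed because those codes are negative, but a caller cannot tell a transport error from a revocation failure. A closing `else { /* other CBIO error: treat as CRL unavailable */ ... }` that maps them to whatever failure code this function already returns when no CRL can be obtained (that code is outside the hunk) would keep the error space consistent; the WC_PENDING_E translation itself is superseded by WANT_READ in the second patch. CheckCertCRL starts and ends outside the hunk.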
@@ -7845,8 +7856,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
#ifdef HAVE_OCSP
if (doLookup && ssl->ctx->cm->ocspEnabled) {
WOLFSSL_MSG("Doing Leaf OCSP check");
- ret = CheckCertOCSP(ssl->ctx->cm->ocsp,
- args->dCert, NULL);
+ ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
+ NULL);
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_PENDING_E) {
+ goto exit_ppc;
+ }
+ #endif
doLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Lookup not ok");
@@ -7862,6 +7878,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
if (doLookup && ssl->ctx->cm->crlEnabled) {
WOLFSSL_MSG("Doing Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_PENDING_E) {
+ goto exit_ppc;
+ }
+ #endif
if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok");
args->fatal = 0;
diff --git a/src/io.c b/src/io.c
index 8b9a9b960..7dc7c6584 100644
--- a/src/io.c
+++ b/src/io.c
@@ -1168,7 +1168,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
httpBuf, httpBufSz);
ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec);
- if ((ret != 0) || (sfd <= 0)) {
+ if ((ret != 0) || (sfd < 0)) {
WOLFSSL_MSG("OCSP Responder connection failed");
}
else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0) !=
@@ -1267,7 +1267,7 @@ int EmbedCrlLookup(WOLFSSL_CRL* crl, const char* url, int urlSz)
httpBuf, httpBufSz);
ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec);
- if ((ret != 0) || (sfd <= 0)) {
+ if ((ret != 0) || (sfd < 0)) {
WOLFSSL_MSG("CRL connection failed");
}
else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0)
diff --git a/src/ocsp.c b/src/ocsp.c
index ae45322ed..7f34a5615 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
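Review bot: The relaxed `(sfd < 0)` test in EmbedOcspLookup and EmbedCrlLookup only rejects anything if sfd has a signed type; its declaration is outside the hunks, and if it is the library's socket type, which on Windows builds is an unsigned SOCKET, the comparison is always false (compilers usually warn) and failure detection rests entirely on `ret != 0`. If wolfIO_TcpConnect guarantees a non-zero return whenever it did not produce a socket the sfd test is redundant and can go; otherwise compare against an invalid-socket sentinel rather than 0, e.g. `if ((ret != 0) || (sfd == SOCKET_INVALID))`, assuming the I/O layer defines one. Accepting descriptor 0 is correct on POSIX, but the cleanup below each hunk (not shown) must then also close sfd when it is 0 — any `if (sfd > 0)` guard there would now leak the descriptor. Both functions start and end outside their hunks.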
@@ -445,6 +445,9 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
request, requestSz, &response);
}
+ if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
+ ret = WC_PENDING_E;
+ }
XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
From c55575665f20494eaca82b25a13e1381a02d3692 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 2 Jun 2017 10:35:26 -0700
Subject: [PATCH 2/2] Cleanup to use `WANT_READ` instead of async `WC_PENDING_E` for non-blocking OCSP and CRL.
---
src/crl.c | 2 +-
src/internal.c | 16 +++++++++-------
src/ocsp.c | 2 +-
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/src/crl.c b/src/crl.c
index 7743a1797..e632dbf10 100755
--- a/src/crl.c
+++ b/src/crl.c
@@ -350,7 +350,7 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo,
cert->extCrlInfoSz);
if (ret == WOLFSSL_CBIO_ERR_WANT_READ) {
- ret = WC_PENDING_E;
+ ret = WANT_READ;
}
else if (ret >= 0) {
/* try again */
diff --git a/src/internal.c b/src/internal.c
index 946d58f17..eab408824 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -7693,8 +7693,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
NULL);
#ifdef WOLFSSL_ASYNC_CRYPT
- /* Handle WC_PENDING_E */
- if (ret == WC_PENDING_E) {
+ /* non-blocking socket re-entry requires async */
+ if (ret == WANT_READ) {
goto exit_ppc;
}
#endif
@@ -7713,7 +7713,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
WOLFSSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
#ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
+ /* non-blocking socket re-entry requires async */
+ if (ret == WANT_READ) {
goto exit_ppc;
}
#endif
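Review bot: The WANT_READ check is compiled only under WOLFSSL_ASYNC_CRYPT, so in a non-async build a CheckCertOCSP result of WANT_READ falls straight through to the `doCrlLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { doCrlLookup = 0;` lines that follow (visible in the first patch's version of this hunk), and the intermediate is treated as having failed OCSP with no hint that the real cause is a non-blocking callback used without async support. Failing closed is the right default, but the misconfiguration is silent; an `#else` branch before the `#endif`, `#else` / `if (ret == WANT_READ) WOLFSSL_MSG("Non-blocking OCSP I/O callback requires WOLFSSL_ASYNC_CRYPT");`, makes it diagnosable, and the new comment could state the consequence: `/* non-blocking socket re-entry requires async; without it WANT_READ is handled as a lookup failure below */`. The same applies to the three sibling hunks. ProcessPeerCerts starts and ends outside the hunk.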
@@ -7859,7 +7860,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
NULL);
#ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
+ /* non-blocking socket re-entry requires async */
+ if (ret == WANT_READ) {
goto exit_ppc;
}
#endif
@@ -7879,7 +7881,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
WOLFSSL_MSG("Doing Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
#ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
+ /* non-blocking socket re-entry requires async */
+ if (ret == WANT_READ) {
goto exit_ppc;
}
#endif
@@ -8289,8 +8292,7 @@ exit_ppc:
WOLFSSL_LEAVE("ProcessPeerCerts", ret);
#ifdef WOLFSSL_ASYNC_CRYPT
- /* Handle WC_PENDING_E */
- if (ret == WC_PENDING_E) {
+ if (ret == WC_PENDING_E || ret == WANT_READ) {
/* Mark message as not recevied so it can process again */
ssl->msgsReceived.got_certificate = 0;
diff --git a/src/ocsp.c b/src/ocsp.c
index 7f34a5615..4554b24b0 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -446,7 +446,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
request, requestSz, &response);
}
if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
- ret = WC_PENDING_E;
+ ret = WANT_READ;
}
XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
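Review bot: In a non-async build the leaf CRL check has no handler for WANT_READ, so it reaches the `if (ret != 0) { WOLFSSL_MSG("\tCRL check not ok"); args->fatal = 0;` lines that follow this hunk (visible in the first patch), i.e. a revocation lookup that never completed is recorded as a non-fatal verification error. If, as the fatal flag suggests, non-fatal errors can be overridden by the application's verify callback, a certificate whose CRL status was never actually fetched could be accepted on that basis. Keeping the pending state fatal, e.g. `if (ret != WANT_READ) { args->fatal = 0; }` around the existing assignment, or mapping WANT_READ to a hard CRL failure in an `#else` branch, would close that gap. ProcessPeerCerts starts and ends outside the hunk.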
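Review bot: Adding WANT_READ to the retry condition reuses the async re-entry path, but the retry semantics differ from WC_PENDING_E and are not documented on the new line: after got_certificate is reset the chain is reprocessed from the start, and CheckOcspRequest builds a new request each time (it frees `request` after every callback, as the ocsp.c hunk shows), so the I/O callback is invoked again with a fresh request rather than asked to finish the previous one, while the application is presumably polling the TLS socket, not the OCSP/CRL one. A comment on the new condition along the lines of `/* WANT_READ: non-blocking OCSP/CRL I/O callback; the Certificate message is reprocessed on the next call and the callback is re-invoked with a new request, so it must track its own pending connection */` would spare callback authors that discovery. The reused comment's `recevied` could be fixed to `received` while this line is being touched. exit_ppc's block continues past the hunk.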
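Review bot: `ret = WANT_READ` is assigned but nothing in the hunk leaves CheckOcspRequest, so the statements after `XFREE(request, ...)` (outside the hunk) run with responseSz negative and whatever `response` the callback left behind; they must neither overwrite ret with a generic lookup failure nor attempt to parse, and any response-free path must still run if the callback did allocate. A comment at the translation point pinning the contract would help the next reader, e.g. `/* callback will be re-invoked with a new request on the next call; it must not leave *response allocated when returning WANT_READ */`, and if the code below has an unconditional failure assignment for `responseSz < 0` it needs an `else if (ret != WANT_READ)` guard. CheckOcspRequest starts and ends outside the hunk.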