feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #950 from dgarske/fix_ocsp_crl

Browse Source 
Fixes for OCSP and CRL with non-blocking sockets
This commit is contained in:
toddouska
2017-06-05 13:59:36 -07:00
committed by GitHub
parent c3d29ddfe3 c55575665f
commit 026a95ff10
4 changed files with 36 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/crl.c
View File

@ -349,7 +349,10 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
if (crl->crlIOCb) { if (crl->crlIOCb) {
ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo, ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo,
cert->extCrlInfoSz); cert->extCrlInfoSz);
if (ret >= 0) { if (ret == WOLFSSL_CBIO_ERR_WANT_READ) {
ret = WANT_READ;
}
else if (ret >= 0) {
/* try again */ /* try again */
ret = CheckCertCRLList(crl, cert, &foundEntry); ret = CheckCertCRLList(crl, cert, &foundEntry);
} }

31
src/internal.c
View File

@ -7692,6 +7692,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
WOLFSSL_MSG("Doing Non Leaf OCSP check"); WOLFSSL_MSG("Doing Non Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert, ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
NULL); NULL);
#ifdef WOLFSSL_ASYNC_CRYPT
/* non-blocking socket re-entry requires async */
if (ret == WANT_READ) {
goto exit_ppc;
}
#endif
doCrlLookup = (ret == OCSP_CERT_UNKNOWN); doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) { if (ret != 0) {
doCrlLookup = 0; doCrlLookup = 0;
@ -7706,6 +7712,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
ssl->ctx->cm->crlCheckAll) { ssl->ctx->cm->crlCheckAll) {
WOLFSSL_MSG("Doing Non Leaf CRL check"); WOLFSSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert); ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
#ifdef WOLFSSL_ASYNC_CRYPT
/* non-blocking socket re-entry requires async */
if (ret == WANT_READ) {
goto exit_ppc;
}
#endif
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok"); WOLFSSL_MSG("\tCRL check not ok");
} }
@ -7845,8 +7857,14 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (doLookup && ssl->ctx->cm->ocspEnabled) { if (doLookup && ssl->ctx->cm->ocspEnabled) {
WOLFSSL_MSG("Doing Leaf OCSP check"); WOLFSSL_MSG("Doing Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
args->dCert, NULL); NULL);
#ifdef WOLFSSL_ASYNC_CRYPT
/* non-blocking socket re-entry requires async */
if (ret == WANT_READ) {
goto exit_ppc;
}
#endif
doLookup = (ret == OCSP_CERT_UNKNOWN); doLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("\tOCSP Lookup not ok"); WOLFSSL_MSG("\tOCSP Lookup not ok");
@ -7862,6 +7880,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
if (doLookup && ssl->ctx->cm->crlEnabled) { if (doLookup && ssl->ctx->cm->crlEnabled) {
WOLFSSL_MSG("Doing Leaf CRL check"); WOLFSSL_MSG("Doing Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert); ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
#ifdef WOLFSSL_ASYNC_CRYPT
/* non-blocking socket re-entry requires async */
if (ret == WANT_READ) {
goto exit_ppc;
}
#endif
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok"); WOLFSSL_MSG("\tCRL check not ok");
args->fatal = 0; args->fatal = 0;
@ -8268,8 +8292,7 @@ exit_ppc:
WOLFSSL_LEAVE("ProcessPeerCerts", ret); WOLFSSL_LEAVE("ProcessPeerCerts", ret);
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
/* Handle WC_PENDING_E */ if (ret == WC_PENDING_E || ret == WANT_READ) {
if (ret == WC_PENDING_E) {
/* Mark message as not recevied so it can process again */ /* Mark message as not recevied so it can process again */
ssl->msgsReceived.got_certificate = 0; ssl->msgsReceived.got_certificate = 0;

4
src/io.c
View File

@ -1168,7 +1168,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
httpBuf, httpBufSz); httpBuf, httpBufSz);
ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec); ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec);
if ((ret != 0) || (sfd <= 0)) { if ((ret != 0) || (sfd < 0)) {
WOLFSSL_MSG("OCSP Responder connection failed"); WOLFSSL_MSG("OCSP Responder connection failed");
} }
else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0) != else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0) !=
@ -1267,7 +1267,7 @@ int EmbedCrlLookup(WOLFSSL_CRL* crl, const char* url, int urlSz)
httpBuf, httpBufSz); httpBuf, httpBufSz);
ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec); ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec);
if ((ret != 0) || (sfd <= 0)) { if ((ret != 0) || (sfd < 0)) {
WOLFSSL_MSG("CRL connection failed"); WOLFSSL_MSG("CRL connection failed");
} }
else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0) else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0)

3
src/ocsp.c
View File

@ -445,6 +445,9 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
request, requestSz, &response); request, requestSz, &response);
} }
if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
ret = WANT_READ;
}
XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP); XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);