Merge pull request #537 from ejohnstown/ocsp-issuerKeyHash

OCSP Fixes
2016-09-02 14:57:07 -06:00
parent a0b02236b8 963b9d4c4d
commit 33f24ebaa8
4 changed files with 28 additions and 23 deletions
--- a/src/io.c
+++ b/src/io.c
@@ -1015,7 +1015,7 @@ static int process_http_response(int sfd, byte** respBuf,
        XMEMCPY(recvBuf, start, len);

    /* receive the OCSP response data */
-    do {
+    while (len < recvBufSz) {
        result = (int)recv(sfd, (char*)recvBuf+len, recvBufSz-len, 0);
        if (result > 0)
            len += result;
@@ -1023,7 +1023,7 @@ static int process_http_response(int sfd, byte** respBuf,
            WOLFSSL_MSG("process_http_response recv ocsp from peer failed");
            return -1;
        }
-    } while (len != recvBufSz);
+    }

    *respBuf = recvBuf;
    return recvBufSz;
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4570,7 +4570,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)

    InitDecodedCert(cert, der, sz, NULL);

-    if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
+    if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm)) != 0) {
        WOLFSSL_MSG("ParseCert failed");
    }
    else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) {
@@ -5046,7 +5046,7 @@ int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)

    InitDecodedCert(cert, der, sz, NULL);

-    if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
+    if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_CRL, cm)) != 0) {
        WOLFSSL_MSG("ParseCert failed");
    }
    else if ((ret = CheckCertCRL(cm->crl, cert)) != 0) {
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -5074,7 +5074,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
        }
    #endif

- if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
+   if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
        Signer* ca = NULL;
        #ifndef NO_SKID
            if (cert->extAuthKeyIdSet)
@@ -5099,6 +5099,8 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
            if (ret != 0)
                return ret;
 #endif /* HAVE_OCSP */
+
+            if (verify == VERIFY) {
                /* try to confirm/verify signature */
                if (!ConfirmSignature(cert->source + cert->certBegin,
                            cert->sigIndex - cert->certBegin,
@@ -5117,6 +5119,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
                }
                #endif /* IGNORE_NAME_CONSTRAINTS */
            }
+        }
        else {
            /* no signer */
            WOLFSSL_MSG("No CA signer to verify with");
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -313,7 +313,9 @@ enum ExtKeyUsage_Sum { /* From RFC 5280 */

 enum VerifyType {
    NO_VERIFY   = 0,
-    VERIFY    = 1
+    VERIFY      = 1,
+    VERIFY_CRL  = 2,
+    VERIFY_OCSP = 3
 };

 #ifdef WOLFSSL_CERT_EXT