From 52658c51a9bb5e110d2fb2c5bbb0037d35203e1a Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Mon, 4 Dec 2023 11:31:04 -0800
Subject: [PATCH] OCSP Error Return

1. In CheckOcspResponse(), remove the existing check for UNKNOWN certificate status. Given the values of ret and ocsp->error, unknown won't get checked.
2. Separated checks for UKNOWN and REJECTED for logging purposes. Return that as an error.
3. Anything else should be a failure.
---
 src/ocsp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/ocsp.c b/src/ocsp.c
index eca389493..c56ec22f1 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -409,10 +409,14 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
 end:
     if (ret == 0 && validated == 1) {
         WOLFSSL_MSG("New OcspResponse validated");
-    } else if ((ret == ocsp->error) && (ocspResponse->single->status->status == CERT_UNKNOWN)) {
+    }
+    else if (ret == OCSP_CERT_REVOKED) {
+        WOLFSSL_MSG("OCSP revoked");
+    }
+    else if (ret == OCSP_CERT_UNKNOWN) {
         WOLFSSL_MSG("OCSP unknown");
-        ret = OCSP_CERT_UNKNOWN;
-    } else if (ret != OCSP_CERT_REVOKED) {
+    }
+    else {
         WOLFSSL_MSG("OCSP lookup failure");
         ret = OCSP_LOOKUP_FAIL;
     }
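Review bot: The final `else` at the end of the hunk collapses every remaining outcome, including `ret == 0` with `validated != 1`, into OCSP_LOOKUP_FAIL; that is the right fail-closed default, but the intent is stated nowhere, so a later edit could easily relax the `validated == 1` test into a pass. A one-line comment above the `if` would pin it: `/* Only a response that parsed (ret == 0) AND verified (validated == 1) is good; revoked and unknown keep their own status code, anything else is reported as a lookup failure. */`. The revoked and unknown branches rely on `ret` already holding OCSP_CERT_REVOKED or OCSP_CERT_UNKNOWN when `end:` is reached, which is set earlier in CheckOcspResponse, outside this hunk, and cannot be confirmed here. Dropping the dereference of `ocspResponse->single->status->status` at the `end:` label presumably also removes a read on early-exit paths where the response may not have been populated; worth confirming `ocspResponse` is not read anywhere else after `end:`.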