forked from wolfSSL/wolfssl
OCSP/CRL
Fixing issue #3070. When the OCSP responder returns an unknown exception, continue through to checking the CRL. Before, it was setting the flag to check CRL, then clearing it because of the exception.
This commit is contained in:
John Safranek
@ -13434,9 +13434,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
int doCrlLookup = 1;
|
|
||||||
#ifdef HAVE_OCSP
|
#ifdef HAVE_OCSP
|
||||||
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
|
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
|
||||||
if (ssl->status_request_v2) {
|
if (ssl->status_request_v2) {
|
||||||
@ -13456,9 +13454,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
goto exit_ppc;
|
goto exit_ppc;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
doCrlLookup = 0;
|
|
||||||
WOLFSSL_ERROR_VERBOSE(ret);
|
WOLFSSL_ERROR_VERBOSE(ret);
|
||||||
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
||||||
}
|
}
|
||||||
@ -13466,26 +13462,39 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
#endif /* HAVE_OCSP */
|
#endif /* HAVE_OCSP */
|
||||||
|
|
||||||
#ifdef HAVE_CRL
|
#ifdef HAVE_CRL
|
||||||
if (ret == 0 && doCrlLookup &&
|
if (SSL_CM(ssl)->crlEnabled &&
|
||||||
SSL_CM(ssl)->crlEnabled &&
|
SSL_CM(ssl)->crlCheckAll) {
|
||||||
SSL_CM(ssl)->crlCheckAll) {
|
int doCrlLookup = 1;
|
||||||
WOLFSSL_MSG("Doing Non Leaf CRL check");
|
|
||||||
ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
|
#ifdef HAVE_OCSP
|
||||||
#ifdef WOLFSSL_NONBLOCK_OCSP
|
if (SSL_CM(ssl)->ocspEnabled &&
|
||||||
if (ret == OCSP_WANT_READ) {
|
SSL_CM(ssl)->ocspCheckAll) {
|
||||||
args->lastErr = ret;
|
/* If the cert status is unknown to the OCSP
|
||||||
goto exit_ppc;
|
responder, do a CRL lookup. If any other
|
||||||
|
error, skip the CRL lookup and fail the
|
||||||
|
certificate. */
|
||||||
|
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||||
}
|
}
|
||||||
#endif
|
#endif /* HAVE_OCSP */
|
||||||
if (ret != 0) {
|
|
||||||
WOLFSSL_ERROR_VERBOSE(ret);
|
if (doCrlLookup) {
|
||||||
WOLFSSL_MSG("\tCRL check not ok");
|
WOLFSSL_MSG("Doing Non Leaf CRL check");
|
||||||
|
ret = CheckCertCRL(SSL_CM(ssl)->crl,
|
||||||
|
args->dCert);
|
||||||
|
#ifdef WOLFSSL_NONBLOCK_OCSP
|
||||||
|
if (ret == OCSP_WANT_READ) {
|
||||||
|
args->lastErr = ret;
|
||||||
|
goto exit_ppc;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if (ret != 0) {
|
||||||
|
WOLFSSL_ERROR_VERBOSE(ret);
|
||||||
|
WOLFSSL_MSG("\tCRL check not ok");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* HAVE_CRL */
|
#endif /* HAVE_CRL */
|
||||||
(void)doCrlLookup;
|
|
||||||
}
|
}
|
||||||
#endif /* HAVE_OCSP || HAVE_CRL */
|
|
||||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||||
if (ret == 0 &&
|
if (ret == 0 &&
|
||||||
/* extend the limit "+1" until reaching
|
/* extend the limit "+1" until reaching
|
||||||
|
|||||||
Reference in New Issue
Block a user