From 963b9d4c4df692daad93917ef3aa14ffdbfb545e Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Thu, 1 Sep 2016 09:58:34 -0700
Subject: [PATCH] OCSP Fixes
1. When using Cert Manager OCSP lookup, the issuer key hash wasn't being set correctly. This could lead to unknown responses from lookup.
2. Default OCSP lookup callback could get blocked waiting for server to close socket.
---
 src/io.c | 4 ++--
 src/ssl.c | 4 ++--
 wolfcrypt/src/asn.c | 37 ++++++++++++++++++++-----------------
 wolfssl/wolfcrypt/asn.h | 6 ++++--
 4 files changed, 28 insertions(+), 23 deletions(-)
diff --git a/src/io.c b/src/io.c
index ed0971dff..a37052b3a 100644
--- a/src/io.c
+++ b/src/io.c
@@ -1015,7 +1015,7 @@ static int process_http_response(int sfd, byte** respBuf,
 XMEMCPY(recvBuf, start, len);
 /* receive the OCSP response data */
- do {
+ while (len < recvBufSz) {
 result = (int)recv(sfd, (char*)recvBuf+len, recvBufSz-len, 0);
 if (result > 0)
 len += result;
@@ -1023,7 +1023,7 @@ static int process_http_response(int sfd, byte** respBuf,
 WOLFSSL_MSG("process_http_response recv ocsp from peer failed");
 return -1;
 }
- } while (len != recvBufSz);
+ }
 *respBuf = recvBuf;
 return recvBufSz;
diff --git a/src/ssl.c b/src/ssl.c
index 61bd2d4f8..391488162 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4570,7 +4570,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
 InitDecodedCert(cert, der, sz, NULL);
- if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
+ if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm)) != 0) {
 WOLFSSL_MSG("ParseCert failed");
 }
 else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) {
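Review bot: The new guard `while (len < recvBufSz)` stops the recv() loop from being entered with `recvBufSz-len` already negative, but the `XMEMCPY(recvBuf, start, len)` two lines above it still copies `len` bytes into a buffer sized `recvBufSz` with no bound visible in the hunk; if `len` (body bytes that arrived together with the headers) can exceed `recvBufSz` (presumably derived from the server-supplied Content-Length), that copy overflows before the loop is reached. Unless an earlier check in process_http_response already caps `len` (the function starts outside the hunk), add `if (len > recvBufSz) return -1;` before the memcpy. Note also that the fix only covers a responder that sends the full body and then keeps the socket open; a responder that stalls short of Content-Length still blocks in recv(), so a socket receive timeout remains the only defence against a slow OCSP server.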
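Review bot: Passing `VERIFY_OCSP` instead of `NO_VERIFY` changes what wolfSSL_CertManagerCheckOCSP requires and what it guarantees, and neither is documented at the call. ParseCertRelative now performs the issuer (signer) lookup, so a certificate whose issuer is not loaded into `cm` presumably fails here via the `/* no signer */` path rather than reaching CheckCertOCSP; at the same time the asn.c change confines ConfirmSignature to `verify == VERIFY`, so this function still does not verify the certificate's signature even though it now resolves the signer. Both points belong in a comment above the call, e.g. `/* VERIFY_OCSP: resolve the issuer so the request carries its key hash; the issuer must already be loaded in cm. The cert's own signature is NOT confirmed here - this is a revocation check, not chain validation. */`. The function starts before this hunk.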
@@ -5046,7 +5046,7 @@ int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
 InitDecodedCert(cert, der, sz, NULL);
- if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
+ if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_CRL, cm)) != 0) {
 WOLFSSL_MSG("ParseCert failed");
 }
 else if ((ret = CheckCertCRL(cm->crl, cert)) != 0) {
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 884e66ae5..545b32d95 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -5074,7 +5074,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 }
 #endif
- if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
+ if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
 Signer* ca = NULL;
 #ifndef NO_SKID
 if (cert->extAuthKeyIdSet)
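Review bot: The same undocumented precondition applies to wolfSSL_CertManagerCheckCRL: with `VERIFY_CRL` the parse now fails when the certificate's issuer is not present in `cm`, where before it proceeded to CheckCertCRL, and the certificate's signature is still not confirmed by this call. A one-line comment at the call site, `/* VERIFY_CRL: issuer lookup only (must be loaded in cm); signature is not confirmed here */`, would spare the next reader a trip into ParseCertRelative. The function starts before this hunk.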
@@ -5099,23 +5099,26 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 if (ret != 0)
 return ret;
 #endif /* HAVE_OCSP */
- /* try to confirm/verify signature */
- if (!ConfirmSignature(cert->source + cert->certBegin,
- cert->sigIndex - cert->certBegin,
- ca->publicKey, ca->pubKeySize, ca->keyOID,
- cert->signature, cert->sigLength, cert->signatureOID,
- cert->heap)) {
- WOLFSSL_MSG("Confirm signature failed");
- return ASN_SIG_CONFIRM_E;
+
+ if (verify == VERIFY) {
+ /* try to confirm/verify signature */
+ if (!ConfirmSignature(cert->source + cert->certBegin,
+ cert->sigIndex - cert->certBegin,
+ ca->publicKey, ca->pubKeySize, ca->keyOID,
+ cert->signature, cert->sigLength, cert->signatureOID,
+ cert->heap)) {
+ WOLFSSL_MSG("Confirm signature failed");
+ return ASN_SIG_CONFIRM_E;
+ }
+ #ifndef IGNORE_NAME_CONSTRAINTS
+ /* check that this cert's name is permitted by the signer's
+ * name constraints */
+ if (!ConfirmNameConstraints(ca, cert)) {
+ WOLFSSL_MSG("Confirm name constraint failed");
+ return ASN_NAME_INVALID_E;
+ }
+ #endif /* IGNORE_NAME_CONSTRAINTS */
 }
-#ifndef IGNORE_NAME_CONSTRAINTS
- /* check that this cert's name is permitted by the signer's
- * name constraints */
- if (!ConfirmNameConstraints(ca, cert)) {
- WOLFSSL_MSG("Confirm name constraint failed");
- return ASN_NAME_INVALID_E;
- }
-#endif /* IGNORE_NAME_CONSTRAINTS */
 }
 else {
 /* no signer */
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index f609e0ab1..6aba913d2 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -312,8 +312,10 @@ enum ExtKeyUsage_Sum { /* From RFC 5280 */
 enum VerifyType {
- NO_VERIFY = 0,
- VERIFY = 1
+ NO_VERIFY = 0,
+ VERIFY = 1,
+ VERIFY_CRL = 2,
+ VERIFY_OCSP = 3
 };
 #ifdef WOLFSSL_CERT_EXT
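Review bot: `if (verify == VERIFY)` turns signature confirmation and name-constraint checking into something that happens for exactly one enumerator, so any caller that passes a non-zero value other than 1 — a flag computed as a bit mask, or a VerifyType added later and not threaded through here — now passes the outer `verify != NO_VERIFY` test, gets the issuer looked up, and is returned without ConfirmSignature ever running: a fail-open default in the most security-critical branch of the parser. Since only the CRL and OCSP lookups are meant to skip the check, state the exception rather than the rule: `if (verify != VERIFY_CRL && verify != VERIFY_OCSP) {`, so an unrecognised value still verifies. ParseCertRelative starts before and continues after this hunk.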
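Review bot: The two new VerifyType enumerators carry no comment saying how they differ from VERIFY, and the difference is security-relevant: per the asn.c change they cause the signer lookup but skip ConfirmSignature and the name-constraint check. Suggest annotating them, `VERIFY_CRL = 2, /* resolve issuer for CRL check; signature not confirmed */` and `VERIFY_OCSP = 3 /* resolve issuer for OCSP request; signature not confirmed */`, and adding a line on the enum noting that ParseCertRelative compares against VERIFY exactly, so callers must pass one of these named values rather than a truthy flag.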