OCSP Fixes

1. When using Cert Manager OCSP lookup, the issuer key hash wasn't
being set correctly. This could lead to unknown responses from lookup.
2. Default OCSP lookup callback could get blocked waiting for server
to close socket.

src/io.c

@@ -1015,7 +1015,7 @@ static int process_http_response(int sfd, byte** respBuf,
         XMEMCPY(recvBuf, start, len);
 
     /* receive the OCSP response data */
-    do {
+    while (len < recvBufSz) {
         result = (int)recv(sfd, (char*)recvBuf+len, recvBufSz-len, 0);
         if (result > 0)
             len += result;
@@ -1023,7 +1023,7 @@ static int process_http_response(int sfd, byte** respBuf,
             WOLFSSL_MSG("process_http_response recv ocsp from peer failed");
             return -1;
         }
-    } while (len != recvBufSz);
+    }
 
     *respBuf = recvBuf;
     return recvBufSz;

src/ssl.c

@@ -4570,7 +4570,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
 
     InitDecodedCert(cert, der, sz, NULL);
 
-    if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
+    if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm)) != 0) {
         WOLFSSL_MSG("ParseCert failed");
     }
     else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) {
@@ -5046,7 +5046,7 @@ int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
 
     InitDecodedCert(cert, der, sz, NULL);
 
-    if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
+    if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_CRL, cm)) != 0) {
         WOLFSSL_MSG("ParseCert failed");
     }
     else if ((ret = CheckCertCRL(cm->crl, cert)) != 0) {

wolfcrypt/src/asn.c

@@ -5074,7 +5074,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
         }
     #endif
 
- if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
+   if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
         Signer* ca = NULL;
         #ifndef NO_SKID
             if (cert->extAuthKeyIdSet)
@@ -5099,6 +5099,8 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
             if (ret != 0)
                 return ret;
 #endif /* HAVE_OCSP */
+
+            if (verify == VERIFY) {
                 /* try to confirm/verify signature */
                 if (!ConfirmSignature(cert->source + cert->certBegin,
                             cert->sigIndex - cert->certBegin,
@@ -5117,6 +5119,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
                 }
                 #endif /* IGNORE_NAME_CONSTRAINTS */
             }
+        }
         else {
             /* no signer */
             WOLFSSL_MSG("No CA signer to verify with");

wolfssl/wolfcrypt/asn.h

@@ -313,7 +313,9 @@ enum ExtKeyUsage_Sum { /* From RFC 5280 */
 
 enum VerifyType {
     NO_VERIFY   = 0,
-    VERIFY    = 1
+    VERIFY      = 1,
+    VERIFY_CRL  = 2,
+    VERIFY_OCSP = 3
 };
 
 #ifdef WOLFSSL_CERT_EXT