From b3a85bc2c711bb1d8e85f1be7a0cedc475c310f1 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 2 Jun 2017 09:36:35 -0700
Subject: [PATCH] Fixes for OCSP and CRL with non-blocking sockets. Fix for OCSP and CRL file descriptor check to allow 0.
---
 src/crl.c | 5 ++++-
 src/internal.c | 25 +++++++++++++++++++++++--
 src/io.c | 4 ++--
 src/ocsp.c | 3 +++
 4 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/src/crl.c b/src/crl.c
index 532282a2f..7743a1797 100755
--- a/src/crl.c
+++ b/src/crl.c
@@ -349,7 +349,10 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
 if (crl->crlIOCb) {
 ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo, cert->extCrlInfoSz);
- if (ret >= 0) {
+ if (ret == WOLFSSL_CBIO_ERR_WANT_READ) {
+ ret = WC_PENDING_E;
+ }
+ else if (ret >= 0) {
 /* try again */
 ret = CheckCertCRLList(crl, cert, &foundEntry);
 }
diff --git a/src/internal.c b/src/internal.c
index a634f9210..946d58f17 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -7692,6 +7692,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
 WOLFSSL_MSG("Doing Non Leaf OCSP check");
 ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert, NULL);
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ /* Handle WC_PENDING_E */
+ if (ret == WC_PENDING_E) {
+ goto exit_ppc;
+ }
+ #endif
 doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
 if (ret != 0) {
 doCrlLookup = 0;
@@ -7706,6 +7712,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
 ssl->ctx->cm->crlCheckAll) {
 WOLFSSL_MSG("Doing Non Leaf CRL check");
 ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_PENDING_E) {
+ goto exit_ppc;
+ }
+ #endif
 if (ret != 0) {
 WOLFSSL_MSG("\tCRL check not ok");
 }
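Review bot: The new `if (ret == WOLFSSL_CBIO_ERR_WANT_READ)` branch turns a socket-readiness result from the CRL I/O callback into WC_PENDING_E, so CheckCertCRL now hands an async-crypto pending code to every caller, and the retry only happens if each caller recognises it and re-enters CheckCertCRL later; the one caller touched in this patch (internal.c) does so only under WOLFSSL_ASYNC_CRYPT. Every other negative callback result still skips the `else if (ret >= 0)` path and is returned unchanged, as before. A comment would make the cross-module contract explicit, e.g. `/* non-blocking I/O: callback needs more data; report pending so the caller re-invokes CheckCertCRL */`. The rest of CheckCertCRL lies outside the hunk, so how foundEntry and ret are handled on re-entry cannot be checked here.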
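Review bot: The `#ifdef WOLFSSL_ASYNC_CRYPT` around the new `if (ret == WC_PENDING_E) goto exit_ppc;` ties a non-blocking-socket condition to a crypto build option: crl.c and ocsp.c in this same patch return WC_PENDING_E (used unguarded there) whenever the I/O callback reports WOLFSSL_CBIO_ERR_WANT_READ, which has nothing to do with async crypto, so in a non-blocking build without WOLFSSL_ASYNC_CRYPT the pending code falls into `if (ret != 0)` and is logged as a failed revocation check instead of being retried. The same applies to the three later hunks of this file (non-leaf CRL, leaf OCSP, leaf CRL). Consider guarding the check on whatever condition allows the OCSP/CRL I/O callbacks to return WANT_READ rather than on WOLFSSL_ASYNC_CRYPT alone, provided the caller of ProcessPeerCerts can handle a pending return in that configuration. ProcessPeerCerts and the exit_ppc label are outside the hunk, so whether exit_ppc preserves args for a resume cannot be confirmed from here.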
@@ -7845,8 +7856,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
 #ifdef HAVE_OCSP
 if (doLookup && ssl->ctx->cm->ocspEnabled) {
 WOLFSSL_MSG("Doing Leaf OCSP check");
- ret = CheckCertOCSP(ssl->ctx->cm->ocsp,
- args->dCert, NULL);
+ ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert,
+ NULL);
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_PENDING_E) {
+ goto exit_ppc;
+ }
+ #endif
 doLookup = (ret == OCSP_CERT_UNKNOWN);
 if (ret != 0) {
 WOLFSSL_MSG("\tOCSP Lookup not ok");
@@ -7862,6 +7878,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz
 if (doLookup && ssl->ctx->cm->crlEnabled) {
 WOLFSSL_MSG("Doing Leaf CRL check");
 ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_PENDING_E) {
+ goto exit_ppc;
+ }
+ #endif
 if (ret != 0) {
 WOLFSSL_MSG("\tCRL check not ok");
 args->fatal = 0;
diff --git a/src/io.c b/src/io.c
index 8b9a9b960..7dc7c6584 100644
--- a/src/io.c
+++ b/src/io.c
@@ -1168,7 +1168,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
 httpBuf, httpBufSz);
 ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec);
- if ((ret != 0) || (sfd <= 0)) {
+ if ((ret != 0) || (sfd < 0)) {
 WOLFSSL_MSG("OCSP Responder connection failed");
 }
 else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0) !=
@@ -1267,7 +1267,7 @@ int EmbedCrlLookup(WOLFSSL_CRL* crl, const char* url, int urlSz)
 httpBuf, httpBufSz);
 ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec);
- if ((ret != 0) || (sfd <= 0)) {
+ if ((ret != 0) || (sfd < 0)) {
 WOLFSSL_MSG("CRL connection failed");
 }
 else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0)
diff --git a/src/ocsp.c b/src/ocsp.c
index ae45322ed..7f34a5615 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
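Review bot: `sfd < 0` is only a meaningful invalid-descriptor test if `sfd` is a signed integer; its declaration is outside the hunk, and on platforms where the socket type is unsigned (Windows SOCKET) the comparison is never true, so a connect that left `sfd` at the platform's invalid-socket value would proceed to wolfIO_Send. Because `ret != 0` is tested first this only matters if wolfIO_TcpConnect can return 0 without producing a usable socket, which cannot be verified from the hunk. Comparing `sfd` against the invalid-socket sentinel the file uses for that type, or relying on `ret` alone, would be portable; the same applies to the EmbedCrlLookup hunk below. Both enclosing functions start and end outside the hunks.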
@@ -445,6 +445,9 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, request, requestSz, &response);
 }
+ if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) {
+ ret = WC_PENDING_E;
+ }
 XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
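Review bot: The new `if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ)` sets `ret = WC_PENDING_E` but leaves `responseSz` negative, and the code after XFREE that consumes `responseSz` is outside the hunk; if that code assigns `ret` for any negative `responseSz` (a generic lookup-failure code), the pending status is overwritten and the caller never retries. Keeping the two outcomes distinct, for example by chaining the existing `responseSz` handling as an `else` of this check, would make the pending path explicit. A comment is also warranted that `request` is freed on the pending path as well, so a retry cannot reuse it, e.g. `/* WANT_READ: report pending; request is released and rebuilt on the next call */`. CheckOcspRequest starts and ends outside the hunk.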