From 909fd726cda207eb0a7335f35d02e1cee9362a94 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 1 Jul 2020 09:36:35 -0700
Subject: [PATCH 1/2] OCSP/CRL

Fixing issue #3070. When the OCSP responder returns an unknown exception, continue through to checking the CRL. Before, it was setting the flag to check CRL, then clearing it because of the exception.

---
 src/internal.c | 47 ++++++++++++++++++++++++++++-------------------
 1 file changed, 28 insertions(+), 19 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index b7afc57f2..a738dd7c8 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -13434,9 +13434,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif
 }
- #if defined(HAVE_OCSP) || defined(HAVE_CRL)
 if (ret == 0) {
- int doCrlLookup = 1;
 #ifdef HAVE_OCSP
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
 if (ssl->status_request_v2) {
@@ -13456,9 +13454,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 goto exit_ppc;
 }
 #endif
- doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
 if (ret != 0) {
- doCrlLookup = 0;
 WOLFSSL_ERROR_VERBOSE(ret);
 WOLFSSL_MSG("\tOCSP Lookup not ok");
 }
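Review bot: In the second hunk (`@@ -13456,9 +13454,7 @@`), with `doCrlLookup = 0;` gone, an `OCSP_CERT_UNKNOWN` result now falls straight into the `if (ret != 0)` branch and is reported through `WOLFSSL_ERROR_VERBOSE(ret)` and `"\tOCSP Lookup not ok"`, even though the commit makes that status the expected hand-off to the CRL check. Logging it as what it is would keep the error trace meaningful when a CRL check later succeeds, for example an `else if (ret == OCSP_CERT_UNKNOWN)` branch ahead of the existing `if (ret != 0)` that emits `WOLFSSL_MSG("\tOCSP status unknown, deferring to CRL");` without calling `WOLFSSL_ERROR_VERBOSE`. Whether the verbose error is still wanted when CRL checking is disabled (and the handshake fails on this status anyway) is a policy call not visible here. ProcessPeerCerts begins and ends outside both hunks.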
@@ -13466,26 +13462,39 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif /* HAVE_OCSP */
 #ifdef HAVE_CRL
- if (ret == 0 && doCrlLookup &&
- SSL_CM(ssl)->crlEnabled &&
- SSL_CM(ssl)->crlCheckAll) {
- WOLFSSL_MSG("Doing Non Leaf CRL check");
- ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
- #ifdef WOLFSSL_NONBLOCK_OCSP
- if (ret == OCSP_WANT_READ) {
- args->lastErr = ret;
- goto exit_ppc;
+ if (SSL_CM(ssl)->crlEnabled &&
+ SSL_CM(ssl)->crlCheckAll) {
+ int doCrlLookup = 1;
+
+ #ifdef HAVE_OCSP
+ if (SSL_CM(ssl)->ocspEnabled &&
+ SSL_CM(ssl)->ocspCheckAll) {
+ /* If the cert status is unknown to the OCSP
+ responder, do a CRL lookup. If any other
+ error, skip the CRL lookup and fail the
+ certificate. */
+ doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
 }
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("\tCRL check not ok");
+ #endif /* HAVE_OCSP */
+
+ if (doCrlLookup) {
+ WOLFSSL_MSG("Doing Non Leaf CRL check");
+ ret = CheckCertCRL(SSL_CM(ssl)->crl,
+ args->dCert);
+ #ifdef WOLFSSL_NONBLOCK_OCSP
+ if (ret == OCSP_WANT_READ) {
+ args->lastErr = ret;
+ goto exit_ppc;
+ }
+ #endif
+ if (ret != 0) {
+ WOLFSSL_ERROR_VERBOSE(ret);
+ WOLFSSL_MSG("\tCRL check not ok");
+ }
 }
 }
 #endif /* HAVE_CRL */
- (void)doCrlLookup;
 }
- #endif /* HAVE_OCSP || HAVE_CRL */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 if (ret == 0 &&
 /* extend the limit "+1" until reaching
From 88f3570fe48ac1e3eea8efa7040f62a24978dc0d Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 23 Nov 2022 16:35:10 -0800
Subject: [PATCH 2/2] OCSP/CRL

Added comments for the usage of OCSP_WANT_READ used with the CRL I/O callback.

---
 src/internal.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index a738dd7c8..9d636f5a1 100644
--- a/src/internal.c
+++ b/src/internal.c
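Review bot: The new `if (doCrlLookup)` block calls CheckCertCRL without the `ret == 0` guard that the removed `if (ret == 0 && doCrlLookup && ...)` condition carried, so when the `ocspEnabled && ocspCheckAll` branch does not run, `doCrlLookup` stays 1 and any non-zero `ret` left by the earlier OCSP status-request code (above this hunk) is overwritten by the CRL result; a passing CRL check would then mask that earlier error. Seeding the flag from the current status restores the old guard while still letting the unknown case through: `int doCrlLookup = (ret == 0);`, with the OCSP branch continuing to set `doCrlLookup = (ret == OCSP_CERT_UNKNOWN);` as it does now. Whether that status-request path can actually leave `ret` non-zero here is not visible in the hunk, so confirm against the surrounding code before changing it. It is also worth a one-line comment above the CheckCertCRL call noting that `ret` is intentionally replaced by the CRL result, since an `OCSP_CERT_UNKNOWN` status is dropped at that point. ProcessPeerCerts starts and ends outside this hunk.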
@@ -13482,6 +13482,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 ret = CheckCertCRL(SSL_CM(ssl)->crl,
 args->dCert);
 #ifdef WOLFSSL_NONBLOCK_OCSP
+ /* The CRL lookup I/O callback is using the
+ * same WOULD_BLOCK error code as OCSP's I/O
+ * callback, and it is enabling it using the
+ * same flag. */
 if (ret == OCSP_WANT_READ) {
 args->lastErr = ret;
 goto exit_ppc;
@@ -13852,6 +13856,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 WOLFSSL_MSG("Doing Leaf CRL check");
 ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
 #ifdef WOLFSSL_NONBLOCK_OCSP
+ /* The CRL lookup I/O callback is using the
+ * same WOULD_BLOCK error code as OCSP's I/O
+ * callback, and it is enabling it using the
+ * same flag. */
 if (ret == OCSP_WANT_READ) {
 goto exit_ppc;
 }
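Review bot: The comment added in both hunks says "it is enabling it using the same flag" without naming either side, so a reader still has to work out what is enabled by what; naming the code and flag the surrounding lines actually use is clearer, e.g. `/* CheckCertCRL's I/O callback reports would-block with OCSP_WANT_READ, the same code as the OCSP I/O callback, and is compiled in under the same WOLFSSL_NONBLOCK_OCSP flag. */`. The same wording applies to the second hunk (`@@ -13852,6 +13856,10 @@`). Separately, the two `OCSP_WANT_READ` branches the comment describes differ: the non-leaf path stores `args->lastErr = ret;` before `goto exit_ppc;` while the leaf path only jumps, and if the leaf path does not record the would-block status elsewhere the resume logic may not see it, which is worth confirming since the rest of the function is outside both hunks. ProcessPeerCerts starts and ends outside these hunks.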