@ -13470,9 +13470,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
int doCrlLookup = 1;
|
|
||||||
#ifdef HAVE_OCSP
|
#ifdef HAVE_OCSP
|
||||||
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
|
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
|
||||||
if (ssl->status_request_v2) {
|
if (ssl->status_request_v2) {
|
||||||
@ -13492,9 +13490,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
goto exit_ppc;
|
goto exit_ppc;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
doCrlLookup = 0;
|
|
||||||
WOLFSSL_ERROR_VERBOSE(ret);
|
WOLFSSL_ERROR_VERBOSE(ret);
|
||||||
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
||||||
}
|
}
|
||||||
@ -13502,26 +13498,43 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
#endif /* HAVE_OCSP */
|
#endif /* HAVE_OCSP */
|
||||||
|
|
||||||
#ifdef HAVE_CRL
|
#ifdef HAVE_CRL
|
||||||
if (ret == 0 && doCrlLookup &&
|
if (SSL_CM(ssl)->crlEnabled &&
|
||||||
SSL_CM(ssl)->crlEnabled &&
|
SSL_CM(ssl)->crlCheckAll) {
|
||||||
SSL_CM(ssl)->crlCheckAll) {
|
int doCrlLookup = 1;
|
||||||
WOLFSSL_MSG("Doing Non Leaf CRL check");
|
|
||||||
ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
|
#ifdef HAVE_OCSP
|
||||||
#ifdef WOLFSSL_NONBLOCK_OCSP
|
if (SSL_CM(ssl)->ocspEnabled &&
|
||||||
if (ret == OCSP_WANT_READ) {
|
SSL_CM(ssl)->ocspCheckAll) {
|
||||||
args->lastErr = ret;
|
/* If the cert status is unknown to the OCSP
|
||||||
goto exit_ppc;
|
responder, do a CRL lookup. If any other
|
||||||
|
error, skip the CRL lookup and fail the
|
||||||
|
certificate. */
|
||||||
|
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||||
}
|
}
|
||||||
#endif
|
#endif /* HAVE_OCSP */
|
||||||
if (ret != 0) {
|
|
||||||
WOLFSSL_ERROR_VERBOSE(ret);
|
if (doCrlLookup) {
|
||||||
WOLFSSL_MSG("\tCRL check not ok");
|
WOLFSSL_MSG("Doing Non Leaf CRL check");
|
||||||
|
ret = CheckCertCRL(SSL_CM(ssl)->crl,
|
||||||
|
args->dCert);
|
||||||
|
#ifdef WOLFSSL_NONBLOCK_OCSP
|
||||||
|
/* The CRL lookup I/O callback is using the
|
||||||
|
* same WOULD_BLOCK error code as OCSP's I/O
|
||||||
|
* callback, and it is enabling it using the
|
||||||
|
* same flag. */
|
||||||
|
if (ret == OCSP_WANT_READ) {
|
||||||
|
args->lastErr = ret;
|
||||||
|
goto exit_ppc;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if (ret != 0) {
|
||||||
|
WOLFSSL_ERROR_VERBOSE(ret);
|
||||||
|
WOLFSSL_MSG("\tCRL check not ok");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* HAVE_CRL */
|
#endif /* HAVE_CRL */
|
||||||
(void)doCrlLookup;
|
|
||||||
}
|
}
|
||||||
#endif /* HAVE_OCSP || HAVE_CRL */
|
|
||||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||||
if (ret == 0 &&
|
if (ret == 0 &&
|
||||||
/* extend the limit "+1" until reaching
|
/* extend the limit "+1" until reaching
|
||||||
@ -13879,6 +13892,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
WOLFSSL_MSG("Doing Leaf CRL check");
|
WOLFSSL_MSG("Doing Leaf CRL check");
|
||||||
ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
|
ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
|
||||||
#ifdef WOLFSSL_NONBLOCK_OCSP
|
#ifdef WOLFSSL_NONBLOCK_OCSP
|
||||||
|
/* The CRL lookup I/O callback is using the
|
||||||
|
* same WOULD_BLOCK error code as OCSP's I/O
|
||||||
|
* callback, and it is enabling it using the
|
||||||
|
* same flag. */
|
||||||
if (ret == OCSP_WANT_READ) {
|
if (ret == OCSP_WANT_READ) {
|
||||||
goto exit_ppc;
|
goto exit_ppc;
|
||||||
}
|
}
|
||||||
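Review bot: In the third hunk the fallback decision `doCrlLookup = (ret == OCSP_CERT_UNKNOWN);` is evaluated only when `ocspEnabled && ocspCheckAll`, so an OCSP status obtained under any other condition (the status_request_v2 path in the second hunk, if it can run without ocspCheckAll; the lines between the two hunks are not visible here) leaves doCrlLookup at 1 and the following `ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);` overwrites that non-zero OCSP result with the CRL result, which could turn a revoked or failed OCSP answer into a pass. The old code gated the call on `ret == 0 && doCrlLookup`; the rewrite should keep a guard on ret itself rather than on the configuration flags, e.g. replace the flag-gated assignment with `if (ret != 0 && ret != OCSP_CERT_UNKNOWN) { doCrlLookup = 0; }` (still under HAVE_OCSP). A short comment above the CheckCertCRL call stating that it is reached only with ret == 0 or ret == OCSP_CERT_UNKNOWN and that its return value deliberately replaces ret would make the override visible to the next reader. Note also that the non-leaf WANT_READ path sets `args->lastErr = ret` before `goto exit_ppc` while the leaf path in the fourth hunk does not; that asymmetry predates this change but is worth a look while the area is being touched. ProcessPeerCerts starts and ends outside these hunks.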
|