Better CheckOcspRequest error detection on retry
36
src/ocsp.c
36
src/ocsp.c
@@ -251,6 +251,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
|
|||||||
CertStatus* status = NULL;
|
CertStatus* status = NULL;
|
||||||
byte* request = NULL;
|
byte* request = NULL;
|
||||||
int requestSz = 2048;
|
int requestSz = 2048;
|
||||||
|
int responseSz = 0;
|
||||||
byte* response = NULL;
|
byte* response = NULL;
|
||||||
const char* url = NULL;
|
const char* url = NULL;
|
||||||
int urlSz = 0;
|
int urlSz = 0;
|
||||||
@@ -319,31 +320,40 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
|
requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
|
||||||
|
if (requestSz > 0 && ocsp->cm->ocspIOCb) {
|
||||||
|
responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
|
||||||
|
request, requestSz, &response);
|
||||||
|
if (responseSz < 0) {
|
||||||
|
ret = responseSz; /* because ret was used for multiple purposes */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (ocsp->cm->ocspIOCb)
|
if (responseSz >= 0 && response) {
|
||||||
ret = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
|
|
||||||
request, requestSz, &response);
|
|
||||||
|
|
||||||
if (ret >= 0 && response) {
|
|
||||||
XMEMSET(newStatus, 0, sizeof(CertStatus));
|
XMEMSET(newStatus, 0, sizeof(CertStatus));
|
||||||
|
|
||||||
InitOcspResponse(ocspResponse, newStatus, response, ret);
|
InitOcspResponse(ocspResponse, newStatus, response, responseSz);
|
||||||
OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap);
|
if (OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap) != 0) {
|
||||||
|
|
||||||
if (ocspResponse->responseStatus != OCSP_SUCCESSFUL)
|
|
||||||
ret = OCSP_LOOKUP_FAIL;
|
ret = OCSP_LOOKUP_FAIL;
|
||||||
|
WOLFSSL_MSG("OcspResponseDecode failed");
|
||||||
|
}
|
||||||
|
else if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) {
|
||||||
|
ret = OCSP_LOOKUP_FAIL;
|
||||||
|
WOLFSSL_MSG("OcspResponse status bad");
|
||||||
|
}
|
||||||
else {
|
else {
|
||||||
|
ret = OCSP_LOOKUP_FAIL; /* make sure in fail state */
|
||||||
if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) {
|
if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) {
|
||||||
if (responseBuffer) {
|
if (responseBuffer) {
|
||||||
responseBuffer->buffer = (byte*)XMALLOC(ret, ocsp->cm->heap,
|
responseBuffer->buffer = (byte*)XMALLOC(responseSz,
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
ocsp->cm->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
|
|
||||||
if (responseBuffer->buffer) {
|
if (responseBuffer->buffer) {
|
||||||
responseBuffer->length = ret;
|
responseBuffer->length = responseSz;
|
||||||
XMEMCPY(responseBuffer->buffer, response, ret);
|
XMEMCPY(responseBuffer->buffer, response, responseSz);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* only way to get to good state */
|
||||||
ret = xstat2err(ocspResponse->status->status);
|
ret = xstat2err(ocspResponse->status->status);
|
||||||
|
|
||||||
if (wc_LockMutex(&ocsp->ocspLock) != 0)
|
if (wc_LockMutex(&ocsp->ocspLock) != 0)
|
||||||
|
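Review bot: The new `requestSz > 0 &&` guard in the second hunk drops an encoding failure without reporting it: when `EncodeOcspRequest` returns a non-positive value (or no `ocspIOCb` is registered) neither `responseSz` nor `ret` is touched, the `responseSz >= 0 && response` block is skipped because `response` is still NULL, and the function goes on with whatever `ret` held before the hunk, which is not visibly a failure code from here. Since the commit's point is that every non-success path ends in a fail state, I'd add an explicit branch to the new callback block, e.g. `else if (requestSz <= 0) { ret = OCSP_LOOKUP_FAIL; WOLFSSL_MSG("EncodeOcspRequest failed"); }` (or propagate `requestSz` if it is a negative wolfSSL error code), and decide the same for the missing-callback case unless `ret` is already preset to a failure above the hunk. The added comment `/* because ret was used for multiple purposes */` explains history rather than intent; `/* propagate the I/O error: ret is the function result */` says what the line is for. CheckOcspRequest starts and ends outside the hunk.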