OCSP Fixes

1. When using Cert Manager OCSP lookup, the issuer key hash wasn't
being set correctly. This could lead to unknown responses from lookup.
2. The default OCSP lookup callback could block waiting for the server
to close the socket.
This commit is contained in:
John Safranek
2016-09-01 09:58:34 -07:00
parent a0b02236b8
commit 963b9d4c4d
4 changed files with 28 additions and 23 deletions


@@ -1015,7 +1015,7 @@ static int process_http_response(int sfd, byte** respBuf,
XMEMCPY(recvBuf, start, len);
/* receive the OCSP response data */
do {
while (len < recvBufSz) {
result = (int)recv(sfd, (char*)recvBuf+len, recvBufSz-len, 0);
if (result > 0)
len += result;
@@ -1023,7 +1023,7 @@ static int process_http_response(int sfd, byte** respBuf,
WOLFSSL_MSG("process_http_response recv ocsp from peer failed");
return -1;
}
} while (len != recvBufSz);
}
*respBuf = recvBuf;
return recvBufSz;
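Review bot: The receive loop now starts from the `len` bytes already copied out of the header read on the line above it, so it may run zero times, and nothing at the loop says so; a comment above `while (len < recvBufSz) {` such as `/* body bytes that arrived with the headers were copied above; read only the remainder */` would make the purpose of the do/while change clear. The branch taken when recv() returns 0 (peer closed before recvBufSz bytes arrived) lies between the two hunks and is not visible here; if that line only falls through, the loop would repeat the call rather than fail, so it is worth confirming a zero result reaches the `return -1` at the top of the second hunk. process_http_response begins and ends outside these hunks.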


@@ -4570,7 +4570,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
InitDecodedCert(cert, der, sz, NULL);
if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm)) != 0) {
WOLFSSL_MSG("ParseCert failed");
}
else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) {
@@ -5046,7 +5046,7 @@ int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
InitDecodedCert(cert, der, sz, NULL);
if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_CRL, cm)) != 0) {
WOLFSSL_MSG("ParseCert failed");
}
else if ((ret = CheckCertCRL(cm->crl, cert)) != 0) {
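Review bot: The meaning of VERIFY_OCSP at the ParseCertRelative call is not stated at the call site, and the same applies to VERIFY_CRL in the CheckCRL hunk below it; a comment before the call such as `/* VERIFY_OCSP: look up the issuer signer but skip signature confirmation; CheckCertOCSP does the status check */` would record why this is not plain VERIFY. Since the previous NO_VERIFY argument never looked up the issuer, a certificate whose issuer is not loaded presumably now fails inside ParseCertRelative before CheckCertOCSP runs; that looks intended, but the error callers see in that case is worth confirming. wolfSSL_CertManagerCheckOCSP and wolfSSL_CertManagerCheckCRL both begin and end outside these hunks.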


@@ -5074,7 +5074,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
}
#endif
if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
Signer* ca = NULL;
#ifndef NO_SKID
if (cert->extAuthKeyIdSet)
@@ -5099,23 +5099,26 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
if (ret != 0)
return ret;
#endif /* HAVE_OCSP */
/* try to confirm/verify signature */
if (!ConfirmSignature(cert->source + cert->certBegin,
cert->sigIndex - cert->certBegin,
ca->publicKey, ca->pubKeySize, ca->keyOID,
cert->signature, cert->sigLength, cert->signatureOID,
cert->heap)) {
WOLFSSL_MSG("Confirm signature failed");
return ASN_SIG_CONFIRM_E;
if (verify == VERIFY) {
/* try to confirm/verify signature */
if (!ConfirmSignature(cert->source + cert->certBegin,
cert->sigIndex - cert->certBegin,
ca->publicKey, ca->pubKeySize, ca->keyOID,
cert->signature, cert->sigLength, cert->signatureOID,
cert->heap)) {
WOLFSSL_MSG("Confirm signature failed");
return ASN_SIG_CONFIRM_E;
}
#ifndef IGNORE_NAME_CONSTRAINTS
/* check that this cert's name is permitted by the signer's
* name constraints */
if (!ConfirmNameConstraints(ca, cert)) {
WOLFSSL_MSG("Confirm name constraint failed");
return ASN_NAME_INVALID_E;
}
#endif /* IGNORE_NAME_CONSTRAINTS */
}
#ifndef IGNORE_NAME_CONSTRAINTS
/* check that this cert's name is permitted by the signer's
* name constraints */
if (!ConfirmNameConstraints(ca, cert)) {
WOLFSSL_MSG("Confirm name constraint failed");
return ASN_NAME_INVALID_E;
}
#endif /* IGNORE_NAME_CONSTRAINTS */
}
else {
/* no signer */
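Review bot: The new `if (verify == VERIFY)` guard around ConfirmSignature turns every non-zero verify value other than VERIFY into a lookup-only path, whereas before this change any non-zero value confirmed the signature; because the parameter is a plain `int verify` in the signature, a caller passing any other truthy value now silently loses both the signature and the name-constraint checks. Making the lookup-only modes the explicit exception keeps unknown values fail-closed: `if (verify != VERIFY_CRL && verify != VERIFY_OCSP) {`. The `verify != NO_VERIFY` condition in the first hunk is fine as written and does not need to change. ParseCertRelative begins and ends outside these hunks.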


@@ -312,8 +312,10 @@ enum ExtKeyUsage_Sum { /* From RFC 5280 */
enum VerifyType {
NO_VERIFY = 0,
VERIFY = 1
NO_VERIFY = 0,
VERIFY = 1,
VERIFY_CRL = 2,
VERIFY_OCSP = 3
};
#ifdef WOLFSSL_CERT_EXT
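Review bot: The two new enumerators VERIFY_CRL and VERIFY_OCSP carry no comment, and their effect (ParseCertRelative looks up the signer but runs ConfirmSignature only for VERIFY) is only discoverable by reading that function; a trailing comment on each, `VERIFY_CRL = 2,   /* locate signer only, no signature check; CRL lookup */` and `VERIFY_OCSP = 3   /* locate signer only, no signature check; OCSP lookup */`, would keep that at the declaration. It is also worth noting next to the enum that ParseCertRelative takes it as `int verify`, so values outside the enum are not rejected.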