Merge pull request #5812 from ejohnstown/crl-ocsp

OCSP/CRL
Sean Parkinson
2022-11-24 12:42:17 +10:00
committed by GitHub


@ -13470,9 +13470,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif #endif
} }
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
if (ret == 0) { if (ret == 0) {
int doCrlLookup = 1;
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
if (ssl->status_request_v2) { if (ssl->status_request_v2) {
@ -13492,9 +13490,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
goto exit_ppc; goto exit_ppc;
} }
#endif #endif
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) { if (ret != 0) {
doCrlLookup = 0;
WOLFSSL_ERROR_VERBOSE(ret); WOLFSSL_ERROR_VERBOSE(ret);
WOLFSSL_MSG("\tOCSP Lookup not ok"); WOLFSSL_MSG("\tOCSP Lookup not ok");
} }
@ -13502,26 +13498,43 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* HAVE_OCSP */ #endif /* HAVE_OCSP */
#ifdef HAVE_CRL #ifdef HAVE_CRL
if (ret == 0 && doCrlLookup && if (SSL_CM(ssl)->crlEnabled &&
SSL_CM(ssl)->crlEnabled && SSL_CM(ssl)->crlCheckAll) {
SSL_CM(ssl)->crlCheckAll) { int doCrlLookup = 1;
WOLFSSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert); #ifdef HAVE_OCSP
#ifdef WOLFSSL_NONBLOCK_OCSP if (SSL_CM(ssl)->ocspEnabled &&
if (ret == OCSP_WANT_READ) { SSL_CM(ssl)->ocspCheckAll) {
args->lastErr = ret; /* If the cert status is unknown to the OCSP
goto exit_ppc; responder, do a CRL lookup. If any other
error, skip the CRL lookup and fail the
certificate. */
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
} }
#endif #endif /* HAVE_OCSP */
if (ret != 0) {
WOLFSSL_ERROR_VERBOSE(ret); if (doCrlLookup) {
WOLFSSL_MSG("\tCRL check not ok"); WOLFSSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(SSL_CM(ssl)->crl,
args->dCert);
#ifdef WOLFSSL_NONBLOCK_OCSP
/* The CRL lookup I/O callback is using the
* same WOULD_BLOCK error code as OCSP's I/O
* callback, and it is enabling it using the
* same flag. */
if (ret == OCSP_WANT_READ) {
args->lastErr = ret;
goto exit_ppc;
}
#endif
if (ret != 0) {
WOLFSSL_ERROR_VERBOSE(ret);
WOLFSSL_MSG("\tCRL check not ok");
}
} }
} }
#endif /* HAVE_CRL */ #endif /* HAVE_CRL */
(void)doCrlLookup;
} }
#endif /* HAVE_OCSP || HAVE_CRL */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (ret == 0 && if (ret == 0 &&
/* extend the limit "+1" until reaching /* extend the limit "+1" until reaching
@ -13879,6 +13892,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Doing Leaf CRL check"); WOLFSSL_MSG("Doing Leaf CRL check");
ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert); ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
#ifdef WOLFSSL_NONBLOCK_OCSP #ifdef WOLFSSL_NONBLOCK_OCSP
/* The CRL lookup I/O callback is using the
* same WOULD_BLOCK error code as OCSP's I/O
* callback, and it is enabling it using the
* same flag. */
if (ret == OCSP_WANT_READ) { if (ret == OCSP_WANT_READ) {
goto exit_ppc; goto exit_ppc;
} }
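Review bot: The non-leaf CRL check in the `@ -13502` hunk no longer requires `ret == 0`: `doCrlLookup` starts at 1 and is narrowed only inside the `ocspEnabled && ocspCheckAll` branch, so a non-zero `ret` produced earlier in this block by any other path (the `status_request_v2` handling above hunk 2 is not visible here) would be overwritten by the result of `CheckCertCRL`, turning a failed status check into a pass whenever the CRL is clean. Initialising from the current state keeps the fail-closed behaviour the removed `ret == 0 &&` guard provided: `int doCrlLookup = (ret == 0);` — the OCSP branch still overrides it with `(ret == OCSP_CERT_UNKNOWN)` for the intended fallback. The four-line comment about the shared WOULD_BLOCK code is duplicated verbatim in the leaf path (`@ -13879` hunk); one of the two could be reduced to `/* CRL I/O reuses OCSP_WANT_READ; see the non-leaf check above */` so the two copies do not drift. The enclosing `if (ret == 0)` block appears to open in hunk 1 and ProcessPeerCerts itself starts and ends outside these hunks.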