wolfSSL SSL/TLS library, support up to TLS1.3


Committer:
wolfSSL
Date:
Tue May 02 08:44:47 2017 +0000
Revision:
7:481bce714567
wolfSSL3.10.2

wolfSSL 7:481bce714567 1 /* ocsp.c
wolfSSL 7:481bce714567 2 *
wolfSSL 7:481bce714567 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 7:481bce714567 4 *
wolfSSL 7:481bce714567 5 * This file is part of wolfSSL.
wolfSSL 7:481bce714567 6 *
wolfSSL 7:481bce714567 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 7:481bce714567 8 * it under the terms of the GNU General Public License as published by
wolfSSL 7:481bce714567 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 7:481bce714567 10 * (at your option) any later version.
wolfSSL 7:481bce714567 11 *
wolfSSL 7:481bce714567 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 7:481bce714567 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 7:481bce714567 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 7:481bce714567 15 * GNU General Public License for more details.
wolfSSL 7:481bce714567 16 *
wolfSSL 7:481bce714567 17 * You should have received a copy of the GNU General Public License
wolfSSL 7:481bce714567 18 * along with this program; if not, write to the Free Software
wolfSSL 7:481bce714567 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 7:481bce714567 20 */
wolfSSL 7:481bce714567 21
wolfSSL 7:481bce714567 22
wolfSSL 7:481bce714567 23 /* Name change compatibility layer no longer needs to be included here */
wolfSSL 7:481bce714567 24
wolfSSL 7:481bce714567 25 #ifdef HAVE_CONFIG_H
wolfSSL 7:481bce714567 26 #include <config.h>
wolfSSL 7:481bce714567 27 #endif
wolfSSL 7:481bce714567 28
wolfSSL 7:481bce714567 29 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 7:481bce714567 30
wolfSSL 7:481bce714567 31 #ifndef WOLFCRYPT_ONLY
wolfSSL 7:481bce714567 32 #ifdef HAVE_OCSP
wolfSSL 7:481bce714567 33
wolfSSL 7:481bce714567 34 #include <wolfssl/error-ssl.h>
wolfSSL 7:481bce714567 35 #include <wolfssl/ocsp.h>
wolfSSL 7:481bce714567 36 #include <wolfssl/internal.h>
wolfSSL 7:481bce714567 37
wolfSSL 7:481bce714567 38 #ifdef NO_INLINE
wolfSSL 7:481bce714567 39 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 7:481bce714567 40 #else
wolfSSL 7:481bce714567 41 #define WOLFSSL_MISC_INCLUDED
wolfSSL 7:481bce714567 42 #include <wolfcrypt/src/misc.c>
wolfSSL 7:481bce714567 43 #endif
wolfSSL 7:481bce714567 44
wolfSSL 7:481bce714567 45
/* Initialise an OCSP context: clear it, create its lock and bind it to the
 * certificate manager that owns it.
 *
 * ocsp  context to initialise (dereferenced unconditionally, must be non-NULL)
 * cm    owning certificate manager; stored in ocsp->cm and used later for the
 *       allocator hint, the I/O callbacks and the URL/nonce settings
 * Returns 0 on success, BAD_MUTEX_E when the lock cannot be created (in that
 * case ocsp->cm is left NULL).
 */
int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm)
{
    int ret = 0;

    WOLFSSL_ENTER("InitOCSP");

    ForceZero(ocsp, sizeof(WOLFSSL_OCSP));

    if (wc_InitMutex(&ocsp->ocspLock) != 0) {
        ret = BAD_MUTEX_E;
    }
    else {
        ocsp->cm = cm;
    }

    return ret;
}
wolfSSL 7:481bce714567 59
wolfSSL 7:481bce714567 60
/* Reset a cache entry and key it by the issuer of `request`.
 *
 * The issuer name hash and issuer key hash (OCSP_DIGEST_SIZE bytes each) are
 * copied from the request; together they are what GetOcspEntry matches on.
 * The entry's status list starts empty. Always returns 0.
 */
static int InitOcspEntry(OcspEntry* entry, OcspRequest* request)
{
    const byte* nameHash = request->issuerHash;
    const byte* keyHash  = request->issuerKeyHash;

    WOLFSSL_ENTER("InitOcspEntry");

    ForceZero(entry, sizeof(OcspEntry));

    XMEMCPY(entry->issuerHash, nameHash, OCSP_DIGEST_SIZE);
    XMEMCPY(entry->issuerKeyHash, keyHash, OCSP_DIGEST_SIZE);

    return 0;
}
wolfSSL 7:481bce714567 72
wolfSSL 7:481bce714567 73
/* Release every CertStatus cached under `entry`, including the raw DER
 * response a record may retain (only present when a caller asked for the
 * response buffer at fetch time).
 *
 * The entry itself is not freed and entry->status is not reset; FreeOCSP
 * releases the entry right after calling this. `heap` is the allocator hint
 * handed to XFREE and is otherwise unused.
 */
static void FreeOcspEntry(OcspEntry* entry, void* heap)
{
    CertStatus* cur = entry->status;

    WOLFSSL_ENTER("FreeOcspEntry");

    while (cur != NULL) {
        CertStatus* following = cur->next;

        if (cur->rawOcspResponse != NULL) {
            XFREE(cur->rawOcspResponse, heap, DYNAMIC_TYPE_OCSP_STATUS);
        }
        XFREE(cur, heap, DYNAMIC_TYPE_OCSP_STATUS);

        cur = following;
    }

    (void)heap;
}
wolfSSL 7:481bce714567 91
wolfSSL 7:481bce714567 92
/* Tear down an OCSP context: free the whole issuer cache, destroy the lock
 * and, when `dynamic` is non-zero, free the context itself.
 *
 * ocsp->cm must still be valid: its heap hint is used for every XFREE here.
 * Not thread-safe with respect to concurrent lookups (the lock is destroyed).
 */
void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic)
{
    void*      heap = ocsp->cm->heap;
    OcspEntry* cur  = ocsp->ocspList;

    WOLFSSL_ENTER("FreeOCSP");

    while (cur != NULL) {
        OcspEntry* following = cur->next;

        FreeOcspEntry(cur, heap);
        XFREE(cur, heap, DYNAMIC_TYPE_OCSP_ENTRY);

        cur = following;
    }

    wc_FreeMutex(&ocsp->ocspLock);

    if (dynamic) {
        XFREE(ocsp, heap, DYNAMIC_TYPE_OCSP);
    }
}
wolfSSL 7:481bce714567 111
wolfSSL 7:481bce714567 112
/* Map a decoded OCSP certificate status to a wolfSSL error code.
 *
 * CERT_GOOD -> 0, CERT_REVOKED -> OCSP_CERT_REVOKED, anything else (including
 * the responder's "unknown") -> OCSP_CERT_UNKNOWN. Only CERT_GOOD yields a
 * zero result, so callers can treat non-zero as "do not trust".
 */
static int xstat2err(int stat)
{
    if (stat == CERT_GOOD)
        return 0;

    if (stat == CERT_REVOKED)
        return OCSP_CERT_REVOKED;

    return OCSP_CERT_UNKNOWN;
}
wolfSSL 7:481bce714567 124
wolfSSL 7:481bce714567 125
/* Run an OCSP check for one decoded certificate.
 *
 * Builds an OcspRequest from `cert` (passing through cm->ocspSendNonce and
 * the cm heap hint) and hands it to CheckOcspRequest, which consults the
 * cache and, if needed, the responder.
 *
 * responseBuffer  optional; when non-NULL it receives a copy of the raw DER
 *                 response (see CheckOcspRequest), NULL when not needed.
 * Returns CheckOcspRequest's result; MEMORY_E if the request object could not
 * be allocated (WOLFSSL_SMALL_STACK builds only); OCSP_LOOKUP_FAIL if the
 * request could not be initialised from the certificate.
 */
int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
{
    int ret = OCSP_LOOKUP_FAIL;
#ifdef WOLFSSL_SMALL_STACK
    OcspRequest* req = NULL;
#else
    OcspRequest  req[1];
#endif

    WOLFSSL_ENTER("CheckCertOCSP");

#ifdef WOLFSSL_SMALL_STACK
    req = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
    if (req == NULL) {
        WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
        return MEMORY_E;
    }
#endif

    if (InitOcspRequest(req, cert, ocsp->cm->ocspSendNonce,
                        ocsp->cm->heap) != 0) {
        /* ret stays OCSP_LOOKUP_FAIL: a certificate whose request cannot be
         * built is a failed lookup, never a pass */
    }
    else {
        ret = CheckOcspRequest(ocsp, req, responseBuffer);
        FreeOcspRequest(req);
    }

#ifdef WOLFSSL_SMALL_STACK
    XFREE(req, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    WOLFSSL_LEAVE("CheckCertOCSP", ret);
    return ret;
}
wolfSSL 7:481bce714567 162
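/* Find, or create, the cache entry for the issuer named by `request`.
 *
 * Entries are matched on both issuer hashes (name hash and key hash). A new
 * entry is allocated from the cm heap and pushed on the front of
 * ocsp->ocspList. The list walk and insertion happen under ocspLock.
 *
 * On return *entry is the matching entry, or NULL on failure.
 * Returns 0 on success, BAD_MUTEX_E if the lock cannot be taken, MEMORY_ERROR
 * if a new entry could not be allocated.
 *
 * Fix: the trace on lock failure named CheckCertOCSP, which made the
 * WOLFSSL_LEAVE log misattribute the error.
 */
static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request,
                                                              OcspEntry** entry)
{
    OcspEntry* found = NULL;

    WOLFSSL_ENTER("GetOcspEntry");

    *entry = NULL;

    if (wc_LockMutex(&ocsp->ocspLock) != 0) {
        WOLFSSL_LEAVE("GetOcspEntry", BAD_MUTEX_E);
        return BAD_MUTEX_E;
    }

    for (found = ocsp->ocspList; found != NULL; found = found->next) {
        if (XMEMCMP(found->issuerHash, request->issuerHash,
                    OCSP_DIGEST_SIZE) == 0 &&
            XMEMCMP(found->issuerKeyHash, request->issuerKeyHash,
                    OCSP_DIGEST_SIZE) == 0) {
            break;
        }
    }

    if (found == NULL) {
        found = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ocsp->cm->heap,
                                    DYNAMIC_TYPE_OCSP_ENTRY);
        if (found != NULL) {
            /* InitOcspEntry always returns 0 */
            InitOcspEntry(found, request);
            found->next = ocsp->ocspList;
            ocsp->ocspList = found;
        }
    }

    wc_UnLockMutex(&ocsp->ocspLock);

    *entry = found;
    return (found != NULL) ? 0 : MEMORY_ERROR;
}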
wolfSSL 7:481bce714567 196
wolfSSL 7:481bce714567 197
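/* Look up a cached status for the serial number in `request` under `entry`.
 *
 * Under ocspLock, walks entry->status for a record with the same serial. A
 * record is served from cache only when it is inside its validity window:
 * ValidateDate(thisDate, BEFORE) and ValidateDate(nextDate, AFTER) are the
 * same checks the certificate validity code uses (asn.c), so this is
 * presumably thisUpdate <= now <= nextUpdate. A record with no nextUpdate
 * (nextDate[0] == 0) is never served from cache and is refetched every time.
 *
 * *status receives the matching record (NULL if none) even when the record is
 * not usable, so the caller can overwrite it after a fresh fetch.
 *
 * responseBuffer, when non-NULL, receives a copy of the cached raw DER
 * response; if the cached record has no raw copy the lookup is reported as
 * OCSP_INVALID_STATUS so the caller refetches and retains one. The copy is
 * allocated with the cm heap hint, the same as the fresh-fetch path in
 * CheckOcspRequest, and is owned by the caller.
 *
 * Returns xstat2err() of the cached status when it can be used,
 * OCSP_INVALID_STATUS when the caller must query the responder, or
 * BAD_MUTEX_E if the lock cannot be taken.
 *
 * Fix: the trace on lock failure named CheckCertOCSP instead of this
 * function; the responseBuffer copy now uses the same heap hint as the
 * sibling allocation in CheckOcspRequest.
 */
static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
                         OcspEntry* entry, CertStatus** status,
                         buffer* responseBuffer)
{
    int         ret = OCSP_INVALID_STATUS;
    CertStatus* cur;

    WOLFSSL_ENTER("GetOcspStatus");

    *status = NULL;

    if (wc_LockMutex(&ocsp->ocspLock) != 0) {
        WOLFSSL_LEAVE("GetOcspStatus", BAD_MUTEX_E);
        return BAD_MUTEX_E;
    }

    /* the entry already fixes the issuer; match on the serial number */
    for (cur = entry->status; cur != NULL; cur = cur->next) {
        if (cur->serialSz == request->serialSz &&
            XMEMCMP(cur->serial, request->serial, cur->serialSz) == 0) {
            break;
        }
    }
    *status = cur;

    if (cur == NULL) {
        /* nothing cached: OCSP_INVALID_STATUS tells the caller to fetch */
    }
    else if (responseBuffer != NULL && cur->rawOcspResponse == NULL) {
        /* caller wants the raw response but none was retained: force
         * fetching again */
        ret = OCSP_INVALID_STATUS;
    }
    else if (ValidateDate(cur->thisDate, cur->thisDateFormat, BEFORE)
             && cur->nextDate[0] != 0
             && ValidateDate(cur->nextDate, cur->nextDateFormat, AFTER)) {
        ret = xstat2err(cur->status);

        if (responseBuffer != NULL) {
            responseBuffer->buffer = (byte*)XMALLOC(cur->rawOcspResponseSz,
                                      ocsp->cm->heap, DYNAMIC_TYPE_TMP_BUFFER);
            if (responseBuffer->buffer != NULL) {
                responseBuffer->length = cur->rawOcspResponseSz;
                XMEMCPY(responseBuffer->buffer, cur->rawOcspResponse,
                        cur->rawOcspResponseSz);
            }
        }
    }
    /* else: cached record is outside its validity window, refetch */

    wc_UnLockMutex(&ocsp->ocspLock);

    return ret;
}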
wolfSSL 7:481bce714567 246
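/* Store a freshly decoded status in the cache entry for its issuer.
 *
 * Takes ocspLock. When `status` is non-NULL it is the existing cached record
 * for this serial and is overwritten in place: its old raw response is
 * released first and its list link is carried over. Otherwise a new record is
 * allocated from the cm heap and pushed on entry->status. When responseBuffer
 * carries a copy of the raw DER response, the cached record keeps its own
 * copy so that a later lookup with a responseBuffer can be served from cache.
 *
 * Returns 0, or BAD_MUTEX_E if the lock could not be taken (nothing cached).
 * Allocation failures are not reported: the answer is still valid, it is just
 * not cached (or cached without its raw response).
 */
static int StoreOcspStatus(WOLFSSL_OCSP* ocsp, OcspEntry* entry,
                           CertStatus* status, CertStatus* newStatus,
                           buffer* responseBuffer)
{
    if (wc_LockMutex(&ocsp->ocspLock) != 0)
        return BAD_MUTEX_E;

    if (status != NULL) {
        if (status->rawOcspResponse)
            XFREE(status->rawOcspResponse, ocsp->cm->heap,
                  DYNAMIC_TYPE_OCSP_STATUS);

        /* Replace existing certificate entry with updated. newStatus->next is
         * NULL (it was memset), so the link must be carried over or every
         * record after this one would be orphaned and leaked. */
        newStatus->next = status->next;
        XMEMCPY(status, newStatus, sizeof(CertStatus));
    }
    else {
        /* Save new certificate entry */
        status = (CertStatus*)XMALLOC(sizeof(CertStatus), ocsp->cm->heap,
                                      DYNAMIC_TYPE_OCSP_STATUS);
        if (status != NULL) {
            XMEMCPY(status, newStatus, sizeof(CertStatus));
            status->next = entry->status;
            entry->status = status;
            entry->totalStatus++;
        }
    }

    if (status != NULL && responseBuffer != NULL &&
        responseBuffer->buffer != NULL) {
        status->rawOcspResponse = (byte*)XMALLOC(responseBuffer->length,
                                                 ocsp->cm->heap,
                                                 DYNAMIC_TYPE_OCSP_STATUS);
        if (status->rawOcspResponse != NULL) {
            status->rawOcspResponseSz = responseBuffer->length;
            XMEMCPY(status->rawOcspResponse, responseBuffer->buffer,
                    responseBuffer->length);
        }
    }

    wc_UnLockMutex(&ocsp->ocspLock);
    return 0;
}


/* Resolve the revocation status of the certificate described by ocspRequest.
 *
 * Order of resolution:
 *   1. the in-memory cache (GetOcspEntry / GetOcspStatus): a cached answer
 *      still inside its validity window is returned directly;
 *   2. otherwise a request is encoded and sent through cm->ocspIOCb to the
 *      responder URL (cm->ocspOverrideURL when ocspUseOverrideURL is set,
 *      else the URL carried in the request), the response is decoded, checked
 *      against the request with CompareOcspReqResp, and the result is cached.
 *
 * responseBuffer, when non-NULL, is reset to NULL/0 and then receives a copy
 * (cm heap, DYNAMIC_TYPE_TMP_BUFFER) of the raw DER response; the caller owns
 * that copy.
 *
 * Returns 0 when the certificate is reported good; OCSP_CERT_REVOKED or
 * OCSP_CERT_UNKNOWN when the responder (or the cache) says so;
 * OCSP_NEED_URL when the override URL is enabled but empty; a memory or
 * mutex error from the cache path; and OCSP_LOOKUP_FAIL for any other
 * failure (no I/O callback, transport error, undecodable, unsuccessful or
 * mismatching response, lock failure while caching).
 *
 * A certificate that carries no responder URL, with no override configured,
 * is treated as good without any lookup. That is a deliberate soft-fail of
 * this layer; callers that need hard-fail semantics must enforce it.
 *
 * Fixes in this revision: `request` was allocated with the cm heap hint but
 * freed with a NULL hint; replacing a cached record in place dropped its
 * `next` link and leaked the rest of the list; a definitive revoked/unknown
 * answer was reported as OCSP_LOOKUP_FAIL, which let it be confused with a
 * transport failure.
 */
int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
                     buffer* responseBuffer)
{
    OcspEntry*  entry      = NULL;
    CertStatus* status     = NULL;
    byte*       request    = NULL;
    int         requestSz  = 2048;
    int         responseSz = 0;
    byte*       response   = NULL;
    const char* url        = NULL;
    int         urlSz      = 0;
    int         ret        = -1;
    int         validated  = 0;   /* set only on a fresh CERT_GOOD answer */
#ifdef WOLFSSL_SMALL_STACK
    CertStatus*   newStatus;
    OcspResponse* ocspResponse;
#else
    CertStatus    newStatus[1];
    OcspResponse  ocspResponse[1];
#endif

    WOLFSSL_ENTER("CheckOcspRequest");

    if (responseBuffer != NULL) {
        responseBuffer->buffer = NULL;
        responseBuffer->length = 0;
    }

    /* 1. cache */
    ret = GetOcspEntry(ocsp, ocspRequest, &entry);
    if (ret != 0)
        return ret;

    ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer);
    if (ret != OCSP_INVALID_STATUS)
        return ret;   /* usable cached answer (good/revoked/unknown) or error */

    /* 2. responder URL: a configured override wins over the certificate's */
    if (ocsp->cm->ocspUseOverrideURL) {
        url = ocsp->cm->ocspOverrideURL;
        if (url == NULL || url[0] == '\0')
            return OCSP_NEED_URL;
        urlSz = (int)XSTRLEN(url);
    }
    else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) {
        url   = (const char*)ocspRequest->url;
        urlSz = ocspRequest->urlSz;
    }
    else {
        /* cert doesn't have extAuthInfo, assuming CERT_GOOD (soft-fail) */
        return 0;
    }

    request = (byte*)XMALLOC(requestSz, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
    if (request == NULL) {
        WOLFSSL_LEAVE("CheckOcspRequest", MEMORY_ERROR);
        return MEMORY_ERROR;
    }

#ifdef WOLFSSL_SMALL_STACK
    newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
                                     DYNAMIC_TYPE_TMP_BUFFER);
    ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
                                          DYNAMIC_TYPE_TMP_BUFFER);

    if (newStatus == NULL || ocspResponse == NULL) {
        if (newStatus)
            XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
        if (ocspResponse)
            XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);

        /* request came from the cm heap; free it with the same hint */
        XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);

        WOLFSSL_LEAVE("CheckOcspRequest", MEMORY_ERROR);
        return MEMORY_E;
    }
#endif

    requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
    if (requestSz > 0 && ocsp->cm->ocspIOCb) {
        responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
                                        request, requestSz, &response);
    }

    if (responseSz >= 0 && response != NULL) {
        XMEMSET(newStatus, 0, sizeof(CertStatus));
        InitOcspResponse(ocspResponse, newStatus, response, responseSz);

        if (OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap) != 0) {
            WOLFSSL_MSG("OcspResponseDecode failed");
        }
        else if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) {
            WOLFSSL_MSG("OcspResponse status bad");
        }
        else if (CompareOcspReqResp(ocspRequest, ocspResponse) != 0) {
            /* response is for another certificate or carries the wrong
             * nonce: ret stays -1 and becomes OCSP_LOOKUP_FAIL below */
            WOLFSSL_MSG("OcspResponse does not match request");
        }
        else {
            int storeRet;

            if (responseBuffer != NULL) {
                responseBuffer->buffer = (byte*)XMALLOC(responseSz,
                                      ocsp->cm->heap, DYNAMIC_TYPE_TMP_BUFFER);
                if (responseBuffer->buffer != NULL) {
                    responseBuffer->length = responseSz;
                    XMEMCPY(responseBuffer->buffer, response, responseSz);
                }
            }

            /* only way to get to good state */
            ret = xstat2err(ocspResponse->status->status);
            if (ret == 0)
                validated = 1;

            storeRet = StoreOcspStatus(ocsp, entry, status, newStatus,
                                       responseBuffer);
            if (storeRet != 0)
                ret = storeRet;
        }
    }

#ifdef WOLFSSL_SMALL_STACK
    XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    /* request came from the cm heap; free it with the same hint */
    XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);

    if (response != NULL && ocsp->cm->ocspRespFreeCb)
        ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response);

    if (ret == 0 && validated == 1) {
        WOLFSSL_MSG("New OcspResponse validated");
    }
    else if (ret == OCSP_CERT_REVOKED || ret == OCSP_CERT_UNKNOWN) {
        /* definitive answer from a response that matched the request: keep
         * it distinct from a lookup failure so a caller that tolerates
         * transport failures cannot mistake a revocation for one */
        WOLFSSL_MSG("OcspResponse reports certificate revoked or unknown");
    }
    else {
        ret = OCSP_LOOKUP_FAIL;
    }

    WOLFSSL_LEAVE("CheckOcspRequest", ret);
    return ret;
}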
wolfSSL 7:481bce714567 420
wolfSSL 7:481bce714567 421
wolfSSL 7:481bce714567 422 #else /* HAVE_OCSP */
wolfSSL 7:481bce714567 423
wolfSSL 7:481bce714567 424
wolfSSL 7:481bce714567 425 #ifdef _MSC_VER
wolfSSL 7:481bce714567 426 /* 4206 warning for blank file */
wolfSSL 7:481bce714567 427 #pragma warning(disable: 4206)
wolfSSL 7:481bce714567 428 #endif
wolfSSL 7:481bce714567 429
wolfSSL 7:481bce714567 430
wolfSSL 7:481bce714567 431 #endif /* HAVE_OCSP */
wolfSSL 7:481bce714567 432 #endif /* WOLFCRYPT_ONLY */
wolfSSL 7:481bce714567 433
wolfSSL 7:481bce714567 434