int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) { byte* ocspReqBuf = NULL; int ocspReqSz = 2048; byte* ocspRespBuf = NULL; OcspRequest ocspRequest; OcspResponse ocspResponse; int result = 0; OCSP_Entry* ocspe; CertStatus* certStatus; const char *url; int urlSz; /* If OCSP lookups are disabled, return success. */ if (!ocsp->enabled) { CYASSL_MSG("OCSP lookup disabled, assuming CERT_GOOD"); return 0; } ocspe = find_ocsp_entry(ocsp, cert); if (ocspe == NULL) { CYASSL_MSG("alloc OCSP entry failed"); return MEMORY_ERROR; } certStatus = find_cert_status(ocspe, cert); if (certStatus == NULL) { CYASSL_MSG("alloc OCSP cert status failed"); return MEMORY_ERROR; } if (certStatus->status != -1) { if (!ValidateDate(certStatus->thisDate, certStatus->thisDateFormat, BEFORE) || (certStatus->nextDate[0] == 0) || !ValidateDate(certStatus->nextDate, certStatus->nextDateFormat, AFTER)) { CYASSL_MSG("\tinvalid status date, looking up cert"); certStatus->status = -1; } else { CYASSL_MSG("\tusing cached status"); result = xstat2err(certStatus->status); return result; } } if (ocsp->useOverrideUrl) { if (ocsp->overrideUrl[0] != '\0') { url = ocsp->overrideUrl; urlSz = (int)XSTRLEN(url); } else return OCSP_NEED_URL; } else if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { url = (const char *)cert->extAuthInfo; urlSz = cert->extAuthInfoSz; } else { CYASSL_MSG("\tcert doesn't have extAuthInfo, assuming CERT_GOOD"); return 0; } ocspReqBuf = (byte*)XMALLOC(ocspReqSz, NULL, DYNAMIC_TYPE_IN_BUFFER); if (ocspReqBuf == NULL) { CYASSL_MSG("\talloc OCSP request buffer failed"); return MEMORY_ERROR; } InitOcspRequest(&ocspRequest, cert, ocsp->useNonce, ocspReqBuf, ocspReqSz); ocspReqSz = EncodeOcspRequest(&ocspRequest); if (ocsp->CBIOOcsp) { result = ocsp->CBIOOcsp(ocsp->IOCB_OcspCtx, url, urlSz, ocspReqBuf, ocspReqSz, &ocspRespBuf); } if (result >= 0 && ocspRespBuf) { InitOcspResponse(&ocspResponse, certStatus, ocspRespBuf, result); OcspResponseDecode(&ocspResponse); if (ocspResponse.responseStatus != OCSP_SUCCESSFUL) { CYASSL_MSG("OCSP Responder failure"); result = OCSP_LOOKUP_FAIL; } else { if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0) { result = xstat2err(ocspResponse.status->status); } else { CYASSL_MSG("OCSP Response incorrect for Request"); result = OCSP_LOOKUP_FAIL; } } } else { result = OCSP_LOOKUP_FAIL; } if (ocspReqBuf != NULL) { XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); } if (ocspRespBuf != NULL && ocsp->CBIOOcspRespFree) { ocsp->CBIOOcspRespFree(ocsp->IOCB_OcspCtx, ocspRespBuf); } return result; }
int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) { byte ocspReqBuf[SCRATCH_BUFFER_SIZE]; int ocspReqSz = SCRATCH_BUFFER_SIZE; byte* ocspRespBuf = NULL; OcspRequest ocspRequest; OcspResponse ocspResponse; int result = 0; OCSP_Entry* ocspe; CertStatus* certStatus; /* If OCSP lookups are disabled, return success. */ if (!ocsp->enabled) { CYASSL_MSG("OCSP lookup disabled, assuming CERT_GOOD"); return 0; } ocspe = find_ocsp_entry(ocsp, cert); if (ocspe == NULL) { CYASSL_MSG("alloc OCSP entry failed"); return MEMORY_ERROR; } certStatus = find_cert_status(ocspe, cert); if (certStatus == NULL) { CYASSL_MSG("alloc OCSP cert status failed"); return MEMORY_ERROR; } if (certStatus->status != -1) { if (!ValidateDate(certStatus->thisDate, certStatus->thisDateFormat, BEFORE) || (certStatus->nextDate[0] == 0) || !ValidateDate(certStatus->nextDate, certStatus->nextDateFormat, AFTER)) { CYASSL_MSG("\tinvalid status date, looking up cert"); certStatus->status = -1; } else { CYASSL_MSG("\tusing cached status"); result = xstat2err(certStatus->status); return result; } } InitOcspRequest(&ocspRequest, cert, ocspReqBuf, ocspReqSz); ocspReqSz = EncodeOcspRequest(&ocspRequest); result = http_ocsp_transaction(ocsp, cert, ocspReqBuf, ocspReqSz, &ocspRespBuf); if (result < 0) return result; /* If the transaction failed, return that result. */ InitOcspResponse(&ocspResponse, certStatus, ocspRespBuf, result); OcspResponseDecode(&ocspResponse); if (ocspResponse.responseStatus != OCSP_SUCCESSFUL) { CYASSL_MSG("OCSP Responder failure"); result = OCSP_LOOKUP_FAIL; } else { if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0) { result = xstat2err(ocspResponse.status->status); } else { CYASSL_MSG("OCSP Response incorrect for Request"); result = OCSP_LOOKUP_FAIL; } } if (ocspRespBuf != NULL) { XFREE(ocspRespBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); } return result; }