From 9753e467217ce052117cbe38d2414927a094db51 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Fri, 24 May 2013 17:23:07 -0700
Subject: [PATCH] minor OCSP update

1. When doing the HTTP transaction, use recv() and send().
2. When a cert doesn't have an Auth Info extension, and not using an override server, it is considered good.
3. decode_url() should return -1 in case of error.
4. When decoding HTTP response, process all the headers, skipping all of those that are not-processed.
---
 src/io.c | 15 +++++++++------
 src/ocsp.c | 8 ++++++--
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/src/io.c b/src/io.c
index f53e4e25b..0fad73b21 100644
--- a/src/io.c
+++ b/src/io.c
@@ -612,7 +612,6 @@ static int decode_http_response(byte* httpBuf, int httpBufSz, byte** dst)
 /* Advance idx past the next \r\n */
 char* end = XSTRSTR(&buf[idx], "\r\n");
 idx = (int)(end - buf + 2);
- stop = 1;
 }
 }
 }
@@ -629,6 +628,8 @@ static int decode_http_response(byte* httpBuf, int httpBufSz, byte** dst)
 static int decode_url(const char* url, int urlSz,
 char* outName, char* outPath, int* outPort)
 {
+ int result = -1;
+
 if (outName != NULL && outPath != NULL && outPort != NULL) {
 if (url == NULL || urlSz == 0)
@@ -648,7 +649,8 @@ static int decode_url(const char* url, int urlSz,
 }
 else cur = 0;
 i = 0;
- while (url[cur] != 0 && url[cur] != ':' && url[cur] != '/') {
+ while (url[cur] != 0 && url[cur] != ':' &&
+ url[cur] != '/' && cur < urlSz) {
 outName[i++] = url[cur++];
 }
 outName[i] = 0;
@@ -684,10 +686,11 @@ static int decode_url(const char* url, int urlSz,
 outPath[0] = '/';
 outPath[1] = 0;
 }
+ result = 0;
 }
 }
- return 0;
+ return result;
 }
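Review bot: In the `@@ -612` hunk of decode_http_response, `end` from `XSTRSTR(&buf[idx], "\r\n")` is used unchecked on the very next line, so a response whose current header line has no terminating CRLF (a truncated or malformed reply from the responder) computes `idx` from a null pointer, and with `stop = 1` removed the header loop, which begins outside the hunk, continues from that bogus index instead of ending. Guard it before the arithmetic, `if (end == NULL) return -1;`, substituting whatever value decode_http_response's other failure paths return (they are not visible here). It is also worth confirming that `buf` is NUL-terminated before `XSTRSTR` runs over bytes received straight from the socket; that guarantee is not visible in this hunk either.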
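Review bot: In the `@@ -648` hunk of decode_url, the new `cur < urlSz` test is the last operand of the while condition, so `url[cur]` is still read before the bound is checked and the loop reads one byte past `urlSz` whenever the host portion runs to the end of an unterminated buffer; the URL handed down from ocsp.c is `cert->extAuthInfo` with an explicit `extAuthInfoSz`, which suggests a terminator cannot be assumed. Move the bound first: `while (cur < urlSz && url[cur] != 0 && url[cur] != ':' && url[cur] != '/') {`. Separately, `outName[i++] = url[cur++];` has no limit on `i`, and decode_url is never told outName's capacity, so a long host name in an attacker-supplied certificate's AIA URL overruns whatever buffer the caller provides; the caller's buffer size is not visible here, so this needs checking against it. The rest of decode_url's body lies outside this hunk.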
@@ -732,11 +735,11 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
 if ((tcp_connect(&sfd, domainName, port) == 0) && (sfd > 0)) {
 int written;
- written = (int)write(sfd, httpBuf, httpBufSz);
+ written = (int)send(sfd, httpBuf, httpBufSz, 0);
 if (written == httpBufSz) {
- written = (int)write(sfd, ocspReqBuf, ocspReqSz);
+ written = (int)send(sfd, ocspReqBuf, ocspReqSz, 0);
 if (written == ocspReqSz) {
- httpBufSz = (int)read(sfd, httpBuf, SCRATCH_BUFFER_SIZE);
+ httpBufSz = (int)recv(sfd, httpBuf, SCRATCH_BUFFER_SIZE, 0);
 if (httpBufSz > 0) {
 ocspRespSz = decode_http_response(httpBuf, httpBufSz, ocspRespBuf);
diff --git a/src/ocsp.c b/src/ocsp.c
index dae9c914f..64d082216 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -275,7 +275,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
 }
 }
- if (ocsp->useOverrideUrl || cert->extAuthInfo == NULL) {
+ if (ocsp->useOverrideUrl) {
 if (ocsp->overrideUrl[0] != '\0') {
 url = ocsp->overrideUrl;
 urlSz = (int)XSTRLEN(url);
@@ -283,10 +283,14 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
 else return OCSP_NEED_URL;
 }
- else {
+ else if (cert->extAuthInfoSz == 0 || cert->extAuthInfo == NULL) {
 url = (const char *)cert->extAuthInfo;
 urlSz = cert->extAuthInfoSz;
 }
+ else {
+ CYASSL_MSG("\tcert doesn't have extAuthInfo, assuming CERT_GOOD");
+ return 0;
+ }
 ocspReqBuf = (byte*)XMALLOC(ocspReqSz, NULL, DYNAMIC_TYPE_IN_BUFFER);
 if (ocspReqBuf == NULL) {
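Review bot: In the `@@ -732` hunk of EmbedOcspLookup, the response is still taken from a single `recv()` into `httpBuf`, so swapping `read()` for `recv()` does nothing about a short read: a responder that delivers the HTTP headers and the DER body in separate segments, or a body larger than one segment, hands a truncated buffer to decode_http_response. Loop until the peer closes, the buffer is full, or an error occurs, and only then decode; if the responder keeps the connection open, the loop additionally needs a Content-Length-driven stop or a receive timeout, neither of which is visible in the parts of EmbedOcspLookup shown (its body starts and ends outside the hunk). The partial-write case for `send()` is at least rejected by the `written == httpBufSz` compare rather than silently accepted, though a retry loop there would be the matching fix.
```c
            if (written == ocspReqSz) {
                int total = 0;
                int got;
                /* keep reading until the responder closes, the scratch
                 * buffer is full, or recv() fails; a single recv() may
                 * return only part of the HTTP response */
                do {
                    got = (int)recv(sfd, httpBuf + total,
                                    SCRATCH_BUFFER_SIZE - total, 0);
                    if (got > 0)
                        total += got;
                } while (got > 0 && total < SCRATCH_BUFFER_SIZE);
                httpBufSz = (got < 0) ? got : total;
                if (httpBufSz > 0) {
                    /* ... unchanged: decode_http_response call ... */
```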
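Review bot: In the `@@ -283` hunk of CyaSSL_OCSP_Lookup_Cert, the new `else if (cert->extAuthInfoSz == 0 || cert->extAuthInfo == NULL)` condition is inverted: that branch is the one that copies `cert->extAuthInfo` into `url`, yet its condition selects certificates that have no AIA URL, while certificates that do carry one fall through to the final `else` and are returned as good (`return 0`) without any OCSP query ever being sent. As written, revocation checking is skipped for every certificate that actually names a responder and is attempted with a NULL or zero-length URL for those that do not. The condition should read `else if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) {`. Even once corrected, the trailing `else` is a fail-open policy (a certificate with no AIA extension passes revocation checking silently), which is what the commit message intends but deserves a comment at that `return 0`, e.g. `/* no responder URL and no override: cannot check, treat as not revoked (fail open) */`. CyaSSL_OCSP_Lookup_Cert continues outside the hunk on both sides.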