From 4712376ce17fdd9c279f8de86cf6ffb2e5c9a91a Mon Sep 17 00:00:00 2001
From: David Garske
Date: Tue, 19 Dec 2017 16:52:47 -0800
Subject: [PATCH] Fix for OCSP non-blocking with check all flag set.

---
 examples/client/client.c | 2 +-
 src/internal.c | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/examples/client/client.c b/examples/client/client.c
index e080f77b5..a5d2d83f9 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -1583,7 +1583,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 | WOLFSSL_OCSP_URL_OVERRIDE);
 }
 else {
- wolfSSL_CTX_EnableOCSP(ctx, 0);
+ wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_CHECKALL);
 }
 
 #ifdef WOLFSSL_NONBLOCK_OCSP
diff --git a/src/internal.c b/src/internal.c
index f33767357..d76ace244 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -8101,6 +8101,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 args->dCertInit = 1;
 }
 
+ /* check if returning from non-blocking OCSP */
+ #ifdef WOLFSSL_NONBLOCK_OCSP
+ if (args->lastErr != OCSP_WANT_READ)
+ {
+ #endif
+
 ret = ParseCertRelative(args->dCert, CERT_TYPE,
 !ssl->options.verifyNone, ssl->ctx->cm);
 #ifdef WOLFSSL_ASYNC_CRYPT
@@ -8225,6 +8231,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 WOLFSSL_MSG("Verified CA from chain and already had it");
 }
 
+ #ifdef WOLFSSL_NONBLOCK_OCSP
+ }
+ else {
+ args->lastErr = 0; /* clear last error */
+ }
+ #endif
+
 #if defined(HAVE_OCSP) || defined(HAVE_CRL)
 if (ret == 0) {
 int doCrlLookup = 1;
@@ -8243,6 +8256,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 args->dCert, NULL, ssl);
 #ifdef WOLFSSL_NONBLOCK_OCSP
 if (ret == OCSP_WANT_READ) {
+ args->lastErr = ret;
 goto exit_ppc;
 }
 #endif
@@ -8262,6 +8276,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert);
 #ifdef WOLFSSL_NONBLOCK_OCSP
 if (ret == OCSP_WANT_READ) {
+ args->lastErr = ret;
 goto exit_ppc;
 }
 #endif
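Review bot: The example client now passes WOLFSSL_OCSP_CHECKALL for every build, not only under WOLFSSL_NONBLOCK_OCSP, so the default example handshake presumably now needs a responder answer for each certificate in the chain rather than just the leaf, and nothing in the hunk says this is deliberate. A one-line comment above the call, `/* check every cert in the chain so the non-blocking OCSP resume path is exercised */`, would record the intent the subject line implies. client_test continues outside the hunk.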
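Review bot: The `if (args->lastErr != OCSP_WANT_READ) {` opened under `#ifdef WOLFSSL_NONBLOCK_OCSP` in the @@ -8101 hunk is only closed in the @@ -8225 hunk, roughly 130 lines later, with the closing brace itself inside a second `#ifdef` block; a brace pair that exists in only one build configuration and spans that much of ProcessPeerCerts is easy to break when the code between is edited. On the resume path everything between the two hunks, including ParseCertRelative and the CA verification, is skipped, so the code relies on `args->dCert` still holding the parsed certificate and on `ret` still being 0 from before the earlier return; neither is visible here, and if any path before the return can leave `ret` nonzero, the `if (ret == 0)` revocation re-check would be silently skipped, so please confirm. A comment at the opening brace stating what state is expected to survive the OCSP_WANT_READ return, e.g. `/* on re-entry after OCSP_WANT_READ, args->dCert is already parsed and verified; skip straight to the revocation check */`, would help, and a bool such as `skipParse` computed once at the top of the loop body might let the configuration-dependent brace pair go away. The body of ProcessPeerCerts starts and ends outside these hunks.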
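Review bot: `args->lastErr = ret;` is added before both `goto exit_ppc` sites (this hunk and @@ -8262), but nothing in the diff resets lastErr on the other exits of ProcessPeerCerts, so whether a stale OCSP_WANT_READ can survive into a later call depends on how `args` is initialised by the caller, which is not visible here; a stale value would make the next pass skip ParseCertRelative and the CA verification entirely. If args is not zeroed per call, clearing it at exit_ppc for every ret other than OCSP_WANT_READ, e.g. `if (ret != OCSP_WANT_READ) args->lastErr = 0;`, closes that gap. Since the two sites are identical, a single guarded assignment at exit_ppc, `if (ret == OCSP_WANT_READ) args->lastErr = ret;`, would also remove the duplication. The enclosing function body and the exit_ppc label are outside the hunk.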