authorBartlomiej Grzelewski <b.grzelewski@samsung.com>2017-11-09 14:21:13 +0100
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>2017-11-16 12:06:34 +0100
commiteacd8b321de92d38288294d2584ef98d517caead (patch)
treeff08cd612a23017946fa87e88df541e082286472
parentd084e83bb2231b175d9e0b866b03a6daa060cf53 (diff)
downloadkey-manager-eacd8b321de92d38288294d2584ef98d517caead.tar.gz
key-manager-eacd8b321de92d38288294d2584ef98d517caead.tar.bz2
key-manager-eacd8b321de92d38288294d2584ef98d517caead.zip
Add host parameter in HTTP header
Change-Id: Iacd8d8e244df289af8c4ab0fe87a26fcb91b5644
-rw-r--r--src/manager/service/ocsp.cpp62
1 files changed, 59 insertions, 3 deletions
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index dcccf2ac..acbf9d30 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
@@ -37,6 +37,9 @@
/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
+/* Timeout in seconds for ocsp response */
+#define OCSP_TIMEOUT 30
+
namespace CKM {
namespace {
@@ -151,6 +154,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
std::vector<char> url(constUrl.begin(), constUrl.end());
url.push_back(0);
+ std::string headerHost;
{
char *chost = NULL, *cport = NULL, *cpath = NULL;
@@ -159,7 +163,10 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
/* report error */
return CKM_API_OCSP_STATUS_INVALID_URL;
- if (chost) host = chost;
+ if (chost) {
+ host = chost;
+ headerHost = chost;
+ }
if (cport) port = cport;
if (cpath) path = cpath;
@@ -198,6 +205,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
if (cbio == NULL) {
/*BIO_printf(bio_err, "Error creating connect BIO\n");*/
/* report error */
+ LogError("Connection to ocsp host failed: " << host);
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
@@ -266,7 +274,56 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
- resp = OCSP_sendreq_bio(cbio, path.c_str(), req);
+ std::unique_ptr<OCSP_REQ_CTX, decltype(OCSP_REQ_CTX_free)*> ctx(OCSP_sendreq_new(cbio, path.c_str(), NULL, -1), OCSP_REQ_CTX_free);
+ if (!ctx) {
+ LogError("Error creating OCSP_REQ_CTX");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!OCSP_REQ_CTX_add1_header(ctx.get(), "host", headerHost.c_str())) {
+ LogError("Error adding header");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!OCSP_REQ_CTX_set1_req(ctx.get(), req)) {
+ LogError("Error setting ocsp request");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ int fd;
+ if (BIO_get_fd(cbio, &fd) < 0) {
+ LogError("Error extracting fd from bio");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ for (;;) {
+ fd_set confds;
+ int req_timeout = OCSP_TIMEOUT;
+ struct timeval tv;
+ int rv = OCSP_sendreq_nbio(&resp, ctx.get());
+ if (rv != -1)
+ break;
+ FD_ZERO(&confds);
+ FD_SET(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ if (BIO_should_read(cbio)) {
+ rv = select(fd + 1, &confds, NULL, NULL, &tv);
+ } else if (BIO_should_write(cbio)) {
+ rv = select(fd + 1, NULL, &confds, NULL, &tv);
+ } else {
+ LogError("Unexpected retry condition\n");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+ if (rv == 0) {
+ LogError("Timeout on request\n");
+ break;
+ }
+ if (rv == -1) {
+ LogError("Select error\n");
+ break;
+ }
+ }
if (use_ssl && use_ssl_ctx)
SSL_CTX_free(use_ssl_ctx);
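Review bot: The 30-second budget in the new `for (;;)` select() loop after OCSP_REQ_CTX_set1_req is re-armed on every iteration (`req_timeout = OCSP_TIMEOUT` and `tv` are reset inside the loop), so OCSP_TIMEOUT bounds each single wait rather than the whole exchange, and a responder that delivers one byte just inside each interval can keep the verification and its thread busy indefinitely. Take one deadline before the loop and hand select() only the remaining time (time() is shown below; a monotonic clock is preferable if <chrono> is already available in this file), and guard the descriptor with `if (fd >= FD_SETSIZE)` before the first FD_SET, since FD_SET on a larger fd is undefined behaviour in a long-running daemon that may hold many descriptors (or switch to poll()). The loop only ever reaches select() if cbio was put into non-blocking mode (BIO_set_nbio(cbio, 1)) before the connect, which is outside this hunk; if it was not, OCSP_sendreq_nbio blocks and never returns -1, so the timeout this commit adds would never apply. The trailing `\n` in the three new LogError messages in the loop is inconsistent with the other LogError calls added in this hunk and can be dropped. ocsp_verify begins and ends outside the hunk, so whether a NULL resp after a timeout `break` is handled by the existing check below cannot be confirmed here.
```cpp
	if (fd >= FD_SETSIZE) {
		LogError("Socket descriptor too large for select()");
		return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
	}

	// One overall deadline for the whole exchange; re-arming the timeout on
	// every iteration would let a slow-trickling responder hold us forever.
	const time_t deadline = time(NULL) + OCSP_TIMEOUT;
	for (;;) {
		fd_set confds;
		struct timeval tv;
		int rv = OCSP_sendreq_nbio(&resp, ctx.get());
		if (rv != -1)
			break;
		const time_t remaining = deadline - time(NULL);
		if (remaining <= 0) {
			LogError("Timeout on request");
			break;
		}
		FD_ZERO(&confds);
		FD_SET(fd, &confds);
		tv.tv_usec = 0;
		tv.tv_sec = remaining;
		// … unchanged: BIO_should_read/BIO_should_write select() dispatch and rv checks …
	}
```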
@@ -370,7 +427,6 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
}
-
/* Check validity: if invalid write to output BIO so we
* know which response this refers to.
*/