
OCSP example using Certificate Manager#224

Merged
julek-wolfssl merged 4 commits intowolfSSL:masterfrom
dgarske:ocsp_nonblock
Jun 1, 2022

Conversation

@dgarske

@dgarske dgarske commented Aug 7, 2020

Also shows optional non-blocking OCSP support.
Uses PR: wolfSSL/wolfssl#3204
ZD 10417

@dgarske dgarske assigned julek-wolfssl and unassigned dgarske May 25, 2022
@dgarske dgarske requested a review from julek-wolfssl May 25, 2022 17:54
@dgarske dgarske assigned dgarske and unassigned julek-wolfssl May 25, 2022

@julek-wolfssl julek-wolfssl left a comment


I'm getting this warning when compiling:

gcc -o ocsp_nonblock ocsp_nonblock.c -Wall -I/usr/local/include -Os -L/usr/local/lib -lwolfssl
ocsp_nonblock.c: In function ‘main’:
ocsp_nonblock.c:279:19: warning: ‘derSz’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  279 |             ret = wolfSSL_CertManagerVerifyBuffer(pCm,
      |                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  280 |                 der, derSz, WOLFSSL_FILETYPE_ASN1);
      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

@julek-wolfssl

I think having the callback block is not a great example. I modified it so that the IO callback returns WANT_READ and the caller calls wolfSSL_CertManagerCheckOCSP again until the lookup completes. This is a very crude example that uses globals; a better one would keep this state in the ctx. What do you think @dgarske?

diff --git a/ocsp/ocsp_nonblock/ocsp_nonblock.c b/ocsp/ocsp_nonblock/ocsp_nonblock.c
index 36052a63..be43c9cd 100644
--- a/ocsp/ocsp_nonblock/ocsp_nonblock.c
+++ b/ocsp/ocsp_nonblock/ocsp_nonblock.c
@@ -140,16 +140,31 @@ static const char* kGoogleCom =
 
 static int io_timeout_sec = DEFAULT_TIMEOUT_SEC;
 
+
+static SOCKET_T sfd = SOCKET_INVALID;
+static word16   port;
+static int      ret = -1;
+static char     path[MAX_URL_ITEM_SIZE];
+static char     domainName[MAX_URL_ITEM_SIZE];
+static int      nonBlockCnt = 0;
+static byte*    httpBuf;
+
 /* Return size of the OCSP response or negative for error */
 static int OcspLookupNonBlockCb(void* ctx, const char* url, int urlSz,
                         byte* ocspReqBuf, int ocspReqSz, byte** ocspRespBuf)
 {
-    SOCKET_T sfd = SOCKET_INVALID;
-    word16   port;
-    int      ret = -1;
-    char     path[MAX_URL_ITEM_SIZE];
-    char     domainName[MAX_URL_ITEM_SIZE];
-    int      nonBlockCnt = 0;
+    if (sfd != SOCKET_INVALID) {
+        ret = wolfIO_HttpProcessResponseOcsp(sfd, ocspRespBuf,
+                        httpBuf, HTTP_SCRATCH_BUFFER_SIZE, ctx);
+        nonBlockCnt++;
+        if (ret == OCSP_WANT_READ)
+            return WOLFSSL_CBIO_ERR_WANT_READ;
+        printf("OCSP Response: ret %d, nonblock count %d\n",
+            ret, nonBlockCnt);
+        XFREE(httpBuf, ctx, DYNAMIC_TYPE_OCSP);
+        httpBuf = NULL;
+        return ret;
+    }
 
     if (ocspReqBuf == NULL || ocspReqSz == 0) {
         printf("OCSP request is required for lookup\n");
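Review bot: In the new re-entry branch at the top of OcspLookupNonBlockCb, the socket is never closed or reset once wolfIO_HttpProcessResponseOcsp stops returning OCSP_WANT_READ: the code frees httpBuf and returns, but the file-scope `sfd` keeps the open descriptor, so it leaks and every later invocation of the callback (for any other certificate or URL) takes this branch again and tries to read a response off the stale socket instead of sending the new request. Before the final `return ret;` in that branch, close and invalidate the socket and reset the counter: `CloseSocket(sfd); sfd = SOCKET_INVALID; nonBlockCnt = 0;`. Keeping the per-lookup state in file-scope statics also means the callback cannot serve two lookups at once; a comment on those declarations such as `/* Per-lookup state kept across WANT_READ returns; one lookup in flight at a time */` would make that limitation explicit for readers copying the example. The function's body continues past the end of the hunk.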
@@ -163,7 +178,7 @@ static int OcspLookupNonBlockCb(void* ctx, const char* url, int urlSz,
     else {
         /* Note: This is free'd in OcspRespFreeCb callback */
         int   httpBufSz = HTTP_SCRATCH_BUFFER_SIZE;
-        byte* httpBuf   = (byte*)XMALLOC(httpBufSz, NULL, DYNAMIC_TYPE_OCSP);
+        httpBuf         = (byte*)XMALLOC(httpBufSz, NULL, DYNAMIC_TYPE_OCSP);
 
         printf("OCSP Lookup:\n");
         printf("\tURL: %s\n", url);
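Review bot: The comment kept above the allocation, `/* Note: This is free'd in OcspRespFreeCb callback */`, no longer describes what happens to httpBuf: in this patch the lookup callback frees it itself on both the completed and the cleanup path and OcspRespFreeCb only clears the pointer, so it should read `/* Scratch buffer for the HTTP response; kept across WANT_READ returns and freed by this callback once the response is complete */`. The XMALLOC result is assigned to the global without a visible NULL check before it is handed to wolfIO_HttpProcessResponseOcsp in the later hunks; if the elided lines do not check it, add `if (httpBuf == NULL) return -1;` (a negative value, matching the function's documented error convention). The enclosing else-block begins and ends outside this hunk.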
@@ -197,6 +212,8 @@ static int OcspLookupNonBlockCb(void* ctx, const char* url, int urlSz,
                         ret = wolfIO_HttpProcessResponseOcsp(sfd, ocspRespBuf, 
                                         httpBuf, HTTP_SCRATCH_BUFFER_SIZE, ctx);
                         nonBlockCnt++;
+                        if (ret == OCSP_WANT_READ)
+                            return WOLFSSL_CBIO_ERR_WANT_READ;
                     } while (ret == OCSP_WANT_READ);
                     printf("OCSP Response: ret %d, nonblock count %d\n", 
                         ret, nonBlockCnt);
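Review bot: Once the early `return WOLFSSL_CBIO_ERR_WANT_READ` is added inside the loop body, the `while (ret == OCSP_WANT_READ)` condition can never be true, so the do/while is now a single-iteration construct that reads as if it still spins; replace it with the plain sequence `ret = wolfIO_HttpProcessResponseOcsp(sfd, ocspRespBuf, httpBuf, HTTP_SCRATCH_BUFFER_SIZE, ctx); nonBlockCnt++; if (ret == OCSP_WANT_READ) return WOLFSSL_CBIO_ERR_WANT_READ;`. Returning here deliberately bypasses the CloseSocket/XFREE cleanup further down, which is the reason sfd and httpBuf became globals, so a one-line comment, `/* leave sfd and httpBuf alive; the next callback call resumes the read */`, would stop a future reader from "fixing" the apparent leak. The surrounding function and the else-branch this sits in both extend outside the hunk.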
@@ -208,8 +225,10 @@ static int OcspLookupNonBlockCb(void* ctx, const char* url, int urlSz,
             if (sfd != SOCKET_INVALID)
                 CloseSocket(sfd);
             XFREE(httpBuf, ctx, DYNAMIC_TYPE_OCSP);
+            httpBuf = NULL;
         }
     }
+    printf("Resp ret: %d\n", ret);
     return ret;
 }
 
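Review bot: `CloseSocket(sfd)` in the first-pass cleanup closes the descriptor but leaves the file-scope `sfd` holding its old value, so the guard `if (sfd != SOCKET_INVALID)` at the top of the callback is true on the next lookup and the code tries to resume reading from a closed descriptor number, one the OS may since have handed to an unrelated socket. Reset the global together with the close: `if (sfd != SOCKET_INVALID) { CloseSocket(sfd); sfd = SOCKET_INVALID; }`. The new `printf("Resp ret: %d\n", ret)` sits after the closing brace of the else-block, so it also prints on the missing-request error path; either move it inside the block or label it as the final status line so the output is unambiguous. The function starts before the hunk.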
@@ -217,6 +236,7 @@ static void OcspRespFreeCb(void* ctx, byte *resp)
 {
     if (resp)
         XFREE(resp, NULL, DYNAMIC_TYPE_OCSP);
+    httpBuf = NULL;
 
     (void)ctx;
 }
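Review bot: OcspRespFreeCb now clears the global `httpBuf` without freeing it; in the paths visible in this patch the pointer is already freed and set to NULL by the lookup callback, so the assignment is a no-op there, but if it is ever non-NULL at this point the buffer is leaked because its only reference is dropped. Either free it here, `XFREE(httpBuf, NULL, DYNAMIC_TYPE_OCSP); httpBuf = NULL;` (NULL matching the heap hint the XMALLOC uses), or remove the line and document that the lookup callback owns the scratch buffer. A comment above the function, `/* Frees the response buffer handed back by OcspLookupNonBlockCb; httpBuf is owned and freed by the lookup callback itself */`, would make the ownership explicit.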
@@ -226,7 +246,7 @@ int main(void)
     int ret = -1;
     WOLFSSL_CERT_MANAGER* pCm;
     byte der[2000];
-    int derSz;
+    int derSz = 0;
 
 #if 0
     wolfSSL_Debugging_ON();
@@ -283,8 +303,10 @@ int main(void)
     #ifdef HAVE_OCSP
         if (ret == WOLFSSL_SUCCESS) {
             /* Check OCSP for certificate */
-            ret = wolfSSL_CertManagerCheckOCSP(pCm, 
-                der, derSz);
+            do {
+                ret = wolfSSL_CertManagerCheckOCSP(pCm,
+                    der, derSz);
+            } while (ret == OCSP_WANT_READ);
             printf("Check OCSP for Google.com (ret %d)\n", ret);
         }
     #endif
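Review bot: The new do/while around wolfSSL_CertManagerCheckOCSP retries for as long as OCSP_WANT_READ comes back, with no cap on the number of resumptions; io_timeout_sec exists as a file-scope setting, but whether it bounds each socket wait is not visible in this patch, so an unresponsive responder can leave the example spinning rather than failing. Add a limit, e.g. `int tries = 0; do { ret = wolfSSL_CertManagerCheckOCSP(pCm, der, derSz); } while (ret == OCSP_WANT_READ && ++tries < MAX_OCSP_RETRIES);` with a small `#define MAX_OCSP_RETRIES` near the top of the file, and treat exhaustion as a failed check. Since the example only prints `ret`, a comment noting that a real client must treat any value other than WOLFSSL_SUCCESS as a revocation-check failure (fail closed) would help readers who copy this loop. main continues outside the hunk.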

Comment thread ocsp/ocsp_nonblock/ocsp_nonblock.c Outdated
else {
do {
ret = wolfIO_HttpProcessResponseOcsp(sfd, ocspRespBuf,
httpBuf, HTTP_SCRATCH_BUFFER_SIZE, ctx);

The ctx is not the heap hint. It is in EmbedOcspLookup but not for user callbacks.

@julek-wolfssl

Also, do you think the example should use select() to wait for data on the socket instead of looping?

@dgarske dgarske assigned julek-wolfssl and unassigned dgarske May 27, 2022
Comment thread ocsp/ocsp_nonblock/ocsp_nonblock.c Outdated
Comment thread ocsp/ocsp_nonblock/ocsp_nonblock.c
@dgarske dgarske requested a review from julek-wolfssl June 1, 2022 16:47
@dgarske dgarske assigned julek-wolfssl and unassigned dgarske Jun 1, 2022

@julek-wolfssl julek-wolfssl left a comment


Thanks for the changes. They look good.

@julek-wolfssl julek-wolfssl merged commit 18130fb into wolfSSL:master Jun 1, 2022
@dgarske dgarske deleted the ocsp_nonblock branch June 6, 2022 17:36
yota22721 pushed a commit to yota22721/wolfssl-examples that referenced this pull request Jan 25, 2025
