Skip to content

Use wolfSSL's EmbedOcspLookup in non-blocking async OCSP example#604

Open
night1rider wants to merge 1 commit into
wolfSSL:masterfrom
night1rider:fenrir-issue-2904
Open

Use wolfSSL's EmbedOcspLookup in non-blocking async OCSP example#604
night1rider wants to merge 1 commit into
wolfSSL:masterfrom
night1rider:fenrir-issue-2904

Conversation

@night1rider

Copy link
Copy Markdown
Contributor

The callback built a curl command by interpolating the certificate's OCSP responder URL into a system() call, replace that with wolfSSL's EmbedOcspLookup so the untrusted URL is fetched over a socket as data instead of being executed.

Resolve the default server by hostname with getaddrinfo instead of a hard-coded IP so the example keeps connecting as the address changes.

@night1rider night1rider self-assigned this Jul 17, 2026

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #604

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #604

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

…OCSP responder URL into a system() call, replace that with wolfSSL's EmbedOcspLookup so the untrusted URL is fetched over a socket as data instead of being executed.

Resolve the default server by hostname with getaddrinfo instead of a hard-coded IP so the example keeps connecting as the address changes.

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #604

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread ocsp/ocsp_nonblock/ocsp_nonblock_async.c
Comment thread ocsp/ocsp_nonblock/ocsp_nonblock_async.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #604

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

FILE* mark = fopen("ocsp.req", "wb");
if (mark == NULL)
return -1;
if (fclose(mark) != 0)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] Orphaned marker file on fclose failure corrupts WANT_READ state machine · Logic errors

If fclose(mark) fails, the function returns -1 but ocsp.req already exists on disk. On the next invocation, access sees the file, the WANT_READ branch is skipped, and EmbedOcspLookup is called immediately — bypassing the non-blocking simulation entirely.

Fix: Call remove("ocsp.req") before returning -1 when fclose fails, to keep the marker-file state consistent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants