ocsp: propagate ocsp cb return error

[rizlik]

Description

The error returned from OCSP cb is not propagated.
Propagating the error allows the verify callback to adopt a custom fallback policy regarding the error.

This is unfortunately a breaking change in this scenario:

• custom cb return a negative value different than OCSP_INVALID_STATUS
• verify cb relies on OCSP_INVALID_STATUS ret error.

[Dor-kpf]

Hi @rizlik,
I tested the PR and it looks like the returned error from the OCSP callback is indeed propagated to the verify callback now. But it looks like the incorrect error code is set in the verifyCallback.
When my OCSP callback returns WOLFSSL_CBIO_ERR_TIMEOUT (-6) it invokes the VerifyCallback with the error: WOLFSSL_ERROR_ZERO_RETURN_E (-6). This is a different error but with the same value of -6. The casting to the right wolfSSL_ErrorCodes enum value is missing.
Looking at the code, I can see that the CheckOcspRequest function casts WOLFSSL_CBIO_ERR_WANT_READ (-2) to OCSP_WANT_READ (-408) right when returning from the call to ocspiocb. Maybe in our case we can cast to HTTP_TIMEOUT (-417)?
Thanks!

[rizlik]

Hi @Dor-kpf ,
You are right! Now the PR should map to the right error.
Thanks

[rizlik]

retest this please

[Dor-kpf]

Hi @rizlik,
I have tested it and it looks good!
In my OCSP callback I have returned WOLFSSL_CBIO_ERR_TIMEOUT (-6) and then my verify callback was later called and the error was propagated correctly (the reported error is HTTP_TIMEOUT (-417) as expected). In my verify callback I check if I use the soft/hard fail approach and then continue/abort the TLS handshake accordingly.

[douzzer]

retest this please