Add host parameter in HTTP header 57/159557/4
authorBartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 9 Nov 2017 13:21:13 +0000 (14:21 +0100)
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 16 Nov 2017 11:06:34 +0000 (12:06 +0100)
Change-Id: Iacd8d8e244df289af8c4ab0fe87a26fcb91b5644

src/manager/service/ocsp.cpp

index dcccf2a..acbf9d3 100644 (file)
@@ -37,6 +37,9 @@
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD     (5 * 60)
 
+/* Timeout in seconds for ocsp response */
+#define OCSP_TIMEOUT 30
+
 namespace CKM {
 
 namespace {
@@ -151,6 +154,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 
        std::vector<char> url(constUrl.begin(), constUrl.end());
        url.push_back(0);
+       std::string headerHost;
 
        {
                char *chost = NULL, *cport = NULL, *cpath = NULL;
@@ -159,7 +163,10 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
                        /* report error */
                        return CKM_API_OCSP_STATUS_INVALID_URL;
 
-               if (chost) host = chost;
+               if (chost) {
+                       host = chost;
+                       headerHost = chost;
+               }
                if (cport) port = cport;
                if (cpath) path = cpath;
 
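Review bot: `headerHost = chost` keeps only the host part of the responder URL, so the Host header built from it later in ocsp_verify drops the port even when `cport` carries a non-default one. Appending it after this block, e.g. `if (cport) headerHost.append(":").append(cport);`, keeps the header consistent with the URL that was parsed. The value also reaches the request header unvalidated, and the URL presumably comes from the certificate under check, so a host containing CR, LF or other control characters should be rejected with `CKM_API_OCSP_STATUS_INVALID_URL` before it is passed to `OCSP_REQ_CTX_add1_header`. The function body starts and ends outside this hunk.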
@@ -198,6 +205,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
        if (cbio == NULL) {
                /*BIO_printf(bio_err, "Error creating connect BIO\n");*/
                /* report error */
+               LogError("Connection to ocsp host failed: " << host);
                return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
        }
 
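Review bot: The new message reports a failed connection, but this branch is taken when `cbio == NULL`, which the commented-out BIO_printf just above describes as a failure to create the connect BIO, not a failed connect. `LogError("Error creating connect BIO for ocsp host: " << host);` would point whoever reads the log at the right cause. The function continues outside this hunk.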
@@ -266,7 +274,56 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
                return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
        }
 
-       resp = OCSP_sendreq_bio(cbio, path.c_str(), req);
+       std::unique_ptr<OCSP_REQ_CTX, decltype(OCSP_REQ_CTX_free)*> ctx(OCSP_sendreq_new(cbio, path.c_str(), NULL, -1), OCSP_REQ_CTX_free);
+       if (!ctx) {
+               LogError("Error creating OCSP_REQ_CTX");
+               return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+       }
+
+       if (!OCSP_REQ_CTX_add1_header(ctx.get(), "host", headerHost.c_str())) {
+               LogError("Error adding header");
+               return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+       }
+
+       if (!OCSP_REQ_CTX_set1_req(ctx.get(), req)) {
+               LogError("Error setting ocsp request");
+               return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+       }
+
+       int fd;
+       if (BIO_get_fd(cbio, &fd) < 0) {
+               LogError("Error extracting fd from bio");
+               return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+       }
+
+       for (;;) {
+               fd_set confds;
+               int req_timeout = OCSP_TIMEOUT;
+               struct timeval tv;
+               int rv = OCSP_sendreq_nbio(&resp, ctx.get());
+               if (rv != -1)
+                       break;
+               FD_ZERO(&confds);
+               FD_SET(fd, &confds);
+               tv.tv_usec = 0;
+               tv.tv_sec = req_timeout;
+               if (BIO_should_read(cbio)) {
+                       rv = select(fd + 1, &confds, NULL, NULL, &tv);
+               } else if (BIO_should_write(cbio)) {
+                       rv = select(fd + 1, NULL, &confds, NULL, &tv);
+               } else {
+                       LogError("Unexpected retry condition\n");
+                       return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+               }
+               if (rv == 0) {
+                       LogError("Timeout on request\n");
+                       break;
+               }
+               if (rv == -1) {
+                       LogError("Select error\n");
+                       break;
+               }
+       }
 
        if (use_ssl && use_ssl_ctx)
                SSL_CTX_free(use_ssl_ctx);
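Review bot: `FD_SET(fd, &confds)` is undefined behaviour once `fd` is at or above FD_SETSIZE, which a process holding many descriptors (presumably the case for this service) can reach, so the wait is safer done with `poll()`. The `OCSP_TIMEOUT` window is also re-armed on every pass of the loop, so a responder that keeps delivering a few bytes inside each window can hold this call indefinitely; one deadline for the whole exchange bounds it, and an EINTR from the wait should retry, not end the request. Separately, the new `return` paths leave before the `SSL_CTX_free(use_ssl_ctx)` that follows the loop, so they should share that cleanup. `OCSP_sendreq_nbio` reports -1 for retry only when `cbio` is non-blocking, which is not visible in this hunk and should be confirmed. The function starts and ends outside the hunk.

```cpp
	// … unchanged: OCSP_REQ_CTX setup and BIO_get_fd …
	const auto deadline = std::chrono::steady_clock::now() +
			      std::chrono::seconds(OCSP_TIMEOUT);

	for (;;) {
		int rv = OCSP_sendreq_nbio(&resp, ctx.get());
		if (rv != -1)
			break;

		struct pollfd pfd;
		pfd.fd = fd;
		pfd.revents = 0;
		if (BIO_should_read(cbio)) {
			pfd.events = POLLIN;
		} else if (BIO_should_write(cbio)) {
			pfd.events = POLLOUT;
		} else {
			// … unchanged: "Unexpected retry condition" error return …
		}

		// One budget for the whole exchange, not one per wait.
		const auto left = std::chrono::duration_cast<std::chrono::milliseconds>(
				deadline - std::chrono::steady_clock::now()).count();
		if (left <= 0) {
			LogError("Timeout on request\n");
			break;
		}

		rv = poll(&pfd, 1, static_cast<int>(left));
		if (rv == -1 && errno == EINTR)
			continue;
		if (rv == 0) {
			LogError("Timeout on request\n");
			break;
		}
		if (rv == -1) {
			LogError("Poll error\n");
			break;
		}
	}
```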
@@ -370,7 +427,6 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
                return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
        }
 
-
        /* Check validity: if invalid write to output BIO so we
         * know which response this refers to.
         */