/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
+/* Timeout in seconds for ocsp response */
+#define OCSP_TIMEOUT 30
+
namespace CKM {
namespace {
std::vector<char> url(constUrl.begin(), constUrl.end());
url.push_back(0);
+ std::string headerHost;
{
char *chost = NULL, *cport = NULL, *cpath = NULL;
/* report error */
return CKM_API_OCSP_STATUS_INVALID_URL;
- if (chost) host = chost;
+ if (chost) {
+ host = chost;
+ headerHost = chost;
+ }
if (cport) port = cport;
if (cpath) path = cpath;
if (cbio == NULL) {
/*BIO_printf(bio_err, "Error creating connect BIO\n");*/
/* report error */
+ LogError("Connection to ocsp host failed: " << host);
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
- resp = OCSP_sendreq_bio(cbio, path.c_str(), req);
+ std::unique_ptr<OCSP_REQ_CTX, decltype(OCSP_REQ_CTX_free)*> ctx(OCSP_sendreq_new(cbio, path.c_str(), NULL, -1), OCSP_REQ_CTX_free);
+ if (!ctx) {
+ LogError("Error creating OCSP_REQ_CTX");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!OCSP_REQ_CTX_add1_header(ctx.get(), "host", headerHost.c_str())) {
+ LogError("Error adding header");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!OCSP_REQ_CTX_set1_req(ctx.get(), req)) {
+ LogError("Error setting ocsp request");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ int fd;
+ if (BIO_get_fd(cbio, &fd) < 0) {
+ LogError("Error extracting fd from bio");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ for (;;) {
+ fd_set confds;
+ int req_timeout = OCSP_TIMEOUT;
+ struct timeval tv;
+ int rv = OCSP_sendreq_nbio(&resp, ctx.get());
+ if (rv != -1)
+ break;
+ FD_ZERO(&confds);
+ FD_SET(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ if (BIO_should_read(cbio)) {
+ rv = select(fd + 1, &confds, NULL, NULL, &tv);
+ } else if (BIO_should_write(cbio)) {
+ rv = select(fd + 1, NULL, &confds, NULL, &tv);
+ } else {
+ LogError("Unexpected retry condition\n");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+ if (rv == 0) {
+ LogError("Timeout on request\n");
+ break;
+ }
+ if (rv == -1) {
+ LogError("Select error\n");
+ break;
+ }
+ }
if (use_ssl && use_ssl_ctx)
SSL_CTX_free(use_ssl_ctx);
return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
}
-
/* Check validity: if invalid write to output BIO so we
* know which response this refers to.
*/
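Review bot: The new select loop calls `FD_SET(fd, &confds)` without checking `fd` against `FD_SETSIZE`, so a descriptor at or above that limit (possible in a long-running daemon with many open handles) writes past the end of the `fd_set`; add `if (fd < 0 || fd >= FD_SETSIZE) { LogError("Descriptor out of range for select"); return CKM_API_OCSP_STATUS_INTERNAL_ERROR; }` right after the `BIO_get_fd` check, or use `poll()` instead. Note also that `OCSP_TIMEOUT` bounds each individual `select()` call, not the whole exchange, so a responder that trickles a byte every few seconds keeps the loop alive indefinitely; tracking a deadline computed once before the loop and passing the remaining time to `select()` would make the 30 s a real upper bound. The `rv != -1` break also covers `OCSP_sendreq_nbio` returning 0 (hard failure), which appears to be handled only by the later `resp` check outside the hunk — a comment such as `/* rv == 0: request failed, resp stays NULL and is rejected below */` would make that dependency explicit. The `"\n"` suffixes in the four new `LogError` messages are inconsistent with the other `LogError` calls in the hunk. The enclosing function starts and ends outside the hunk.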