HTTP: Fix OCSP status check

Due to missing curly brackets, the OCSP status checking was not
working in the expected way. Instead of allowing optional-OCSP
configuration to accept connection when OCSP response was ready, all
such cases were marked as hard failures. In addition, the debug prints
were not necessarily accurate for the mandatory-OCSP-but-no-response
case (CID 72694, CID 72704).

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2014-09-07 18:30:58 +03:00
parent cb5ef952c8
commit 9c196f7703


@ -1177,9 +1177,10 @@ static int ocsp_resp_cb(SSL *s, void *arg)
if (status == V_OCSP_CERTSTATUS_GOOD) if (status == V_OCSP_CERTSTATUS_GOOD)
return 1; return 1;
if (status == V_OCSP_CERTSTATUS_REVOKED) if (status == V_OCSP_CERTSTATUS_REVOKED) {
ctx->last_err = "Server certificate has been revoked"; ctx->last_err = "Server certificate has been revoked";
return 0; return 0;
}
if (ctx->ocsp == MANDATORY_OCSP) { if (ctx->ocsp == MANDATORY_OCSP) {
wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required"); wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
ctx->last_err = "OCSP status unknown"; ctx->last_err = "OCSP status unknown";
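Review bot: the added braces around the `V_OCSP_CERTSTATUS_REVOKED` branch are the right fix, since in the old form only `ctx->last_err = "Server certificate has been revoked";` was guarded and the following `return 0;` ran for every non-GOOD status, which is exactly why an unknown status under optional OCSP was rejected instead of falling through to the `ctx->ocsp == MANDATORY_OCSP` check. Two follow-ups worth considering for this hunk: build with a misleading-indentation warning enabled (GCC's `-Wmisleading-indentation`, available from GCC 6) so this class of dangling-statement bug is caught at compile time, and add a `wpa_printf(MSG_DEBUG, ...)` in the revoked branch to match the MANDATORY_OCSP branch, which logs before setting `last_err`; as written, a revocation failure leaves no debug trace and is harder to distinguish from other handshake failures when reading logs.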