1 files changed, 26 insertions, 20 deletions
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index af559c44c9..a30e363e6e 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -268,6 +268,30 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
        return ret;
 }
+/*
+ * Process a raw OCSP response from an OCSP server request.
+ * OCSP details can then be retrieved with tls_peer_ocsp_* functions.
+ * returns 0 if certificate ok, -1 otherwise.
+ */
+static int
+tls_ocsp_process_response_internal(struct tls *ctx, const unsigned char *response,
+    size_t size)
+{
+        int ret;
+        OCSP_RESPONSE *resp;
+        resp = d2i_OCSP_RESPONSE(NULL, &response, size);
+        if (resp == NULL) {
+                tls_ocsp_ctx_free(ctx->ocsp_ctx);
+                ctx->ocsp_ctx = NULL;
+                tls_set_error(ctx, "unable to parse OCSP response");
+                return -1;
+        }
+        ret = tls_ocsp_verify_response(ctx, resp);
+        OCSP_RESPONSE_free(resp);
+        return ret;
+}
 /* TLS handshake verification callback for stapled requests */
 int
 tls_ocsp_verify_cb(SSL *ssl, void *arg)
@@ -286,7 +310,7 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
        tls_ocsp_ctx_free(ctx->ocsp_ctx);
        ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);
        if (ctx->ocsp_ctx != NULL)
-                res = tls_ocsp_process_response(ctx, raw, size);
+                res = tls_ocsp_process_response_internal(ctx, raw, size);
        return (res == 0) ? 1 : 0;
 }
@@ -374,29 +398,11 @@ tls_peer_ocsp_revocation_time(struct tls *ctx)
        return ctx->ocsp_ctx->ocsp_result->revocation_time;
 }
-/*
- * Process a raw OCSP response from an OCSP server request.
- * OCSP details can then be retrieved with tls_peer_ocsp_* functions.
- * returns 0 if certificate ok, -1 otherwise.
- */
 int
 tls_ocsp_process_response(struct tls *ctx, const unsigned char *response,
    size_t size)
 {
-        int ret;
-        OCSP_RESPONSE *resp;
        if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0)
                return -1;
+        return tls_ocsp_process_response_internal(ctx, response, size);
-        resp = d2i_OCSP_RESPONSE(NULL, &response, size);
-        if (resp == NULL) {
-                tls_ocsp_ctx_free(ctx->ocsp_ctx);
-                ctx->ocsp_ctx = NULL;
-                tls_set_error(ctx, "unable to parse OCSP response");
-                return -1;
-        }
-        ret = tls_ocsp_verify_response(ctx, resp);
-        OCSP_RESPONSE_free(resp);
-        return ret;
 }

diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c index af559c44c9..a30e363e6e 100644 --- a/src/lib/libtls/tls_ocsp.c +++ b/src/lib/libtls/tls_ocsp.c
@@ -268,6 +268,30 @@ tls_ocsp_verify_response(struct tls ctx, OCSP_RESPONSE resp)
268	return ret;	268	return ret;
269	}	269	}
270		270
		271	/*
		272	* Process a raw OCSP response from an OCSP server request.
		273	* OCSP details can then be retrieved with tls_peer_ocsp_* functions.
		274	* returns 0 if certificate ok, -1 otherwise.
		275	*/
		276	static int
		277	tls_ocsp_process_response_internal(struct tls ctx, const unsigned char response,
		278	size_t size)
		279	{
		280	int ret;
		281	OCSP_RESPONSE *resp;
		282
		283	resp = d2i_OCSP_RESPONSE(NULL, &response, size);
		284	if (resp == NULL) {
		285	tls_ocsp_ctx_free(ctx->ocsp_ctx);
		286	ctx->ocsp_ctx = NULL;
		287	tls_set_error(ctx, "unable to parse OCSP response");
		288	return -1;
		289	}
		290	ret = tls_ocsp_verify_response(ctx, resp);
		291	OCSP_RESPONSE_free(resp);
		292	return ret;
		293	}
		294
271	/* TLS handshake verification callback for stapled requests */	295	/* TLS handshake verification callback for stapled requests */
272	int	296	int
273	tls_ocsp_verify_cb(SSL ssl, void arg)	297	tls_ocsp_verify_cb(SSL ssl, void arg)
@@ -286,7 +310,7 @@ tls_ocsp_verify_cb(SSL ssl, void arg)
286	tls_ocsp_ctx_free(ctx->ocsp_ctx);	310	tls_ocsp_ctx_free(ctx->ocsp_ctx);
287	ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);	311	ctx->ocsp_ctx = tls_ocsp_setup_from_peer(ctx);
288	if (ctx->ocsp_ctx != NULL)	312	if (ctx->ocsp_ctx != NULL)
289	res = tls_ocsp_process_response(ctx, raw, size);	313	res = tls_ocsp_process_response_internal(ctx, raw, size);
290		314
291	return (res == 0) ? 1 : 0;	315	return (res == 0) ? 1 : 0;
292	}	316	}
@@ -374,29 +398,11 @@ tls_peer_ocsp_revocation_time(struct tls *ctx)
374	return ctx->ocsp_ctx->ocsp_result->revocation_time;	398	return ctx->ocsp_ctx->ocsp_result->revocation_time;
375	}	399	}
376		400
377	/*
378	* Process a raw OCSP response from an OCSP server request.
379	* OCSP details can then be retrieved with tls_peer_ocsp_* functions.
380	* returns 0 if certificate ok, -1 otherwise.
381	*/
382	int	401	int
383	tls_ocsp_process_response(struct tls ctx, const unsigned char response,	402	tls_ocsp_process_response(struct tls ctx, const unsigned char response,
384	size_t size)	403	size_t size)
385	{	404	{
386	int ret;
387	OCSP_RESPONSE *resp;
388
389	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0)	405	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0)
390	return -1;	406	return -1;
391		407	return tls_ocsp_process_response_internal(ctx, response, size);
392	resp = d2i_OCSP_RESPONSE(NULL, &response, size);
393	if (resp == NULL) {
394	tls_ocsp_ctx_free(ctx->ocsp_ctx);
395	ctx->ocsp_ctx = NULL;
396	tls_set_error(ctx, "unable to parse OCSP response");
397	return -1;
398	}
399	ret = tls_ocsp_verify_response(ctx, resp);
400	OCSP_RESPONSE_free(resp);
401	return ret;
402	}	408	}