Refactor OCSP responder error handling and improve HTTP response sending logic; add wolfCLU_SendAll function for reliable socket writes

Author: julek-wolfssl

src/ocsp/clu_ocsp.c

@@ -818,15 +818,13 @@ static int ocspResponder(OcspResponderConfig* config)
 
         /* Accept connection */
         clientfd = wolfCLU_ServerAccept(sockfd);
-        if (clientfd == INVALID_SOCKET) {
-            continue;
-        }
+        if (clientfd == INVALID_SOCKET)
+            goto continue_loop;
 
         /* Read request from transport layer */
         ret = transportReadRequest(clientfd, transportType, &ocspReq, &ocspReqSz);
-        if (ret != WOLFCLU_SUCCESS) {
-            break;
-        }
+        if (ret != WOLFCLU_SUCCESS)
+            goto continue_loop;
 
         /* Process OCSP request and generate response */
         respSz = sizeof(respBuffer);
@@ -862,14 +860,13 @@ static int ocspResponder(OcspResponderConfig* config)
             if (ret != 0) {
                 /* If we can't encode an error response, send HTTP/SCGI error */
                 transportSendError(clientfd, transportType, 500, "Internal Server Error");
-                break;
+                goto continue_loop;
             }
         }
 
         /* Send response via transport layer */
-        if (transportSendResponse(clientfd, transportType, respBuffer, (int)respSz) != 0) {
-            break;
-        }
+        if (transportSendResponse(clientfd, transportType, respBuffer, (int)respSz) != 0)
+            goto continue_loop;
 
         requestsProcessed++;
 
@@ -878,7 +875,9 @@ static int ocspResponder(OcspResponderConfig* config)
             break;
         }
 
-        wolfCLU_ServerClose(clientfd);
+continue_loop:
+        if (clientfd != INVALID_SOCKET)
+            wolfCLU_ServerClose(clientfd);
         clientfd = INVALID_SOCKET;
     }
 

src/tools/clu_http.c

@@ -295,6 +295,25 @@ int wolfCLU_HttpServerRecv(SOCKET_T clientfd, byte* buffer, int bufferSz)
     return totalLen;
 }
 
+/* Send all bytes, looping on partial writes and EINTR */
+int wolfCLU_SendAll(SOCKET_T sockfd, const char* buf, int len)
+{
+    int sent = 0;
+    while (sent < len) {
+        int n = (int)send(sockfd, buf + sent, (size_t)(len - sent), 0);
+        if (n < 0) {
+#ifndef _WIN32
+            if (errno == EINTR) continue;
+#endif
+            return -1;
+        }
+        if (n == 0)
+            return -1;
+        sent += n;
+    }
+    return sent;
+}
+
 /**
  * @brief Send an HTTP response with OCSP content
  * @param clientfd client socket descriptor
@@ -307,7 +326,6 @@ int wolfCLU_HttpServerSendOcspResponse(SOCKET_T clientfd, const byte* body,
 {
     char header[512];
     int headerLen;
-    int sent;
 
     headerLen = XSNPRINTF(header, sizeof(header),
         "HTTP/1.0 200 OK\r\n"
@@ -321,15 +339,13 @@ int wolfCLU_HttpServerSendOcspResponse(SOCKET_T clientfd, const byte* body,
     }
 
     /* Send header */
-    sent = (int)send(clientfd, header, (size_t)headerLen, 0);
-    if (sent != headerLen) {
+    if (wolfCLU_SendAll(clientfd, header, headerLen) != headerLen) {
         return -1;
     }
 
     /* Send body */
     if (bodySz > 0) {
-        sent = (int)send(clientfd, (const char*)body, (size_t)bodySz, 0);
-        if (sent != bodySz) {
+        if (wolfCLU_SendAll(clientfd, (const char*)body, bodySz) != bodySz) {
             return -1;
         }
     }
@@ -390,12 +406,18 @@ int wolfCLU_HttpServerParseRequest(const byte* httpReq, int httpReqSz,
 {
     const char* contentLen;
     const char* bodyStart;
+    int bodyAvail;
 
     *body = NULL;
     *bodySz = 0;
 
+    if (httpReqSz < (int)XSTR_SIZEOF("POST ")) {
+        return -1;
+    }
+
     /* Check for POST method */
-    if (XSTRNCMP((char*)httpReq, "POST ", 5) != 0) {
+    if (XSTRNCMP((char*)httpReq, "POST ", 
+                 XSTR_SIZEOF("POST ")) != 0) {
         return -1;
     }
 
@@ -405,22 +427,26 @@ int wolfCLU_HttpServerParseRequest(const byte* httpReq, int httpReqSz,
         contentLen = XSTRSTR((char*)httpReq, "content-length:");
     }
     if (contentLen) {
-        *bodySz = XATOI(contentLen + 15);
-        if (*bodySz < 0) {
+        *bodySz = XATOI(contentLen + XSTR_SIZEOF("Content-Length:"));
+        if (*bodySz <= 0) {
             return -1;
         }
     }
 
-    /* Find body (after \r\n\r\n) */
-    bodyStart = XSTRSTR((char*)httpReq, "\r\n\r\n");
-    if (bodyStart) {
-        *body = (const byte*)(bodyStart + 4);
-        /* Use Content-Length if available, otherwise use remaining data */
-        if (*bodySz == 0) {
-            *bodySz = httpReqSz - (int)(*body - httpReq);
-        }
-        return 0;
+    /* Find body (has to appear after headers) */
+    bodyStart = XSTRSTR((char*)contentLen, "\r\n\r\n");
+    if (!bodyStart)
+        return -1;
+    bodyAvail = (int)(((char*)httpReq + httpReqSz) - 
+        (bodyStart + XSTR_SIZEOF("\r\n\r\n")));
+    /* Use Content-Length if available, otherwise use
+     * remaining data. Verify how much body we have. */
+    if (*bodySz == 0) {
+        *bodySz = bodyAvail;
     }
-
-    return -1;
+    else if (*bodySz > bodyAvail) {
+        return -1;
+    }
+    *body = (const byte*)(bodyStart + XSTR_SIZEOF("\r\n\r\n"));
+    return 0;
 }

src/tools/clu_pem_der.c

@@ -55,7 +55,7 @@ static int loadFileToDer(const char* filename, byte** der, word32* derSz, int pe
         return -1;
     }
 
-    buf = (byte*)XMALLOC(bufSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    buf = (byte*)XMALLOC(bufSz + 1, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     if (buf == NULL) {
         wolfSSL_BIO_free(bio);
         return -1;
@@ -68,6 +68,7 @@ static int loadFileToDer(const char* filename, byte** der, word32* derSz, int pe
         return -1;
     }
     wolfSSL_BIO_free(bio);
+    buf[bufSz] = '\0';
 
     /* Check if PEM format */
     isPem = (XSTRSTR((char*)buf, "-----BEGIN") != NULL) ? 1 : 0;

src/tools/clu_scgi.c

@@ -118,21 +118,31 @@ static int parseHeaders(const byte* headers, int headerLen, ScgiRequest* req)
 
     while (pos < headerLen) {
         const char* key = (const char*)(headers + pos);
-        int keyLen = (int)XSTRLEN(key);
+        const char* keyEnd;
         const char* value;
+        const char* valueEnd;
+        int keyLen;
         int valueLen;
-        
-        if (pos + keyLen >= headerLen) {
+
+        /* Find NUL terminator for key within remaining bounds */
+        keyEnd = (const char*)memchr(key, '\0', (size_t)(headerLen - pos));
+        if (keyEnd == NULL) {
             break;
         }
-        
+        keyLen = (int)(keyEnd - key);
         pos += keyLen + 1;
+
+        if (pos >= headerLen) {
+            break;
+        }
+
+        /* Find NUL terminator for value within remaining bounds */
         value = (const char*)(headers + pos);
-        valueLen = (int)XSTRLEN(value);
-        
-        if (pos + valueLen >= headerLen) {
+        valueEnd = (const char*)memchr(value, '\0', (size_t)(headerLen - pos));
+        if (valueEnd == NULL) {
             break;
         }
+        valueLen = (int)(valueEnd - value);
 
         if (XSTRCMP(key, "CONTENT_LENGTH") == 0) {
             req->contentLength = XATOI(value);
@@ -235,7 +245,6 @@ int wolfCLU_ScgiSendResponse(SOCKET_T sockfd, int statusCode,
 {
     char header[512];
     int headerLen;
-    int sent;
 
     headerLen = XSNPRINTF(header, sizeof(header),
         "Status: %d %s\r\n"
@@ -248,14 +257,12 @@ int wolfCLU_ScgiSendResponse(SOCKET_T sockfd, int statusCode,
         return -1;
     }
 
-    sent = (int)send(sockfd, header, headerLen, 0);
-    if (sent != headerLen) {
+    if (wolfCLU_SendAll(sockfd, header, headerLen) != headerLen) {
         return -1;
     }
 
     if (bodyLen > 0 && body != NULL) {
-        sent = (int)send(sockfd, (const char*)body, bodyLen, 0);
-        if (sent != bodyLen) {
+        if (wolfCLU_SendAll(sockfd, (const char*)body, bodyLen) != bodyLen) {
             return -1;
         }
     }

tests/ocsp-scgi/ocsp-scgi-test.sh

@@ -276,21 +276,13 @@ run_test() {
         -CAfile "$CERTS_DIR/ca-cert.pem" \
         -url http://localhost:8080/ocsp 2>&1)
 
-    OCSP_EXIT_CODE=$?
-    
     echo "$OCSP_OUTPUT"
 
-    # Check if the request was successful
-    if [ $OCSP_EXIT_CODE -eq 0 ]; then
-        if echo "$OCSP_OUTPUT" | grep -q "$expected_status"; then
-            echo "✓ Test PASSED: Found expected status '$expected_status'"
-            return $EXIT_SUCCESS
-        else
-            echo "✗ Test FAILED: Expected '$expected_status' but got different status"
-            return $EXIT_FAILURE
-        fi
+    if echo "$OCSP_OUTPUT" | grep -q "$expected_status"; then
+        echo "✓ Test PASSED: Found expected status '$expected_status'"
+        return $EXIT_SUCCESS
     else
-        echo "✗ Test FAILED: OCSP request failed with exit code $OCSP_EXIT_CODE"
+        echo "✗ Test FAILED: Expected '$expected_status' but got different status"
         return $EXIT_FAILURE
     fi
 }

wolfclu/clu_header_main.h

@@ -712,6 +712,15 @@ int wolfCLU_HttpServerSendError(SOCKET_T clientfd, int statusCode,
  */
 void wolfCLU_ServerClose(SOCKET_T sockfd);
 
+/**
+ * @brief Send all bytes on a socket, looping on partial writes and EINTR
+ * @param sockfd socket descriptor
+ * @param buf data to send
+ * @param len number of bytes to send
+ * @return number of bytes sent on success, negative on error
+ */
+int wolfCLU_SendAll(SOCKET_T sockfd, const char* buf, int len);
+
 /**
  * @brief Parse HTTP POST request to extract OCSP request body
  * @param httpReq HTTP request buffer