From 80bc547853163e26d839697700ff4328551dac20 Mon Sep 17 00:00:00 2001
From: John Bland <john.bland@wolfssl.com>
Date: Tue, 18 Jul 2023 13:00:53 -0400
Subject: [PATCH 1/5] in the event of a OCSP_WANT_READ, set the ssl->error

so that the re-run of DoHandShakeMsgType knows not to hash the certificate twice and won't send an alert to the server as it was when OCSP_WANT_READ instead of setting ret to 0
---
 src/internal.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 73fbc6626..ce8f2b909 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -16332,6 +16332,11 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
     }
 
 #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
+    /* make sure async error is cleared */
+    if (ret == 0 && (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
+        ssl->error = 0;
+    }
+
     /* if async, offset index so this msg will be processed again */
     if ((ret == WC_PENDING_E || ret == OCSP_WANT_READ) && *inOutIdx > 0) {
         *inOutIdx -= HANDSHAKE_HEADER_SZ;
@@ -16340,11 +16345,10 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             *inOutIdx -= DTLS_HANDSHAKE_EXTRA;
         }
     #endif
-    }
 
-    /* make sure async error is cleared */
-    if (ret == 0 && (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
-        ssl->error = 0;
+        /* set the async error so the re-run will work and won't send alert */
+        ssl->error = ret;
+        ret = 0;
     }
 #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
 

From 7ee38350c0753c711616f5dcf4278b755b9eebf4 Mon Sep 17 00:00:00 2001
From: John Bland <john.bland@wolfssl.com>
Date: Tue, 18 Jul 2023 14:05:16 -0400
Subject: [PATCH 2/5] undo supressing the OCSP_WANT_READ error, instead

add it to the list of non-fatal errors so that a socket close alert wont be sent out but the caller still won't block and will instead get OCSP_WANT_READ as an error back from wolfSSL_connect
---
 src/internal.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index ce8f2b909..87f8427d9 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -16332,11 +16332,6 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
     }
 
 #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
-    /* make sure async error is cleared */
-    if (ret == 0 && (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
-        ssl->error = 0;
-    }
-
     /* if async, offset index so this msg will be processed again */
     if ((ret == WC_PENDING_E || ret == OCSP_WANT_READ) && *inOutIdx > 0) {
         *inOutIdx -= HANDSHAKE_HEADER_SZ;
@@ -16345,10 +16340,11 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             *inOutIdx -= DTLS_HANDSHAKE_EXTRA;
         }
     #endif
+    }
 
-        /* set the async error so the re-run will work and won't send alert */
-        ssl->error = ret;
-        ret = 0;
+    /* make sure async error is cleared */
+    if (ret == 0 && (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
+        ssl->error = 0;
     }
 #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
 
@@ -16505,6 +16501,7 @@ int SendFatalAlertOnly(WOLFSSL *ssl, int error)
     case WANT_WRITE:
     case WANT_READ:
     case ZERO_RETURN:
+    case OCSP_WANT_READ:
 #ifdef WOLFSSL_ASYNC_CRYPT
     case WC_PENDING_E:
 #endif

From e12f1f44b4f6d3dde0890882ef8fc0e4d9c56419 Mon Sep 17 00:00:00 2001
From: John Bland <john.bland@wolfssl.com>
Date: Tue, 18 Jul 2023 14:55:16 -0400
Subject: [PATCH 3/5] make OCSP error entry conditional to cut down on size

---
 src/internal.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index 87f8427d9..f7e432023 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -16501,7 +16501,9 @@ int SendFatalAlertOnly(WOLFSSL *ssl, int error)
     case WANT_WRITE:
     case WANT_READ:
     case ZERO_RETURN:
+#ifdef HAVE_OCSP
     case OCSP_WANT_READ:
+#endif
 #ifdef WOLFSSL_ASYNC_CRYPT
     case WC_PENDING_E:
 #endif

From 9ea681030f7b0cc1c1844e521a68f89d0beba0d2 Mon Sep 17 00:00:00 2001
From: John Bland <john.bland@wolfssl.com>
Date: Tue, 18 Jul 2023 15:01:33 -0400
Subject: [PATCH 4/5] change conditional compile to use WOLFSSL_NONBLOCK_OCSP

instead of HAVE_OCSP
---
 src/internal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index f7e432023..c9be1ead7 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -16501,7 +16501,7 @@ int SendFatalAlertOnly(WOLFSSL *ssl, int error)
     case WANT_WRITE:
     case WANT_READ:
     case ZERO_RETURN:
-#ifdef HAVE_OCSP
+#ifdef WOLFSSL_NONBLOCK_OCSP
     case OCSP_WANT_READ:
 #endif
 #ifdef WOLFSSL_ASYNC_CRYPT

From 2e4b651b878d6c64dff874139fcfcc23b42fb7b3 Mon Sep 17 00:00:00 2001
From: John Bland <john.bland@wolfssl.com>
Date: Fri, 21 Jul 2023 16:24:59 -0400
Subject: [PATCH 5/5] update tls13 to handle an OCSP_WANT_READ, update

async client test to retry connect on OCSP_WANT_READ instead of timing out
---
 .github/workflows/async.yml | 3 ++-
 examples/client/client.c    | 3 +++
 src/tls13.c                 | 8 ++++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/async.yml b/.github/workflows/async.yml
index 8ded76950..71b35a400 100644
--- a/.github/workflows/async.yml
+++ b/.github/workflows/async.yml
@@ -10,7 +10,8 @@ jobs:
         config: [
           # Add new configs here
           '--enable-asynccrypt --enable-all --enable-dtls13',
-          '--enable-asynccrypt-sw',
+          '--enable-asynccrypt-sw --enable-ocspstapling --enable-ocspstapling2',
+          '--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS"',
         ]
     name: make check
     runs-on: ubuntu-latest
diff --git a/examples/client/client.c b/examples/client/client.c
index 80fb64a8c..cd2f800b8 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -223,6 +223,9 @@ static int NonBlockingSSL_Connect(WOLFSSL* ssl)
         #ifdef WOLFSSL_ASYNC_CRYPT
             || error == WC_PENDING_E
         #endif
+        #ifdef WOLFSSL_NONBLOCK_OCSP
+            || error == OCSP_WANT_READ
+        #endif
         ) {
         #ifndef WOLFSSL_CALLBACKS
             ret = wolfSSL_connect(ssl);
diff --git a/src/tls13.c b/src/tls13.c
index 0262062a1..ff11ab626 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -11479,12 +11479,12 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
          * == 0) */
         *inOutIdx -= HANDSHAKE_HEADER_SZ;
     }
-#endif
 
-    /* reset error */
-    if (ret == 0 && ssl->error == WC_PENDING_E)
+    /* make sure async error is cleared */
+    if (ret == 0 && (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
         ssl->error = 0;
-
+    }
+#endif
     if (ret == 0 && type != client_hello && type != session_ticket &&
                                                            type != key_update) {
         ret = HashInput(ssl, input + inIdx, size);