1 files changed, 18 insertions, 6 deletions

diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 83b5d6219..26f210d12 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -113,6 +113,9 @@ long crl_check_interval = 0;
 /* by default pluto logs out after every smartcard use */
 bool pkcs11_keep_state = FALSE;
 
+/* by default HTTP fetch timeout is 30s */
+static u_int http_timeout = 30;
+
 /* options read by optionsfrom */
 options_t *options;
 
@@ -344,6 +347,7 @@ static void usage(const char *message)
 		"                                   - if no filename is given, default is used\n"
 		" --optionsfrom (-+) <filename>     reads additional options from given file\n"
 		" --force (-f)                      force existing file(s)\n"
+		" --httptimeout (-T)                timeout for HTTP operations (default: 30s)\n"
 		"\n"
 		"Options for key generation (pkcs1):\n"
 		" --keylength (-k) <bits>           key length for RSA key generation\n"
@@ -518,6 +522,7 @@ int main(int argc, char **argv)
 			{ "in", required_argument, NULL, 'i' },
 			{ "out", required_argument, NULL, 'o' },
 			{ "force", no_argument, NULL, 'f' },
+			{ "httptimeout", required_argument, NULL, 'T' },
 			{ "keylength", required_argument, NULL, 'k' },
 			{ "dn", required_argument, NULL, 'd' },
 			{ "days", required_argument, NULL, 'D' },
@@ -662,6 +667,14 @@ int main(int argc, char **argv)
 				force = TRUE;
 				continue;
 
+			case 'T':       /* --httptimeout */
+				http_timeout = atoi(optarg);
+				if (http_timeout <= 0)
+				{
+					usage("invalid httptimeout specified");
+				}
+				continue;
+
 			case '+':       /* --optionsfrom <filename> */
 				if (!options->from(options, optarg, &argc, &argv, optind))
 				{
@@ -939,7 +952,8 @@ int main(int argc, char **argv)
 		pkcs7_t *pkcs7;
 
 		if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
-							SCEP_GET_CA_CERT, http_get_request, &scep_response))
+							   SCEP_GET_CA_CERT, http_get_request,
+							   http_timeout, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
@@ -1317,7 +1331,7 @@ int main(int argc, char **argv)
 		creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
 
 		if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
-				http_get_request, &scep_response))
+							   http_get_request, http_timeout, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
@@ -1337,7 +1351,7 @@ int main(int argc, char **argv)
 			poll_start = time_monotonic(NULL);
 			issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
 									issuer->get_encoding(issuer),
-									subject);
+									subject->get_encoding(subject));
 		}
 		while (attrs.pkiStatus == SCEP_PENDING)
 		{
@@ -1367,7 +1381,7 @@ int main(int argc, char **argv)
 				exit_scepclient("failed to build scep request");
 			}
 			if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
-				http_get_request, &scep_response))
+							http_get_request, http_timeout, &scep_response))
 			{
 				exit_scepclient("did not receive a valid scep response");
 			}
@@ -1458,5 +1472,3 @@ int main(int argc, char **argv)
 	exit_scepclient(NULL);
 	return -1; /* should never be reached */
 }
-
-