From 0a38ab8ac27628bb9231b53a4cff92ac4b7c8740 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 17 Jun 2020 11:00:05 -0700
Subject: [PATCH] Fix for possible use of NULL is the OCSP response nonce. This is optional and may not be provided in the OCSP response and should be skipped if not set in the response. ZD 10475.
---
 wolfcrypt/src/asn.c | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 91cbab76e..3a5a759cb 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -16995,64 +16995,56 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
 WOLFSSL_ENTER("CompareOcspReqResp");
- if (req == NULL)
- {
+ if (req == NULL) {
 WOLFSSL_MSG("\tReq missing");
 return -1;
 }
-
- if (resp == NULL)
- {
+ if (resp == NULL || resp->issuerHash == NULL ||
+ resp->issuerKeyHash == NULL || resp->status == NULL) {
 WOLFSSL_MSG("\tResp missing");
 return 1;
 }
 /* Nonces are not critical. The responder may not necessarily add
 * the nonce to the response. */
- if (req->nonceSz
+ if (req->nonceSz && resp->nonce != NULL
 #ifndef WOLFSSL_FORCE_OCSP_NONCE_CHECK
 && resp->nonceSz != 0
 #endif
 ) {
 cmp = req->nonceSz - resp->nonceSz;
- if (cmp != 0)
- {
+ if (cmp != 0) {
 WOLFSSL_MSG("\tnonceSz mismatch");
 return cmp;
 }
 cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
- if (cmp != 0)
- {
+ if (cmp != 0) {
 WOLFSSL_MSG("\tnonce mismatch");
 return cmp;
 }
 }
 cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE);
- if (cmp != 0)
- {
+ if (cmp != 0) {
 WOLFSSL_MSG("\tissuerHash mismatch");
 return cmp;
 }
 cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE);
- if (cmp != 0)
- {
+ if (cmp != 0) {
 WOLFSSL_MSG("\tissuerKeyHash mismatch");
 return cmp;
 }
 cmp = req->serialSz - resp->status->serialSz;
- if (cmp != 0)
- {
+ if (cmp != 0) {
 WOLFSSL_MSG("\tserialSz mismatch");
 return cmp;
 }
 cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz);
- if (cmp != 0)
- {
+ if (cmp != 0) {
 WOLFSSL_MSG("\tserial mismatch");
 return cmp;
 }
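Review bot: The new `&& resp->nonce != NULL` in the nonce condition weakens the WOLFSSL_FORCE_OCSP_NONCE_CHECK build: when the responder omits the nonce, the whole nonce block is now skipped and the request is treated as matching, whereas the old code fell into the block and returned a nonceSz mismatch, which appears to be the point of that option. Moving `&& resp->nonce != NULL` inside the `#ifndef WOLFSSL_FORCE_OCSP_NONCE_CHECK` clause next to `resp->nonceSz != 0` keeps the forced check rejecting nonce-less responses, and the NULL dereference the commit fixes stays covered if the XMEMCMP is preceded by `if (resp->nonce == NULL) { WOLFSSL_MSG("\tnonce missing"); return 1; }` (returning 1 to match the existing "response side missing" convention). This assumes a missing nonce leaves resp->nonceSz at 0, which is decided by the parser outside this hunk; if nonceSz can be non-zero with a NULL nonce, the guard is what prevents the crash in the forced build too. The function's trailing return after the serial comparison lies outside the hunk.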