diff --git a/src/io.c b/src/io.c index ed0971dff..a37052b3a 100644 --- a/src/io.c +++ b/src/io.c @@ -1015,7 +1015,7 @@ static int process_http_response(int sfd, byte** respBuf, XMEMCPY(recvBuf, start, len); /* receive the OCSP response data */ - do { + while (len < recvBufSz) { result = (int)recv(sfd, (char*)recvBuf+len, recvBufSz-len, 0); if (result > 0) len += result; @@ -1023,7 +1023,7 @@ static int process_http_response(int sfd, byte** respBuf, WOLFSSL_MSG("process_http_response recv ocsp from peer failed"); return -1; } - } while (len != recvBufSz); + } *respBuf = recvBuf; return recvBufSz; diff --git a/src/ssl.c b/src/ssl.c index 61bd2d4f8..391488162 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -4570,7 +4570,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) InitDecodedCert(cert, der, sz, NULL); - if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) { + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm)) != 0) { WOLFSSL_MSG("ParseCert failed"); } else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) { @@ -5046,7 +5046,7 @@ int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) InitDecodedCert(cert, der, sz, NULL); - if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) { + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_CRL, cm)) != 0) { WOLFSSL_MSG("ParseCert failed"); } else if ((ret = CheckCertCRL(cm->crl, cert)) != 0) { diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 884e66ae5..545b32d95 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5074,7 +5074,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) } #endif - if (verify && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { + if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { Signer* ca = NULL; #ifndef NO_SKID if (cert->extAuthKeyIdSet) @@ -5099,23 +5099,26 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) if (ret != 0) return ret; #endif /* HAVE_OCSP */ - /* try to confirm/verify signature */ - if (!ConfirmSignature(cert->source + cert->certBegin, - cert->sigIndex - cert->certBegin, - ca->publicKey, ca->pubKeySize, ca->keyOID, - cert->signature, cert->sigLength, cert->signatureOID, - cert->heap)) { - WOLFSSL_MSG("Confirm signature failed"); - return ASN_SIG_CONFIRM_E; + + if (verify == VERIFY) { + /* try to confirm/verify signature */ + if (!ConfirmSignature(cert->source + cert->certBegin, + cert->sigIndex - cert->certBegin, + ca->publicKey, ca->pubKeySize, ca->keyOID, + cert->signature, cert->sigLength, cert->signatureOID, + cert->heap)) { + WOLFSSL_MSG("Confirm signature failed"); + return ASN_SIG_CONFIRM_E; + } + #ifndef IGNORE_NAME_CONSTRAINTS + /* check that this cert's name is permitted by the signer's + * name constraints */ + if (!ConfirmNameConstraints(ca, cert)) { + WOLFSSL_MSG("Confirm name constraint failed"); + return ASN_NAME_INVALID_E; + } + #endif /* IGNORE_NAME_CONSTRAINTS */ } -#ifndef IGNORE_NAME_CONSTRAINTS - /* check that this cert's name is permitted by the signer's - * name constraints */ - if (!ConfirmNameConstraints(ca, cert)) { - WOLFSSL_MSG("Confirm name constraint failed"); - return ASN_NAME_INVALID_E; - } -#endif /* IGNORE_NAME_CONSTRAINTS */ } else { /* no signer */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index f609e0ab1..6aba913d2 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -312,8 +312,10 @@ enum ExtKeyUsage_Sum { /* From RFC 5280 */ enum VerifyType { - NO_VERIFY = 0, - VERIFY = 1 + NO_VERIFY = 0, + VERIFY = 1, + VERIFY_CRL = 2, + VERIFY_OCSP = 3 }; #ifdef WOLFSSL_CERT_EXT