Process multiple ocsp responses

wolfcrypt/src/asn.c

@@ -8885,6 +8885,7 @@ static int DecodeCertExtensions(DecodedCert* cert)
             case OCSP_NOCHECK_OID:
                 VERIFY_AND_SET_OID(cert->ocspNoCheckSet);
                 ret = GetASNNull(input, &idx, sz);
+                length = 0; /* idx is already incremented, reset length to 0 */
                 if (ret != 0)
                     return ASN_PARSE_E;
                 break;
@@ -16546,9 +16547,12 @@ static int DecodeSingleResponse(byte* source,
 
     prevIndex = idx;
 
-    /* When making a request, we only request one status on one certificate
+    /* wolfSSL only requests one status for one certificate at a time but
-     * at a time. There should only be one SingleResponse */
+       some OCSP responders can reply with multiple SingleResponse items.
+       Expect to handle one SingleResponse. Otherwise, we can process the
+       responses but only the last entry in the list is verified. */
 
+    while ((idx-prevIndex) < (word32)wrapperSz) {
         /* Wrapper around the Single Response */
         if (GetSequence(source, &idx, &length, size) < 0)
             return ASN_PARSE_E;
@@ -16622,6 +16626,7 @@ static int DecodeSingleResponse(byte* source,
     #endif
     #endif
 
+
         /* The following items are optional. Only check for them if there is more
          * unprocessed data in the singleResponse wrapper. */
 
@@ -16655,6 +16660,7 @@ static int DecodeSingleResponse(byte* source,
     #endif
     #endif
         }
+    } /* while, process multiple SingleResponse items */
 
     localIdx = idx;
     if (((int)(idx - prevIndex) < wrapperSz) &&