Process multiple ocsp responses

wolfcrypt/src/asn.c

@@ -8885,6 +8885,7 @@ static int DecodeCertExtensions(DecodedCert* cert)
             case OCSP_NOCHECK_OID:
                 VERIFY_AND_SET_OID(cert->ocspNoCheckSet);
                 ret = GetASNNull(input, &idx, sz);
+                length = 0; /* idx is already incremented, reset length to 0 */
                 if (ret != 0)
                     return ASN_PARSE_E;
                 break;
@@ -16546,9 +16547,12 @@ static int DecodeSingleResponse(byte* source,
 
     prevIndex = idx;
 
-    /* When making a request, we only request one status on one certificate
+    /* wolfSSL only requests one status for one certificate at a time but
-     * at a time. There should only be one SingleResponse */
+       some OCSP responders can reply with multiple SingleResponse items.
+       Expect to handle one SingleResponse. Otherwise, we can process the
+       responses but only the last entry in the list is verified. */
 
+    while ((idx-prevIndex) < (word32)wrapperSz) {
         /* Wrapper around the Single Response */
         if (GetSequence(source, &idx, &length, size) < 0)
             return ASN_PARSE_E;
@@ -16600,7 +16604,7 @@ static int DecodeSingleResponse(byte* source,
                 return ASN_PARSE_E;
         }
 
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+    #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
         cs->thisDateAsn = source + idx;
         localIdx = 0;
         if (GetDateInfo(cs->thisDateAsn, &localIdx, NULL,
@@ -16610,17 +16614,18 @@ static int DecodeSingleResponse(byte* source,
         XMEMCPY(cs->thisDateParsed.data,
                 cs->thisDateAsn + localIdx - cs->thisDateParsed.length,
                 cs->thisDateParsed.length);
-#endif
+    #endif
         if (GetBasicDate(source, &idx, cs->thisDate,
                                                     &cs->thisDateFormat, size) < 0)
             return ASN_PARSE_E;
 
-#ifndef NO_ASN_TIME
+    #ifndef NO_ASN_TIME
-#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
+    #ifndef WOLFSSL_NO_OCSP_DATE_CHECK
         if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
             return ASN_BEFORE_DATE_E;
-#endif
+    #endif
-#endif
+    #endif
+
 
         /* The following items are optional. Only check for them if there is more
          * unprocessed data in the singleResponse wrapper. */
@@ -16633,7 +16638,7 @@ static int DecodeSingleResponse(byte* source,
             idx++;
             if (GetLength(source, &idx, &length, size) < 0)
                 return ASN_PARSE_E;
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+    #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
             cs->nextDateAsn = source + idx;
             localIdx = 0;
             if (GetDateInfo(cs->nextDateAsn, &localIdx, NULL,
@@ -16643,18 +16648,19 @@ static int DecodeSingleResponse(byte* source,
             XMEMCPY(cs->nextDateParsed.data,
                     cs->nextDateAsn + localIdx - cs->nextDateParsed.length,
                     cs->nextDateParsed.length);
-#endif
+    #endif
             if (GetBasicDate(source, &idx, cs->nextDate,
                                                     &cs->nextDateFormat, size) < 0)
                 return ASN_PARSE_E;
 
-#ifndef NO_ASN_TIME
+    #ifndef NO_ASN_TIME
-#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
+    #ifndef WOLFSSL_NO_OCSP_DATE_CHECK
             if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
                 return ASN_AFTER_DATE_E;
-#endif
+    #endif
-#endif
+    #endif
         }
+    } /* while, process multiple SingleResponse items */
 
     localIdx = idx;
     if (((int)(idx - prevIndex) < wrapperSz) &&