Process multiple ocsp responses

2020-10-14 01:10:07 -07:00
parent 232028d03b
commit 5ac3e7d542
1 changed files with 106 additions and 100 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8885,6 +8885,7 @@ static int DecodeCertExtensions(DecodedCert* cert)
            case OCSP_NOCHECK_OID:
                VERIFY_AND_SET_OID(cert->ocspNoCheckSet);
                ret = GetASNNull(input, &idx, sz);
+                length = 0; /* idx is already incremented, reset length to 0 */
                if (ret != 0)
                    return ASN_PARSE_E;
                break;
@@ -16546,9 +16547,12 @@ static int DecodeSingleResponse(byte* source,

    prevIndex = idx;

-    /* When making a request, we only request one status on one certificate
-     * at a time. There should only be one SingleResponse */
+    /* wolfSSL only requests one status for one certificate at a time but
+       some OCSP responders can reply with multiple SingleResponse items.
+       Expect to handle one SingleResponse. Otherwise, we can process the
+       responses but only the last entry in the list is verified. */

+    while ((idx-prevIndex) < (word32)wrapperSz) {
        /* Wrapper around the Single Response */
        if (GetSequence(source, &idx, &length, size) < 0)
            return ASN_PARSE_E;
@@ -16600,7 +16604,7 @@ static int DecodeSingleResponse(byte* source,
                return ASN_PARSE_E;
        }

-#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+    #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
        cs->thisDateAsn = source + idx;
        localIdx = 0;
        if (GetDateInfo(cs->thisDateAsn, &localIdx, NULL,
@@ -16610,17 +16614,18 @@ static int DecodeSingleResponse(byte* source,
        XMEMCPY(cs->thisDateParsed.data,
                cs->thisDateAsn + localIdx - cs->thisDateParsed.length,
                cs->thisDateParsed.length);
-#endif
+    #endif
        if (GetBasicDate(source, &idx, cs->thisDate,
                                                    &cs->thisDateFormat, size) < 0)
            return ASN_PARSE_E;

-#ifndef NO_ASN_TIME
-#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
+    #ifndef NO_ASN_TIME
+    #ifndef WOLFSSL_NO_OCSP_DATE_CHECK
        if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
            return ASN_BEFORE_DATE_E;
-#endif
-#endif
+    #endif
+    #endif
+

        /* The following items are optional. Only check for them if there is more
         * unprocessed data in the singleResponse wrapper. */
@@ -16633,7 +16638,7 @@ static int DecodeSingleResponse(byte* source,
            idx++;
            if (GetLength(source, &idx, &length, size) < 0)
                return ASN_PARSE_E;
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+    #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
            cs->nextDateAsn = source + idx;
            localIdx = 0;
            if (GetDateInfo(cs->nextDateAsn, &localIdx, NULL,
@@ -16643,18 +16648,19 @@ static int DecodeSingleResponse(byte* source,
            XMEMCPY(cs->nextDateParsed.data,
                    cs->nextDateAsn + localIdx - cs->nextDateParsed.length,
                    cs->nextDateParsed.length);
-#endif
+    #endif
            if (GetBasicDate(source, &idx, cs->nextDate,
                                                    &cs->nextDateFormat, size) < 0)
                return ASN_PARSE_E;

-#ifndef NO_ASN_TIME
-#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
+    #ifndef NO_ASN_TIME
+    #ifndef WOLFSSL_NO_OCSP_DATE_CHECK
            if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
                return ASN_AFTER_DATE_E;
-#endif
-#endif
+    #endif
+    #endif
        }
+    } /* while, process multiple SingleResponse items */

    localIdx = idx;
    if (((int)(idx - prevIndex) < wrapperSz) &&