ocsp-resp-refactor: address reviewer's comments

2025-02-04 22:52:41 +00:00
parent eb7904b5e5
commit 851d74fd69
2 changed files with 15 additions and 14 deletions
--- a/src/ocsp.c
+++ b/src/ocsp.c
@ -825,11 +825,13 @@ void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse)
 static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash,
    const byte* keyHash)
 {
-    if (resp->responderIdType == OCSP_RESPONDER_ID_NAME)
-        return (XMEMCMP(NameHash, resp->responderId.nameHash,
-                    SIGNER_DIGEST_SIZE) == 0);
-    else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY)
-        return (XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0);
+    if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) {
+        return XMEMCMP(NameHash, resp->responderId.nameHash,
+                   SIGNER_DIGEST_SIZE) == 0;
+    }
+    else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) {
+        return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
+    }

    return 0;
 }
@ -907,7 +909,7 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert,
    InitDecodedCert(c, cert->source, cert->maxIdx, NULL);
    if (ParseCertRelative(c, CERT_TYPE, VERIFY, st->cm, NULL) != 0) {
        ret = ASN_OCSP_CONFIRM_E;
-        goto out;
+        goto err;
    }
 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
    if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) {
@ -922,7 +924,7 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert,
    ret = 0;
 #endif

-out:
+err:
    FreeDecodedCert(c);
 #ifdef WOLFSSL_SMALL_STACK
    XFREE(c, NULL, DYNAMIC_TYPE_DCERT);
@ -960,14 +962,14 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP* bs,
    if (ret != 0) {
        WOLFSSL_MSG("OCSP signature verification failed");
        ret = -1;
-        goto out;
+        goto err;
    }

    if ((flags & WOLFSSL_OCSP_NOVERIFY) == 0) {
        ret = OcspVerifySigner(bs, cert, st, flags);
    }

-out:
+err:
    FreeDecodedCert(cert);
    XFREE(cert, NULL, DYNAMIC_TYPE_DCERT);
    return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -37317,7 +37317,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
                cert->subjectHash, cert->subjectKeyHash) == 0) {
        WOLFSSL_MSG("\tInternal check doesn't match responder ID, ignoring\n");
        ret = BAD_OCSP_RESPONDER;
-        goto out;
+        goto err;
    }

 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
@ -37325,7 +37325,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
        ret = CheckOcspResponder(resp, cert, cm);
        if (ret < 0) {
            WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed");
-            goto out;
+            goto err;
        }
    }
 #endif /* WOLFSSL_NO_OCSP_ISSUER_CHECK */
@ -37337,7 +37337,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
            resp->sig, resp->sigSz, resp->sigOID, resp->sigParams,
            resp->sigParamsSz, NULL);
    }
-out:
+err:
    FreeDecodedCert(cert);

 #ifdef WOLFSSL_SMALL_STACK
@ -37509,7 +37509,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
        ret = OcspCheckCert(resp, noVerify, noVerifySignature,
                            (WOLFSSL_CERT_MANAGER*)cm, heap);
        if (ret == 0) {
-            goto out;
+            noVerifySignature = 1;
        }
        ret = 0; /* try to verify the OCSP response with CA certs */
    }
@ -37545,7 +37545,6 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
            ret = ASN_OCSP_CONFIRM_E;
        }
    }
-out:
    if (ret == 0) {
        /* Update the position to after response data. */
        *ioIndex = idx;