From 851d74fd6913b5d412ac521b7e72f6898360e0fb Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Tue, 4 Feb 2025 22:52:41 +0000 Subject: [PATCH] ocsp-resp-refactor: address reviewer's comments --- src/ocsp.c | 20 +++++++++++--------- wolfcrypt/src/asn.c | 9 ++++----- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index fd7dd5863..9d1569fd9 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -825,11 +825,13 @@ void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse) static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash, const byte* keyHash) { - if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) - return (XMEMCMP(NameHash, resp->responderId.nameHash, - SIGNER_DIGEST_SIZE) == 0); - else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) - return (XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0); + if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) { + return XMEMCMP(NameHash, resp->responderId.nameHash, + SIGNER_DIGEST_SIZE) == 0; + } + else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) { + return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0; + } return 0; } @@ -907,7 +909,7 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert, InitDecodedCert(c, cert->source, cert->maxIdx, NULL); if (ParseCertRelative(c, CERT_TYPE, VERIFY, st->cm, NULL) != 0) { ret = ASN_OCSP_CONFIRM_E; - goto out; + goto err; } #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) { @@ -922,7 +924,7 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert, ret = 0; #endif -out: +err: FreeDecodedCert(c); #ifdef WOLFSSL_SMALL_STACK XFREE(c, NULL, DYNAMIC_TYPE_DCERT); @@ -960,14 +962,14 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP* bs, if (ret != 0) { WOLFSSL_MSG("OCSP signature verification failed"); ret = -1; - goto out; + goto err; } if ((flags & WOLFSSL_OCSP_NOVERIFY) == 0) { ret = OcspVerifySigner(bs, cert, st, flags); } -out: +err: FreeDecodedCert(cert); XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 5703874fe..3b7c623da 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37317,7 +37317,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify, cert->subjectHash, cert->subjectKeyHash) == 0) { WOLFSSL_MSG("\tInternal check doesn't match responder ID, ignoring\n"); ret = BAD_OCSP_RESPONDER; - goto out; + goto err; } #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK @@ -37325,7 +37325,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify, ret = CheckOcspResponder(resp, cert, cm); if (ret < 0) { WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed"); - goto out; + goto err; } } #endif /* WOLFSSL_NO_OCSP_ISSUER_CHECK */ @@ -37337,7 +37337,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify, resp->sig, resp->sigSz, resp->sigOID, resp->sigParams, resp->sigParamsSz, NULL); } -out: +err: FreeDecodedCert(cert); #ifdef WOLFSSL_SMALL_STACK @@ -37509,7 +37509,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, ret = OcspCheckCert(resp, noVerify, noVerifySignature, (WOLFSSL_CERT_MANAGER*)cm, heap); if (ret == 0) { - goto out; + noVerifySignature = 1; } ret = 0; /* try to verify the OCSP response with CA certs */ } @@ -37545,7 +37545,6 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, ret = ASN_OCSP_CONFIRM_E; } } -out: if (ret == 0) { /* Update the position to after response data. */ *ioIndex = idx;