feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

ocsp-resp-refactor: address reviewer's comments

Browse Source
This commit is contained in:
Marco Oliverio
2025-02-04 22:52:41 +00:00
parent eb7904b5e5
commit 851d74fd69
2 changed files with 15 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/ocsp.c
View File

@ -825,11 +825,13 @@ void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse)
static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash, static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash,
const byte* keyHash) const byte* keyHash)
{ {
if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) {
return (XMEMCMP(NameHash, resp->responderId.nameHash, return XMEMCMP(NameHash, resp->responderId.nameHash,
SIGNER_DIGEST_SIZE) == 0); SIGNER_DIGEST_SIZE) == 0;
else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) }
return (XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0); else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) {
return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
}
return 0; return 0;
} }
@ -907,7 +909,7 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert,
InitDecodedCert(c, cert->source, cert->maxIdx, NULL); InitDecodedCert(c, cert->source, cert->maxIdx, NULL);
if (ParseCertRelative(c, CERT_TYPE, VERIFY, st->cm, NULL) != 0) { if (ParseCertRelative(c, CERT_TYPE, VERIFY, st->cm, NULL) != 0) {
ret = ASN_OCSP_CONFIRM_E; ret = ASN_OCSP_CONFIRM_E;
goto out; goto err;
} }
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) { if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) {
@ -922,7 +924,7 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert,
ret = 0; ret = 0;
#endif #endif
out: err:
FreeDecodedCert(c); FreeDecodedCert(c);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(c, NULL, DYNAMIC_TYPE_DCERT); XFREE(c, NULL, DYNAMIC_TYPE_DCERT);
@ -960,14 +962,14 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP* bs,
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("OCSP signature verification failed"); WOLFSSL_MSG("OCSP signature verification failed");
ret = -1; ret = -1;
goto out; goto err;
} }
if ((flags & WOLFSSL_OCSP_NOVERIFY) == 0) { if ((flags & WOLFSSL_OCSP_NOVERIFY) == 0) {
ret = OcspVerifySigner(bs, cert, st, flags); ret = OcspVerifySigner(bs, cert, st, flags);
} }
out: err:
FreeDecodedCert(cert); FreeDecodedCert(cert);
XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); XFREE(cert, NULL, DYNAMIC_TYPE_DCERT);
return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;

9
wolfcrypt/src/asn.c
View File

@ -37317,7 +37317,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
cert->subjectHash, cert->subjectKeyHash) == 0) { cert->subjectHash, cert->subjectKeyHash) == 0) {
WOLFSSL_MSG("\tInternal check doesn't match responder ID, ignoring\n"); WOLFSSL_MSG("\tInternal check doesn't match responder ID, ignoring\n");
ret = BAD_OCSP_RESPONDER; ret = BAD_OCSP_RESPONDER;
goto out; goto err;
} }
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
@ -37325,7 +37325,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
ret = CheckOcspResponder(resp, cert, cm); ret = CheckOcspResponder(resp, cert, cm);
if (ret < 0) { if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed"); WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed");
goto out; goto err;
} }
} }
#endif /* WOLFSSL_NO_OCSP_ISSUER_CHECK */ #endif /* WOLFSSL_NO_OCSP_ISSUER_CHECK */
@ -37337,7 +37337,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
resp->sig, resp->sigSz, resp->sigOID, resp->sigParams, resp->sig, resp->sigSz, resp->sigOID, resp->sigParams,
resp->sigParamsSz, NULL); resp->sigParamsSz, NULL);
} }
out: err:
FreeDecodedCert(cert); FreeDecodedCert(cert);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
@ -37509,7 +37509,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
ret = OcspCheckCert(resp, noVerify, noVerifySignature, ret = OcspCheckCert(resp, noVerify, noVerifySignature,
(WOLFSSL_CERT_MANAGER*)cm, heap); (WOLFSSL_CERT_MANAGER*)cm, heap);
if (ret == 0) { if (ret == 0) {
goto out; noVerifySignature = 1;
} }
ret = 0; /* try to verify the OCSP response with CA certs */ ret = 0; /* try to verify the OCSP response with CA certs */
} }
@ -37545,7 +37545,6 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
ret = ASN_OCSP_CONFIRM_E; ret = ASN_OCSP_CONFIRM_E;
} }
} }
out:
if (ret == 0) { if (ret == 0) {
/* Update the position to after response data. */ /* Update the position to after response data. */
*ioIndex = idx; *ioIndex = idx;