diff --git a/src/internal.c b/src/internal.c
index c7fcd29c7..905e88a95 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4861,14 +4861,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 InitOcspResponse(response, status, input +*inOutIdx, status_length);
- if ((ret = OcspResponseDecode(response, ssl->ctx->cm)) == 0) {
- if (response->responseStatus != OCSP_SUCCESSFUL)
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- else if (CompareOcspReqResp(request, response) != 0)
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- else if (response->status->status != CERT_GOOD)
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- }
+ if ((OcspResponseDecode(response, ssl->ctx->cm) != 0)
+ || (response->responseStatus != OCSP_SUCCESSFUL)
+ || (response->status->status != CERT_GOOD)
+ || (CompareOcspReqResp(request, response) != 0))
+ ret = BAD_CERTIFICATE_STATUS_ERROR;
 *inOutIdx += status_length;
diff --git a/src/ocsp.c b/src/ocsp.c
index 7852c2bcb..7283e66ad 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -216,17 +216,19 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
 if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) && ((*status)->nextDate[0] != 0) && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER))
+ {
 ret = xstat2err((*status)->status);
- if (responseBuffer) {
- responseBuffer->buffer = (byte*)XMALLOC(
+ if (responseBuffer) {
+ responseBuffer->buffer = (byte*)XMALLOC(
 (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (responseBuffer->buffer) {
- responseBuffer->length = (*status)->rawOcspResponseSz;
- XMEMCPY(responseBuffer->buffer,
- (*status)->rawOcspResponse,
- (*status)->rawOcspResponseSz);
+ if (responseBuffer->buffer) {
+ responseBuffer->length = (*status)->rawOcspResponseSz;
+ XMEMCPY(responseBuffer->buffer,
+ (*status)->rawOcspResponse,
+ (*status)->rawOcspResponseSz);
+ }
 }
 }
 }
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 935574ac7..728a8f737 100644
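Review bot: In the rewritten condition the return value of OcspResponseDecode() is no longer kept in `ret`, so a parse failure, a failed signature check (ASN_OCSP_CONFIRM_E) and an expired nextUpdate (ASN_AFTER_DATE_E) are all reported as BAD_CERTIFICATE_STATUS_ERROR, where the old code propagated the decode error. Collapsing them is reasonable for fail-closed handling, but the intent should be stated next to the condition, e.g. `/* decode, status, freshness and nonce checks are all fatal; the specific decode error is deliberately not propagated */`. Note also that `ret` is only written on the failure path, so the success result depends on `ret` already holding 0 when this block is entered; DoCertificateStatus begins and ends outside the hunk. The reordering evaluates `response->status->status` before CompareOcspReqResp(), which is only safe if `response->status` is always set by InitOcspResponse() — the visible call passes `status` through, so that appears to hold.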
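Review bot: Inside the new `{ … }` block an XMALLOC failure is silent: `ret` keeps the xstat2err() result and responseBuffer->length is left untouched, so the caller receives a good status together with an empty or stale responseBuffer. Either propagate the failure, `else ret = MEMORY_E;` after the inner `if (responseBuffer->buffer) { … }`, or at least set `responseBuffer->length = 0;` there so the two outcomes are distinguishable. This was already the case before the commit, but moving the copy under the freshness check is the right moment to close it. GetOcspStatus starts and ends outside the hunk, so what `ret` holds when the dates do not validate is not visible here.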
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8520,6 +8520,8 @@ static int DecodeSingleResponse(byte* source,
 if (GetBasicDate(source, &idx, cs->nextDate, &cs->nextDateFormat, size) < 0)
 return ASN_PARSE_E;
+ if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
+ return ASN_AFTER_DATE_E;
 }
 if (((int)(idx - prevIndex) < wrapperSz) && (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)))
@@ -8594,7 +8596,7 @@ static int DecodeOcspRespExtensions(byte* source,
 WOLFSSL_MSG("\tfail: extension data length");
 return ASN_PARSE_E;
 }
- 
+
 resp->nonce = source + idx;
 resp->nonceSz = length;
 }
@@ -8758,8 +8760,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 else {
 Signer* ca = GetCA(cm, resp->issuerHash);
- if (!ca || !ConfirmSignature(resp->response, resp->responseSz,
- ca->publicKey, ca->pubKeySize, ca->keyOID,
+ if (!ca || !ConfirmSignature(resp->response, resp->responseSz,
+ ca->publicKey, ca->pubKeySize, ca->keyOID,
 resp->sig, resp->sigSz, resp->sigOID, NULL)) {
 WOLFSSL_MSG("\tOCSP Confirm signature failed");
 return ASN_OCSP_CONFIRM_E;
@@ -8861,28 +8863,28 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
 if (totalSz < size) {
 totalSz = 0;
- 
+
 XMEMCPY(output + totalSz, seqArray[5], seqSz[5]);
 totalSz += seqSz[5];
- 
+
 XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
 totalSz += seqSz[4];
- 
+
 XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
 totalSz += seqSz[3];
- 
+
 XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
 totalSz += seqSz[2];
- 
+
 XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
 totalSz += (word32)sizeof(NonceObjId);
- 
+
 XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
 totalSz += seqSz[1];
- 
+
 XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
 totalSz += seqSz[0];
- 
+
 XMEMCPY(output + totalSz, req->nonce, req->nonceSz);
 totalSz += req->nonceSz;
 }
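Review bot: The new XVALIDATE_DATE check only rejects a response whose nextUpdate has already passed; nothing in this hunk validates thisUpdate in the BEFORE direction, so a response dated in the future is still accepted by the decoder, and the check appears to run only when nextUpdate is present, since the block it sits in opens outside the hunk. A short comment would make that scope explicit, e.g. `/* reject stale responses: only nextUpdate is checked here, thisUpdate is not */`. If XVALIDATE_DATE expands to a constant-true macro in builds without date support, this rejection disappears silently — worth confirming and noting next to it. DecodeSingleResponse begins and ends outside the hunk.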