Fix for possible use of NULL in the OCSP response nonce. The nonce is optional and may not be provided in the OCSP response, so it should be skipped if not set in the response. ZD 10475.

David Garske
2020-06-17 11:00:05 -07:00
parent b1aa903c1b
commit 0a38ab8ac2


@ -16995,64 +16995,56 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
WOLFSSL_ENTER("CompareOcspReqResp"); WOLFSSL_ENTER("CompareOcspReqResp");
if (req == NULL) if (req == NULL) {
{
WOLFSSL_MSG("\tReq missing"); WOLFSSL_MSG("\tReq missing");
return -1; return -1;
} }
if (resp == NULL || resp->issuerHash == NULL ||
if (resp == NULL) resp->issuerKeyHash == NULL || resp->status == NULL) {
{
WOLFSSL_MSG("\tResp missing"); WOLFSSL_MSG("\tResp missing");
return 1; return 1;
} }
/* Nonces are not critical. The responder may not necessarily add /* Nonces are not critical. The responder may not necessarily add
* the nonce to the response. */ * the nonce to the response. */
if (req->nonceSz if (req->nonceSz && resp->nonce != NULL
#ifndef WOLFSSL_FORCE_OCSP_NONCE_CHECK #ifndef WOLFSSL_FORCE_OCSP_NONCE_CHECK
&& resp->nonceSz != 0 && resp->nonceSz != 0
#endif #endif
) { ) {
cmp = req->nonceSz - resp->nonceSz; cmp = req->nonceSz - resp->nonceSz;
if (cmp != 0) if (cmp != 0) {
{
WOLFSSL_MSG("\tnonceSz mismatch"); WOLFSSL_MSG("\tnonceSz mismatch");
return cmp; return cmp;
} }
cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz); cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
if (cmp != 0) if (cmp != 0) {
{
WOLFSSL_MSG("\tnonce mismatch"); WOLFSSL_MSG("\tnonce mismatch");
return cmp; return cmp;
} }
} }
cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE); cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE);
if (cmp != 0) if (cmp != 0) {
{
WOLFSSL_MSG("\tissuerHash mismatch"); WOLFSSL_MSG("\tissuerHash mismatch");
return cmp; return cmp;
} }
cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE); cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE);
if (cmp != 0) if (cmp != 0) {
{
WOLFSSL_MSG("\tissuerKeyHash mismatch"); WOLFSSL_MSG("\tissuerKeyHash mismatch");
return cmp; return cmp;
} }
cmp = req->serialSz - resp->status->serialSz; cmp = req->serialSz - resp->status->serialSz;
if (cmp != 0) if (cmp != 0) {
{
WOLFSSL_MSG("\tserialSz mismatch"); WOLFSSL_MSG("\tserialSz mismatch");
return cmp; return cmp;
} }
cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz); cmp = XMEMCMP(req->serial, resp->status->serial, req->serialSz);
if (cmp != 0) if (cmp != 0) {
{
WOLFSSL_MSG("\tserial mismatch"); WOLFSSL_MSG("\tserial mismatch");
return cmp; return cmp;
} }