Code review feedback and minor fixes.

Remove the outdated RFC reference, refactor into a single error path, guard against a negative or zero len and a NULL *data pointer, and don't set ownStatus until status is confirmed non-NULL.
Kareem
2026-05-27 16:53:19 -07:00
parent 1e338487db
commit 4472980738
3 changed files with 22 additions and 32 deletions
+4 -5
@@ -13696,11 +13696,10 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, word32 domainLen,
continue;
}
/* RFC 6125 Sec. 6.4 / RFC 9525 Sec. 6.3: a DNS-ID reference
* identifier is matched only against dNSName SAN entries, never
* uniformResourceIdentifier (even when the URI value resembles a
* hostname). URI-ID matching requires scheme and host parsing
* (RFC 9525 Sec. 6.5, Sec. 7.2). */
/* RFC 9525 Sec. 6.3: a DNS-ID reference identifier is matched only
* against dNSName SAN entries, never uniformResourceIdentifier
* (even when the URI value resembles a ostname). URI-ID matching
* requires scheme and host parsing (RFC 9525 Sec. 6.5, Sec. 7.2). */
if (!isIP && altName->type == ASN_URI_TYPE) {
WOLFSSL_MSG("\tAltName is uniformResourceIdentifier, "
"skipping for DNS hostname");
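Review bot: The replacement comment in CheckForAltNames introduces a typo on its third line: `ostname` should read `hostname`, i.e. `* (even when the URI value resembles a hostname). URI-ID matching`. The comment it replaces spelled the word correctly, so this looks like a slip made while trimming the RFC 6125 citation. CheckForAltNames begins and ends outside this hunk.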
+15 -24
@@ -1270,7 +1270,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
int length = 0;
int ret;
if (data == NULL)
if (data == NULL || *data == NULL || len <= 0)
return NULL;
if (response != NULL)
@@ -1286,36 +1286,24 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
if (resp->source != NULL)
XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
resp->source = (byte*)XMALLOC((size_t)len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (resp->source == NULL) {
wolfSSL_OCSP_RESPONSE_free(resp);
if (response != NULL && *response == resp)
*response = NULL;
return NULL;
}
if (resp->source == NULL)
goto error;
if (resp->single != NULL) {
FreeOcspEntry(resp->single, NULL);
XFREE(resp->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
}
resp->single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL,
DYNAMIC_TYPE_OCSP_ENTRY);
if (resp->single == NULL) {
wolfSSL_OCSP_RESPONSE_free(resp);
if (response != NULL && *response == resp)
*response = NULL;
return NULL;
}
if (resp->single == NULL)
goto error;
XMEMSET(resp->single, 0, sizeof(OcspEntry));
resp->single->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_OCSP_STATUS);
if (resp->single->status == NULL)
goto error;
resp->single->ownStatus = 1;
if (resp->single->status == NULL) {
wolfSSL_OCSP_RESPONSE_free(resp);
if (response != NULL && *response == resp)
*response = NULL;
return NULL;
}
XMEMSET(resp->single->status, 0, sizeof(CertStatus));
XMEMCPY(resp->source, *data, (size_t)len);
resp->maxIdx = (word32)len;
@@ -1323,10 +1311,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
if (ret != 0 && ret != WC_NO_ERR_TRACE(ASN_OCSP_CONFIRM_E)) {
/* for just converting from a DER to an internal structure the CA may
* not yet be known to this function for signature verification */
wolfSSL_OCSP_RESPONSE_free(resp);
if (response != NULL && *response == resp)
*response = NULL;
return NULL;
goto error;
}
if (GetSequence(*data, &idx, &length, (word32)len) >= 0)
@@ -1336,6 +1321,12 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
*response = resp;
return resp;
error:
wolfSSL_OCSP_RESPONSE_free(resp);
if (response != NULL && *response == resp)
*response = NULL;
return NULL;
}
int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response,
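Review bot: In the consolidated `error:` block at the end of wolfSSL_d2i_OCSP_RESPONSE (the last hunk of this file), `*response == resp` is evaluated after `wolfSSL_OCSP_RESPONSE_free(resp)`, so it compares against a pointer whose object has already been released; the comparison does not dereference it, but the value of a freed pointer is indeterminate in C11 and this ordering is what static analyzers and sanitizers report as use-after-free. Since every `goto error` site now funnels through this one block, the fix is a single reorder: `if (response != NULL && *response == resp) *response = NULL;` followed by `wolfSSL_OCSP_RESPONSE_free(resp);` and `return NULL;`. The removed per-site copies had the same ordering, so this is pre-existing rather than introduced here, but the consolidation makes it a one-place change. The function's signature and the declarations of `resp`, `idx` and `ret` sit above the first hunk.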
+3 -3
@@ -18670,9 +18670,9 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
* unconditionally and excludes them from *checkCN, so a cert
* with only registeredID SANs still falls back to CN.
* - CheckForAltNames (TLS hostname matching): skips ASN_URI_TYPE
* for DNS hostname checks (RFC 6125 Sec. 6.4 / RFC 9525 Sec. 6.3)
* but URI SAN presence still suppresses CN fallback (RFC 6125
* Sec. 6.4.4) because URI-ID is a distinct presented identifier.
* for DNS hostname checks (RFC 9525 Sec. 6.3) but URI SAN presence
* still suppresses CN fallback because URI-ID is a distinct presented
* identifier.
* - DNS_to_GENERAL_NAME (used by wolfSSL_X509_get_ext) and the
* ALT_NAMES_OID arm of wolfSSL_X509_get_ext_d2i: build a proper
* ASN1_OBJECT in d.registeredID from raw OID bytes regardless
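Review bot: The rewritten bullet in the DecodeGeneralName comment keeps the claim that URI SAN presence suppresses CN fallback but drops the citation that backed it (the removed text pointed at RFC 6125 Sec. 6.4.4), leaving only the RFC 9525 Sec. 6.3 reference, which in the same sentence is cited for the ASN_URI_TYPE skip rather than for the CN-fallback rule. If the RFC 9525 text has a corresponding clause, name its section after `still suppresses CN fallback`; otherwise it seems safer to retain the RFC 6125 Sec. 6.4.4 pointer for that one claim so a reader can trace where the rule comes from. The enclosing comment and DecodeGeneralName itself extend beyond the hunk on both sides.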