diff --git a/src/internal.c b/src/internal.c
index ce5f2d7ab8..45a1f809fc 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -13696,11 +13696,10 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, word32 domainLen,
 continue;
 }
- /* RFC 6125 Sec. 6.4 / RFC 9525 Sec. 6.3: a DNS-ID reference
- * identifier is matched only against dNSName SAN entries, never
- * uniformResourceIdentifier (even when the URI value resembles a
- * hostname). URI-ID matching requires scheme and host parsing
- * (RFC 9525 Sec. 6.5, Sec. 7.2). */
+ /* RFC 9525 Sec. 6.3: a DNS-ID reference identifier is matched only
+ * against dNSName SAN entries, never uniformResourceIdentifier
+ * (even when the URI value resembles a ostname). URI-ID matching
+ * requires scheme and host parsing (RFC 9525 Sec. 6.5, Sec. 7.2). */
 if (!isIP && altName->type == ASN_URI_TYPE) {
 WOLFSSL_MSG("\tAltName is uniformResourceIdentifier, " "skipping for DNS hostname");
diff --git a/src/ocsp.c b/src/ocsp.c
index e129a08595..14d5eb1354 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -1270,7 +1270,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
 int length = 0;
 int ret;
- if (data == NULL)
+ if (data == NULL || *data == NULL || len <= 0)
 return NULL;
 if (response != NULL)
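Review bot: The rewritten comment introduces a typo on its third added line, "resembles a ostname", where the removed text correctly had "hostname"; the line should read ` * (even when the URI value resembles a hostname). URI-ID matching`. Dropping the RFC 6125 citation in favour of RFC 9525 is reasonable since 9525 obsoletes 6125, but the parallel comment in wolfcrypt/src/asn.c is edited in this same commit, so the two should keep the same wording and section references. CheckForAltNames begins and ends outside this hunk.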
@@ -1286,36 +1286,24 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
 if (resp->source != NULL)
 XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 resp->source = (byte*)XMALLOC((size_t)len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (resp->source == NULL) {
- wolfSSL_OCSP_RESPONSE_free(resp);
- if (response != NULL && *response == resp)
- *response = NULL;
- return NULL;
- }
+ if (resp->source == NULL)
+ goto error;
+
 if (resp->single != NULL) {
 FreeOcspEntry(resp->single, NULL);
 XFREE(resp->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
 }
 resp->single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- if (resp->single == NULL) {
- wolfSSL_OCSP_RESPONSE_free(resp);
- if (response != NULL && *response == resp)
- *response = NULL;
- return NULL;
- }
+ if (resp->single == NULL)
+ goto error;
 XMEMSET(resp->single, 0, sizeof(OcspEntry));
 resp->single->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_OCSP_STATUS);
+ if (resp->single->status == NULL)
+ goto error;
 resp->single->ownStatus = 1;
- if (resp->single->status == NULL) {
- wolfSSL_OCSP_RESPONSE_free(resp);
- if (response != NULL && *response == resp)
- *response = NULL;
- return NULL;
- }
 XMEMSET(resp->single->status, 0, sizeof(CertStatus));
-
 XMEMCPY(resp->source, *data, (size_t)len);
 resp->maxIdx = (word32)len;
@@ -1323,10 +1311,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
 if (ret != 0 && ret != WC_NO_ERR_TRACE(ASN_OCSP_CONFIRM_E)) {
 /* for just converting from a DER to an internal structure the CA may
 * not yet be known to this function for signature verification */
- wolfSSL_OCSP_RESPONSE_free(resp);
- if (response != NULL && *response == resp)
- *response = NULL;
- return NULL;
+ goto error;
 }
 if (GetSequence(*data, &idx, &length, (word32)len) >= 0)
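Review bot: The `resp->single->status == NULL` check is now placed before `resp->single->ownStatus = 1;`, so on that allocation failure the shared error path (its label is in the next hunk) hands wolfSSL_OCSP_RESPONSE_free an entry with ownStatus == 0 and status == NULL, whereas the removed code had already set ownStatus to 1 at that point. This is presumably harmless because status is NULL either way, but it is a silent ordering change inside what otherwise reads as a mechanical goto refactor; either keep the original order so the hunk stays purely mechanical, or record the intent on the moved check with `/* ownStatus stays 0 until status is actually allocated */`. The goto replacement in the following hunk at 1311 is a straight substitution and needs nothing. wolfSSL_d2i_OCSP_RESPONSE starts before this hunk and its error label appears in the hunk after it.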
@@ -1336,6 +1321,12 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
 *response = resp;
 return resp;
+
+error:
+ wolfSSL_OCSP_RESPONSE_free(resp);
+ if (response != NULL && *response == resp)
+ *response = NULL;
+ return NULL;
 }
 int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response,
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 127e0837d5..7ec41b4eea 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -18670,9 +18670,9 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
 * unconditionally and excludes them from *checkCN, so a cert
 * with only registeredID SANs still falls back to CN.
 * - CheckForAltNames (TLS hostname matching): skips ASN_URI_TYPE
- * for DNS hostname checks (RFC 6125 Sec. 6.4 / RFC 9525 Sec. 6.3)
- * but URI SAN presence still suppresses CN fallback (RFC 6125
- * Sec. 6.4.4) because URI-ID is a distinct presented identifier.
+ * for DNS hostname checks (RFC 9525 Sec. 6.3) but URI SAN presence
+ * still suppresses CN fallback because URI-ID is a distinct presented
+ * identifier.
 * - DNS_to_GENERAL_NAME (used by wolfSSL_X509_get_ext) and the
 * ALT_NAMES_OID arm of wolfSSL_X509_get_ext_d2i: build a proper
 * ASN1_OBJECT in d.registeredID from raw OID bytes regardless
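Review bot: The new `error:` label has no comment, yet it is now the single cleanup point for four distinct failure stages of wolfSSL_d2i_OCSP_RESPONSE (source, single, status and decode) and carries the non-obvious `*response == resp` aliasing test. A short comment above the label would help the next reader, e.g. `/* Cleanup for every failure once resp exists: free resp (including any partially built source/single/status) and clear the caller's slot only if it already points at resp. */`. The aliasing test is presumably needed because resp is either allocated here or taken from *response further up the function, so an unconditional `*response = NULL` would be wrong in one of the two cases; stating that in the comment would make the check self-explanatory. The function's start lies outside this hunk.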
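Review bot: The rewritten comment keeps the claim that URI SAN presence suppresses CN fallback but drops the only citation for it, RFC 6125 Sec. 6.4.4, without a replacement; RFC 9525 has no counterpart section because it removes CN-ID matching altogether, so a reader can no longer trace where this legacy rule comes from. Suggest keeping a pointer in the new text, for example ` *   still suppresses CN fallback (legacy RFC 6125 Sec. 6.4.4 rule; RFC 9525` / ` *   no longer specifies CN-ID) because URI-ID is a distinct presented` / ` *   identifier.`. The RFC 9525 Sec. 6.3 reference for the DNS-ID rule matches the comment edited in src/internal.c in this commit, which is good. DecodeGeneralName and this comment block both extend outside the hunk.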