From a795b19db23aea9ebaada0e1d740b2a5ce450a89 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 25 Feb 2026 19:43:47 +0100 Subject: [PATCH] Implement copilot suggestions --- examples/ocsp_responder/ocsp_responder.c | 70 ++++++++++++++++++++---- src/ocsp.c | 8 +-- wolfcrypt/src/asn.c | 2 + 3 files changed, 64 insertions(+), 16 deletions(-) diff --git a/examples/ocsp_responder/ocsp_responder.c b/examples/ocsp_responder/ocsp_responder.c index 7250e47236..f6d0664fb3 100644 --- a/examples/ocsp_responder/ocsp_responder.c +++ b/examples/ocsp_responder/ocsp_responder.c @@ -19,7 +19,11 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -/* This is a test program and should not be used as an example. */ +/* Example OCSP responder used for interoperability and stapling testing. + * This code is for demonstration/testing only and is not hardened for + * secure or production use. Do not use this as a reference implementation + * for deploying an OCSP responder in production. + */ #ifdef HAVE_CONFIG_H #include 
@@ -515,15 +519,43 @@ static int ParseHttpRequest(const byte* httpReq, int httpReqSz, } if (contentLen) { *bodySz = atoi(contentLen + 15); + /* Reject obviously invalid or unreasonably large Content-Length */ + if (*bodySz < 0 || *bodySz > MAX_REQUEST_SIZE) { + LOG_ERROR("Invalid or too large Content-Length: %d\n", *bodySz); + *body = NULL; + *bodySz = 0; + return -1; + } } /* Find body (after \r\n\r\n) */ *body = (const byte*)XSTRSTR((char*)httpReq, "\r\n\r\n"); if (*body) { + int offset; + *body += 4; + offset = (int)(*body - httpReq); + + /* Validate that the body pointer is within the received buffer */ + if (offset < 0 || offset > httpReqSz) { + LOG_ERROR("Invalid HTTP body offset\n"); + *body = NULL; + *bodySz = 0; + return -1; + } + /* Use Content-Length if available, otherwise use remaining data */ if (*bodySz == 0) { - *bodySz = httpReqSz - (int)(*body - httpReq); + *bodySz = httpReqSz - offset; + } + + /* Ensure that the claimed body length fits in the received data */ + if (offset + *bodySz > httpReqSz) { + LOG_ERROR("Incomplete HTTP body: expected %d bytes, have %d\n", + *bodySz, httpReqSz - offset); + *body = NULL; + *bodySz = 0; + return -1; } return 0; } 
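Review bot: The new range check in the `if (contentLen)` branch still runs on the result of `atoi(contentLen + 15)`, which reports no conversion errors and has undefined behaviour when the digits do not fit in an int, so an oversized Content-Length is not reliably caught by `*bodySz > MAX_REQUEST_SIZE`. A non-numeric value becomes 0 and silently falls through to the "use remaining data" path. Parsing with `strtol` and checking the end pointer and `ERANGE` before narrowing to int closes that gap. The later length comparison is also safer written as `*bodySz > httpReqSz - offset`, which cannot overflow. `XSTRSTR` on `httpReq` relies on the caller NUL-terminating the buffer, which this hunk does not show; ParseHttpRequest starts and ends outside the hunk.

```c
    if (contentLen) {
        char* end = NULL;
        long len;

        errno = 0;
        len = strtol(contentLen + 15, &end, 10);
        /* Reject non-numeric, out-of-range or oversized Content-Length */
        if (end == contentLen + 15 || errno == ERANGE ||
                len < 0 || len > MAX_REQUEST_SIZE) {
            LOG_ERROR("Invalid or too large Content-Length\n");
            *body = NULL;
            *bodySz = 0;
            return -1;
        }
        *bodySz = (int)len;
    }
    /* … unchanged: body lookup and offset validation … */
```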
@@ -554,17 +586,31 @@ static int SendHttpResponse(SOCKET_T clientfd, const byte* ocspResp, int ocspRes "\r\n", ocspRespSz); /* Send header */ - sent = (int)send(clientfd, header, (size_t)headerLen, 0); - if (sent != headerLen) { - LOG_ERROR("Failed to send HTTP header\n"); - return -1; + { + int totalSent = 0; + while (totalSent < headerLen) { + sent = (int)send(clientfd, header + totalSent, + (size_t)(headerLen - totalSent), 0); + if (sent <= 0) { + LOG_ERROR("Failed to send HTTP header\n"); + return -1; + } + totalSent += sent; + } } /* Send body */ - sent = (int)send(clientfd, (const char*)ocspResp, (size_t)ocspRespSz, 0); - if (sent != ocspRespSz) { - LOG_ERROR("Failed to send OCSP response\n"); - return -1; + { + int totalSent = 0; + while (totalSent < ocspRespSz) { + sent = (int)send(clientfd, (const char*)ocspResp + totalSent, + (size_t)(ocspRespSz - totalSent), 0); + if (sent <= 0) { + LOG_ERROR("Failed to send OCSP response\n"); + return -1; + } + totalSent += sent; + } } return 0; @@ -815,9 +861,9 @@ THREAD_RETURN WOLFSSL_THREAD ocsp_responder_test(void* args) /* Write ready file if requested */ if (opts.readyFile != NULL) { XFILE rf = XFOPEN(opts.readyFile, "w"); - if (rf != NULL) { + if (rf != XBADFILE) { fprintf(rf, "%d\n", (int)opts.port); - fclose(rf); + XFCLOSE(rf); if (opts.verbose) { LOG_MSG("Ready file created: %s\n", opts.readyFile); } diff --git a/src/ocsp.c b/src/ocsp.c index fd1b4ce887..796e180b62 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -2260,7 +2260,7 @@ int wc_OcspResponder_AddSigner(OcspResponder* responder, DecodedCert* decoded = NULL; word32 keyOID = 0; - WOLFSSL_ENTER("wc_OcspResponder_AddResponder"); + WOLFSSL_ENTER("wc_OcspResponder_AddSigner"); if (responder == NULL || signerDer == NULL || signerDerSz == 0 || keyDer == NULL || keyDerSz == 0) 
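Review bot: The header and body blocks in SendHttpResponse now contain the same short-write loop twice, differing only in buffer, length and log message; a small static helper would keep the retry logic in one place. Both loops also treat any `sent <= 0` as fatal, so an interrupted call ends the response, which is acceptable for a test responder but worth a comment. The helper below is a sketch; the start of the function and the header formatting are outside the hunk.

```c
/* Send exactly len bytes, retrying after short writes. Returns 0 or -1. */
static int SendAll(SOCKET_T clientfd, const char* buf, int len)
{
    int totalSent = 0;

    while (totalSent < len) {
        int sent = (int)send(clientfd, buf + totalSent,
                             (size_t)(len - totalSent), 0);
        if (sent <= 0) {
            return -1;
        }
        totalSent += sent;
    }
    return 0;
}

    /* … unchanged: header formatting in SendHttpResponse … */
    if (SendAll(clientfd, header, headerLen) != 0) {
        LOG_ERROR("Failed to send HTTP header\n");
        return -1;
    }
    if (SendAll(clientfd, (const char*)ocspResp, ocspRespSz) != 0) {
        LOG_ERROR("Failed to send OCSP response\n");
        return -1;
    }
```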
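Review bot: The ready-file block in ocsp_responder_test now opens and closes through `XFOPEN`/`XBADFILE`/`XFCLOSE` but still writes with plain `fprintf(rf, ...)` and ignores both its result and the close result, so a script polling for the file can find it created but empty or truncated. Checking the write keeps that failure visible, e.g. `if (fprintf(rf, "%d\n", (int)opts.port) < 0) { LOG_ERROR("Failed to write ready file\n"); }`. If the port layer provides a print wrapper that matches `XFILE`, using it here would keep the block consistent on platforms where `XFILE` is not a `FILE*`. The handling of a failed open is outside the hunk.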
@@ -2326,7 +2326,7 @@ int wc_OcspResponder_AddSigner(OcspResponder* responder, if (ret != 0) goto out; - if (XMEMCMP(issuer, decoded->subject, WC_ASN_NAME_MAX) != 0) { + if (XSTRNCMP(issuer, decoded->subject, WC_ASN_NAME_MAX) != 0) { /* Issuer name in responder cert does not match subject of issuer cert */ ret = BAD_FUNC_ARG; goto out; @@ -2827,6 +2827,8 @@ out: return ret; } +#endif /* HAVE_OCSP_RESPONDER */ + /* Helper functions for testing */ int wc_InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, void* heap) @@ -2840,8 +2842,6 @@ int wc_EncodeOcspRequest(OcspRequest* req, byte* output, return EncodeOcspRequest(req, output, size); } -#endif /* HAVE_OCSP_RESPONDER */ - #else /* HAVE_OCSP */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index cd0eb0690a..f2da699476 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -41026,6 +41026,8 @@ int OcspResponseEncode(OcspResponse* resp, byte* out, word32* outSz, ret = SizeASN_Items(ocspResponseASN, dataASN, ocspResponseASN_Length, &sz); } + if (ret == 0 && sz > (int)*outSz) + ret = BUFFER_E; if (ret == 0) { if (SetASN_Items(ocspResponseASN, dataASN, ocspResponseASN_Length, out) != sz)
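Review bot: Switching the issuer/subject check in wc_OcspResponder_AddSigner to `XSTRNCMP(issuer, decoded->subject, WC_ASN_NAME_MAX)` makes the comparison stop at the first NUL, so two names that differ only after an embedded NUL byte would be treated as equal. That avoids comparing unused tail bytes, but a match on the printable name strings is a weaker binding than comparing the encoded names or their hashes. The hunk does not show whether the responder certificate's signature is also verified against this issuer. At minimum I would document the assumption, `/* both buffers are NUL-terminated one-line names; comparison stops at the first NUL */`, and confirm that `issuer` is always terminated within WC_ASN_NAME_MAX. The function body extends outside the hunk.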
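Review bot: The added bound check `sz > (int)*outSz` in OcspResponseEncode narrows a word32 to int, so a caller-supplied `*outSz` above INT_MAX turns negative and every encode fails with BUFFER_E. It fails closed, but the comparison is better done unsigned. Assuming `sz` is non-negative whenever `ret == 0`, `if (ret == 0 && (word32)sz > *outSz) { ret = BUFFER_E; }` avoids the cast pitfall and adds the braces. Whether `out` or `outSz` may be NULL at this point, for example for a size query, is decided outside the hunk and should be settled before the dereference.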