diff --git a/src/ocsp.c b/src/ocsp.c index e8de3d512..b87077ea5 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -244,6 +244,7 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, return ret; } +/* 0 on success */ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, buffer* responseBuffer) { @@ -251,10 +252,12 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, CertStatus* status = NULL; byte* request = NULL; int requestSz = 2048; + int responseSz = 0; byte* response = NULL; const char* url = NULL; int urlSz = 0; int ret = -1; + int validated = 0; /* ocsp validation flag */ #ifdef WOLFSSL_SMALL_STACK CertStatus* newStatus; @@ -319,32 +322,38 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, #endif requestSz = EncodeOcspRequest(ocspRequest, request, requestSz); + if (requestSz > 0 && ocsp->cm->ocspIOCb) { + responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, + request, requestSz, &response); + } - if (ocsp->cm->ocspIOCb) - ret = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, - request, requestSz, &response); - - if (ret >= 0 && response) { + if (responseSz >= 0 && response) { XMEMSET(newStatus, 0, sizeof(CertStatus)); - InitOcspResponse(ocspResponse, newStatus, response, ret); - OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap); - - if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) - ret = OCSP_LOOKUP_FAIL; + InitOcspResponse(ocspResponse, newStatus, response, responseSz); + if (OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap) != 0) { + WOLFSSL_MSG("OcspResponseDecode failed"); + } + else if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) { + WOLFSSL_MSG("OcspResponse status bad"); + } else { if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) { if (responseBuffer) { - responseBuffer->buffer = (byte*)XMALLOC(ret, ocsp->cm->heap, - DYNAMIC_TYPE_TMP_BUFFER); + responseBuffer->buffer = (byte*)XMALLOC(responseSz, + ocsp->cm->heap, DYNAMIC_TYPE_TMP_BUFFER); if (responseBuffer->buffer) { - responseBuffer->length = ret; - XMEMCPY(responseBuffer->buffer, response, ret); + responseBuffer->length = responseSz; + XMEMCPY(responseBuffer->buffer, response, responseSz); } } + /* only way to get to good state */ ret = xstat2err(ocspResponse->status->status); + if (ret == 0) { + validated = 1; + } if (wc_LockMutex(&ocsp->ocspLock) != 0) ret = BAD_MUTEX_E; @@ -386,12 +395,8 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, wc_UnLockMutex(&ocsp->ocspLock); } } - else - ret = OCSP_LOOKUP_FAIL; } } - else - ret = OCSP_LOOKUP_FAIL; #ifdef WOLFSSL_SMALL_STACK XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -401,6 +406,12 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, if (response != NULL && ocsp->cm->ocspRespFreeCb) ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response); + if (ret == 0 && validated == 1) { + WOLFSSL_MSG("New OcspResponse validated"); + } else { + ret = OCSP_LOOKUP_FAIL; + } + WOLFSSL_LEAVE("CheckOcspRequest", ret); return ret; } diff --git a/wolfcrypt/src/memory.c b/wolfcrypt/src/memory.c index 470b09cf9..3d38265cf 100644 --- a/wolfcrypt/src/memory.c +++ b/wolfcrypt/src/memory.c @@ -389,10 +389,19 @@ int wolfSSL_StaticBufferSz(byte* buffer, word32 sz, int flag) /* creating only IO buffers from memory passed in, max TLS is 16k */ if (flag & WOLFMEM_IO_POOL || flag & WOLFMEM_IO_POOL_FIXED) { - ava = sz % (memSz + padSz + WOLFMEM_IO_SZ); + if (ava < (memSz + padSz + WOLFMEM_IO_SZ)) { + return 0; /* not enough room for even one bucket */ + } + + ava = ava % (memSz + padSz + WOLFMEM_IO_SZ); } else { int i, k; + + if (ava < (bucketSz[0] + padSz + memSz)) { + return 0; /* not enough room for even one bucket */ + } + while ((ava >= (bucketSz[0] + padSz + memSz)) && (ava > 0)) { /* start at largest and move to smaller buckets */ for (i = (WOLFMEM_MAX_BUCKETS - 1); i >= 0; i--) { diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 8ba498f74..56ab9a96e 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -4338,6 +4338,9 @@ int memory_test(void) word32 size[] = { WOLFMEM_BUCKETS }; word32 dist[] = { WOLFMEM_DIST }; byte buffer[30000]; /* make large enough to involve many bucket sizes */ + int pad = -(int)((wolfssl_word)&(buffer[0])) & (WOLFSSL_STATIC_ALIGN - 1); + /* pad to account for if head of buffer is not at set memory + * alignment when tests are ran */ /* check macro settings */ if (sizeof(size)/sizeof(word32) != WOLFMEM_MAX_BUCKETS) { @@ -4362,7 +4365,7 @@ int memory_test(void) } /* check that padding size returned is possible */ - if (wolfSSL_MemoryPaddingSz() <= WOLFSSL_STATIC_ALIGN) { + if (wolfSSL_MemoryPaddingSz() < WOLFSSL_STATIC_ALIGN) { return -101; /* no room for wc_Memory struct */ } @@ -4375,8 +4378,8 @@ int memory_test(void) } /* check function to return optimum buffer size (rounded down) */ - if ((ret = wolfSSL_StaticBufferSz(buffer, sizeof(buffer), WOLFMEM_GENERAL)) - % WOLFSSL_STATIC_ALIGN != 0) { + ret = wolfSSL_StaticBufferSz(buffer, sizeof(buffer), WOLFMEM_GENERAL); + if ((ret - pad) % WOLFSSL_STATIC_ALIGN != 0) { return -104; /* not aligned! */ } @@ -4393,21 +4396,22 @@ int memory_test(void) } ret = wolfSSL_MemoryPaddingSz(); + ret += pad; /* add space that is going to be needed if buffer not aligned */ if (wolfSSL_StaticBufferSz(buffer, size[0] + ret + 1, WOLFMEM_GENERAL) != (ret + (int)size[0])) { return -108; /* did not round down to nearest bucket value */ } ret = wolfSSL_StaticBufferSz(buffer, sizeof(buffer), WOLFMEM_IO_POOL); - if (ret < 0) { + if ((ret - pad) < 0) { return -109; } - if ((ret % (WOLFMEM_IO_SZ + wolfSSL_MemoryPaddingSz())) != 0) { + if (((ret - pad) % (WOLFMEM_IO_SZ + wolfSSL_MemoryPaddingSz())) != 0) { return -110; /* not even chunks of memory for IO size */ } - if ((ret % WOLFSSL_STATIC_ALIGN) != 0) { + if (((ret - pad) % WOLFSSL_STATIC_ALIGN) != 0) { return -111; /* memory not aligned */ }