wolfcrypt/src/asn.c: refactor DecodeBasicOcspResponse() to keep DecodedCert off the stack in WOLFSSL_SMALL_STACK builds.

Daniel Pouzzner
2022-05-19 11:28:34 -05:00
parent 368854b243
commit f2e9f5349f


@@ -30407,25 +30407,37 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
if (idx < end_index) if (idx < end_index)
{ {
DecodedCert cert; int cert_inited = 0;
#ifdef WOLFSSL_SMALL_STACK
DecodedCert *cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (cert == NULL)
return MEMORY_E;
#else
DecodedCert cert[1];
#endif
if (DecodeCerts(source, &idx, resp, size) < 0) do {
return ASN_PARSE_E; if (DecodeCerts(source, &idx, resp, size) < 0) {
ret = ASN_PARSE_E;
break;
}
InitDecodedCert(&cert, resp->cert, resp->certSz, heap); InitDecodedCert(cert, resp->cert, resp->certSz, heap);
cert_inited = 1;
/* Don't verify if we don't have access to Cert Manager. */ /* Don't verify if we don't have access to Cert Manager. */
ret = ParseCertRelative(&cert, CERT_TYPE, ret = ParseCertRelative(cert, CERT_TYPE,
noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm); noVerify ? NO_VERIFY : VERIFY_OCSP_CERT,
cm);
if (ret < 0) { if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
FreeDecodedCert(&cert); break;
return ret;
} }
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) { if ((cert->extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert.subjectHash, if (XMEMCMP(cert->subjectHash,
resp->single->issuerHash, OCSP_DIGEST_SIZE) == 0) { resp->single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer"); WOLFSSL_MSG("\tOCSP Response signed by issuer");
} }
@@ -30434,25 +30446,35 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
resp->verifyError = OCSP_BAD_ISSUER; resp->verifyError = OCSP_BAD_ISSUER;
#else #else
FreeDecodedCert(&cert); ret = BAD_OCSP_RESPONDER;
return BAD_OCSP_RESPONDER; break;
#endif #endif
} }
} }
#endif #endif
/* ConfirmSignature is blocking here */ /* ConfirmSignature is blocking here */
ret = ConfirmSignature(&cert.sigCtx, ret = ConfirmSignature(
&cert->sigCtx,
resp->response, resp->responseSz, resp->response, resp->responseSz,
cert.publicKey, cert.pubKeySize, cert.keyOID, cert->publicKey, cert->pubKeySize, cert->keyOID,
resp->sig, resp->sigSz, resp->sigOID, NULL); resp->sig, resp->sigSz, resp->sigOID, NULL);
FreeDecodedCert(&cert);
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("\tOCSP Confirm signature failed"); WOLFSSL_MSG("\tOCSP Confirm signature failed");
return ASN_OCSP_CONFIRM_E; ret = ASN_OCSP_CONFIRM_E;
break;
} }
} while(0);
if (cert_inited)
FreeDecodedCert(cert);
#ifdef WOLFSSL_SMALL_STACK
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
if (ret != 0)
return ret;
} }
else else
#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
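Review bot: The small-stack allocation at the top of the `if (idx < end_index)` block passes `NULL` as the heap hint, while `InitDecodedCert(cert, resp->cert, resp->certSz, heap)` a few lines later uses `heap`. If this function is reached in a build that relies on a caller-supplied heap hint (a static-memory pool, for instance), the DecodedCert itself would come from a different allocator than its contents, or the allocation could fail outright; that is inferred, since the definition of `heap` lies outside the hunk. I would pass the same hint on both sides: `XMALLOC(sizeof(DecodedCert), heap, DYNAMIC_TYPE_TMP_BUFFER)` and `XFREE(cert, heap, DYNAMIC_TYPE_TMP_BUFFER);`. A one-line comment above `do {` would also help, for example `/* single exit: every failure below must break, not return, so cert is freed */`, because a future early `return` inside the loop would leak the buffer in WOLFSSL_SMALL_STACK builds. DecodeBasicOcspResponse starts and ends outside these hunks.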