wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-05 13:44:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

wolfcrypt/src/asn.c: refactor DecodeBasicOcspResponse() to keep DecodedCert off the stack in WOLFSSL_SMALL_STACK builds.

Browse Source
This commit is contained in:
Daniel Pouzzner
2022-05-19 11:28:34 -05:00
parent 368854b243
commit f2e9f5349f
1 changed files with 64 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
wolfcrypt/src/asn.c
View File

@@ -30407,52 +30407,74 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
if (idx < end_index) if (idx < end_index)
{ {
DecodedCert cert; int cert_inited = 0;
#ifdef WOLFSSL_SMALL_STACK
if (DecodeCerts(source, &idx, resp, size) < 0) DecodedCert *cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
return ASN_PARSE_E; DYNAMIC_TYPE_TMP_BUFFER);
if (cert == NULL)
InitDecodedCert(&cert, resp->cert, resp->certSz, heap); return MEMORY_E;
#else
/* Don't verify if we don't have access to Cert Manager. */ DecodedCert cert[1];
ret = ParseCertRelative(&cert, CERT_TYPE,
noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
FreeDecodedCert(&cert);
return ret;
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert.subjectHash,
resp->single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer");
}
else {
WOLFSSL_MSG("\tOCSP Responder key usage check failed");
#ifdef OPENSSL_EXTRA
resp->verifyError = OCSP_BAD_ISSUER;
#else
FreeDecodedCert(&cert);
return BAD_OCSP_RESPONDER;
#endif
}
}
#endif #endif
/* ConfirmSignature is blocking here */ do {
ret = ConfirmSignature(&cert.sigCtx, if (DecodeCerts(source, &idx, resp, size) < 0) {
resp->response, resp->responseSz, ret = ASN_PARSE_E;
cert.publicKey, cert.pubKeySize, cert.keyOID, break;
resp->sig, resp->sigSz, resp->sigOID, NULL); }
FreeDecodedCert(&cert); InitDecodedCert(cert, resp->cert, resp->certSz, heap);
cert_inited = 1;
if (ret != 0) { /* Don't verify if we don't have access to Cert Manager. */
WOLFSSL_MSG("\tOCSP Confirm signature failed"); ret = ParseCertRelative(cert, CERT_TYPE,
return ASN_OCSP_CONFIRM_E; noVerify ? NO_VERIFY : VERIFY_OCSP_CERT,
} cm);
if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
break;
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert->extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert->subjectHash,
resp->single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer");
}
else {
WOLFSSL_MSG("\tOCSP Responder key usage check failed");
#ifdef OPENSSL_EXTRA
resp->verifyError = OCSP_BAD_ISSUER;
#else
ret = BAD_OCSP_RESPONDER;
break;
#endif
}
}
#endif
/* ConfirmSignature is blocking here */
ret = ConfirmSignature(
&cert->sigCtx,
resp->response, resp->responseSz,
cert->publicKey, cert->pubKeySize, cert->keyOID,
resp->sig, resp->sigSz, resp->sigOID, NULL);
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Confirm signature failed");
ret = ASN_OCSP_CONFIRM_E;
break;
}
} while(0);
if (cert_inited)
FreeDecodedCert(cert);
#ifdef WOLFSSL_SMALL_STACK
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
if (ret != 0)
return ret;
} }
else else
#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */