From f938a75780ed2aa67f109bf6e72324ecf4d82d7a Mon Sep 17 00:00:00 2001
From: toddouska
Date: Mon, 6 Feb 2017 14:10:38 -0800
Subject: [PATCH] fix OCSP signature leading zero, certdecode free on parse failure

---
 wolfcrypt/src/asn.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 01f2360e4..db400f17b 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -9641,9 +9641,18 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
     /* Obtain pointer to the start of the signature, and save the size */
     if (source[idx++] == ASN_BIT_STRING) {
-        int sigLength = 0;
-        if (GetLength(source, &idx, &sigLength, size) < 0)
+        int sigLength = 0;
+        byte b;
+
+        if (GetLength(source, &idx, &sigLength, size) <= 0)
             return ASN_PARSE_E;
+
+        b = source[idx++];
+        if (b != 0x00) {
+            return ASN_EXPECT_0_E;
+        }
+
+        sigLength--;
         resp->sigSz = sigLength;
         resp->sig = source + idx;
         idx += sigLength;
@@ -9662,8 +9671,11 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
         InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
         ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm);
-        if (ret < 0)
+        if (ret < 0) {
+            WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
+            FreeDecodedCert(&cert);
             return ret;
+        }
         ret = ConfirmSignature(resp->response, resp->responseSz,
                                cert.publicKey, cert.pubKeySize, cert.keyOID,
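Review bot: The new `b != 0x00` test and the `sigLength--` that follows carry no comment saying what the byte is, so a later reader is left to work out why a signature BIT STRING must start with zero and why its length shrinks by one. A short comment above `b = source[idx++];` would make the parse rule explicit: `/* first content octet of a BIT STRING is the unused-bit count; a DER signature must be byte-aligned, so only 0x00 is accepted and that octet is excluded from the signature length */`. The change from `< 0` to `<= 0` on the GetLength result is what guarantees at least one content octet exists before `source[idx++]` is read, and that dependency also deserves a one-line note, since the length-versus-`size` check itself lives inside GetLength and is not visible here. The locals `byte b;` and the assignment could be folded into `if (source[idx++] != 0x00) return ASN_EXPECT_0_E;` to match the compact style of the surrounding parse code. DecodeBasicOcspResponse begins and ends outside this hunk.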
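Review bot: The added failure branch now releases the DecodedCert before `return ret;`, but the success path that follows the ConfirmSignature call is outside this hunk, so whether `FreeDecodedCert(&cert)` is also reached on every return after `InitDecodedCert` cannot be confirmed from the visible lines; that is worth checking, because any remaining early return between the init and the final free would still leak the same way the fixed branch did. A one-line comment at the `if (ret < 0) {` would help the next maintainer keep the pairing in view: `/* cert was initialised above: every exit from here on must free it */`. DecodeBasicOcspResponse continues past the end of this hunk.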