mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

adds next update verification when decoding the OcspResponse;

Browse Source 
fixes memleak in GetOcspStatus(); If the status was outdated, the responseBuffer was allocated twice;
consider error in OcspResponseDecode() also a BAD_CERTIFICATE_STATUS_ERROR;
This commit is contained in:
Moisés Guimarães 2015-11-23 15:08:25 -03:00
parent f3131fb5d6
commit 96e18a8c68
3 changed files with 27 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/internal.c
View File

@ -4861,14 +4861,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
InitOcspResponse(response, status, input +*inOutIdx, status_length);
if ((ret = OcspResponseDecode(response, ssl->ctx->cm)) == 0) {
if (response->responseStatus != OCSP_SUCCESSFUL)
ret = BAD_CERTIFICATE_STATUS_ERROR;
else if (CompareOcspReqResp(request, response) != 0)
ret = BAD_CERTIFICATE_STATUS_ERROR;
else if (response->status->status != CERT_GOOD)
ret = BAD_CERTIFICATE_STATUS_ERROR;
}
if ((OcspResponseDecode(response, ssl->ctx->cm) != 0)
|| (response->responseStatus != OCSP_SUCCESSFUL)
|| (response->status->status != CERT_GOOD)
|| (CompareOcspReqResp(request, response) != 0))
ret = BAD_CERTIFICATE_STATUS_ERROR;
*inOutIdx += status_length;

16
src/ocsp.c
View File

@ -216,17 +216,19 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE)
&& ((*status)->nextDate[0] != 0)
&& ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER))
{
ret = xstat2err((*status)->status);
if (responseBuffer) {
responseBuffer->buffer = (byte*)XMALLOC(
if (responseBuffer) {
responseBuffer->buffer = (byte*)XMALLOC(
(*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (responseBuffer->buffer) {
responseBuffer->length = (*status)->rawOcspResponseSz;
XMEMCPY(responseBuffer->buffer,
(*status)->rawOcspResponse,
(*status)->rawOcspResponseSz);
if (responseBuffer->buffer) {
responseBuffer->length = (*status)->rawOcspResponseSz;
XMEMCPY(responseBuffer->buffer,
(*status)->rawOcspResponse,
(*status)->rawOcspResponseSz);
}
}
}
}

24
wolfcrypt/src/asn.c
View File

@ -8520,6 +8520,8 @@ static int DecodeSingleResponse(byte* source,
if (GetBasicDate(source, &idx, cs->nextDate,
&cs->nextDateFormat, size) < 0)
return ASN_PARSE_E;
if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
return ASN_AFTER_DATE_E;
}
if (((int)(idx - prevIndex) < wrapperSz) &&
(source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)))
@ -8594,7 +8596,7 @@ static int DecodeOcspRespExtensions(byte* source,
WOLFSSL_MSG("\tfail: extension data length");
return ASN_PARSE_E;
}
resp->nonce = source + idx;
resp->nonceSz = length;
}
@ -8758,8 +8760,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
else {
Signer* ca = GetCA(cm, resp->issuerHash);
if (!ca || !ConfirmSignature(resp->response, resp->responseSz,
ca->publicKey, ca->pubKeySize, ca->keyOID,
if (!ca || !ConfirmSignature(resp->response, resp->responseSz,
ca->publicKey, ca->pubKeySize, ca->keyOID,
resp->sig, resp->sigSz, resp->sigOID, NULL)) {
WOLFSSL_MSG("\tOCSP Confirm signature failed");
return ASN_OCSP_CONFIRM_E;
@ -8861,28 +8863,28 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
if (totalSz < size)
{
totalSz = 0;
XMEMCPY(output + totalSz, seqArray[5], seqSz[5]);
totalSz += seqSz[5];
XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
totalSz += seqSz[4];
XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
totalSz += seqSz[3];
XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
totalSz += seqSz[2];
XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
totalSz += (word32)sizeof(NonceObjId);
XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
totalSz += seqSz[1];
XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
totalSz += seqSz[0];
XMEMCPY(output + totalSz, req->nonce, req->nonceSz);
totalSz += req->nonceSz;
}