OCSP: improve handling of OCSP no check extension
SparkiDev committed Jul 16, 2021
1 parent f82fd01 commit f93083b
Showing 2 changed files with 9 additions and 4 deletions.
12 changes: 8 additions & 4 deletions wolfcrypt/src/asn.c
Expand Up @@ -10212,9 +10212,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
}

#ifdef HAVE_OCSP
/* trust for the lifetime of the responder's cert*/
if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
verify = NO_VERIFY;
if (verify == VERIFY_OCSP_CERT) {
/* trust for the lifetime of the responder's cert*/
if (cert->ocspNoCheckSet)
verify = VERIFY;
else
verify = VERIFY_OCSP;
}
#endif
/* advance past extensions */
cert->srcIdx = cert->sigIndex;
Expand Down Expand Up @@ -17957,7 +17961,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,

/* Don't verify if we don't have access to Cert Manager. */
ret = ParseCertRelative(&cert, CERT_TYPE,
noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
FreeDecodedCert(&cert);
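Review bot: The comment carried over onto the new line, `/* trust for the lifetime of the responder's cert*/`, now describes the opposite of what the branch does: `cert->ocspNoCheckSet` no longer relaxes verification (the removed line mapped it to `NO_VERIFY`), it only turns `VERIFY_OCSP_CERT` into `VERIFY` instead of `VERIFY_OCSP`, so the responder certificate is presumably still fully verified and only its own OCSP status lookup is skipped (the id-pkix-ocsp-nocheck semantics of RFC 6960 4.2.2.2.1) — I cannot see the later use of `verify`, so confirm that is the VERIFY/VERIFY_OCSP difference. Because `ocspNoCheckSet` is parsed out of the not-yet-verified certificate, any mapping weaker than `VERIFY` here would let an attacker-supplied responder cert switch off its own verification, and that constraint deserves to be stated next to the code. I would replace the comment with `/* id-pkix-ocsp-nocheck (RFC 6960 4.2.2.2.1): skip the OCSP status check of the responder cert itself, but still verify its signature, chain and validity period. Never map this to NO_VERIFY: the flag comes from the unverified cert. */`. A regression test feeding a responder cert that carries the nocheck extension but an invalid signature, and expecting the parse to fail, would pin this behaviour. ParseCertRelative starts before the hunk and the verification that consumes `verify` lies outside it.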
1 change: 1 addition & 0 deletions wolfssl/wolfcrypt/asn.h
Expand Up @@ -599,6 +599,7 @@ enum VerifyType {
VERIFY_OCSP = 3,
VERIFY_NAME = 4,
VERIFY_SKIP_DATE = 5,
VERIFY_OCSP_CERT = 6,
};

#ifdef WOLFSSL_CERT_EXT
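Review bot: `VERIFY_OCSP_CERT = 6,` is added to `enum VerifyType` without a comment, and since the neighbouring values are also undocumented a reader of the header cannot tell how it differs from `VERIFY_OCSP`. I would annotate it: `VERIFY_OCSP_CERT = 6, /* OCSP responder cert: treated as VERIFY_OCSP, or as plain VERIFY when it carries id-pkix-ocsp-nocheck */`. The enum starts before the hunk.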

2 comments on commit f93083b

@risicle

@risicle risicle commented on f93083b Aug 8, 2021


Patiently waiting on the CVE id for this...

@dgarske


Patiently waiting on the CVE id for this...

https://nvd.nist.gov/vuln/detail/CVE-2021-38597
