From f938a75780ed2aa67f109bf6e72324ecf4d82d7a Mon Sep 17 00:00:00 2001
From: toddouska <todd@wolfssl.com>
Date: Mon, 6 Feb 2017 14:10:38 -0800
Subject: [PATCH 1/3] fix OCSP signature leading zero, certdecode free on parse
 failure

---
 wolfcrypt/src/asn.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 01f2360e4..db400f17b 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -9641,9 +9641,18 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
     /* Obtain pointer to the start of the signature, and save the size */
     if (source[idx++] == ASN_BIT_STRING)
     {
-        int sigLength = 0;
-        if (GetLength(source, &idx, &sigLength, size) < 0)
+        int  sigLength = 0;
+        byte b;
+
+        if (GetLength(source, &idx, &sigLength, size) <= 0)
             return ASN_PARSE_E;
+
+        b = source[idx++];
+        if (b != 0x00) {
+            return ASN_EXPECT_0_E;
+        }
+
+        sigLength--;
         resp->sigSz = sigLength;
         resp->sig = source + idx;
         idx += sigLength;
@@ -9662,8 +9671,11 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 
         InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
         ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm);
-        if (ret < 0)
+        if (ret < 0) {
+            WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
+            FreeDecodedCert(&cert);
             return ret;
+        }
 
         ret = ConfirmSignature(resp->response, resp->responseSz,
                             cert.publicKey, cert.pubKeySize, cert.keyOID,

From 7ddeb1afd9db86dd40bb396f14ba8209bf2b510a Mon Sep 17 00:00:00 2001
From: toddouska <todd@wolfssl.com>
Date: Mon, 6 Feb 2017 16:30:48 -0800
Subject: [PATCH 2/3] add user clock skew defines for date skew before checks

---
 wolfcrypt/src/asn.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index db400f17b..ae5d1a536 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -3475,6 +3475,21 @@ int ValidateDate(const byte* date, byte format, int dateType)
 #endif
 
     ltime = XTIME(0);
+
+#ifdef WOLFSSL_BEFORE_DATE_CLOCK_SKEW
+    if (dateType == BEFORE) {
+        WOLFSSL_MSG("Skewing local time for before date check");
+        ltime += WOLFSSL_BEFORE_DATE_CLOCK_SKEW;
+    }
+#endif
+
+#ifdef WOLFSSL_AFTER_DATE_CLOCK_SKEW
+    if (dateType == AFTER) {
+        WOLFSSL_MSG("Skewing local time for after date check");
+        ltime -= WOLFSSL_AFTER_DATE_CLOCK_SKEW;
+    }
+#endif
+
     if (!ExtractDate(date, format, &certTime, &i)) {
         WOLFSSL_MSG("Error extracting the date");
         return 0;
@@ -3500,12 +3515,17 @@ int ValidateDate(const byte* date, byte format, int dateType)
     }
 
     if (dateType == BEFORE) {
-        if (DateLessThan(localTime, &certTime))
+        if (DateLessThan(localTime, &certTime)) {
+            WOLFSSL_MSG("Date BEFORE check failed");
             return 0;
+        }
     }
-    else
-        if (DateGreaterThan(localTime, &certTime))
+    else {  /* dateType == AFTER */
+        if (DateGreaterThan(localTime, &certTime)) {
+            WOLFSSL_MSG("Date AFTER check failed");
             return 0;
+        }
+    }
 
     return 1;
 }

From 468df109b68cb7ea7507a98bddc9242e4762ad7b Mon Sep 17 00:00:00 2001
From: toddouska <todd@wolfssl.com>
Date: Tue, 7 Feb 2017 13:31:59 -0800
Subject: [PATCH 3/3] add WOLFSSL_NO_OCSP_OPTIONAL_CERTS to skip optional OCSP
 certs, responder issuer must still be trusted

---
 wolfcrypt/src/asn.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index ae5d1a536..bb1afd7ec 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -9608,6 +9608,8 @@ static int DecodeResponseData(byte* source,
 }
 
 
+#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
+
 static int DecodeCerts(byte* source,
                             word32* ioIndex, OcspResponse* resp, word32 size)
 {
@@ -9634,15 +9636,18 @@ static int DecodeCerts(byte* source,
     return 0;
 }
 
+#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
+
+
 static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
                           OcspResponse* resp, word32 size, void* cm, void* heap)
 {
     int length;
     word32 idx = *ioIndex;
     word32 end_index;
-    int ret = -1;
 
     WOLFSSL_ENTER("DecodeBasicOcspResponse");
+    (void)heap;
 
     if (GetSequence(source, &idx, &length, size) < 0)
         return ASN_PARSE_E;
@@ -9682,9 +9687,11 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
      * Check the length of the BasicOcspResponse against the current index to
      * see if there are certificates, they are optional.
      */
+#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
     if (idx < end_index)
     {
         DecodedCert cert;
+        int         ret;
 
         if (DecodeCerts(source, &idx, resp, size) < 0)
             return ASN_PARSE_E;
@@ -9708,7 +9715,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
             return ASN_OCSP_CONFIRM_E;
         }
     }
-    else {
+    else
+#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
+    {
         Signer* ca = NULL;
 
         #ifndef NO_SKID