Browse Source

[ocsp] Avoid including a double path separator in request URI

The OCSP responder URI included within an X.509 certificate may or may
not include a trailing slash.  We currently rely on the fact that
format_uri() incorrectly inserts an initial slash, which we include
unconditionally within the OCSP request URI.

Switch to using uri_encode() directly, and insert a slash only if the
X.509 certificate's OCSP responder URI does not already include a
trailing slash.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 9 years ago
parent
commit
42c2a6aab7
1 changed files with 26 additions and 28 deletions
  1. 26
    28
      src/crypto/ocsp.c

+ 26
- 28
src/crypto/ocsp.c View File

@@ -209,10 +209,10 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
209 209
 static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
210 210
 	struct x509_ocsp_responder *responder =
211 211
 		&ocsp->cert->extensions.auth_info.ocsp;
212
-	struct uri path_uri;
213
-	char *path_base64_string;
214
-	char *path_uri_string;
215
-	size_t path_len;
212
+	char *base64;
213
+	char *sep;
214
+	size_t base64_len;
215
+	size_t uri_len;
216 216
 	size_t len;
217 217
 	int rc;
218 218
 
@@ -224,46 +224,44 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
224 224
 		goto err_no_uri;
225 225
 	}
226 226
 
227
-	/* Base64-encode the request as the URI path */
228
-	path_len = ( base64_encoded_len ( ocsp->request.builder.len )
229
-		     + 1 /* NUL */ );
230
-	path_base64_string = malloc ( path_len );
231
-	if ( ! path_base64_string ) {
227
+	/* Calculate base64-encoded request length */
228
+	base64_len = ( base64_encoded_len ( ocsp->request.builder.len )
229
+		       + 1 /* NUL */ );
230
+
231
+	/* Allocate and construct the base64-encoded request */
232
+	base64 = malloc ( base64_len );
233
+	if ( ! base64 ) {
232 234
 		rc = -ENOMEM;
233
-		goto err_path_base64;
235
+		goto err_alloc_base64;
234 236
 	}
235 237
 	base64_encode ( ocsp->request.builder.data, ocsp->request.builder.len,
236
-			path_base64_string, path_len );
238
+			base64, base64_len );
237 239
 
238
-	/* URI-encode the Base64-encoded request */
239
-	memset ( &path_uri, 0, sizeof ( path_uri ) );
240
-	path_uri.path = path_base64_string;
241
-	path_uri_string = format_uri_alloc ( &path_uri );
242
-	if ( ! path_uri_string ) {
243
-		rc = -ENOMEM;
244
-		goto err_path_uri;
245
-	}
240
+	/* Calculate URI-encoded base64-encoded request length */
241
+	uri_len = ( uri_encode ( URI_PATH, base64, ( base64_len - 1 /* NUL */ ),
242
+				 NULL, 0 ) + 1 /* NUL */ );
246 243
 
247
-	/* Construct URI string */
248
-	len = ( responder->uri.len + strlen ( path_uri_string ) + 1 /* NUL */ );
244
+	/* Allocate and construct the URI string */
245
+	len = ( responder->uri.len + 1 /* possible "/" */ + uri_len );
249 246
 	ocsp->uri_string = zalloc ( len );
250 247
 	if ( ! ocsp->uri_string ) {
251 248
 		rc = -ENOMEM;
252
-		goto err_ocsp_uri;
249
+		goto err_alloc_uri;
253 250
 	}
254 251
 	memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len );
255
-	strcpy ( &ocsp->uri_string[responder->uri.len], path_uri_string );
252
+	sep = &ocsp->uri_string[ responder->uri.len - 1 ];
253
+	if ( *sep != '/' )
254
+		*(++sep) = '/';
255
+	uri_encode ( URI_PATH, base64, base64_len, ( sep + 1 ), uri_len );
256 256
 	DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
257 257
 		ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );
258 258
 
259 259
 	/* Success */
260 260
 	rc = 0;
261 261
 
262
- err_ocsp_uri:
263
-	free ( path_uri_string );
264
- err_path_uri:
265
-	free ( path_base64_string );
266
- err_path_base64:
262
+ err_alloc_uri:
263
+	free ( base64 );
264
+ err_alloc_base64:
267 265
  err_no_uri:
268 266
 	return rc;
269 267
 }

Loading…
Cancel
Save