|
@@ -145,7 +145,7 @@ static void ocsp_free ( struct refcnt *refcnt ) {
|
145
|
145
|
static int ocsp_request ( struct ocsp_check *ocsp ) {
|
146
|
146
|
struct digest_algorithm *digest = &ocsp_digest_algorithm;
|
147
|
147
|
struct asn1_builder *builder = &ocsp->request.builder;
|
148
|
|
- struct asn1_cursor *cert_id = &ocsp->request.cert_id;
|
|
148
|
+ struct asn1_cursor *cert_id_tail = &ocsp->request.cert_id_tail;
|
149
|
149
|
uint8_t digest_ctx[digest->ctxsize];
|
150
|
150
|
uint8_t name_digest[digest->digestsize];
|
151
|
151
|
uint8_t pubkey_digest[digest->digestsize];
|
|
@@ -186,12 +186,14 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
|
186
|
186
|
DBGC2_HDA ( ocsp, 0, builder->data, builder->len );
|
187
|
187
|
|
188
|
188
|
/* Parse certificate ID for comparison with response */
|
189
|
|
- cert_id->data = builder->data;
|
190
|
|
- cert_id->len = builder->len;
|
191
|
|
- if ( ( rc = ( asn1_enter ( cert_id, ASN1_SEQUENCE ),
|
192
|
|
- asn1_enter ( cert_id, ASN1_SEQUENCE ),
|
193
|
|
- asn1_enter ( cert_id, ASN1_SEQUENCE ),
|
194
|
|
- asn1_enter ( cert_id, ASN1_SEQUENCE ) ) ) != 0 ) {
|
|
189
|
+ cert_id_tail->data = builder->data;
|
|
190
|
+ cert_id_tail->len = builder->len;
|
|
191
|
+ if ( ( rc = ( asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
|
|
192
|
+ asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
|
|
193
|
+ asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
|
|
194
|
+ asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
|
|
195
|
+ asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
|
|
196
|
+ asn1_skip ( cert_id_tail, ASN1_SEQUENCE ) ) ) != 0 ) {
|
195
|
197
|
DBGC ( ocsp, "OCSP %p \"%s\" could not locate certID: %s\n",
|
196
|
198
|
ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
|
197
|
199
|
return rc;
|
|
@@ -475,15 +477,31 @@ static int ocsp_parse_responder_id ( struct ocsp_check *ocsp,
|
475
|
477
|
static int ocsp_parse_cert_id ( struct ocsp_check *ocsp,
|
476
|
478
|
const struct asn1_cursor *raw ) {
|
477
|
479
|
struct asn1_cursor cursor;
|
|
480
|
+ struct asn1_algorithm *algorithm;
|
|
481
|
+ int rc;
|
478
|
482
|
|
479
|
|
- /* Check certID matches request */
|
|
483
|
+ /* Check certID algorithm */
|
480
|
484
|
memcpy ( &cursor, raw, sizeof ( cursor ) );
|
481
|
|
- asn1_shrink_any ( &cursor );
|
482
|
|
- if ( asn1_compare ( &cursor, &ocsp->request.cert_id ) != 0 ) {
|
|
485
|
+ asn1_enter ( &cursor, ASN1_SEQUENCE );
|
|
486
|
+ if ( ( rc = asn1_digest_algorithm ( &cursor, &algorithm ) ) != 0 ) {
|
|
487
|
+ DBGC ( ocsp, "OCSP %p \"%s\" certID unknown algorithm: %s\n",
|
|
488
|
+ ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
|
|
489
|
+ return rc;
|
|
490
|
+ }
|
|
491
|
+ if ( algorithm->digest != &ocsp_digest_algorithm ) {
|
|
492
|
+ DBGC ( ocsp, "OCSP %p \"%s\" certID wrong algorithm %s\n",
|
|
493
|
+ ocsp, x509_name ( ocsp->cert ),
|
|
494
|
+ algorithm->digest->name );
|
|
495
|
+ return -EACCES_CERT_MISMATCH;
|
|
496
|
+ }
|
|
497
|
+
|
|
498
|
+ /* Check remaining certID fields */
|
|
499
|
+ asn1_skip ( &cursor, ASN1_SEQUENCE );
|
|
500
|
+ if ( asn1_compare ( &cursor, &ocsp->request.cert_id_tail ) != 0 ) {
|
483
|
501
|
DBGC ( ocsp, "OCSP %p \"%s\" certID mismatch:\n",
|
484
|
502
|
ocsp, x509_name ( ocsp->cert ) );
|
485
|
|
- DBGC_HDA ( ocsp, 0, ocsp->request.cert_id.data,
|
486
|
|
- ocsp->request.cert_id.len );
|
|
503
|
+ DBGC_HDA ( ocsp, 0, ocsp->request.cert_id_tail.data,
|
|
504
|
+ ocsp->request.cert_id_tail.len );
|
487
|
505
|
DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
|
488
|
506
|
return -EACCES_CERT_MISMATCH;
|
489
|
507
|
}
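Review bot: In ocsp_parse_cert_id the return values of `asn1_enter ( &cursor, ASN1_SEQUENCE )` (new line 485) and `asn1_skip ( &cursor, ASN1_SEQUENCE )` (new line 499) are discarded, while the request-side chain in ocsp_request (new lines 191-196) checks every asn1_enter/asn1_skip step via rc. Presumably a failed enter/skip leaves the cursor in a state that asn1_digest_algorithm or asn1_compare will still reject, so a malformed response certID would not be accepted, but it would then be reported as "unknown algorithm" or "certID mismatch" rather than as a malformed certID, which makes the debug trail misleading. Checking both calls the same way as the request side, `if ( ( rc = asn1_enter ( &cursor, ASN1_SEQUENCE ) ) != 0 ) return rc;` and `if ( ( rc = asn1_skip ( &cursor, ASN1_SEQUENCE ) ) != 0 ) return rc;`, each with a DBGC line in the style of the neighbouring error paths, would keep the two sides consistent and name the actual failure. The body of ocsp_parse_cert_id continues past the end of this hunk.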
|