robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
Browse Source

[crypto] Remove dynamically-allocated storage for certificate OCSP URI 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 10 years ago
parent
01fa7efa38
commit
e1ebc50f81
4 changed files with 19 additions and 35 deletions
Split View Show Diff Stats
  1. 10
    7
      src/crypto/ocsp.c
  2. 7
    26
      src/crypto/x509.c
  3. 1
    1
      src/include/ipxe/x509.h
  4. 1
    1
      src/net/validator.c

+ 10
- 7
src/crypto/ocsp.c View File 

@@ -206,17 +206,17 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
206 206 
  * @ret rc		Return status code
207 207 
  */
208 208 
 static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
209 
+	struct x509_ocsp_responder *responder =
210 
+		&ocsp->cert->extensions.auth_info.ocsp;
209 211 
 	struct uri path_uri;
210 
-	char *base_uri_string;
211 212 
 	char *path_base64_string;
212 213 
 	char *path_uri_string;
213 214 
 	size_t path_len;
214 
-	int len;
215 
+	size_t len;
215 216 
 	int rc;
216 217
217 218 
 	/* Sanity check */
218 
-	base_uri_string = ocsp->cert->extensions.auth_info.ocsp.uri;
219 
-	if ( ! base_uri_string ) {
219 
+	if ( ! responder->uri.len ) {
220 220 
 		DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n",
221 221 
 		       ocsp, x509_name ( ocsp->cert ) );
222 222 
 		rc = -ENOTTY;
 
@@ -244,11 +244,14 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
244 244 
 	}
245 245
246 246 
 	/* Construct URI string */
247 
-	if ( ( len = asprintf ( &ocsp->uri_string, "%s/%s", base_uri_string,
248 
-				path_uri_string ) ) < 0 ) {
249 
-		rc = len;
247 
+	len = ( responder->uri.len + strlen ( path_uri_string ) + 1 /* NUL */ );
248 
+	ocsp->uri_string = zalloc ( len );
249 
+	if ( ! ocsp->uri_string ) {
250 
+		rc = -ENOMEM;
250 251 
 		goto err_ocsp_uri;
251 252 
 	}
253 
+	memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len );
254 
+	strcpy ( &ocsp->uri_string[responder->uri.len], path_uri_string );
252 255 
 	DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
253 256 
 		ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );
254 257

+ 7
- 26
src/crypto/x509.c View File 

@@ -130,20 +130,6 @@ const char * x509_name ( struct x509_certificate *cert ) {
130 130 
 	return buf;
131 131 
 }
132 132
133 
-/**
134 
- * Free X.509 certificate
135 
- *
136 
- * @v refcnt		Reference count
137 
- */
138 
-static void x509_free ( struct refcnt *refcnt ) {
139 
-	struct x509_certificate *cert =
140 
-		container_of ( refcnt, struct x509_certificate, refcnt );
141 
-
142 
-	DBGC2 ( cert, "X509 %p freed\n", cert );
143 
-	free ( cert->extensions.auth_info.ocsp.uri );
144 
-	free ( cert );
145 
-}
146 
-
147 133 
 /**
148 134 
  * Discard a cached certificate
149 135 
  *
 
@@ -626,24 +612,19 @@ static int x509_parse_extended_key_usage ( struct x509_certificate *cert,
626 612 
 static int x509_parse_ocsp ( struct x509_certificate *cert,
627 613 
 			     const struct asn1_cursor *raw ) {
628 614 
 	struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
629 
-	struct asn1_cursor cursor;
615 
+	struct asn1_cursor *uri = &ocsp->uri;
630 616 
 	int rc;
631 617
632 618 
 	/* Enter accessLocation */
633 
-	memcpy ( &cursor, raw, sizeof ( cursor ) );
634 
-	if ( ( rc = asn1_enter ( &cursor, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
619 
+	memcpy ( uri, raw, sizeof ( *uri ) );
620 
+	if ( ( rc = asn1_enter ( uri, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
635 621 
 		DBGC ( cert, "X509 %p OCSP does not contain "
636 622 
 		       "uniformResourceIdentifier:\n", cert );
637 623 
 		DBGC_HDA ( cert, 0, raw->data, raw->len );
638 624 
 		return rc;
639 625 
 	}
640 
-
641 
-	/* Record URI */
642 
-	ocsp->uri = zalloc ( cursor.len + 1 /* NUL */ );
643 
-	if ( ! ocsp->uri )
644 
-		return -ENOMEM;
645 
-	memcpy ( ocsp->uri, cursor.data, cursor.len );
646 
-	DBGC2 ( cert, "X509 %p OCSP URI is %s:\n", cert, ocsp->uri );
626 
+	DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
627 
+	DBGC2_HDA ( cert, 0, uri->data, uri->len );
647 628
648 629 
 	return 0;
649 630 
 }
 
@@ -1073,7 +1054,7 @@ int x509_certificate ( const void *data, size_t len,
1073 1054 
 	*cert = zalloc ( sizeof ( **cert ) + cursor.len );
1074 1055 
 	if ( ! *cert )
1075 1056 
 		return -ENOMEM;
1076 
-	ref_init ( &(*cert)->refcnt, x509_free );
1057 
+	ref_init ( &(*cert)->refcnt, NULL );
1077 1058 
 	INIT_LIST_HEAD ( &(*cert)->list );
1078 1059 
 	raw = ( *cert + 1 );
1079 1060 
 
@@ -1363,7 +1344,7 @@ int x509_validate ( struct x509_certificate *cert,
1363 1344 
 	}
1364 1345
1365 1346 
 	/* Fail if OCSP is required */
1366 
-	if ( cert->extensions.auth_info.ocsp.uri &&
1347 
+	if ( cert->extensions.auth_info.ocsp.uri.len &&
1367 1348 
 	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
1368 1349 
 		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1369 1350 
 		       cert, x509_name ( cert ) );

+ 1
- 1
src/include/ipxe/x509.h View File 

@@ -133,7 +133,7 @@ enum x509_extended_key_usage_bits {
133 133 
 /** X.509 certificate OCSP responder */
134 134 
 struct x509_ocsp_responder {
135 135 
 	/** URI */
136 
-	char *uri;
136 
+	struct asn1_cursor uri;
137 137 
 	/** OCSP status is good */
138 138 
 	int good;
139 139 
 };

+ 1
- 1
src/net/validator.c View File 

@@ -477,7 +477,7 @@ static void validator_step ( struct validator *validator ) {
477 477 
 		/* The issuer is valid, but this certificate is not
478 478 
 		 * yet valid.  If OCSP is applicable, start it.
479 479 
 		 */
480 
-		if ( cert->extensions.auth_info.ocsp.uri &&
480 
+		if ( cert->extensions.auth_info.ocsp.uri.len &&
481 481 
 		     ( ! cert->extensions.auth_info.ocsp.good ) ) {
482 482 
 			/* Start OCSP */
483 483 
 			if ( ( rc = validator_start_ocsp ( validator, cert,

Write Preview
Loading…
Cancel
Save