narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ocsp] Avoid including a double path separator in request URI 

The OCSP responder URI included within an X.509 certificate may or may
not include a trailing slash.  We currently rely on the fact that
format_uri() incorrectly inserts an initial slash, which we include
unconditionally within the OCSP request URI.

Switch to using uri_encode() directly, and insert a slash only if the
X.509 certificate's OCSP responder URI does not already include a
trailing slash.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/45/head
Michael Brown 2016-01-21 17:50:34 +00:00
parent 295ad11367
commit 42c2a6aab7
1 changed files with 26 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
src/crypto/ocsp.c
View File

@ -209,10 +209,10 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
static int ocsp_uri_string ( struct ocsp_check *ocsp ) { static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
struct x509_ocsp_responder *responder = struct x509_ocsp_responder *responder =
&ocsp->cert->extensions.auth_info.ocsp; &ocsp->cert->extensions.auth_info.ocsp;
struct uri path_uri; char *base64;
char *path_base64_string; char *sep;
char *path_uri_string; size_t base64_len;
size_t path_len; size_t uri_len;
size_t len; size_t len;
int rc; int rc;
@ -224,46 +224,44 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
goto err_no_uri; goto err_no_uri;
} }
/* Base64-encode the request as the URI path */ /* Calculate base64-encoded request length */
path_len = ( base64_encoded_len ( ocsp->request.builder.len ) base64_len = ( base64_encoded_len ( ocsp->request.builder.len )
+ 1 /* NUL */ ); + 1 /* NUL */ );
path_base64_string = malloc ( path_len );
if ( ! path_base64_string ) { /* Allocate and construct the base64-encoded request */
base64 = malloc ( base64_len );
if ( ! base64 ) {
rc = -ENOMEM; rc = -ENOMEM;
goto err_path_base64; goto err_alloc_base64;
} }
base64_encode ( ocsp->request.builder.data, ocsp->request.builder.len, base64_encode ( ocsp->request.builder.data, ocsp->request.builder.len,
path_base64_string, path_len ); base64, base64_len );
/* URI-encode the Base64-encoded request */ /* Calculate URI-encoded base64-encoded request length */
memset ( &path_uri, 0, sizeof ( path_uri ) ); uri_len = ( uri_encode ( URI_PATH, base64, ( base64_len - 1 /* NUL */ ),
path_uri.path = path_base64_string; NULL, 0 ) + 1 /* NUL */ );
path_uri_string = format_uri_alloc ( &path_uri );
if ( ! path_uri_string ) {
rc = -ENOMEM;
goto err_path_uri;
}
/* Construct URI string */ /* Allocate and construct the URI string */
len = ( responder->uri.len + strlen ( path_uri_string ) + 1 /* NUL */ ); len = ( responder->uri.len + 1 /* possible "/" */ + uri_len );
ocsp->uri_string = zalloc ( len ); ocsp->uri_string = zalloc ( len );
if ( ! ocsp->uri_string ) { if ( ! ocsp->uri_string ) {
rc = -ENOMEM; rc = -ENOMEM;
goto err_ocsp_uri; goto err_alloc_uri;
} }
memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len ); memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len );
strcpy ( &ocsp->uri_string[responder->uri.len], path_uri_string ); sep = &ocsp->uri_string[ responder->uri.len - 1 ];
if ( *sep != '/' )
*(++sep) = '/';
uri_encode ( URI_PATH, base64, base64_len, ( sep + 1 ), uri_len );
DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n", DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
ocsp, x509_name ( ocsp->cert ), ocsp->uri_string ); ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );
/* Success */ /* Success */
rc = 0; rc = 0;
err_ocsp_uri: err_alloc_uri:
free ( path_uri_string ); free ( base64 );
err_path_uri: err_alloc_base64:
free ( path_base64_string );
err_path_base64:
err_no_uri: err_no_uri:
return rc; return rc;
} }