[crypto] Remove dynamically-allocated storage for certificate OCSP URI
Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
parent
01fa7efa38
commit
e1ebc50f81
|
@ -206,17 +206,17 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
|
|||
* @ret rc Return status code
|
||||
*/
|
||||
static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
|
||||
struct x509_ocsp_responder *responder =
|
||||
&ocsp->cert->extensions.auth_info.ocsp;
|
||||
struct uri path_uri;
|
||||
char *base_uri_string;
|
||||
char *path_base64_string;
|
||||
char *path_uri_string;
|
||||
size_t path_len;
|
||||
int len;
|
||||
size_t len;
|
||||
int rc;
|
||||
|
||||
/* Sanity check */
|
||||
base_uri_string = ocsp->cert->extensions.auth_info.ocsp.uri;
|
||||
if ( ! base_uri_string ) {
|
||||
if ( ! responder->uri.len ) {
|
||||
DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n",
|
||||
ocsp, x509_name ( ocsp->cert ) );
|
||||
rc = -ENOTTY;
|
||||
|
@ -244,11 +244,14 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
|
|||
}
|
||||
|
||||
/* Construct URI string */
|
||||
if ( ( len = asprintf ( &ocsp->uri_string, "%s/%s", base_uri_string,
|
||||
path_uri_string ) ) < 0 ) {
|
||||
rc = len;
|
||||
len = ( responder->uri.len + strlen ( path_uri_string ) + 1 /* NUL */ );
|
||||
ocsp->uri_string = zalloc ( len );
|
||||
if ( ! ocsp->uri_string ) {
|
||||
rc = -ENOMEM;
|
||||
goto err_ocsp_uri;
|
||||
}
|
||||
memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len );
|
||||
strcpy ( &ocsp->uri_string[responder->uri.len], path_uri_string );
|
||||
DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
|
||||
ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );
|
||||
|
||||
|
|
|
@ -130,20 +130,6 @@ const char * x509_name ( struct x509_certificate *cert ) {
|
|||
return buf;
|
||||
}
|
||||
|
||||
/**
|
||||
* Free X.509 certificate
|
||||
*
|
||||
* @v refcnt Reference count
|
||||
*/
|
||||
static void x509_free ( struct refcnt *refcnt ) {
|
||||
struct x509_certificate *cert =
|
||||
container_of ( refcnt, struct x509_certificate, refcnt );
|
||||
|
||||
DBGC2 ( cert, "X509 %p freed\n", cert );
|
||||
free ( cert->extensions.auth_info.ocsp.uri );
|
||||
free ( cert );
|
||||
}
|
||||
|
||||
/**
|
||||
* Discard a cached certificate
|
||||
*
|
||||
|
@ -626,24 +612,19 @@ static int x509_parse_extended_key_usage ( struct x509_certificate *cert,
|
|||
static int x509_parse_ocsp ( struct x509_certificate *cert,
|
||||
const struct asn1_cursor *raw ) {
|
||||
struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
|
||||
struct asn1_cursor cursor;
|
||||
struct asn1_cursor *uri = &ocsp->uri;
|
||||
int rc;
|
||||
|
||||
/* Enter accessLocation */
|
||||
memcpy ( &cursor, raw, sizeof ( cursor ) );
|
||||
if ( ( rc = asn1_enter ( &cursor, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
|
||||
memcpy ( uri, raw, sizeof ( *uri ) );
|
||||
if ( ( rc = asn1_enter ( uri, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
|
||||
DBGC ( cert, "X509 %p OCSP does not contain "
|
||||
"uniformResourceIdentifier:\n", cert );
|
||||
DBGC_HDA ( cert, 0, raw->data, raw->len );
|
||||
return rc;
|
||||
}
|
||||
|
||||
/* Record URI */
|
||||
ocsp->uri = zalloc ( cursor.len + 1 /* NUL */ );
|
||||
if ( ! ocsp->uri )
|
||||
return -ENOMEM;
|
||||
memcpy ( ocsp->uri, cursor.data, cursor.len );
|
||||
DBGC2 ( cert, "X509 %p OCSP URI is %s:\n", cert, ocsp->uri );
|
||||
DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
|
||||
DBGC2_HDA ( cert, 0, uri->data, uri->len );
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -1073,7 +1054,7 @@ int x509_certificate ( const void *data, size_t len,
|
|||
*cert = zalloc ( sizeof ( **cert ) + cursor.len );
|
||||
if ( ! *cert )
|
||||
return -ENOMEM;
|
||||
ref_init ( &(*cert)->refcnt, x509_free );
|
||||
ref_init ( &(*cert)->refcnt, NULL );
|
||||
INIT_LIST_HEAD ( &(*cert)->list );
|
||||
raw = ( *cert + 1 );
|
||||
|
||||
|
@ -1363,7 +1344,7 @@ int x509_validate ( struct x509_certificate *cert,
|
|||
}
|
||||
|
||||
/* Fail if OCSP is required */
|
||||
if ( cert->extensions.auth_info.ocsp.uri &&
|
||||
if ( cert->extensions.auth_info.ocsp.uri.len &&
|
||||
( ! cert->extensions.auth_info.ocsp.good ) ) {
|
||||
DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
|
||||
cert, x509_name ( cert ) );
|
||||
|
|
|
@ -133,7 +133,7 @@ enum x509_extended_key_usage_bits {
|
|||
/** X.509 certificate OCSP responder */
|
||||
struct x509_ocsp_responder {
|
||||
/** URI */
|
||||
char *uri;
|
||||
struct asn1_cursor uri;
|
||||
/** OCSP status is good */
|
||||
int good;
|
||||
};
|
||||
|
|
|
@ -477,7 +477,7 @@ static void validator_step ( struct validator *validator ) {
|
|||
/* The issuer is valid, but this certificate is not
|
||||
* yet valid. If OCSP is applicable, start it.
|
||||
*/
|
||||
if ( cert->extensions.auth_info.ocsp.uri &&
|
||||
if ( cert->extensions.auth_info.ocsp.uri.len &&
|
||||
( ! cert->extensions.auth_info.ocsp.good ) ) {
|
||||
/* Start OCSP */
|
||||
if ( ( rc = validator_start_ocsp ( validator, cert,
|
||||
|
|
Reference in New Issue