summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/crypto/ocsp.c42
-rw-r--r--src/include/ipxe/ocsp.h4
2 files changed, 32 insertions, 14 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index b83f4c03..2c747fb3 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -145,7 +145,7 @@ static void ocsp_free ( struct refcnt *refcnt ) {
static int ocsp_request ( struct ocsp_check *ocsp ) {
struct digest_algorithm *digest = &ocsp_digest_algorithm;
struct asn1_builder *builder = &ocsp->request.builder;
- struct asn1_cursor *cert_id = &ocsp->request.cert_id;
+ struct asn1_cursor *cert_id_tail = &ocsp->request.cert_id_tail;
uint8_t digest_ctx[digest->ctxsize];
uint8_t name_digest[digest->digestsize];
uint8_t pubkey_digest[digest->digestsize];
@@ -186,12 +186,14 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
DBGC2_HDA ( ocsp, 0, builder->data, builder->len );
/* Parse certificate ID for comparison with response */
- cert_id->data = builder->data;
- cert_id->len = builder->len;
- if ( ( rc = ( asn1_enter ( cert_id, ASN1_SEQUENCE ),
- asn1_enter ( cert_id, ASN1_SEQUENCE ),
- asn1_enter ( cert_id, ASN1_SEQUENCE ),
- asn1_enter ( cert_id, ASN1_SEQUENCE ) ) ) != 0 ) {
+ cert_id_tail->data = builder->data;
+ cert_id_tail->len = builder->len;
+ if ( ( rc = ( asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
+ asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
+ asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
+ asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
+ asn1_enter ( cert_id_tail, ASN1_SEQUENCE ),
+ asn1_skip ( cert_id_tail, ASN1_SEQUENCE ) ) ) != 0 ) {
DBGC ( ocsp, "OCSP %p \"%s\" could not locate certID: %s\n",
ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
return rc;
@@ -475,15 +477,31 @@ static int ocsp_parse_responder_id ( struct ocsp_check *ocsp,
static int ocsp_parse_cert_id ( struct ocsp_check *ocsp,
const struct asn1_cursor *raw ) {
struct asn1_cursor cursor;
+ struct asn1_algorithm *algorithm;
+ int rc;
- /* Check certID matches request */
+ /* Check certID algorithm */
memcpy ( &cursor, raw, sizeof ( cursor ) );
- asn1_shrink_any ( &cursor );
- if ( asn1_compare ( &cursor, &ocsp->request.cert_id ) != 0 ) {
+ asn1_enter ( &cursor, ASN1_SEQUENCE );
+ if ( ( rc = asn1_digest_algorithm ( &cursor, &algorithm ) ) != 0 ) {
+ DBGC ( ocsp, "OCSP %p \"%s\" certID unknown algorithm: %s\n",
+ ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
+ return rc;
+ }
+ if ( algorithm->digest != &ocsp_digest_algorithm ) {
+ DBGC ( ocsp, "OCSP %p \"%s\" certID wrong algorithm %s\n",
+ ocsp, x509_name ( ocsp->cert ),
+ algorithm->digest->name );
+ return -EACCES_CERT_MISMATCH;
+ }
+
+ /* Check remaining certID fields */
+ asn1_skip ( &cursor, ASN1_SEQUENCE );
+ if ( asn1_compare ( &cursor, &ocsp->request.cert_id_tail ) != 0 ) {
DBGC ( ocsp, "OCSP %p \"%s\" certID mismatch:\n",
ocsp, x509_name ( ocsp->cert ) );
- DBGC_HDA ( ocsp, 0, ocsp->request.cert_id.data,
- ocsp->request.cert_id.len );
+ DBGC_HDA ( ocsp, 0, ocsp->request.cert_id_tail.data,
+ ocsp->request.cert_id_tail.len );
DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
return -EACCES_CERT_MISMATCH;
}
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index be0bddc5..9eb70b2c 100644
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -42,8 +42,8 @@ struct ocsp_check;
struct ocsp_request {
/** Request builder */
struct asn1_builder builder;
- /** Certificate ID */
- struct asn1_cursor cert_id;
+ /** Certificate ID (excluding hashAlgorithm) */
+ struct asn1_cursor cert_id_tail;
};
/** An OCSP responder */