-rw-r--r-- | src/crypto/ocsp.c | 17 | ||||
-rw-r--r-- | src/crypto/x509.c | 33 | ||||
-rw-r--r-- | src/include/ipxe/x509.h | 2 | ||||
-rw-r--r-- | src/net/validator.c | 2 |
4 files changed, 19 insertions, 35 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 1b39fd0d..75d9a092 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -206,17 +206,17 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
  * @ret rc		Return status code
  */
 static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
+	struct x509_ocsp_responder *responder =
+		&ocsp->cert->extensions.auth_info.ocsp;
 	struct uri path_uri;
-	char *base_uri_string;
 	char *path_base64_string;
 	char *path_uri_string;
 	size_t path_len;
-	int len;
+	size_t len;
 	int rc;
 
 	/* Sanity check */
-	base_uri_string = ocsp->cert->extensions.auth_info.ocsp.uri;
-	if ( ! base_uri_string ) {
+	if ( ! responder->uri.len ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n",
 		       ocsp, x509_name ( ocsp->cert ) );
 		rc = -ENOTTY;
@@ -244,11 +244,14 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
 	}
 
 	/* Construct URI string */
-	if ( ( len = asprintf ( &ocsp->uri_string, "%s/%s", base_uri_string,
-				path_uri_string ) ) < 0 ) {
-		rc = len;
+	len = ( responder->uri.len + strlen ( path_uri_string ) + 1 /* NUL */ );
+	ocsp->uri_string = zalloc ( len );
+	if ( ! ocsp->uri_string ) {
+		rc = -ENOMEM;
 		goto err_ocsp_uri;
 	}
+	memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len );
+	strcpy ( &ocsp->uri_string[responder->uri.len], path_uri_string );
 	DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
 		ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );
 
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index eb7d5029..29bb2296 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
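Review bot: The memcpy/strcpy pair at the end of the second hunk joins `responder->uri.data` and `path_uri_string` with nothing between them, whereas the removed asprintf used the format `"%s/%s"` and so always inserted a `/` separator. Unless the code that builds `path_uri_string` (outside this hunk) now supplies a leading `/`, a responder URI without a trailing slash produces a request path fused onto the last URI segment and the OCSP request goes to the wrong resource. If the slash is intentionally produced elsewhere, a comment on the `len = ( ... )` line saying that `path_uri_string` already begins with `/` would make that dependency visible; otherwise size it as `len = ( responder->uri.len + 1 /* "/" */ + strlen ( path_uri_string ) + 1 /* NUL */ );`, write `ocsp->uri_string[responder->uri.len] = '/';` after the memcpy, and copy the path with `strcpy ( &ocsp->uri_string[responder->uri.len + 1], path_uri_string );`. ocsp_uri_string continues between and after both hunks.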
@@ -131,20 +131,6 @@ const char * x509_name ( struct x509_certificate *cert ) {
 }
 
 /**
- * Free X.509 certificate
- *
- * @v refcnt		Reference count
- */
-static void x509_free ( struct refcnt *refcnt ) {
-	struct x509_certificate *cert =
-		container_of ( refcnt, struct x509_certificate, refcnt );
-
-	DBGC2 ( cert, "X509 %p freed\n", cert );
-	free ( cert->extensions.auth_info.ocsp.uri );
-	free ( cert );
-}
-
-/**
  * Discard a cached certificate
  *
  * @ret discarded	Number of cached items discarded
@@ -626,24 +612,19 @@ static int x509_parse_extended_key_usage ( struct x509_certificate *cert,
 static int x509_parse_ocsp ( struct x509_certificate *cert,
 			     const struct asn1_cursor *raw ) {
 	struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
-	struct asn1_cursor cursor;
+	struct asn1_cursor *uri = &ocsp->uri;
 	int rc;
 
 	/* Enter accessLocation */
-	memcpy ( &cursor, raw, sizeof ( cursor ) );
-	if ( ( rc = asn1_enter ( &cursor, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
+	memcpy ( uri, raw, sizeof ( *uri ) );
+	if ( ( rc = asn1_enter ( uri, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
 		DBGC ( cert, "X509 %p OCSP does not contain "
 		       "uniformResourceIdentifier:\n", cert );
 		DBGC_HDA ( cert, 0, raw->data, raw->len );
 		return rc;
 	}
-
-	/* Record URI */
-	ocsp->uri = zalloc ( cursor.len + 1 /* NUL */ );
-	if ( ! ocsp->uri )
-		return -ENOMEM;
-	memcpy ( ocsp->uri, cursor.data, cursor.len );
-	DBGC2 ( cert, "X509 %p OCSP URI is %s:\n", cert, ocsp->uri );
+	DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
+	DBGC2_HDA ( cert, 0, uri->data, uri->len );
 
 	return 0;
 }
@@ -1073,7 +1054,7 @@ int x509_certificate ( const void *data, size_t len,
 	*cert = zalloc ( sizeof ( **cert ) + cursor.len );
 	if ( ! *cert )
 		return -ENOMEM;
-	ref_init ( &(*cert)->refcnt, x509_free );
+	ref_init ( &(*cert)->refcnt, NULL );
 	INIT_LIST_HEAD ( &(*cert)->list );
 	raw = ( *cert + 1 );
 
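Review bot: `ref_init ( &(*cert)->refcnt, NULL )` in the third hunk drops the explicit free method, so releasing the certificate now depends on whatever the reference-counting core does when no method is given; if that default is to free the refcnt pointer itself, it is only correct because `refcnt` is the first member of `struct x509_certificate` and the raw DER copy shares the same allocation (`*cert = zalloc ( sizeof ( **cert ) + cursor.len )` just above). The removed x509_free made that ownership explicit; now the layout dependency is silent and a future field added before `refcnt` would turn the release into a misaligned free. Suggest a comment on the ref_init line: `/* No free method: refcnt must stay the first member, and the raw data copied at (*cert + 1) is released with it */`. The `DBGC2 ( cert, "X509 %p freed\n", cert )` trace disappears with x509_free as well; if it is still wanted, a minimal free method that logs and calls free would keep it. x509_certificate continues outside the hunk.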
@@ -1363,7 +1344,7 @@ int x509_validate ( struct x509_certificate *cert,
 	}
 
 	/* Fail if OCSP is required */
-	if ( cert->extensions.auth_info.ocsp.uri &&
+	if ( cert->extensions.auth_info.ocsp.uri.len &&
 	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
 		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
 		       cert, x509_name ( cert ) );
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 3e4bcd20..483153bb 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -133,7 +133,7 @@ enum x509_extended_key_usage_bits {
 /** X.509 certificate OCSP responder */
 struct x509_ocsp_responder {
 	/** URI */
-	char *uri;
+	struct asn1_cursor uri;
 	/** OCSP status is good */
 	int good;
 };
diff --git a/src/net/validator.c b/src/net/validator.c
index 7913ed64..60c54046 100644
--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -477,7 +477,7 @@ static void validator_step ( struct validator *validator ) {
 		/* The issuer is valid, but this certificate is not
 		 * yet valid.  If OCSP is applicable, start it.
 		 */
-		if ( cert->extensions.auth_info.ocsp.uri &&
+		if ( cert->extensions.auth_info.ocsp.uri.len &&
 		     ( ! cert->extensions.auth_info.ocsp.good ) ) {
 			/* Start OCSP */
 			if ( ( rc = validator_start_ocsp ( validator, cert,
|
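Review bot: The `/** URI */` comment on the new `struct asn1_cursor uri` member in the x509.h hunk no longer describes the field: it used to be an owned, NUL-terminated string and is now a non-owning byte view, so `uri.data` must never be passed to `%s`, strlen or strcpy. The other hunks already respect this (ocsp.c copies exactly `uri.len` bytes with memcpy, x509.c dumps it with DBGC2_HDA), but nothing in the header tells the next caller. Since x509_parse_ocsp fills it by copying `raw`, the bytes presumably point into the certificate's own DER storage and are only valid while a reference to the certificate is held; that is an inference from the hunks and worth confirming. Suggest `/** URI (not NUL-terminated; a cursor into the certificate's raw data, valid only while the certificate is held) */`.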