summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/crypto/ocsp.c17
-rw-r--r--src/crypto/x509.c33
-rw-r--r--src/include/ipxe/x509.h2
-rw-r--r--src/net/validator.c2
4 files changed, 19 insertions, 35 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 1b39fd0d..75d9a092 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -206,17 +206,17 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
* @ret rc Return status code
*/
static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
+ struct x509_ocsp_responder *responder =
+ &ocsp->cert->extensions.auth_info.ocsp;
struct uri path_uri;
- char *base_uri_string;
char *path_base64_string;
char *path_uri_string;
size_t path_len;
- int len;
+ size_t len;
int rc;
/* Sanity check */
- base_uri_string = ocsp->cert->extensions.auth_info.ocsp.uri;
- if ( ! base_uri_string ) {
+ if ( ! responder->uri.len ) {
DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n",
ocsp, x509_name ( ocsp->cert ) );
rc = -ENOTTY;
@@ -244,11 +244,14 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
}
/* Construct URI string */
- if ( ( len = asprintf ( &ocsp->uri_string, "%s/%s", base_uri_string,
- path_uri_string ) ) < 0 ) {
- rc = len;
+ len = ( responder->uri.len + strlen ( path_uri_string ) + 1 /* NUL */ );
+ ocsp->uri_string = zalloc ( len );
+ if ( ! ocsp->uri_string ) {
+ rc = -ENOMEM;
goto err_ocsp_uri;
}
+ memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len );
+ strcpy ( &ocsp->uri_string[responder->uri.len], path_uri_string );
DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index eb7d5029..29bb2296 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -131,20 +131,6 @@ const char * x509_name ( struct x509_certificate *cert ) {
}
/**
- * Free X.509 certificate
- *
- * @v refcnt Reference count
- */
-static void x509_free ( struct refcnt *refcnt ) {
- struct x509_certificate *cert =
- container_of ( refcnt, struct x509_certificate, refcnt );
-
- DBGC2 ( cert, "X509 %p freed\n", cert );
- free ( cert->extensions.auth_info.ocsp.uri );
- free ( cert );
-}
-
-/**
* Discard a cached certificate
*
* @ret discarded Number of cached items discarded
@@ -626,24 +612,19 @@ static int x509_parse_extended_key_usage ( struct x509_certificate *cert,
static int x509_parse_ocsp ( struct x509_certificate *cert,
const struct asn1_cursor *raw ) {
struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
- struct asn1_cursor cursor;
+ struct asn1_cursor *uri = &ocsp->uri;
int rc;
/* Enter accessLocation */
- memcpy ( &cursor, raw, sizeof ( cursor ) );
- if ( ( rc = asn1_enter ( &cursor, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
+ memcpy ( uri, raw, sizeof ( *uri ) );
+ if ( ( rc = asn1_enter ( uri, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
DBGC ( cert, "X509 %p OCSP does not contain "
"uniformResourceIdentifier:\n", cert );
DBGC_HDA ( cert, 0, raw->data, raw->len );
return rc;
}
-
- /* Record URI */
- ocsp->uri = zalloc ( cursor.len + 1 /* NUL */ );
- if ( ! ocsp->uri )
- return -ENOMEM;
- memcpy ( ocsp->uri, cursor.data, cursor.len );
- DBGC2 ( cert, "X509 %p OCSP URI is %s:\n", cert, ocsp->uri );
+ DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
+ DBGC2_HDA ( cert, 0, uri->data, uri->len );
return 0;
}
@@ -1073,7 +1054,7 @@ int x509_certificate ( const void *data, size_t len,
*cert = zalloc ( sizeof ( **cert ) + cursor.len );
if ( ! *cert )
return -ENOMEM;
- ref_init ( &(*cert)->refcnt, x509_free );
+ ref_init ( &(*cert)->refcnt, NULL );
INIT_LIST_HEAD ( &(*cert)->list );
raw = ( *cert + 1 );
@@ -1363,7 +1344,7 @@ int x509_validate ( struct x509_certificate *cert,
}
/* Fail if OCSP is required */
- if ( cert->extensions.auth_info.ocsp.uri &&
+ if ( cert->extensions.auth_info.ocsp.uri.len &&
( ! cert->extensions.auth_info.ocsp.good ) ) {
DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
cert, x509_name ( cert ) );
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 3e4bcd20..483153bb 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -133,7 +133,7 @@ enum x509_extended_key_usage_bits {
/** X.509 certificate OCSP responder */
struct x509_ocsp_responder {
/** URI */
- char *uri;
+ struct asn1_cursor uri;
/** OCSP status is good */
int good;
};
diff --git a/src/net/validator.c b/src/net/validator.c
index 7913ed64..60c54046 100644
--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -477,7 +477,7 @@ static void validator_step ( struct validator *validator ) {
/* The issuer is valid, but this certificate is not
* yet valid. If OCSP is applicable, start it.
*/
- if ( cert->extensions.auth_info.ocsp.uri &&
+ if ( cert->extensions.auth_info.ocsp.uri.len &&
( ! cert->extensions.auth_info.ocsp.good ) ) {
/* Start OCSP */
if ( ( rc = validator_start_ocsp ( validator, cert,