sysadmin/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe synced 2025-12-18 18:40:24 +03:00
Code Issues Packages Projects Releases Wiki Activity

[crypto] Remove dynamically-allocated storage for certificate OCSP URI

Browse Source 
Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2014-03-25 16:09:16 +00:00
parent 01fa7efa38
commit e1ebc50f81
4 changed files with 19 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/crypto/ocsp.c
View File

@@ -206,17 +206,17 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
* @ret rc Return status code * @ret rc Return status code
*/ */
static int ocsp_uri_string ( struct ocsp_check *ocsp ) { static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
struct x509_ocsp_responder *responder =
&ocsp->cert->extensions.auth_info.ocsp;
struct uri path_uri; struct uri path_uri;
char *base_uri_string;
char *path_base64_string; char *path_base64_string;
char *path_uri_string; char *path_uri_string;
size_t path_len; size_t path_len;
int len; size_t len;
int rc; int rc;
/* Sanity check */ /* Sanity check */
base_uri_string = ocsp->cert->extensions.auth_info.ocsp.uri; if ( ! responder->uri.len ) {
if ( ! base_uri_string ) {
DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n", DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n",
ocsp, x509_name ( ocsp->cert ) ); ocsp, x509_name ( ocsp->cert ) );
rc = -ENOTTY; rc = -ENOTTY;
@@ -244,11 +244,14 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
} }
/* Construct URI string */ /* Construct URI string */
if ( ( len = asprintf ( &ocsp->uri_string, "%s/%s", base_uri_string, len = ( responder->uri.len + strlen ( path_uri_string ) + 1 /* NUL */ );
path_uri_string ) ) < 0 ) { ocsp->uri_string = zalloc ( len );
rc = len; if ( ! ocsp->uri_string ) {
rc = -ENOMEM;
goto err_ocsp_uri; goto err_ocsp_uri;
} }
memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len );
strcpy ( &ocsp->uri_string[responder->uri.len], path_uri_string );
DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n", DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
ocsp, x509_name ( ocsp->cert ), ocsp->uri_string ); ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );

33
src/crypto/x509.c
View File

@@ -130,20 +130,6 @@ const char * x509_name ( struct x509_certificate *cert ) {
return buf; return buf;
} }
/**
* Free X.509 certificate
*
* @v refcnt Reference count
*/
static void x509_free ( struct refcnt *refcnt ) {
struct x509_certificate *cert =
container_of ( refcnt, struct x509_certificate, refcnt );
DBGC2 ( cert, "X509 %p freed\n", cert );
free ( cert->extensions.auth_info.ocsp.uri );
free ( cert );
}
/** /**
* Discard a cached certificate * Discard a cached certificate
* *
@@ -626,24 +612,19 @@ static int x509_parse_extended_key_usage ( struct x509_certificate *cert,
static int x509_parse_ocsp ( struct x509_certificate *cert, static int x509_parse_ocsp ( struct x509_certificate *cert,
const struct asn1_cursor *raw ) { const struct asn1_cursor *raw ) {
struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp; struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
struct asn1_cursor cursor; struct asn1_cursor *uri = &ocsp->uri;
int rc; int rc;
/* Enter accessLocation */ /* Enter accessLocation */
memcpy ( &cursor, raw, sizeof ( cursor ) ); memcpy ( uri, raw, sizeof ( *uri ) );
if ( ( rc = asn1_enter ( &cursor, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) { if ( ( rc = asn1_enter ( uri, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
DBGC ( cert, "X509 %p OCSP does not contain " DBGC ( cert, "X509 %p OCSP does not contain "
"uniformResourceIdentifier:\n", cert ); "uniformResourceIdentifier:\n", cert );
DBGC_HDA ( cert, 0, raw->data, raw->len ); DBGC_HDA ( cert, 0, raw->data, raw->len );
return rc; return rc;
} }
DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
/* Record URI */ DBGC2_HDA ( cert, 0, uri->data, uri->len );
ocsp->uri = zalloc ( cursor.len + 1 /* NUL */ );
if ( ! ocsp->uri )
return -ENOMEM;
memcpy ( ocsp->uri, cursor.data, cursor.len );
DBGC2 ( cert, "X509 %p OCSP URI is %s:\n", cert, ocsp->uri );
return 0; return 0;
} }
@@ -1073,7 +1054,7 @@ int x509_certificate ( const void *data, size_t len,
*cert = zalloc ( sizeof ( **cert ) + cursor.len ); *cert = zalloc ( sizeof ( **cert ) + cursor.len );
if ( ! *cert ) if ( ! *cert )
return -ENOMEM; return -ENOMEM;
ref_init ( &(*cert)->refcnt, x509_free ); ref_init ( &(*cert)->refcnt, NULL );
INIT_LIST_HEAD ( &(*cert)->list ); INIT_LIST_HEAD ( &(*cert)->list );
raw = ( *cert + 1 ); raw = ( *cert + 1 );
@@ -1363,7 +1344,7 @@ int x509_validate ( struct x509_certificate *cert,
} }
/* Fail if OCSP is required */ /* Fail if OCSP is required */
if ( cert->extensions.auth_info.ocsp.uri && if ( cert->extensions.auth_info.ocsp.uri.len &&
( ! cert->extensions.auth_info.ocsp.good ) ) { ( ! cert->extensions.auth_info.ocsp.good ) ) {
DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n", DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
cert, x509_name ( cert ) ); cert, x509_name ( cert ) );

2
src/include/ipxe/x509.h
View File

@@ -133,7 +133,7 @@ enum x509_extended_key_usage_bits {
/** X.509 certificate OCSP responder */ /** X.509 certificate OCSP responder */
struct x509_ocsp_responder { struct x509_ocsp_responder {
/** URI */ /** URI */
char *uri; struct asn1_cursor uri;
/** OCSP status is good */ /** OCSP status is good */
int good; int good;
}; };

2
src/net/validator.c
View File

@@ -477,7 +477,7 @@ static void validator_step ( struct validator *validator ) {
/* The issuer is valid, but this certificate is not /* The issuer is valid, but this certificate is not
* yet valid. If OCSP is applicable, start it. * yet valid. If OCSP is applicable, start it.
*/ */
if ( cert->extensions.auth_info.ocsp.uri && if ( cert->extensions.auth_info.ocsp.uri.len &&
( ! cert->extensions.auth_info.ocsp.good ) ) { ( ! cert->extensions.auth_info.ocsp.good ) ) {
/* Start OCSP */ /* Start OCSP */
if ( ( rc = validator_start_ocsp ( validator, cert, if ( ( rc = validator_start_ocsp ( validator, cert,