git.ipfire.org Git - thirdparty/ipxe.git/commit
[crypto] Accept OCSP responses containing multiple certificates
author Michael Brown <mcb30@ipxe.org>
Wed, 29 May 2013 15:41:58 +0000 (16:41 +0100)
committer Michael Brown <mcb30@ipxe.org>
Wed, 29 May 2013 15:41:58 +0000 (16:41 +0100)
commit 0036fdd5c5a232662d07c6d1310241f4c5b6ab83
tree c6381916694335b7b483251e09ed39678031d9e3
parent 5d3d62d8d72bfd84122fb89e1ee5f9e4c65f46c7
[crypto] Accept OCSP responses containing multiple certificates

RFC2560 mandates that a valid OCSP response will contain exactly one
relevant certificate.  However, some OCSP responders include
extraneous certificates.  iPXE currently assumes that the first
certificate in the OCSP response is the relevant certificate; OCSP
checks will therefore fail if the responder includes the extraneous
certificates before the relevant certificate.

Fix by using the responder ID to identify the relevant certificate.

Reported-by: Christian Stroehmeier <stroemi@mail.uni-paderborn.de>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/crypto/ocsp.c
src/include/ipxe/ocsp.h
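To illustrate the selection logic the commit message describes, here is an added Python model (not iPXE's own code, which is C) of picking the relevant certificate out of an OCSP response by its RFC 2560 ResponderID instead of by position. The `Certificate` and `ResponderID` types and the sample values are constructed stand-ins; byKey matching uses SHA-1 over the subjectPublicKey bits as RFC 2560 specifies.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a parsed X.509 certificate."""
    subject: bytes      # placeholder for the DER-encoded subject Name
    public_key: bytes   # subjectPublicKey BIT STRING contents (no unused-bits octet)


@dataclass(frozen=True)
class ResponderID:
    """RFC 2560 ResponderID CHOICE: byName [1] Name, or byKey [2] KeyHash."""
    kind: str           # "byName" or "byKey"
    value: bytes        # DER Name for byName, SHA-1 of subjectPublicKey for byKey


def responder_key_hash(cert: Certificate) -> bytes:
    """KeyHash per RFC 2560: SHA-1 of the responder's subjectPublicKey bits."""
    return hashlib.sha1(cert.public_key).digest()


def matches_responder(cert: Certificate, rid: ResponderID) -> bool:
    if rid.kind == "byName":
        return cert.subject == rid.value
    if rid.kind == "byKey":
        return responder_key_hash(cert) == rid.value
    raise ValueError(f"unknown ResponderID choice: {rid.kind!r}")


def find_responder_cert(certs: Iterable[Certificate],
                        rid: ResponderID) -> Optional[Certificate]:
    """Return the certificate the ResponderID names, regardless of its position.

    No match returns None: falling back to the first certificate would restore
    the assumption that broke with responders that send extraneous certificates.
    """
    for cert in certs:
        if matches_responder(cert, rid):
            return cert
    return None


# Constructed sample: an extraneous certificate precedes the real responder
# certificate, the ordering that defeated "first certificate is the right one".
EXTRANEOUS_CERT = Certificate(subject=b"CN=Some Intermediate CA", public_key=b"\x01\x02\x03")
RESPONDER_CERT = Certificate(subject=b"CN=OCSP Responder", public_key=b"\x04\x05\x06")
SAMPLE_CERTS = [EXTRANEOUS_CERT, RESPONDER_CERT]
BY_KEY = ResponderID("byKey", hashlib.sha1(RESPONDER_CERT.public_key).digest())
BY_NAME = ResponderID("byName", RESPONDER_CERT.subject)
```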