[crypto] Remove dynamically-allocated storage for certificate OCSP URI

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 1b39fd0d40455e02546a882fbb19a856109cf4f2..75d9a09207d7769b78222641d52623092330d4b7 100644 (file)
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -206,17 +206,17 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
  * @ret rc             Return status code
  */
 static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
+       struct x509_ocsp_responder *responder =
+               &ocsp->cert->extensions.auth_info.ocsp;
        struct uri path_uri;
-       char *base_uri_string;
        char *path_base64_string;
        char *path_uri_string;
        size_t path_len;
-       int len;
+       size_t len;
        int rc;
 
        /* Sanity check */
-       base_uri_string = ocsp->cert->extensions.auth_info.ocsp.uri;
-       if ( ! base_uri_string ) {
+       if ( ! responder->uri.len ) {
                DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n",
                       ocsp, x509_name ( ocsp->cert ) );
                rc = -ENOTTY;
@@ -244,11 +244,14 @@ static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
        }
 
        /* Construct URI string */
-       if ( ( len = asprintf ( &ocsp->uri_string, "%s/%s", base_uri_string,
-                               path_uri_string ) ) < 0 ) {
-               rc = len;
+       len = ( responder->uri.len + strlen ( path_uri_string ) + 1 /* NUL */ );
+       ocsp->uri_string = zalloc ( len );
+       if ( ! ocsp->uri_string ) {
+               rc = -ENOMEM;
                goto err_ocsp_uri;
        }
+       memcpy ( ocsp->uri_string, responder->uri.data, responder->uri.len );
+       strcpy ( &ocsp->uri_string[responder->uri.len], path_uri_string );
        DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
                ocsp, x509_name ( ocsp->cert ), ocsp->uri_string );
 

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index eb7d50290225bd46306ba29e7852d7e61870468a..29bb2296644b529f59eac85f1ea86628b7e57897 100644 (file)
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -130,20 +130,6 @@ const char * x509_name ( struct x509_certificate *cert ) {
        return buf;
 }
 
-/**
- * Free X.509 certificate
- *
- * @v refcnt           Reference count
- */
-static void x509_free ( struct refcnt *refcnt ) {
-       struct x509_certificate *cert =
-               container_of ( refcnt, struct x509_certificate, refcnt );
-
-       DBGC2 ( cert, "X509 %p freed\n", cert );
-       free ( cert->extensions.auth_info.ocsp.uri );
-       free ( cert );
-}
-
 /**
  * Discard a cached certificate
  *
@@ -626,24 +612,19 @@ static int x509_parse_extended_key_usage ( struct x509_certificate *cert,
 static int x509_parse_ocsp ( struct x509_certificate *cert,
                             const struct asn1_cursor *raw ) {
        struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
-       struct asn1_cursor cursor;
+       struct asn1_cursor *uri = &ocsp->uri;
        int rc;
 
        /* Enter accessLocation */
-       memcpy ( &cursor, raw, sizeof ( cursor ) );
-       if ( ( rc = asn1_enter ( &cursor, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
+       memcpy ( uri, raw, sizeof ( *uri ) );
+       if ( ( rc = asn1_enter ( uri, ASN1_IMPLICIT_TAG ( 6 ) ) ) != 0 ) {
                DBGC ( cert, "X509 %p OCSP does not contain "
                       "uniformResourceIdentifier:\n", cert );
                DBGC_HDA ( cert, 0, raw->data, raw->len );
                return rc;
        }
-
-       /* Record URI */
-       ocsp->uri = zalloc ( cursor.len + 1 /* NUL */ );
-       if ( ! ocsp->uri )
-               return -ENOMEM;
-       memcpy ( ocsp->uri, cursor.data, cursor.len );
-       DBGC2 ( cert, "X509 %p OCSP URI is %s:\n", cert, ocsp->uri );
+       DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
+       DBGC2_HDA ( cert, 0, uri->data, uri->len );
 
        return 0;
 }
@@ -1073,7 +1054,7 @@ int x509_certificate ( const void *data, size_t len,
        *cert = zalloc ( sizeof ( **cert ) + cursor.len );
        if ( ! *cert )
                return -ENOMEM;
-       ref_init ( &(*cert)->refcnt, x509_free );
+       ref_init ( &(*cert)->refcnt, NULL );
        INIT_LIST_HEAD ( &(*cert)->list );
        raw = ( *cert + 1 );
 
@@ -1363,7 +1344,7 @@ int x509_validate ( struct x509_certificate *cert,
        }
 
        /* Fail if OCSP is required */
-       if ( cert->extensions.auth_info.ocsp.uri &&
+       if ( cert->extensions.auth_info.ocsp.uri.len &&
             ( ! cert->extensions.auth_info.ocsp.good ) ) {
                DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
                       cert, x509_name ( cert ) );

diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 3e4bcd2059f8d258ae629fac1b8e28538aef8df3..483153bbe05cb5e550856035b6550c240188fa9e 100644 (file)
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -133,7 +133,7 @@ enum x509_extended_key_usage_bits {
 /** X.509 certificate OCSP responder */
 struct x509_ocsp_responder {
        /** URI */
-       char *uri;
+       struct asn1_cursor uri;
        /** OCSP status is good */
        int good;
 };

diff --git a/src/net/validator.c b/src/net/validator.c
index 7913ed64f2ba1a0b669ca1678b0c884d37e2498a..60c54046ee8c16408fd53962b53b5d6df9dac19f 100644 (file)
--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -477,7 +477,7 @@ static void validator_step ( struct validator *validator ) {
                /* The issuer is valid, but this certificate is not
                 * yet valid.  If OCSP is applicable, start it.
                 */
-               if ( cert->extensions.auth_info.ocsp.uri &&
+               if ( cert->extensions.auth_info.ocsp.uri.len &&
                     ( ! cert->extensions.auth_info.ocsp.good ) ) {
                        /* Start OCSP */
                        if ( ( rc = validator_start_ocsp ( validator, cert,