x509: Correctly handle missing responder ID when parsing OCSP response errors

The has_issuer() and issued_by() methods relied on it to be defined, so
if the OCSP response wasn't successful (i.e. OCSP status indicates an
error and no OCSP response is parsed), a null-pointer dereference was
caused if the caller checked if the OCSP response was issued by a
specific certificate.

That's a side-effect of the referenced commit.  Previously, error codes
caused the OCSP response to not get parsed successfully, which technically
wasn't correct as it's well formed and successfully parsed, it's just
indicating an error state.

Fixes: 00ab8d62c089 ("x509: Support generation of OCSP responses")

diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 3badf36b979707df725c217cccc14bde9e01bc82..89249c113d9cd5e9e96115d77e998681c49f74fd 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -878,7 +878,11 @@ METHOD(certificate_t, get_issuer, identification_t*,
 METHOD(certificate_t, has_issuer, id_match_t,
        private_x509_ocsp_response_t *this, identification_t *issuer)
 {
-       return this->responderId->matches(this->responderId, issuer);
+       if (this->responderId)
+       {
+               return this->responderId->matches(this->responderId, issuer);
+       }
+       return ID_MATCH_NONE;
 }
 
 METHOD(certificate_t, issued_by, bool,
@@ -889,7 +893,7 @@ METHOD(certificate_t, issued_by, bool,
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
 
-       if (issuer->get_type(issuer) != CERT_X509)
+       if (issuer->get_type(issuer) != CERT_X509 || !this->responderId)
        {
                return FALSE;
        }