From: Tobias Brunner
Date: Fri, 22 Nov 2019 14:09:55 +0000 (+0100)
Subject: revocation: Check that nonce in OCSP response matches
X-Git-Tag: 5.8.2rc1~9^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27756b081c1b8;p=thirdparty%2Fstrongswan.git

revocation: Check that nonce in OCSP response matches
---

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 68292e3cd5..d2f662dc68 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -64,6 +64,8 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 									certificate_t *issuer)
 {
 	certificate_t *request, *response;
+	ocsp_request_t *ocsp_request;
+	ocsp_response_t *ocsp_response;
 	chunk_t send, receive = chunk_empty;
 
 	/* TODO: requestor name, signature */
@@ -83,7 +85,6 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 		request->destroy(request);
 		return NULL;
 	}
-	request->destroy(request);
 
 	DBG1(DBG_CFG, " requesting ocsp status from '%s' ...", url);
 	if (lib->fetcher->fetch(lib->fetcher, url, &receive,
@@ -92,6 +93,7 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 							FETCH_END) != SUCCESS)
 	{
 		DBG1(DBG_CFG, "ocsp request to %s failed", url);
+		request->destroy(request);
 		chunk_free(&receive);
 		chunk_free(&send);
 		return NULL;
@@ -105,8 +107,19 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 	if (!response)
 	{
 		DBG1(DBG_CFG, "parsing ocsp response failed");
+		request->destroy(request);
+		return NULL;
+	}
+	ocsp_request = (ocsp_request_t*)request;
+	ocsp_response = (ocsp_response_t*)response;
+	if (!chunk_equals_const(ocsp_request->get_nonce(ocsp_request),
+							ocsp_response->get_nonce(ocsp_response)))
+	{
+		DBG1(DBG_CFG, "nonce in ocsp response doesn't match");
+		request->destroy(request);
+		return NULL;
+	}
+	request->destroy(request);
 	return response;
 }
 
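Review bot: The nonce-mismatch branch in the last hunk leaks the parsed response: `response` was just created by lib->creds->create() and the branch destroys only `request` before `return NULL`, so a responder that replays or omits the nonce costs the verifier a certificate object per attempt; add `response->destroy(response);` next to the existing `request->destroy(request);` in that block. It is also worth a one-line comment on the check, e.g. `/* a response without a nonce is treated as a mismatch (replay protection) */`, since with chunk_equals_const() an absent nonce presumably compares as an empty chunk and is rejected — that looks intentional but a reader may take it for an oversight. fetch_ocsp() begins before the first hunk; its closing brace is the last line of the final hunk.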