From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 22 Nov 2019 15:36:20 +0000 (+0100)
Subject: x509: Correctly parse nonce in OCSP response
X-Git-Tag: 5.8.2rc1~9^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd0e4d5297882b88b17e52ba7bc042764771e352;p=thirdparty%2Fstrongswan.git

x509: Correctly parse nonce in OCSP response

Fixes: d7dc677ee572 ("x509: Correctly encode nonce in OCSP request")
---

diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 75eb9d7794..f3ade37e43 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -577,7 +577,9 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 				DBG2(DBG_ASN, "  %s", critical ? "TRUE" : "FALSE");
 				break;
 			case BASIC_RESPONSE_EXT_VALUE:
-				if (extn_oid == OID_NONCE)
+				if (extn_oid == OID_NONCE &&
+					asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
+										parser->get_level(parser)+1, "nonce"))
 				{
 					this->nonce = object;
 				}