From 27756b081c1b894d579961b088e2a12ae841874b Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 22 Nov 2019 15:09:55 +0100
Subject: [PATCH] revocation: Check that nonce in OCSP response matches

---
 .../plugins/revocation/revocation_validator.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 68292e3cd5..d2f662dc68 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -64,6 +64,8 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 certificate_t *issuer)
 {
 certificate_t *request, *response;
+ ocsp_request_t *ocsp_request;
+ ocsp_response_t *ocsp_response;
 chunk_t send, receive = chunk_empty;
 
 /* TODO: requestor name, signature */
@@ -83,7 +85,6 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 request->destroy(request);
 return NULL;
 }
- request->destroy(request);
 
 DBG1(DBG_CFG, " requesting ocsp status from '%s' ...", url);
 if (lib->fetcher->fetch(lib->fetcher, url, &receive,
@@ -92,6 +93,7 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 FETCH_END) != SUCCESS)
 {
 DBG1(DBG_CFG, "ocsp request to %s failed", url);
+ request->destroy(request);
 chunk_free(&receive);
 chunk_free(&send);
 return NULL;
@@ -105,8 +107,19 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 if (!response)
 {
 DBG1(DBG_CFG, "parsing ocsp response failed");
+ request->destroy(request);
+ return NULL;
+ }
+ ocsp_request = (ocsp_request_t*)request;
+ ocsp_response = (ocsp_response_t*)response;
+ if (!chunk_equals_const(ocsp_request->get_nonce(ocsp_request),
+ ocsp_response->get_nonce(ocsp_response)))
+ {
+ DBG1(DBG_CFG, "nonce in ocsp response doesn't match");
+ request->destroy(request);
 return NULL;
 }
+ request->destroy(request);
 return response;
 }
 
-- 
2.47.2
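Review bot: The nonce-mismatch branch in the last hunk leaks the parsed response: it destroys `request` and returns NULL, but `response`, which was successfully created just above, is never freed, so add `response->destroy(response);` next to the existing `request->destroy(request);` before `return NULL;` (a remote responder can trigger this path on every fetch). It is also worth documenting the policy the check implies: a response that carries no nonce at all presumably yields an empty chunk from `get_nonce()` and is rejected as well, which is the right default against replay of stale responses but will fail against responders that do not echo nonces, so a comment such as `/* reject responses without a matching nonce to prevent replay of old responses */` above the `chunk_equals_const()` call would make that intent explicit. Note that matching the nonce only proves freshness once the response signature has been verified, which this function does not do; that presumably happens in the caller, and a one-line comment saying so would help readers. fetch_ocsp begins outside this hunk.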