ocsp: corrected the comparison of the serial size in OCSP response

Previously the OCSP certificate check wouldn't verify the serial length
and could succeed in cases it shouldn't.

Reported by Stefan Buehler.

diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 92db9b6aad581af5b9d47fb16894832b5a522510..8181f2e070189cb15b7612dc0a5dca4dbff4aa17 100644 (file)
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -1318,6 +1318,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp,
                gnutls_assert();
                goto cleanup;
        }
+       cserial.size = t;
 
        if (rserial.size != cserial.size
            || memcmp(cserial.data, rserial.data, rserial.size) != 0) {