From: Nikos Mavrogiannopoulos
Date: Fri, 14 Nov 2014 15:17:58 +0000 (+0100)
Subject: use the original DER/BER data when verifying an OCSP response
X-Git-Tag: gnutls_3_4_0~611
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bd4534b7d0ad082035d19d6b4629329dfd994bab;p=thirdparty%2Fgnutls.git

use the original DER/BER data when verifying an OCSP response
---

diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 2b19f45e13..abb73fa9fc 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -41,6 +41,7 @@ typedef struct gnutls_ocsp_resp_int {
 ASN1_TYPE resp;
 gnutls_datum_t response_type_oid;
 ASN1_TYPE basicresp;
+ gnutls_datum_t der;
 } gnutls_ocsp_resp_int;
 
 #define MAX_TIME 64
@@ -266,8 +267,6 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp,
 if (resp->response_type_oid.size == sizeof(OCSP_BASIC) &&
 memcmp(resp->response_type_oid.data, OCSP_BASIC,
 resp->response_type_oid.size) == 0) {
- gnutls_datum_t d;
-
 if (resp->basicresp) {
 asn1_delete_structure(&resp->basicresp);
@@ -282,16 +281,15 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp,
 ret = _gnutls_x509_read_value(resp->resp,
- "responseBytes.response", &d);
+ "responseBytes.response", &resp->der);
 if (ret < 0) {
 gnutls_assert();
 return ret;
 }
 ret =
- asn1_der_decoding(&resp->basicresp, d.data, d.size,
+ asn1_der_decoding(&resp->basicresp, resp->der.data, resp->der.size,
 NULL);
- gnutls_free(d.data);
 if (ret != ASN1_SUCCESS) {
 gnutls_assert();
 return _gnutls_asn2err(ret);
@@ -1864,7 +1862,6 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
 if ((20 == keyid.size) &&
 memcmp(keyid.data, digest, 20) == 0) {
- gnutls_assert();
 signercert = certs[i];
 goto quit;
 }
@@ -1913,7 +1910,7 @@ _ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
 }
 sigalg = rc;
- rc = _gnutls_x509_get_raw_field(resp->basicresp, "tbsResponseData", &data);
+ rc = _gnutls_x509_get_raw_field2(resp->basicresp, &resp->der, "tbsResponseData", &data);
 if (rc != GNUTLS_E_SUCCESS) {
 gnutls_assert();
 goto done;
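Review bot: The new `der` member owns a heap buffer (the import hunk fills it through `_gnutls_x509_read_value` and drops the `gnutls_free(d.data)` that used to release it), yet no hunk in this diff adds a matching `gnutls_free(resp->der.data)` to `gnutls_ocsp_resp_deinit`; unless that function is updated outside this patch, every imported basic response leaks its DER. The field also deserves a comment recording ownership and purpose, since a reader of the struct cannot tell why a second copy of the response is kept: `gnutls_datum_t der; /* raw DER of responseBytes.response; owned by this object, freed in deinit; the signature is verified over these exact bytes */`.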
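Review bot: `_gnutls_x509_read_value(resp->resp, "responseBytes.response", &resp->der)` overwrites `resp->der` without releasing a previous buffer, so importing a second response into the same object leaks the first DER; the surrounding code already tolerates re-import, as the preceding hunk deletes an existing `basicresp` before creating a new one. Free and reset the datum before the read: `gnutls_free(resp->der.data); resp->der.data = NULL; resp->der.size = 0;`. A one-line comment above the call explaining why the encoding is now retained (`/* keep the original encoding; verification must run over the bytes that were actually signed */`) would also help. `gnutls_ocsp_resp_import` starts and ends outside the hunk.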
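Review bot: After the switch to `_gnutls_x509_get_raw_field2(resp->basicresp, &resp->der, "tbsResponseData", &data)`, `data` apparently aliases `resp->der` rather than owning a copy — that is why the final hunk drops `gnutls_free(data.data)` at `done:` — but nothing at the call site records this. A comment such as `/* data points into resp->der; not owned, must not be freed or used after the response is deinitialized */` would keep a later maintainer from reintroducing the free or from extending the datum's lifetime past the object. Verifying over the original octets rather than a re-encoding is the right move, since a BER-to-DER round trip need not reproduce the bytes the responder signed. `_ocsp_resp_verify_direct` starts and ends outside the hunk.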
@@ -1950,7 +1947,6 @@ _ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
 rc = GNUTLS_E_SUCCESS;
 done:
- gnutls_free(data.data);
 gnutls_free(sig.data);
 gnutls_pubkey_deinit(pubkey);