The retrieved certificate purpose OID was compared against the expected
1.3.6.1.5.5.7.3.9 value without checking if the lengths were identical,
allowing a value that constitutes a prefix to match.
The check now compares the length as well.
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
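As an added illustration of the defect the message above describes (example code, not GnuTLS's own; `KP_OCSP_SIGNING` and the two helper names are stand-ins), the prefix-matching comparison beside the length-checked one, assuming `oidsize` is the retrieved OID's length without a terminating NUL:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the expected key-purpose OID (id-kp-OCSPSigning). */
#define KP_OCSP_SIGNING "1.3.6.1.5.5.7.3.9"

/* Before the fix: only the first oidsize bytes are compared, so any
 * prefix of the expected OID, including the empty string, "matches". */
static bool oid_matches_prefix_bug(const char *oid, size_t oidsize)
{
    return memcmp(oid, KP_OCSP_SIGNING, oidsize) == 0;
}

/* After the fix: the lengths must agree before any bytes are compared.
 * The length test runs first, so memcmp never reads past the end of
 * the shorter buffer. sizeof - 1 drops the literal's terminating NUL. */
static bool oid_matches_fixed(const char *oid, size_t oidsize)
{
    return oidsize == sizeof(KP_OCSP_SIGNING) - 1 &&
           memcmp(oid, KP_OCSP_SIGNING, oidsize) == 0;
}
```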
return gnutls_assert_val(rc);
}
- if (memcmp(oidtmp, GNUTLS_KP_OCSP_SIGNING, oidsize) != 0) {
+ if (oidsize != sizeof(GNUTLS_KP_OCSP_SIGNING) - 1 ||
+ memcmp(oidtmp, GNUTLS_KP_OCSP_SIGNING, oidsize) != 0) {
gnutls_assert();
continue;
}
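Review bot: the new length test `oidsize != sizeof(GNUTLS_KP_OCSP_SIGNING) - 1` on the `+` lines is correct only if GNUTLS_KP_OCSP_SIGNING expands to a string literal (so that sizeof yields the byte count plus the NUL) and if `oidsize` excludes the terminator; a one-line comment stating that, or a `strlen`-based comparison, would make the assumption visible to the next reader. The ordering is right as written: the length comparison short-circuits before `memcmp`, so the compare never reads beyond the shorter buffer, and the empty OID, which the old `memcmp` over zero bytes accepted, is now rejected.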