From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 23 Nov 2023 10:32:15 +0000 (+0100)
Subject: x509: Correctly handle missing responder ID when parsing OCSP response errors
X-Git-Tag: 5.9.13rc1~1^2~8
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=585c40095a3a92e058c5d1d61137232f17f72195;p=thirdparty%2Fstrongswan.git

x509: Correctly handle missing responder ID when parsing OCSP response errors

The has_issuer() and issued_by() methods relied on it to be defined, so
if the OCSP response wasn't successful (i.e. OCSP status indicates an
error and no OCSP response is parsed), a null-pointer dereference was
caused if the caller checked if the OCSP response was issued by a
specific certificate.

That's a side-effect of the referenced commit.  Previously, error codes
caused the OCSP response to not get parsed successfully, which technically
wasn't correct as it's well formed and successfully parsed, it's just
indicating an error state.

Fixes: 00ab8d62c089 ("x509: Support generation of OCSP responses")
---

diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 3badf36b97..89249c113d 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -878,7 +878,11 @@ METHOD(certificate_t, get_issuer, identification_t*,
 METHOD(certificate_t, has_issuer, id_match_t,
 	private_x509_ocsp_response_t *this, identification_t *issuer)
 {
-	return this->responderId->matches(this->responderId, issuer);
+	if (this->responderId)
+	{
+		return this->responderId->matches(this->responderId, issuer);
+	}
+	return ID_MATCH_NONE;
 }
 
 METHOD(certificate_t, issued_by, bool,
@@ -889,7 +893,7 @@ METHOD(certificate_t, issued_by, bool,
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
 
-	if (issuer->get_type(issuer) != CERT_X509)
+	if (issuer->get_type(issuer) != CERT_X509 || !this->responderId)
 	{
 		return FALSE;
 	}