[strongSwan-dev] Possible crash when OCSP response contains "ResponderID.byKey"

Владимир Подобаев vpodobaev at mail.ru
Fri Feb 17 14:16:03 CET 2012


I found a possible crash of Pluto. Please, check it. 

OCSP response contains a choice.
ResponderID ::= CHOICE {
      byName               [1] Name,
      byKey                [2] KeyHash }
Assume, we got byKey choice. Then:

In pluto/ocsp.c: in function valid_ocsp_response:
authcert = get_authcert(res->responder_id_name, res->responder_id_key, X509_OCSP_SIGNER | X509_CA);

In our case res->responder_id_name will be NULL.

In pluto/ca.c: in function get_authcert:

      if (keyid.ptr)
           chunk_t subjectKeyId;
           subjectKeyId = x509->get_subjectKeyIdentifier(x509);
           if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId))
       /* compare the subjectDistinguishedNames */ 
      if (!certificate->has_subject(certificate, subject))

In our case we will call certificate->has_subject(certificate, NULL).
Because subject is NULL.

In libstrongswan/plugins/x509/x509_cert.c: has_subject:
We use the subject pointer in the first code line:
if (subject->get_type(subject) == ID_KEY_ID)

And the subject is NULL.

Am I right? Or maybe I missed something. I haven't found any other place of setting res->responder_id_name, but in parsing function.
And if we got byKey choice - res->responder_id_name will remain in NULL. Right?

Best regards, Vladimir
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20120217/88472fb5/attachment.html>

More information about the Dev mailing list