[strongSwan-dev] Possible crash when OCSP response contains "ResponderID.byKey"

Владимир Подобаев vpodobaev at mail.ru
Fri Feb 17 14:16:03 CET 2012


Hello.

I found a possible crash in Pluto. Please check it.

The OCSP response contains a choice:

    ResponderID ::= CHOICE {
          byName               [1] Name,
          byKey                [2] KeyHash }

Assume we got the byKey choice. Then:

In pluto/ocsp.c, in function valid_ocsp_response:

    authcert = get_authcert(res->responder_id_name, res->responder_id_key, X509_OCSP_SIGNER | X509_CA);

In our case res->responder_id_name will be NULL.

In pluto/ca.c, in function get_authcert:

    if (keyid.ptr)
    {
        chunk_t subjectKeyId;
        subjectKeyId = x509->get_subjectKeyIdentifier(x509);
        if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId))
        {
            continue;
        }
    }
    /* compare the subjectDistinguishedNames */
    if (!certificate->has_subject(certificate, subject))
    {
        continue;
    }

In our case we will call certificate->has_subject(certificate, NULL), because subject is NULL.

In libstrongswan/plugins/x509/x509_cert.c, in has_subject:
We use the subject pointer in the first code line:

    if (subject->get_type(subject) == ID_KEY_ID)

And the subject is NULL.

Am I right? Or maybe I missed something. I haven't found any other place that sets res->responder_id_name except the parsing function.
And if we got the byKey choice, res->responder_id_name will remain NULL. Right?

Best regards, Vladimir
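
Added example (not part of the original message and not strongSwan code): a minimal C model of the lookup described above, matching the responder certificate by whichever ResponderID choice was present, comparing subjects only when a name was supplied, and rejecting a response that carries neither. The types blob_t and cert_t, the function find_responder and the sample certificates are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified types; not strongSwan's chunk_t or certificate_t. */
typedef struct { const unsigned char *ptr; size_t len; } blob_t;
typedef struct { const char *subject; blob_t key_id; } cert_t;

/* Constructed sample trust store. */
static const unsigned char KID_A[] = {0x01, 0x02, 0x03, 0x04};
static const unsigned char KID_B[] = {0xaa, 0xbb, 0xcc, 0xdd};
static const cert_t CERTS[] = {
    { "CN=OCSP A", { KID_A, sizeof KID_A } },
    { "CN=OCSP B", { KID_B, sizeof KID_B } },
    { "CN=No SKI", { NULL, 0 } },   /* certificate without a key identifier */
};

static bool blob_equals(blob_t a, blob_t b)
{
    return a.ptr && b.ptr && a.len == b.len && memcmp(a.ptr, b.ptr, a.len) == 0;
}

/* name is NULL when the response used byKey; key_id.ptr is NULL when it
 * used byName. Each criterion is checked only if it was actually supplied,
 * so a NULL name is never handed to the subject comparison. */
const cert_t *find_responder(const cert_t *certs, size_t n,
                             const char *name, blob_t key_id)
{
    if (!name && !key_id.ptr)
        return NULL;            /* no ResponderID at all: nothing to match */
    for (size_t i = 0; i < n; i++) {
        if (key_id.ptr && !blob_equals(key_id, certs[i].key_id))
            continue;           /* byKey: a missing or different key id fails */
        if (name && strcmp(certs[i].subject, name) != 0)
            continue;           /* byName: subject must match */
        return &certs[i];
    }
    return NULL;
}

int main(void)
{
    const cert_t *k = find_responder(CERTS, 3, NULL, (blob_t){ KID_B, sizeof KID_B });
    const cert_t *n = find_responder(CERTS, 3, "CN=OCSP A", (blob_t){ NULL, 0 });
    printf("byKey -> %s, byName -> %s\n", k ? k->subject : "(none)", n ? n->subject : "(none)");
    return 0;
}
```

Unlike the quoted get_authcert fragment, this model treats a certificate with no key identifier as a non-match for byKey instead of falling through to the subject comparison.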