bug 977870 - insanity::pkix: consume the rest of input when a CertID doesn't match in an OCSP response r=briansmith

This commit is contained in:
David Keeler 2014-03-17 14:34:34 -07:00
Родитель 71abad65d5
Коммит 6426e9ea55
3 изменённых файлов: 19 добавлений и 4 удалений


@ -163,6 +163,11 @@ public:
return Success; return Success;
} }
void SkipToEnd()
{
input = end;
}
bool AtEnd() const { return input == end; } bool AtEnd() const { return input == end; }
class Mark class Mark
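Review bot: The new `SkipToEnd()` carries no comment, and its one behaviour that matters to a reader is that the bytes it jumps over are never decoded or DER-validated, which is exactly how the OCSP callers in this commit use it to ignore whole CertID/SingleResponse bodies. Suggest adding above it `// Advances to the end of the input without decoding the skipped bytes.` and `// Used by callers to discard a DER structure they have decided to ignore.` The enclosing Input class starts outside this hunk, so a class-level note about the mark/AtEnd contract may already exist; if so, a cross-reference from here is enough.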


@ -603,6 +603,11 @@ SingleResponse(der::Input& input, Context& context)
} }
if (!match) { if (!match) {
// This response does not reference the certificate we're interested in.
// By consuming the rest of our input and returning successfully, we can
// continue processing and examine another response that might have what
// we want.
input.SkipToEnd();
return der::Success; return der::Success;
} }
@ -745,6 +750,10 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
const CERTCertificate& issuerCert = context.issuerCert; const CERTCertificate& issuerCert = context.issuerCert;
if (!SECITEM_ItemsAreEqual(&serialNumber, &cert.serialNumber)) { if (!SECITEM_ItemsAreEqual(&serialNumber, &cert.serialNumber)) {
// This does not reference the certificate we're interested in.
// Consume the rest of the input and return successfully to
// potentially continue processing other responses.
input.SkipToEnd();
return der::Success; return der::Success;
} }
@ -752,6 +761,8 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
SECOidTag hashAlg = SECOID_GetAlgorithmTag(&hashAlgorithm); SECOidTag hashAlg = SECOID_GetAlgorithmTag(&hashAlgorithm);
if (hashAlg != SEC_OID_SHA1) { if (hashAlg != SEC_OID_SHA1) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return der::Success; return der::Success;
} }
@ -768,6 +779,8 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
return der::Failure; return der::Failure;
} }
if (memcmp(hashBuf, issuerNameHash.data, issuerNameHash.len)) { if (memcmp(hashBuf, issuerNameHash.data, issuerNameHash.len)) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return der::Success; return der::Success;
} }
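Review bot: The three early returns added in CertID (serial mismatch, non-SHA1 hash algorithm, issuer name hash mismatch) return `der::Success` without assigning the `match` out-parameter, and CertID's entry is outside this hunk, so it is not visible whether `match` is initialised to false before the first comparison; if it is not, the `if (!match)` check in SingleResponse reads whatever the caller left in it. Writing `match = false;` immediately before each `input.SkipToEnd();` makes the contract local and cheap to audit. It is also worth stating in the mismatch comments that `SkipToEnd()` discards the rest of the structure without DER validation, so a malformed but unrelated SingleResponse is silently accepted rather than rejected with SEC_ERROR_BAD_DER; that is the intended trade-off here, but a reader should not have to infer it. The SingleResponse and CertID bodies both continue outside the visible hunks.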


@ -95,11 +95,8 @@ function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
true); true);
add_ocsp_test("ocsp-stapling-unknown.example.com", add_ocsp_test("ocsp-stapling-unknown.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true); getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
// TODO(bug 977870): this should not result in SEC_ERROR_BAD_DER
add_ocsp_test("ocsp-stapling-good-other.example.com", add_ocsp_test("ocsp-stapling-good-other.example.com",
getXPCOMStatusFromNSS( getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
useInsanity ? SEC_ERROR_BAD_DER
: SEC_ERROR_OCSP_UNKNOWN_CERT), true);
// If the server doesn't staple an OCSP response, we continue as normal // If the server doesn't staple an OCSP response, we continue as normal
// (this means that even though stapling is enabled, we expect an OCSP // (this means that even though stapling is enabled, we expect an OCSP
// request). // request).
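Review bot: The updated expectation for `ocsp-stapling-good-other.example.com` only covers a response that contains no matching SingleResponse, so it does not exercise the behaviour the commit comments describe, namely skipping a non-matching SingleResponse and then finding the matching one later in the same response. Consider adding a case such as `add_ocsp_test("ocsp-stapling-good-other-first.example.com", Cr.NS_OK, true);` backed by a stapled response whose first SingleResponse references another certificate and whose second references the server certificate, so a regression that stops iterating after the skip is caught. The enclosing `add_tests_in_mode` function starts before this hunk.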