diff options
author | wtchang%redhat.com <devnull@localhost> | 2007-01-06 17:05:27 +0000 |
---|---|---|
committer | wtchang%redhat.com <devnull@localhost> | 2007-01-06 17:05:27 +0000 |
commit | 48f6c81ddaf1b4b1aeffc02d1ab0abcce016386e (patch) | |
tree | 860cd68e7b31e856874020f8e8fd09419d31fc6e | |
parent | f05417a43164f947b0a733661d0701fb05cbdada (diff) | |
download | nss-hg-48f6c81ddaf1b4b1aeffc02d1ab0abcce016386e.tar.gz |
Bugzilla Bug 357197: backed out the previous checkin, which had the wrong
CVS commit comment. Will check it in with the right comment next.
Tag: NSS_3_11_BRANCH
-rw-r--r-- | security/nss/lib/certhigh/ocsp.c | 53 |
1 files changed, 24 insertions, 29 deletions
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index 183f9b902..c74063bbe 100644 --- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -2797,14 +2797,12 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, } /* - * See if the request's certID and the single response's certID match. - * This can be easy or difficult, depending on whether the same hash - * algorithm was used. + * See if two certIDs match. This can be easy or difficult, depending + * on whether the same hash algorithm was used. */ static PRBool ocsp_CertIDsMatch(CERTCertDBHandle *handle, - CERTOCSPCertID *requestCertID, - CERTOCSPCertID *responseCertID) + CERTOCSPCertID *certID1, CERTOCSPCertID *certID2) { PRBool match = PR_FALSE; SECOidTag hashAlg; @@ -2817,54 +2815,51 @@ ocsp_CertIDsMatch(CERTCertDBHandle *handle, * * We just compare the easier things first. */ - if (SECITEM_CompareItem(&requestCertID->serialNumber, - &responseCertID->serialNumber) != SECEqual) { + if (SECITEM_CompareItem(&certID1->serialNumber, + &certID2->serialNumber) != SECEqual) { goto done; } /* - * Make sure the "parameters" are not too bogus. Since we encoded - * requestCertID->hashAlgorithm, we don't need to check it. + * For all the supported hash algorithms, 'parameters' is NULL (two + * bytes 0x05 0x00), but we allow it to be missing (zero length). */ - if (responseCertID->hashAlgorithm.parameters.len > 2) { - goto done; - } - if (SECITEM_CompareItem(&requestCertID->hashAlgorithm.algorithm, - &responseCertID->hashAlgorithm.algorithm) == SECEqual) { + if ((SECITEM_CompareItem(&certID1->hashAlgorithm.algorithm, + &certID2->hashAlgorithm.algorithm) == SECEqual) + && (certID1->hashAlgorithm.parameters.len <= 2) + && (certID2->hashAlgorithm.parameters.len <= 2)) { /* * If the hash algorithms match then we can do a simple compare * of the hash values themselves. */ - if ((SECITEM_CompareItem(&requestCertID->issuerNameHash, - &responseCertID->issuerNameHash) == SECEqual) - && (SECITEM_CompareItem(&requestCertID->issuerKeyHash, - &responseCertID->issuerKeyHash) == SECEqual)) { + if ((SECITEM_CompareItem(&certID1->issuerNameHash, + &certID2->issuerNameHash) == SECEqual) + && (SECITEM_CompareItem(&certID1->issuerKeyHash, + &certID2->issuerKeyHash) == SECEqual)) { match = PR_TRUE; } goto done; } - hashAlg = SECOID_FindOIDTag(&responseCertID->hashAlgorithm.algorithm); + hashAlg = SECOID_FindOIDTag(&certID2->hashAlgorithm.algorithm); switch (hashAlg) { case SEC_OID_SHA1: - keyHash = &requestCertID->issuerSHA1KeyHash; - nameHash = &requestCertID->issuerSHA1NameHash; + keyHash = &certID1->issuerSHA1KeyHash; + nameHash = &certID1->issuerSHA1NameHash; break; case SEC_OID_MD5: - keyHash = &requestCertID->issuerMD5KeyHash; - nameHash = &requestCertID->issuerMD5NameHash; + keyHash = &certID1->issuerMD5KeyHash; + nameHash = &certID1->issuerMD5NameHash; break; case SEC_OID_MD2: - keyHash = &requestCertID->issuerMD2KeyHash; - nameHash = &requestCertID->issuerMD2NameHash; + keyHash = &certID1->issuerMD2KeyHash; + nameHash = &certID1->issuerMD2NameHash; break; } if ((keyHash != NULL) - && (SECITEM_CompareItem(nameHash, - &responseCertID->issuerNameHash) == SECEqual) - && (SECITEM_CompareItem(keyHash, - &responseCertID->issuerKeyHash) == SECEqual)) { + && (SECITEM_CompareItem(nameHash, &certID2->issuerNameHash) == SECEqual) + && (SECITEM_CompareItem(keyHash, &certID2->issuerKeyHash) == SECEqual)) { match = PR_TRUE; } |