From: Martin H. <he...@hl...> - 2013-11-12 17:55:13
Hi developers,

We had a closer look at our crashes of ocspd. I'm adding libpki-devel to this mail (previous mails went to the ocspd-devel list, but by now I believe the fix should be done in libpki).

The client which caused the trouble is a Macintosh implementation of ocspd (running on a Mac with OS X 10.9) which handles the verification of certificates for Safari. Actually, it sends a GET request (in contrast to my Firefox, which uses POST to send the data, which works fine). According to RFC 2560 a GET request looks as follows:

    GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}

In the requests which caused the crashes, {url} was "/", so there were two slashes after the GET, and URL- and base64-decoding failed due to this extra slash at the beginning. When I strip off all the slashes at the beginning, I can successfully decode the original DER-formatted OCSP request, save it to a temporary file, parse it with openssl, and re-send it to the ocspd, which then returns "Response verify OK".

Let's look at the sources now. The problem is that in ocspd_req_get_socket in ocspd/src/ocspd/request.c, there is a call to PKI_HTTP_get_message in libpki/src/net/http_s.c. To make this work for this particular case, the latter should be able to parse a URL containing just a slash, and it should return a reasonable http_msg object. I believe it would work fine if we prefixed URLs that start with a slash with, e.g., "http://localhost" somewhere where the HTTP headers are parsed. Maybe if this is done in the right place, sock->url is properly defined later on in the code. I haven't looked that much into the details of libpki/src/net/pki_socket.c yet, but I'm going to try this out.

best regards,
Martin
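The decoding described in the message above, written as a bounds-checked sketch. It is an added example and not code from libpki or ocspd. The function name ocsp_get_path_to_der is hypothetical, the sample path is constructed, and returning -1 for a path with nothing after the slashes is an assumption about how a responder would want to treat it.

```c
#include <ctype.h>
#include <string.h>

/* Value of one hex digit, or -1 (also -1 for the terminating NUL). */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Value of one standard base64 character, or -1. */
static int b64val(int c) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                              "abcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}
/* Hypothetical helper: turn the path of an OCSP GET request into DER bytes.
 * Returns the byte count, or -1 on malformed input or if out[] is too small,
 * so a bad request becomes an error return instead of a crash. */
long ocsp_get_path_to_der(const char *path, unsigned char *out, size_t cap) {
    unsigned acc = 0;
    int bits = 0, pad = 0;
    size_t n = 0;
    while (*path == '/') path++;        /* "//MAM..." is treated like "/MAM..." */
    if (*path == '\0') return -1;       /* assumption: a bare "/" carries no request */
    while (*path) {
        int c = (unsigned char)*path++;
        if (c == '%') {                 /* percent-decoding, e.g. %2B -> '+' */
            int hi = hexval((unsigned char)path[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)path[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            path += 2;
        }
        if (c == '=') { if (++pad > 2) return -1; continue; }
        int v = b64val(c);
        if (v < 0 || pad) return -1;    /* bad character, or data after padding */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            if (n >= cap) return -1;    /* never write past the caller's buffer */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return bits == 6 ? -1 : (long)n;    /* a lone trailing character is invalid */
}
int main(void) {                        /* constructed sample, not a real request */
    unsigned char der[64];
    return ocsp_get_path_to_der("//MAMKAQA%3D", der, sizeof der) == 5 ? 0 : 1;
}
```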