Don't assume requestorName is present for signed requests. ASN1 OCSP module

fix: certs field is OPTIONAL.

diff --git a/crypto/ocsp/ocsp_asn.c b/crypto/ocsp/ocsp_asn.c
index 6a3a360d544981a088087359dcdff5862a5c87f6..39b7a1c5687163eb0e257d2c6eefc7247bec6bc2 100644 (file)
--- a/crypto/ocsp/ocsp_asn.c
+++ b/crypto/ocsp/ocsp_asn.c
@@ -62,7 +62,7 @@
 ASN1_SEQUENCE(OCSP_SIGNATURE) = {
        ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
        ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
 ASN1_SEQUENCE(OCSP_SIGNATURE) = {
        ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
        ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),

-       ASN1_EXP_SEQUENCE_OF(OCSP_SIGNATURE, certs, X509, 0)
+       ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0)

 } ASN1_SEQUENCE_END(OCSP_SIGNATURE)
 
 IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
 } ASN1_SEQUENCE_END(OCSP_SIGNATURE)
 
 IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 3d58dfb06cf34ff940a492c97556271b9cecf5e8..23ea41c847bfae18b707acba1e2221a606153622 100644 (file)
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -367,7 +367,7 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *st
                return 0;
                }
        gen = req->tbsRequest->requestorName;
                return 0;
                }
        gen = req->tbsRequest->requestorName;

-       if (gen->type != GEN_DIRNAME)
+       if (!gen || gen->type != GEN_DIRNAME)

                {
                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
                return 0;
                {
                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
                return 0;