Bonjour Rich,

+static char* urldecode(char* p)
+       {
+       unsigned char* out = (unsigned char *)p;
+       char* save = p;
+
+       for ( ; *p; p++)
+               {
+               if (*p == '+')
+                       *out++ = ' ';

You're doing "HTML-entity" decoding here. URL decoding uses only the "%xx" stuff. See RFC3986.

+               else if (*p != '%')
+                       *out++ = *p;


[...]

+                       }
+               /* URL decode? Really shouldn't be needed. */
+               if (strchr(p, '+') != NULL && strchr(p, '%') != NULL)
+                   p = urldecode(p);

URL decode is necessary (RFC2560 says so, RFC3986 lists '+' and '/' among the reserved characters that need to be encoded). In practice, GET OCSP requests *are* URL encoded. And if by chance the request isn't encoded, your test for the presence of a "+" and current urldecode() job will render this request invalid if is contains a "+" (it can happen in a Base64 encoded string).

--
Erwann ABALEA

Le 26/09/2014 04:56, Salz, Rich a écrit :
I don't see where the OCSP request is de-base64-ified, and URL-decoded.
In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's done 
directly on the HTTP request line for a GET.
I forgot to post the updated patch.  Thanks Erwann.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to