Bonjour Rich,
+static char* urldecode(char* p)
+ {
+ unsigned char* out = (unsigned char *)p;
+ char* save = p;
+
+ for ( ; *p; p++)
+ {
+ if (*p == '+')
+ *out++ = ' ';
You're doing "HTML-entity" decoding here. URL decoding uses only the
"%xx" stuff. See RFC3986.
+ else if (*p != '%')
+ *out++ = *p;
[...]
+ }
+ /* URL decode? Really shouldn't be needed. */
+ if (strchr(p, '+') != NULL && strchr(p, '%') != NULL)
+ p = urldecode(p);
URL decode is necessary (RFC2560 says so, RFC3986 lists '+' and '/'
among the reserved characters that need to be encoded). In practice, GET
OCSP requests *are* URL encoded. And if by chance the request isn't
encoded, your test for the presence of a "+" and current urldecode() job
will render this request invalid if is contains a "+" (it can happen in
a Base64 encoded string).
--
Erwann ABALEA
Le 26/09/2014 04:56, Salz, Rich a écrit :
I don't see where the OCSP request is de-base64-ified, and URL-decoded.
In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's done
directly on the HTTP request line for a GET.
I forgot to post the updated patch. Thanks Erwann.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
