From 1b1b5b90cc3dd72dc4639c723b97e1ae6792be0a Mon Sep 17 00:00:00 2001 |
From: Daiki Ueno <ueno@gnu.org> |
Date: Fri, 14 Aug 2020 07:27:40 +0200 |
Subject: [PATCH] cert-session: check OCSP error responses |
|
If the OCSP responder returns an error code, such as tryLater, we |
can't proceed to examine the response bytes. In that case, just skip |
the check unless the stapling is mandatory on this certificate. |
|
Signed-off-by: Daiki Ueno <ueno@gnu.org> |
--- |
lib/cert-session.c | 21 ++++ |
tests/Makefile.am | 2 +- |
tests/ocsp-tests/ocsp-must-staple-connection | 111 ++++++++++++++++++- |
tests/ocsp-tests/response3.der | 2 + |
4 files changed, 134 insertions(+), 2 deletions(-) |
create mode 100644 tests/ocsp-tests/response3.der |
|
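--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -224,6 +224,11 @@ gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res,
 }
 
 #ifdef ENABLE_OCSP
+static int
+_gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,
+ gnutls_x509_crt_t cert,
+ unsigned int * ocsp_status);
+
 /* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.
 *
 * Returns:
@@ -260,6 +265,22 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
 goto cleanup;
 }
 
+ if (gnutls_ocsp_resp_get_status(resp) != GNUTLS_OCSP_RESP_SUCCESSFUL) {
+ ret = _gnutls_ocsp_verify_mandatory_stapling(session, cert, ostatus);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ if (*ostatus & GNUTLS_CERT_MISSING_OCSP_STATUS) {
+ _gnutls_audit_log(session,
+ "Missing basic OCSP response while required: %s.\n",
+ gnutls_strerror(ret));
+ check_failed = 1;
+ }
+ ret = gnutls_assert_val(0);
+ goto cleanup;
+ }
+
 ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
 if (ret < 0) {
 ret = gnutls_assert_val(0);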
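Review bot: In the second hunk the audit log in the GNUTLS_CERT_MISSING_OCSP_STATUS branch prints `gnutls_strerror(ret)`, but `ret` cannot be negative there — the `if (ret < 0)` guard a few lines above already jumped to cleanup — so the message will always carry a success string instead of the reason the response was unusable. The useful datum is the responder's status code, which the `if` condition discards; keep it, e.g. `int status = gnutls_ocsp_resp_get_status(resp);` before the branch, test `status != GNUTLS_OCSP_RESP_SUCCESSFUL`, and log `"Missing basic OCSP response while required (responder status %d).\n", status`. Recording that same non-successful status on the non-mandatory path would also make the otherwise silent skip visible in the audit log, though that is a judgement call. check_ocsp_response starts outside the hunk, and the definition of _gnutls_ocsp_verify_mandatory_stapling declared in the first hunk is not in the patch as shown, so whether its prototype matches cannot be checked here.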
-- |
GitLab |
|