PORTREVISION=	1

From 1b1b5b90cc3dd72dc4639c723b97e1ae6792be0a Mon Sep 17 00:00:00 2001

From: Daiki Ueno <ueno@gnu.org>

Date: Fri, 14 Aug 2020 07:27:40 +0200

Subject: [PATCH] cert-session: check OCSP error responses

If the OCSP responder returns an error code, such as tryLater, we

can't proceed to examine the response bytes.  In that case, just skip

the check unless the stapling is mandatory on this certificate.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

---

 lib/cert-session.c                           |  21 ++++

 tests/Makefile.am                            |   2 +-

 tests/ocsp-tests/ocsp-must-staple-connection | 111 ++++++++++++++++++-

 tests/ocsp-tests/response3.der               |   2 +

 4 files changed, 134 insertions(+), 2 deletions(-)

 create mode 100644 tests/ocsp-tests/response3.der

diff --git a/lib/cert-session.c b/lib/cert-session.c

index db04a25e5d..5192083211 100644

--- lib/cert-session.c

+++ lib/cert-session.c

@@ -224,6 +224,11 @@ gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res,

 }

 #ifdef ENABLE_OCSP

+static int

+_gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,

+				       gnutls_x509_crt_t cert,

+				       unsigned int * ocsp_status);

+

 /* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.

  * 

  * Returns:

@@ -260,6 +265,22 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,

 		goto cleanup;

 	}

+	if (gnutls_ocsp_resp_get_status(resp) != GNUTLS_OCSP_RESP_SUCCESSFUL) {

+		ret = _gnutls_ocsp_verify_mandatory_stapling(session, cert, ostatus);

+		if (ret < 0) {

+			gnutls_assert();

+			goto cleanup;

+		}

+		if (*ostatus & GNUTLS_CERT_MISSING_OCSP_STATUS) {

+			_gnutls_audit_log(session,

+					  "Missing basic OCSP response while required: %s.\n",

+					  gnutls_strerror(ret));

+			check_failed = 1;

+		}

+		ret = gnutls_assert_val(0);

+		goto cleanup;

+	}

+

 	ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);

 	if (ret < 0) {

 		ret = gnutls_assert_val(0);

-- 

GitLab