author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-12-08 13:45:24 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-02-19 15:29:37 +0100 |
commit | 5623c86b5678ef93e9670a6f7bc412e2c8dda62a (patch) | |
tree | 35fe40a30e4da89c3410dcc477fce78282ae1983 /lib/x509 | |
parent | 4a4f5b48a8db833adaaef9c0bbf02a9eb7b20700 (diff) | |
download | gnutls-5623c86b5678ef93e9670a6f7bc412e2c8dda62a.tar.gz |
ocsp: enhanced the OCSP response loading APIs
Introduced gnutls_certificate_set_ocsp_status_request_file2() and
gnutls_certificate_set_ocsp_status_request_mem(). These functions
behave as the equivalent certificate loading functions and pre-load
the OCSP response provided as a file, either in DER or in PEM form.
In addition, ensure that if the server is provided a problematic OCSP
response, or the OCSP response is not renewed before it becomes invalid, we
will not provide it to the clients.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/x509')
-rw-r--r-- | lib/x509/Makefile.am | 2 | ||||
-rw-r--r-- | lib/x509/ocsp.c | 52 | ||||
-rw-r--r-- | lib/x509/ocsp.h | 30 |
3 files changed, 83 insertions, 1 deletions
diff --git a/lib/x509/Makefile.am b/lib/x509/Makefile.am
index 128306b95c..a10cd2f00c 100644
--- a/lib/x509/Makefile.am
+++ b/lib/x509/Makefile.am
@@ -79,7 +79,7 @@ libgnutls_x509_la_SOURCES = \
 tls_features.c \
 krb5.c krb5.h \
 ip.c ip.h ip-in-cidr.h \
- supported_exts.h
+ supported_exts.h ocsp.h
 
 if ENABLE_OCSP
 libgnutls_x509_la_SOURCES += ocsp.c ocsp_output.c
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 9edaa48022..0c57f7cf2e 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -32,6 +32,7 @@
 #include "common.h"
 #include "verify-high.h"
 #include "x509.h"
+#include "ocsp.h"
 #include <gnutls/ocsp.h>
 #include <auth/cert.h>
 
@@ -2543,3 +2544,54 @@ gnutls_ocsp_resp_list_import2(gnutls_ocsp_resp_t **ocsps,
 gnutls_ocsp_resp_deinit(resp);
 return ret;
 }
+
+/* This returns -1 if the OCSP response is invalid (revoked) or its
+ * data are too old. Otherwise it returns the time after which that data
+ * is invalid.
+ */
+time_t _gnutls_ocsp_get_validity(gnutls_ocsp_resp_t resp)
+{
+ unsigned int cert_status;
+ time_t rtime, vtime, ntime, now;
+ int ret;
+
+ ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
+ &cert_status, &vtime, &ntime,
+ &rtime, NULL);
+ if (ret < 0) {
+ _gnutls_debug_log("There was an error parsing the OCSP response: %s\n",
+ gnutls_strerror(ret));
+ return gnutls_assert_val(-1);
+ }
+
+ if (cert_status != GNUTLS_OCSP_CERT_GOOD &&
+ cert_status != GNUTLS_OCSP_CERT_UNKNOWN) {
+ _gnutls_debug_log("The OCSP response status (%d) is invalid\n",
+ cert_status);
+ return gnutls_assert_val(-1);
+ }
+
+ now = gnutls_time(0);
+
+ if (ntime == -1) {
+ /* This is a problematic case, and there is no concensus on how
+ * to treat these responses. It doesn't contain the time after which
+ * the response is invalid, thus it is an OCSP response effectively
+ * valid forever defeating the purpose of OCSP. We set here the same
+ * limit we apply when verifying responses. */
+ if (now - vtime > MAX_OCSP_VALIDITY_SECS) {
+ _gnutls_debug_log("The OCSP response is old\n");
+ return gnutls_assert_val(-1);
+ }
+
+ return now + MAX_OCSP_VALIDITY_SECS;
+ } else {
+ /* there is a newer OCSP answer, don't trust this one */
+ if (ntime < now) {
+ _gnutls_debug_log("There is a newer OCSP response\n");
+ return gnutls_assert_val(-1);
+ }
+
+ return ntime;
+ }
+}
diff --git a/lib/x509/ocsp.h b/lib/x509/ocsp.h
new file mode 100644
index 0000000000..3d6418b184
--- /dev/null
+++ b/lib/x509/ocsp.h
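Review bot: The `else` branch of _gnutls_ocsp_get_validity misdescribes the condition it checks: `ntime < now` means the response's nextUpdate has already passed, i.e. this response is expired, not that a newer one exists, so the comment and log should read `/* nextUpdate has passed, this response is expired */` and `_gnutls_debug_log("The OCSP response has expired\n");`. The `ntime == -1` path caps the response's age from thisUpdate but does not reject a thisUpdate in the future (`vtime > now`), which passes the age check with a negative difference; if the verification path already rejects that, a one-line comment saying so would help the reader. Only the single response at index 0 is consulted, which is presumably intentional for per-certificate pre-loaded responses but deserves a comment, and `rtime` is fetched but never read, so passing `NULL` for it would match the other unused outputs.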
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+/* Online Certificate Status Protocol - RFC 2560
+ */
+#include <gnutls/ocsp.h>
+
+/* fifteen days */
+#define MAX_OCSP_VALIDITY_SECS (15*60*60*24)
+
+time_t _gnutls_ocsp_get_validity(gnutls_ocsp_resp_t resp);
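Review bot: The new header has no include guard; an identical macro and prototype may legally be repeated, but guards are the convention for project headers and protect against later additions (a struct or enum) that cannot be, so wrap the body in `#ifndef GNUTLS_LIB_X509_OCSP_H` / `#define GNUTLS_LIB_X509_OCSP_H` … `#endif` (guard name constructed here; use the project's naming). The prototype uses `time_t` without including `<time.h>`, relying on `<gnutls/ocsp.h>` to provide it transitively, which is presumably the case but worth making explicit. The comment `/* fifteen days */` gives the number but not the policy; a line such as `/* maximum age accepted for a response that carries no nextUpdate; matches the limit used during verification */` would make the constant's role clear to the next reader.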