diff options
-rw-r--r-- | lib/cert-session.c | 21 | ||||
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-must-staple-connection | 111 | ||||
-rw-r--r-- | tests/ocsp-tests/response3.der | 2 |
4 files changed, 134 insertions, 2 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c index db04a25e5d..5192083211 100644 --- a/lib/cert-session.c +++ b/lib/cert-session.c @@ -224,6 +224,11 @@ gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t res, } #ifdef ENABLE_OCSP +static int +_gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session, + gnutls_x509_crt_t cert, + unsigned int * ocsp_status); + /* If the certificate is revoked status will be GNUTLS_CERT_REVOKED. * * Returns: @@ -260,6 +265,22 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert, goto cleanup; } + if (gnutls_ocsp_resp_get_status(resp) != GNUTLS_OCSP_RESP_SUCCESSFUL) { + ret = _gnutls_ocsp_verify_mandatory_stapling(session, cert, ostatus); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + if (*ostatus & GNUTLS_CERT_MISSING_OCSP_STATUS) { + _gnutls_audit_log(session, + "Missing basic OCSP response while required: %s.\n", + gnutls_strerror(ret)); + check_failed = 1; + } + ret = gnutls_assert_val(0); + goto cleanup; + } + ret = gnutls_ocsp_resp_check_crt(resp, 0, cert); if (ret < 0) { ret = gnutls_assert_val(0); diff --git a/tests/Makefile.am b/tests/Makefile.am index 8d71fc4bf0..0387bf7389 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -57,7 +57,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \ scripts/common.sh scripts/starttls-common.sh \ rng-op.c x509sign-verify-common.h common-key-tests.h \ ocsp-tests/certs/ca.key ocsp-tests/certs/ca.pem ocsp-tests/certs/ocsp-server.key ocsp-tests/certs/ocsp-server.pem ocsp-tests/response1.der \ - ocsp-tests/response2.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \ + ocsp-tests/response2.der ocsp-tests/response3.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \ ocsp-tests/response1.pem ocsp-tests/response2.pem \ ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \ ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \ diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection index 49c355dda3..55d718ddf0 100755 --- a/tests/ocsp-tests/ocsp-must-staple-connection +++ b/tests/ocsp-tests/ocsp-must-staple-connection @@ -26,6 +26,7 @@ GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}" DIFF="${DIFF:-diff}" TEMPLATE_FILE="ms-out.$$.tmpl.tmp" SERVER_CERT_FILE="ms-cert.$$.pem.tmp" +SERVER_CERT_NO_EXT_FILE="ms-cert-no-ext.$$.pem.tmp" OCSP_RESPONSE_FILE="ms-resp.$$.tmp" OCSP_REQ_FILE="ms-req.$$.tmp" @@ -86,6 +87,7 @@ stop_servers () test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}" rm -f "$TEMPLATE_FILE" rm -f "$SERVER_CERT_FILE" + rm -f "$SERVER_CERT_NO_EXT_FILE" rm -f "$OCSP_RESPONSE_FILE" rm -f "$OCSP_REQ_FILE" } @@ -97,13 +99,21 @@ rm -f "$TEMPLATE_FILE" cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE" chmod u+w "$TEMPLATE_FILE" echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE" -echo "tls_feature = 5" >>"$TEMPLATE_FILE" # Generate certificates with the random port datefudge -s "${CERTDATE}" ${CERTTOOL} \ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ + --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_NO_EXT_FILE}" 2>/dev/null + +# Generate certificates with the random port (with mandatory stapling extension) +echo "tls_feature = 5" >>"$TEMPLATE_FILE" + +datefudge -s "${CERTDATE}" ${CERTTOOL} \ + --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ + --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null echo "=== Bringing OCSP server up ===" @@ -392,6 +402,105 @@ kill "${TLS_SERVER_PID}" wait "${TLS_SERVER_PID}" unset TLS_SERVER_PID +echo "=== Test 7: OSCP response error - client doesn't send status_request ===" + +eval "${GETPORT}" +# Port for gnutls-serv +TLS_SERVER_PORT=$PORT +PORT=${TLS_SERVER_PORT} +launch_bare_server $$ \ + datefudge "${TESTDATE}" \ + "${GNUTLS_SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ + --port="${TLS_SERVER_PORT}" \ + --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors +TLS_SERVER_PID="${!}" +wait_server $TLS_SERVER_PID + +wait_for_port "${TLS_SERVER_PORT}" + +echo "test 123456" | \ + datefudge -s "${TESTDATE}" \ + "${GNUTLS_CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost +rc=$? + +if test "${rc}" != "0"; then + echo "Connecting to server with valid certificate and OCSP error response failed" + exit ${rc} +fi + +kill "${TLS_SERVER_PID}" +wait "${TLS_SERVER_PID}" +unset TLS_SERVER_PID + +echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ===" + +eval "${GETPORT}" +# Port for gnutls-serv +TLS_SERVER_PORT=$PORT +PORT=${TLS_SERVER_PORT} +launch_bare_server $$ \ + datefudge "${TESTDATE}" \ + "${GNUTLS_SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \ + --port="${TLS_SERVER_PORT}" \ + --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors +TLS_SERVER_PID="${!}" +wait_server $TLS_SERVER_PID + +wait_for_port "${TLS_SERVER_PORT}" + +echo "test 123456" | \ + datefudge -s "${TESTDATE}" \ + "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost +rc=$? + +if test "${rc}" != "0"; then + echo "Connecting to server with valid certificate and OCSP error response failed" + exit ${rc} +fi + +kill "${TLS_SERVER_PID}" +wait "${TLS_SERVER_PID}" +unset TLS_SERVER_PID + +echo "=== Test 9: OSCP response error - client sends status_request, TLS feature extension present ===" + +eval "${GETPORT}" +# Port for gnutls-serv +TLS_SERVER_PORT=$PORT +PORT=${TLS_SERVER_PORT} +launch_bare_server $$ \ + datefudge "${TESTDATE}" \ + "${GNUTLS_SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ + --port="${TLS_SERVER_PORT}" \ + --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors +TLS_SERVER_PID="${!}" +wait_server $TLS_SERVER_PID + +wait_for_port "${TLS_SERVER_PORT}" + +echo "test 123456" | \ + datefudge -s "${TESTDATE}" \ + "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost +rc=$? + +if test "${rc}" = "0"; then + echo "Connecting to server with valid certificate and OCSP error response unexpectedly succeeded" + exit ${rc} +fi + +kill "${TLS_SERVER_PID}" +wait "${TLS_SERVER_PID}" +unset TLS_SERVER_PID + kill ${OCSP_PID} wait ${OCSP_PID} diff --git a/tests/ocsp-tests/response3.der b/tests/ocsp-tests/response3.der new file mode 100644 index 0000000000..39e09cffaa --- /dev/null +++ b/tests/ocsp-tests/response3.der @@ -0,0 +1,2 @@ +0 +
\ No newline at end of file |