From c7c228b0619cfdc27e2f156d67e7732ee0b02829 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 6 Nov 2012 22:47:02 +0100
Subject: When verifying an OCSP response included in TLS don't fail if the response is old. That is to avoid creating more problems for a server that included an old response, from a server that included none. Also renamed: Too old -> Superseded.
---
 lib/gnutls_cert.c | 4 ++--
 lib/gnutls_x509.c | 6 ++++--
 lib/includes/gnutls/gnutls.h.in | 4 ++--
 lib/x509/verify.c | 2 +-
 4 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index f699a889d6..f98ecdc8c2 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -944,8 +944,8 @@ gnutls_certificate_verification_status_print (unsigned int status, if (status & GNUTLS_CERT_REVOKED) _gnutls_buffer_append_str (&str, _("The certificate chain revoked. "));
- if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD) _gnutls_buffer_append_str (&str, _("The revocation data are too old. "));
+ if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED) _gnutls_buffer_append_str (&str, _("The revocation data are old and have been superseded. "));
 if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID) _gnutls_buffer_append_str (&str, _("The revocation data are invalid. "));
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index cf8dee55f6..bd50d23f10 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -148,6 +148,10 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert, goto cleanup; }
+ /* Report but do not fail on the following errors. That is
+ * because including the OCSP response in the handshake shouldn't
+ * cause more problems that not including it.
+ */
 if (ntime == -1) { if (now - vtime > MAX_OCSP_VALIDITY_SECS) 
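Review bot: The comment added to check_ocsp_response has a typo that inverts its sense: the last line should read `* cause more problems than not including it.` rather than "problems that". It would also help to spell out what "report" means here, since the checks that follow are outside this hunk: whether a stale response is recorded in `*ostatus` for the caller or only written to the audit log decides whether an application can apply its own policy to it. The body of check_ocsp_response continues beyond the end of the hunk.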
@@ -161,8 +165,6 @@ check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert, if (ntime < now) { _gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
- if (now-ntime > MAX_OCSP_VALIDITY_SECS)
- *ostatus |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
 } }
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index d7f07f21dd..c12576d4ae 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -447,8 +447,8 @@ extern "C" * should not be trusted.
 * @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
 * @GNUTLS_CERT_EXPIRED: The certificate has expired.
- * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
 * @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
+ * @GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: The revocation data are old and have been superseded.
 * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date.
 * @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
 *
@@ -466,7 +466,7 @@ extern "C" GNUTLS_CERT_NOT_ACTIVATED = 1<<9,
 GNUTLS_CERT_EXPIRED = 1<<10,
 GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
- GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<12,
+ GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED = 1<<12,
 GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<13,
 GNUTLS_CERT_UNEXPECTED_OWNER = 1<<14,
 GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 7cbbb63299..636ae0e27e 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1114,7 +1114,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl, *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
 if (gnutls_x509_crl_get_next_update (crl) < now)
- *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+ *output |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
 cleanup:
-- 
cgit v1.2.1
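Review bot: After this hunk a stapled OCSP response whose nextUpdate has already passed (`ntime < now`) leaves `*ostatus` untouched, and the only trace is the audit-log line, so an application can no longer distinguish a stale response from a fresh one through the verification status. That goes further than the commit message's "don't fail": it drops the report as well, which is at odds with the "Report but do not fail" comment added earlier in the same file. If the aim is only to keep the handshake from aborting, the bit could still be recorded with `*ostatus |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;` and the fatal/non-fatal decision left to the caller, though I cannot see from this hunk whether any set bit in `*ostatus` is what currently fails verification. A replayed old "good" response is exactly the case a stale-data signal exists to surface, so the cost of losing it is worth stating in the commit message. check_ocsp_response continues beyond the end of the hunk.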